You may need to use a different Authenticator Plugin

Getting this:

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

After trying:

  1. sudo certbot renew --force-renewal

  2. sudo certbot -d

Please help.

This clearly showed that you’ll need to use DNS (TXT) based validation.
You can switch your authenticator by adding --preferred-challenges=dns. You might need to use manual mode depends on your actual settings, since you didn’t provide any useful information…

Thank you

1 Like

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Hello,

Just got the same error trying to get a wildcard cert…

My domain is: happlyface.be

I ran this command:

certbot certonly --manual --preferred-challenges=dns --email my@email.com --server https://acme-v02.api.letsencrypt.org/directory -d happlyface.be -d *.happlyface.be

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

My web server is Apache version 2.4.41

The operating system my web server runs on is Ubuntu Linux 16.04.6

My hosting provider, if applicable, is: OVH (dedicated)

I can login to a root shell on my machine: Yes

I’m using a control panel to manage my site: Yes, Virtualmin 6.08 (but I’m having this with shell and in Virtualmin)

The version of my client is: certbot 0.27.0

Side note: I tried yesterday and I manage to get the certificate with the same command. Now I’m trying to make it work with Virtualmin auto renewal but since I’m facing this issue, I’m trying to get back to “basis” (interactively)

Hope you can help.

@jicao

Hello! Three things:

One, this might be caused by an issue that was fixed in Certbot 0.31.0. You could try enabling the Certbot PPA and upgrading.

Two, it’s safer to escape the * in that command line. Otherwise, if there’s a file named something.happyface.be in the current directory, the shell will expand it and Certbot will get the wrong thing. E.g.:

certbot certonly --manual --preferred-challenges=dns --email my@email.com --server https://acme-v02.api.letsencrypt.org/directory -d happlyface.be -d '*.happlyface.be'

I don’t understand how you could get that error message if the shell isn’t expanding it.

Three, it’s separate from what’s going wrong, but it’s best to use automated validation when possible. HTTP validation is easy if you don’t need a wildcard; and DNS validation can be automated with many DNS services and ACME clients.

1 Like

@mnordhoff

Hello,

Thanks a lot for your quick help!

I first tried your second guess but without luck. I then tried your first one and after some search to force upgrading with apt-get install -f certbot I manage to get 0.31.0 version and all works fine! Shell AND Virtualmin.
Now I’ll have to check in 3 months if the auto renewal will work automatically :slight_smile:

Thanks, solved for me!

1 Like

You can actually test that by running sudo certbot renew --dry-run
And since you are running certonly, you’ll also need to restart/reload your web server manually after every successful renewal (else your updated certificate might not be loaded into the server, hence produce a certificate expired warning)

2 Likes

You can also add a --deploy-hook script to reload the web server so that Certbot will do that for you after a successful renewal.