Let’s Encrypt Error: “Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.”

Renewing an existing certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Attempting to renew cert (example.com) from /etc/letsencrypt/renewal/example.com.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/example.com/fullchain.pem (failure)

On Jan 9th 2018 Let’s Encrypt got a report that one of their three validation methods, TLS-SNI-01, could be used to get certificates for domains you don’t own. As a result, Let’s Encrypt permanently disabled the TLS-SNI-01 challenge.

The above issue can be resolved by updating to the latest version of Certbot and renewing certs again.

Alternatively, you can switch to the standalone authenticator. It runs its own temporary web server, so the hooks below make Certbot stop your web server while it obtains the certificate and then start it again. This should only be a temporary measure until you update Certbot, because when the certificate comes up for renewal again in 90 days, Certbot may fail.

Note for Cloudflare users: You must temporarily Pause your website in the control panel, otherwise Cloudflare may interfere with the renewal.

Apache

For Apache, run this command. Make sure to replace example.com with your own domain.

sudo certbot --authenticator standalone --installer apache -d example.com -d www.example.com --pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2"

Nginx

For Nginx, run this command. Make sure to replace example.com with your own domain.

sudo certbot --authenticator standalone --installer nginx -d example.com -d www.example.com --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"
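
To see which certificates on a server are affected, whichever fix you use, you can audit the renewal configs under /etc/letsencrypt/renewal. The script below is an added example, not part of the original post or of Certbot. It assumes the INI-style keys `authenticator` and `pref_challs`, and that an apache/nginx authenticator with no pinned challenge depends on the installed Certbot version. The status labels and sample files are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag Certbot renewal configs that still depend on TLS-SNI-01.
# Assumption: files are INI-style with "authenticator" and optional
# "pref_challs" keys, as Certbot writes under /etc/letsencrypt/renewal/.

# Print the value of key $1 in file $2 (first match only).
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1
}

# Classify one config and print "<STATUS> <lineage> authenticator=<name>".
#   FAIL    only tls-sni-01 is requested; the CA no longer offers it
#   REVIEW  apache/nginx authenticator, nothing pinned: the outcome depends on
#           whether the installed Certbot plugin can do another challenge
#   OK      everything else (standalone, webroot, DNS plugins, ...)
audit_conf() {
    local auth challs others status=OK
    auth=$(conf_value authenticator "$1")
    challs=$(conf_value pref_challs "$1")
    # What is left of pref_challs once tls-sni-01, commas and blanks are gone.
    others=$(printf '%s' "$challs" | sed 's/tls-sni-01//g' | tr -d ', \t')
    if [ -n "$challs" ] && [ -z "$others" ]; then
        status=FAIL
    elif [ -z "$challs" ] && { [ "$auth" = apache ] || [ "$auth" = nginx ]; }; then
        status=REVIEW
    fi
    printf '%s %s authenticator=%s\n' "$status" "$(basename "$1" .conf)" "${auth:-unset}"
}

# Audit every *.conf in directory $1.
audit_dir() {
    local f
    for f in "$1"/*.conf; do
        [ -e "$f" ] && audit_conf "$f"
    done
    return 0
}

# Constructed sample configs (not real files) so the script runs offline.
make_sample_dir() {
    local d; d=$(mktemp -d)
    printf '[renewalparams]\nauthenticator = nginx\npref_challs = tls-sni-01,\n' > "$d/old.example.conf"
    printf '[renewalparams]\nauthenticator = apache\ninstaller = apache\n' > "$d/web.example.conf"
    printf '[renewalparams]\nauthenticator = standalone\npref_challs = http-01,\n' > "$d/new.example.conf"
    printf '%s\n' "$d"
}

audit_dir "${1:-$(make_sample_dir)}"
```

Run it with the renewal directory as the first argument (reading it normally requires root); with no argument it audits the constructed samples.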


16 replies


  1. This solution didn’t work for me, facing same error in Nginx. Any idea how to fix this?

    > ERROR:
    > Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

  2. Thanks for the info. This is the only site that I have found that mentions TLS-SNI-01 being disabled. Unfortunately, your solution for Apache did not work for me because my ISP is blocking port 80 (but not 443). Also, because I do not pay for a static IP, I use a DDNS service and have no control over DNS for the domain I selected. Are there any other options in certbot that I can use to generate a cert?

    Thanks