35

I got this error while renewing a Let's Encrypt certificate:

"Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA"

How can I fix this?

The command I am running is like this:

./letsencrypt-auto --apache --renew-by-default -d <domain name>
Sibin John Mattappallil

7 Answers

34

It is because Let’s Encrypt has currently disabled the TLS-SNI-01 challenge due to an identified security issue.

The official has provided a workaround at the Let's Encrypt community website as follows:

If you’re serving files for that domain out of a directory on that server, you can run the following command:

sudo certbot --authenticator webroot --webroot-path <path to served directory> --installer nginx -d <domain>

If you’re not serving files out of a directory on the server, you can temporarily stop your server while you obtain the certificate and restart it after Certbot has obtained the certificate. This would look like:

sudo certbot --authenticator standalone --installer nginx -d <domain> --pre-hook "service nginx stop" --post-hook "service nginx start"

2018-01-19 update

Let’s Encrypt just released Certbot 0.21.0, which uses the HTTP-01 challenge type instead of the compromised TLS-SNI-01 by default for apache httpd and nginx. Update your certbot to get rid of this issue.

tan9
  • Is the "path to served directory" the nginx config? Would it look something like this: `etc/nginx/sites-available/` – Zorgan Jan 15 '18 at 20:56
  • I'm on nginx, and just installed and it's giving me that error, I used sudo add-apt-repository ppa:certbot/certbot. How do I check version and/or update? – edencorbin Jan 21 '18 at 17:55
  • Okay got it working with: sudo certbot --authenticator standalone --installer nginx -d mydomain.com -d www.mydomain2.com --pre-hook "service nginx stop" --post-hook "service nginx start" – edencorbin Jan 21 '18 at 18:32
  • What's all that NGINX stuff about? OP is using Apache, not Nginx. - and me too – Thomas Weller Jun 24 '18 at 19:38
  • Same here. Just replace `nginx` with `apache` for the `--installer` argument. – S3DEV Aug 10 '19 at 15:06
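
A version check for the update described in the answer above, as an added example that is not part of the original posts. The function names are hypothetical; the 0.21.0 threshold is the release the answer names, and the script assumes the `certbot --version` banner ends with the version number.

```shell
#!/bin/sh
# Added example (not from the original posts); function names are hypothetical.
# 0.21.0 is the release the answer above names as defaulting to HTTP-01.
MIN_VERSION="0.21.0"

# Take the version from a `certbot --version` banner such as "certbot 0.19.0":
# the last field of the last non-empty line.
parse_version() {
    printf '%s\n' "$1" | awk 'NF { v = $NF } END { print v }'
}

# version_ge A B: succeed when A >= B, comparing the first three dotted
# components as numbers (so 0.9.3 < 0.21.0); suffixes such as ".dev0" are ignored.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# check_banner BANNER: 0 = new enough, 1 = upgrade first, 2 = banner not understood.
check_banner() {
    v=$(parse_version "$1")
    case "$v" in
        [0-9]*.[0-9]*) ;;
        *) echo "unrecognised version banner: $1"; return 2 ;;
    esac
    if version_ge "$v" "$MIN_VERSION"; then
        echo "certbot $v: HTTP-01 is the default for the apache and nginx plugins"
    else
        echo "certbot $v: older than $MIN_VERSION, upgrade before renewing"
        return 1
    fi
}

# Live use: ./check.sh --live   (2>&1 in case the banner is written to stderr)
if [ "${1:-}" = "--live" ]; then
    check_banner "$(certbot --version 2>&1)"
fi
```
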
19

This is what worked for me:

certbot --authenticator standalone --installer apache -d <domain> \
--pre-hook "systemctl stop apache2" \
--post-hook "systemctl start apache2"
Mateusz
  • That worked for me without the backslashes: `certbot --authenticator standalone --installer apache -d <domain> --pre-hook "service apache2 stop" --post-hook "service apache2 start"` – Tritof Jan 22 '18 at 15:38
  • Worked without the backslashes – neophyte Feb 05 '18 at 12:50
  • Backslashes are just to escape the newlines; they make the long command easier to read. Purely cosmetic – Martin Nov 13 '21 at 11:40
8

Run (as root or with sudo)

apache2ctl stop
letsencrypt --authenticator standalone --installer apache -d your.domain

Choose "easy" (you can tidy up later if you want https only)

The letsencrypt agent should restart apache for you.

putt1ck
3

Since I'm using apache, I used this format,

sudo ./certbot-auto --authenticator webroot --webroot-path <path-to-webroot> --installer apache -d <your-domain>

e.g.

sudo ./certbot-auto --authenticator webroot --webroot-path /var/www/html --installer apache -d mydomain.com

Sibin John Mattappallil
3

This works for ubuntu with nginx

sudo apt-get install --only-upgrade certbot
certbot renew
Goran
2

Run the command, changing the values inside the <> tags to match:

sudo certbot --authenticator webroot --webroot-path <path to served directory> --installer apache -d <domain>
Wayne Werner
Prem
0

You can try using the following commands:

certbot --authenticator standalone --installer apache -d <domain>
systemctl restart apache2
Shalu T D