Let's encrypt error certificate install error - "Client with the currently selected authenticator does not support any combination of challenges"

Sibin John Mattappallil picture Sibin John Mattappallil · Jan 10, 2018 · Viewed 30.6k times · Source

I got this error while renewing let's encrypt certificate:

"Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA"

How can I fix this?

The command I running is like this:

./letsencrypt-auto --apache --renew-by-default -d <domain name>

Answer

tan9 picture tan9 · Jan 10, 2018

It is because Let’s Encrypt has currently disabled the TLS-SNI-01 challenge due to an identified security issue.

The official has provided an workaroud at the Let's Encrypt community website as following:

If you’re serving files for that domain out of a directory on that server, you can run the following command:

sudo certbot --authenticator webroot --webroot-path <path to served directory> --installer nginx -d <domain>

If you’re not serving files out of a directory on the server, you can temporarily stop your server while you obtain the certificate and restart it after Certbot has obtained the certificate. This would look like:

sudo certbot --authenticator standalone --installer nginx -d <domain> --pre-hook "service nginx stop" --post-hook "service nginx start"

2018-01-19 update

Let’s Encrypt just released Certbot 0.21.0, which use HTTP-01 challenge type instead of the compromised TLS-SNI-01 by default for apache httpd and nginx. Update your certbot to get rid of this issue.