Let’s Encrypt Error: “Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.”

Renewing an existing certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Attempting to renew cert (example.com) from /etc/letsencrypt/renewal/example.com.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/example.com/fullchain.pem (failure)

On Jan 9th 2018, Let’s Encrypt received a report that one of its three validation methods, TLS-SNI-01, could be used to obtain certificates for domains the requester does not own. As a result, Let’s Encrypt permanently disabled the TLS-SNI-01 challenge.

The above issue can be resolved by updating to the latest version of Certbot and renewing certs again.

Alternatively, the hooks in the commands below make Certbot stop your web server while it obtains the certificate and start it again afterwards. The standalone authenticator runs its own temporary web server for validation, so the port must be free while it runs. Treat this only as a temporary measure until you update Certbot, because Certbot may fail again when the cert comes up for renewal in 90 days.

Note for Cloudflare users: You must temporarily Pause your website in the control panel, otherwise Cloudflare may interfere with the renewal.

Apache

For Apache, run this command. Make sure to replace example.com with your own domain.

sudo certbot --authenticator standalone --installer apache -d example.com -d www.example.com --pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2"

Nginx

For Nginx, run this command. Make sure to replace example.com with your own domain.

sudo certbot --authenticator standalone --installer nginx -d example.com -d www.example.com --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"
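
To see which certificates on a host are exposed to this error, the following added example (not part of the original post) reads the renewal configs under a directory such as /etc/letsencrypt/renewal and flags lineages that pin TLS-SNI-01 or use the apache/nginx authenticator, which relied on TLS-SNI-01 in older Certbot releases. The function names, verdict labels and sample lineages are assumptions made for illustration, as is the config layout noted in the comments.

```shell
#!/bin/sh
# Added example (not from the original post): list Certbot lineages whose
# renewal config still depends on the disabled TLS-SNI-01 challenge.
# Assumed format: the [renewalparams] section holds "authenticator = <name>"
# and, optionally, "pref_challs = <comma list>".

# Print "<lineage> <authenticator> <verdict>" for each *.conf in directory $1.
audit_renewal_dir() {
    for conf in "$1"/*.conf; do
        [ -f "$conf" ] || continue
        awk -v name="$(basename "$conf" .conf)" '
            { sub(/[ \t\r]+$/, "") }    # trim trailing blanks and CR
            /^\[/ { in_params = ($0 == "[renewalparams]"); next }
            in_params && /^authenticator[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); auth = $0 }
            in_params && /^pref_challs[ \t]*=/   { sub(/^[^=]*=[ \t]*/, ""); challs = $0 }
            END {
                if (challs ~ /tls-sni/)             verdict = "PINNED-TLS-SNI"
                else if (auth ~ /^(apache|nginx)$/) verdict = "CHECK-CERTBOT-VERSION"
                else if (auth == "")                verdict = "NO-AUTHENTICATOR"
                else                                verdict = "OK"
                print name, (auth == "" ? "-" : auth), verdict
            }' "$conf"
    done
}

# Constructed sample configs (hypothetical lineages) so the script runs offline.
write_sample_configs() {
    printf '%s\n' 'fullchain = /etc/letsencrypt/live/example.com/fullchain.pem' \
        '[renewalparams]' 'authenticator = apache' 'installer = apache' \
        > "$1/example.com.conf"
    printf '%s\n' '[renewalparams]' 'authenticator = standalone' \
        'pref_challs = tls-sni-01,' > "$1/shop.example.com.conf"
    printf '%s\n' '[renewalparams]' 'authenticator = webroot' \
        '[[webroot_map]]' 'blog.example.com = /var/www/blog' \
        > "$1/blog.example.com.conf"
}

sample_dir=$(mktemp -d)
write_sample_configs "$sample_dir"
audit_renewal_dir "$sample_dir"
```

On a real host, call audit_renewal_dir /etc/letsencrypt/renewal as root. A CHECK-CERTBOT-VERSION line means the lineage needs either the Certbot update or the standalone workaround above.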

14 replies

Waqas
Guest
10 months ago

when run for apache gives this error
“The requested apache plugin does not appear to be installed”

E Martinson
Guest
10 months ago

Thanks for the info. This is the only site that I have found that mentions TLS-SNI-01 being disabled. Unfortunately, your solution for Apache did not work for me because my ISP is blocking port 80 (but not 443). Also, because I do not pay for a static IP, I use a DDNS service and have no control over DNS for the domain I selected. Are there any other options in certbot that I can use to generate a cert?

Thanks

MikeLima
Guest
1 year ago

Oh great, thank you 😉

Ermolau Zanoli
Guest
1 year ago

apt install certbot

Chiyana
Guest
1 year ago

Bravo¡¡

rekk
Guest
1 year ago

THANKS!

Diego
Guest
1 year ago

Thank you, that solved my problem. Best regards!!!!

Tigran Tsaturyan
Guest
1 year ago

Thank you very much!
Works properly. Appreciate!!!!!

Eddie
Guest
1 year ago

Thank you guys. Works like a charm! 🙂

tomo
Guest
1 year ago

Like a charm, thanks a lot!

Nathan Krowitz
Guest
1 year ago

Thanks, this worked!