![Upokary](https://upokary.com/wp-content/uploads/2019/09/upokary-logo-english.png"){kind=logo}
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA
The issue:
We got into this issue because the certbot version we used to generate SSL certificate was outdated. We use free SSL by the certificate authority (CA) called letsencrypt. Our certbot version was really old.
$ certbot --version certbot 0.17.0
Using the old certbot when we tried to renew the certificate manually with –dry-run option we got into the issue:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.. Skipping.
We got multiple emails warning about the SSL certificate expiration. Following is the warning email:
Hello, Your certificate (or certificates) for the names listed below will expire in 10 days (on 07 Jun 19 11:32 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors. We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let's Encrypt's current 90-day certificates, that means renewing 30 days before expiration. See https://letsencrypt.org/docs/integration-guide/ for details.
The reason:
In our case we have installed the complete package of certbot and that took care of certificate renewal. Usually if you generate the SSL certificate using certbot then the certificate validity is 90 days (3 months). After 3 months a new certificate needs to be generated. Certbot does that automatically using certbot renew command. It was working quite nice for us. But after more than a year the certbot renew did not work because certbot needed a version upgrade.
The solution:
This is the certbot version issue that needed an updated version to renew the certificate. We upgraded the certbot version using the following command:
$ sudo apt-get update $ sudo apt-get install --only-upgrade certbot
This should update the certbot version. We can again check the certbot version certbot –version. The certbot version should be above certbot 0.28. In our case after the upgrade the certbot version became certbot 0.31.0
Now we are ready to run certbot renew using the following command:
$ sudo certbot renew
As soon as we ran the above command we got the new certificate generated:
ert is due for renewal, auto-renewing... Plugins selected: Authenticator apache, Installer apache Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org Running pre-hook command: service apache2 stop Renewing an existing certificate Performing the following challenges: http-01 challenge for.no Waiting for verification... Cleaning up challenges Resetting dropped connection: acme-v02.api.letsencrypt.org - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - new certificate deployed with reload of apache server; fullchain is /etc/letsencrypt/live/ .no/fullchain.pem - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Congratulations, all renewals succeeded. The following certs have been renewed: /etc/letsencrypt/live/ .no/fullchain.pem (success) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -