Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA

The issue:

We got into this issue because the certbot version we used to generate SSL certificate was outdated. We use free SSL by the certificate authority (CA) called letsencrypt. Our certbot version was really old.

$ certbot --version
certbot 0.17.0

Using the old certbot when we tried to renew the certificate manually with –dry-run option we got into the issue:

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.. Skipping.

We got multiple emails warning about the SSL certificate expiration. Following is the warning email:

Hello,

Your certificate (or certificates) for the names listed below will expire in 10 days (on 07 Jun 19 11:32 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

We recommend renewing certificates automatically when they have a third of their
total lifetime left. For Let's Encrypt's current 90-day certificates, that means
renewing 30 days before expiration. See
https://letsencrypt.org/docs/integration-guide/ for details. 

The reason:

In our case we have installed the complete package of certbot and that took care of certificate renewal. Usually if you generate the SSL certificate using certbot then the certificate validity is 90 days (3 months). After 3 months a new certificate needs to be generated. Certbot does that automatically using certbot renew command. It was working quite nice for us. But after more than a year the certbot renew did not work because certbot needed a version upgrade.

The solution:

This is the certbot version issue that needed an updated version to renew the certificate. We upgraded the certbot version using the following command:

$ sudo apt-get update
$ sudo apt-get install --only-upgrade certbot

This should update the certbot version. We can again check the certbot version certbot –version. The certbot version should be above certbot 0.28. In our case after the upgrade the certbot version became certbot 0.31.0

Now we are ready to run certbot renew using the following command:

$ sudo certbot renew 

As soon as we ran the above command we got the new certificate generated:

ert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Running pre-hook command: service apache2 stop
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for .no
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/.no/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/.no/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Share