[Let's Encrypt] How to resolve 'Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.' error

Tadashi Shigeoka ·  Thu, April 25, 2019

I’ll introduce how to resolve the error Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. in Let’s Encrypt.

Let's Encrypt

certbot Version

First, check the version of certbot currently in use.

$ certbot --version
certbot 0.14.2

Error with certbot renew

$ sudo /usr/bin/certbot renew \\
--renew-hook "/bin/systemctl start nginx"

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/example.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Attempting to renew cert from /etc/letsencrypt/renewal/example.com.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.. Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/example.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

Upgrade certbot and Renew SSL Certificate

certbot Upgrade

Since the cause is an outdated version of certbot, upgrading certbot will resolve the issue.

sudo apt-get update
sudo apt-get install --only-upgrade certbot

Check the version of certbot after the upgrade.

$ certbot --version
certbot 0.31.0

Renew SSL Certificate with certbot

It seems the certbot command options have changed due to the upgrade.

For Nginx, I was able to complete the SSL certificate renewal by running the certbot command with the following options:

$ sudo certbot \\
--authenticator standalone \\
--installer nginx \\
-d example.com \\
--pre-hook "/bin/systemctl stop nginx" \\
--post-hook "/bin/systemctl start nginx"

Note that since we stop and start nginx, there will be a few seconds of downtime where Nginx cannot process requests.

How to Resolve Nginx Plugin Error

If you encounter the error The requested nginx plugin does not appear to be installed, please refer to the following article for resolution:

That’s all from the Gemba, where we upgraded certbot to renew Let’s Encrypt SSL certificates.

Reference Information