Guidelines

This site is for tech Q&A. Please keep your posts focused on the subject at hand.

Ask one question at a time. Don't conflate multiple problems into a single question.

Make sure to include all relevant information in your posts. Try to avoid linking to external sites.

Links to documentation are fine, but in addition you should also quote the relevant parts in your posts.

0 votes
76 views
76 views

I'm trying to obtain a Let'sEncrypt certificate using certbot. The certificate will be used for a service that uses the FQDN as well as a couple subdomains thereof (foo.example.org, xy.foo.example.org, ab.example.org, ...), so I thought I'd use a wildcard for the subdomains instead of listing them all individually (foo.example.org, *.foo.example.org).

However, trying to generate the certificat with certbot yields the following error:

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

Full output:


me@localhost:~# certbot certonly --preferred-challenges http --webroot -w /var/www/foo -d foo.example.org -d '*.foo.example.org'
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

The webroot in the webserver is set up correctly (I have used this kind of config for other certificates before), so it's unlikely that the problem lies there. And I've also used certbot before without a DNS challenge

Why does certbot suddenly require a DNS challenge? And how do I fix it?

My operating system is Devuan Ascii, and the certbot version is 0.28.0 from the distribution repositories.

in Sysadmin
by (100)
1 4 18
edit history

Please log in or register to answer this question.

1 Answer

0 votes
 

The problem is with the CA, not with certbot. Let'sEncrypt decided that they'll issue wildcard certificates only when authenticated via DNS. From the announcement (emphasis mine):

Additionally, wildcard domains must be validated using the DNS-01 challenge type. This means that you’ll need to modify DNS TXT records in order to demonstrate control over a domain for the purpose of obtaining a wildcard certificate.

If you can't (or don't want to) use DNS authentication you'll have to resort to listing all subdomains individually in the request.

certbot certonly --preferred-challenges http --webroot -w /var/www/foo -d foo.example.org -d xy.foo.example.org -d ab.foo.example.org ...
by (100)
1 4 18
edit history
...