Fixing Letsencrypt validation failed with selected authenticator does not support any combination of challenges
This post goes through the steps of fixing Letsencrypt when it fails with the error “Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.”
Why Letsencrypt fails to validate domains
When trying to set up a new https website with Letsencrypt you may get a failure about the “tls-sni-01 challenge”. The full error text is as below:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
This happens because Letsencrypt has disabled the validation method that certbot previously used by default, owing to security issues with that authenticator.
To validate new domains you will need to configure which authenticator certbot uses instead.
Fixing the problem for new validations
Until the certbot updates are pushed out, you can use a different authentication method.
On Fedora you can run the following command to obtain a new certificate for Apache:
certbot --authenticator standalone --installer apache --pre-hook "systemctl stop httpd" --post-hook "systemctl start httpd"
The --authenticator flag makes certbot use the standalone authenticator. This is currently accepted as it does not have the security flaws.
The --installer flag tells certbot to set up the certificate for Apache. This can be changed to nginx or any other supported web server.
The final parts, --pre-hook and --post-hook, stop and start the web server so it properly reloads the modified configuration. These can be left out, but for Apache on Fedora they are sometimes required so that it reloads properly. If you get errors without them, try adding them. The service name may need to be changed for other web servers.
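The following script is an added example, not from the original post: it builds the certbot command above for either the apache or nginx installer (mapping apache to Fedora's httpd unit), and warns when something is already listening on port 80, since the standalone authenticator has to bind that port itself and will fail unless the pre-hook stops the running web server first. The installer-to-unit mapping and the use of ss for the port check are assumptions.

```shell
#!/bin/sh
# Added example (not the post's own script): assumes systemd unit names
# as on Fedora (apache -> httpd, nginx -> nginx) and that `ss` is available.

# Map a certbot installer name to the systemd unit the hooks stop/start.
service_for_installer() {
    case "$1" in
        apache) echo httpd ;;   # Fedora ships Apache as httpd.service
        nginx)  echo nginx ;;
        *) echo "unsupported installer: $1" >&2; return 1 ;;
    esac
}

# Print the full certbot argument list for the standalone authenticator,
# with pre/post hooks that free port 80 for the duration of validation.
certbot_standalone_args() {
    installer=$1
    domain=$2
    svc=$(service_for_installer "$installer") || return 1
    printf -- '--authenticator standalone --installer %s --pre-hook "systemctl stop %s" --post-hook "systemctl start %s" -d %s\n' \
        "$installer" "$svc" "$svc" "$domain"
}

# Return 0 if something already listens on TCP port 80 (local address
# column of `ss -ltn` ends in :80), 1 if not, 2 if ss is unavailable.
port80_in_use() {
    command -v ss >/dev/null 2>&1 || return 2
    ss -ltn 2>/dev/null | awk 'NR > 1 && $4 ~ /:80$/ { found = 1 } END { exit found ? 0 : 1 }'
}

main() {
    installer=${1:-apache}
    domain=$2
    [ -n "$domain" ] || { echo "usage: $0 [apache|nginx] domain" >&2; return 1; }
    args=$(certbot_standalone_args "$installer" "$domain") || return 1
    if port80_in_use; then
        echo "port 80 is in use: the pre-hook must stop $(service_for_installer "$installer") or standalone validation will fail" >&2
    fi
    echo "certbot $args"
    # Uncomment to actually run it (certbot may prompt interactively):
    # eval "certbot $args"
}

if [ $# -gt 0 ]; then main "$@"; fi
```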
Hopefully this helps you set up new https websites with Letsencrypt in the meantime.