AuthorizationError: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA

[catalinpetrisor]

Hi,

First off, thanks for a great tutorial. I am getting the error below:

Do you have a workaround / fix for this?

Thank again.

---

Performing the following challenges: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. Exiting abnormally: Traceback (most recent call last): File "/usr/bin/certbot", line 9, in load_entry_point('certbot==0.20.0', 'console_scripts', 'certbot')() File "/usr/lib/python2.7/site-packages/certbot/main.py", line 861, in main return config.func(config, plugins) File "/usr/lib/python2.7/site-packages/certbot/main.py", line 698, in run certname, lineage) File "/usr/lib/python2.7/site-packages/certbot/main.py", line 85, in _get_and_save_cert lineage = le_client.obtain_and_enroll_certificate(domains, certname) File "/usr/lib/python2.7/site-packages/certbot/client.py", line 357, in obtain_and_enroll_certificate certr, chain, key, _ = self.obtain_certificate(domains) File "/usr/lib/python2.7/site-packages/certbot/client.py", line 318, in obtain_certificate self.config.allow_subset_of_names) File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 68, in get_authorizations self._choose_challenges(domains) File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 103, in _choose_challenges self.authzr[dom].body.combinations) File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 374, in gen_challenge_path return _find_smart_path(challbs, preferences, combinations) File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 411, in _find_smart_path _report_no_chall_path() File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 442, in _report_no_chall_path raise errors.AuthorizationError(msg) AuthorizationError: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

[mishinev]

@catalinpetrisor The problem is that Let's Encrypt did disable TLS-SNI validation method used by this plugin. Which unfortunately makes certbot-asa plugin useless :-(

Here is the announce from Let's Encrypt:

https://community.letsencrypt.org/t/2018-01-11-update-regarding-acme-tls-sni-and-shared-hosting-infrastructure/50188

[placidsolace]

Are there any plans for "...moving to the HTTP validation method..." with regard to the certbot-asa plugin?

[chrismarget]

Using HTTP validation would require the ASA to serve arbitrary web pages at:

http://<your_domain>/.well-known/acme-challenge/<challenge_string>

If that's possible with an ASA, I don't know how to do it.

[Fhajad]

Seems there may need to be an update to this to state it won't work. I went through all the steps to get this setup and running, only to find this issue three hours after the fact.