I am getting so frustrated with the lack of support for this issue, so apologies if there is already a solution somewhere, but I’ve spent all day trying to fix my problem.
I have a fixed IP address so do not use DuckDNS, only Let’s Encrypt. I am unable to get an SSL certificate due to the following error:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
I believe this has something to do with Certbot disabling TLS-SNI-01, but this was several years ago now so I can’t understand why Let’s Encrypt has not been updated to correct the issue. I can find lots of information with various CLI commands to edit files on Ubuntu etc. but nothing for homeassistant.
Does anyone have any idea how I can fix this please?
OS Version: HAOS 12.4
Home Assistant Core: 2024.7.4
Do you have a domain that your IP address is attached to in order to get the certificate? If so, is it registered with one of the supported DNS providers on the Let’s Encrypt add-on? The way you set up your challenges will depend on who supplies your DNS services.
If you don’t have a domain that you own, you can use DuckDNS to get one that you can use to get the SSL certificate with. And you can use DuckDNS even if you have a fixed IP. You just won’t ever update the IP associated with your DuckDNS domain. Don’t know your level of knowledge on how SSL works but just in case (or for the next person finding this post), in order to get an SSL certificate, you have to have a domain you own and can prove that you own, that the certificate is issued for. And you have to have a service that updates that certificate when it expires every 90 days. So, you can’t just get one once, it is a constant process.
Thanks for replying. I should have been a bit clearer in my post, I am happy with SSL certificates and Let’s Encrypt as I have provided web hosting for many years and work in IT.
Home Assistant is fairly new to me, and the error I have posted is a common one due to TLS-SNI-01 being disabled due to security vulnerabilities. As this happened back in 2018 I would have thought that it would have been removed from the Let’s Encrypt add-on by now, but it would appear not.
I have a domain name set up and pointed to my IP and my port forwarding is all correct. This is a fault with the add-on.
Just for info - there is a comprehensive post on here with details of how to fix the issue, but using DuckDNS which I don’t want or need as I am not using DDNS.
So sorry. It was tough to gauge from your first post your level of comfort around SSL. I’m smarter than the average bear when it comes to anything technology related and it confused the hell out of me when I first dug into it.
Who is your DNS provider? Why do you assume this is a problem with TLS-SNI-01? Your challenge method will depend on who your DNS provider is and that will dictate how you have to configure the plug-in to work. It sounds like you don’t have the plugin configured correctly for your DNS provider. Most require you to generate an API key that has to be placed into the configuration of the plugin. You don’t mention having done any of that.
It is Let’s Encrypt that have disabled TLS-SNI-01 and not CertBot.
CertBot have left the challenge type in, because CertBot might be used for other service providers of ACME certificates.
It should not mean a thing if you are using DynDNS services or fixed IPs, because the ACME service does not know the difference. All it cares about is that the domain name is resolvable.
What type of challenge have you set up in the Let’s Encrypt addon?
There is a very long post on here already, stating that TLS-SNI-01 was disabled by Certbot, and Let’s Encrypt as you say have since disabled it permanently. I’m saying that’s what the problem is because that’s what everything points to in the HA Community. A quick search for the error message brings up that, and not much else.
I am happy to change to a DNS challenge, but that’s where I’m limited. I’m more than capable of setting up DNS records at my provider, but not sure how to configure the challenge in the Let’s Encrypt add-on.
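For anyone landing here with the same question, an added example (not from this thread) of what the switch from an HTTP to a DNS challenge looks like in the Let’s Encrypt add-on configuration. It assumes Cloudflare is the DNS provider and uses the option names as documented for the add-on; the e-mail, domain and token values are placeholders.

```yaml
# Before: HTTP-01 challenge. Works only if port 80 on your router is forwarded
# to the add-on while the certificate is requested or renewed.
email: admin@example.com        # placeholder
domains:
  - ha.example.com              # placeholder
certfile: fullchain.pem
keyfile: privkey.pem
challenge: http

---
# After: DNS-01 challenge. No inbound port needed; the add-on publishes the
# _acme-challenge TXT record through the provider's API instead.
email: admin@example.com        # placeholder
domains:
  - ha.example.com              # placeholder
certfile: fullchain.pem
keyfile: privkey.pem
challenge: dns
dns:
  provider: dns-cloudflare
  # Create this token in the Cloudflare dashboard scoped to Zone > DNS > Edit
  # for this one zone only, not a Global API Key; it is stored in plain text
  # in the add-on config, so keep it least-privilege and rotate it if exposed.
  cloudflare_api_token: "CLOUDFLARE_TOKEN_PLACEHOLDER"
  propagation_seconds: 60       # how long to wait before the CA is asked to validate
```

Only one of the two documents goes in the add-on’s Configuration tab; the first is shown for contrast. After saving, restart the add-on and check its log for the validation result.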
All sorted now. I’ve added it to my Cloudflare account and installed the Cloudflared add-on. This also means no open ports on my router so a pen test comes up clean.
Cloudflared is another service and should be seen for what it is.
It is another router into your network, so you need to make a pen test on that one too.