Suggest DNS authenticator when it's needed (#5638)

certbot/auth_handler.py

@@ -433,7 +433,7 @@ def _find_smart_path(challbs, preferences, combinations):
         combo_total = 0
 
     if not best_combo:
-        _report_no_chall_path()
+        _report_no_chall_path(challbs)
 
     return best_combo
 
@@ -454,15 +454,23 @@ def _find_dumb_path(challbs, preferences):
         if supported:
             path.append(i)
         else:
-            _report_no_chall_path()
+            _report_no_chall_path(challbs)
 
     return path
 
 
-def _report_no_chall_path():
-    """Logs and raises an error that no satisfiable chall path exists."""
+def _report_no_chall_path(challbs):
+    """Logs and raises an error that no satisfiable chall path exists.
+
+    :param challbs: challenges from the authorization that can't be satisfied
+
+    """
     msg = ("Client with the currently selected authenticator does not support "
            "any combination of challenges that will satisfy the CA.")
+    if len(challbs) == 1 and isinstance(challbs[0].chall, challenges.DNS01):
+        msg += (
+            " You may need to use an authenticator "
+            "plugin that can do challenges over DNS.")
     logger.fatal(msg)
     raise errors.AuthorizationError(msg)
 

certbot/tests/auth_handler_test.py

@@ -272,6 +272,12 @@ class HandleAuthorizationsTest(unittest.TestCase):
         self.mock_net.acme_version = 2
         self._test_preferred_challenges_not_supported_common(combos=False)
 
+    def test_dns_only_challenge_not_supported(self):
+        authzrs = [gen_dom_authzr(domain="0", challs=[acme_util.DNS01])]
+        mock_order = mock.MagicMock(authorizations=authzrs)
+        self.assertRaises(
+            errors.AuthorizationError, self.handler.handle_authorizations, mock_order)
+
     def _validate_all(self, unused_1, unused_2):
         for i, aauthzr in enumerate(self.handler.aauthzrs):
             azr = aauthzr.authzr