Automatic renewal hooks for

I want to be able to renew my certificate for the domain and the level under (wildcard) for the service

Two problems that I face which I don't know how to tackle.

  1. Let's Encrypt sends the challenges for all the subject names and Certbot demands the TXT to be done for all domains that are requested before validating them.

  2. Freemyip only allows one single TXT record for each domain at a time. Hence Certbot/Let's Encrypt fails to complete the challenges.

So if I want automatic renewal for *, the challenges fail because my authenticator hook updates the TXT record a second time before Certbot/Let's Encrypt can confirm it. For both domains Let's Encrypt asks for a TXT record at

I've already confirmed that it works if I only request the renewal for one domain. Would be nice to skip having to do this every third month manually. Any ideas as to how I can achieve that?

I have already tried http-challenge and I guess it makes sense, but then Let's Encrypt says it won't accept that. And I've tried turning off --preferred-challenges but it seems to really like using mainly the TXT-confirmation method.

Welcome to the community @MiyasakiYoshi

A DNS Challenge is required for a wildcard cert. One option is that if you don't absolutely need a wildcard you could use the HTTP Challenge. A cert can have up to 100 domain names in it.

As for your one TXT record at a time problem, two options come to mind:
One, use a different DNS provider that supports what you want to do

Two, run Certbot twice. The first time just request one name. When successful, Let's Encrypt caches the successful result for that domain and your account. Then, on the second run, do both domain names. But, make sure your authenticator hook only does the one TXT record for the second name. The cached result and the TXT record should allow a cert with both domains. I'm pretty sure this would work.


Two more options:

  1. Pick an ACME client which submits challenges one-by-one. lego is one that does this, and supports
  2. You can actually mix challenge types in Certbot's manual authenticator. If your webserver is accessible from the internet, you can get Certbot to use the HTTP challenge for the base domain, and the DNS API for the wildcard. I had a go at writing such a hook below; it seems to work fine and should work fine for automatic renewal as well.

You can call it with:

certbot certonly --preferred-challenges http,dns --manual \
--manual-auth-hook "/path/to/ auth" \
--manual-cleanup-hook "/path/to/ cleanup" \
-d -d "*"

Make sure to chmod +x the script. The contents are below, you'll need to modify the token and the webroot of your domain:

#!/usr/bin/env bash

# Edit these two: the webroot your web server serves for the base domain, and the
# FreeMyIP update URL including your token (the hook appends &domain=...&txt=... to it).
WEBROOT_DIRECTORY="/var/www/html"
FREEMYIP_TOKEN="https://freemyip.com/update?token=YOUR_TOKEN"

# certbot sets CERTBOT_TOKEN only for http-01, so its presence selects the HTTP
# branch (base domain); dns-01 (the wildcard) falls through to the TXT update.
auth() {
    if [[ -v CERTBOT_TOKEN ]]; then
        mkdir -p "$WEBROOT_DIRECTORY/.well-known/acme-challenge/"
        echo "$CERTBOT_VALIDATION" > "$WEBROOT_DIRECTORY/.well-known/acme-challenge/$CERTBOT_TOKEN"
    else
        curl -s "$FREEMYIP_TOKEN&domain=_acme-challenge.$CERTBOT_DOMAIN&txt=$CERTBOT_VALIDATION"
        sleep 60   # give the new TXT record time to propagate before certbot asks Let's Encrypt to check it
    fi
}

cleanup() {
    if [[ -v CERTBOT_TOKEN ]]; then
        rm -f "$WEBROOT_DIRECTORY/.well-known/acme-challenge/$CERTBOT_TOKEN" || true
    else
        curl -s "$FREEMYIP_TOKEN&domain=_acme-challenge.$CERTBOT_DOMAIN&txt="
    fi
}

declare -A COMMANDS=(
    [auth]=auth
    [cleanup]=cleanup
)

# Dispatch on the first argument ("auth" or "cleanup"), defaulting to auth.
"${COMMANDS[${1:-auth}]:-${COMMANDS[auth]}}" "$@"
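As an added example (not the hook posted above, and not from anyone in this thread), the following variant of the same mixed http-01/dns-01 hook shows the hardening a practitioner would want before trusting it to unattended renewal: it checks CERTBOT_TOKEN before using it as a file name under the webroot, polls a resolver until the TXT record is actually visible instead of sleeping a fixed 60 seconds, and returns non-zero so certbot aborts rather than asking Let's Encrypt to validate a record that is not there. The FreeMyIP update URL, the webroot path, the timeouts and the helper names `freemyip_publish`/`dns_lookup_txt` are placeholders and assumptions for illustration; the publish and resolve steps are pluggable so the hook can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example, not the hook from the thread. Placeholders to edit are marked.
# Usage from certbot (hook path and domains are illustrative):
#   certbot certonly --manual --preferred-challenges http,dns \
#     --manual-auth-hook "/path/to/hook.sh auth" \
#     --manual-cleanup-hook "/path/to/hook.sh cleanup" -d example.test -d "*.example.test"

WEBROOT_DIRECTORY="${WEBROOT_DIRECTORY:-/var/www/html}"            # placeholder: webroot of the base domain
FREEMYIP_UPDATE="${FREEMYIP_UPDATE:-https://freemyip.com/update?token=REPLACE_ME}"  # placeholder: URL with your token
PUBLISH="${PUBLISH:-freemyip_publish}"     # <record name> <value>; an empty value clears the record
RESOLVER="${RESOLVER:-dns_lookup_txt}"     # <record name> -> TXT values, one per line
TXT_WAIT_SECONDS="${TXT_WAIT_SECONDS:-180}"
POLL_INTERVAL="${POLL_INTERVAL:-10}"

# certbot exports CERTBOT_TOKEN only for http-01; dns-01 gets CERTBOT_VALIDATION alone.
challenge_kind() {
    if [ -n "${CERTBOT_TOKEN:-}" ]; then echo http; else echo dns; fi
}

# The token becomes a file name under the webroot, so accept only the base64url
# alphabet ACME uses; anything else (slashes, dots, empty string) is refused.
valid_token() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+$'
}

# certbot passes the base name for "*.example.test" as well, so one rule serves both.
txt_record_name() { echo "_acme-challenge.$1"; }

# dns-01 values are base64url, so they need no URL-encoding. (Assumed URL shape.)
freemyip_publish() { curl -fsS "$FREEMYIP_UPDATE&domain=$1&txt=$2" >/dev/null; }
dns_lookup_txt()   { dig +short TXT "$1" | tr -d '"'; }

# Poll until the expected value is visible, otherwise fail: a non-zero exit makes
# certbot abort instead of asking Let's Encrypt to validate a record that is not there.
wait_for_txt() {
    local name="$1" expected="$2" waited=0
    while :; do
        if "$RESOLVER" "$name" | grep -Fxq "$expected"; then return 0; fi
        [ "$waited" -ge "$TXT_WAIT_SECONDS" ] && break
        sleep "$POLL_INTERVAL"
        waited=$((waited + POLL_INTERVAL))
    done
    echo "TXT $name did not show the expected value within ${TXT_WAIT_SECONDS}s" >&2
    return 1
}

auth() {
    local name
    case "$(challenge_kind)" in
        http)
            valid_token "$CERTBOT_TOKEN" || { echo "refusing unexpected token" >&2; return 1; }
            mkdir -p "$WEBROOT_DIRECTORY/.well-known/acme-challenge"
            printf '%s' "$CERTBOT_VALIDATION" > "$WEBROOT_DIRECTORY/.well-known/acme-challenge/$CERTBOT_TOKEN"
            ;;
        dns)
            name="$(txt_record_name "$CERTBOT_DOMAIN")"
            "$PUBLISH" "$name" "$CERTBOT_VALIDATION" && wait_for_txt "$name" "$CERTBOT_VALIDATION"
            ;;
    esac
}

cleanup() {
    case "$(challenge_kind)" in
        http) valid_token "$CERTBOT_TOKEN" && rm -f "$WEBROOT_DIRECTORY/.well-known/acme-challenge/$CERTBOT_TOKEN" ;;
        dns)  "$PUBLISH" "$(txt_record_name "$CERTBOT_DOMAIN")" "" ;;
    esac
}

# Dispatch on the first argument, as in --manual-auth-hook "/path/to/hook.sh auth".
main() {
    case "${1:-}" in
        auth)    auth ;;
        cleanup) cleanup ;;
        *) echo "usage: $0 auth|cleanup" >&2; return 2 ;;
    esac
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

The default resolver queries whatever `dig` uses locally, which may hold a cached negative answer from an earlier run; for a real deployment point `dns_lookup_txt` at the zone's authoritative server (`dig @<nameserver> +short TXT ...`) so the poll reflects what Let's Encrypt will see. Because certbot runs the auth hook once per name, in sequence, the single-TXT-record limit is never hit: only the wildcard name takes the DNS branch.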

Amazing help. Way better than my script. I was thinking of exactly such a solution, but gave up the idea thinking certbot wouldn't allow automatic renewal with both http and dns. Genius.

Thank you so much! The dry-run was successful!

