We’re using DNS-01 verification with Certbot and wondering if it’s possible to pause and later resume the process. From past discussions in 2023 (like this one), it seemed there were some limitations:
Single-session design – the whole process (challenge → verification → issuance) must complete in one run
No state persistence – you can’t generate the DNS TXT record, stop, and then resume later
Token regeneration – restarting Certbot usually produces a new DNS token instead of reusing the same one
No split workflow support – not designed for setups where DNS updates are managed externally and may take time to propagate
Our questions:
Is it possible today to generate a DNS challenge, wait for propagation, and then resume/complete verification without starting over?
If not, what are the current best practices for handling external DNS systems with longer propagation times?
This sounds like Manual DNS. Are you using --manual or not? It provides a pause before resuming.
Really manual DNS is only suitable for testing and emergency use, it shouldn't be your normal process. You can CNAME to a zone on an automated DNS provider if your existing DNS does not support automation.
[Regarding "token regeneration", starting a new order requires new challenge response values. In addition, newer ACME profiles have a short order lifetime, so manual updates that take hours or days are increasingly unlikely to work. You can use a different ACME client; there are many to choose from and some may provide more persistence.]
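To make the "new order means new challenge response values" point concrete, here is an added example (not code from this thread, from Certbot, or from any other ACME client) that derives the DNS-01 TXT value the way RFC 8555 section 8.4 specifies: base64url(SHA-256(token "." thumbprint)), where the thumbprint is the RFC 7638 thumbprint of the account key. The token is issued per challenge, so the TXT value cannot be reused across orders. The JWK and token in the test are constructed, not real account material.

```python
"""Derive the DNS-01 TXT record value for an ACME challenge (RFC 8555 section 8.4).

Added example, not code from the thread or from Certbot. It shows why the
TXT value changes with every order: it is a hash over the challenge token
(new per challenge) and the account key thumbprint (RFC 7638).
"""
import base64
import hashlib
import json
from typing import Dict, Tuple


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    public members only (lexically sorted, no whitespace). Optional members
    such as "alg" or "kid" are deliberately excluded."""
    required = {
        "RSA": ("e", "kty", "n"),
        "EC": ("crv", "kty", "x", "y"),
    }[jwk["kty"]]
    canonical = json.dumps(
        {k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True
    )
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: Dict[str, str]) -> str:
    """TXT value = base64url(SHA-256(keyAuthorization)), where
    keyAuthorization = token "." thumbprint."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def challenge_record(domain: str, token: str, jwk: Dict[str, str]) -> Tuple[str, str]:
    """Return (record name, TXT value) to publish for `domain`."""
    return f"_acme-challenge.{domain}", dns01_txt_value(token, jwk)
```

Because the token is part of the hash input, a client that wants a true pause/resume workflow would have to persist the token, the order URL and the account key together and finish before the order expires; regenerating any of them yields a different TXT value.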
Because Let's Encrypt walks the authoritative DNS tree directly, it is not subject to TTL propagation. Distributed DNS systems take some time to synchronize their servers worldwide, but less than a minute for that is common. I've seen some that can take 5-10 minutes. And, I once saw a system that took several hours.
Certbot, and other ACME clients, usually have a way to sleep and retry for some period of time to account for this lag. Some DNS systems, like Route53, have an API that checks the sync status of a change and so avoids the sleep/retry sequence.
Switching your DNS provider to one that performs more reasonably is one option.
Or, as webprofusion noted, set up a CNAME from the horribly slow system to one that performs better and offers an API for automating DNS challenges.
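The sleep-and-retry approach described above can be scripted as a Certbot `--manual-auth-hook`. The following is an added example (not from this thread or from Certbot) that publishes the record through a placeholder function and then polls each authoritative nameserver for the zone until every one of them serves the expected TXT value, which matches what the validator checks since it queries the authoritative servers rather than waiting for resolver TTLs. It assumes `dig` is installed and that you replace `publish_txt` with your provider's API call (or an acme-dns update); `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` are the environment variables Certbot exports to manual hooks. The lookup and sleep functions are injectable so the polling loop can be exercised offline.

```python
"""Certbot --manual-auth-hook that waits for the DNS-01 record to be visible.

Added example, not code from the thread or from Certbot. Certbot exports
CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook; the hook publishes the
TXT record through a placeholder function and then polls every authoritative
nameserver with `dig` (assumed installed) until each one serves the value.

Usage (assumes this file is saved as dns_auth_hook.py and is executable):
  certbot certonly --manual --preferred-challenges dns \
      --manual-auth-hook /path/to/dns_auth_hook.py -d example.com
"""
import os
import subprocess
import sys
import time
from typing import Callable, List, Optional


def publish_txt(name: str, value: str) -> None:
    """PLACEHOLDER: replace with your DNS provider's API or acme-dns update."""
    print(f"would publish TXT {name} -> {value}", file=sys.stderr)


def dig_short(rtype: str, name: str, server: Optional[str] = None) -> List[str]:
    """Run `dig +short` and return the non-empty answer lines."""
    cmd = ["dig", "+short", rtype, name + "."]
    if server:
        cmd.append("@" + server)
    out = subprocess.run(cmd, capture_output=True, text=True, timeout=15).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]


def authoritative_ns(name: str) -> List[str]:
    """NS set of the closest enclosing zone, found by walking up the labels
    (e.g. _acme-challenge.www.example.com -> www.example.com -> example.com)."""
    labels = name.split(".")
    for i in range(len(labels)):
        ns = dig_short("NS", ".".join(labels[i:]))
        if ns:
            return [n.rstrip(".") for n in ns]
    return []


def txt_values_at(server: str, name: str) -> List[str]:
    """TXT strings served by one nameserver, with dig's surrounding quotes removed."""
    return [v.strip('"') for v in dig_short("TXT", name, server)]


def wait_for_txt(name: str, value: str, servers: List[str],
                 tries: int = 30, delay: float = 10.0,
                 lookup: Callable[[str, str], List[str]] = txt_values_at,
                 sleep: Callable[[float], None] = time.sleep) -> bool:
    """Poll until every server in `servers` returns `value`.

    Returns False if some server still lacks the record after `tries`
    attempts; `lookup` and `sleep` are injectable for offline testing.
    """
    for attempt in range(tries):
        missing = [s for s in servers if value not in lookup(s, name)]
        if not missing:
            return True
        print(f"attempt {attempt + 1}/{tries}: not yet visible on {missing}",
              file=sys.stderr)
        sleep(delay)
    return False


def main() -> int:
    domain = os.environ["CERTBOT_DOMAIN"]
    value = os.environ["CERTBOT_VALIDATION"]
    name = f"_acme-challenge.{domain}"
    publish_txt(name, value)
    servers = authoritative_ns(name)
    if not servers:
        print(f"no authoritative nameservers found for {name}", file=sys.stderr)
        return 1
    if not wait_for_txt(name, value, servers):
        print("record still not visible on all nameservers; aborting", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Exiting non-zero from the hook makes Certbot abort the attempt instead of submitting a challenge the CA would fail, which is the safer failure mode with a slow provider. If your zone is delegated via CNAME to an automated provider, point `publish_txt` and the polling at the delegated zone's name and nameservers rather than at the slow one.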
It is not possible to pause/resume the process in Certbot due to the single-run/state issues you noted.
You can leverage --manual, but that makes renewal a complete pain.
The best option is usually to delegate the _acme-challenge records to a secondary provider - like a self-hosted instance of "acme-dns", or a commercial vendor that does not have propagation times.
Other ACME clients may be more flexible for your needs.
For right now, try 'certbot renew --force-interactive --debug-challenge'? Not sure if it'd work on the DNS challenge, but worth a try. Looking at the option, you can't automate this (need to press the d key to pass).