Certbot Auto renew without HTTP and without TLS-SNI-01


i am new here and i can not renew my certificate due the disabled TLS-SNI-01.

My firewall and my webserver only listen to port 443, any suggestions how to get this working again? webroot needs http port 80 which i do not want to open.

Thanks in advanced.



The http-01 challenge must be sent on port 80 (though it will follow redirects to 443). Unless you can do this, it is not an option for you.

The remaining option is the dns-01 challenge (--preferred-challenges dns-01). For automatic renewal using this challenge, Certbot supports a number of DNS providers and you also have the option of providing script hooks to automatically perform the DNS validation updates.

hi, thx…

i checked the dns-01 option and getting this:

None of the preferred challenges are supported by the selected plugin

It is probably relating to the way you are invoking Certbot.

Could you show your command, as well as your /etc/letsencrypt/renewal/xxx.conf file for the domain?


/usr/sbin/certbot-auto --preferred-challenges dns-01

# renew_before_expiry = 30 days
version = 0.19.0
archive_dir = /etc/letsencrypt/archive/XXX.firewall-gateway.de
cert = /etc/letsencrypt/live/XXX.firewall-gateway.de/cert.pem
privkey = /etc/letsencrypt/live/XXX.firewall-gateway.de/privkey.pem
chain = /etc/letsencrypt/live/XXX.firewall-gateway.de/chain.pem
fullchain = /etc/letsencrypt/live/XXX.firewall-gateway.de/fullchain.pem

# Options used in the renewal process
authenticator = apache
installer = apache
account = 12345807bf2af52d3X3466fd0b4f6d4c

Do you control the DNS for XXX.firewall-gateway.de, or whatever the real domain is?

To do a manual request for a cert using dns-01:

certbot-auto certonly --preferred-challenges dns \
--manual --manual-public-ip-logging-ok \
-d XXX.firewall-gateway.de

In order to automate this, you would need to either use one of the DNS plugins implemented by Certbot (assuming your nameservers are compatible with one of them) or provide scripts to implement the DNS updates for the domain validation.

thx for the fast responsed... i control the DNS record yes, but i can only control the A (AAAA) records and not the TXT records...

If you can put a CNAME record, then you can point the _acme-challenge record to another domain for which you can control the TXT record.

Otherwise I think you are out of luck :frowning: .

sry, no only A record…

ok, but thank you for your time! maybe there will be a solution in the future :slight_smile:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.