Certbot creates new certificate but does not display token for _acme-challenge TXT record update

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
certbot -d $DOMAIN -d $WILDCARD --manual --preferred-challenges dns certonly

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate


  • Congratulations! Your certificate and chain have been saved at:
    Your key file has been saved at:
    Your cert will expire on 2020-04-16. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

Which gives me the problem that I don’t know what values to set acme_challenge TXT records to be in DNS config

My web server is (include version):
AWS Lightsail Wordpress instance of
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-1099-aws x86_64)
*** System restart required ***
___ _ _ _
| _ |) | _ _ __ _ _ __ ()
| _ \ | | ’ / ` | ’ | |

*** Welcome to the Bitnami WordPress 5.1.1-2 ***
*** Documentation: https://docs.bitnami.com/aws/apps/wordpress/ ***
*** https://docs.bitnami.com/aws/ ***
*** Bitnami Forums: https://community.bitnami.com/ ***

The operating system my web server runs on is (include version):
Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-1099-aws x86_64)

My hosting provider, if applicable, is:
AWS Lightsail wordpress instance

I can login to a root shell on my machine (yes or no, or I don’t know):
Standard Admin account created as part of AWS instance

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
CMD line access

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

Hi @alanhsmith

you have already created a lot of certificates - https://check-your-website.server-daten.de/?q=longbar.co.uk#ct-logs

Issuer not before not after Domain names LE-Duplicate next LE
Let’s Encrypt Authority X3 2020-01-17 2020-04-16 *.longbar.co.uk, longbar.co.uk
2 entries duplicate nr. 2
Let’s Encrypt Authority X3 2020-01-16 2020-04-15 *.longbar.co.uk, longbar.co.uk
2 entries duplicate nr. 1
Let’s Encrypt Authority X3 2020-01-10 2020-04-09 *.longbar.co.uk, longbar.co.uk
2 entries
Let’s Encrypt Authority X3 2020-01-10 2020-04-09 *.longbar.co.uk, longbar.co.uk
2 entries
Let’s Encrypt Authority X3 2020-01-10 2020-04-09 *.longbar.co.uk, longbar.co.uk
2 entries
Let’s Encrypt Authority X3 2020-01-10 2020-04-09 *.longbar.co.uk, longbar.co.uk
2 entries

Positive results are 30 days cached, so you don’t need a new token.

Please install one of these certificates instead of creating certificates again and again.

Create one certificate, then use it 60 - 85 days, then create the next.

Hi @JuergenAuer thanks for the prompt reply
Yes I have the problem that I am creating certificates but dont know how to see the associated token value to set up the DNS TXT _acme-challenge records because certbot has stopped displaying them and I dont know how else to see them despite searches of the documentation. So as a result I have been trying revokes and deletes etc to try and reset the status so that certbot displays the value.
Is there a tool for check the _acme-challenge value that should be associated with a certificate?
Thanks again

After successfully validated a domain, no need to re-validate it for a month for the same account, so no new DNS challenge will be asked for.

It is a questionable practice to generate multiple certificates one after the other. If you have the certificate, you just use it. The recommended way that you generate precisely one, and only generate a new one after two months elapsed.

If you generate multiple instance of a certificate, you may even risk to hit the rate limit.

Hi @bruncsac
Can’t use certificate
Any of them
Because I can’t set up new dns challenge

To use a certificate there is no need of DNS challenge. You just include the certificate (probably the full chain) and its associated private key into the configuration of the service (HTTPS, POPS, IMAPS, SMTPS and so on).

Please read some basics:

Then something about challenge types:

If you have a certificate, then use it. And you have some certificates created.

You mix completely different things.

Ok guys you were absolutely right and separating the two issues I have stepped through and completed the renew cycle using the latest certificate and the site is now back live.

Only problem is I dont know what to set the DNS _acme-challenge TXT records to before the next DNS challenge. Is it possible to derive the token value?

Thanks again


New certificate order -> new token -> new TXT entry.

Ok thanks, I’ll wait till new certificate is required and see if Cerbot gives me a new token next time.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.