Certbot DNS challenge not generating a challenge

No DNS challenge sent or generated, just ends with error

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
*.examplesite.ng
I ran this command:
certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns -d \*.examplesite.ng (not the real domain)
It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for *.examplesite.ng
Performing the following challenges:
dns-01 challenge for examplesite.ng
Running manual-auth-hook command: /etc/letsencrypt/acme-dns-auth.py
Waiting for verification...
Challenge failed for domain examplesite.ng
dns-01 challenge for examplesite.ng
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: examplesite.ng
    Type: unauthorized
    Detail: No TXT record found at _acme-challenge.examplesite.ng

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version):
No web server, attempting to use DNS manually for HAProxy
The operating system my web server runs on is (include version):
CentOS 7
My hosting provider, if applicable, is:
garanntor.com
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot --version
certbot 1.11.01

Your thread title says "Certbot DNS challenge not generating a challenge", but it's actually the script at /etc/letsencrypt/acme-dns-auth.py that is responsible for putting the challenge in your DNS. And that script is not part of certbot. Are you sure the script is functioning properly?

You could use --debug-challenges to see if the TXT record has been added to your DNS zone. Depending on your DNS provider, this could take a few seconds, a few minutes or even longer.
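As an added illustration of the point above (this is example code, not the acme-dns-auth.py script from the thread or any certbot code): a minimal `--manual-auth-hook` that, after publishing the record, polls DNS until the TXT value is actually visible before returning to certbot. Certbot hands the hook two documented environment variables, `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION`; the log above shows the wildcard being validated at the base name, and the helper strips a leading `*.` either way. The `publish_placeholder` function and the use of `dig` for lookups are assumptions; the provider API call is exactly the part you would have to supply for your DNS host.

```python
#!/usr/bin/env python3
"""Added example: a certbot --manual-auth-hook that verifies its own work.

certbot runs the hook once per dns-01 challenge with CERTBOT_DOMAIN (the name
being validated) and CERTBOT_VALIDATION (the token that must appear in a TXT
record at _acme-challenge.<domain>).  If the hook returns before that record
is resolvable, certbot asks Let's Encrypt to validate too early and the
result is "No TXT record found at _acme-challenge.<domain>".
"""
import os
import subprocess
import sys
import time
from typing import Callable, List


def challenge_record_name(domain: str) -> str:
    """Map a requested name to the record Let's Encrypt will look up.
    A wildcard *.example.ng is validated at _acme-challenge.example.ng."""
    if domain.startswith("*."):
        domain = domain[2:]
    return "_acme-challenge." + domain.rstrip(".")


def dig_txt(name: str) -> List[str]:
    """Query TXT records with `dig +short` (bind-utils on CentOS 7; assumed
    installed) and return the unquoted strings, one per record."""
    proc = subprocess.run(["dig", "+short", "TXT", name],
                          stdout=subprocess.PIPE, universal_newlines=True,
                          check=False)
    values = []
    for line in proc.stdout.splitlines():
        line = line.strip()
        # ACME tokens fit in a single quoted string, so one "..." per line.
        if len(line) >= 2 and line[0] == '"' and line[-1] == '"':
            values.append(line[1:-1])
    return values


def wait_for_txt(name: str, expected: str,
                 lookup: Callable[[str], List[str]] = dig_txt,
                 timeout: float = 120.0, interval: float = 5.0,
                 sleep: Callable[[float], None] = time.sleep) -> bool:
    """Poll `lookup` until `expected` is among the TXT values at `name`.
    Returns True when seen, False after timeout/interval attempts."""
    attempts = int(timeout // interval) + 1
    for attempt in range(attempts):
        if expected in lookup(name):
            return True
        if attempt < attempts - 1:
            sleep(interval)
    return False


def publish_placeholder(name: str, value: str) -> None:
    """Hypothetical stand-in: replace with your DNS provider's API call."""
    print("would create TXT %s = %s" % (name, value), file=sys.stderr)


def run_hook(env: dict, publish: Callable[[str, str], None],
             lookup: Callable[[str], List[str]] = dig_txt,
             sleep: Callable[[float], None] = time.sleep) -> int:
    """Hook body with its inputs injected so it can be exercised offline.
    Exit code 0 only once the record is visible; non-zero makes the failure
    show up in certbot's own output instead of as a later "unauthorized"."""
    domain = env.get("CERTBOT_DOMAIN")
    token = env.get("CERTBOT_VALIDATION")
    if not domain or not token:
        print("CERTBOT_DOMAIN / CERTBOT_VALIDATION not set; "
              "this script is meant to run via certbot --manual-auth-hook",
              file=sys.stderr)
        return 2
    name = challenge_record_name(domain)
    publish(name, token)
    if not wait_for_txt(name, token, lookup=lookup, sleep=sleep):
        print("TXT record %s with value %s never became visible"
              % (name, token), file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(run_hook(dict(os.environ), publish_placeholder))
```

Running it under `--debug-challenges` still makes sense: certbot pauses after the hook returns, which gives you a second chance to check the record with `dig` before validation is requested.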

Ok thanks, I must be mistaken, I was following a DigitalOcean blog.
What's the correct command invocation to use?

If you're really, really sure you want a certificate with the manual DNS challenge, you could just remove the --manual-auth-hook option altogether.

Note that this is not recommended, as Let's Encrypt certificates are only valid for 90 days and a fully manual challenge cannot be automated when you're required to renew.

Do you actually require the wildcard? If not you could use the standalone plugin in combination with HAProxy. See for example the following guide: LetsEncrypt with HAProxy | Servers for Hackers (Note: you shouldn't follow guides literally, but always take one step at a time and think about if you require that step in the first place [for example, you already have certbot installed, so you wouldn't need to follow the installation step of this guide] and if the step maybe needs to be augmented a little bit to fit in your situation).

If you do require the wildcard, there might be a specific DNS plugin for certbot available for your DNS provider. See the certbot documentation for a list of DNS plugins: User Guide — Certbot 1.15.0.dev0 documentation

If your DNS provider isn't in the list of certbot DNS plugins, there might be a script for your DNS provider available for acme.sh. See its DNS plugins at acme.sh/dnsapi at master · acmesh-official/acme.sh · GitHub. It might be possible to rewrite one of those scripts to be used by certbot. Or you might choose to switch ACME client from certbot to acme.sh altogether.

Thanks! The HAProxy guide was very helpful.
