Certbot dns manual mode, challenge txt changes every run


#1

Hello,
Is there any way to get certbot to use the same challenge on subsequent runs?

For example, after waiting a while for my DNS to finally be updated, I finally hit Enter to continue on certbot and then due to slow internet I have a connection failure and certbot quits with a ReadTimeout exception.

I then run the certbot command again but get given a different challenge TXT and so I have to go through that process all over again. It’s very frustrating.

Is there any flag to force certbot to not generate a new challenge if the old one is still valid?

It would also save having to check that my domain provider had updated their nameservers too, if I could re-run the command.


#2

Hi @asgh4dvx,

This might be possible in principle using the ACME protocol that Let’s Encrypt uses, but Certbot doesn’t have any code to support this.

I think this is the core problem, because we’re not prepared to handle this situation well in connection with the manual authenticator.

Is there any way that you could run Certbot on a machine with a better Internet connection, or use a DNS API or authenticator script to update the DNS records?
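The waiting-for-DNS step in #1 and the authenticator-script idea in #2 can be combined into a small propagation check. The script below is an added example, not code from certbot, Let's Encrypt or either poster: while certbot's manual prompt is waiting, run it in a second terminal with the domain and the validation string certbot displayed, and only press Enter once it exits 0. The file name check-txt.sh, the domain example.com and the validation string are placeholders; it assumes `dig` is installed and that the name you pass is the zone apex (for a delegated subdomain, pass the delegated name).

```shell
#!/bin/sh
# Added example (not certbot's or Let's Encrypt's code): poll every authoritative
# nameserver of a zone until the _acme-challenge TXT record carries the token
# certbot showed you, so you only press Enter once propagation is real.
# Assumes `dig` (bind-utils/dnsutils) is installed and that the zone apex is the
# domain passed as $1 (for a delegated subdomain, pass the delegated name).
#
# Usage, in a second terminal while certbot --manual waits at its prompt:
#   ./check-txt.sh example.com PLACEHOLDER_VALIDATION_STRING

# txt_has_token EXPECTED DIG_OUTPUT
# `dig +short TXT` prints each value as a quoted string, one per line; succeed
# only when one line is exactly "EXPECTED". A stale value from an earlier run,
# or a value that merely contains the token, does not count.
txt_has_token() {
  printf '%s\n' "$2" | grep -qxF "\"$1\""
}

# authoritative_ns ZONE -> the zone's NS hostnames, one per line.
# Ask the authoritative servers directly: a local recursive resolver may keep
# serving a cached "no such record" answer long after the provider updated.
authoritative_ns() {
  dig +short NS "$1" | sed 's/\.$//'
}

# wait_for_txt ZONE TOKEN [MAX_TRIES] [SLEEP_SECONDS]
# Returns 0 once every authoritative server answers with TOKEN, 1 on timeout.
wait_for_txt() {
  zone="$1"; token="$2"; max_tries="${3:-30}"; pause="${4:-10}"
  name="_acme-challenge.$zone"
  servers="$(authoritative_ns "$zone")"
  if [ -z "$servers" ]; then
    echo "no NS records found for $zone (is it the zone apex?)" >&2
    return 1
  fi
  for ns in $servers; do
    tries=0
    until txt_has_token "$token" "$(dig +short TXT "$name" "@$ns")"; do
      tries=$((tries + 1))
      if [ "$tries" -ge "$max_tries" ]; then
        echo "timeout: $ns still does not serve $name = $token" >&2
        return 1
      fi
      echo "waiting for $ns (try $tries/$max_tries)" >&2
      sleep "$pause"
    done
    echo "$ns serves the expected TXT record" >&2
  done
  return 0
}

# Only act when invoked with arguments, so the functions can also be sourced.
if [ "$#" -ge 2 ]; then
  wait_for_txt "$@"
fi
```

Querying each authoritative server rather than your usual resolver is the point of the check: Let's Encrypt validates against the authoritative servers, so a cached answer from a local resolver tells you nothing about whether the challenge will pass, and an exact-match comparison keeps a TXT value left over from a previous run from being mistaken for the current one.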


#3

Thanks for the confirmation.

Weirdly, I ran the command again today and it DID use the same TXT challenge, and verified successfully!

Perhaps it does re-use it when there was a connection failure, then. I swear it never gave the same token before (but then this is the first time I experienced the connection failure, other times I just re-ran the command to see if the DNS had updated and it would validate)…

Anyway, thanks for the great service.

I will look into more automated ways in the future, but for this particular project at this time the manual method is simply the least work.

(I will have multiple servers behind a single domain name, I don’t want each server to generate a duplicate certificate in case I run into rate limits or the rate limits are ever reduced, so I have to generate the certificate in one place and deploy to other servers. And for now, it’s easiest to do that on my development machine and deploy the certificates as part of my regular deployment process. And, since this is a manual process anyway, using the DNS API wouldn’t really add too much, if I moved to a registrar that supported it).

In the longer term I think I need some kind of master server which generates the certificates and then my other servers connect to it and download them when necessary. But that’s a bit of work 🙂