Certbot-dns-multi for dns-lego fails with request for two domains

guntbert · May 5, 2026, 8:13pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
Started the LetsEncrypt-Addon in homeassisant (OS) with the following configuration

keyfile: privkey.pem
certfile: fullchain.pem
challenge: dns
dns:
  provider: dns-lego
  lego_provider: hurricane
  lego_env:
    - >-
      HURRICANE_TOKENS=homeassistant.guntbert.net:*redacted*,
      ha.guntbert.net:*redacted*
domains:
  - homeassistant.guntbert.net
  - ha.guntbert.net
email: *redacted*@fastmail.com
verbose: true
dry_run: true
force_renew: true

It produced this output:

s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
cont-init: info: running /etc/cont-init.d/file-structure.sh
cont-init: info: /etc/cont-init.d/file-structure.sh exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun lets-encrypt (no readiness notification)
s6-rc: info: service legacy-services successfully started
[18:15:13] INFO: Selected DNS Provider: dns-lego
[18:15:13] INFO: Use propagation seconds: 60
[18:15:13] INFO: Using certbot-dns-multi for dns-lego
[18:15:13] INFO: Using custom lego provider from config: hurricane
[18:15:13] INFO: Detecting existing certificate type for homeassistant.guntbert.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
[18:15:17] INFO: Existing certificate using 'ecdsa' key type.
Root logging level set at 0
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requested authenticator dns-multi and installer None
Single candidate plugin: * dns-multi
Description: Obtain certificate using any of lego's supported DNS providers
Interfaces: Authenticator, Plugin
Entry point: EntryPoint(name='dns-multi', value='certbot_dns_multi._internal.dns_multi:Authenticator', group='certbot.plugins')
Initialized: <certbot_dns_multi._internal.dns_multi.Authenticator object at 0x7f54eacfc1a0>
Prep: True
Selected authenticator <certbot_dns_multi._internal.dns_multi.Authenticator object at 0x7f54eacfc1a0> and installer None
Plugins selected: Authenticator dns-multi, Installer None
Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-staging-v02.api.letsencrypt.org/acme/acct/286815604', new_authzr_uri=None, terms_of_service=None), 841fd6fbbf2a020a77525a17220bda64, Meta(creation_dt=datetime.datetime(2026, 4, 26, 16, 24, 34, tzinfo=datetime.timezone.utc), creation_host='core-letsencrypt.local.hass.io', register_to_eff=None))>
Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org:443
https://acme-staging-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 1107
Received response:
HTTP 200
Server: nginx
Date: Tue, 05 May 2026 16:15:19 GMT
Content-Type: application/json
Content-Length: 1107
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "profiles": {
      "classic": "https://letsencrypt.org/docs/profiles#classic",
      "shortlived": "https://letsencrypt.org/docs/profiles#shortlived",
      "tlsclient": "https://letsencrypt.org/docs/profiles#tlsclient",
      "tlsserver": "https://letsencrypt.org/docs/profiles#tlsserver"
    },
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-staging-v02.api.letsencrypt.org/acme/renewal-info",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert",
  "yo8CY_VEDHg": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
}
Notifying user: Simulating renewal of an existing certificate for homeassistant.guntbert.net and ha.guntbert.net
Simulating renewal of an existing certificate for homeassistant.guntbert.net and ha.guntbert.net
Requesting fresh nonce
Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce.
https://acme-staging-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
Received response:
HTTP 200
Server: nginx
Date: Tue, 05 May 2026 16:15:19 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: UgjRmL47YxqI2hOvh3X9a-rZm06M8SbkqUBksqbTuPItQztkx68
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Storing nonce: UgjRmL47YxqI2hOvh3X9a-rZm06M8SbkqUBksqbTuPItQztkx68
JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "homeassistant.guntbert.net"\n    },\n    {\n      "type": "dns",\n      "value": "ha.guntbert.net"\n    }\n  ]\n}'
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8yODY4MTU2MDQiLCAibm9uY2UiOiAiVWdqUm1MNDdZeHFJMmhPdmgzWDlhLXJabTA2TThTYmtxVUJrc3FiVHVQSXRRenRreDY4IiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciJ9",
  "signature": "hAZoRGtu3bvJzqsOzHN1T9rlj86pdTDegcVEOie7H-icPCEztzBzdjNqs7ShLcHbZfCWX8lYJvMnx8n8DRfAfOK2NZwXD-JkSwgnpOn4ACadlo83kJ0DxqQ6yBAHgJxrmg7JtVuZ6j6-Qws_sywqiGsrjvEB5QLxFihe9_YbYp6seM95Os4xUCAlzVYbg0F9ybTHcQ3gHnc8P8A62nDxdfkrT0zgL70uad7eOwCV0CwAd5VBK57SjoJwtqP55DN66zCWcKeyLSB2KjeoBYM-tbKRdpQ0tYNWibEBf4GOjKJXX4yF4hH4oHXrwZ5wEJumOjvIKE7-hFkfsRrSdzH8PA",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImhvbWVhc3Npc3RhbnQuZ3VudGJlcnQubmV0IgogICAgfSwKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImhhLmd1bnRiZXJ0Lm5ldCIKICAgIH0KICBdCn0"
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 521
Received response:
HTTP 201
Server: nginx
Date: Tue, 05 May 2026 16:15:19 GMT
Content-Type: application/json
Content-Length: 521
Connection: keep-alive
Boulder-Requester: 286815604
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/286815604/37199356964
Replay-Nonce: UgjRmL47Xv5tDqKQMmx2dH4iv8FYnhuywlz29ZV0fz3rsEVomqM
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
  "status": "pending",
  "expires": "2026-05-12T16:15:19Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "ha.guntbert.net"
    },
    {
      "type": "dns",
      "value": "homeassistant.guntbert.net"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz/286815604/847078274",
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz/286815604/1031286064"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/286815604/37199356964"
}
Storing nonce: UgjRmL47Xv5tDqKQMmx2dH4iv8FYnhuywlz29ZV0fz3rsEVomqM
JWS payload:
b''
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/286815604/847078274:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8yODY4MTU2MDQiLCAibm9uY2UiOiAiVWdqUm1MNDdYdjV0RHFLUU1teDJkSDRpdjhGWW5odXl3bHoyOVpWMGZ6M3JzRVZvbXFNIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LzI4NjgxNTYwNC84NDcwNzgyNzQifQ",
  "signature": "vBXdRNraO-3hXJsTYm5YIgDefY9GM8buAc33cTqYa-mjYMBCOuNUbhB96_4mK2uBrEUH-0Kg2DnGfYHDPfalKkLfRZepqWPzCqgjGSj4pmX4LclWIrYQXmfY149Jy5ndXUdzvj4sll1oF8XbRCrKNtr9X4A23hp7xxjbP8AAGhcEElRX2TGP6Xq9GqpOjdzyPbcj1l3e4IGZaD5dT21nkiPlBBjnQ15QR5SvtDaTjSlNmPzGRPQcNayle6kLhb6wiUT9Ze7k_qvNsiqH8Hif4rSPxTVPMKuKGkeCIeuqVzqMypvmAUb7B55s4Sp74_Mw2cf0CyIG1-x8i0zGSfZB0Q",
  "payload": ""
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz/286815604/847078274 HTTP/1.1" 200 568
Received response:
HTTP 200
Server: nginx
Date: Tue, 05 May 2026 16:15:20 GMT
Content-Type: application/json
Content-Length: 568
Connection: keep-alive
Boulder-Requester: 286815604
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: H6izflzsmBmc7SWicH1Jt1Uq8p4oOzOJ511Ej_tOiFvhU2wdA2I
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
  "identifier": {
    "type": "dns",
    "value": "homeassistant.guntbert.net"
  },
  "status": "valid",
  "expires": "2026-05-27T17:16:34Z",
  "challenges": [
    {
      "type": "dns-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/286815604/847078274/DayjaQ",
      "status": "valid",
      "validated": "2026-04-27T17:16:34Z",
      "token": "_2L9plIkvod1R-f_LtjTtGTHL2eFg5S6ubGbUnIx9ow",
      "validationRecord": [
        {
          "hostname": "homeassistant.guntbert.net",
          "addressUsed": ""
        }
      ]
    }
  ]
}
Storing nonce: H6izflzsmBmc7SWicH1Jt1Uq8p4oOzOJ511Ej_tOiFvhU2wdA2I
JWS payload:
b''
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/286815604/1031286064:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8yODY4MTU2MDQiLCAibm9uY2UiOiAiSDZpemZsenNtQm1jN1NXaWNIMUp0MVVxOHA0b096T0o1MTFFal90T2lGdmhVMndkQTJJIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LzI4NjgxNTYwNC8xMDMxMjg2MDY0In0",
  "signature": "q5fus8ArbLe-KlEPdpb74RtoqqJ4qaA1i9LHnc9ZK9s_IA5CDa6Ay9UfUPxLJVEy3RZGJERpB1xShIbjwqBx72hCE1phq_D4Zjtay5HR2lnmUOINUGePsUOZJ4pgXcxyksJ5OZxWvEsdPhJg5vN4sJ-zABSQWqlHgm0I9WUAeFDJZHJfOlGPwk3b4Zx_YPd7YN5jZRcmyUGtGmTYVaQTbr4sxtzsd_FPDOqqw1G3XMTSzEL3dL3SjyG4K-jimyTmaiRx4LSWbo1jXxYuq9i53TUpVJyBoJhL7q5w4UzwanbV25i_sUQlEP61qqYC3cnaY3k9L1dXCv1_3llBWoGk7w",
  "payload": ""
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz/286815604/1031286064 HTTP/1.1" 200 1075
Received response:
HTTP 200
Server: nginx
Date: Tue, 05 May 2026 16:15:20 GMT
Content-Type: application/json
Content-Length: 1075
Connection: keep-alive
Boulder-Requester: 286815604
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: UgjRmL47Bv_PuZQfpUNsRS4XE5WW07PeQdLLLP-9h9-6CNRM2g0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
  "identifier": {
    "type": "dns",
    "value": "ha.guntbert.net"
  },
  "status": "pending",
  "expires": "2026-05-12T16:15:19Z",
  "challenges": [
    {
      "type": "dns-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/286815604/1031286064/JBi7nA",
      "status": "pending",
      "token": "drp_vaEven65W4WFc3e8MB2O2y3Q79-T-ambEYICIx4"
    },
    {
      "type": "tls-alpn-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/286815604/1031286064/tl7fLQ",
      "status": "pending",
      "token": "drp_vaEven65W4WFc3e8MB2O2y3Q79-T-ambEYICIx4"
    },
    {
      "type": "dns-persist-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/286815604/1031286064/kPAhXg",
      "status": "pending",
      "issuer-domain-names": [
        "letsencrypt.org"
      ]
    },
    {
      "type": "http-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/286815604/1031286064/nc6V3g",
      "status": "pending",
      "token": "drp_vaEven65W4WFc3e8MB2O2y3Q79-T-ambEYICIx4"
    }
  ]
}
Storing nonce: UgjRmL47Bv_PuZQfpUNsRS4XE5WW07PeQdLLLP-9h9-6CNRM2g0
dns-persist-01 was not recognized, full message: {'type': 'dns-persist-01', 'url': 'https://acme-staging-v02.api.letsencrypt.org/acme/chall/286815604/1031286064/kPAhXg', 'status': 'pending', 'issuer-domain-names': ['letsencrypt.org']}
JWS payload:
b'{\n  "status": "deactivated"\n}'
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/286815604/847078274:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8yODY4MTU2MDQiLCAibm9uY2UiOiAiVWdqUm1MNDdCdl9QdVpRZnBVTnNSUzRYRTVXVzA3UGVRZExMTFAtOWg5LTZDTlJNMmcwIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LzI4NjgxNTYwNC84NDcwNzgyNzQifQ",
  "signature": "dTUO4STQo6j9TNXRq67jTiLLMFGZ9SE-WswUVx0FcqmPfSmq1XXVhjIMGmAJYLg1taASUEw_6nKFDBTGCg9uVXlSsK8kGFipdBye1kY8YO_z0yh7Y2fg9Z_tBKqNqS7sVcYyANBrocRtiubAUPS3cfLiRjsZAohC0_jFjdl0ArAy2NxPfne-eYsCdDOgVu_xU7TfD5GktHHjPOhiTwfkR3pdXQOjySyVn5a3345o510Q3uJ1R_aV-yyZBe-IBfn1D8Jm7yCjDYqjZ62uE8hjnARvL3UUi9ioQX9RD5NHCSgzgunbvTwtUwqjXEm036p8em_kWdKk9A_9PCoPJBGZww",
  "payload": "ewogICJzdGF0dXMiOiAiZGVhY3RpdmF0ZWQiCn0"
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz/286815604/847078274 HTTP/1.1" 200 574
Received response:
HTTP 200
Server: nginx
Date: Tue, 05 May 2026 16:15:20 GMT
Content-Type: application/json
Content-Length: 574
Connection: keep-alive
Boulder-Requester: 286815604
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: H6izflzs8KoF6tI-0rz27bMGlVtSDbPyjPdoPVhr2Bgev64HyDI
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
  "identifier": {
    "type": "dns",
    "value": "homeassistant.guntbert.net"
  },
  "status": "deactivated",
  "expires": "2026-05-27T17:16:34Z",
  "challenges": [
    {
      "type": "dns-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/286815604/847078274/DayjaQ",
      "status": "valid",
      "validated": "2026-04-27T17:16:34Z",
      "token": "_2L9plIkvod1R-f_LtjTtGTHL2eFg5S6ubGbUnIx9ow",
      "validationRecord": [
        {
          "hostname": "homeassistant.guntbert.net",
          "addressUsed": ""
        }
      ]
    }
  ]
}
Storing nonce: H6izflzs8KoF6tI-0rz27bMGlVtSDbPyjPdoPVhr2Bgev64HyDI
Recreating order after authz deactivations
JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "homeassistant.guntbert.net"\n    },\n    {\n      "type": "dns",\n      "value": "ha.guntbert.net"\n    }\n  ]\n}'
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8yODY4MTU2MDQiLCAibm9uY2UiOiAiSDZpemZsenM4S29GNnRJLTByejI3Yk1HbFZ0U0RiUHlqUGRvUFZocjJCZ2V2NjRIeURJIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciJ9",
  "signature": "ZPAScO4epbk-_Kv60wEpkVTRG9s4tnPODwlqVCBVBQK8RPka7xn68DjhGfcjYb24jrbcOvWGim_MR9rNg173N_0eqryGBgYJJNvJgeov1DlFcjmnLAyxWry6K92wM0B_3YEvt_2sroOKiZ5bUL-h7IJ9NBwiZBDnyE-O_eCOoQ0fFaTijwNzIBnfxrgPm3LPrCV6HDH0bcz7FbK0Ckb0JsILC8tfrS6XTf2Lz4OtdsvZEUZ0utjbonaqQ2W0dWIBnyTTOXW96fJHcOR-52B001PQI1ssjiHEtXhfl97kb2BZr8unA_Zq1OGwtPHIXp1e2FYmNYanc9TCjwyAMC41Rg",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImhvbWVhc3Npc3RhbnQuZ3VudGJlcnQubmV0IgogICAgfSwKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImhhLmd1bnRiZXJ0Lm5ldCIKICAgIH0KICBdCn0"
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 522
Received response:
HTTP 201
Server: nginx
Date: Tue, 05 May 2026 16:15:20 GMT
Content-Type: application/json
Content-Length: 522
Connection: keep-alive
Boulder-Requester: 286815604
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/286815604/37199358494
Replay-Nonce: UgjRmL47iWyj9eizrpGITBlMXwnvEbsHw8l3G28zcz4huRDkxeI
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
  "status": "pending",
  "expires": "2026-05-12T16:15:20Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "ha.guntbert.net"
    },
    {
      "type": "dns",
      "value": "homeassistant.guntbert.net"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz/286815604/1031286514",
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz/286815604/1031286524"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/286815604/37199358494"
}
Storing nonce: UgjRmL47iWyj9eizrpGITBlMXwnvEbsHw8l3G28zcz4huRDkxeI
JWS payload:
b''
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/286815604/1031286514:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8yODY4MTU2MDQiLCAibm9uY2UiOiAiVWdqUm1MNDdpV3lqOWVpenJwR0lUQmxNWHdudkVic0h3OGwzRzI4emN6NGh1UkRreGVJIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LzI4NjgxNTYwNC8xMDMxMjg2NTE0In0",
  "signature": "tTtYHAhdkZHfoYnrYLpYQw1jzooEDak6F8f5S4waJyq66LvlIRG0fabeMtmgjjtBUmkb7IEOXBpEcBi14F_ttK9BBGXbmHtLbjG4AOwwnuWRMJLHejzTwbvzPLDjIvGRKJqnJgugm-XtIZDaH_H_Joah_PYHq_OLQIUJyxhgrW2TnbkeJNe_C3-UjiVdwWK1VhAUuL6oFomRzWF715tJp-9_9WL77mn0Y8fmIj3iKmYPHQYEHSKNNx7vWFYO7auNNAXRKfdoO8A7GZLuX20sGmp1U52QuHN6eRxhl-1VAuOP1c_v7X4KbpC4AN9NK2QbRpFTErzvw-_M5IUFI0XoVw",
  "payload": ""
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz/286815604/1031286514 HTTP/1.1" 200 1075
Received response:
HTTP 200
Server: nginx
Date: Tue, 05 May 2026 16:15:21 GMT
Content-Type: application/json
Content-Length: 1075
Connection: keep-alive
Boulder-Requester: 286815604
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: H6izflzsZG8pBGm_9JYmBPna6eWqOaVoKLGLY87-NV1bkWJSd3k
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
  "identifier": {
    "type": "dns",
    "value": "ha.guntbert.net"
  },
  "status": "pending",
  "expires": "2026-05-12T16:15:20Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/286815604/1031286514/it1PZQ",
      "status": "pending",
      "token": "hXujWui2v6zaKDjDQM5Z_tTKM3irtHWuMSvIzGk877o"
    },
    {
      "type": "dns-persist-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/286815604/1031286514/z9NzPw",
      "status": "pending",
      "issuer-domain-names": [
        "letsencrypt.org"
      ]
    },
    {
      "type": "dns-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/286815604/1031286514/LEvT-g",
      "status": "pending",
      "token": "hXujWui2v6zaKDjDQM5Z_tTKM3irtHWuMSvIzGk877o"
    },
    {
      "type": "tls-alpn-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/286815604/1031286514/ccl8QQ",
      "status": "pending",
      "token": "hXujWui2v6zaKDjDQM5Z_tTKM3irtHWuMSvIzGk877o"
    }
  ]
}
Storing nonce: H6izflzsZG8pBGm_9JYmBPna6eWqOaVoKLGLY87-NV1bkWJSd3k
dns-persist-01 was not recognized, full message: {'type': 'dns-persist-01', 'url': 'https://acme-staging-v02.api.letsencrypt.org/acme/chall/286815604/1031286514/z9NzPw', 'status': 'pending', 'issuer-domain-names': ['letsencrypt.org']}
JWS payload:
b''
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/286815604/1031286524:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8yODY4MTU2MDQiLCAibm9uY2UiOiAiSDZpemZsenNaRzhwQkdtXzlKWW1CUG5hNmVXcU9hVm9LTEdMWTg3LU5WMWJrV0pTZDNrIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LzI4NjgxNTYwNC8xMDMxMjg2NTI0In0",
  "signature": "ldKj3q55WjDCUhp_Iz5yvbVPrix9j4uA5YR-UTkpoPLM0w0tWkQ_1RQ0zOUbJ9F0kU2iwdGOCtCJWo69OSRuBtrTwAxXnI9Zo3lL-uXODu8qG28EXI44-yOcbczKOXDyq-etpsUc-BHqlxutaF2EBAwpqQT1Hx7xXOEeu7LXGEVBcPyzYx6UYpkOIQ5r2R7MqLUBGRaW64CAzFw0fso7ScZKxdSrtxNCV9SsNU_sNIf2uwycSwXeAdUnnL29Zl6kVGueeBHEDIk-wHamvjtm_64-Q-votQQw9vVeb0-qUvxK5E5B-CdhRiQrLqO2xmtgierdmWC2TS8p5GGrepThHQ",
  "payload": ""
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz/286815604/1031286524 HTTP/1.1" 200 1086
Received response:
HTTP 200
Server: nginx
Date: Tue, 05 May 2026 16:15:21 GMT
Content-Type: application/json
Content-Length: 1086
Connection: keep-alive
Boulder-Requester: 286815604
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: H6izflzswPBnXYRGM5GKHNGQIKWlmK3kKsHgj7FTFXpoKe8hcus
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
  "identifier": {
    "type": "dns",
    "value": "homeassistant.guntbert.net"
  },
  "status": "pending",
  "expires": "2026-05-12T16:15:20Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/286815604/1031286524/9pv_ew",
      "status": "pending",
      "token": "Hrye2uXK2hIJ5Vp5hY5YWJ_Qn9aRf6kJVGOeU2YkT_4"
    },
    {
      "type": "tls-alpn-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/286815604/1031286524/zBlhng",
      "status": "pending",
      "token": "Hrye2uXK2hIJ5Vp5hY5YWJ_Qn9aRf6kJVGOeU2YkT_4"
    },
    {
      "type": "dns-persist-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/286815604/1031286524/aswFaw",
      "status": "pending",
      "issuer-domain-names": [
        "letsencrypt.org"
      ]
    },
    {
      "type": "dns-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/286815604/1031286524/zwGPWQ",
      "status": "pending",
      "token": "Hrye2uXK2hIJ5Vp5hY5YWJ_Qn9aRf6kJVGOeU2YkT_4"
    }
  ]
}
Storing nonce: H6izflzswPBnXYRGM5GKHNGQIKWlmK3kKsHgj7FTFXpoKe8hcus
dns-persist-01 was not recognized, full message: {'type': 'dns-persist-01', 'url': 'https://acme-staging-v02.api.letsencrypt.org/acme/chall/286815604/1031286524/aswFaw', 'status': 'pending', 'issuer-domain-names': ['letsencrypt.org']}
Performing the following challenges:
dns-01 challenge for ha.guntbert.net
dns-01 challenge for homeassistant.guntbert.net
Configuring lego for provider hurricane with 1 options
Encountered exception:
Traceback (most recent call last):
  File "/usr/local/lib/python3.13/dist-packages/certbot/_internal/auth_handler.py", line 88, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/usr/local/lib/python3.13/dist-packages/certbot_dns_multi/_internal/dns_multi.py", line 87, in perform
    self._setup_credentials()
    ~~~~~~~~~~~~~~~~~~~~~~~^^
  File "/usr/local/lib/python3.13/dist-packages/certbot_dns_multi/_internal/dns_multi.py", line 78, in _setup_credentials
    LegoClient.configure(provider, lego_environ, nameservers)
    ~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.13/dist-packages/certbot_dns_multi/_internal/dns_multi.py", line 154, in configure
    LegoClient._raise_for_response(
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
        cmd(
        ^^^^
    ...<8 lines>...
        )
        ^
    )
    ^
  File "/usr/local/lib/python3.13/dist-packages/certbot_dns_multi/_internal/dns_multi.py", line 201, in _raise_for_response
    raise errors.PluginError(resp["error"])
certbot.errors.PluginError: unknown command
Calling registered functions
Cleaning up challenges
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 8, in <module>
    sys.exit(main())
             ~~~~^^
  File "/usr/local/lib/python3.13/dist-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
           ~~~~~~~~~~~~~~~~~~^^^^^^^^^^
  File "/usr/local/lib/python3.13/dist-packages/certbot/_internal/main.py", line 1871, in main
    return config.func(config, plugins)
           ~~~~~~~~~~~^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.13/dist-packages/certbot/_internal/main.py", line 1577, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/local/lib/python3.13/dist-packages/certbot/_internal/main.py", line 130, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
    ~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.13/dist-packages/certbot/_internal/renewal.py", line 399, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
                                      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.13/dist-packages/certbot/_internal/client.py", line 423, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/local/lib/python3.13/dist-packages/certbot/_internal/client.py", line 492, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/usr/local/lib/python3.13/dist-packages/certbot/_internal/auth_handler.py", line 88, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/usr/local/lib/python3.13/dist-packages/certbot_dns_multi/_internal/dns_multi.py", line 87, in perform
    self._setup_credentials()
    ~~~~~~~~~~~~~~~~~~~~~~~^^
  File "/usr/local/lib/python3.13/dist-packages/certbot_dns_multi/_internal/dns_multi.py", line 78, in _setup_credentials
    LegoClient.configure(provider, lego_environ, nameservers)
    ~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.13/dist-packages/certbot_dns_multi/_internal/dns_multi.py", line 154, in configure
    LegoClient._raise_for_response(
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
        cmd(
        ^^^^
    ...<8 lines>...
        )
        ^
    )
    ^
  File "/usr/local/lib/python3.13/dist-packages/certbot_dns_multi/_internal/dns_multi.py", line 201, in _raise_for_response
    raise errors.PluginError(resp["error"])
certbot.errors.PluginError: unknown command
unknown command
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):

The operating system my web server runs on is (include version):
Homeassistant OS
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot-dns-multi to 4.33.0

Additional remarks

the conversation with acme-staging seems to work ok
the problem occurs after "Configuring lego for provider hurricane with 1 options"
when requesting only one domain all goes well (with both of them)
I could not find out how to increase the verbosity

orangepizza · May 5, 2026, 8:46pm

It looks like for some reason certbot selected dns-persist challenge then panics because it can't see token in response.
I think if you skip staging it could work

guntbert · May 5, 2026, 9:25pm

Thanks for having a look at it but I see the same line with "dns-persist-01" in the logs of a successful attempt at staging. The difference is what happens next

Storing nonce: TUKf_XZq3B_AJ7P2MNNWfioiGT1HNeVMSfF4EwhVBGm6ZW3Nugo
dns-persist-01 was not recognized, full message: {'type': 'dns-persist-01', 'url': 'https://acme-staging-v02.api.letsencrypt.org/acme/chall/286815604/1036605354/G9U7TQ', 'status': 'pending', 'issuer-domain-names': ['letsencrypt.org']}
Performing the following challenges:
dns-01 challenge for ha.guntbert.net
Configuring lego for provider hurricane with 1 options
Asking lego to create record eLF8Hnpf-3OIdvDivYR_5G4vUjy8lRlt8Q91XCO8_sU for domain ha.guntbert.net
Notifying user: Waiting 60 seconds for DNS changes to propagate

Also i am a bit wary about skipping staging

MikeMcQ · May 5, 2026, 9:39pm

Yes, I agree. I think Certbot is just warning of a challenge it does not recognize. The log says it is using dns-01 for those 2 domain names.

I'm not sure how much help we can be for this problem. You might be better off posting on the github for lego. My best guess it has something to do with your DNS provider's API. Perhaps they changed it since the lego plugin for Hurricane was last tested.

In any case, it looks like a bug somewhere but not with Let's Encrypt itself. Possibly lego plugin, dns-multi, or Certbot itself - in that order. I'd start with Lego, then try the github for dns-multi and lastly the EFF's github for Certbot if those are not successful.

guntbert · May 5, 2026, 9:55pm

thanks for dissecting that - I was not aware of those different components. Gonna ask the lego people.

Topic		Replies	Views
Dns-01 urn:ietf:params:acme:error:unauthorized 403 Help	26	4995	May 13, 2023
Failed DNS-01 challenge Help	4	190	October 24, 2025
My main domain has SSL and my subdomain dont have SSL Help	100	2161	April 15, 2023
Certbot renewal dns-01 challenge failure, During secondary validation: DNS problem Help	23	1905	October 15, 2022
`certbot-dns-multi` - bringing lego's 100+ DNS providers to Certbot Client dev	24	2947	November 28, 2022

Certbot-dns-multi for dns-lego fails with request for two domains

Related topics