Certbot DNS plugin listed in certbot plugins, but still not working

I did a fresh installation of certbot on Ubuntu 18.04 using your instructions with sudo snap install --classic certbot and had some trouble finding a way to install the certbot-dns-hetzner plugin (snap install certbot-dns-hetzner did not find the plugin).

So I tried an installation with pip, which seemed to succeed at first - certbot plugins listed dns-hetzner - but when trying to generate a cert I get error messages like 'The requested certbot-dns-hetzner plugin does not appear to be installed'.

Here is my own answer to my question on how to do the installation on StackOverflow (I was too fast posting it, I was so happy to see the plugin in certbot plugins)

So what am I doing wrong?

Here are the commands I am running without success.

root@my-server:~# certbot plugins
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
* apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT

* dns-hetzner
Description: Obtain certificates using a DNS TXT record (if you are using
Hetzner for DNS).
Interfaces: IAuthenticator, IPlugin
Entry point: dns-hetzner = certbot_dns_hetzner.dns_hetzner:Authenticator

* nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator

* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot._internal.plugins.standalone:Authenticator

* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

root@my-server:~# certbot certonly --authenticator dns-hetzner -d "my-server.domain.me" --dns-hetzner-credentials /root/my-cert.ini
usage:
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: --dns-hetzner-credentials /root/my-cert.ini

root@my-server:~# certbot certonly --authenticator dns-hetzner
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Could not choose appropriate plugin: The requested dns-hetzner plugin does not appear to be installed
The requested dns-hetzner plugin does not appear to be installed

One other note.
Included plugins, like apache, are located in /snap/certbot/784/lib/python3.8/site-packages/ whereas the hetzner plugin is placed in /root/.local/lib/python3.8/site-packages/.

I tried to copy the hetzner directories to the snap folder, but it is mounted as read only.

1 Like

This should be just --authenticator dns-hetzner, or you can use --dns-hetzner for short.

The snapped version of the plugin should be in /snap/certbot-dns-hetzner/.... Snapped Certbot would not look at pip-installed stuff on the host.

2 Likes

I don't think you can mix and match SNAP with PIP.
That can't lead to anything good!
I would uninstall anything added with PIP.
Then look for the right plugin for SNAP or, if one is not yet available, look for another ACME client that does have that functionality today (like maybe: acme.sh).

2 Likes

Thanks az for your answer.

You are right about the wrong parameter, that was my fault while testing different ways (in an older installation we had to use --authenticator certbot-dns-hetzner). I had tried before with the correct parameter as suggested, so I've corrected it in my post to avoid confusion because of this deprecated param.

But the strange thing is that certbot plugins does list the Hetzner plugin installed by pip. So it does look up plugins in the user's / root's home directory.
How should I add something to the directory /snap/ when it is read only and the desired plugin is not available as a snap app?

2 Likes

Thank you rg305 for your answer.

I'll give it one last try and if that does not solve the problem I'll use the --manual-auth-hook and --manual-cleanup-hook together with another script (as described here https://community.hetzner.com/tutorials/letsencrypt-dns).

2 Likes

Ugh, I forgot to post (and to look into) the log file. So here it is:

2020-12-03 09:31:05,314:DEBUG:certbot._internal.main:certbot version: 1.10.0
2020-12-03 09:31:05,314:DEBUG:certbot._internal.main:Arguments: ['--authenticator', 'dns-hetzner']
2020-12-03 09:31:05,314:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-12-03 09:31:05,324:DEBUG:certbot._internal.log:Root logging level set at 20
2020-12-03 09:31:05,325:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-12-03 09:31:05,326:DEBUG:certbot._internal.plugins.selection:Requested authenticator dns-hetzner and installer None
2020-12-03 09:31:05,326:DEBUG:certbot._internal.plugins.selection:No candidate plugin
2020-12-03 09:31:05,326:DEBUG:certbot._internal.plugins.selection:Selected authenticator None and installer None
2020-12-03 09:31:05,326:INFO:certbot._internal.main:Could not choose appropriate plugin: The requested dns-hetzner plugin does not appear to be installed
2020-12-03 09:31:05,326:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.6/dist-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/local/lib/python3.6/dist-packages/certbot/_internal/main.py", line 1412, in main
    return config.func(config, plugins)
  File "/usr/local/lib/python3.6/dist-packages/certbot/_internal/main.py", line 1271, in certonly
    installer, auth = plug_sel.choose_configurator_plugins(config, plugins, "certonly")
  File "/usr/local/lib/python3.6/dist-packages/certbot/_internal/plugins/selection.py", line 235, in choose_configurator_plugins
    diagnose_configurator_problem("authenticator", req_auth, plugins)
  File "/usr/local/lib/python3.6/dist-packages/certbot/_internal/plugins/selection.py", line 339, in diagnose_configurator_problem
    raise errors.PluginSelectionError(msg)
certbot.errors.PluginSelectionError: The requested dns-hetzner plugin does not appear to be installed
2020-12-03 09:31:05,327:ERROR:certbot._internal.log:The requested dns-hetzner plugin does not appear to be installed

So I'll give it one last try at installing the plugin with pip in /usr/local/...

1 Like
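
Added example (not part of the original posts, and not Certbot's own code): in the log posted above, the traceback paths sit under /usr/local/lib/python3.6/dist-packages, while the snap's bundled plugins were reported under /snap/certbot/784/lib/python3.8/site-packages/. These shell functions read a letsencrypt.log and report which install wrote it and which plugins that install discovered; the function names and the origin labels are assumptions of this example.

```shell
#!/bin/sh
# Added example: identify the Certbot install behind a letsencrypt.log.

# sample_log: lines copied from the log posted in this thread (trimmed).
sample_log() {
cat <<'EOF'
2020-12-03 09:31:05,314:DEBUG:certbot._internal.main:Arguments: ['--authenticator', 'dns-hetzner']
2020-12-03 09:31:05,314:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 11, in <module>
  File "/usr/local/lib/python3.6/dist-packages/certbot/main.py", line 15, in main
EOF
}

# plugins_in_log LOG: plugin names from the last "Discovered plugins" line.
plugins_in_log() {
    grep 'Discovered plugins: PluginsRegistry(' "$1" | tail -n 1 |
        grep -o 'PluginEntryPoint#[A-Za-z0-9_-]*' | sed 's/^PluginEntryPoint#//'
}

# install_origin LOG: classify the install by the last traceback file path.
# The labels are this example's own (hypothetical) names.
install_origin() {
    path=$(sed -n 's/^ *File "\([^"]*\)".*/\1/p' "$1" | tail -n 1)
    case $path in
        '')           echo unknown ;;    # no traceback in the log
        /snap/*)      echo snap ;;       # code shipped inside a snap
        /usr/local/*) echo usr-local ;;  # system-wide install outside the snap
        */.local/*)   echo user-site ;;  # per-user site-packages
        *)            echo other ;;
    esac
}

# plugin_visible LOG NAME: succeed if NAME was discovered by that run.
plugin_visible() {
    plugins_in_log "$1" | grep -qx -- "$2"
}

# Stand-alone use: sh script.sh /var/log/letsencrypt/letsencrypt.log
if [ $# -gt 0 ]; then
    echo "origin: $(install_origin "$1")"
    echo "plugins:"; plugins_in_log "$1" | sed 's/^/  /'
fi
```
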

Er, you're right. I'm certain this is a bug. I'll file an issue.

2 Likes

O.K. I finally got it running. :)
See my stackoverflow post

Now the plugin is not listed when running certbot plugins but it works when creating certs.

It would have saved me a lot of time if I had simply tried to use the plugin instead of trusting certbot plugins, which totally deceived me. My first installation way was the right one.

So this should be included in your issue as well. Certbot and letsencrypt are scanning different folders for plugins.

2 Likes

Hi @Ludwig,

We've made a change to the next release of Certbot (1.11) which will prevent pip --user-installed plugins from inadvertently showing up in certbot plugins.

For others: the only way to use DNS (and other) plugins from the Certbot snap, is to install the plugin via snap. If the plugin you want to use is not available as a snap, we can provide help with getting it packaged and published. Have a look over the instructions for writing your own plugin snap and file an issue if you'd like some assistance.

2 Likes

Hi @_az

Meanwhile there is a snap installation available for the desired plugin, but I can't get it running, so I'll have to stick to the pip installation, which is doing its job without any problems. I hope an update of certbot won't break my configuration.

Maybe you can give a tip, how to get the snap installation including the plugin (https://snapcraft.io/certbot-dns-hetzner) running.
Please see https://github.com/ctrlaltcoop/certbot-dns-hetzner/issues/12#issuecomment-738121987 and https://github.com/certbot/certbot/issues/8504

1 Like

It will. What I wanted to convey is that you absolutely cannot rely on the pip method and it will break in 1.11.

Sure. Like I said, I am happy to help you debug this and contribute any changes or assistance to the plugin upstream as required.

For what it's worth, I was able to install it in the following way:

snap install --classic certbot
snap set certbot trust-plugin-with-root=ok
snap install certbot-dns-hetzner
snap connect certbot:plugin certbot-dns-hetzner

Those extra trust/connect steps are needed because the plugin does not come from the same publisher as the main Certbot snap, and that's the condition we have placed on us for being a "classic" snap.

It appears in certbot plugins and appears to work properly (though I don't have any Hetzner credentials to do a full end-to-end test):

root@benefit-athena:~/work# certbot certonly -d example.com -a dns-hetzner --dns-hetzner-credentials creds.ini --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-hetzner, Installer None
Simulating a certificate request for example.com
Performing the following challenges:
dns-01 challenge for example.com
Unsafe permissions on credentials configuration file: creds.ini
Cleaning up challenges
Missing property in credentials configuration file creds.ini:
* Property "dns_hetzner_api_token" not found (should be Hetzner API Token from 'https://dns.hetzner.com/settings/api-token').
2 Likes
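
Added example (not part of the original posts or of the plugin's code): the dry run above reports "Unsafe permissions on credentials configuration file" and a missing dns_hetzner_api_token property. These shell functions write the credentials file readable by its owner only and audit an existing file before Certbot is run; the function names and the mode 600 target (stricter than a world-readable check) are assumptions of this example.

```shell
#!/bin/sh
# Added example: create and audit a dns-hetzner credentials file.

# write_creds FILE TOKEN: write the INI file so only the owner can read it.
write_creds() {
    file=$1 token=$2
    # umask covers a newly created file; chmod covers a pre-existing one.
    ( umask 077 && printf 'dns_hetzner_api_token = %s\n' "$token" > "$file" ) || return 1
    chmod 600 "$file"
}

# file_mode FILE: print the octal permission bits (GNU stat, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_creds FILE: print findings; return 0 only if nothing was found.
audit_creds() {
    file=$1 rc=0
    [ -f "$file" ] || { echo "missing: $file"; return 2; }
    mode=$(file_mode "$file")
    # Any group or other bit lets another local account read the API token.
    case $mode in
        ?00) ;;
        *) echo "unsafe permissions $mode on $file (want 600)"; rc=1 ;;
    esac
    # The property name is the one quoted in the plugin's error message.
    grep -Eq '^[[:space:]]*dns_hetzner_api_token[[:space:]]*=[[:space:]]*[^[:space:]]' "$file" \
        || { echo "dns_hetzner_api_token not set in $file"; rc=1; }
    return $rc
}

# Stand-alone use: sh script.sh /root/my-cert.ini
if [ $# -gt 0 ]; then
    audit_creds "$1" && echo "ok: $1"
fi
```
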
