Certbot - mix DNS-01 & http-01 auth

Hey there,
I got some Servers where I would like to mix DNS-01 & http-01 auth with certbot.
-> Needed as I want to install some Wildcard Certs for Domains we manage DNS, but also need some Single Domain Certs for Domains pointing to our Servers but we don't manage DNS

So is it possible to automate both auth methods on one Server?

  • http-01 with apache Plugin
  • DNS-01 with auth-hooks

Not quite sure on how to tell certbot which Domain it should request/renew by which method?!

Thank you, bye from Austria

I don't know if you can tell certbot to authenticate some domains with one challenge and some others with another. (even though I think the ACME spec supports this)

But you can definitely tell it to authenticate domains for one certificate on one challenge and another certificate on another challenge.

currently the renew is done by this cronjob:

python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew --webroot-path=/daten/www/

there are a few dozen different Domains renewed right now.
Is certbot storing the information by which method which Domain was initally created?
Do I simply need to add the auth-hook Commands to the renew Command and certbot is deciding if it should use webroot-path (--apache on another server) or --manual-auth-hook ?

Yes. But if you run certbot renew --webroot -w /something you are not only overriding that, you are replacing the saved setting. If you run certbot renew without adding anything else, certbot will use what it has saved, for each certificate.

So what you need to do is:

  • remove --webroot-path=/daten/www/ from your command
  • for the certificates you want to renew using that webroot, do nothing.
  • for the certificates you want to renew using dns-01, force renew them once. With certbot renew --cert-name THE_CERT_NAME --force-renew --authenticator whatever_you_need [more options as needed]

Also, you can check what certbot will do by reading /etc/letsencrypt/renewal/THE_CERT_NAME.conf -- and you don't need to force renew the certificates that already say they're going to use dns-01.


Just for the entire certificate, not for separate hostnames.

Edit: Not even sure about the challenge type! It stores the authenticator but e.g. the manual authenticator can use both the http-01 and dns-01 challenges. And without --preferred-challenges (which is) stored, it can use both.. But I believe Certbot won't initiate a combination of challenges by itself. Although recently @_az corrected me about Certbots handeling with combinations of challenges, but I can't remember nor find that post :blush:


Well... Each DNS plugin is its own authenticator, and the manual plugin has --manual-auth-hook and --manual-cleanup-hook too (do those get saved? hope so, but dunno).

1 Like

It stores just one authenticator, i.e., you can't combine them.


I think so, yes. The most it can do is store a different webroot for each fqdn if you use --webroot.

1 Like

darn - then I got a problem :frowning:
As I need to install a few Wildcard Certs which are only possible by DNS ... but I can't generally switch to DNS as we don't manage all DNS pointing to those Servers ... :-/

The authenticator is linked to the certificate, each certificate can have a different one.

You just have to make sure that you don't mix domains for which you control the dns and domains for which you only get the A/AAAA records pointed to you in the same certificate.


ahhh, ok - then I must have misunderstood you above.
Then my scenario would probably go as hoped...

The certs where we manage the DNS / need wildcards are renewed with --manual-auth-hook and --manual-cleanup-hook then (hopefully they will also be saved, right? ok it's tested quickly then)
And the rest of the certs continue via webroot/apache

Thank you! :slight_smile:


Do you need to use both challenges in the same certificate?

You can use multiple challenges perfectly fine, as long as those are in different certificates.


no need to mix challenges on same cert/domain ... missunderstood you above ... :wink:


Ok, cool!

Do you need more assistence with how to do that in Certbot? You can get multiple certificates with different options by running Certbot multiple times.


guess I can work it out now as I know it should work ... thx! :wink:
Need to write the Hooks first and prepare our DNS to accept those Calls ... :sweat_smile:

What is your DNS situation? Perhaps you don't have to write it from scratch :slight_smile:


currently using 3 bind NS Servers - but unfortunately without proper DNS replication but somewhat custom implementation which combines eazyDNS GUI Data + Plesk DNS Management and some other Systems.
Now quite sure if I should adopt eazyDNS (central DNS Mgmt GUI here) to accept those Web-Hooks or if I should solve it through DNS Replication ... :thinking:

I have no idea what eazyDNS exactly is, but BIND can easily be used with the RFC2136 using the certbot-dns-rfc2136 plugin. Although I think it can only update a single server..?

An alternative is to use acme-dns where you can redirect the challenge using a CNAME to a single acme-dns instance. Certbot can use the acme-dns-certbot-joohoi manual authenticator hook for use with acme-dns.


thx for those Information - will have a look into them and if I can use it or need to do it over out DNS Mgmt Tools ... :wink:
Since no DNS Replication is in Place - I fear I need to add / remove the DNS Entries over eazyDNS ,... but that wouldn't be a big deal ... :wink:

1 Like

A CNAME redirect only has to be set once. You could redirect the _acme-challenge label to any DNS instance you can easily controle (a separate BIND instance, acme-dns, whatever).