Is there any way to separate the challenge (DNS/HTTP) request to confirm domain ownership from the actual certificate creation?
With the first "certbot" call I would like to receive just the DNS/HTTP challenge string to confirm domain ownership. This challenge will be done manually and can take some time. After the required DNS/HTTP things have been set, I want to trigger "certbot" again, which will just validate the challenge and create the actual certificate and key right away.
Everything should be non-interactive, since it will be called from a script.
Is there any way to achieve this?
(I am using Windows for certbot and the actual webserver is on another machine, so the process needs to be manual.)
Automating DNS challenges requires being able to add (and remove) TXT records from your DNS zone.
This is done via API calls.
If your DNS Service Provider (DSP) supports DNS updates via API, this can be automated.
If not, then you may need to use HTTP authentication.
I will think about the automation possibilities, but for now, let's say it has to be manual, because the domain owners can come from various sources (hostings) and I don't want to burden them with setting up the automation things that need to be done first.
What I really want to do is a step-by-step process (HTML form, handled by PHP) for various domains, so I can generate a certificate for the domain and then use the certificate for a certain web service that requires a DNS redirect from that domain to my server.
The first step of the form would be setting the (sub)domain name. After form submission I want to call certbot, but only to get the challenge request; then the certbot process should exit, so I can serve the challenge request back to the form user, so he can fulfill the request. He should be able to leave the page, fulfill the request and, when he comes back, just press some button to call certbot again to continue the certificate generation process.
And this is what I have not found in the documentation: 1. "how to tell certbot to just return the challenge request and die" and 2. "how to tell certbot to use the previous challenge request that has been fulfilled and continue certificate generation".
For example, what I was trying was some combination of the parameters "-n" (non-interactive) and "--manual". However, it requires scripting hooks, which I don't have, because it's completely manual. I can set some empty script hooks, but it wouldn't solve anything, since certbot is expecting the challenge to be fulfilled by those scripts.
Maybe certbot is not right for this thing? Or am I missing something?
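Added example, not part of this thread or of certbot itself: it illustrates both the reply about the TXT record that DNS-01 needs and the follow-up about `--manual` with hooks. The script is meant to be used as a `--manual-auth-hook`: it stores the pending `_acme-challenge` TXT record in a JSON file (where a web form could read and display it), then polls DNS until that record is publicly visible before returning to certbot, so the manual step can take time inside a single non-interactive certbot run instead of needing a second invocation. The file name `wait_for_txt.py`, the `PENDING_FILE` path, the use of `dig`/`nslookup` against the 1.1.1.1 resolver, and the polling interval are assumptions of this example; `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` are the environment variables certbot exports to manual hooks.

```python
#!/usr/bin/env python3
"""Added example (not from the thread): a certbot --manual-auth-hook that
records the pending DNS-01 challenge for a person to act on, then polls DNS
until the TXT record is visible before handing control back to certbot.

Assumed invocation (same on Windows and Linux):
  certbot certonly --manual --preferred-challenges dns -n --agree-tos \
      -d sub.example.com --manual-auth-hook "python wait_for_txt.py"

certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook.  The
PENDING_FILE path, the resolver tooling and the timing values are assumptions.
"""
import json
import os
import re
import shutil
import subprocess
import sys
import time

PENDING_FILE = os.environ.get("PENDING_FILE", "pending_challenge.json")  # assumed path


def challenge_record(domain: str, validation: str):
    """Name and value of the TXT record the domain owner must publish (DNS-01)."""
    return f"_acme-challenge.{domain}", validation


def save_pending(path: str, domain: str, validation: str) -> dict:
    """Persist the challenge so a web form (e.g. the PHP page) can show it to the user."""
    name, value = challenge_record(domain, validation)
    record = {"domain": domain, "txt_name": name, "txt_value": value,
              "created": int(time.time())}
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(record, fh)
    return record


def parse_txt_answers(output: str) -> list:
    """Extract quoted TXT values from `dig +short TXT` or `nslookup -type=TXT` output.
    Several quoted chunks on one line are joined, as DNS splits long strings."""
    values = []
    for line in output.splitlines():
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if chunks:
            values.append("".join(chunks))
    return values


def lookup_txt(name: str) -> list:
    """Real resolver: query a public resolver (assumed 1.1.1.1) with dig, or
    nslookup where dig is absent (typical on Windows)."""
    if shutil.which("dig"):
        cmd = ["dig", "+short", "TXT", name, "@1.1.1.1"]
    else:
        cmd = ["nslookup", "-type=TXT", name, "1.1.1.1"]
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=15)
    return parse_txt_answers(proc.stdout)


def wait_for_txt(name, expected, lookup, timeout=3600, interval=30, sleep=time.sleep):
    """Poll `lookup(name)` until `expected` is among the TXT values.
    Returns the number of attempts; raises TimeoutError if the record never appears."""
    deadline = time.monotonic() + timeout
    attempts = 0
    while True:
        attempts += 1
        try:
            if expected in lookup(name):
                return attempts
        except subprocess.TimeoutExpired:
            pass  # transient resolver hiccup: keep polling until the deadline
        if time.monotonic() >= deadline:
            raise TimeoutError(f"{name} never served the expected TXT value")
        sleep(interval)


def main() -> int:
    domain = os.environ.get("CERTBOT_DOMAIN")
    validation = os.environ.get("CERTBOT_VALIDATION")
    if not domain or not validation:
        print("CERTBOT_DOMAIN/CERTBOT_VALIDATION not set; run this as a certbot hook",
              file=sys.stderr)
        return 2
    record = save_pending(PENDING_FILE, domain, validation)
    print(f"Publish TXT {record['txt_name']} = {record['txt_value']}", file=sys.stderr)
    try:
        wait_for_txt(record["txt_name"], record["txt_value"], lookup_txt)
    except TimeoutError as exc:
        print(exc, file=sys.stderr)  # give up; the CA's own check would fail without the record
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The hook blocks only for as long as the TXT record is missing, and checks a public resolver rather than the authoritative server so that it sees roughly what the CA will see; the `timeout` bounds how long an abandoned form submission keeps a certbot process alive.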