Crypt::LE --delayed not being honored

I’ve been using Crypt::LE for about years to acquire certs from Lets Encrypt. It is the core of a C# app (partially) automating cert acquisition.

My domain is: lacerate.com lacearte.com

I ran this command:

le64.exe --key lacearte_com_Acct.key --csr lacearte_com.csr --csr-key lacearte_com.key --crt lacearte_com.crt --domains "lacearte.com,mail.lacearte.com,www.lacearte.com" --generate-missing --handle-as HTTP --live --delayed

<>

le64.exe --key lacearte_com_Acct.key --csr lacearte_com.csr --csr-key lacearte_com.key --crt lacearte_com.crt --domains "lacearte.com,mail.lacearte.com,www.lacearte.com" --generate-missing --handle-as HTTP --live

It produced this output:

2026/05/10 17:03:22 [ Crypt::LE client v0.39 started. ]

2026/05/10 17:03:22 Loading an account key from lacearte_com_Acct.key

2026/05/10 17:03:22 Loading a CSR from lacearte_com.csr

2026/05/10 17:03:23 Registering the account key

2026/05/10 17:03:24 The key is already registered. ID: 2398714517

2026/05/10 17:03:25 Challenge for lacearte.com requires:

A file 'QqIMBx27sgdwQNKQbqawwxMf5YxGFwBQYcMaF3FfqPI' in '/.well-known/acme-challenge/' with the text: QqIMBx27sgdwQNKQbqawwxMf5YxGFwBQYcMaF3FfqPI.rNtcLQ4ID4dyuBOWrgDcEdci9BzETG3UIubwamt4610

2026/05/10 17:03:25 Challenge for mail.lacearte.com requires:

A file 's6T8vLDg6BFVXU5P5YQkb3nkYjYd4IZ48tTY439HonI' in '/.well-known/acme-challenge/' with the text: s6T8vLDg6BFVXU5P5YQkb3nkYjYd4IZ48tTY439HonI.rNtcLQ4ID4dyuBOWrgDcEdci9BzETG3UIubwamt4610

2026/05/10 17:03:25 Challenge for www.lacearte.com requires:

A file 'qFUHa1zi929ymkKuqLMRN2Tg_eO8SZUNSFF3aVxaTB8' in '/.well-known/acme-challenge/' with the text: qFUHa1zi929ymkKuqLMRN2Tg_eO8SZUNSFF3aVxaTB8.rNtcLQ4ID4dyuBOWrgDcEdci9BzETG3UIubwamt4610

D:__TMP_getcert\CertWorking>

After required challenge responses are upload process continuation occurs by running the initial command without the delayed flag. Historically the required challenge responses are the same for both runs but as depicted below that has changed. The Crypt::LE client has not changed since mid 2023.

2026/05/10 17:07:36 [ Crypt::LE client v0.39 started. ]

2026/05/10 17:07:36 Loading an account key from lacearte_com_Acct.key

2026/05/10 17:07:36 Loading a CSR from lacearte_com.csr

2026/05/10 17:07:37 Registering the account key

2026/05/10 17:07:38 The key is already registered. ID: 2398714517

2026/05/10 17:07:39 Challenge for lacearte.com requires:

A file 'RT6yJ8YXC2qEERAPNTU76yxe-eHEX47R__ZST_F7MR4' in '/.well-known/acme-challenge/' with the text: RT6yJ8YXC2qEERAPNTU76yxe-eHEX47R__ZST_F7MR4.rNtcLQ4ID4dyuBOWrgDcEdci9BzETG3UIubwamt4610

When done, press

2026/05/10 17:09:23 Challenge for mail.lacearte.com requires:

A file 'kSGE_JlsTclGYKh9xPZQXIDIKRqL0f6_lkgHZrezOe0' in '/.well-known/acme-challenge/' with the text: kSGE_JlsTclGYKh9xPZQXIDIKRqL0f6_lkgHZrezOe0.rNtcLQ4ID4dyuBOWrgDcEdci9BzETG3UIubwamt4610

When done, press

2026/05/10 17:11:05 Challenge for www.lacearte.com requires:

A file 'ir-1KaAaBO0CAM6vK0EniBie1O0bL9Ko7W99HY9p2lo' in '/.well-known/acme-challenge/' with the text: ir-1KaAaBO0CAM6vK0EniBie1O0bL9Ko7W99HY9p2lo.rNtcLQ4ID4dyuBOWrgDcEdci9BzETG3UIubwamt4610

When done, press

2026/05/10 17:14:56 Domain verification results for 'lacearte.com': success.

2026/05/10 17:14:56 You can now delete the 'RT6yJ8YXC2qEERAPNTU76yxe-eHEX47R__ZST_F7MR4' file.

2026/05/10 17:14:59 Domain verification results for 'mail.lacearte.com': success.

2026/05/10 17:14:59 You can now delete the 'kSGE_JlsTclGYKh9xPZQXIDIKRqL0f6_lkgHZrezOe0' file.

2026/05/10 17:15:02 Domain verification results for 'www.lacearte.com': success.

2026/05/10 17:15:02 You can now delete the 'ir-1KaAaBO0CAM6vK0EniBie1O0bL9Ko7W99HY9p2lo' file.

2026/05/10 17:15:02 Requesting domain certificate.

2026/05/10 17:15:02 Requesting issuer's certificate.

2026/05/10 17:15:02 Saving the full certificate chain to lacearte_com.crt.

2026/05/10 17:15:02 The job is done, enjoy your certificate!

Checking the API Announcements there is nothing mentioned that could affect this functionality. Has some “unannounced” tweak occurred which was expected to be transparent to end users that could be causing this? Nothing has changed in my arena…

Possible spelling issue?

As was pointed out here What is the purpose/function of the Renew classification - #5 by rg305 In Oct 2023

Yes, I updated the first post with the correct name.

@Art.H I don't have a direct comments for this apparent change in behavior. I don't know your ACME Client well enough to know where it stops for --delayed processing. I see you posted on the Crypt::LE github and I'll be interested to see their comments.

I do have some general comments though.

You got a cert just a few hours ago. What method did you use to get that?

You should be renewing your certs further in advance than you do. Based on your history you renew either the day of expiration or just a couple days before. Let's Encrypt recommends renewing with just 1/3 of the prior certs life remaining. And, to automate that although I can see why automation may be difficult in your circumstance. Any number of issues can occur issuing certs and some may take time to resolve.

Cert lives are being reduced across the industry to 45 day max. This will make your manual method more tedious. If you cannot automate your method you should keep a watch for when Let's Encrypt supports the dns-persist-01 in production. It is currently available in staging only. Unless le64 gets support for that you will need to switch to a different ACME client that supports that. The lego client is likely to support that promptly. See: Lego :: Let’s Encrypt client and ACME library written in Go.

See: Decreasing Certificate Lifetimes to 45 Days - Let's Encrypt
And: DNS-PERSIST-01: A New Model for DNS-based Challenge Validation - Let's Encrypt

If there is a client bug you should raise it at GitHub - do-know/Crypt-LE: Crypt::LE - Let's Encrypt / Buypass / ZeroSSL and other ACME-servers client and library in Perl for obtaining free SSL certificates (inc. generating RSA/ECC keys and CSRs). HTTP/DNS verification is supported out of the box, EAB (External Account Binding) supported, easily extended with plugins, easily dockerized. · GitHub

--delayed seems to be largely designed for manual our out of process challenge steps.

The issue has already been raised in that repo. --delayed flag has stoppe working · Issue #111 · do-know/Crypt-LE · GitHub

yep laceate.com should be lacearte.com :-/.For the new valid Cert the way Crypt::LE works is with the ---delayed flag it proceeds through communication with Lets Encrypt' environment until receipt of all required challenge responses is complete then terminates. Without that flag when each challenge is received it pauses awaiting user input enabling manual file (if HTTP ) creation/upload. My little C# app is designed to use the 2 step process.to ensure LE will get the correct responses when it does its job. So whatever caused the change in behavior is a "breaking change" for my app I had to revert to manual. I'll take a look at Lego - thanx.

yeah - I'm ddDerelict

For what it's worth, Posh-ACME should also be supporting dns-persist-01 as soon as the spec gets closer to finalization (full disclosure, I'm the author). And it's PowerShell based which might integrate better with your C# app more easily than Lego. Lego is still great though.

Yeah, I understand the concept of --delayed but I meant I was curious about the actual ACME API flows. Is there a logging option for le64 to see those?

I assume with --delayed that LE64 stops after posting the AUTHZ leaving it in a pending state, for example. I'd be curious to confirm that and also what the actual responses are for the second run from the LE ACME Server and how LE64 handles those.

I noticed --delayed is the last option in your command. Is it possible it is somehow being dropped?

It's possible that the delayed two-step has been taking advantage of some quirk in the flows which has changed. Without seeing the actual API requests and responses it is hard to say. Perhaps there is small timing change affecting a polling sequence in LE64. Without any more detailed logs the author of that ACME Client is in the best position to debug.

Thanx I'll give Posh a look

I don't know if this provides more insight but following is output with a debug flag:
-key lifesrain_com_Acct.key --csr lifesrain_com.csr --csr-key lifesrain_com.key --crt lifesrain_com.crt --domains "lifesrain.com,mail.lifesrain.com,www.lifesrain.com" --generate-missing --handle-as HTTP --delayed --debug
06 [ Crypt::LE client v0.39 started. ]
06 Loading an account key from lifesrain_com_Acct.key
06 Account key loaded.
06 Loading a CSR from lifesrain_com.csr
06 Loaded domain names from CSR: lifesrain.com, mail.lifesrain.com, www.lifesrain.com
06 CSR loaded.
06 CSR key loaded
06 Connecting to https://acme-staging-v02.api.letsencrypt.org/directory
07 Connecting to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce
07 Directory loaded successfully.
07 Registering the account key
08 Connecting to https://acme-staging-v02.api.letsencrypt.org/acme/new-acct
08 Key is already registered, reg path: https://acme-staging-v02.api.letsencrypt.org/acme/acct/291559373.
08 Connecting to https://acme-staging-v02.api.letsencrypt.org/acme/acct/291559373
08 Account ID: 291559373
08 Registration success: TOS change status - 0, new registration flag - 0.
08 The key is already registered. ID: 291559373
08 TOS has NOT been changed, no need to accept again.
08 Connecting to https://acme-staging-v02.api.letsencrypt.org/acme/new-order
08 Connecting to https://acme-staging-v02.api.letsencrypt.org/acme/finalize/291559373/37812379373
08 Could not finalize an order.
08 Requesting challenge.
08 Connecting to https://acme-staging-v02.api.letsencrypt.org/acme/authz/291559373/1209152693
09 Challenge (dns) for domain lifesrain.com is missing a valid token.
09 Received challenges for lifesrain.com.
09 Requesting challenge.
09 Connecting to https://acme-staging-v02.api.letsencrypt.org/acme/authz/291559373/1209152703
09 Challenge (dns) for domain mail.lifesrain.com is missing a valid token.
09 Received challenges for mail.lifesrain.com.
09 Requesting challenge.
09 Connecting to https://acme-staging-v02.api.letsencrypt.org/acme/authz/291559373/1209152713
09 Challenge (dns) for domain www.lifesrain.com is missing a valid token.
09 Received challenges for www.lifesrain.com.
09 Requested challenges for 3 domain(s).
09 Challenge for lifesrain.com requires:
A file 'iJjwRdx9lKXvdp5WFB-AwqUqR94zIOvyXiKjcr9n9vw' in '/.well-known/acme-challenge/' with the text: iJjwRdx9lKXvdp5WFB-AwqUqR94zIOvyXiKjcr9n9vw.JQGEgvr6fOGfKZFP272yBF_AK5GZZTPeXH9st4KiR5g
09 Challenge for mail.lifesrain.com requires:
A file 'BUiXPqHTyoKg-Mefp2iz-PrZtBR9aGydNy5OPpXg2z0' in '/.well-known/acme-challenge/' with the text: BUiXPqHTyoKg-Mefp2iz-PrZtBR9aGydNy5OPpXg2z0.JQGEgvr6fOGfKZFP272yBF_AK5GZZTPeXH9st4KiR5g
09 Challenge for www.lifesrain.com requires:
A file 'ryYkrlI3D2d3t5XzE9OC1FT59aKldcDtvQm0GChazkw' in '/.well-known/acme-challenge/' with the text: ryYkrlI3D2d3t5XzE9OC1FT59aKldcDtvQm0GChazkw.JQGEgvr6fOGfKZFP272yBF_AK5GZZTPeXH9st4KiR5g
09 Accepted challenges for 3 domain(s).

The client's author as the following in the help but I don't know how to use it:

log4perl.rootLogger=DEBUG, File, Screen
log4perl.appender.File = Log::Log4perl::Appender::File
log4perl.appender.File.filename = le.log
log4perl.appender.File.mode = append
log4perl.appender.File.layout = PatternLayout
log4perl.appender.File.layout.ConversionPattern = %d [%p] %m%n
log4perl.appender.File.utf8 = 1
log4perl.appender.Screen = Log::Log4perl::Appender::Screen
log4perl.appender.Screen.layout = PatternLayout
log4perl.appender.Screen.layout.ConversionPattern = %d [%p] %m%n
log4perl.appender.Screen.utf8 = 109 Accepted challenges for 3 domain(s).

I will have more time later today but that looks suspicious. Is a Finalize tried immediately after a New-Order for the second step too? Can you show that log for it too?

Because the Finalize shouldn't be sent until the challenges for the order are satisfied and is marked ready for Finalize. It does not seem harmful for this --delayed step (as it fails anyway). But, if the second step sends a faulty Finalize I could imagine that might trigger new challenges where it did not before. I'd have to think about that more but it is definitely not a standard API flow.

If there is a way to get the log to print the API reply from the LE server that would be great.

I am not bothered by the "dns" token warning message. I think LE64 may be seeing the new dns-persist-01 challenge and not knowing what to do with that. And, I think it may be parsing the names wrong or perhaps just formatting the error message wrong and using only the first portion of the challenge name (ie, omitting everything after the first dash).

The LE production system does not yet have dns-persist-01 so should not be affecting production anyway.

yeah that Finalize looked odd where it is even to my uneducated eye & I was curious about the dns mention for a handle-as HTTP request ...

I'll run the second step tomorrow (I'm in Belgium) with debug and post it

here's 2nd step with debug

Microsoft Windows [Version 10.0.19045.7291]
(c) Microsoft Corporation. All rights reserved.

D:__TMP_getcert\CertWorking>le64.exe --key lifesrain_com_Acct.key --csr lifesrain_com.csr --csr-key lifesrain_com.key --crt lifesrain_com.crt --domains "lifesrain.com,mail.lifesrain.com,www.lifesrain.com" --live --debug
41 [ Crypt::LE client v0.39 started. ]
41 Loading an account key from lifesrain_com_Acct.key
41 Account key loaded.
41 Loading a CSR from lifesrain_com.csr
41 Loaded domain names from CSR: lifesrain.com, mail.lifesrain.com, www.lifesrain.com
41 CSR loaded.
41 CSR key loaded
41 Connecting to https://acme-v02.api.letsencrypt.org/directory
42 Connecting to https://acme-v02.api.letsencrypt.org/acme/new-nonce
42 Directory loaded successfully.
42 Registering the account key
42 Connecting to https://acme-v02.api.letsencrypt.org/acme/new-acct
43 Key is already registered, reg path: https://acme-v02.api.letsencrypt.org/acme/acct/2531897231.
43 Connecting to https://acme-v02.api.letsencrypt.org/acme/acct/2531897231
43 Account ID: 2531897231
43 Registration success: TOS change status - 0, new registration flag - 0.
43 The key is already registered. ID: 2531897231
43 TOS has NOT been changed, no need to accept again.
43 Connecting to https://acme-v02.api.letsencrypt.org/acme/new-order
43 Connecting to https://acme-v02.api.letsencrypt.org/acme/finalize/2531897231/510779038376
43 Could not finalize an order.
43 Requesting challenge.
43 Connecting to https://acme-v02.api.letsencrypt.org/acme/authz/2531897231/704074873856
43 Received challenges for lifesrain.com.
43 Requesting challenge.
43 Connecting to https://acme-v02.api.letsencrypt.org/acme/authz/2531897231/704074873996
44 Received challenges for mail.lifesrain.com.
44 Requesting challenge.
44 Connecting to https://acme-v02.api.letsencrypt.org/acme/authz/2531897231/704074874276
44 Received challenges for www.lifesrain.com.
44 Requested challenges for 3 domain(s).
44 Challenge for lifesrain.com requires:
A file 'K9EgZnjNlWVSTnbDAWB43PynynRnvRKh6INuATd_gVI' in '/.well-known/acme-challenge/' with the text: K9EgZnjNlWVSTnbDAWB43PynynRnvRKh6INuATd_gVI.JQGEgvr6fOGfKZFP272yBF_AK5GZZTPeXH9st4KiR5g
When done, press

2026/05/14 16:39:21 Challenge for mail.lifesrain.com requires:
A file 'yM0EZdR3Lr6kXYOoRZHsq9giXjEa0Mr-ztEkmQrVYdc' in '/.well-known/acme-challenge/' with the text: yM0EZdR3Lr6kXYOoRZHsq9giXjEa0Mr-ztEkmQrVYdc.JQGEgvr6fOGfKZFP272yBF_AK5GZZTPeXH9st4KiR5g
When done, press

2026/05/14 16:41:18 Challenge for www.lifesrain.com requires:
A file 'NMV03AKfOP7fXPGzW8TFbKxz7TxTaos5pK6c3TGhUT8' in '/.well-known/acme-challenge/' with the text: NMV03AKfOP7fXPGzW8TFbKxz7TxTaos5pK6c3TGhUT8.JQGEgvr6fOGfKZFP272yBF_AK5GZZTPeXH9st4KiR5g
When done, press

20 Accepted challenges for 3 domain(s).
20 Connecting to https://acme-v02.api.letsencrypt.org/directory
20 Connecting to https://acme-v02.api.letsencrypt.org/acme/new-nonce
41 Directory loaded successfully.
41 Connecting to https://acme-v02.api.letsencrypt.org/acme/chall/2531897231/704074873856/oAIvNg
42 Connecting to https://acme-v02.api.letsencrypt.org/acme/chall/2531897231/704074873856/oAIvNg
44 Connecting to https://acme-v02.api.letsencrypt.org/acme/chall/2531897231/704074873856/oAIvNg
44 Domain verification results for 'lifesrain.com': error. 198.54.114.164: Invalid response from https://lifesrain.com/.well-known/acme-challenge/K9EgZnjNlWVSTnbDAWB43PynynRnvRKh6INuATd_gVI: 404
44 You can now delete the 'K9EgZnjNlWVSTnbDAWB43PynynRnvRKh6INuATd_gVI' file.
44 Domain lifesrain.com has failed verification (status code 200).
44 Connecting to https://acme-v02.api.letsencrypt.org/acme/chall/2531897231/704074873996/J50WsQ
44 Connecting to https://acme-v02.api.letsencrypt.org/acme/chall/2531897231/704074873996/J50WsQ
46 Connecting to https://acme-v02.api.letsencrypt.org/acme/chall/2531897231/704074873996/J50WsQ
47 Domain verification results for 'mail.lifesrain.com': error. 198.54.114.164: Invalid response from http://mail.lifesrain.com/.well-known/acme-challenge/yM0EZdR3Lr6kXYOoRZHsq9giXjEa0Mr-ztEkmQrVYdc: 404
47 You can now delete the 'yM0EZdR3Lr6kXYOoRZHsq9giXjEa0Mr-ztEkmQrVYdc' file.
47 Domain mail.lifesrain.com has failed verification (status code 200).
47 Connecting to https://acme-v02.api.letsencrypt.org/acme/chall/2531897231/704074874276/mjOlWw
47 Connecting to https://acme-v02.api.letsencrypt.org/acme/chall/2531897231/704074874276/mjOlWw
49 Connecting to https://acme-v02.api.letsencrypt.org/acme/chall/2531897231/704074874276/mjOlWw
49 Domain verification results for 'www.lifesrain.com': error. 198.54.114.164: Invalid response from https://www.lifesrain.com/.well-known/acme-challenge/NMV03AKfOP7fXPGzW8TFbKxz7TxTaos5pK6c3TGhUT8: 404
49 You can now delete the 'NMV03AKfOP7fXPGzW8TFbKxz7TxTaos5pK6c3TGhUT8' file.
49 Domain www.lifesrain.com has failed verification (status code 200).
49 All verifications failed
49 All verifications failed

D:__TMP_getcert\CertWorking>

I am not sure where
https://lifesrain.com/.well-known/acme-challenge/K9EgZnjNlWVSTnbDAWB43PynynRnvRKh6INuATd_gVI: ,

http://mail.lifesrain.com/.well-known/acme-challenge/yM0EZdR3Lr6kXYOoRZHsq9giXjEa0Mr-ztEkmQrVYdc: and

https://www.lifesrain.com/.well-known/acme-challenge/NMV03AKfOP7fXPGzW8TFbKxz7TxTaos5pK6c3TGhUT8:

are coming from since I've always put all verification files in a single directory
i.e /home/lacearte/public_html/lifesrain.com/.well-known/acme-challenge/

re the 404s I'm chatting with hosting provider since I can't access the index.htm in that directory - different issue

below is the successful validation stage for the failed run above with the debug fllag set; the 404 encountered above was caused by incorrect permissions ...

10 Accepted challenges for 3 domain(s).
10 Connecting to https://acme-v02.api.letsencrypt.org/directory
10 Connecting to https://acme-v02.api.letsencrypt.org/acme/new-nonce
11 Directory loaded successfully.
11 Connecting to https://acme-v02.api.letsencrypt.org/acme/chall/2531897231/704449405946/zguF0A
11 Connecting to https://acme-v02.api.letsencrypt.org/acme/chall/2531897231/704449405946/zguF0A
13 Connecting to https://acme-v02.api.letsencrypt.org/acme/chall/2531897231/704449405946/zguF0A
13 Domain lifesrain.com has been verified successfully.
13 Domain verification results for 'lifesrain.com': success.
13 You can now delete the 'AhPB3tYOfIYvnMQwOtfQTH-vt6p70_Mwm3DkKPb5FhI' file.
13 Connecting to https://acme-v02.api.letsencrypt.org/acme/chall/2531897231/704449406036/FYBdhA
13 Connecting to https://acme-v02.api.letsencrypt.org/acme/chall/2531897231/704449406036/FYBdhA
15 Connecting to https://acme-v02.api.letsencrypt.org/acme/chall/2531897231/704449406036/FYBdhA
16 Domain mail.lifesrain.com has been verified successfully.
16 Domain verification results for 'mail.lifesrain.com': success.
16 You can now delete the 'DLLLX8H__QqXQVH_hPi7hPyL-tkMWLTK_jqErIIGn0Q' file.
16 Connecting to https://acme-v02.api.letsencrypt.org/acme/chall/2531897231/704449406176/EzUU9w
16 Connecting to https://acme-v02.api.letsencrypt.org/acme/chall/2531897231/704449406176/EzUU9w
18 Connecting to https://acme-v02.api.letsencrypt.org/acme/chall/2531897231/704449406176/EzUU9w
18 Domain www.lifesrain.com has been verified successfully.
18 Domain verification results for 'www.lifesrain.com': success.
18 You can now delete the '2Ty3G8npLqQ7rn_dS8OF-wC78XBnLaab-ohoqwEqZZ0' file.
18 Verified challenges for 3 domain(s).
18 Requesting domain certificate.
18 Connecting to https://acme-v02.api.letsencrypt.org/acme/finalize/2531897231/511010151726
20 The certificate is ready for download at https://acme-v02.api.letsencrypt.org/acme/cert/062fb94e7de6d149766265f4c8d0433e6b30.
20 Connecting to https://acme-v02.api.letsencrypt.org/acme/cert/062fb94e7de6d149766265f4c8d0433e6b30
20 Certificate is separated from the chain.
20 Domain certificate has been received.
20 Requesting issuer's certificate.
20 Issuer's certificate has been already received.
20 Saving the full certificate chain to lifesrain_com.crt.
20 The job is done, enjoy your certificate!

D:__TMP_getcert\CertWorking>SS

Huh, I'm not sure I can be much more help. That successful run did not even issue a new-order request and started processing the challenges right away. That would only be possible if the --delayed run saved info that was picked up by that run. Maybe this saved info is somehow getting lost at least in some sequences.

The 404 second step shows a new-order request so I'd guess it did not see whatever was saved by --delayed and started over.

We need to have the Crypt::LE developer involved to know exactly why this is happening. I've mentioned several possibilities. The log does not provide sufficient info.

Personally, given you have not gotten any response to your github post to Crypt I'd strongly consider abandoning it in favor of Posh-ACME. It's webroot support allows a callout to your own function which would do whatever your program does today. See: WebRoot - Posh-ACME

Not only would Posh give you a more, um, compliant API flow today it will have dns-persist support promptly when available. That would allow full automation for you.

I am not exactly sure how you'd do a remote Webroot location but perhaps @rmbolger would advise

Remote webroot would work the same as a local webroot except that you'd use a Windows UNC path or mapped drive letter. The current caveat is that if the remote drive requires authentication, that currently has to be done before Posh runs. I think I have an open ticket to add support for explicit credentials, but I haven't gotten around to implementing it yet.

On Windows, the WebSelfHost plugin might be easier if the existing web server is IIS/http.sys based since they can share port 80.

I am not exactly sure what their program did but it looks like a VPS at NameCheap running LiteSpeed (so probably a linux). The client runs on Windows and they update their cert manually given the challenges with the server. I am guessing at some of this. But, if it was a self-contained system they wouldn't have needed the two-step --delayed method of LE64.

I further guess they are using some kind of custom programmatic method (like https to a designed endpoint) and not have ready ability to map using Windows methods.

I originally thought your webroot args allowed a callout to a script but after I posted I saw that was not the case. A callout would be similar to what they do with the LE64 delayed but all in one nice series of ACME API flows.

Anyway, we'll have to see if this interests them and to get more details.

@MikeMcQ & @rmbolger thanks to both of you for your educational input. Since the initial post I've been restructuring my C# app to eliminate reliance on the delay capability (now working for HTTP) only to discover the delay appears to be working again (2nd pass, no delay italicized)
BzS2bn...zpsSXgJw
BzS2bn...zpsSXgJw.mjJ93Q...-3M0QSY
*BzS2bn...zpsSXgJw *
BzS2bn...zpsSXgJw.mjJ93Q...-3M0QSY
When done, press ENTER

23eeV1...QXLaRXg
23eeV1...QXLaRXg.mjJ93Q...-3M0QSY
*23eeV1...QXLaRXg *
23eeV1...QXLaRXg.mjJ93Q...-3M0QSY
When done, press ENTER

VE7pY9...VDyRVo
VE7pY9...VDyRVo.mjJ93Q...-3M0QSY
*VE7pY9...VDyRVo *
VE7pY9...VDyRVo.mjJ93Q...-3M0QSY
When done, press ENTER

However that may be irrelevant as I see there is still no response to the issue I raised on the Crypt::LE git-hub site. I had previously (≈3 yrs ago) been in communication with the author and he was quite responsive so I concur with the observation that Crypt::LE is likely past its "use by" date.

@rmbolger I've downloaded Posh, done a preliminary review and would ;like to discuss further. Is the best way of contacting you via your Posh git-hub repository?

Here via public thread or DM or there via the Issue tracker are both fine.