Error: autorenew of cert: authenticator plugin that can do challenges over DNS

After generating the wildcard cert using ./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d *.elvero.nl -d *.view-my-ip.com -d *.dns-point.com -d *.vpn-spot.com -d *.btrnaidu.com -d *.btrnaidu.in -d *.amstar.in -d *.amstar.co.in -d *.amstar.org -d *.amstartechnologies.co.in -d *.sweconsulting.com -d *.insafehands.co.in -d *.lmcentraal.com -d *.indiaradar24.com -d *.ios.training -d *.airhd.in -d *.wolknet.com --manual --preferred-challenges dns-01 certonly --csr, the auto-renew does not work.

My domain is: -d *.elvero.nl -d *.view-my-ip.com -d *.dns-point.com -d *.vpn-spot.com -d *.btrnaidu.com -d *.btrnaidu.in -d *.amstar.in -d *.amstar.co.in -d *.amstar.org -d *.amstartechnologies.co.in -d *.sweconsulting.com -d *.insafehands.co.in -d *.lmcentraal.com -d *.indiaradar24.com -d *.ios.training -d *.airhd.in -d *.wolknet.com

I ran this command: ./letsencrypt-auto renew --force-renewal --standalone --preferred-challenges http-01

It produced this output: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Attempting to renew cert (btrnaidu.com) from /etc/letsencrypt/renewal/btrnaidu.com.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS… Skipping.

My web server is (include version):

The operating system my web server runs on is (include version): apache + nginx

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The initial cert was done manually.
The renewal will need to also be done manually or be given all the information needed in the command line.

Thanks for the reply. The same command was working before. Now it does not. Can you please give more inputs on

  1. What is the command to manually renew the certs? or
  2. What information I need to provide in the command line for the cert renewal to be successful?

Thanks in advance.

Try adding --manual and walk through the steps.
If that works, then we can try automating the steps taken.

The command ./letsencrypt-auto renew --force-renewal --standalone --manual --preferred-challenges http-01 gave the error An error occurred while parsing /etc/letsencrypt/renewal/btrnaidu.com.conf. The error was Too many flags setting configurators/installers/authenticators 'standalone' -> 'manual'. Skipping the file.. and without the --standalone option gives error Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration. The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)

Please show the file(s) [and their contents] in the /etc/letsencrypt/renewal/ folder.

Which ports are being handled by Apache?
Which ports are being handled by NGINX?

Both apache and nginx are running on default ports 80 and 443 but on a different container. I generate certs here and deploy them on target containers.

The folder has only the file btrnaidu.com.conf, with the contents below.

#renew_before_expiry = 30 days
version = 0.26.1
archive_dir = /etc/letsencrypt/archive/btrnaidu.com
cert = /etc/letsencrypt/live/btrnaidu.com/cert.pem
privkey = /etc/letsencrypt/live/btrnaidu.com/privkey.pem
chain = /etc/letsencrypt/live/btrnaidu.com/chain.pem
fullchain = /etc/letsencrypt/live/btrnaidu.com/fullchain.pem

#Options used in the renewal process
[renewalparams]
account = 15d22509d405453bf043a39d35644247
manual_public_ip_logging_ok = True
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = manual
pref_challs = dns-01,

In order to authenticate via --preferred-challenges http-01, the system must be accessible via the Internet.

Which one is accessible via the Internet IP?

Change:
./letsencrypt-auto renew --force-renewal --standalone --preferred-challenges http-01

To [whichever is accessible via the Internet]:
./letsencrypt-auto renew --apache --preferred-challenges http-01
OR
./letsencrypt-auto renew --nginx --preferred-challenges http-01

The situation is like this. My apache is running in host/docker01, nginx in host/docker02 and the letsencrypt renewal is running in host/docker03. All the dockers or hosts are publicly accessible. When I pass --apache or --nginx as a command line parameter, the error below is shown: Could not choose appropriate plugin: The apache plugin is not working; there may be problems with your existing configuration.

The actual http-01 authentication challenge comes from the Internet into your system.
[Not out from your system to the Internet.]

I think you mean all of them have access to the Internet. [which is not the answer to the question]
Which is the one that the Internet IP routes to from the outside in?
Start with the domain you want to process.
Resolve that name to an IP.
Follow that IP into your network.
Which system answers requests to that IP (on port 80 and 443)?

The conceptual problem here is that the original command required you to set certain DNS text records in order to prove control over all these domains to obtain the wildcard certificates. But the renewal process requires this to be repeated, and the DNS records that you have to set will be different every time (just leaving the old ones in place does not work). However, with --manual it's not possible to do an unattended renewal because Certbot doesn't know how to make the requested DNS changes other than by asking you to do so on the console.

As a result, what we would expect to happen is that you would have to re-run the original certonly command for renewals and then repeat the manual process each time. In order to renew automatically, you would need a way that Certbot can make the DNS updates without your intervention (for example, via a DNS provider API).

2 Likes

In case it’s not clear from the above: you can’t use --preferred-challenges http-01 when the certificate includes wildcards. DNS verification is mandatory.

I think the --csr option also doesn’t work with the renew subcommand. So if you need to use that you would still have to re-run the certonly command to renew. If you’re using --csr only because you don’t want to rotate your keys on renewal, you could use --reuse-key instead. (You would still need to automate the DNS updates as well).

1 Like

Thanks for the nice explanation. This makes the cert auto renewal much harder :(. Creating authentication scripts for various domain hosting companies is not that easy + your text records for the domain will keep on increasing with every cert renewal. Really an unpleasant feature.

There are existing plugins for some popular DNS providers but if you need to deal with lots of different ones, the simplest approach may be to set up a single DNS service to handle all the validation requests, and CNAME all the _acme-challenge subdomains to that service. For example see DNS alias mode · acmesh-official/acme.sh Wiki · GitHub (I believe this can also be done with certbot but can't find a reference right now)

You can delete the TXT record after the validation is complete. Most of the existing integrations automate this as well.

1 Like
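Putting the two points above together (Certbot needs a way to make the DNS changes itself, and pointing every _acme-challenge name at one validation zone plus deleting the TXT record afterwards keeps the zones tidy), here is an added example hook script. It is not from this thread and not certbot's or acme.sh's code. The CERTBOT_DOMAIN and CERTBOT_VALIDATION variables are the ones certbot exports to manual hooks; ACME_ALIAS_ZONE, ACME_HOOK_LOG and ACME_RESOLVER are names this script invents, and dns_provider_set_txt / dns_provider_delete_txt are placeholders standing in for whatever your DNS provider's API client is (here they only append to and remove from a local log, so the script can be exercised without a provider).

```shell
#!/bin/sh
# Added example: one script used as both --manual-auth-hook and --manual-cleanup-hook
# for DNS-01 validation of wildcard names. Not from the thread, certbot or acme.sh.
#
#   certbot certonly --manual --preferred-challenges dns-01 \
#       --manual-auth-hook    '/usr/local/bin/acme-dns-hook.sh auth' \
#       --manual-cleanup-hook '/usr/local/bin/acme-dns-hook.sh cleanup' \
#       -d '*.btrnaidu.com' -d '*.btrnaidu.in'
#
# Certbot exports to the hooks:
#   CERTBOT_DOMAIN       the name being validated (wildcards arrive without the "*.")
#   CERTBOT_VALIDATION   the TXT value the CA must find
# Names this script invents (assumptions, not certbot settings):
#   ACME_ALIAS_ZONE   optional; a zone you control to which every _acme-challenge.<domain>
#                     is CNAMEd (acme.sh "DNS alias mode"); the TXT is then written there
#   ACME_HOOK_LOG     where the placeholder "provider" records changes (default /tmp/acme-hook.log)
#   ACME_RESOLVER     resolver polled for propagation (default 1.1.1.1; the zone's own
#                     authoritative server avoids negative-cache delays)
set -e

# TXT record name the CA queries for a domain; strips a "*." prefix defensively.
acme_txt_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# Record that must actually hold the TXT value: the name itself, or in alias mode the
# CNAME target _acme-challenge.<alias zone>. Several domains may share that target;
# the CA accepts any TXT value at the name that matches its challenge.
acme_txt_target() {
    if [ -n "${2:-}" ]; then
        printf '_acme-challenge.%s\n' "$2"
    else
        acme_txt_name "$1"
    fi
}

# ---- Placeholder DNS provider (assumption): replace both functions with your
# ---- provider's API client. They append to / remove from a local log so the
# ---- hook can be run offline.
dns_provider_set_txt() {
    printf 'TXT %s "%s"\n' "$1" "$2" >> "${ACME_HOOK_LOG:-/tmp/acme-hook.log}"
}
dns_provider_delete_txt() {
    log="${ACME_HOOK_LOG:-/tmp/acme-hook.log}"
    [ -f "$log" ] || return 0
    grep -vF "TXT $1 \"$2\"" "$log" > "$log.tmp" || true   # grep -v exits 1 when nothing is left
    mv "$log.tmp" "$log"
}

# Poll until the TXT value is visible to the chosen resolver. Letting certbot continue
# before the provider has published the record is the usual cause of validation failures.
wait_for_txt() {
    name="$1"; value="$2"; tries="${3:-30}"
    while [ "$tries" -gt 0 ]; do
        if dig +short TXT "$name" "@${ACME_RESOLVER:-1.1.1.1}" 2>/dev/null | grep -qF "\"$value\""; then
            return 0
        fi
        tries=$((tries - 1))
        sleep 10
    done
    echo "acme-dns-hook: $name not visible after polling" >&2
    return 1
}

# Entry point. A non-zero exit makes certbot abort the run instead of asking the CA
# to validate a record that is not there.
acme_hook_main() {
    action="${1:-auth}"
    target=$(acme_txt_target "$CERTBOT_DOMAIN" "${ACME_ALIAS_ZONE:-}")
    case "$action" in
        auth)
            dns_provider_set_txt "$target" "$CERTBOT_VALIDATION"
            wait_for_txt "$target" "$CERTBOT_VALIDATION"
            ;;
        cleanup)
            # Remove the record once validation is done so TXT entries do not pile up.
            dns_provider_delete_txt "$target" "$CERTBOT_VALIDATION"
            ;;
        *)
            echo "usage: $0 auth|cleanup" >&2
            return 2
            ;;
    esac
}

# Certbot always sets CERTBOT_DOMAIN; when the file is merely sourced, nothing runs.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    acme_hook_main "$@"
fi
```

Certbot records the hook commands in the renewal configuration, so once a certificate has been issued this way `certbot renew` can repeat the DNS-01 validation unattended. Because `--csr` does not go through `renew` (as noted above), a setup that depends on it still re-runs the `certonly` command, optionally with `--reuse-key`.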

@jmorahan the last answer of yours is a very interesting one. The link to github shows that it is using acme.sh. Is the script the same as using the certbot-auto command?

It’s a different piece of software that does roughly the same job. It has more comprehensive support for lots of DNS services, but it won’t automatically configure your web server like certbot.

There's a pull request in progress, but it hasn't been merged yet.

2 Likes
