Failing DNS challenges, but DNS is okay?

My domain is:

I ran this command:
/usr/bin/certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation

and for diagnostics:

[root@docker-9679f6d9acfc:/]# curl

[root@docker-9679f6d9acfc:/]# nslookup

Non-authoritative answer: canonical name =

Non-authoritative answer: canonical name =

It produced this output:
Challenge failed for domain
Attempting to renew cert (npm-1) from /etc/letsencrypt/renewal/npm-1.conf produced an unexpected error: Some challenges have failed.. Skipping.

My web server is (include version):
nginx-proxy-manager:latest proxying code-server

The operating system my web server runs on is (include version):
ubuntu 16.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


Hi @bobbywaz, and welcome to the LE community forum :slight_smile:

This doesn't show enough detail to understand what is failing:

Please show output of:
cat /etc/letsencrypt/renewal/npm-1.conf

And the related output of:
/usr/bin/certbot certificates

This is also a bit confusing:


If you remove the --quiet when trying to renew, you should see diagnostics from Certbot that explain more about what went wrong!


So Hey @schoen (Seth)
Isn't there a way to increase the error output of certbot? Forgive me for not researching this first. Something like -vvv?


Yes, that should work, but just not using --quiet should already help! :slight_smile:


Thanks for that. The more data we can get the better. Maybe it can help.


It should also provide a log in /var/log/letsencrypt/


To clarify, I am using a docker container called nginx-proxy-manager which is supposed to automatically renew certs when they expire, but it is not currently. The reason I am using the particular string "/usr/bin/certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns, http" --disable-hook-validation" is because that's what the container uses.

When I attempt to remove the "http" and do "dns" I get the following error:

Attempting to renew cert (npm-1) from /etc/letsencrypt/renewal/npm-1.conf produced an unexpected error: None of the preferred challenges are supported by the selected plugin. Skipping.

When I remove the --quiet I get this as an error:

Processing /etc/letsencrypt/renewal/npm-41.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Challenge failed for domain
http-01 challenge for
Cleaning up challenges
Attempting to renew cert (npm-41) from /etc/letsencrypt/renewal/npm-41.conf produced an unexpected error: Some challenges have failed.. Skipping.

I have attached /var/log/letsencrypt at hastebin

It appears to work when I click the "renew" button from the web interface, but not when it boots... which is weird, and probably an issue with nginx-proxy-manager and not letsencrypt....

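Added example, not part of any post in this thread and not Certbot's or nginx-proxy-manager's own code: the log above shows "Authenticator webroot", and Certbot's webroot plugin can only perform http-01, which is why "dns,http" falls back to http-01 and "dns" alone is rejected. The sketch below reads the authenticator from a renewal file and reports which preferred challenges it can use; the function names, the plugin table (built-in authenticators only) and the sample file contents are assumptions made for illustration.

```python
import re

# Challenge types per stock Certbot authenticator (assumption: built-in plugins only).
PLUGIN_CHALLENGES = {
    "webroot": {"http-01"}, "standalone": {"http-01"},
    "nginx": {"http-01"}, "apache": {"http-01"},
    "manual": {"http-01", "dns-01"},
}
ALIASES = {"http": "http-01", "dns": "dns-01"}  # short forms accepted on the CLI

# Constructed sample of a renewal file; only the webroot path is from the thread.
SAMPLE_CONF = """\
[renewalparams]
authenticator = webroot
webroot_path = /data/letsencrypt-acme-challenge,
[[webroot_map]]
"""

def parse_renewal_params(text):
    """Return the key/value pairs directly under [renewalparams]."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[+([^\[\]]+)\]+", line)
        if header:  # [section] or nested [[subsection]]
            section = header.group(1).strip()
        elif section == "renewalparams" and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip().rstrip(",")
    return params

def supported_challenges(authenticator):
    """Challenge types the named authenticator can perform."""
    if authenticator.startswith("dns-"):  # e.g. the certbot-dns-* plugins
        return {"dns-01"}
    return PLUGIN_CHALLENGES.get(authenticator, set())

def usable_challenges(conf_text, preferred):
    """Preferred challenges, in order, that the configured plugin supports."""
    auth = parse_renewal_params(conf_text).get("authenticator", "")
    wanted = [ALIASES.get(p.strip(), p.strip()) for p in preferred.split(",")]
    return [c for c in wanted if c in supported_challenges(auth)]

if __name__ == "__main__":
    for prefs in ("dns,http", "dns"):
        print(prefs, "->", usable_challenges(SAMPLE_CONF, prefs) or "no usable challenge")
```

An empty result corresponds to the "None of the preferred challenges are supported by the selected plugin" error quoted in the thread.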
