How to get the CNAME value for the DNS challenge again

Hello gurus,

I'm new to the community, so forgive me if this is a known question (but I did not find the solution anywhere).

I was able to get the certificates correctly using the DNS challenge, but by mistake I deleted the registered domain (it is a dynamic domain, for example my "domain.org"), so I lost the registered CNAME value.

If I try to register the domain again using this command:

 certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d *.mydomain.org -d mydomain.org -v

the CNAME value to add to DNS does not appear any more.

To sort it out, I revoked the "old" certificate in Let's Encrypt using this command:

sudo certbot revoke --cert-path /etc/letsencrypt/archive/mydomain.org/cert

The revoke was successful, but when requesting a "new" certificate again, Let's Encrypt does not provide the CNAME value and the DNS challenge cannot complete.

Of course, if I use a new domain the process works perfectly, but I cannot use a different domain name...

Any suggestion is welcome

Thanks

Dario

I'm assuming you're using the free acme-dns server at https://auth.acme-dns.io? (Which is not really recommended, as you're putting all your trust in a sort of unknown service with regard to who is allowed to issue certificates for your domain.)

If the above is the case, you could remove /etc/letsencrypt/acmedns.json (or better: rename it so you'll have a backup) and start the on-boarding for the acme-dns-auth.py script again.

4 Likes

Hi Osiris,
thanks for your attention.

Yes, I'm using acme-dns (to be honest, I do not know any other alternatives; you are welcome to suggest some, I'll learn).

I deleted the file you mentioned (backed it up first).

I tried to request the certificate again, but I received the message:

:: too many certificates (5) already issued for this exact set of domains in the last 168 hours:

and I have to wait... although this issue is very pressing for me.

Thanks

Dario

1 Like

How is it possible you've issued that many certificates? What happened to them?

That depends on your DNS service provider and if they offer an API which is one way or another compatible with Certbot (or another ACME client).

4 Likes

What was the point of doing that?
There is hardly ever a need to revoke a working cert.

4 Likes

Specifically, it won't do anything to help with the rate limits.

5 Likes

I think the reason you weren't getting the value to add to the DNS record is that you didn't need to: the authorization from your first order was still valid, so issuance succeeded immediately without needing to re-do the DNS-01 challenge.

This is also why you hit the duplicate certificate rate limit: each of those times you thought things were failing because you weren't being given a DNS challenge value, they were actually succeeding all the way through issuing the certificate.

6 Likes

Thanks all for your replies.

The reason why I revoked the certificate was that I deleted the dynamic domain name by mistake, losing the DNS records associated with it.

After recreating the domain, I got this message from the Let's Encrypt command certbot renew --dry-run:

Failed to renew certificate mydomain.org with error: Some challenges have failed.

So I started clutching at straws, trying to solve the situation while keeping the domain name, but I exceeded the rate limit. Because it is urgent, I had to abandon the original domain name and restart from the beginning with a new name.

As I said, I'm a newbie with the Let's Encrypt logic: I received other messages during the simulated renewal about "some challenges have failed", and I'm afraid, crossing my fingers, about what will happen when the real expiration date arrives.

I'm wondering why Let's Encrypt, when creating a new certificate, does not send a simple email containing the CNAME value for future reference, avoiding, I hope, all this trouble.

Dario

1 Like

Because this has nothing whatsoever to do with Let's Encrypt. You're using--for some reason, which you haven't mentioned, and I'm not sure you even understand--a third-party service to handle DNS validation for you. It's that third-party service, not Let's Encrypt, that has you create the CNAME record. Let's Encrypt will follow that CNAME record (it's how acme-dns can handle the validation for you), but doesn't need it, nor does it request you create one--that's all on acme-dns. Which, I repeat, is something completely distinct from Let's Encrypt.

5 Likes
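The two replies above (recover or re-create the acme-dns registration stored in /etc/letsencrypt/acmedns.json, and Let's Encrypt following the `_acme-challenge` CNAME into acme-dns) can be checked offline with a small script. This is an added example, not code from certbot, acme-dns or the acme-dns-auth.py hook. It assumes that acmedns.json holds, per domain, the JSON returned by the acme-dns `/register` call (`username`, `password`, `fulldomain`, `subdomain`, `allowfrom`), that the `fulldomain` field is the CNAME target, and that a wildcard and its base name validate at the same `_acme-challenge` label; the file contents, token and zone data below are constructed.

```python
import json
from typing import Dict, List, Tuple

# Constructed stand-in for /etc/letsencrypt/acmedns.json. The layout (one entry
# per domain holding the acme-dns /register response) is an assumption about how
# the acme-dns-auth.py hook stores its registration; every value is made up.
SAMPLE_ACMEDNS_JSON = """
{
  "mydomain.org": {
    "username": "00000000-1111-2222-3333-444444444444",
    "password": "not-a-real-password",
    "fulldomain": "d420c923-bbd7-4056-ab64-c3ca54c9b3cf.auth.acme-dns.io",
    "subdomain": "d420c923-bbd7-4056-ab64-c3ca54c9b3cf",
    "allowfrom": []
  }
}
"""


def validation_name(domain: str) -> str:
    """Owner name a DNS-01 validator queries. A wildcard and its base name
    share the same _acme-challenge label, so one CNAME serves both."""
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base.rstrip(".")


def cname_records(acmedns_json: str, domains: List[str]) -> Dict[str, str]:
    """Recover from the stored registration the CNAME each domain needs:
    _acme-challenge.<domain>  CNAME  <fulldomain>"""
    store = json.loads(acmedns_json)
    records: Dict[str, str] = {}
    for d in domains:
        base = d[2:] if d.startswith("*.") else d
        entry = store.get(base)
        if entry is None:
            raise KeyError(f"no acme-dns registration for {base}: re-run onboarding")
        records[validation_name(d)] = entry["fulldomain"].rstrip(".")
    return records


# Minimal zone model standing in for live DNS: (owner name, type) -> rdata list.
Zone = Dict[Tuple[str, str], List[str]]


def diagnose(zone: Zone, domain: str, fulldomain: str, token: str) -> str:
    """Walk the lookup a DNS-01 validator performs, following CNAMEs from
    _acme-challenge.<domain>, and report where the chain breaks."""
    start = validation_name(domain)
    name = start
    seen = set()
    while name not in seen:
        seen.add(name)
        cname = zone.get((name, "CNAME"))
        if cname:
            target = cname[0].rstrip(".")
            if name == start and target != fulldomain:
                return f"CNAME at {name} points to {target}, expected {fulldomain}"
            name = target
            continue
        if name == start:
            return f"no CNAME at {name}: the delegation to acme-dns is missing"
        txt = zone.get((name, "TXT"), [])
        return "ok" if token in txt else f"TXT at {name} lacks the expected token"
    return f"CNAME loop at {name}"


if __name__ == "__main__":
    domains = ["*.mydomain.org", "mydomain.org"]
    records = cname_records(SAMPLE_ACMEDNS_JSON, domains)
    for owner, target in records.items():
        print(f"{owner}. IN CNAME {target}.")   # the record to re-create after the domain was lost
    fulldomain = records["_acme-challenge.mydomain.org"]
    token = "constructed-key-authorization-digest"   # constructed; acme-dns would publish the real one
    zone_ok: Zone = {("_acme-challenge.mydomain.org", "CNAME"): [fulldomain],
                     (fulldomain, "TXT"): [token]}
    zone_after_delete: Zone = {(fulldomain, "TXT"): [token]}   # domain re-created, CNAME gone
    for label, zone in (("CNAME restored", zone_ok), ("domain deleted", zone_after_delete)):
        print(f"{label}: {diagnose(zone, '*.mydomain.org', fulldomain, token)}")
```

`diagnose` reproduces the situation in the thread: once the dynamic domain was deleted and re-created without the `_acme-challenge` CNAME, the validator finds nothing to follow and certbot reports "Some challenges have failed", regardless of whether the certificate was revoked or the acme-dns registration re-done. Re-creating the CNAME with the `fulldomain` from acmedns.json is the fix; re-registering only becomes necessary when that file is gone.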
