I cannot get SSL cert Certbot: error: unrecognized arguments: prefered-challenges=dns

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: dsrlearn.com

I ran this command: certbot certonly prefered-challenges=dns --manual --agree-tos --email srinivasarao10247@gmail.com --server https://acme-v02.api.letsencrypt.org/directory --work-dir=. --config-dir=. --logs-dir=. --csr dsrlearncsr.pem -d dsrlearn.com -d *.dsrlearn.com

It produced this output:
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: prefered-challenges=dns

My web server is (include version): nginx 1.21.4

The operating system my web server runs on is (include version): ubuntu 20.04

My hosting provider, if applicable, is: upcloud

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.23.0

Should be:

--preferred-challenges

4 Likes

now i got this error error: unrecognized arguments: --prefered-challenges=dns

I think you are missing an r in preferred

3 Likes

My DNS is at Namecheap and my host is UpCloud. Is there any way to auto-renew?

Did you need a wildcard certificate? Because if you don't you could use the HTTP challenge and that is often much easier to automate. Something as simple as this might work for HTTP challenge:

certbot --nginx -d dsrlearn.com -d www.dsrlearn.com --email (youremail)@gmail.com

A --csr is not required, certbot will make one.

3 Likes

But I need a wildcard.

OK, if you have a large number of subdomain names a wildcard will help. Without a wildcard you are limited to 100 names in one cert.

For automating with wildcard you will need to use a DNS plug-in. The certbot docs for those are here. Another client named acme.sh has support for Namecheap DNS so you could consider that client instead of certbot. Some people have used the DNS plug-ins from acme.sh with certbot but I personally do not know how to do that.

3 Likes

No plugin support from the certbot docs. The acme.sh plugin needs the Namecheap API, but Namecheap says "We’re sorry, you have not met the criteria to qualify for API access. To qualify, you must have: Account balance of $50+, 20+ domains in your account, or purchases totaling $50+ within the last 2 years." But mine is a new account. I don't want to spend $50 just for automating SSL. What should I do?

You could switch DNS providers. Just because you have your domain name at namecheap does not require you to use their DNS system.

You could use a DNS delegation method to a DNS provider that does support API access

Or, live with HTTP challenge and no wildcard

Other volunteers might offer other ideas. Here is one thread discussing some ideas

5 Likes

I bought premium DNS from Namecheap. If I use another DNS provider I have to buy the DNS. I can use the same money to buy an SSL, so why use certbot?

You mean why use Let's Encrypt? Right? Certbot is just one of many ways to get certs from Let's Encrypt.

It is too bad if you bought something like premium DNS that is not helpful. But, Cloudflare offers free DNS and has an API.

There is also a way to direct your DNS to another one using CNAME and run your own DNS just for ACME challenges. Search for acme-dns in this forum.

Or, you could just live with manual updates every 60-75 days.

It is up to you to decide how much effort and money to spend on things.

3 Likes

The things retailers don't tell you until they have your money.
Name is cheap, but the rest will cost you a pretty penny!
@MikeMcQ 's suggestion is a good one.

https://community.letsencrypt.org/search?q=acme-dns%20

2 Likes

After generating the SSL with the above command in the question, I tried it with nginx and got an error saying the private key does not match the cert. I generated the CSR (SAN dsrlearn.com, *.dsrlearn.com) with openssl. Is there a way to provide the key to certbot? Or should I generate the key with certbot? How do I generate a sha384 4096 RSA with a single certbot command?

Yes.

  --rsa-key-size N      Size of the RSA key. (default: 2048)

I don't know where sha384 comes into play in the key. Are you sure it's not a server configuration?

1 Like

sha384 is a SHA-2 algorithm. It is used by CAs when signing certs. You can just google it.

can i place

--rsa-key-size N

anywhere in command or after --manual?

It seems that is only used in the CSR process, not actually included as part of the cert.
There are only four choices for cert key size:

  • RSA 2048
  • RSA 4096
  • ECC 256
  • ECC 384

1 Like

Should I generate the CSR with certbot only? How do I do that for a SAN wildcard for dsrlearn.com and *.dsrlearn.com? In openssl I created a .cnf. How do I do it with certbot?
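
Added example (not part of the thread and not certbot's own code): a certificate issued from a CSR carries the public key in that CSR, so nginx must be given the private key the CSR was created from. The script below builds a constructed key and CSR for the two names in the question, uses a self-signed certificate as a stand-in for the issued one, and compares public-key fingerprints to find a mismatch; all file names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: file names and the self-signed stand-in cert are constructed.
set -eu

# Print the SHA-256 of the public key inside a PEM key, CSR or certificate.
pub_fingerprint() {  # usage: pub_fingerprint key|csr|cert FILE
  case "$1" in
    key)  pem=$(openssl pkey -in "$2" -pubout) ;;
    csr)  pem=$(openssl req  -in "$2" -noout -pubkey) ;;
    cert) pem=$(openssl x509 -in "$2" -noout -pubkey) ;;
    *)    echo "unknown type: $1" >&2; return 2 ;;
  esac || return 1
  printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeed only if KEY holds the private half of the public key in FILE.
key_matches() {  # usage: key_matches KEY csr|cert FILE
  a=$(pub_fingerprint key "$1") && b=$(pub_fingerprint "$2" "$3") &&
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# List the DNS names a CSR asks for, one per line.
csr_sans() {
  openssl req -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*'
}

# Build demo files in directory $1 (RSA 2048 to keep the demo fast; use
# rsa:4096 for the key size asked about in the thread).
make_demo() {
  openssl req -new -newkey rsa:2048 -sha384 -nodes \
    -keyout "$1/demo.key" -out "$1/demo.csr" -subj "/CN=dsrlearn.com" \
    -addext "subjectAltName=DNS:dsrlearn.com,DNS:*.dsrlearn.com" 2>/dev/null
  # Self-signed stand-in for the certificate the CA would issue for the CSR.
  openssl x509 -req -in "$1/demo.csr" -signkey "$1/demo.key" -days 1 \
    -out "$1/demo.crt" 2>/dev/null
  # An unrelated key, e.g. one generated separately from the CSR.
  openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

d=$(mktemp -d)
make_demo "$d"
csr_sans "$d/demo.csr"
key_matches "$d/demo.key"  cert "$d/demo.crt" && echo "demo.key matches demo.crt"
key_matches "$d/other.key" cert "$d/demo.crt" || echo "other.key does not match demo.crt"
```

Run `key_matches` against the real key and certificate files before pointing nginx at them; `-addext` requires OpenSSL 1.1.1 or later.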