Installing certbot on Windows Server 2016

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:, *

I ran this command: certbot cert only

It produced this output: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

My web server is (include version): IIS 10

The operating system my web server runs on is (include version): Server 2016

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

1 Like

Hi @doyinluv,

Could you please show the complete command, exactly as you typed it? certbot cert only could not be the exact command you used, because the space in "cert only" isn't valid and would have produced an error message.

Normally the "Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA" error message has to do with Let's Encrypt's policies about wildcard certificates. You can find a lot more information about this in previous threads on this forum:

By Let's Encrypt policies, wildcard certificates (those starting with the *.) require the DNS challenge method, which is not required for other kinds of certificates. This method involves creating a DNS TXT record in your DNS zone, with a value provided by the certificate authority, which will be different for every certificate renewal. Certbot can't do this by itself, because it doesn't have a way to change DNS records, unless you use a Certbot DNS plugin or script that gives Certbot a way to make changes to your DNS records automatically.

1 Like
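The check behind that error message and the TXT record the DNS challenge asks for, as an added example that is not part of the original posts and is not Certbot's own code. It assumes the example.com names, the token and the account thumbprint shown (all constructed), and uses the dns-01 value formula from RFC 8555 section 8.4.

```python
import base64
import hashlib

# Challenge types the CA offers per identifier kind:
# wildcard names can only be validated with dns-01.
OFFERED = {
    "wildcard": {"dns-01"},
    "plain": {"http-01", "dns-01", "tls-alpn-01"},
}

def plan(names, authenticator_supports):
    """Return {name: usable challenge types}; an empty set reproduces the
    'does not support any combination of challenges' failure."""
    result = {}
    for name in names:
        kind = "wildcard" if name.startswith("*.") else "plain"
        result[name] = OFFERED[kind] & set(authenticator_supports)
    return result

def txt_record_name(name):
    """dns-01 record owner name; the '*.' label is dropped for wildcards."""
    base = name[2:] if name.startswith("*.") else name
    return "_acme-challenge." + base.rstrip(".")

def txt_record_value(token, account_thumbprint):
    """base64url(SHA-256(token + '.' + thumbprint)) without padding."""
    key_authorization = f"{token}.{account_thumbprint}"
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

if __name__ == "__main__":
    # Constructed inputs: example.com names, made-up token and thumbprint.
    requested = ["*.example.com", "example.com", "www.example.com"]
    for label, supports in [("http-only authenticator", ["http-01"]),
                            ("DNS plugin", ["dns-01"])]:
        print(label)
        for name, usable in plan(requested, supports).items():
            status = ", ".join(sorted(usable)) or "NO USABLE CHALLENGE"
            print(f"  {name:18} {status}")
    token = "constructed-token-1"
    thumb = "constructed-account-thumbprint"
    print(txt_record_name("*.example.com"), "TXT",
          txt_record_value(token, thumb))
```

The token changes with every order, so the TXT value changes at each renewal, which is why the record has to be updated by a plugin or script rather than set once by hand.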

As mentioned, to create a wildcard certificate you need to use DNS validation instead of http validation. As your DNS is with Azure and you are using certbot you might be able to use GitHub - dlapiduz/certbot-azure: Certbot plugin for Azure services - authenticate with DNS, install to App Gateways or switch to using acme-dns (CNAME redirection).

If you can't get that to work, Certify The Web, win-acme or Posh-ACME all support Azure DNS validation.

1 Like

Yes, it's Azure DNS... Can you help break down what I need to do to ensure the virtual machine hosting the websites can be certified, and why is it so hard? I can generate a CSR, so why can't certbot just make it easy?

Sorry, I can only really give usage advice for Certify The Web (the app I develop). With Certify you just install the app on the server (ensure TCP port 80 is open at the firewall/VM network settings), click New Certificate, select your website (the domains are populated from the hostname bindings on the site), then click Request Certificate. If that goes without any error, then thereafter the certificates are auto renewed. That's assuming you don't really need a wildcard (* and can just use specific domains (like, etc and they all point to the same server).

If you do really need a wildcard (why?) you need to use DNS validation. In the case of Azure DNS this requires quite a lot of information for the DNS provider configuration (see

[Edit: most tools don't need you to generate a CSR, that's usually done automatically for you.]

[Edit: If you do use certbot you can still use HTTP validation if you don't need a wildcard. There is some configuration to do, and you need to convert your final certificate files to a PFX for install into the Windows cert store, then create HTTPS bindings in IIS.]
