Letsencrypt not asking for DNS challenge with --manual

I'm trying to generate wildcard cert for my domain

sudo certbot certonly --manual -d "*.example.com" -d "example.com" --preferred-challenges dns -v

The first time I ran this, Certbot prompted me to add a TXT record to my DNS (_acme-challenge). By mistake I removed those TXT records from my DNS, and now I'm trying to generate the certificate again. However, when I run the same command again to generate a new certificate, it successfully creates the certificate without asking for the TXT record.

Since I no longer have the _acme-challenge TXT record in my DNS, how can I retrieve or regenerate the correct DNS TXT record value?

@husnainghani4, welcome to the community! :smiley:

The value of the ACME challenge DNS TXT record is different each time the server asks for it. At the next renewal the server (and so the certbot client) will ask for a different TXT value to put into the DNS.
Therefore, the value of the old TXT record is of no use any more.

3 Likes

@bruncsak thanks for prompt response.

I understand, but now it's not prompting me to add a new TXT record; it's just renewing the certificate. Is there a way to generate a new certificate and add a new ACME challenge DNS TXT record without waiting for the current certificate to expire? My site is already live, and it's down because the certificate is invalid.

1 Like

If the challenge was properly fulfilled, then the ACME server will cache the state that the domain/account pair is authorized. At this moment the cache time is one month (subject to change). So during this period the ACME server won't ask for a new challenge if you request a certificate for that domain.

Please do not ask for a new certificate with the same set of domains if you already have one; just use it. Getting a new certificate costs resources for Let's Encrypt, so there is a rate limit for that.

4 Likes

So, does that mean I need to wait for one month for it to work, and there's no way to override it?

You already have your certificate. Multiple times apparently.

Why do you want the TXT value so badly? Its purpose is to let you get a certificate. But that ultimate goal has already been satisfied. So you don't need the TXT value any longer for now.

If your site is down, you should concentrate on fixing that. Re-issuing the certificate is NOT the answer to fixing your site. Whether or not you'd be using a new TXT value, the issued certificate would be exactly the same.

Also, you haven't used the mandatory questionnaire that was provided to you when you opened this thread in the Help section, so there's not much we can do without extra information:

When you opened this thread in the Help section, you should have been provided with a questionnaire. Maybe you didn't get it somehow (which is weird), or you've decided to delete it. In any case, all the answers to this questionnaire are required:
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

3 Likes

Thanks @Osiris
I understand your point now. I was under the impression that the challenge and TXT DNS entry were required for the certificate to function. However, as you mentioned, they are only needed for verification. I updated my Nginx configuration, replaced my config, and used the private key with the newly generated certificate—it worked perfectly!
Thank you so much for your help, and apologies for not using the help template.

2 Likes

Glad you've got it working!

You can read more how the ACME protocol works on How It Works - Let's Encrypt. It covers the http-01 challenge, but the principle is the same for the dns-01 challenge you're using.

By the way, is there a specific reason why you're using the dns-01 challenge? Manually renewing certificates every 2 to 3 months is a hassle, and Let's Encrypt is meant to be automated. The http-01 challenge is usually easier to automate.

3 Likes
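As an added illustration of the derivation that page describes (example code, not part of this thread or of Certbot): the dns-01 TXT value is the base64url SHA-256 of the key authorization, i.e. the challenge token joined to the account key's JWK thumbprint, so it depends on a token the CA picks for each challenge and cannot be recomputed later without a new challenge. The account key and token below are constructed placeholders.

```python
import base64
import hashlib
import json

# Constructed sample inputs: not a real account key and not a real challenge token.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}
SAMPLE_TOKEN = "constructed-token-from-the-acme-server"

# Required public-key members that enter the thumbprint, per key type (RFC 7638 section 3.2).
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """Only the required members, lexicographically ordered, no whitespace (RFC 7638)."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 of the canonical JWK, base64url encoded; stable for the life of the account key."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint (RFC 8555 section 8.1); the token is chosen by the CA per challenge."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """Value the client publishes at _acme-challenge.<domain> TXT (RFC 8555 section 8.4)."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("utf-8")).digest())


def challenge_satisfied(txt_records: list, token: str, jwk: dict) -> bool:
    """The CA's check: some TXT record at _acme-challenge must equal the expected digest."""
    return dns01_txt_value(token, jwk) in txt_records


if __name__ == "__main__":
    value = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
    print("_acme-challenge TXT:", value)
    # A fresh token in the next order yields an unrelated digest, so the old record is useless.
    print("old record valid for a new token?", challenge_satisfied([value], "another-token", SAMPLE_JWK))
```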

My understanding is that the DNS challenge is required for obtaining a wildcard certificate, as HTTP challenges do not support wildcard domains. Since we have a multi-tenant system, using a wildcard certificate is essential.

If there is a way to use the HTTP challenge for wildcard certificates, I’d appreciate it if you could point me to any documentation or resources. I'm already planning to automate to simplify certificate renewal.

1 Like

Ah, sorry, my mistake. I missed the wildcard in your first post. You're correct that for a wildcard certificate the dns-01 is mandatory.

1 Like

Thank you for confirming! I'm using Namecheap for DNS. Is it possible to automate the DNS challenge with it?

2 Likes

There is a third-party DNS plugin at GitHub - iHamsterball/certbot-dns-namecheap: Certbot plugin to provide dns-01 challenge support for namecheap.com, but apparently Namecheap has some criteria to be able to use their API. See the link.

Alternatively you could use GitHub - joohoi/acme-dns: Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely. to run an instance of acme-dns on your host and use a CNAME to redirect the challenge to that acme-dns instance. Note that there is also a free acme-dns instance available, but it's much safer to use your own instance. You can use GitHub - joohoi/acme-dns-certbot-joohoi: Certbot client hook for acme-dns or GitHub - acme-dns/acme-dns-client: A client software for https://github.com/joohoi/acme-dns as the Certbot DNS plugin to work with your acme-dns instance.

3 Likes
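One way to wire Certbot to an acme-dns instance without a plugin, as an added example that is not from this thread or from the acme-dns project: a `--manual-auth-hook` that takes the validation value Certbot exports in `CERTBOT_VALIDATION` and posts it to the acme-dns `/update` endpoint, plus the CNAME you create once at the real DNS provider. The API URL, acme-dns zone and credentials are constructed placeholders; real ones come from your own instance's `/register` call.

```python
import json
import os
import urllib.request

# Constructed placeholders (assumption: your own acme-dns instance, as recommended above).
ACME_DNS_API = "https://auth.example.invalid"   # where the acme-dns HTTP API listens
ACME_DNS_ZONE = "auth.example.invalid"          # DNS zone the acme-dns instance serves
CREDENTIALS = {                                 # one /register result per base domain
    "example.com": {
        "username": "00000000-0000-4000-8000-000000000000",
        "password": "PLACEHOLDER-API-KEY",
        "subdomain": "11111111-1111-4111-8111-111111111111",
    },
}


def base_domain(domain: str) -> str:
    """'*.example.com' and 'example.com' share one _acme-challenge name, so drop a leading '*.'."""
    return domain[2:] if domain.startswith("*.") else domain


def cname_record(domain: str) -> str:
    """The one-time CNAME to create at the real DNS provider (e.g. Namecheap) for this domain."""
    creds = CREDENTIALS[base_domain(domain)]
    return f"_acme-challenge.{base_domain(domain)}. IN CNAME {creds['subdomain']}.{ACME_DNS_ZONE}."


def build_update(domain: str, validation: str) -> tuple:
    """URL, headers and JSON body for acme-dns POST /update; acme-dns insists on a 43-char txt."""
    if len(validation) != 43:
        raise ValueError("CERTBOT_VALIDATION must be the 43-char base64url SHA-256 digest")
    creds = CREDENTIALS[base_domain(domain)]
    headers = {
        "X-Api-User": creds["username"],
        "X-Api-Key": creds["password"],
        "Content-Type": "application/json",
    }
    body = json.dumps({"subdomain": creds["subdomain"], "txt": validation}).encode("utf-8")
    return f"{ACME_DNS_API}/update", headers, body


def main() -> None:
    # Certbot sets CERTBOT_DOMAIN and CERTBOT_VALIDATION in the hook's environment.
    url, headers, body = build_update(os.environ["CERTBOT_DOMAIN"], os.environ["CERTBOT_VALIDATION"])
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    # A non-2xx answer raises HTTPError, so the hook exits non-zero and Certbot aborts the challenge.
    urllib.request.urlopen(req, timeout=15).read()


if __name__ == "__main__":
    main()
```

After creating the CNAME that `cname_record` prints, run `certbot certonly --manual --preferred-challenges dns --manual-auth-hook /path/to/this-script.py -d '*.example.com' -d example.com`.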

@Osiris Thank you for the suggestion! I’ll look into it and give it a try. Appreciate your help!

3 Likes