Need manual acme_challenge now

I have a valid certificate which is not due for renewal, but I need the acme key to enter it under

I was using

sudo certbot certonly --manual -d *

but only get to know, that my domain is not due for renewal and no acme_key. Is there a way the get this key?

Thank you

Why would you need it?


Because the entry is missing at my hoster.

Why would your hoster need it?


It feels like there's something not being communicated somewhere.

Ideally, you configure certbot with a DNS plugin which can update your DNS zone automatically as needed. If that's not possible and you need to do things manually, then it will prompt you with the value to set if needed. But the value is only good for one validation, and that validation is only good for 30 days (with Let's Encrypt's current implementation). If your certificate isn't due for renewal, then there isn't some acme-challenge value which can do anything.


In other words, the domain is unusable until the next renewal date? Seriously? There must be another way.

No, but nobody here has any idea what problem you're actually facing.

Maybe you should start from the beginning, on what you're trying to do, what you've tried, and what errors you're getting? Since if certbot says your certificate isn't due for renewal, than you probably already have a certificate just fine that you can use.


The domain should be fully usable as is was prior; it is only the TLS Certificate I believe is at issue here.

As for the TLS Certificate there are other Free ACME Certificate Authorities to choose from:


Why would the domain be unusable and what does the "acme_challenge" have to do with it?

Please explain your issue from start to end in more details, because we have almost no information to go on.

Also note that in the questionnaire (which you seem to have deleted) there's a part where it says it's mandatory to provide the domain name to actually get help:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:



Thank for trying to help with my issue.

For some reason, the at my hoster was empty. I don't know the reason, but the certificate wasn't working anymore. I'm using LE certs since 4 years and never had an issue. I was hoping that is it possible to retrieve this key somehow, but obviously that's not possible.

However, I found out, that my hoster makes dozens of copies of the DNS zone, so I was able to find the old key from last September, copied it back in and now everything is back to speed.

I'm failing to see how an old _acme-challenge TXT resource record suddenly would fix a "not working certificate". Those _acme-challenge tokens are one-time use only: once used it cannot be used again.

I'm very certain it was something else that fixed this.

The _acme-challenge TXT RR, with a fresh, brand new token, is only used when a new certificate is going to be issued. After issuance you should REMOVE the _acme-challenge TXT RR. If you leave the old TXT RRs, the DNS reply for the request would grow and grow until it's too large for DNS to handle with validation errors as a result.


As you probably might haved guessed by now, I'm not super sophisticated with this whole LE cert thing. I got to work what I needed and was fine with that.

What totally makes sense to me is, that without an entry in the DNS-zone the cert can't work. And the key was not old, it was the current one issued at the last renewal a couple of weeks ago. This was not a renewal, the cert is not up for renewal until somewhere in January.

I was hoping that I could force a renewal to get a new key, but that was not the case.

That totally does NOT make sense to me, sorry. The _acme-challenge resource is ONLY used when a new certificate needs to be issued. Any EXISTING certificates can and DO operate fine without it. An existing certificate does NOT require the _acme-challenge value. Or any other DNS resource for that matter: the certificate itself does not require DNS per se for it to work.

If that value was used a couple of weeks ago, it is currently invalid and useless.

That doesn't make any sense.

It's no problem to not be super sophisticated with anything. However, it does help if one provides as much information as possible.

Even 12 posts in this thread, we still have NO clue what issue you had exactly. It is very, VERY common for people on this Community to request something, thinking that's the solution to their problem, while the solution was something completely different in the end. That's OK, it happens. We can work around that. However, we need INFORMATION to provide proper help. Way more information than provided in this current thread for example.

The only things I know with regard to your issue is:

  • "the domain is unusable" :arrow_right: unusable how?
  • "the certificate wasn't working anymore" :arrow_right: "not working" how exactly?

The provided problems are suuuuuuuuuuper vague. Without actual error messages or a detailed problem description we can't work with the above.

But you say everything is good now, so that's good I guess.


Yes, I hear you and you're right: I'm guilty as charged - mea culpa. But before I posted this, I was super angry since I had absolutly no time to deal with this !@x#-issue.

What you write regarding the _acme-challenge value makes lots of sense and got me worried a bit. But for now it works and next time I will reveal everything. Bye for now.

1 Like

If you have to use DNS validation, use an automated DNS provider instead of manual DNS, that way renewals can happen automatically (which is how they're supposed to work). HTTP validation is usually easiest if you are just running a website though.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.