New cert fail - encountered exception during recovery

My domain is:

I ran this command:

certbot certonly --authenticator dns-godaddy --dns-godaddy-credentials /opt/certbot/credentials.ini --keep-until-expiring --non-interactive --expand --server -d '' -d '*' -v

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Python 3.7 support will be dropped in the next planned release of Certbot - please upgrade your Python version.
Plugins selected: Authenticator dns-godaddy, Installer None
Requesting a certificate for and *
Performing the following challenges:
dns-01 challenge for
dns-01 challenge for
Cleaning up challenges
Encountered exception during recovery: lexicon.exceptions.LexiconError: Could not find record matching type: TXT, name:, content: a0zmTfeJnCYrVh-vg44_v885TCpoRPHLfA9bp3Pnsm0
Error adding TXT record: 422 Client Error: Unprocessable Entity for url:

Also, when curling "" I get the response "{"code":"MISSING_CREDENTIALS","message":"Unauthorized : Credentials must be specified"}(certbot) [root@ip-172-31-37-205 ec2-user]#"

My web server is (include version): wordpress 6.3.2

The operating system my web server runs on is (include version): Amazon Linux 2

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.7.4

So it logs in to GoDaddy and adds/deletes records ok, just can't retrieve the cert and I'm stumped.

This command is for but the error is for How did that happen?

The error says the DNS TXT record could not be added. Which domain name are you talking about?


Hi @jamesj711, and welcome to the LE community forum.

I see:

But I don't see which certificate (name) is being expanded.
Was there more input that hasn't been shown?


Hi Mike, So we use this method a lot and it's always worked fine. I did a test server last week and installed the cert on that, but encountered this error when performing the same task on this server. My last attempt at troubleshooting/digging was to try with a different domain, in case the other install confused the issue. It didn't work with a different domain ( so here I am

Hi Rg, Thanks! I've pasted the whole command that I used. We use the same command on previous servers fine, here it is again:

certbot certonly --authenticator dns-godaddy --dns-godaddy-credentials /opt/certbot/credentials.ini --keep-until-expiring --non-interactive --expand --server -d '' -d '*'


If you are going to --expand, there must be a cert to expand.
What shows?:
certbot certificates


I don't know, it's just the command we use and it's working on other servers, just not this one.

Looking at the debug from a successful server and comparing with this one, the good one uses python:

2023-11-08 11:59:27,535:DEBUG:filelock:Attempting to acquire lock 139725667050960 on /root/.cache/python-tldextract/3.7.16.final__certbot__45d1d6__tldextract-3.4.4/publicsuffix.or

Whereas the failed one uses lexicon (whatever that is):

2023-11-08 12:06:25,088:DEBUG:filelock:Attempting to acquire lock 140630620691920 on /root/.lexicon_tld_set/

Both setups are exactly the same. Is this relevant?

Certbot is a python script.

How did you install Certbot on Amazon Linux 2? Because I don't believe the snap install works on that without great effort.

Did you install using a pip venv? Or some other method?

Last I looked the version of Certbot in EPEL on AL2 was 1.12 but you show version 2.7.4


We've used these commands to install certbot:

# Create an isolated Python environment for Certbot purposes alone
python3 -m venv /opt/certbot
# Modify the environment for the current shell only, so that pip changes
# the virtual environment and not your system libraries
source /opt/certbot/bin/activate
# Needed an older version of urllib3 for this to work
pip install urllib3==1.26.6
# Install Certbot
pip install certbot
# Upgrade pip
/opt/certbot/bin/python3 -m pip install --upgrade pip
# Install the GoDaddy DNS plugin
pip install certbot-dns-godaddy

Any idea why the failed server is using .lexicon_tld_set instead of python-tldextract?

Not sure that is currently accurate.
For which version of certbot were these instructions designed to work with?

Latest version shown: 2.0.7 [Oct 17, 2023]


Hi Guys,

Thanks for your help with this, I managed to fix this by downgrading the Certbot version from 2.7.x to 2.6.0, which is the same as on our other servers


Hmm.. If it's just Certbot, you might have found a bug.

It would be helpful if you'd file a bug report as an issue on the Certbot Github repository. Preferably with detailed logs with a working Certbot (2.6.0) and a non-working Certbot (2.7.x). Might also be useful to add the output of pip freeze from within the venv.
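
The comparison suggested above (pip freeze output from the working and the non-working venv) can be automated. The following is an added example, not code from any poster or from the Certbot project: it parses two pip freeze listings and reports version drift. The sample listings are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample input. Only certbot 2.6.0 / 2.7.4, urllib3 1.26.6 and
# tldextract 3.4.4 are versions quoted in the thread; the rest is assumed.
GOOD = "certbot==2.6.0\nacme==2.6.0\ntldextract==3.4.4\nurllib3==1.26.6\n"
BAD = "certbot==2.7.4\nacme==2.7.4\nurllib3==1.26.6\n"

def normalize(name):
    """PEP 503 normalisation, so 'DNS_Lexicon' and 'dns-lexicon' compare equal."""
    return re.sub(r"[-_.]+", "-", name.strip()).lower()

def parse_freeze(text):
    """Map package name -> version (or source spec) from `pip freeze` output."""
    pkgs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("-e "):            # editable install
            spec = line[3:].strip()
            pkgs[normalize(spec.rsplit("#egg=", 1)[-1])] = "editable:" + spec
        elif " @ " in line:                   # direct URL / local wheel
            name, url = line.split(" @ ", 1)
            pkgs[normalize(name)] = "direct:" + url.strip()
        elif "==" in line:                    # ordinary pinned release
            name, ver = line.split("==", 1)
            pkgs[normalize(name)] = ver.strip()
    return pkgs

def diff_freeze(good_text, bad_text):
    """Return packages whose version differs or that exist on one side only."""
    good, bad = parse_freeze(good_text), parse_freeze(bad_text)
    return {
        "changed": {n: (good[n], bad[n]) for n in good.keys() & bad.keys() if good[n] != bad[n]},
        "only_good": {n: good[n] for n in good.keys() - bad.keys()},
        "only_bad": {n: bad[n] for n in bad.keys() - good.keys()},
    }

def pin_lines(good_text):
    """Requirements lines that reproduce the working venv's index releases."""
    pkgs = parse_freeze(good_text)
    return sorted(f"{n}=={v}" for n, v in pkgs.items()
                  if not v.startswith(("editable:", "direct:")))

if __name__ == "__main__":
    for kind, items in diff_freeze(GOOD, BAD).items():
        for name, value in sorted(items.items()):
            print(kind, name, value)
```

Writing the output of pin_lines to a requirements file and installing from it keeps every server on the same versions, instead of letting an unpinned pip install certbot pick up whatever release is current.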

