New Certificate Fails - None of the preferred challenges are supported by the selected plugin

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

sudo certbot --apache --preferred-challenges=dns -d -d * -d -d *

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): xxxxxxxxxxx

Please read the Terms of Service at You must
agree in order to register with the ACME server. Do you agree?

(Y)es/(N)o: Y

Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.

(Y)es/(N)o: N
Account registered.
Requesting a certificate for and 3 more domains
None of the preferred challenges are supported by the selected plugin
Ask for help or search for solutions at See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):

Server version: Apache/2.4.41 (Ubuntu)
Server built: 2022-03-16T16:52:53

The operating system my web server runs on is (include version):

Ubuntu 20.04.4 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

  • Yes
    I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
  • no
    The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

I had old apt version of certbot (I think 0.9.0)
I uninstalled and reinstalled from snap (using Certbot Instructions | Certbot)
Now has certbot 1.27.0

I am obviously missing something - please help.

Many thanks

Found solution.

I need to remove --apache from command and replace with --manual

Therefore works with this, I can then manually install certificates in the apache config files.

sudo certbot certonly --manual --preferred-challenges=dns -d -d '*' -d -d '*'

The --apache option selects an installer as wel as an authenticator plugin. But the authenticator Apache cannot do the dns-01 challenge.

You could have opted to use the Apache installer and the manual authenticator using -i apache -a manual instead of using certonly.

Also note that the --manual plugin cannot be renewed automatically. You should try to automate the DNS challenge in some way, so you can also automate certificate renewal.


What Osiris says is true but you should only use the Apache plugin when running the Apache server. You seem to be running nginx (note the server response header):

curl -I

HTTP/2 200
server: nginx
date: Tue, 17 May 2022 15:44:51 GMT
content-type: text/html
content-length: 2274
(other headers omitted for brevity)

thanks @MikeMcQ - This is where current server is (old hosting company- I am moving to a local apache server.

Thanks @Osiris

Can you elaborate on what you mean by 'You should try to automate the DNS challenge in some way'

It seems something is missing as

  • I should use --apache - as I am using apache webserver.
  • But I cannot do dns challenge using apache - therefore cannot have automatic renewal.

Usually, one of the DNS plugins is used to automate the dns-01 challenge. See the Certbot documentation for the list of official (and third-party) DNS plugins.

I already mentioned above you can combine different authenticator and installer plugins. That said, I missed you were already using certonly from the beginning, so Certbot wouldn't have installed the cert into your webbrowser (which seems to be nginx and not Apache as mentioned by @MikeMcQ earlier). Therefore, there is no use in setting --apache or -i apache anyway.

Note that when using certonly (which requires manual installation of the certificate, which you've already done) does imply you should reload your webbrowser yourself after renewal (automated or not). Please see the Certbot documentation about "hooks" which you can use to automate this reloading.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.