Hi @kumar.argentra,
Thanks for the explanation.
It seems to me that you've found a subtle bug in Certbot, which I can understand as a former Certbot developer but which is not at all obvious from a user's perspective.
sudo certbot certonly --manual --preferred-challenges dns -d xxxxxx
This command succeeds because you manually completed the steps that Certbot instructed you to perform (by creating DNS TXT records).
sudo certbot certonly --standalone --preferred-challenges dns -d xxxxx
This command would normally not succeed, because --standalone is incompatible with --preferred-challenges dns. However, Certbot failed to detect this condition, probably because of something called a cached authorization (where the certificate authority is willing to give out a duplicate certificate within a short period of time after the original certificate without repeating the validation). Therefore, Certbot succeeded in getting this certificate, too, even though the command-line options you used would normally be inconsistent and unsuccessful (under other circumstances).
Unfortunately, since this request succeeded due to the cached authorizations, I expect that Certbot concluded that the --standalone and --preferred-challenges dns options "worked" (since the certificate was successfully issued) and therefore saved them into the file in /etc/letsencrypt/renewal to be used in the future.
But once the cached authorization expired on the certificate authority side, the renewal could no longer succeed. Nonetheless, the /etc/letsencrypt/renewal file had an unhelpful set of non-working defaults saved because they appeared to have worked before.
My short-term recommendations would be:
(1) If you just need to perform the renewal right away, repeat this command
sudo certbot certonly --manual --preferred-challenges dns -d xxxxxx
Note that it will require you to create new DNS TXT records. This is always the case after cached authorizations expire, which is why this form of the certbot command doesn't work for setting up automated, unattended renewals. However, it will still work manually.
(2) Decide whether --preferred-challenges dns is really what you want. Normally this is only useful if you're requesting a wildcard certificate, or running Certbot on a machine that can't receive incoming connections from the public Internet, or running Certbot on a machine that isn't authoritative for one or more of the names on the certificate, at least as seen by the public Internet.
(3) If you need --preferred-challenges dns, you'll need an --auth-hook shell script or a DNS API plugin for Certbot in order to get automated renewals. The TXT records that must be posted for domain ownership confirmation are different for every renewal, so it must be possible to create them purely from software.
(4) If you don't need --preferred-challenges dns, you can switch to a different authentication method, including --standalone, --webroot, or whichever method is most suitable for your environment. In that case, you can delete the preferred challenges line from the file in /etc/letsencrypt/renewal.
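As an added example, not taken from the post above or from Certbot's own code, here is a skeleton of the hook script that item (3) calls for. Certbot runs the script with CERTBOT_DOMAIN and CERTBOT_VALIDATION in the environment on every authorization, so the record is always built from the current token; the publish_txt function is a hypothetical placeholder standing in for whatever DNS provider API or CLI you actually use.

```shell
#!/bin/sh
# Added example (not from the forum post or from Certbot): a minimal
# DNS-01 auth hook. Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION
# to the hook; because the validation token changes on every renewal, the
# TXT record has to be created from these values each time.
set -eu

# TXT record name the CA will query for a domain. A wildcard such as
# "*.example.com" is validated at the base name, so a leading "*." is dropped.
acme_txt_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# Hypothetical placeholder: replace with your DNS provider's API or CLI call.
# Arguments: record name, TXT value.
publish_txt() {
    echo "would publish TXT $1 = \"$2\"" >&2
}

# Poll the resolver until it returns the expected token (or give up), so the
# hook does not return before the record is visible to the CA.
wait_for_txt() {
    name=$1 value=$2 tries=${3:-30}
    while [ "$tries" -gt 0 ]; do
        if dig +short TXT "$name" 2>/dev/null | grep -qxF "\"$value\""; then
            return 0
        fi
        tries=$((tries - 1))
        sleep 10
    done
    return 1
}

# Entry point: only runs when Certbot invokes the script (CERTBOT_DOMAIN set).
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    name=$(acme_txt_name "$CERTBOT_DOMAIN")
    publish_txt "$name" "$CERTBOT_VALIDATION"
    wait_for_txt "$name" "$CERTBOT_VALIDATION" || {
        echo "TXT record for $name did not propagate in time" >&2
        exit 1
    }
fi
```

Certbot's real flag for wiring this in is --manual-auth-hook (for example, certbot certonly --manual --preferred-challenges dns --manual-auth-hook /path/to/hook.sh -d example.com); a matching --manual-cleanup-hook should remove the record afterwards.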