Not getting ACME-Challenge when generating certificate for my domain

Hi everyone,

I'm using the following command to generate a new certificate for my domain:

certbot certonly --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory --agree-tos --domain DOMAIN

But I'm not getting the ACME challenge and its value to add to my DNS records; I only get the fullchain.pem and the privkey.pem.

Any ideas for getting the ACME Challenge and its value?

Did you get a certificate using that method within the last 30 days?

Because Let's Encrypt caches successful validations for that long. Certbot won't prompt for new values if they are not needed for a fresh challenge.

You could add --dry-run to that command to use the Let's Encrypt staging system. Certbot invalidates the staging system's cache each time. You won't get a valid public cert with dry-run. It is only for testing flows.

If you got the cert, why do you need to run it again anyway?


I want to emphasize this. Using manual mode already means you're doing something weird and off the beaten path. What is your actual goal?


The thing is that when I ran that command I got those 2 files, but not the challenge. And for another test I was doing yesterday, I did get the challenge to add to my DNS records.

My goal is to deploy a test application with a custom domain, but I'm not getting any TXT record to add to my DNS records.

Should probably be using --dry-run for testing.

But, I described the 30-day cache. Was this for the same cert you got yesterday?

Show this:

sudo certbot certificates
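As an added illustration of the 30-day check being discussed (this is not code from the thread or from certbot itself): a small Python script that parses a constructed sample of `sudo certbot certificates` output and estimates, for each certificate, whether the validation behind it is still inside Let's Encrypt's 30-day reuse window, i.e. whether certbot would be expected to prompt for a new `_acme-challenge` TXT value. It assumes Let's Encrypt's 90-day certificate lifetime to infer the issuance date from the expiry date; the sample listing, its domain names and serial numbers are constructed for the example.

```python
from datetime import datetime, timedelta

# Assumptions: Let's Encrypt issues 90-day certificates and reuses a
# successful validation for 30 days (both values as stated in the thread).
CERT_LIFETIME_DAYS = 90
AUTHZ_CACHE_DAYS = 30

# Constructed sample resembling the listing printed by `sudo certbot certificates`.
# Names, serials and dates are made up for this example.
SAMPLE_OUTPUT = """\
Found the following certs:
  Certificate Name: example.com
    Serial Number: 0123456789abcdef
    Key Type: ECDSA
    Domains: example.com www.example.com
    Expiry Date: 2024-04-01 10:00:00+00:00 (VALID: 80 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
  Certificate Name: old.example.net
    Serial Number: fedcba9876543210
    Key Type: RSA
    Domains: old.example.net
    Expiry Date: 2024-02-15 10:00:00+00:00 (VALID: 34 days)
    Certificate Path: /etc/letsencrypt/live/old.example.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/old.example.net/privkey.pem
"""


def parse_certificates(text):
    """Return a list of {name, domains, expiry} dicts from a certbot listing."""
    certs = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Certificate Name:"):
            current = {"name": line.split(":", 1)[1].strip(), "domains": [], "expiry": None}
            certs.append(current)
        elif current is not None and line.startswith("Domains:"):
            current["domains"] = line.split(":", 1)[1].split()
        elif current is not None and line.startswith("Expiry Date:"):
            # Keep only the timestamp; drop the trailing "(VALID: n days)" annotation.
            stamp = line.split(":", 1)[1].split("(")[0].strip()
            current["expiry"] = datetime.fromisoformat(stamp)
    return certs


def authorization_status(cert, now):
    """Estimate whether the validation behind `cert` is still cached.

    Issuance is inferred as expiry minus the 90-day lifetime. A validation
    younger than 30 days is reused, so certbot will not ask for a fresh
    _acme-challenge TXT value for those names; an older one will prompt.
    """
    issued = cert["expiry"] - timedelta(days=CERT_LIFETIME_DAYS)
    age_days = (now - issued).days
    return {
        "name": cert["name"],
        "domains": cert["domains"],
        "issued": issued.isoformat(),
        "days_since_validation": age_days,
        "challenge_prompt_expected": age_days >= AUTHZ_CACHE_DAYS,
    }


def report(text, now_iso):
    """Parse a listing and evaluate every certificate against `now_iso` (ISO 8601)."""
    now = datetime.fromisoformat(now_iso)
    return [authorization_status(c, now) for c in parse_certificates(text)]


if __name__ == "__main__":
    # In real use: replace SAMPLE_OUTPUT with the captured command output and
    # now_iso with the current UTC time.
    for status in report(SAMPLE_OUTPUT, "2024-01-12 10:00:00+00:00"):
        verdict = "new challenge expected" if status["challenge_prompt_expected"] else "cached validation, no prompt"
        print(f"{status['name']}: validated ~{status['days_since_validation']} days ago -> {verdict}")
```

Run against real output by piping `sudo certbot certificates` into the script; a certificate whose inferred validation is under 30 days old explains why a repeated `--manual` run prints the PEM files without ever showing a TXT value, which is exactly the symptom in the question.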

Why are you TESTING on a PRODUCTION server? Please use the staging environment for testing. (Which is automatically selected by the --dry-run option if you don't specify a --server option.)

I don't think he meant to test certificate issuance, but to get a production certificate for a public domain that he wants to test some web application on, which sounds reasonable. But I agree that manual mode is not the way to do this, unless there are custom hooks in place to automate the verification process.

@sfrippibm If you already did this before, your old challenge data might still be valid, so you can just leave it in the DNS untouched. If you're getting a fullchain.pem, I guess that means your request succeeded, because you can't get a certificate if you fail the challenge.

