--preferred-challenges is really list?



certbot --version
certbot 0.26.1

certbot certonly --non-interactive --test-cert
–cert-name domain.com
–manual-auth-hook manual-auth-hook.py
–manual-cleanup-hook manual-cleanup-hook.py
-d domain.com -d www.domain.com

my question is related to --preferred-challenges option

because --preferred-challenges is a list, I assumed certbot can try in order specified challenges
I assumed it tries DNS challenge and if it fails it will try HTTP challenge.
But it’s not like that, my script failed on DNS challenge and stop.

Can certbot try one auth challenge and if it fails try another auth challenge?
it not, can you explain why --preferred-challenges is a list
because currently certbot only uses the first challenge from the preferred-challenges list.

Thanks in advance !


Hi @grubberr

this does not work. But this is not a Certbot-feature. It’s a Letsencrypt / probably ACME-Protocol-feature.

The ACME-server defines a list of challenges.

The client sends a POST and confirms, that this challenge is ok.

The ACME-server tries to check that. If this doesn’t work -->> the challenge is invalid -->> the order is invalid.

So you have to start a new order.


I don’t remember how the different versions of ACME handle this, but also in Certbot the preferred challenges are used to mean “pick the first one in this list that the CA offers us”. For example if you specified “http,dns” and requested a non-wildcard cert, the CA would offer http-01, tls-alpn-01, and dns-01, and Certbot would pick http-01 and use that. If you specified “http,dns” and requested a wildcard cert, the CA would offer only dns-01, and Certbot would use that. In other words, this option only specifies the client’s preference order but does not refer to any option to retry failed challenges.


it make sense, thanks for explanation


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.