My question is related to the --preferred-challenges option.
Because --preferred-challenges is a list, I assumed certbot can try the specified challenges in order.
I assumed it tries the DNS challenge and, if it fails, it will try the HTTP challenge.
But it's not like that: my script failed on the DNS challenge and stopped.
Can certbot try one auth challenge and, if it fails, try another auth challenge?
If not, can you explain why --preferred-challenges is a list,
because currently certbot only uses the first challenge from the preferred-challenges list?
I don’t remember how the different versions of ACME handle this, but also in Certbot the preferred challenges are used to mean “pick the first one in this list that the CA offers us”. For example if you specified “http,dns” and requested a non-wildcard cert, the CA would offer http-01, tls-alpn-01, and dns-01, and Certbot would pick http-01 and use that. If you specified “http,dns” and requested a wildcard cert, the CA would offer only dns-01, and Certbot would use that. In other words, this option only specifies the client’s preference order but does not refer to any option to retry failed challenges.
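The selection rule described in the reply, written out as an added example (not Certbot's own code): the CA offers a set of challenge types per authorization, and the client walks the preference list and takes the first type that was offered, with no retry. The second function shows what the question asked for, a loop that moves to the next preference only after an attempt fails, which is something a wrapper script has to do itself. The offered-challenge sets and the challenge runner are constructed stand-ins; the short names "http", "dns" and "tls-alpn" are the ones the flag accepts.

```python
"""Model of Certbot's --preferred-challenges selection versus a retry loop.

Added illustration, not code from Certbot. Which challenges a CA offers for
a given name is a constructed approximation of Let's Encrypt behaviour:
wildcard names get dns-01 only, other names get all three types.
"""
from typing import Callable, List, Optional, Sequence

# Short names accepted by --preferred-challenges and the ACME types they mean.
SHORT_NAMES = {"http": "http-01", "dns": "dns-01", "tls-alpn": "tls-alpn-01"}


def offered_challenges(identifier: str) -> List[str]:
    """Constructed stand-in for the challenge types a CA puts in an
    authorization. Wildcards can only be validated with dns-01."""
    if identifier.startswith("*."):
        return ["dns-01"]
    return ["http-01", "tls-alpn-01", "dns-01"]


def pick_challenge(preferred: Sequence[str], offered: Sequence[str]) -> Optional[str]:
    """What --preferred-challenges does: return the first entry of the
    preference list that the CA offered, or None if nothing matches.
    This is decided once per authorization; a failed validation of the
    chosen type does not come back here to try the next entry."""
    for short in preferred:
        acme_type = SHORT_NAMES[short]
        if acme_type in offered:
            return acme_type
    return None


def validate_with_fallback(
    preferred: Sequence[str],
    identifier: str,
    run_challenge: Callable[[str, str], bool],
) -> str:
    """What the question asked for, implemented outside the client: try each
    preferred type the CA offers and only advance after an attempt fails.
    run_challenge(acme_type, identifier) is assumed to return True on success.
    A real wrapper would do this by re-running certbot with a different
    --preferred-challenges value after a non-zero exit status."""
    offered = offered_challenges(identifier)
    attempted: List[str] = []
    for short in preferred:
        acme_type = SHORT_NAMES[short]
        if acme_type not in offered:
            continue
        attempted.append(acme_type)
        if run_challenge(acme_type, identifier):
            return acme_type
    raise RuntimeError(
        "all preferred challenges failed for %s (tried %s)" % (identifier, attempted)
    )


def dns_broken_runner(acme_type: str, identifier: str) -> bool:
    """Constructed runner: dns-01 always fails, anything else succeeds."""
    return acme_type != "dns-01"


if __name__ == "__main__":
    print(pick_challenge(["http", "dns"], offered_challenges("example.com")))
    print(pick_challenge(["http", "dns"], offered_challenges("*.example.com")))
    print(validate_with_fallback(["dns", "http"], "example.com", dns_broken_runner))
```

With the preference "dns,http" on a non-wildcard name, pick_challenge returns dns-01 and stops there, which matches the behaviour in the question; only the separate fallback loop reaches http-01 after the dns-01 attempt fails, and for a wildcard name even that loop has nothing else to try.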