Unable to generate a DNS-01 wildcard SSL cert using rfc2136 documentation

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: Prefer not to say (using exampledomain.com)

I ran this command: certbot certonly --dns-rfc2136 --dns-rfc2136-credentials ~/rfc2136.ini -d *.exampledomain.com

It produced this output: certbot: error: unrecognized arguments: --dns-rfc2136-credentials /root/rfc2136.ini

My web server is (include version): No webserver since this is generating a cert only

The operating system my web server runs on is (include version): Ubuntu 18.04.2 LTS

My hosting provider, if applicable, is: GoDaddy

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.23.0


Does GoDaddy actually use rfc2136 for its API?
And acme.sh has better support in DNS APIs than certbot.
See 4. Use GoDaddy domain API to automatically issue cert

Unfortunately, that’s not a matter of Certbot versions but of plugin installation. Please see the section “Installing DNS plugins” at

You will probably just need to install an additional operating system package in order for this command to work.
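A preflight check for the situation discussed in this thread, added here as an example and not part of any post: it tests whether `certbot plugins` lists the dns-rfc2136 plugin (when it is not installed, its `--dns-rfc2136-credentials` option is unrecognized) and whether the credentials file is owner-only and carries the plugin's required settings. The function names and the sample input are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: preflight checks before running certbot with --dns-rfc2136.
# Function names are hypothetical; sample inputs below are constructed.

# Reads `certbot plugins` output on stdin; succeeds if dns-rfc2136 is listed.
has_rfc2136_plugin() {
    grep -q 'dns-rfc2136'
}

# Checks a credentials INI file: owner-only permissions plus the three
# settings the plugin requires (server, TSIG key name, TSIG key secret).
# Prints one line per problem and returns the number of problems found.
check_credentials() {
    local file problems key
    file=$1
    problems=0
    if [ ! -r "$file" ]; then
        echo "cannot read $file"
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld -- "$file" | cut -c5-10)" != "------" ]; then
        echo "$file is accessible to group/other; chmod 600 it"
        problems=$((problems + 1))
    fi
    for key in dns_rfc2136_server dns_rfc2136_name dns_rfc2136_secret; do
        if ! grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*[^[:space:]]" "$file"; then
            echo "missing or empty setting: $key"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Demo on constructed input: a world-readable file with no TSIG secret,
# and plugin output that lacks dns-rfc2136.
tmp=$(mktemp -d)
printf 'dns_rfc2136_server = 192.0.2.1\ndns_rfc2136_name = keyname.\n' > "$tmp/rfc2136.ini"
chmod 644 "$tmp/rfc2136.ini"
check_credentials "$tmp/rfc2136.ini" || echo "problems found: $?"
printf '* standalone\n* webroot\n' | has_rfc2136_plugin || echo "dns-rfc2136 plugin not installed"
rm -rf "$tmp"
```

On a real host, pipe the live output into the first check: `certbot plugins 2>/dev/null | has_rfc2136_plugin`.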


Thanks Schoen. I’m trying to do this without referencing any particular web server platform (Apache, NGINX, etc) to just get the cert itself. Even though I mentioned GoDaddy, I’m looking for a way to have certbot check my internal DNS server, not GoDaddy for the _acme-challenge.

The instructions in that particular paragraph are applicable regardless of whether you’re using Apache or not and don’t create a dependency on Apache—I just had to choose some web server from the menu in order to bring up the instruction page. But

Certbot is the one completing the challenge, but the one verifying the challenge is the Let’s Encrypt CA. How will the CA know that your internal DNS server is authoritative for this domain? Will it be able to talk to it from the public Internet?

Correct. I think I have things working now. Thanks for the help!

