Windows "certbot certonly" fails

My domain is:, *

I ran this command:
certbot certonly --standalone with webserver off, and
certbot certonly --webroot with it on, same result

It produced this output:
Obtaining a new certificate
Performing the following challenges:
?[31mClient with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.?[0m
?[31mClient with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.?[0m

My web server is (include version):
Apache 2.4.18 Win64

The operating system my web server runs on is (include version):
Windows 7 x64 Enterprise

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 1.6.0

Just installed a fresh certbot for the first time from the link on the certbot Apache-Windows help page. Tried executing the two commands listed there. Both fail with the same message above.

This system is directly on the internet, not going through any firewall or router. And for the --webroot command, I have verified this file can be accessed:

So is some kind of authenticator plugin needed? Where would I find the docs for that? I am new to certbot, and the docs for Windows are terse at best. Thanks!

Hi @MediaDog,

It’s explained in more depth on, but for a wildcard identifier, you have to authenticate the domain using DNS (TXT challenge).

If you can make do without a wildcard (instead naming each domain on the certificate), that would mean you could use --webroot or --standalone.

Otherwise, you would need to find a client that supports talking to the Network Solutions API for the DNS challenge, though I am not sure if any exist, let alone for Windows.

1 Like

@MediaDog -

Generally this is the syntax I use to obtain the certificates on certbot windows

For DNS Challenges:

certbot certonly --manual -d -d * --preferred-challenge dns

For HTTP Challenges:

certbot certonly --manual -d -d * --preferred-challenge http

I have CloudFlare and there is a DNS plugin framework which when I get around I might configure.

I don’t think the windows version works as seamlessly as the linux version, but once again I haven’t done full testing so take that statement with a grain of salt.

There are a few other PowerShell and Windows based clients which may be easier to use


Specific Windows limitations and configuration

  • All usual operations to create and manage an account, manage existing certificates, or select the ACME server, are supported.
  • Only standalone, manual and webroot authenticator plugins are supported. DNS plugins will be available soon. This means that Certbot for Windows is currently unable to automatically renew wildcard certificates, since these require a DNS plugin in order to be renewed without user intervention.
  • No installer plugins are supported. The Apache and Nginx plugins will be available soon, and a plugin to install certificates into IIS is under development.
  • Automated certificate renewals (using standalone and webroot plugins) are supported.

Note for Windows Apache or Nginx users

As described in section 5 above, Certbot for Windows currently cannot install the certificate in Apache or Nginx for you. As of the most recent release, you will have to edit your web server application’s configuration to install the certificate yourself after Certbot has obtained it. If this limitation is acceptable to you, please start from the beginning of this document to learn more about installing and using Certbot on Windows.

Thanks @_az, then the docs on the certbot site are incorrect. For when you click the “wildcard” tab there, it shows you the exact some info as for the default, which is to use --standalone or --webroot. Thanks, for now I’ll enumerate all the hosts.

Thanks @ ahaw021, I’ll give those a shot. And yeah I knew I’ll have to manually install the certificates and that DNS was not available, part of my confusion when the documented process resulted in saying I needed to do DNS!

Thanks @MediaDog, I created that documentation based on a draft documentation version from the Windows developer, who wasn’t thinking about how to make it parallel to the other Unix-oriented documentation on the site (which does indeed have separate versions for wildcard and non-wildcard). I agree that this is a mistake in our Windows documentation and needs to be fixed.

Sorry for the inconvenience, and thank you for letting us know!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.