8

I am trying to execute this command:

sudo certbot certonly --dns-digitalocean --dns-digitalocean-credentials ~/.secrets/digitalocean.ini -d "*.example.com" --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory

I get this error: certbot: error: unrecognized arguments: --dns-digitalocean-credentials

The operating system my web server runs on is: Ubuntu 16.04.3 LTS

certbot --version output: certbot 0.31.0

The dashes in the argument "--dns-digitalocean-credentials" are entered correctly.

The DNS plugin is installed too:

python3-certbot-dns-digitalocean/xenial 0.23.0-2ubuntu0ppa1~ubuntu16.04.1 

Help solve the problem.

2 Answers

4

I received the unrecognized arguments: --dns-digitalocean-credentials error even with Certbot version 0.40.0 (default deb package for Ubuntu 20.04). The man page describes --dns-digitalocean-credentials but it isn't recognized.

The solution is to install via a snap:

sudo apt purge -y certbot
sudo snap install --classic certbot
sudo snap set certbot trust-plugin-with-root=ok
sudo snap install certbot-dns-digitalocean

As of this posting, this yields Certbot 1.9.0, which worked well to generate and install my wildcard TLS certificate.

You didn't ask, but here is the full Certbot command I used:

sudo certbot run --domain example.com --domain '*.example.com' --authenticator dns-digitalocean --installer apache --dns-digitalocean-credentials /root/.certbot.token --dns-digitalocean-propagation-seconds 60 --agree-tos --keep-until-expiring --redirect --hsts --uir --email webmaster@example.com --no-eff-email
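
A preflight check for the two things this thread depends on, as an added example that is not part of the original answers: whether the installed certbot actually lists the dns-digitalocean plugin (if it does not, its `--dns-digitalocean-credentials` argument is never registered), and whether the API token file is readable only by its owner. The function names are hypothetical; `dns_digitalocean_token` is the key the plugin reads from its credentials file.

```shell
#!/bin/sh
# Added example: preflight checks before running certbot with the
# dns-digitalocean authenticator. Function names are hypothetical.

# Return 0 if the text passed in (the output of `certbot plugins`) names
# the dns-digitalocean plugin, 1 otherwise.
plugin_listed() {
    printf '%s\n' "$1" | grep -q 'dns-digitalocean'
}

# Return 0 if the credentials file exists, grants nothing to group/other,
# and defines dns_digitalocean_token. Otherwise print why and return 1.
creds_file_ok() {
    f=$1
    [ -f "$f" ] || { echo "missing credentials file: $f"; return 1; }
    # Characters 5-10 of the `ls -l` mode string are the group/other bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || {
        echo "group/other can access $f; fix with: chmod 600 $f"
        return 1
    }
    grep -Eq '^[[:space:]]*dns_digitalocean_token[[:space:]]*=[[:space:]]*[^[:space:]]' "$f" || {
        echo "no dns_digitalocean_token entry in $f"
        return 1
    }
    return 0
}

# Run both checks against the certbot found on PATH.
# Usage: preflight /root/.certbot.token
preflight() {
    if ! command -v certbot >/dev/null 2>&1; then
        echo "certbot not found on PATH"
        return 1
    fi
    plugin_listed "$(certbot plugins 2>/dev/null)" || {
        echo "this certbot does not load the dns-digitalocean plugin"
        return 1
    }
    creds_file_ok "$1"
}
```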

0

I think the problem is that automated DNS certificate renewal methods were only introduced in versions of certbot later than 0.31.0.

The current version is 1.3.0-5, but this hasn't found its way into your Ubuntu release. I don't know that for sure, but I do know that it hasn't yet made it into Debian Buster which I use.

I switched to acme.sh. I found this at least as easy to implement as certbot and more transparent. You just need to export your DigitalOcean key into a variable before running acme.sh.