diff --git a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2
index 89113629b..fa2db1e9a 100644
--- a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2
+++ b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2
@@ -1,11 +1,16 @@
 #jinja2: lstrip_blocks: "True"
 #!/bin/bash
-# For renewal to work, matrix-nginx-proxy (or another webserver, if matrix-nginx-proxy is disabled)
+# Certificates renewal allows both HTTP or DNS challenges based on renewal configuration
+# generated when certificates have been issued using `certonly` command.
+#
+# For renewal relying on HTTP challenge to work, matrix-nginx-proxy (or another webserver, if matrix-nginx-proxy is disabled)
 # need to forward requests for `/.well-known/acme-challenge` to the certbot container.
 #
 # This can happen inside the container network by proxying to `http://matrix-certbot:8080`
 # or outside (on the host) by proxying to `http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}`.
+#
+# For renewal relying on DNS challenge to work, certbot docker image must have the associated DNS plugins configured.
 docker run \
 --rm \
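Review bot: The new header comment does not say where the DNS-challenge material ends up inside the container or what state it is in, which is the thing an operator debugging a failed DNS-01 renewal will look for first; I would extend the last added line to `# For renewal relying on DNS challenge to work, the certbot docker image must have the matching DNS plugin, and its credentials directory is bind-mounted read-only at /etc/letsencrypt-dns-config.`. The opening sentence is also awkward ("allows both HTTP or DNS challenges"); `# Renewal uses whichever challenge (HTTP-01 or DNS-01) was recorded in each lineage's renewal configuration when the certificate was issued via \`certonly\`.` says the same thing more precisely. Both are comment-only changes with no effect on the generated script.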
@@ -13,20 +18,20 @@ docker run \
 --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 --cap-drop=ALL \
 --network="{{ matrix_docker_network }}" \
- -p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080 \
+ --publish 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080 \
 --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt \
+ {% if (matrix_ssl_lets_encrypt_dns_config is defined) and (matrix_ssl_lets_encrypt_dns_config|length > 0) %}
+ --mount type=bind,src={{ matrix_ssl_dns_config_dir_path }},dst=/etc/letsencrypt-dns-config,readonly \
+ {% endif %}
 --mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt \
 {{ matrix_ssl_lets_encrypt_certbot_docker_image }} \
 renew \
 --non-interactive \
 --work-dir=/tmp \
- --http-01-port 8080 \
 {% if matrix_ssl_lets_encrypt_staging %}
 --staging \
 {% endif %}
 --key-type {{ matrix_ssl_lets_encrypt_key_type }} \
- --standalone \
- --preferred-challenges http \
 --agree-tos \
 --email={{ matrix_ssl_lets_encrypt_support_email }} \
 --no-random-sleep-on-renew
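Review bot: The new `--mount type=bind,src={{ matrix_ssl_dns_config_dir_path }},dst=/etc/letsencrypt-dns-config,readonly` line hands DNS-provider API credentials to the certbot container, and nothing in the hunk records the host-side permission requirement that makes that safe: because the container runs as `--user={{ matrix_user_uid }}:{{ matrix_user_gid }}`, the credential files must be readable by that uid and, given that they can typically create arbitrary DNS records for the zone, by nobody else (certbot's DNS plugins, as far as I recall, warn on world-readable credential files). I would add above the `{% if ... %}` line: `# DNS-01 credentials: must be owned by/readable for uid {{ matrix_user_uid }} only; mounted read-only so a compromised certbot cannot alter them.` Separately, dropping `--standalone`, `--preferred-challenges http` and `--http-01-port 8080` means the renewal now trusts whatever authenticator and `http01_port` each lineage's renewal conf recorded at issuance; if any lineage was issued with a port other than 8080, the unconditional `--publish 127.0.0.1:...:8080` mapping will not reach it, which is worth a one-line comment next to the publish line rather than a silent assumption.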