Extra ACME TXT records preventing renewal

I have contacted my hosting (Cloudways) regarding this. They have notified me that phantom TXT records are showing from Cloudways (the same _acme-challenge records mentioned in initial post).

They have advised me to contact Cloudflare as there is nothing that they can do from their end. I cannot remove these as they are not on the DNS settings in Cloudflare.

Has anyone got any suggestions for how to resolve this? Let’s Encrypt SSL certificates are not renewing on my site due to this issue caused by Cloudflare.

Has anybody found a solution for this? I have tried disabling HSTS and SSL completely on Cloudflare, “grey cloud” all DNS records, and paused Cloudflare completely.

However, for some reason my host is still telling me that Cloudflare is still adding a hidden acme-challenge TXT record that I cannot prevent.

This means I cannot renew my server-level SSL certificate, which expires in a few days.

Are you referring to your Universal SSL certificate expiring soon or an SSL cert on your origin server?

1 Like

Let’s Encrypt SSL certificate on my origin server will not validate or renew due to this additional _acme-challenge TXT entry added by Cloudflare.

I’m having this same problem. If I remove the _acme-challenge TXT (or CNAME, in the case of fly.io) record, Cloudflare still responds with a phantom TXT record that I can’t remove, and is preventing me from having certs issued for my domain (tiffr.com in this case).

I also have the same issue. I have deleted all of my TXT records in Cloudflare (both with the web portal and the API), but if I do a lookup using dns.google then there are two phantom _acme-challenge. TXT records. This seems to be breaking Let’s Encrypt certificate renewal, as you might imagine; it complains that it finds the wrong TXT record.

It’s affecting nine of my domains.

I raised a ticket with CF support asking for the records to be deleted, but I got an automated response saying I need to ask for community support. I reckon it’s some kind of misconfiguration behind the scenes. Is there any way I can escalate the ticket without having to pay?

Have any of you managed to get this resolved yet?

I’ve tried everything but moving my DNS management over to my host. I’m hoping there is a solution to this ASAP.

@mina , @olly1 , @TomSSL did you all try the “Pause Cloudflare for this site” option, wait for a few minutes, then retry the renewal process of issuing your origin Let’s Encrypt SSL certificate? :thinking:
Otherwise, you could temporarily switch your DNS records to unproxied :grey: (DNS-only).
Upon success, switch them back to proxied :orange: (or make sure it’s un-paused).

Have you tried switching and using webroot method to renew them via CLI? :thinking:

The webroot method has worked fine for me (once the DNS records are unproxied) since I started using Let’s Encrypt / Certbot / Acme.sh 3 years ago, and I have both HTTP and HTTPS virtualhosts configured, so it normally passes the server security stuff and renews them.

I can’t reproduce this at my origin, I also use LE’s certificate for main domain and mail hostname at origin, while for Universal SSL there is ACM (multiple ones, all 3 Digicert, LE and Google, so if anything could happen, I think I should have an issue if so, but currently none).

These _acme-challenge records you’re getting are from Cloudflare’s Universal SSL (which also uses either Digicert, Let’s Encrypt or Google SSL).

Could you share your ticket number here with us so we could escalate it?

2 Likes

That makes sense. It seemed odd, as I am running pfSense and have the ACME cert renewal plugin doing the work (via DNS-01 method using a domain alias, so I have a CNAME record under each domain and it then creates TXT records for all of my domains under one separate domain that I just use for creating certificates and so on). I have one certificate for all of my .uk domains and recently it failed to renew because a few of them didn’t verify properly. That seemed weird, as they are all configured in much the same way. However, from what you’ve said, it sounds like perhaps Cloudflare had changed those few domains over to Let’s Encrypt, so they failed and the others didn’t.

My ticket number is 2533171. Thanks for your helpful reply and for offering to escalate the ticket.

1 Like

I have escalated your ticket.

2 Likes

That’s great, thank you :blush:

@olly1 @mina
Can you try turning off Universal SSL, waiting ~5 minutes, then turning it back on?

Hello.

Since our certificate expired last Wednesday, our website (nvda-addons[dot]org) was completely inaccessible. Today we noticed this incident and, since the edge certificates table was empty, we disabled and re-enabled Universal SSL. Then backup certificates were issued and the main one was awaiting TXT verification.
However, more than 12 hours later, the edge certificates table didn’t change: the main certificate was waiting for TXT validation and the backup certificates weren’t used either, so our website was still inaccessible due to an SSL error, which we ruled out as being our server’s fault. Because of that, and to minimize the downtime as much as possible, and since our dashboard didn’t show any TXT value and adding them manually, with the values shown in the edge certificates table, gave an error (record limit exceeded), we decided to delete and re-add the domain to our account.
Now that we have re-added our domain, settings haven’t been reset, our edge certificate is “deleted” in the dashboard and our zone actually has 190 TXT records for _acme-challenge, although none of them shows up in the DNS section of the dashboard nor in a zone export from there. We have already tried to disable Universal SSL, wait for an hour or so and re-enable it, but the certificate continues to be “deleted” (it seems it won’t regenerate) and we cannot delete these TXT entries, an action that definitely could do the trick and allow the certificate to validate.
During this process, we had to disable the proxy and point the domain to another machine, because our main server’s firewall blocks connections from any IP not belonging to Cloudflare, and that’s why the domain is currently working. However, we’d like to re-enable the proxy and SSL from Cloudflare as soon as possible, and cannot open a ticket as we are on the free plan.

Thank you in advance and regards!

P.s.: I separate T XT to prevent the forum from considering it as a link.

1 Like

@ivnc You should still be able to make a ticket. Please make sure you are using the new support portal

It might get auto closed, but please share the ticket number here, and we will escalate.

2 Likes

I’ve had to use the account category, but finally managed to open a ticket. Its ID is 2533425.

Thanks!

1 Like

Thank you for sharing. I’ve added it to escalation.

1 Like

I was trying to generate some wildcard certs for my domain (hackinside[.]net) with Certbot and kept getting verification failed messages even after checking that the TXT records would populate in the Cloudflare portal. After some troubleshooting I ran a dig against Cloudflare’s 1.1.1.1 for my domain and it returned 90+ _acme-challenge TXT records. I followed the instructions of some other forum posts (to disable Universal SSL) but that did not resolve the issue. It seems like the only other way to address this has been to escalate to support.

Just created a ticket (Ticket ID: 2533515) under the account category for escalation.

1 Like
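The dns.google lookup and the dig against 1.1.1.1 described in this thread both come down to the same check: what a public resolver actually serves for the _acme-challenge name, compared with the one token you published. The script below is an added example, not code from the thread or from Cloudflare; the sample response is constructed to mirror the dns.google JSON shape, and the token value is a placeholder.

```python
"""Check what a public resolver actually returns for an _acme-challenge TXT
name before asking Let's Encrypt to validate a DNS-01 challenge.
Added example (not from the thread); the sample response is constructed."""
import json
import urllib.parse
import urllib.request

DNS_GOOGLE = "https://dns.google/resolve"
TYPE_TXT = 16

# Constructed sample mirroring the dns.google JSON shape: the token we
# published plus two values that the DNS dashboard does not show.
SAMPLE_RESPONSE = json.dumps({
    "Status": 0,
    "Question": [{"name": "_acme-challenge.example.com.", "type": TYPE_TXT}],
    "Answer": [
        {"name": "_acme-challenge.example.com.", "type": TYPE_TXT, "TTL": 300,
         "data": "\"placeholder-certbot-token\""},
        {"name": "_acme-challenge.example.com.", "type": TYPE_TXT, "TTL": 300,
         "data": "\"phantom-value-1111\""},
        {"name": "_acme-challenge.example.com.", "type": TYPE_TXT, "TTL": 300,
         "data": "\"phantom-value-2222\""},
    ],
})


def txt_values(response_json: str) -> list[str]:
    """Return the TXT strings from a dns.google-style answer, quotes stripped."""
    doc = json.loads(response_json)
    return [rr["data"].strip('"') for rr in doc.get("Answer", [])
            if rr.get("type") == TYPE_TXT]


def classify(values: list[str], expected_token: str) -> dict:
    """Separate the token we published from every other value served."""
    unexpected = [v for v in values if v != expected_token]
    return {
        "token_present": expected_token in values,
        "unexpected_count": len(unexpected),
        # The thread reports renewals failing while stray values are served,
        # so any record we did not publish counts as a renewal risk.
        "renewal_at_risk": bool(unexpected) or expected_token not in values,
    }


def fetch(name: str) -> str:
    """Live lookup via dns.google (needs network; not used by the sample run)."""
    query = urllib.parse.urlencode({"name": name, "type": "TXT"})
    with urllib.request.urlopen(f"{DNS_GOOGLE}?{query}", timeout=10) as resp:
        return resp.read().decode()
```

For a live check, call `classify(txt_values(fetch("_acme-challenge.yourdomain")), token)` with the token your ACME client printed; a non-zero `unexpected_count` is the evidence to attach to a support ticket, since the thread shows those records cannot be removed from the dashboard or API.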

Thank you. I’ve added it to the escalation.

2 Likes

Yes, I have tried to “Pause Cloudflare for this site”, waited for an hour.

I also have tried to switch all DNS records to unproxied and waited an hour, which results in the same issue renewing the SSL certificate with Cloudways (host).

I have tried generating a ticket but I don’t see an option for this. I simply get a prompt to access Cloudflare community. I am using the free plan with Cloudflare APO.

I have HSTS enabled on Cloudflare, and I’m very concerned that there will be an issue if the server’s Let’s Encrypt certificate fails to renew in a few days.

Is there a way to create a ticket?