Put the first one in DNS for americanbar.org, for several other domains I have had to eventually turn off then turn on Universal SSL.
This is not an option here - need to get the correct _acme-challenge and prevent the multiple versions in the future.
Was the site working with SSL prior to adding it to Cloudflare?
Yes
What is the current SSL/TLS setting?
Off
What are the steps to reproduce the issue?
Using the dashboard I noticed this behavior on several other domains (have 100+),
for americanbar.org
e-mail @6:43
Create a DNS record _acme-challenge.americanbar.org TXT IF6xiWAO82Vx_ApQ4RvlhkUX4jU3uCZw35eOyISd1Sw
Create a DNS record _acme-challenge.americanbar.org TXT hXXQr96OxzjQJR8yivTkc7rWPCdo-9UavJeTj7vctW0
e-mail @7:48
Create a DNS record _acme-challenge.americanbar.org TXT hXXQr96OxzjQJR8yivTkc7rWPCdo-9UavJeTj7vctW0
Create a DNS record _acme-challenge.americanbar.org TXT kxPqZArZ_MvWH9tnuc4N6XqziZFZQW9w1M5ccg8QVK0
e-mail @05:08
Create a DNS record _acme-challenge.americanbar.org TXT IF6xiWAO82Vx_ApQ4RvlhkUX4jU3uCZw35eOyISd1Sw
Create a DNS record _acme-challenge.americanbar.org TXT hXXQr96OxzjQJR8yivTkc7rWPCdo-9UavJeTj7vctW0
Your _acme-challenge TXT records should be ephemeral. This means that there will never be one permanent “correct” value. The ACME client that creates the record should remove it after it completes the challenge. Do you know if they are your DNS-01 challenges that are lingering longer than desired?
Yes, the challenges are lingering longer than desired on dns01 - our internal DNS box. I would expect this (now that you pointed it out).
Still not sure why I am getting multiple _acme-challenge values - could more than one Universal cert (e.g. dev.americanbar.org and americanbar.org) cause multiple _acme-challenge req for _acme-challenge.americanbar.org?
Non-authoritative answer:
_acme-challenge.americanbar.org text = “hXXQr96OxzjQJR8yivTkc7rWPCdo-9UavJeTj7vctW0”
_acme-challenge.americanbar.org text = “IF6xiWAO82Vx_ApQ4RvlhkUX4jU3uCZw35eOyISd1Sw”
_acme-challenge.americanbar.org text = “kxPqZArZ_MvWH9tnuc4N6XqziZFZQW9w1M5ccg8QVK0”
Domain Control Validation (DCV) has failed for the certificate with the ID cb64aed5-3b93-442c-ae0c-c19e090ec1b9 belonging to Zone ID c8687a3cxxxxxxxxxxx0e55. The DCV method is currently set to txt.
Since the DCV method is set to TXT, please be sure to update your zone’s nameservers at the registrar to the nameservers assigned to your zone in the Cloudflare Dashboard, or manually add a DNS TXT record to your authoritative DNS provider. For more help with changing nameservers, refer to https://developers.cloudflare.com/dns/zone-setups/full-setup/setup/.
Create a DNS record _acme-challenge.americanbar.org TXT hXXQr96OxzjQJR8yivTkc7rWPCdo-9UavJeTj7vctW0
Create a DNS record _acme-challenge.americanbar.org TXT kxPqZArZ_MvWH9tnuc4N6XqziZFZQW9w1M5ccg8QVK0
According to this documentation, they can be deleted via the dashboard or API. I’ve not needed to do that, so I don’t have firsthand experience to add any additional detail.
Further investigation on the delete ( not apparent from dashboard ), but for the thread topic…
published all 3 _acme-challenges - then waited for a few hours, and one more set of reminders.
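
A check for the situation discussed in this thread, added here as an example and not posted by any participant: it takes the "Create a DNS record" lines from each reminder e-mail and an nslookup answer, and reports which requested TXT values are not yet published. The function names are hypothetical, and the lookup output is constructed from the values quoted above.

```python
import re

NAME = "_acme-challenge.americanbar.org"
# E-mail lines look like: Create a DNS record <name> TXT <value>
REQUEST_RE = re.compile(r"Create a DNS record\s+(\S+)\s+TXT\s+(\S+)")
# nslookup lines look like: <name> text = "<value>" (straight or curly quotes)
ANSWER_RE = re.compile(r"(\S+)\s+text\s*=\s*[\"\u201c]([^\"\u201d]+)[\"\u201d]")

# The three values quoted in the thread.
T1 = "IF6xiWAO82Vx_ApQ4RvlhkUX4jU3uCZw35eOyISd1Sw"
T2 = "hXXQr96OxzjQJR8yivTkc7rWPCdo-9UavJeTj7vctW0"
T3 = "kxPqZArZ_MvWH9tnuc4N6XqziZFZQW9w1M5ccg8QVK0"


def _email(*tokens):  # rebuilds an e-mail body from the lines quoted in the thread
    return "\n".join(f"Create a DNS record {NAME} TXT {t}" for t in tokens)


# The three reminders, in the order listed in the thread.
EMAILS = [_email(T1, T2), _email(T2, T3), _email(T1, T2)]
# Constructed lookup output: only the first value published, then all three.
ONLY_FIRST = f'Non-authoritative answer:\n{NAME} text = "{T1}"\n'
ALL_THREE = ONLY_FIRST + f'{NAME} text = "{T2}"\n{NAME} text = "{T3}"\n'


def _values(regex, text, name):
    """Values captured by `regex` in `text` that belong to record `name`."""
    return {v for n, v in regex.findall(text) if n.lower().rstrip(".") == name}


def reconcile(emails, lookup_output, name=NAME):
    """Compare what each reminder asks for with what DNS actually returns."""
    published = _values(ANSWER_RE, lookup_output, name)
    per_email = [_values(REQUEST_RE, e, name) for e in emails]
    wanted = set().union(*per_email)
    return {
        "missing": sorted(wanted - published),        # requested, not in DNS
        "unrequested": sorted(published - wanted),    # in DNS, no e-mail asks for it
        "emails_satisfied": [req <= published for req in per_email],
    }


if __name__ == "__main__":
    for label, out in (("only first", ONLY_FIRST), ("all three", ALL_THREE)):
        print(label, reconcile(EMAILS, out))
```

With only the first value published, every reminder still has an outstanding value; with all three TXT records present at the same name, each reminder's pair is covered.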