Phantom TXT _acme-challenge records

For 2 of our pro domains Cloudflare ns returns ghost TXT _acme-challenge records:


Those records don’t actually exist according to the web console and API, so I can’t remove them.
Let’s Encrypt certificates’ expiration date is coming, but they can’t be renewed because of this issue. I found another recent post on this topic (Got strange TXT records behavior) and submitted a support request (#2510378) 10 days ago. But there’s still no answer.
Here is the public DNS results: 1, 2

I have escalated your ticket.

I have the same problem,my domain is fengqi.tk

Support replied with this topic
https://support.cloudflare.com/hc/en-us/articles/214820528-Validating-a-Let-s-Encrypt-Certificate-on-a-Site-Already-Active-on-Cloudflare#h_4YRLxoKhabVXTfmjbJZi0D

Are you seeing any errors because of these records?

A post was split to a new topic: SSL certs not validating due to ACME TXT records

2 posts were split to a new topic: Extra ACME TXT records preventing renewal

Thank you Cyb3r-Jak3. Yes, in acme.sh logs the error from LE was
familywithkids.com:Verify error:No TXT record found at _acme-challenge.familywithkids.com

I’ve put our websites off of Cloudflare proxy temporarily and disabled the Universal SSL, but those 84 DNS TXT records remained there for the next 2.5 weeks.
Support hasn’t been particularly helpful, but eventually, they told me the SSL team is aware of this issue and is working on a fix. A day or two later those phantom records finally disappeared, and I was able to pass DNS challenges and obtained a wildcard certificate with acme.sh. Then I enabled the Universal SSL, and after some time Edge Certificates were displayed: LE marked as a Backup and a new one from Google Trust Services. There were 4 additional TXT records during the provisioning, but they disappeared some minutes later.
So it looks like a bug that’s hopefully fixed now :crossed_fingers:

1 Like