I have a domain, example.org, managed in Cloudflare. I am trying to validate ACME certs with it, but the Cloudflare DNS servers keep responding with two TXT entries that I never put in there:
_acme-challenge.example.org. 123 IN TXT "HkxIazqN7GYz-QvefeS6WFBlaokWmVYRq5NNAgxPiBk"
_acme-challenge.example.org. 123 IN TXT "pA0lf7P9rc_V6ffCyZ94m26X7yKuKqCZJ0qf2f-O2ic"
I did add a CNAME entry for _acme-challenge.example.org and it does show up, but the LE server queries for TXT records first and gets the wrong entries. I tried clearing the cache but the entries don’t go away.
Cloudflare Universal SSL for proxied hostnames (DNS records) also uses LE’s certificates, so there might be a collision, which would result in you not being able to renew your LE certificates on your origin for your domain name.
You can have many, many TXT records for the same label without creating an issue with ACME validation. The ACME specification only requires that one of the TXT records is correct, and any extras are ignored.
Boulder (the Let’s Encrypt implementation of the ACME protocol) has a limit of about 4kb for the TXT record, but that is tens of records. It is recommended to delete (de-provision, in the specification’s terms) any validation records after use.
The issue here is that a CNAME cannot co-exist with any other record type at the same label; this is not something ACME-specific. The workaround is to use HTTP-01, or a direct DNS-01 TXT record (not a CNAME).
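To make the two answers above concrete (any matching TXT record is enough, extras are ignored, and a CNAME cannot share a label with other record types), here is an added Python model of how a DNS-01 validator evaluates the _acme-challenge RRset. This is not Boulder’s or Cloudflare’s code; the account key, token and the CNAME target are constructed stand-ins, while the two stale TXT values are the ones quoted in the question.

```python
import base64
import hashlib
import json

# Constructed sample inputs (hypothetical, not from any real ACME account).
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "c29tZS14LWNvb3JkaW5hdGU", "y": "c29tZS15LWNvb3JkaW5hdGU"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 8555 requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def expected_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.4: TXT rdata is base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode()).digest())


def dns01_validation_outcome(rrset: list, expected: str) -> str:
    """rrset: (rtype, rdata) pairs the resolver returned for _acme-challenge.<name>."""
    rtypes = {rtype for rtype, _ in rrset}
    if "CNAME" in rtypes and len(rtypes) > 1:
        return "cname-conflict"  # RFC 1034 3.6.2: CNAME must be the only record at a label
    txts = [rdata for rtype, rdata in rrset if rtype == "TXT"]
    if expected in txts:
        return "valid"  # one match is enough; stale extras are ignored
    return "no-match" if txts else "no-txt"


def demo() -> dict:
    """The three situations from the thread, evaluated against the constructed challenge."""
    expected = expected_txt_value(SAMPLE_TOKEN, jwk_thumbprint(SAMPLE_JWK))
    stale = [("TXT", "HkxIazqN7GYz-QvefeS6WFBlaokWmVYRq5NNAgxPiBk"),
             ("TXT", "pA0lf7P9rc_V6ffCyZ94m26X7yKuKqCZJ0qf2f-O2ic")]
    return {
        "stale_only": dns01_validation_outcome(stale, expected),
        "stale_plus_correct": dns01_validation_outcome(stale + [("TXT", expected)], expected),
        "cname_plus_txt": dns01_validation_outcome(stale + [("CNAME", "acme.example.net.")], expected),
    }


if __name__ == "__main__":
    print(demo())
```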