TXT records propagating even though none are visible in the UI

I have a domain, example.org, managed in Cloudflare. I am trying to validate ACME certs with it, but the Cloudflare DNS servers keep responding with two TXT entries that I never put in there:

_acme-challenge.example.org. 123	IN TXT	"HkxIazqN7GYz-QvefeS6WFBlaokWmVYRq5NNAgxPiBk"
_acme-challenge.example.org. 123	IN TXT	"pA0lf7P9rc_V6ffCyZ94m26X7yKuKqCZJ0qf2f-O2ic"

I did add a CNAME entry for _acme-challenge.example.org and it does show up, but the LE server queries for TXT records first and gets the wrong entries. I tried clearing the cache but the entries don’t go away.

Cloudflare Universal SSL for proxied :orange: hostnames (DNS records) also uses LE's certificates, so there might be a collision, which would result in you not being able to renew your LE certificate on your origin for your domain name.

Helpful article:

You can have many, many TXT records for the same label without creating an issue with ACME validation. The ACME specification only requires that one of the TXT records is correct, and any extras are ignored.

Boulder (the Let's Encrypt implementation of the ACME protocol) has a limit of about 4kb for the TXT record, but that is tens of records. It is recommended to delete (de-provision, in the specification's terms) any validation records after use.

The issue here is that a CNAME cannot co-exist with any other record type; this is not something ACME-specific. The workaround is to use HTTP-01, or a direct DNS-01 TXT record (not a CNAME).

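To make the two points in the answer above concrete (only one TXT value has to match, and a CNAME cannot share an owner name with any other record type), here is an added Python example; it is not code from this thread, from Boulder or from Cloudflare. The zone contents, key authorization and CNAME target are constructed placeholders.

```python
import base64
import hashlib

# Constructed sample zone in the shape {owner: {rrtype: [rdata, ...]}}.
# The TXT values stand in for the stale entries the poster saw; the CNAME
# target is a made-up delegation name.
ZONE = {
    "_acme-challenge.example.org.": {
        "TXT": ["stale-value-from-earlier-validation-1",
                "stale-value-from-earlier-validation-2"],
        "CNAME": ["_acme-challenge.delegated.example.net."],
    }
}


def dns01_expected_txt(key_authorization: str) -> str:
    """RFC 8555 s8.4: the TXT value is base64url(SHA-256(keyAuthorization))
    without '=' padding, so it is always 43 characters long."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def dns01_validate(txt_records, key_authorization: str) -> bool:
    """A DNS-01 check passes if ANY TXT record at the label matches;
    extra (stale) records are simply ignored, as the answer says."""
    expected = dns01_expected_txt(key_authorization)
    return any(record == expected for record in txt_records)


def cname_conflicts(zone, owner: str):
    """Return the record types that illegally coexist with a CNAME at
    `owner` (RFC 1034 s3.6.2 allows a CNAME only by itself). An empty
    list means the name is either CNAME-free or a clean CNAME."""
    rrsets = zone.get(owner, {})
    if "CNAME" not in rrsets:
        return []
    return sorted(rrtype for rrtype in rrsets if rrtype != "CNAME")


if __name__ == "__main__":
    label = "_acme-challenge.example.org."
    key_auth = "constructed-token.constructed-account-thumbprint"
    print("conflicts at", label, "->", cname_conflicts(ZONE, label))
    print("stale TXTs validate? ->",
          dns01_validate(ZONE[label]["TXT"], key_auth))
    fixed = ZONE[label]["TXT"] + [dns01_expected_txt(key_auth)]
    print("after adding the right TXT? ->", dns01_validate(fixed, key_auth))
```

Run against a real zone you would feed the output of a TXT and a CNAME lookup into the same two functions; the CNAME conflict is what the resolver-side behaviour in this thread boils down to.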

Thanks. It resolved itself now, but yes, it might have been that I set up the CNAME record “too early” after adding the domain to Cloudflare, so their LE validation was still up.
