Incorrect TXT record "" found at


I’ve set up an ACME-DNS server and I’m trying to use it to validate a wildcard certificate through Certify The Web but it keeps failing. Test runs fine though. What am I doing wrong?

Here’s the DNS records for my domain:

A record auth -> 162.XXX.XXX.XXX
NS record auth ->
CNAME record _acme-challenge ->

And here’s the logs - (it wouldn’t let me paste here because I’m a new user)

Hi, so it’s worth checking what your current DNS response for is using dig (on Linux, WSL or macOS). acme-dns is running as a simple DNS server, so your CNAME direction should just be redirecting to your acme-dns record and acme-dns should in turn be responding. An empty record is pretty weird; normally if it wasn’t found you’d get NXDOMAIN. Check you don’t also have a TXT record in your primary DNS zone (i.e. the one that’s hosting the CNAME) that might be confusing things.

If you need more help I’d need details of your domain so I can check the dig response etc.

Appreciate your response webprofusion! The only TXT record I have for the root domain is just simple SPF stuff. That shouldn’t cause issues right?

Here’s a Certify The Web log from latest attempt:

Acme-dns log from the same cert request:

Dig results using acme-dns to resolve, as well as Google dns:

And because why not, here’s my acme-dns config.cfg file: (domain = “mydomain .com” used to be auth.mydomain .com but I noticed NXDOMAIN in acme-dns logs so I switched to just mydomain .com and now it’s all clear from the looks of it)

Thank you for your time!!

The dig answer section seems to say that _acme-challenge is a CNAME to, it should be a CNAME to (according to your previous log)

Your log: 1798 IN CNAME

Here is a working example:

dig -t TXT 0 IN  CNAME 0 IN TXT "HdHx_pkl0SBsw_r0Z9jjqo2DQQklh1Obc4ThanUqPFI"

That worked, thank you! Although won’t the part before change at next renewal?

The reason I used a CNAME to was because I read on various sites and blogs that it would just forward the _acme-challenge request to ACME-DNS server which would provide the correct record. Is that wrong?

So your acme-dns server internally has a database of registered domains that are using it. This happens for each domain the first time you use it; each domain (or subdomain) will get a different CNAME entry that you will have to set up the first time. Subsequent renewals use the same acme-dns registration details (stored under C:\ProgramData\Certify\acmedns) per domain.

It’s a pain to have to create each CNAME initially, but you don’t have to change them later (unless your acme-dns server was changed).

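The check worked out in this thread, as an added example that is not part of the original posts or of Certify The Web or acme-dns: it reads `dig +noall +answer` output for the challenge name and reports whether the CNAME points at the per-domain name acme-dns issued at registration (the `fulldomain` value) and whether a usable TXT value comes back. The example.com names, the UUID and the token are constructed sample data.

```python
import re

# One line of `dig +noall +answer` output: owner, TTL, class, type, rdata.
ANSWER = re.compile(r"^(\S+)\s+\d+\s+IN\s+(CNAME|TXT)\s+(.+)$")
# A dns-01 value is the base64url SHA-256 digest of the key authorization: 43 chars.
TOKEN = re.compile(r"^[A-Za-z0-9_-]{43}$")

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()

def parse_answers(dig_text):
    """Return (owner, type, rdata) for each CNAME/TXT line in a dig answer section."""
    rows = (ANSWER.match(line.strip()) for line in dig_text.splitlines())
    return [(norm(m[1]), m[2], m[3].strip()) for m in rows if m]

def diagnose(dig_text, challenge_name, fulldomain):
    """Compare a lookup of the challenge name with the acme-dns registration."""
    records = parse_answers(dig_text)
    cnames = {owner: norm(rdata) for owner, rtype, rdata in records if rtype == "CNAME"}
    target = cnames.get(norm(challenge_name))
    if target is None:
        return "no-cname"
    if target != norm(fulldomain):
        return "cname-wrong-target"      # e.g. points at the acme-dns host itself
    values = [rdata.strip('"') for owner, rtype, rdata in records
              if rtype == "TXT" and owner == target]
    if not any(TOKEN.match(v) for v in values):
        return "txt-missing-or-empty"    # includes a TXT "" answer
    return "ok"

# Constructed sample data (example.com names, made-up UUID and token).
FULLDOMAIN = "d420c923-bbd7-4056-ab64-c3ca54c9b3cf.auth.example.com"
NAME = "_acme-challenge.example.com"
WRONG = "_acme-challenge.example.com. 1798 IN CNAME auth.example.com.\n"
EMPTY = (f"{NAME}. 0 IN CNAME {FULLDOMAIN}.\n"
         f'{FULLDOMAIN}. 0 IN TXT ""\n')
GOOD = (f"{NAME}. 0 IN CNAME {FULLDOMAIN}.\n"
        f'{FULLDOMAIN}. 0 IN TXT "{"A" * 43}"\n')

if __name__ == "__main__":
    for label, text in (("wrong", WRONG), ("empty", EMPTY), ("good", GOOD)):
        print(label, "->", diagnose(text, NAME, FULLDOMAIN))
```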