ACME DNS validation - get 'incorrect TXT' error with the correct value

My domain is:

I ran this command:

It produced this output:

{
  "identifier": {
    "type": "dns",
    "value": ""
  },
  "status": "invalid",
  "expires": "2022-06-28T13:43:09Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Incorrect TXT record \"DM-FfJAjetBnS1a9IX-wmtxOmjhjceN1SMTg7nZtmq0\" found at",
        "status": 403
      },
      "url": "",
      "token": "DM-FfJAjetBnS1a9IX-wmtxOmjhjceN1SMTg7nZtmq0",
      "validated": "2022-06-21T13:48:52Z"
    }
  ]
}

Note that the TXT record in the error is the same as the token. What am I doing wrong?

The value of the TXT record isn't just the token: it's the base64url-encoded sha256 of a key authorization.

RFC 8555 documents how to construct this in sections 8.1 (for the key authorization) and 8.4, for the DNS challenge type:

rfc8555 section 8.1

rfc8555 section 8.4
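
The construction from those two sections, as an added example that is not part of the original thread. The function names and the sample JWK are constructed for illustration (the JWK is filler bytes, not a usable key); the token is the one from the error output in the question.

```python
import base64
import hashlib
import json

# Members RFC 7638 requires in the canonical JWK, per key type.
REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}

def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding ACME uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 JWK thumbprint (RFC 7638) of the account public key."""
    members = {name: jwk[name] for name in REQUIRED[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(thumbprint)."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)

def diagnose_txt(observed: str, token: str, jwk: dict) -> str:
    """Classify a published TXT value against the expected one."""
    observed = observed.strip().strip('"')
    if observed == dns01_txt_value(token, jwk):
        return "ok"
    if observed == token:
        return "raw token published"
    if observed == key_authorization(token, jwk):
        return "key authorization published unhashed"
    return "mismatch"

# Token from the error output above; the JWK is constructed filler, not a real key.
TOKEN = "DM-FfJAjetBnS1a9IX-wmtxOmjhjceN1SMTg7nZtmq0"
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": b64url(bytes(range(32))), "y": b64url(bytes(range(32, 64)))}

if __name__ == "__main__":
    print("expected TXT:", dns01_txt_value(TOKEN, SAMPLE_JWK))
    print("poster's TXT:", diagnose_txt(TOKEN, TOKEN, SAMPLE_JWK))
```

The thumbprint depends only on the account key, so the same token yields a different TXT value for every ACME account.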


Just went over it now,

Thank you


It’s worded very formally; please feel free to ask any questions if there’s anything unclear or that you’re still having trouble with.

