ACME DNS validation - get 'incorrect TXT' error with the correct value

My domain is:

I ran this command:

It produced this output:

"identifier": {
"type": "dns",
"value": ""
"status": "invalid",
"expires": "2022-06-28T13:43:09Z",
"challenges": [
"type": "dns-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Incorrect TXT record "DM-FfJAjetBnS1a9IX-wmtxOmjhjceN1SMTg7nZtmq0" found at",
"status": 403
"url": "",
"token": "DM-FfJAjetBnS1a9IX-wmtxOmjhjceN1SMTg7nZtmq0",
"validated": "2022-06-21T13:48:52Z"

Note that the TXT record in the error is the same as the token. What am I doing wrong?

The value of the TXT record isn't just the token: it's the base64url-encoded sha256 of a key authorization.

RFC 8555 documents how to construct this in sections 8.1 (for the key authorization) and 8.4, for the DNS challenge type:

rfc8555 section 8.1

rfc8555 section 8.4
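To make the construction from sections 8.1 and 8.4 concrete, here is an added example (not from the original post, and not client code from any ACME implementation) that derives the TXT value from the token shown in the error above and a sample account key. The JWK coordinates and the thumbprint computation follow RFC 7638, but the key material itself is illustrative, not a real account key.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout (RFC 8555 section 8.1)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, lexicographic order, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(JWK thumbprint of the account key)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: the TXT record holds base64url(SHA-256(key authorization))."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())


def diagnose_txt(found: str, token: str, jwk: dict) -> str:
    """Explain an 'Incorrect TXT record' result by comparing what was published with what was expected."""
    if found == dns01_txt_value(token, jwk):
        return "ok"
    if found == token:
        return "raw token published; publish base64url(sha256(key authorization)) instead"
    if found == key_authorization(token, jwk):
        return "key authorization published unhashed; publish its sha256 digest instead"
    return "value does not match this token and account key"


# Sample P-256 public key in JWK form (illustrative coordinates, not an account key anyone uses).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
              "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM"}
# Token taken from the error output in the post above.
TOKEN = "DM-FfJAjetBnS1a9IX-wmtxOmjhjceN1SMTg7nZtmq0"

if __name__ == "__main__":
    print("_acme-challenge TXT value:", dns01_txt_value(TOKEN, SAMPLE_JWK))
    print("Publishing the bare token gives:", diagnose_txt(TOKEN, TOKEN, SAMPLE_JWK))
```

Feeding the token itself as the published value reproduces the situation in the error above: the record the CA found equals the token, so `diagnose_txt` reports that the raw token was published instead of the digest.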


Just went over it now,

Thank you


It’s worded very formally, please feel free to ask any questions if there’s anything unclear or you’re having trouble with still.