ACME DNS validation - get 'incorrect TXT' error with the correct value

My domain is: acme-eilon-123.incaptest.co

I ran this command:

https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/2772601574

It produced this output:

{
  "identifier": {
    "type": "dns",
    "value": "acme-eilon-123.incaptest.co"
  },
  "status": "invalid",
  "expires": "2022-06-28T13:43:09Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Incorrect TXT record \"DM-FfJAjetBnS1a9IX-wmtxOmjhjceN1SMTg7nZtmq0\" found at _acme-challenge.acme-eilon-123.incaptest.co",
        "status": 403
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2772601574/RFgHdA",
      "token": "DM-FfJAjetBnS1a9IX-wmtxOmjhjceN1SMTg7nZtmq0",
      "validated": "2022-06-21T13:48:52Z"
    }
  ]
}

Note that the TXT record in the error is the same as the token. What am I doing wrong?

The value of the TXT record isn't just the token: it's the base64url-encoded sha256 of a key authorization.

RFC 8555 documents how to construct this in sections 8.1 (for the key authorization) and 8.4, for the DNS challenge type:

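The construction described in the reply above, as an added example that is not part of the original thread: the key authorization from RFC 8555 section 8.1 (token joined to the RFC 7638 thumbprint of the account key) and the DNS-01 record value from section 8.4. The account JWK below is a constructed placeholder, not a real key; the token is the one from the authorization object in the question.

```python
"""DNS-01 TXT record value per RFC 8555 sections 8.1 and 8.4.

  keyAuthorization = token + "." + base64url(JWK_Thumbprint(accountKey))   (8.1)
  TXT _acme-challenge.<domain> = base64url(SHA-256(keyAuthorization))       (8.4)
"""
import base64
import hashlib
import json

# RFC 7638 section 3.2: only the required public members are hashed, serialised
# with lexicographically sorted member names and no whitespace.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint; extra members such as 'alg' or 'use' are ignored."""
    if jwk.get("kty") not in _THUMBPRINT_MEMBERS:
        raise ValueError(f"unsupported key type: {jwk.get('kty')!r}")
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """What must be published at _acme-challenge.<domain> (always 43 chars)."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def record_is_correct(found_txt: str, token: str, account_jwk: dict) -> bool:
    """Pre-flight check before asking the CA to validate: compare the published record."""
    return found_txt == dns01_txt_value(token, account_jwk)


# Constructed placeholder account key: NOT a real P-256 public key.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x-coordinate", "y": "constructed-y"}
TOKEN = "DM-FfJAjetBnS1a9IX-wmtxOmjhjceN1SMTg7nZtmq0"  # token from the authz in the question

if __name__ == "__main__":
    print("publish TXT:", dns01_txt_value(TOKEN, SAMPLE_JWK))
    print("bare token would pass?", record_is_correct(TOKEN, TOKEN, SAMPLE_JWK))
```

Publishing the bare token, as in the question, fails `record_is_correct`; only the hashed key authorization matches what the CA expects.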


Just went over it now.

Thank you


It’s worded very formally, please feel free to ask any questions if there’s anything unclear or you’re having trouble with still.
