Calculate the TXT record for a domain

My domain is:

I ran this command: --issue -d \* --dns --server  letsencrypt --yes-I-know-dns-manual-mode-enough-go-ahead-please --test

It produced this output:

[qua 20 abr 2022 18:30:54 -03] Using CA:
[qua 20 abr 2022 18:30:54 -03] Single domain='*'
[qua 20 abr 2022 18:30:54 -03] Getting domain auth token for each domain
[qua 20 abr 2022 18:30:56 -03] Getting webroot for domain='*'
[qua 20 abr 2022 18:30:56 -03] Add the following TXT record:
[qua 20 abr 2022 18:30:56 -03] Domain: ''
[qua 20 abr 2022 18:30:56 -03] TXT value: 'DxAWNViga7DAbOEyAYEkS2rdnCVsza2xq5ZilUd9pQ4'
[qua 20 abr 2022 18:30:56 -03] Please be aware that you prepend _acme-challenge. before your domain
[qua 20 abr 2022 18:30:56 -03] so the resulting subdomain will be:
[qua 20 abr 2022 18:30:56 -03] Please add the TXT records to the domains, and re-run with --renew.
[qua 20 abr 2022 18:30:56 -03] Please add '--debug' or '--log' to check more details.
[qua 20 abr 2022 18:30:56 -03] See:

My web server is (include version):
Not Important
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

./ --version

Hello there, I want to know how to calculate the TXT record that a domain should have to generate the certificates. I tried base64, base32, SHA-1, and SHA-256, but none of those seems to work...

How can I generate this value?


Hi @lmtr0,

The value is not a deterministic representation of your domain name, but rather a random value that was chosen by the Let's Encrypt certificate authority and delivered over its API (when connected to that API to request a certificate). The value is different every time (for some notions of "every time"); you can't calculate it yourself without using the Let's Encrypt API.

It is used to prove that the person (or device) requesting a certificate really controls the domain name. For instance, I could request a certificate for your domain, but Let's Encrypt would give me a different random value from the one it gives you, and I wouldn't have any way of getting your site to serve the random value that was given to me, because I have no access to your site. That distinguishes you (the legitimate operator of that site) from me (a stranger).

See also


Hey there,

Thanks for the heads-up and quick response!

Got it, I will study the API more :)


Also, good morning! ("Além disso, bom dia!")


Good morning? It's already night here... ("Bom dia? Aqui já é noite...")


If that was possible, it would likely always be the same number and wouldn't be very secure - especially for DNS certificates!
Everyone requesting a DNS cert from your domain would automatically be authorized once you put the "right" TXT record in place.

Good evening! ("Bom noite!")


Makes sense. Thanks

Are we all Portuguese speakers??


I'm in California, it's still daytime here. :) ("Estou na Califórnia, aqui é dia ainda.")


I'm a non-native Portuguese speaker and @rg305 is a Spanish-speaker who can understand Portuguese.


Oh, interesting! Btw, how did you discover that I spoke pt?
I'm in Brazil :)


Your operating system is set to Portuguese because it outputs dates like

qua 20 abr 2022

If it were set to English this would look like

Wed 20 Apr 2022


Oh, Nice


It worked! Thanks


If you really want to know how the DNS token is made, you can look at RFC 8555 which describes the ACME protocol including the dns-01 challenge.
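
The derivation that RFC 8555 (section 8.4) and RFC 7638 specify for the dns-01 TXT value, as an added example that is not part of the original thread or of any ACME client's code. The token, the account key (JWK) members and `example.com` are constructed placeholders; a real token comes from the CA for each authorization, which is why the value cannot be derived from the domain name alone.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

# JWK members that enter the RFC 7638 thumbprint, per key type.
_REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}

def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 thumbprint of the account public key (RFC 7638)."""
    kty = jwk.get("kty")
    if kty not in _REQUIRED:
        raise ValueError(f"unsupported key type: {kty!r}")
    # Only required members, sorted by name, serialized with no whitespace.
    canonical = json.dumps({k: jwk[k] for k in _REQUIRED[kty]},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """token || '.' || thumbprint: binds the CA's token to one account."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """The string published in the TXT record for a dns-01 challenge."""
    key_auth = key_authorization(token, account_jwk)
    return b64url(hashlib.sha256(key_auth.encode("ascii")).digest())

def dns01_record_name(identifier: str) -> str:
    """Validation name; a wildcard is validated at its base domain."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + base.rstrip(".")

# Constructed sample inputs (not real keys; x/y are placeholder strings).
SAMPLE_TOKEN = "constructed-token-from-the-CA-0001"
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "kid": "not-part-of-thumbprint",
              "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}
OTHER_JWK = dict(SAMPLE_JWK, x="another-account-x-coordinate")

if __name__ == "__main__":
    print(dns01_record_name("*.example.com"), "TXT",
          dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
    # Same domain and token, different account: the value changes.
    print(dns01_record_name("*.example.com"), "TXT",
          dns01_txt_value(SAMPLE_TOKEN, OTHER_JWK))
```

The result is always 43 base64url characters, the same shape as the TXT value in the output quoted at the top of the thread.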


thank you very much

