Cannot pass DNS challenge - No txt record found


I’m developing a client to manage certificates. I use the lego/acme package for the communication with the CA server (I’m working in Go).

My problem is that I cannot pass the DNS challenge. For example, let’s say my domain is On my side, it seems like everything is correctly set.
I set the TXT record, and when i run

host -t TXT

I get the correct answer with the correct token.
But after, the answer from the CA server is :

No TXT record found at

"Challenge":{"id":1,"type":"dns-01","status":"invalid","error":{"type":"unauthorized","detail":"No TXT record found at","status":403}

As I am still in development, I am working with the boulder

I’m really lost because I don’t understand this error.
Why does the boulder answer that while I can get the txt record ?

Thanks for answers



Can you please share us the actual domain? (Since this sindns related… No domain means no data…)

Thank you


My actual domain is


Hi @iAmoric

actual, I can find a txt-entry. text =


When changing the dns-entry: Wait longer.

PS: New certificate order -> new txt-entry


@JuergenAuer yes it’s what I said. The txt record is set, but the boulder cannot find it.
It get the error above. And I don’t understand why.


How long after setting the record are you submitting the challenge? If you’re doing it immediately, then Boulder may be getting a stale read from Cloudflare.

Also, are you using the staging Boulder server or your own instance? If you’re using your own instance, then it may be affected by the cache of your local resolver.


I submit the challenge only once I’ve checked the txt record myself. So the record is set and the boulder should get the same information as me.
I’m using my own instance of the boulder. How to clear the cache ?


If you’re running local Boulder using the default docker-compose environment, then it doesn’t actually have a real DNS resolver - it uses something called challtestsrv, which is just a simple test/fake responder. Real Boulder environments should point their dnsResolvers to an actual rescursive, non-caching resolver (see /test/config/va.json).

I’m not sure that actually running Boulder is a viable way to go about developing a client. You should use the staging server or at the very least Pebble, as they perform real DNS lookups.


If I add “” in the field “dnsResolvers” in /test/config/va.json, could it work ?
I don’t use the staging server because there is a rate limit, right ?

#10 is a caching resolver, it will work once and then give you caching problems. If you want to do it like Let’s Encrypt, you can run Unbound locally with something like this config.

The staging server has pretty high rate limits to allow for testing. Unless you’re going to be hitting more than 60 validation failures per hour, I think it’s by far your best and easiest option. Even Pebble is a far better choice than Boulder.


Ok thanks, I will try with the staging server.


@_az it is not really about the original question but when I try to use the staging endpoint ( I have a EOF error when I create a new account. It works very well with the boulder
Do you have any idea why ?


Show your code and I’ll check it out.


It’s a little bit complicated it is a big project. But I use lego/acme package for the communication with the CA server (currently the boulder), and I call the method Register. What is weird is that it works well with the boulder and I change nothing. Just the endpoint url to

  1. Check you are on lego v1.0.0 or higher and that you have not vendored a previous version. ACME v2 support was not present in previous versions
  2. Don’t call Register if you’ve already registered that key.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.