Certificate pending long time with cert-manager

You must use DNS-01 authentication [integration] with the DNS servers that serve your DNS zone:

trood.com nameserver = dns1.yandex.net
trood.com nameserver = dns2.yandex.net

You can use HTTP-01 authentication with the web hosted site.
But you said you needed a wildcard cert.


Thank you!
Though as I said: I just removed NS from /yandex.net and put TXT there, but it's still "Non-authoritative answer"

(just in case you would like to try diagnosing: they have poor support and made me change the _acme-challenge.em record to _acme-challenge, so now the TXT is _acme-challenge.trood.com, which does not work as authoritative either)


This makes no sense to me:


(if applicable)
Please state your old DNS Provider
what the state of NS and TXT DNS Records were

(now)
Please state your present DNS Provider
what the state of NS and TXT DNS Records are presently


Global DNS still shows:

trood.com       nameserver = dns1.yandex.net
trood.com       nameserver = dns2.yandex.net

Yes @rg305, you are correct, thanks! 🙂

Raw Registry RDAP Response

{
   "objectClassName": "domain",
   "handle": "1586101111_DOMAIN_COM-VRSN",
   "ldhName": "TROOD.COM",
   "links": [
      {
         "value": "https://rdap.verisign.com/com/v1/domain/TROOD.COM",
         "rel": "self",
         "href": "https://rdap.verisign.com/com/v1/domain/TROOD.COM",
         "type": "application/rdap+json"
      },
      {
         "value": "https://rdap.reg.com/rdap/domain/TROOD.COM",
         "rel": "related",
         "href": "https://rdap.reg.com/rdap/domain/TROOD.COM",
         "type": "application/rdap+json"
      }
   ],
   "status": [
      "pending transfer"
   ],
   "entities": [
      {
         "objectClassName": "entity",
         "handle": "1606",
         "roles": [
            "registrar"
         ],
         "publicIds": [
            {
               "type": "IANA Registrar ID",
               "identifier": "1606"
            }
         ],
         "vcardArray": [
            "vcard",
            [
               [
                  "version",
                  {},
                  "text",
                  "4.0"
               ],
               [
                  "fn",
                  {},
                  "text",
                  "REGISTRAR OF DOMAIN NAMES REG.RU LLC"
               ]
            ]
         ],
         "entities": [
            {
               "objectClassName": "entity",
               "roles": [
                  "abuse"
               ],
               "vcardArray": [
                  "vcard",
                  [
                     [
                        "version",
                        {},
                        "text",
                        "4.0"
                     ],
                     [
                        "fn",
                        {},
                        "text",
                        ""
                     ],
                     [
                        "tel",
                        {
                           "type": "voice"
                        },
                        "uri",
                        "tel:+74955801111"
                     ],
                     [
                        "email",
                        {},
                        "text",
                        "abuse@reg.ru"
                     ]
                  ]
               ]
            }
         ]
      }
   ],
   "events": [
      {
         "eventAction": "registration",
         "eventDate": "2010-02-20T19:51:52Z"
      },
      {
         "eventAction": "expiration",
         "eventDate": "2023-02-20T19:51:52Z"
      },
      {
         "eventAction": "last changed",
         "eventDate": "2023-01-29T01:56:42Z"
      },
      {
         "eventAction": "last update of RDAP database",
         "eventDate": "2023-01-31T16:33:15Z"
      }
   ],
   "secureDNS": {
      "delegationSigned": false
   },
   "nameservers": [
      {
         "objectClassName": "nameserver",
         "ldhName": "DNS1.YANDEX.NET"
      },
      {
         "objectClassName": "nameserver",
         "ldhName": "DNS2.YANDEX.NET"
      }
   ],
   "rdapConformance": [
      "rdap_level_0",
      "icann_rdap_technical_implementation_guide_0",
      "icann_rdap_response_profile_0"
   ],
   "notices": [
      {
         "title": "Terms of Use",
         "description": [
            "Service subject to Terms of Use."
         ],
         "links": [
            {
               "href": "https://www.verisign.com/domain-names/registration-data-access-protocol/terms-service/index.xhtml",
               "type": "text/html"
            }
         ]
      },
      {
         "title": "Status Codes",
         "description": [
            "For more information on domain status codes, please visit https://icann.org/epp"
         ],
         "links": [
            {
               "href": "https://icann.org/epp",
               "type": "text/html"
            }
         ]
      },
      {
         "title": "RDDS Inaccuracy Complaint Form",
         "description": [
            "URL of the ICANN RDDS Inaccuracy Complaint Form: https://icann.org/wicf"
         ],
         "links": [
            {
               "href": "https://icann.org/wicf",
               "type": "text/html"
            }
         ]
      }
   ]
}

Thus the Authoritative DNS Name Servers are responding as follows for me,
not finding _acme-challenge.em.trood.com, so the OP might have a DNS problem.

$ nslookup -q=txt _acme-challenge.em.trood.com dns1.yandex.net.
Server:         dns1.yandex.net.
Address:        213.180.204.213#53

** server can't find _acme-challenge.em.trood.com: NXDOMAIN

$ nslookup -q=txt _acme-challenge.em.trood.com dns2.yandex.net.
Server:         dns2.yandex.net.
Address:        93.158.134.213#53

** server can't find _acme-challenge.em.trood.com: NXDOMAIN




Sorry, as I said above, the yandex.net support made me change _acme-challenge.em to _acme-challenge, which apparently did not work through.
The dns1.yandex.net answer is still non-authoritative.

I mean I've put the TXT record _acme-challenge directly into the dns1.yandex.net records, and it is still a non-authoritative answer (as on the screenshot above).

These are for the domain name trood.com, not the domain name em.trood.com:

$ nslookup -q=txt _acme-challenge.trood.com dns1.yandex.net.
Server:         dns1.yandex.net.
Address:        213.180.204.213#53

_acme-challenge.trood.com       text = "uobe2Wz4lRR29ERxrk_9R2QHpF8QaJUg0VNiQbb01pk"
_acme-challenge.trood.com       text = "FRWf7QDlrNR7n-1fQheUT4uokLqWpX-3KdBEjvL9hXM"

$ nslookup -q=txt _acme-challenge.trood.com dns2.yandex.net.
Server:         dns2.yandex.net.
Address:        93.158.134.213#53

_acme-challenge.trood.com       text = "uobe2Wz4lRR29ERxrk_9R2QHpF8QaJUg0VNiQbb01pk"
_acme-challenge.trood.com       text = "FRWf7QDlrNR7n-1fQheUT4uokLqWpX-3KdBEjvL9hXM"



The domain trood.com has 2 Authoritative DNS Name Servers:
trood.com nameserver = dns1.yandex.net.
trood.com nameserver = dns2.yandex.net.

$ nslookup
> set q=soa
> trood.com
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
trood.com
        origin = dns1.yandex.net
        mail addr = dns-hosting.yandex.ru
        serial = 73
        refresh = 900
        retry = 90
        expire = 86400
        minimum = 900

Authoritative answers can be found from:
> set q=ns
> trood.com
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
trood.com       nameserver = dns2.yandex.net.
trood.com       nameserver = dns1.yandex.net.

Authoritative answers can be found from:
dns1.yandex.net internet address = 213.180.204.213
dns2.yandex.net internet address = 93.158.134.213
> server dns1.yandex.net.
Default server: dns1.yandex.net.
Address: 213.180.204.213#53
Default server: dns1.yandex.net.
Address: 2a02:6b8::213#53
> set q=soa
> trood.com
Server:         dns1.yandex.net.
Address:        213.180.204.213#53

trood.com
        origin = dns1.yandex.net
        mail addr = dns-hosting.yandex.ru
        serial = 73
        refresh = 900
        retry = 90
        expire = 86400
        minimum = 900
> set q=ns
> trood.com
Server:         dns1.yandex.net.
Address:        213.180.204.213#53

trood.com       nameserver = dns1.yandex.net.
trood.com       nameserver = dns2.yandex.net.
>

What is 172.18.10.1?
[screenshot]

What does that server have to do with your authoritative DNS servers?



Looks like the DNS server closest to me. I just turned off the proxy and can see the US address.

Yes, as I said, I just had to follow the DNS provider support's recommendation, to show them it's not working.
So now the TXT is _acme-challenge.trood.com, but the answer from dns1.yandex.net is still non-authoritative.

Please show the command and output of this "non-authoritative" result.


Using this online tool https://unboundtest.com/ here are the results for
_acme-challenge.trood.com https://unboundtest.com/m/TXT/_acme-challenge.trood.com/SH445E3C and
_acme-challenge.em.trood.com https://unboundtest.com/m/TXT/_acme-challenge.em.trood.com/QVCSOUE7


As on the screenshot above:
szverev$ nslookup -q=txt _acme-challenge.trood.com
Server: 2001:1998:f00:2::1
Address: 2001:1998:f00:2::1#53

Non-authoritative answer:
_acme-challenge.trood.com text = "uobe2Wz4lRR29ERxrk_9R2QHpF8QaJUg0VNiQbb01pk"
_acme-challenge.trood.com text = "FRWf7QDlrNR7n-1fQheUT4uokLqWpX-3KdBEjvL9hXM"

Authoritative answers can be found from:

This nslookup will use your default name server.

Whereas here I told it to use dns1.yandex.net. as the name server.


There are tens of thousands of DNS servers on the Internet [if not more].
With regards to your specific DNS request, their replies can be grouped into five distinct categories:

  1. You've reached an authoritative DNS server for that zone and it replies as such.
  2. You've reached a DNS server that is not authoritative for that zone and can recursively reach the answer for you and does so - returning a non-authoritative result.
  3. You've reached a DNS server that is not authoritative for that zone and refuses to recursively look for the answer for you - it returns "Query Refused".
  4. You've reached a DNS server that is not authoritative for that zone and is nice enough to point you in the right direction - and it returns some root hints towards your requested zone.
  5. You reached a non-working DNS server and your queries will go unanswered.

You seem to be doing #2, when you should be doing #1.

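The five categories above can be told apart mechanically from two header fields of the reply: the AA (authoritative answer) flag and the RCODE. That is also exactly what separates the OP's "Non-authoritative answer" (a recursive resolver's cached copy, AA clear) from the replies others got by pointing nslookup at dns1.yandex.net directly (AA set). The script below is an added example, not code from the thread, from Yandex or from cert-manager: it builds a TXT query with RD=0 using only the Python standard library, sends it straight to one server over UDP, parses the reply and classifies it. The TXT value and the two server addresses are the ones quoted in the thread; `build_response` is a constructed packet fixture (not a captured reply) used to exercise the parser offline; the category labels in `classify` are my reading of the list above.

```python
# Added example (stdlib only). The TXT value and server IPs are the ones quoted in
# the thread; build_response() is a constructed fixture, not a captured packet.
import socket
import struct

TYPE_NS, TYPE_TXT, CLASS_IN = 2, 16, 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus a zero root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):
    """Read a (possibly compressed) name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                        # compression pointer (RFC 1035 4.1.4)
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (off if end is None else end)

def build_query(name, qtype=TYPE_TXT, rd=False, txid=0x1234):
    """RD=0: a server may only answer from data it is authoritative for (or refer/refuse)."""
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)

def parse_response(msg):
    """Return header flags plus (name, type, value) tuples for answer and authority."""
    txid, flags, qd, an, ns, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                              # skip the echoed question
        off = decode_name(msg, off)[1] + 4
    sections = {"answer": [], "authority": []}
    for section, count in (("answer", an), ("authority", ns)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
            value, p = rdata.hex(), 0
            if rtype == TYPE_TXT:                    # <len><chars> strings, concatenated
                value = ""
                while p < len(rdata):
                    value += rdata[p + 1:p + 1 + rdata[p]].decode("ascii", "replace")
                    p += 1 + rdata[p]
            sections[section].append((name, rtype, value))
    return {"id": txid, "aa": bool(flags & 0x0400), "ra": bool(flags & 0x0080),
            "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), **sections}

def classify(resp):
    """Map a reply to the five categories of the post above (labels are mine)."""
    if resp is None:
        return "5: no answer"
    if resp["rcode"] == "REFUSED":
        return "3: query refused"
    if resp["aa"]:                                   # an authoritative NXDOMAIN is still #1
        return "1: authoritative answer (%s)" % resp["rcode"]
    if resp["answer"]:
        return "2: non-authoritative (recursive) answer"
    if any(rtype == TYPE_NS for _, rtype, _ in resp["authority"]):
        return "4: referral towards the zone"
    return "unclassified"

def query(server, name, qtype=TYPE_TXT, timeout=3.0):
    """Ask one server directly over UDP with RD=0; None on timeout (category 5)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, qtype), (server, 53))
            return parse_response(s.recvfrom(4096)[0])
        except socket.timeout:
            return None

def build_response(name, txts=(), aa=False, recursive=False, rcode=0, ns=(), txid=0x1234):
    """Constructed reply; owner names use a 0xC00C pointer back to the question name."""
    flags = 0x8000 | (0x0400 if aa else 0) | (0x0180 if recursive else 0) | rcode
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(txts), len(ns), 0)
    msg += encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    for t in txts:
        rdata = bytes([len(t)]) + t.encode("ascii")
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 900, len(rdata)) + rdata
    for host in ns:                                  # referral-style authority records
        rdata = encode_name(host)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_NS, CLASS_IN, 900, len(rdata)) + rdata
    return msg

if __name__ == "__main__":
    for server in ("213.180.204.213", "93.158.134.213"):   # dns1/dns2.yandex.net
        r = query(server, "_acme-challenge.trood.com")
        print(server, classify(r), r["answer"] if r else "")
```

Run as a script it asks both Yandex servers for the challenge name and should report category 1 for each, which is what the nslookup sessions above show; pointing `query` at a recursive resolver instead yields category 2, the result the OP keeps seeing, and an authoritative NXDOMAIN (the _acme-challenge.em.trood.com case above) is still category 1 because the server is speaking for the zone. The example speaks IPv4 UDP only and does not retry over TCP on a truncated reply; a production checker would add both. Note that cert-manager performs a self-check of the TXT record before it asks Let's Encrypt to validate, and its `--dns01-recursive-nameservers` and `--dns01-recursive-nameservers-only` controller flags decide whether that check follows the delegation to the authoritative servers or trusts whatever resolver the cluster uses.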

Yes, but Let's Encrypt is supposed to use its own, and I believe there should be a chain of authoritative servers from the requester to the final destination.
So maybe there is no such chain to yandex.net for now.