Changing nameservers /_acme-challenge key?


I have recently transferred a few domains and now have to change the nameservers. While changing the DNS I've found the Let's encrypt "_acme-challenge" entry and I was wondering if the key will still work after changing the nameservers or do I have to order a new one from my hoster?
All other records remain the same.

Thank you very much


1 Like

Hello @MustaHasen, welcome to the Let's Encrypt community. :slightly_smiling_face:

Please read DNS-01 challenge of the Challenge Types - Let's Encrypt as well as RFC 8555 - Automatic Certificate Management Environment (ACME).

Edit: the "8.4. DNS Challenge" link RFC 8555 - Automatic Certificate Management Environment (ACME).

1 Like

Thank you very much for your quick reply.

I had read the DNS-01 challenge and found this:
"After Let’s Encrypt gives your ACME client a token, your client will create a TXT record derived from that token and your account key, and put that record at _acme-challenge.<YOUR_DOMAIN>. Then Let’s Encrypt will query the DNS system for that record. If it finds a match, you can proceed to issue a certificate!"

And I wasn't totally sure if looking up the token was all that is required. tbh I'm not really sure and a bit nervous that this won't work after changing the NS. Although it looks like it would still work, it won't renew this way, because a new key is issued every time?

I'm sorry - I'm a total newbie and am a bit scared that there will be a security warning after the ns change. I've tried to read up on this but it's hard to find concrete information about ns changes.

1 Like

Two main things come to mind

  1. What ACME Client is being used for the DNS-01 challenge?
  2. What Domain Name Service Provider is being used?

Here is a list of DNS providers who easily integrate with Let's Encrypt DNS validation

1 Like

Yes, no worries. The TXT record is only used to prove your control of the domain name. Once the cert is issued the TXT record should be removed. I say "should" but it is really "must" as if TXT records are allowed to accumulate it will eventually cause a cert request failure due to a too-large packet of info.

  1. What ACME Client is being used for the DNS-01 challenge ?
    I have to admit, that I don't know this. Is there a way to look it up?

  2. What Domain Name Service Provider is being used?
    It's a smaller swiss hoster called hoststar, wich is not on the linked list. They do offer Let's Encrypt certificates tho.

Thank you! This is helpful. That means I have to issue a new one, I guess.


The DNS-01 authentication TXT records are "one time use only".
They should be deleted immediately after use - there is no other use for them [ever].


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.