I have recently transferred a few domains and now have to change the nameservers. While changing the DNS I've found the Let's Encrypt "_acme-challenge" entry and I was wondering if the key will still work after changing the nameservers or do I have to order a new one from my hoster?
All other records remain the same.
I had read the DNS-01 challenge and found this:
"After Let’s Encrypt gives your ACME client a token, your client will create a TXT record derived from that token and your account key, and put that record at _acme-challenge.<YOUR_DOMAIN>. Then Let’s Encrypt will query the DNS system for that record. If it finds a match, you can proceed to issue a certificate!"
And I wasn't totally sure if looking up the token was all that is required. tbh I'm not really sure and a bit nervous that this won't work after changing the NS. Although it looks like it would still work, it won't renew this way, because a new key is issued every time?
I'm sorry - I'm a total newbie and am a bit scared that there will be a security warning after the ns change. I've tried to read up on this but it's hard to find concrete information about ns changes.
Yes, no worries. The TXT record is only used to prove your control of the domain name. Once the cert is issued the TXT record should be removed. I say "should" but it is really "must" as if TXT records are allowed to accumulate it will eventually cause a cert request failure due to a too-large packet of info.
What ACME Client is being used for the DNS-01 challenge?
I have to admit, that I don't know this. Is there a way to look it up?
What Domain Name Service Provider is being used?
It's a smaller Swiss hoster called hoststar, which is not on the linked list. They do offer Let's Encrypt certificates tho.
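Added example, not part of the original thread and not any poster's or hoster's code: how the TXT value described in the quoted DNS-01 text is derived from the token and the account key (RFC 8555 section 8.4, with the RFC 7638 key thumbprint), and why a value left in DNS from an earlier order does not match a later challenge. The tokens and the JWK coordinates are constructed sample values, and `challenge_satisfied` is a hypothetical helper that mirrors the comparison the CA makes.

```python
import base64
import hashlib
import json

# Members RFC 7638 hashes for each key type; everything else in the JWK is ignored.
_THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}

# Constructed sample inputs. The coordinates are placeholders, not a real curve point;
# the derivation only hashes the strings, so that is enough to show the mechanics.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "Y29uc3RydWN0ZWQteC1jb29yZGluYXRl",
               "y": "Y29uc3RydWN0ZWQteS1jb29yZGluYXRl"}
OLD_TOKEN = "constructed-token-from-an-earlier-order"
NEW_TOKEN = "constructed-token-from-the-renewal"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME and JOSE use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members, sorted, no whitespace."""
    required = {name: jwk[name] for name in _THUMBPRINT_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: TXT = base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_satisfied(txt_records: list, token: str, account_jwk: dict) -> bool:
    """True if any TXT string at _acme-challenge.<domain> equals the expected value."""
    expected = dns01_txt_value(token, account_jwk)
    return any(record.strip().strip('"') == expected for record in txt_records)


if __name__ == "__main__":
    stale = dns01_txt_value(OLD_TOKEN, ACCOUNT_JWK)
    print("left-over record:", stale)
    print("satisfies new challenge:", challenge_satisfied([stale], NEW_TOKEN, ACCOUNT_JWK))
    fresh = dns01_txt_value(NEW_TOKEN, ACCOUNT_JWK)
    print("after client publishes new value:",
          challenge_satisfied([stale, fresh], NEW_TOKEN, ACCOUNT_JWK))
```

The lookup follows the domain's current delegation, so the ACME client has to be able to create the record in whichever DNS zone the new nameservers serve.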