There is the problem that I found:
Someone want to apply the LetsEncrypt certificate for domain *.cre.com.hk.
Then he set a CNAME record for _acme-challenge.cre.com.hk and the value is example.com.
And example.com had set the right TXT value that LetsEncrypt expected.
I use dig
cmd to check the TXT value of example.com. It worked and it's correct.
Then I dig _acme-challenge.cre.com.hk but the expected TXT value was not found.
Why ?
This is first time that I found CNAME type validation could be come up with this situation.