There is the problem that I found:
Someone want to apply the LetsEncrypt certificate for domain *.cre.com.hk.
Then he set a CNAME record for _acme-challenge.cre.com.hk and the value is example.com.
And example.com had set the right TXT value that LetsEncrypt expected.
dig cmd to check the TXT value of example.com. It worked and it's correct.
Then I dig _acme-challenge.cre.com.hk but the expected TXT value was not found.
This is first time that I found CNAME type validation could be come up with this situation.