dig A adg.seg.br.adg.seg.br a.auto.dns.br
;; ANSWER SECTION:
a.auto.dns.br. 3209 IN A 200.160.2.88
dig A www.adg.seg.br.adg.seg.br a.auto.dns.br
;; ANSWER SECTION:
a.auto.dns.br. 3201 IN A 200.160.2.88
It seems that all your entries have suffered the extra domain appended to the domain problem.
However, it did not work, or I may have misunderstood it. I don't know what I am supposed to add here, when I used cloudflare in another domain it work just fine.
@rg305 Apparently this domain registrar do the convertion automatically, I first typed _acme-challenge.adg.seg.br but after changed it to _acme-challenge but it did not work either. I guess it can be a problem in the DNS itself, it may take longer to the changes to make effect. I will monitor in the next minutes to see if it works.
Yup, me too, using a +trace that is. It probably took some time to propogate (internally). Although I also see Cloudflare DNS is currently being used, is that correct?
Note that it's not very useful to censor out the A records for the IP address: anyone on the public internet could resolve those: that's the whole idea behind DNS. Well, as Cloudflare is being used now and a.auto.dns.br seems to be emptied out, I guess it can be worth hiding the origin server now..
Note that with Cloudflare as your DNS provider, the dns-01 challenge is easily automated with the certbot-dns-cloudlare plugin. So no manual tinkering required!