Issues with multiple TXT records (*.domain.tld + domain.tld)

Hi guys

I am having problems issuing a certificate for *.domain.tld and domain.tld in one request. Even though I created both TXT DNS records and both records match the required acme-challenge values, it won't check all TXT records I created in the Cloudflare DNS settings.

/letsencrypt/certbot-auto -d -d * --manual --preferred-challenges dns-01 --server certonly

FailedChallenges: Failed authorization procedure. (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record “O########################A” found at

Any ideas what I am doing wrong?

Hi @dahlecr,

Are you sure you are putting both TXT records at the same time? I mean, as you want to issue a cert covering and * you must put two TXT records, one for each of them, with its respective token. Also, you need to wait a few seconds or minutes until your authoritative DNS servers give the same answer when the TXT records are requested.

dig txt

should give the same answer as the other one:

dig txt

And of course, both servers must answer with at least the 2 TXT records you have added.

Also, checking your real domain I can see only 1 TXT record for


You are right: even though both TXT DNS records were created, only one of them is returned.

For everyone else experiencing the same problem using Cloudflare: it can take up to five minutes before multiple TXT DNS records are propagated properly.

Problem solved.

Thanks again for your help!

This behavior happens with multiple cloud/enterprise providers. I think the first set of a TXT for a given key (or an A record) writes to an internal cache, and then is stuck for several minutes until it expires (usually the TTL).

With Cloudflare, I sleep 5 seconds after adding each record. It almost always works.

I haven't used them. Namecheap takes 90-120 s on a 60 s TTL. I had access to Linode and Dreamhost accounts; both took about 5 minutes for the second record to appear.

Until I finalize a move to acme-dns, I patched certbot to sleep after writing all the auths (and before verification). That solves all my problems.
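The following script is an added example, not code from the thread, from certbot or from Cloudflare. It turns the advice given earlier (query each authoritative nameserver directly and wait until both `_acme-challenge` TXT records are visible on all of them) and the sleep-before-verification workaround in the last reply into a polling loop you can run before pressing Enter in a `certbot --manual` session. It assumes `dig` is installed; the record name, zone, timeout and tokens on the command line are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from certbot): poll every authoritative
# nameserver of ZONE until all expected _acme-challenge TXT tokens are visible
# on all of them, so the ACME validation is only triggered once the records
# have actually propagated. Assumes dig is installed.
set -eu

# missing_tokens OUTPUT TOKEN...: print, one per line, each TOKEN that does
# not appear as a whole quoted TXT string in OUTPUT (the text printed by
# `dig +short NAME TXT`, one quoted rdata string per line).
missing_tokens() {
  output=$1
  shift
  for token in "$@"; do
    if ! printf '%s\n' "$output" | grep -Fqx "\"$token\""; then
      printf '%s\n' "$token"
    fi
  done
}

# all_tokens_present OUTPUT TOKEN...: succeed only if nothing is missing.
all_tokens_present() {
  [ -z "$(missing_tokens "$@")" ]
}

# authoritative_ns ZONE: list the zone's authoritative nameservers, without
# the trailing dot so they can be passed to dig as @server.
authoritative_ns() {
  dig +short "$1" NS | sed 's/\.$//'
}

# wait_for_txt NAME ZONE TIMEOUT TOKEN...: ask each authoritative server
# directly (bypassing recursive caches, which may hold a stale single record)
# until every server returns every token, or give up after TIMEOUT seconds.
wait_for_txt() {
  name=$1; zone=$2; timeout=$3
  shift 3
  deadline=$(( $(date +%s) + timeout ))
  servers=$(authoritative_ns "$zone")
  [ -n "$servers" ] || { echo "no NS records found for $zone" >&2; return 2; }
  while :; do
    pending=0
    for ns in $servers; do
      # A failed or empty query counts as "not there yet", not as an error.
      answer=$(dig +short +time=3 +tries=1 "@$ns" "$name" TXT 2>/dev/null || true)
      missing=$(missing_tokens "$answer" "$@")
      if [ -n "$missing" ]; then
        pending=1
        echo "$ns: still missing:" $missing >&2
      fi
    done
    [ "$pending" -eq 0 ] && { echo "all tokens visible on all servers" >&2; return 0; }
    [ "$(date +%s)" -lt "$deadline" ] || { echo "timed out waiting for $name" >&2; return 1; }
    sleep 5
  done
}

# Usage (placeholder arguments; runs only when arguments are given, so the
# file can also be sourced for its functions without side effects):
#   ./wait-for-txt.sh _acme-challenge.domain.tld domain.tld 600 TOKEN_A TOKEN_B
if [ "$#" -ge 4 ]; then
  wait_for_txt "$@"
fi
```

Run it after adding the second TXT record and before confirming the challenge in certbot; a zero exit status means every authoritative server already returns both tokens, which is what the validation server will see. Querying the authoritative servers with `@server` matters: a recursive resolver may keep serving the first record for the full TTL, which is the stale-cache behaviour described above.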

