NO TXT record found

I'm trying to renew a wildcard certificate using dns-01, and I confirmed that I created the TXT record in the DNS configuration with TTL = 180 seconds. After I waited 600 seconds I got this:
order status: invalid
error status: 403
error type: urn:ietf:params:acme:error:unauthorized
error detail: No TXT record found at _acme-challenge.cloud.st.meituan.com

But the record exists.

1 Like

For me dig -t TXT _acme-challenge.cloud.st.meituan.com says:

 dig -t TXT _acme-challenge.cloud.st.meituan.com

; <<>> DiG 9.16.1-Ubuntu <<>> -t TXT _acme-challenge.cloud.st.meituan.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 56079
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.cloud.st.meituan.com. IN TXT

;; ANSWER SECTION:
_acme-challenge.cloud.st.meituan.com. 120 IN CNAME hlb.st.sankuai.com.
hlb.st.sankuai.com.     120     IN      CNAME   offlinebeijing-bj.st.vip.sankuai.com.

;; AUTHORITY SECTION:
sankuai.com.            135     IN      SOA     dns1.sankuai.com. hostmaster.sankuai.com. 2016104917 18000 400 72000 1800

;; Query time: 400 msec
;; SERVER: 172.30.96.1#53(172.30.96.1)
;; WHEN: Fri Sep 17 12:11:31 AWST 2021
;; MSG SIZE  rcvd: 185

Your DNS is not returning the TXT record. What command did you use to get the results in your screenshot? It's obviously different from mine, because those are not your actual authoritative name servers.

1 Like

I think you may need to ask the actual authoritative nameservers to be sure of the response.

I get:

dig -t TXT _acme-challenge.cloud.st.meituan.com @ns3.dnsv5.com

; <<>> DiG 9.11.3-1ubuntu1.15-Ubuntu <<>> -t TXT _acme-challenge.cloud.st.meituan.com @ns3.dnsv5.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51263
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_acme-challenge.cloud.st.meituan.com. IN TXT

;; ANSWER SECTION:
_acme-challenge.cloud.st.meituan.com. 180 IN TXT "8d3bar2L-NLT_cZOY1pJaEtUqmUTMePhFDzpIFI9rFw"

;; AUTHORITY SECTION:
meituan.com.            86400   IN      NS      ns4.dnsv5.com.
meituan.com.            86400   IN      NS      ns3.dnsv5.com.

;; Query time: 236 msec
;; SERVER: 129.211.176.212#53(129.211.176.212)
;; WHEN: Fri Sep 17 04:25:32 UTC 2021
;; MSG SIZE  rcvd: 175

That said, they may employ some type of global anycast IP system (who knows).
And depending on where you are on the Internet, you might have to wait longer for the synchronization to be visible.

4 Likes

OK, there is (always) more than meets the eye!

Depending on who you ask, you get a different set of authoritative nameservers.

nslookup -q=ns meituan.com e.gtld-servers.net
Shows four:

meituan.com     nameserver = ns3.dnsv5.com
meituan.com     nameserver = ns4.dnsv5.com
meituan.com     nameserver = edns1.sankuai.com
meituan.com     nameserver = edns2.sankuai.com

But...
nslookup -q=ns meituan.com ns3.dnsv5.com
Shows only two:

meituan.com     nameserver = ns3.dnsv5.com
meituan.com     nameserver = ns4.dnsv5.com

Long story short: Your DNS is in a bad state.
Go to your registrar and ensure they only list the nameservers that are expected.

5 Likes

I got the TXT record: DNS Checker - DNS Check Propagation Tool

1 Like

Yes, it works for me now as well, so maybe you have fixed it, or maybe you have really slow DNS propagation across your nameservers. You'll find out when you next have to change that value.

3 Likes

Why does the number of nameservers lead to certificate failure?

1 Like

I haven't fixed it yet, maybe DNS propagation is really slow.

1 Like

The number of nameservers isn't the problem.
It fails, because LE will walk the DNS tree and find four authoritative nameservers.
Two of which work and two that fail.
All nameservers must work.

I repeat:

8 Likes

I contacted the registrar to solve this problem, thanks :grinning:
But why does LE require all nameservers to work properly?

2 Likes

I can't say with certainty that all nameservers must work properly.
So I dare say that is NOT a requirement.
But I can say that for each failing system in a four nameserver configuration, the odds of success are reduced by at least 37/64 (or 57.8%).
And when two systems are failing (as in your case) the odds of failure are at least 7/8 (or 87.5%).

4 Likes

After the registrar solved this problem, it still returns "No TXT Record found"
domain: _acme-challenge.cloud.st.sankuai.com

2 Likes

I don't see any change with the authoritative nameservers.

Why are you checking against domain "sankuai.com" ?
[when the cert request is on domain "meituan.com"]

3 Likes

I think you have a wildcard CNAME record which is taking priority over the TXT record and redirecting everything to hlb.st.sankuai.com, which in turn points to offlinebeijing-bj.st.vip.sankuai.com:

https://dnsviz.net/d/_acme-challenge.cloud.st.sankuai.com/dnssec/
https://unboundtest.com/m/TXT/_acme-challenge.cloud.st.sankuai.com/2DLZAVEP

So if you specifically query for TXT records only, you get your value, but if you query for CNAME or TXT, then you get the CNAME.

1 Like

They are not synchronized:

nslookup -q=soa meituan.com ns3.dnsv5.com
Server:  UnKnown
Address:  59.36.120.148
meituan.com
        primary name server = ns3.dnsv5.com
        responsible mail addr = enterprise3dnsadmin.dnspod.com
        serial  = 1631950111

nslookup -q=soa meituan.com edns1.sankuai.com
Server:  UnKnown
Address:  103.37.136.254
meituan.com
        primary name server = edns1.sankuai.com
        responsible mail addr = edp.networkrd.meituan.com
        serial  = 1

4 Likes

You're not allowed to combine CNAMEs with other DNS resource records according to the RFCs (I once learned.)

6 Likes

Fatal: Inconsistency between delegation and zone.

The set of NS records served by the authoritative name servers must match those proposed for the delegation in the parent zone.: ns3.dnsv5.com (129.211.176.212):

Delegation: edns1.sankuai.com, edns2.sankuai.com, ns3.dnsv5.com, ns4.dnsv5.com,

Zone: ns3.dnsv5.com, ns4.dnsv5.com.

Name Servers defined in Delegation, missing in Zone: edns1.sankuai.com, edns2.sankuai.com.

5 Likes
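The two findings above (the delegation lists four nameservers but the zone apex at ns3/ns4 lists only two, and the stale pair answers the challenge name with a CNAME instead of the TXT) are exactly what a pre-flight check should surface before triggering the ACME challenge. The script below is an added example written for this thread, not code from Let's Encrypt, dig or Zonemaster. It walks from the parent's delegation to every listed nameserver, compares each server's apex NS set and SOA serial against the delegation, and asks each one directly for the `_acme-challenge` TXT with recursion off. The `FAKE` fixture is constructed to mirror the symptoms in the thread so the block runs offline; which servers returned the CNAME, the stale pair's NS set and the SOA timer fields are assumptions, not data from the thread. `dig_query` is the real backend for use against live servers (needs Python 3.9+ and `dig` on PATH).

```python
"""Pre-flight for an ACME dns-01 challenge: every delegated nameserver must
serve the same zone and must answer the _acme-challenge TXT itself.
Added example for this thread; FAKE data below is constructed, not captured."""
from __future__ import annotations
import subprocess
from dataclasses import dataclass, field
from typing import Callable

# A resolver returns (rtype, rdata) pairs for (server, qname, qtype); keeping
# rtype lets the caller see a CNAME that came back where a TXT was expected.
Answer = list[tuple[str, str]]
Query = Callable[[str, str, str], Answer]

def dig_query(server: str, qname: str, qtype: str) -> Answer:
    """Live backend: one non-recursive dig against one server, answer section only."""
    out = subprocess.run(
        ["dig", "+norecurse", "+noall", "+answer", "-t", qtype, qname, f"@{server}"],
        capture_output=True, text=True, check=True).stdout
    answer: Answer = []
    for line in out.splitlines():
        parts = line.split(None, 4)          # name ttl class type rdata
        if len(parts) == 5:
            answer.append((parts[3], parts[4]))
    return answer

@dataclass
class Report:
    delegated_ns: set[str]                   # NS set the parent zone hands out
    zone_ns: dict[str, set[str]]             # per server: NS set served at the apex
    soa_serial: dict[str, str | None]        # per server: SOA serial (None if no SOA)
    txt_values: dict[str, set[str]]          # per server: TXT strings at the challenge name
    cname_instead: dict[str, str]            # per server: CNAME target returned instead of TXT
    problems: list[str] = field(default_factory=list)

def preflight(zone: str, challenge_name: str, expected_token: str,
              parent_server: str, query: Query) -> Report:
    norm = lambda name: name.rstrip(".").lower()
    delegated = {norm(rd) for rt, rd in query(parent_server, zone, "NS") if rt == "NS"}
    rep = Report(delegated, {}, {}, {}, {})
    for ns in sorted(delegated):
        rep.zone_ns[ns] = {norm(rd) for rt, rd in query(ns, zone, "NS") if rt == "NS"}
        soa = [rd for rt, rd in query(ns, zone, "SOA") if rt == "SOA"]
        rep.soa_serial[ns] = soa[0].split()[2] if soa else None   # mname rname serial ...
        ans = query(ns, challenge_name, "TXT")
        rep.txt_values[ns] = {rd.strip('"') for rt, rd in ans if rt == "TXT"}
        for rt, rd in ans:
            if rt == "CNAME":
                rep.cname_instead[ns] = rd
        if rep.zone_ns[ns] != delegated:
            rep.problems.append(f"{ns}: apex NS set {sorted(rep.zone_ns[ns])} "
                                f"!= delegation {sorted(delegated)}")
        if expected_token not in rep.txt_values[ns]:
            why = f"CNAME to {rep.cname_instead[ns]}" if ns in rep.cname_instead else "no TXT"
            rep.problems.append(f"{ns}: challenge token not served ({why})")
    if len({s for s in rep.soa_serial.values() if s is not None}) > 1:
        rep.problems.append(f"SOA serials disagree: {rep.soa_serial}")
    return rep

# Constructed fixture modelled on the thread: four delegated servers, the DNSPod
# pair serving the current zone, the sankuai pair serving a stale copy (serial 1)
# with a CNAME where the TXT should be. Timer fields and NS sets are assumed.
TOKEN = "8d3bar2L-NLT_cZOY1pJaEtUqmUTMePhFDzpIFI9rFw"
CHALLENGE = "_acme-challenge.cloud.st.meituan.com"
FAKE: dict[tuple[str, str, str], Answer] = {
    ("e.gtld-servers.net", "meituan.com", "NS"): [("NS", "ns3.dnsv5.com."), ("NS", "ns4.dnsv5.com."),
                                                  ("NS", "edns1.sankuai.com."), ("NS", "edns2.sankuai.com.")],
}
for ns in ("ns3.dnsv5.com", "ns4.dnsv5.com"):
    FAKE[(ns, "meituan.com", "NS")] = [("NS", "ns3.dnsv5.com."), ("NS", "ns4.dnsv5.com.")]
    FAKE[(ns, "meituan.com", "SOA")] = [("SOA", "ns3.dnsv5.com. enterprise3dnsadmin.dnspod.com. "
                                                "1631950111 3600 180 1209600 180")]
    FAKE[(ns, CHALLENGE, "TXT")] = [("TXT", f'"{TOKEN}"')]
for ns in ("edns1.sankuai.com", "edns2.sankuai.com"):
    FAKE[(ns, "meituan.com", "NS")] = [("NS", "edns1.sankuai.com."), ("NS", "edns2.sankuai.com.")]
    FAKE[(ns, "meituan.com", "SOA")] = [("SOA", "edns1.sankuai.com. edp.networkrd.meituan.com. "
                                                "1 3600 180 1209600 180")]
    FAKE[(ns, CHALLENGE, "TXT")] = [("CNAME", "hlb.st.sankuai.com.")]

def fake_query(server: str, qname: str, qtype: str) -> Answer:
    return FAKE.get((server, qname, qtype), [])

def main() -> None:
    rep = preflight("meituan.com", CHALLENGE, TOKEN, "e.gtld-servers.net", fake_query)
    for p in rep.problems:
        print("PROBLEM:", p)
    print("OK to trigger challenge" if not rep.problems else f"{len(rep.problems)} problem(s)")

if __name__ == "__main__":
    main()
```

To run it against live DNS, swap `fake_query` for `dig_query` and point `parent_server` at one of the parent zone's servers (for a .com zone, a gtld-servers.net host). Only an empty `problems` list means the CA's validator will get the same answer no matter which authoritative server it happens to ask; waiting out the TTL fixes caches, not a server that serves a different zone.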

I'm trying to issue a multi-domain wildcard certificate; this certificate contains [sankuai.com] and [meituan.com].

1 Like

I solved this problem. The cause of the problem is TTL.
It works when I trigger the challenge after 2 TTLs; I guess DNS propagation is really slow.
Thanks All :grin:

3 Likes

Hi @amber, just want to point out you have mixed content on your site: some images are being served over http through your two subdomains p0.meituan.net and p1.meituan.net. Either change those to https or force https and you'll be all set. :smiley:
s0.meituan.net seems to be serving all images over https. :+1:

5 Likes