If you're issuing a cert for hostname.example.com, the TXT record needs to be for _acme-challenge.hostname.example.com, and that DNS record needs to be visible from the public Internet. hostname.example.com itself doesn't have to be visible, but the DNS TXT record does.
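An added example, not part of the original post and not any ACME client's own code: it derives the name the TXT record must live at and triages what a public lookup returned. It goes beyond the post by handling wildcard identifiers and by computing the expected TXT value as defined in RFC 8555 section 8.4. The token, the account thumbprint and the `public_answers` mapping (TXT strings as seen from the Internet) are constructed inputs, and the function names are hypothetical.

```python
import base64
import hashlib

# Constructed sample values, not real challenge data.
SAMPLE_TOKEN = "constructed-token-0123456789abcdef"
SAMPLE_THUMBPRINT = "constructed-account-key-thumbprint-abcdefgh"


def challenge_record_name(identifier: str) -> str:
    """Return the DNS name where the DNS-01 TXT record must be published."""
    name = identifier.strip().rstrip(".").lower()
    # A wildcard identifier (*.example.com) is validated at the base domain.
    if name.startswith("*."):
        name = name[2:]
    if not name or "*" in name:
        raise ValueError(f"not a valid certificate identifier: {identifier!r}")
    return "_acme-challenge." + name


def expected_txt_value(token: str, account_thumbprint: str) -> str:
    """base64url(SHA-256(token + '.' + thumbprint)) with padding removed."""
    key_authorization = f"{token}.{account_thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def diagnose(identifier, token, account_thumbprint, public_answers):
    """Compare publicly visible TXT answers with what validation looks for.

    public_answers maps a DNS name to the list of TXT strings returned by
    a resolver on the public Internet (supplied by the caller).
    """
    name = challenge_record_name(identifier)
    want = expected_txt_value(token, account_thumbprint)
    seen = public_answers.get(name, [])
    if want in seen:
        return "ok"
    if seen:
        return "stale-or-wrong-value"
    # Frequent mistake: the TXT record was created on the hostname itself.
    bare = name[len("_acme-challenge."):]
    if want in public_answers.get(bare, []):
        return "record-on-wrong-name"
    return "not-publicly-visible"
```
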