TransIP: Verification URL is not working. Keep generating new TXT value

My problem, look at this:

Also the same domain provider. So I already did what the solution in the above topic says.

My problem is when I hit Issue in pfSense ACME it generates a TXT value. When I put this in my domain DNS (supsolit.nl), wait a while and hit Renew, ACME generates a new TXT value.

When I hit Renew AFTER Issue, it tells me:

```
[Sat Mar 25 13:41:30 CET 2023] Renew: 'unifi.supsolit.nl'
[Sat Mar 25 13:41:30 CET 2023] Renew to Le_API=https://acme-v02.api.letsencrypt.org/directory
[Sat Mar 25 13:41:31 CET 2023] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sat Mar 25 13:41:31 CET 2023] Single domain='unifi.supsolit.nl'
[Sat Mar 25 13:41:31 CET 2023] Getting domain auth token for each domain
[Sat Mar 25 13:41:33 CET 2023] Getting webroot for domain='unifi.supsolit.nl'
[Sat Mar 25 13:41:33 CET 2023] Add the following TXT record:
[Sat Mar 25 13:41:33 CET 2023] Domain: '_acme-challenge.unifi.supsolit.nl'
[Sat Mar 25 13:41:33 CET 2023] TXT value: 'ErXlGjiZ-HATqKOiLLmfIlcFt0ZjcUD2JMWfnjefkcU'
[Sat Mar 25 13:41:33 CET 2023] Please be aware that you prepend _acme-challenge. before your domain
[Sat Mar 25 13:41:33 CET 2023] so the resulting subdomain will be: _acme-challenge.unifi.supsolit.nl
[Sat Mar 25 13:41:33 CET 2023] Please add the TXT records to the domains, and re-run with --renew.
[Sat Mar 25 13:41:33 CET 2023] Please check log file for more details:
```


I have changed the value to something random.

Log output is far easier to read when you use </> Preformatted text available in the extended menu found by clicking :gear:.

Your log output suggests that you have selected a manual DNS-01 challenge. The DNS-01 challenge, like all acme challenges, is far better when automated. My pfSense ACME clients are all set to update the required DNS records via API. Did you have a DNS provider configured previously?

4 Likes

My provider does have an API for DNS... but this API is outdated and the advice is not to use it anymore. Plus my provider is not in the available list.

So yes, I am using DNS-Manual. But isn't this also automatic? (When it works)

Plus, even if API is the better option, which I don't disagree with :slight_smile:, the DNS-manual should also work, right?

I apologize, but what do you mean with this question?

Did you have a DNS provider configured previously

I'm not sure how it could be both manual and automatic. Those sound mutually exclusive to me.

You wrote:

That made me curious if what you had changed might have been a setting that previously updated your DNS records programmatically. Based on your detailed answer, it seems that you did not have a DNS provider configured for automatic update.

I would consider moving to another DNS provider, at least for your DNS-01 challenges. This is supported in the pfSense ACME package.

https://docs.netgate.com/pfsense/en/latest/packages/acme/settings-dnsalias.html

4 Likes

I get what you are saying, but why does ACME keep generating a new TXT? From what I read, it should not do that. It should generate one when you hit ISSUE, not when hitting RENEW. Or am I wrong?

I can add as many TXT records as I want, so why would this problem be with my DNS provider?

Because you are using the DNS-01 challenge.

1 Like

Here is a list of DNS providers who easily integrate with Let's Encrypt DNS validation

1 Like

Ah, so I picked the wrong one? I am trying to follow a HAProxy + ACME how-to from Lawrence on YT and he spoke about DNS-manual. And according to him it should work this way.

But to be honest I don't get how this works then.
I cannot add the TXT value before I see it, and when I see it, it has failed, but when I try to redo it I end up in the same circle.

The way I added it to my DNS might be wrong; I hit RENEW again:

```
unifi.supsolit.nl:Verify error:DNS problem: NXDOMAIN looking up TXT for _acme-challenge.unifi.supsolit.nl - check that a DNS record exists for this domain
```

I don't feel like moving my domain at the moment. I would like to get this manual way working for now. There is a manual way, so this should work, right? So I am doing something wrong.

You are to use the <TOKEN> supplied by each challenge run for that run, thus the _acme-challenge.<YOUR_DOMAIN> TXT record needs updating with the <TOKEN> between receiving the <TOKEN> and DNS propagating, before the actual challenge happens.

2 Likes

With this issue being specific, not only to a particular client, but also an explicit procedure, the Lawrence Systems forum may be better suited to provide insight.

3 Likes

Thanks, but not really. He uses Ocean.... for this DNS, so he uses an API and only quickly mentions the DNS manual way.

Ah well, maybe I will also try it there :slight_smile:

1 Like

Yes, so issue it, get the TOKEN and put it in my DNS. And hit RENEW after a while. But for some reason it is not finding the TXT.

Could be similar to this problem. But I already tried this solution.

I suspect that if he mentions the manual method, he has some amount of familiarity.

I still recommend that you explore using CNAMEs to point to a challenge domain with DNS hosted at a compatible DNS host. There are free options such as dns.he.net if cost is a concern.

3 Likes

How many DNS records are allowed?
How many DNS TXT records are allowed for an entry? Some DNS providers only allow 1 at a time.

1 Like

No, it is not costs. I live in the Netherlands, so I have a Dutch provider (the largest here), which makes it easier timezone-wise when I need something.

But in the end, if I really cannot get it to work in any other way than moving the domain, I still probably will do it.

Don't know how many, but for sure at least 10. So this is not an issue.

You don't have to move the whole domain. This article covers the approach I am suggesting.

https://dan.langille.org/2019/02/01/acme-domain-alias-mode/

2 Likes

You should check the DNS system for the entry you made to ensure the world can see it before hitting enter.

2 Likes

Using this online tool https://unboundtest.com/ yields results https://unboundtest.com/m/TXT/_acme-challenge.unifi.supsolit.nl/GKUTZSJX
This is the present DNS TXT record:

```
_acme-challenge.unifi.supsolit.nl. 0 IN TXT "8xrPEBk13b2MqhPUafHyhbunhoE3VjaLbYiZx7ghsFc"
```

```
Query results for TXT _acme-challenge.unifi.supsolit.nl

Response:
;; opcode: QUERY, status: NOERROR, id: 14628
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_acme-challenge.unifi.supsolit.nl.	IN	 TXT

;; ANSWER SECTION:
_acme-challenge.unifi.supsolit.nl.	0	IN	TXT	"8xrPEBk13b2MqhPUafHyhbunhoE3VjaLbYiZx7ghsFc"

----- Unbound logs -----
Mar 25 17:49:35 unbound[848150:0] notice: init module 0: validator
```
1 Like

YES! I figured it out a couple of minutes ago.
So I issued a new one, and this worked!

My error was:

In the other topic I mentioned, they said (same DNS provider):
at the NAME when you do:
`_acme-challenge.unifi.supsolit.nl`

it doesn't work.
So I tried:
`_acme-challenge.`

This didn't work. The solution was:
`_acme-challenge.unifi`
as NAME.

Thanks everyone, and I do get that via an API is better. But for now I am just following the how-to and I will see in the end if I will really use this.

5 Likes
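An added example (not code from the thread or from the pfSense ACME package) that ties the two practical points above together: the NAME entered in a provider panel must be relative to the zone (`_acme-challenge.unifi` for zone `supsolit.nl`, assuming the panel appends the zone itself), and Renew should only be hit once a public resolver returns the token from the current run. The resolver responses are constructed here in the dig-style text that unboundtest.com prints; the token values are the ones quoted in the thread.

```python
import re

# Sample resolver responses, constructed for this example in the dig-style
# text that unboundtest.com prints (not captured from the real domain).
NXDOMAIN_RESPONSE = """;; opcode: QUERY, status: NXDOMAIN, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;_acme-challenge.unifi.supsolit.nl.\tIN\t TXT
"""
OK_RESPONSE = """;; opcode: QUERY, status: NOERROR, id: 14628
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_acme-challenge.unifi.supsolit.nl.\tIN\t TXT

;; ANSWER SECTION:
_acme-challenge.unifi.supsolit.nl.\t0\tIN\tTXT\t"8xrPEBk13b2MqhPUafHyhbunhoE3VjaLbYiZx7ghsFc"
"""

def relative_record_name(fqdn: str, zone: str) -> str:
    """NAME to enter in a provider panel that appends the zone itself.
    The thread's fix: in zone supsolit.nl the NAME is '_acme-challenge.unifi';
    typing the full FQDN there (assumption) makes the panel append the zone again."""
    fqdn, zone = fqdn.rstrip("."), zone.rstrip(".")
    if fqdn == zone:
        return "@"  # record at the zone apex
    if not fqdn.endswith("." + zone):
        raise ValueError(f"{fqdn} is not inside zone {zone}")
    return fqdn[: -len(zone) - 1]

def txt_values(response: str) -> dict:
    """Parse a dig-style response into its status and the TXT strings answered."""
    status = re.search(r"status: (\w+)", response)
    values = re.findall(r'^\S+\s+\d+\s+IN\s+TXT\s+"([^"]*)"', response, re.MULTILINE)
    return {"status": status.group(1) if status else "UNKNOWN", "txt": values}

def ready_to_renew(response: str, expected_token: str) -> tuple:
    """Only hit Renew once the token from the *current* run is publicly visible;
    NXDOMAIN (wrong NAME or not propagated) or a stale token means wait or fix."""
    parsed = txt_values(response)
    if parsed["status"] != "NOERROR":
        return False, f"resolver says {parsed['status']}: record not visible (NAME wrong or not propagated)"
    if expected_token in parsed["txt"]:
        return True, "current token visible, safe to hit Renew"
    return False, f"TXT {parsed['txt']} found but not the current token; stale record?"
```

In practice the response text would come from `dig TXT _acme-challenge.unifi.supsolit.nl` or the unboundtest.com page rather than the embedded samples.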