Introduction

A Let's Encrypt DNS-01 challenge fails when the certificate authority, querying the public authoritative nameservers, cannot find a TXT record with the exact expected value at the exact _acme-challenge hostname. In most cases the problem is not Let's Encrypt itself. The usual causes are wrong record names, stale or inconsistent authoritative DNS answers, CNAME-delegated validation zones that point somewhere unexpected, or DNS provider input rules that silently change what gets published. The fix is to verify the live authoritative TXT answer, as the CA's resolvers will see it, instead of trusting the control panel alone.

Symptoms

  • Let's Encrypt reports a DNS-01 challenge failure, typically that no TXT record was found at _acme-challenge.<name> or that the TXT record found there has an incorrect value
  • Certificate issuance or renewal works for some names but not for others
  • The TXT record appears in your DNS dashboard, but validation still fails
  • Wildcard certificate requests fail even though standard certificates worked before (wildcards can only be validated with DNS-01, so a DNS problem hidden by HTTP-01 shows up here first)
  • The issue started after changing DNS providers, nameservers, or certificate automation

Common Causes

  • The TXT record was added under a host name other than _acme-challenge (for example at the bare domain or at www)
  • The DNS provider auto-appended the zone name to a fully qualified host field, creating a doubled record name
  • A CNAME or delegated _acme-challenge zone points somewhere other than where the TXT record was actually published
  • Some authoritative nameservers still serve an old TXT value or no record at all, so the answer depends on which server the CA happens to ask
  • Renewal automation generated a new challenge value, but only the old TXT record is published (a leftover record does not break validation by itself, because any matching TXT record at the name is accepted; the failure is that the current value is missing)

Step-by-Step Fix

  1. Copy the exact hostname and TXT value that your ACME client displays for the current challenge. The TXT value is derived from the challenge token and your account key; it is not the token itself, so copy what the client prints rather than anything from the ACME server response.
  2. Work out the validation name. The apex example.com and the wildcard *.example.com both validate at _acme-challenge.example.com, while sub.example.com validates at _acme-challenge.sub.example.com. A certificate that covers both the apex and the wildcard needs two different TXT records at the same _acme-challenge.example.com name at the same time.
  3. Query every nameserver in the zone's NS set directly and confirm that the live TXT answer at the _acme-challenge name matches the current value exactly; the CA may ask any of those servers, so one correct answer is not enough.
  4. Review your DNS provider's host field rules (in particular whether it appends the zone name automatically) so you publish _acme-challenge.example.com and not _acme-challenge.example.com.example.com or another incorrect name.
  5. If _acme-challenge is a CNAME or a delegated validation zone, follow that chain to the end. Let's Encrypt follows CNAMEs at the validation name, so the TXT record must exist at the final target, on that zone's authoritative servers.
  6. Remove outdated or conflicting TXT records only after confirming which value belongs to the active validation attempt; clearing out stale records mainly prevents confusion, since a matching record is accepted even when older ones sit beside it.
  7. Retry only after every authoritative nameserver returns the correct TXT value. Retrying while one server still answers with the old value or no record usually reproduces the same failure, because the CA may query any of them and validates from several network vantage points.
  8. Retry certificate issuance once the public authoritative answer is correct and stable for the exact hostname being validated.
  9. Document how your DNS provider handles _acme-challenge, delegation, and wildcard validation so the next renewal does not fail for the same reason.
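
As an added example (not part of the original article, and not Let's Encrypt or ACME client code), the following POSIX shell script performs steps 1 through 8 against the live authoritative servers with dig: it derives the _acme-challenge name (stripping the wildcard label), follows any CNAME chain into a delegated validation zone, asks every nameserver in the final zone's NS set non-recursively, and reports which servers return the expected value. It also contains a check for the doubled-zone name described in step 4. The domain and expected value are command-line arguments; example.com, the script filename and the values in the comments are placeholders, and dig (from bind-utils or dnsutils) is assumed to be installed.

```shell
#!/bin/sh
# Added example for this article (not Let's Encrypt or ACME client code).
# Checks a DNS-01 TXT record the way the CA will see it: at every authoritative
# nameserver, non-recursively, after following any CNAME chain.
# Assumes dig is installed. Domain and expected value come from the command line.

# Validation name for a domain. Wildcard and apex both validate at
# _acme-challenge.<zone>; a subdomain validates at _acme-challenge.<sub>.
acme_name() {
  name=${1#\*.}            # strip a leading "*." from wildcard requests
  name=${name%.}           # drop a trailing dot if present
  printf '_acme-challenge.%s\n' "$name"
}

# True when the provider auto-appended the zone, e.g.
# _acme-challenge.example.com.example.com for zone example.com.
doubled_zone() {
  case "$1" in
    *".$2.$2") return 0 ;;
    *) return 1 ;;
  esac
}

# True when any TXT answer (one value per line) equals the expected value.
# Let's Encrypt accepts the challenge if ANY TXT record at the name matches,
# so leftover records are noise; a missing current value is the real failure.
# "--" guards against values starting with "-" (legal in base64url).
match_txt() {
  printf '%s\n' "$2" | grep -qxF -- "$1"
}

# Authoritative nameservers for the zone containing a name: walk up the labels
# until an NS record set is returned (the first label that is a zone cut).
nameservers_for() {
  n=$1
  while [ -n "$n" ]; do
    ns=$(dig +short NS "$n" 2>/dev/null)
    if [ -n "$ns" ]; then printf '%s\n' "$ns"; return 0; fi
    case "$n" in
      *.*) n=${n#*.} ;;
      *) return 1 ;;
    esac
  done
  return 1
}

# Follow a CNAME or delegated validation zone (at most 8 hops), then query
# each authoritative server of the final zone directly with +norecurse.
check_challenge() {
  domain=$1; expected=$2; fail=0; hops=0
  name=$(acme_name "$domain")
  while [ "$hops" -lt 8 ]; do
    target=$(dig +short "$name" CNAME | sed 's/\.$//')
    [ -z "$target" ] && break
    echo "$name is a CNAME to $target"
    name=$target; hops=$((hops + 1))
  done
  servers=$(nameservers_for "$name") || { echo "no NS found for $name"; return 1; }
  for server in $servers; do
    answers=$(dig +short +norecurse "@$server" "$name" TXT | tr -d '"')
    if match_txt "$expected" "$answers"; then
      echo "OK    $server: $name has the expected value"
    else
      echo "FAIL  $server: $name returned: ${answers:-<no TXT records>}"
      fail=1
    fi
  done
  return "$fail"
}

# Usage: sh check-acme-txt.sh '*.example.com' 'VALUE_FROM_YOUR_ACME_CLIENT'
if [ "$#" -ge 2 ]; then
  check_challenge "$1" "$2"
fi
```

Run it as `sh check-acme-txt.sh '*.example.com' 'VALUE_FROM_YOUR_ACME_CLIENT'` (hypothetical filename) and retry issuance only when every server line reads OK. The script uses `+norecurse` so that a server which also happens to recurse cannot hand back a cached answer, and it queries the final CNAME target's own zone rather than the original zone, which is exactly where a misconfigured delegated validation zone usually goes wrong.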