ACME DNS validation for Let's Encrypt SSL certificates
Use DNS validation to issue SSL certificates via ACME. How DNS-01 challenge works, wildcard certs, DNS automation.
ACME DNS validation is a method for proving domain ownership to certificate authorities (CAs) such as Let's Encrypt. Instead of placing a file on your web server, you add a DNS record that proves you control the domain.
HTTP vs DNS validation
| Method | How It Works | Pros | Cons |
|---|---|---|---|
| HTTP-01 (HTTP validation) | Place file at /.well-known/acme-challenge/ | Simple, no DNS needed, fast | Requires website to be live, fails if port 80 blocked |
| DNS-01 (DNS validation) | Add TXT record to DNS | Works even if site is down, wildcard support, behind firewall | Requires DNS access, slower propagation |
Wildcard certificates (DNS only)
Wildcard certs (*.example.com) cover all subdomains with one certificate. Only DNS validation works for wildcards:
- Regular: example.com → covers that domain only
- Wildcard: *.example.com → covers subdomain.example.com, api.example.com, etc.
- Cost: Let's Encrypt wildcards are free (like regular certs)
How DNS-01 challenge works
- You request a certificate for example.com from Let's Encrypt
- Let's Encrypt generates a random token
- You add this token as a TXT record in your DNS:
  - Record name: _acme-challenge.example.com
  - Record type: TXT
  - Record value: token from Let's Encrypt
- Let's Encrypt queries DNS and verifies the token is there
- If verified, Let's Encrypt issues the certificate
- You can remove the TXT record (certificate is now valid)
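The value published in the TXT record is not the raw token: per RFC 8555 the client publishes the base64url SHA-256 digest of the key authorization (token plus the account key's RFC 7638 thumbprint), which is the string Certbot prints for you. The following added example (not code from this page or from Certbot) computes that value from a constructed sample account key and token, derives the record name for both plain and wildcard domains, and models the CA's exact-match check that the troubleshooting section relies on.

```python
"""Compute and check the DNS-01 TXT value (RFC 8555 section 8.4, RFC 7638)."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON (sorted keys, no
    whitespace) of only the required public members of the account key."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT value = base64url(SHA-256(token + "." + thumbprint)); this is what
    Certbot displays, never the bare token."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_record_name(domain: str) -> str:
    """example.com and *.example.com both validate at the same label."""
    return "_acme-challenge." + domain.removeprefix("*.")


def would_validate(expected: str, txt_records: list[str]) -> bool:
    """Model the CA's check: an exact, case-sensitive match against any one of
    the TXT records found at the name (extra or stale records do not hurt)."""
    return any(record == expected for record in txt_records)


# Constructed sample account key and token for demonstration only (not a real key).
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus-not-a-real-key"}
SAMPLE_TOKEN = "abcd1234efgh5678ijkl9012mnop"

if __name__ == "__main__":
    value = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
    print(challenge_record_name("*.example.com"), "TXT", value)
```

Because the digest covers the account key thumbprint, a value printed for one ACME account cannot be reused by another account, which is why you cannot copy a TXT value between Certbot installations.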
Setting up DNS validation
Step 1: Request certificate with DNS validation
Using Certbot (command line):
certbot certonly --manual --preferred-challenges dns -d example.com -d '*.example.com'
Step 2: Add TXT record to DNS
Certbot will output something like:
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:
abcd1234efgh5678ijkl9012mnop
Add this TXT record to your DNS provider (cPanel Zone Editor, GoDaddy DNS, etc.):
- Name: _acme-challenge.example.com
- Type: TXT
- Value: abcd1234efgh5678ijkl9012mnop
- TTL: 300 (or default)
Step 3: Verify DNS propagation
Wait for DNS propagation (usually 5-60 seconds):
nslookup -type=TXT _acme-challenge.example.com
dig TXT _acme-challenge.example.com
Step 4: Press Enter in Certbot
Once you've confirmed DNS propagation, press Enter in Certbot. It will verify and issue the certificate.
Automate DNS validation
Manual DNS validation requires you to add TXT records at each renewal. Automation uses API access to your DNS provider so the client creates and removes the records itself:
Certbot with DNS plugins:
# Cloudflare automation (the plugin reads the API token from a credentials file)
certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/cloudflare.ini -d example.com -d '*.example.com'
# Route53 automation (uses the AWS credentials available to the certbot process)
certbot certonly --dns-route53 -d example.com -d '*.example.com'
# Generic DNS automation: manual mode with hook scripts that create and remove the TXT record via your provider's API (replace the paths with your own scripts)
certbot certonly --manual --preferred-challenges dns --manual-auth-hook /path/to/dns-auth.sh --manual-cleanup-hook /path/to/dns-cleanup.sh -d example.com
Troubleshooting DNS validation
"DNS query failed" - Record not found after propagation
- Wait longer for DNS to propagate globally (up to 60 seconds)
- Verify record name is exactly _acme-challenge.example.com
- Use a DNS check tool to verify the record is live
"Challenges did not pass validation" - DNS record is wrong
- Double-check the token value matches exactly (case-sensitive)
- Ensure record type is TXT (not other types)
- Delete stale _acme-challenge TXT records left over from earlier runs (note that when you request example.com and *.example.com together, Certbot asks for two records at the same name, and both must be present)
"Permission denied" in Certbot - Run with sudo
sudo certbot certonly --manual --preferred-challenges dns -d example.com
Use DNS validation when:
• You need a wildcard certificate
• Your site is behind a firewall/proxy
• Your web server isn't live yet
• You want to automate renewals via DNS API