[GH-ISSUE #69] txt record contains dot char . will update fail #26

Closed
opened 2026-03-13 15:24:26 +03:00 by kerem · 2 comments

Originally created by @kuyagic on GitHub (Apr 9, 2018).
Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/69

The CA needs the TXT record to contain the dot character, but acme-dns returns bad_txt.
Using auth.acme-dns.io to reproduce this error.
Thank you

kerem closed this issue and added the question label (2026-03-13 15:24:26 +03:00)

@joohoi commented on GitHub (Apr 9, 2018):

Are you validating against non-ACME CA? If so, could you link me to the specs so I could modify the code accordingly.

When it comes to Let's Encrypt, or other CAs implementing ACME protocol, the challenge tokens for DNS validation use only characters in base64url character set, which does not include dot.

Relevant documentation here: https://tools.ietf.org/html/draft-ietf-acme-acme-11#section-8.4

```
token (required, string):  A random value that uniquely identifies
     the challenge.  This value MUST have at least 128 bits of entropy.
     It MUST NOT contain any characters outside the base64url alphabet,
     including padding characters ("=").
```

And the base64url alphabet: https://tools.ietf.org/html/rfc4648#section-5

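As an added illustration of the point made in the comment above (this is example code written for this page, not acme-dns's own validation code), the block below checks a TXT value against the base64url alphabet from RFC 4648 section 5 and derives a DNS-01 record value the way RFC 8555 section 8.4 (the published successor of the linked draft) specifies: the key authorization is `token "." thumbprint`, so it does contain a dot, but what goes into DNS is the base64url encoding of its SHA-256 digest, which is 43 characters from that alphabet and can never contain a dot. The `ValidTXT` and `DNS01TXTValue` names, the 43-character length check and the sample token and thumbprint strings are all assumptions constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"regexp"
)

// base64urlNoPad is the RFC 4648 section 5 alphabet without "=" padding:
// A-Z, a-z, 0-9, "-" and "_". The dot is not part of it.
var base64urlNoPad = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

// ValidTXT reports whether value has the shape of a DNS-01 validation record:
// exactly 43 base64url characters, i.e. the unpadded encoding of a 32-byte
// SHA-256 digest. (Assumed check for this example, not acme-dns's own rule.)
func ValidTXT(value string) bool {
	return len(value) == 43 && base64urlNoPad.MatchString(value)
}

// DNS01TXTValue derives the TXT record value from an ACME key authorization
// ("token.thumbprint") as RFC 8555 section 8.4 specifies:
// base64url(SHA-256(keyAuthorization)) with padding stripped.
func DNS01TXTValue(keyAuthorization string) string {
	sum := sha256.Sum256([]byte(keyAuthorization))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

func main() {
	// Constructed sample values; not a real challenge token or account thumbprint.
	token := "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
	thumbprint := "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"
	keyAuth := token + "." + thumbprint

	fmt.Printf("token uses only base64url characters: %v\n", base64urlNoPad.MatchString(token))
	fmt.Printf("key authorization (contains a dot, never published in DNS): %s\n", keyAuth)
	fmt.Printf("key authorization accepted as a TXT value: %v\n", ValidTXT(keyAuth))

	txt := DNS01TXTValue(keyAuth)
	fmt.Printf("TXT record value: %s (accepted: %v)\n", txt, ValidTXT(txt))
}
```

If a client ends up with a dot in the value it tries to publish, the most likely explanation is that it is submitting the key authorization (or something derived from it without the digest step) rather than the digest's base64url encoding; the check above rejects the former and accepts the latter.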

@mshafer1 commented on GitHub (Dec 24, 2025):

7 years later, I'm running into this again (new for me, but same issue).

I'm using Let's Encrypt with certbot...

A particular domain I'm trying to get a cert for is consistently yielding a challenge with a `.` in it.

(NOTE: running into this issue got me reading into the example certbot client and joohoi/acme-dns a lot more, and I now understand that I should be running my own instance of joohoi/acme-dns, so I am, but get the same error)

Let me know if I should open this as a separate issue
