🛡️ ACME DNS-01 Challenge Debugger
Trace and validate Let's Encrypt / ACME TXT records across global resolvers to troubleshoot certificate renewal failures.
Understanding the ACME DNS-01 Challenge
The DNS-01 challenge is a verification method specified by the Automated Certificate Management Environment (ACME) protocol (standardized in RFC 8555) and utilized by Certificate Authorities like Let's Encrypt. It proves that you control a domain name by requiring you to place a specific token value in a DNS TXT record under that domain name.
Unlike the HTTP-01 challenge, which requires a web server to serve a file on port 80, the DNS-01 challenge does not require inbound internet access to your web servers, making it ideal for firewalled internal networks. Furthermore, it is the only challenge type supported for issuing wildcard certificates (e.g., *.example.com).
How the DNS-01 Validation Process Works
1. The ACME client requests a certificate and receives a random challenge token from the CA.
2. The client builds the key authorization string (the token joined with a "." to the thumbprint of its ACME account key) and computes its SHA-256 digest.
3. The client creates a DNS TXT record named _acme-challenge.yourdomain.com whose value is the base64url encoding of that digest.
4. The client tells the ACME server that the record is ready.
5. The ACME server queries global DNS resolvers for the TXT record. If the value matches, the certificate is issued!
Common Troubleshooting Steps:
- Propagation Delays: DNS propagation is not instantaneous. After publishing the TXT record, it may take several seconds to hours for all resolvers to reflect the update. Use this tool to verify that all four global providers return the same TXT token value.
- Wildcard vs Subdomain Placement: For a wildcard certificate like *.example.com, the challenge record MUST be placed at _acme-challenge.example.com (not _acme-challenge.*.example.com).
- CNAME Delegation: If you delegate challenge handling to another DNS server or an ACME-dedicated domain using a CNAME record, ensure that the CNAME target resolves properly and returns the TXT record directly.
- Multiple TXT Records: If you are issuing certificates that cover both the base domain (example.com) and the wildcard (*.example.com) at the same time, the ACME server will require two distinct TXT records with different tokens under the same name (_acme-challenge.example.com). The DNS resolver will return both values in a single response, which is fully supported by this debugger.
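The following Python script is an added example (not part of this page or its tool) that works through steps 2, 3 and 5 above and the wildcard and multiple-TXT-record cases from the troubleshooting list: it derives the expected TXT value from a token and account key per RFC 8555 / RFC 7638, derives the correct record name for a wildcard identifier, and checks constructed resolver answers for the expected values. The account key, tokens and resolver names are placeholders, and the resolver answers are embedded rather than looked up on the network.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 8555 requires everywhere in ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required public members, lexically ordered, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def expected_txt_value(token: str, account_jwk: dict) -> str:
    """Step 2: keyAuthorization = token '.' thumbprint; TXT value = base64url(SHA-256(keyAuthorization))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_name(identifier: str) -> str:
    """Step 3: a wildcard identifier is validated at the base name, never at _acme-challenge.*.example.com."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"


def check_resolvers(expected: set, answers: dict) -> dict:
    """Step 5 as the debugger sees it: a resolver passes only if it returns every expected value.
    Extra TXT records (e.g. a stale value from an earlier renewal) do not by themselves fail validation."""
    return {resolver: expected.issubset(values) for resolver, values in answers.items()}


# Constructed account key: only the public members matter for the thumbprint; the values are placeholders.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
TOKEN_BASE = "constructed-token-for-example-com"   # token for the example.com authorization
TOKEN_WILD = "constructed-token-for-wildcard"      # token for the *.example.com authorization

if __name__ == "__main__":
    # One order covering example.com and *.example.com: two tokens, two TXT values, one record name.
    need = {expected_txt_value(TOKEN_BASE, ACCOUNT_JWK), expected_txt_value(TOKEN_WILD, ACCOUNT_JWK)}
    name = challenge_name("*.example.com")
    # Constructed resolver answers: resolver-d has not picked up the new records yet.
    answers = {
        "resolver-a": sorted(need),
        "resolver-b": sorted(need),
        "resolver-c": sorted(need) + ["stale-value-from-last-renewal"],
        "resolver-d": ["stale-value-from-last-renewal"],
    }
    for resolver, ok in check_resolvers(need, answers).items():
        print(f"{name} @ {resolver}: {'OK' if ok else 'MISSING expected TXT value (propagation?)'}")
```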