
TXT

TXT record validation requires the creation of a TXT record in the hostname’s authoritative DNS.



When to use

Generally, you need to perform TXT-based DCV when your certificate requires DCV and you cannot perform Delegated DCV.


Setup

Specify DCV method

If you want to use a Universal SSL certificate, you will need to edit the validation_method via the API and specify your chosen validation method.

Alternatively, you could order an advanced certificate via the dashboard or the API.

Get DCV values

Once you create a new certificate and choose the validation method of TXT, your tokens will be ready after a few seconds.

These tokens can be fetched through the API or the dashboard when the certificates are in a pending validation state during custom hostname creation or during certificate renewals.

You can fetch these tokens via the API by sending a GET request that includes status=pending_validation as a request parameter.

For example, here are two tokens highlighted in the API response for a wildcard certificate.

Response
{
  "result": [
    {
      "id": "<CERTIFICATE_ID>",
      "type": "advanced",
      "hosts": ["*.<DOMAIN>.com", "<DOMAIN>.com"],
      "primary_certificate": "0",
      "status": "pending_validation",
      "certificates": [],
      "created_on": "2022-10-12T21:46:21.979150Z",
      "validity_days": 90,
      "validation_method": "txt",
      "validation_records": [
        {
          "status": "pending",
          "txt_name": "_acme-challenge.<DOMAIN>.com",
          "txt_value": "lXLOcN6cPv0nproViNcUHcahD9TrIPlNgdwesj0pYpk"
        },
        {
          "status": "pending",
          "txt_name": "_acme-challenge.<DOMAIN>.com",
          "txt_value": "O0o8VgJu_OGu-T30_cvT-4xO5ZX1_2WsVNUrpUKE6ns"
        }
      ],
      "certificate_authority": "google"
    }
  ]
}

Update DNS records

At your authoritative DNS provider, create a TXT record whose name is the txt_name and whose content is the txt_value.

Repeat this at your authoritative DNS provider for every DCV record returned in the validation_records field.

If one or more of the hostnames on the certificate fail to validate, the certificate will not be issued or renewed.

This means that a wildcard certificate covering example.com and *.example.com requires two DCV tokens, both published at the same _acme-challenge name at the authoritative DNS provider. Similarly, a certificate with five hostnames in the SAN (including a wildcard) requires five DCV tokens to be placed at the authoritative DNS provider.

Complete DCV

Once you update your DNS records, you can either wait for the next retry or request an immediate recheck.

To request an immediate recheck, send another PATCH request that sets validation_method to the same value as your current validation method.

TXT records used for DCV can be removed from your authoritative DNS provider as soon as the certificate is issued.

Renewal

Even if you manually handle DCV when issuing certificates in a partial DNS setup, at certificate renewal, Cloudflare will attempt to automatically perform DCV via HTTP.

If all of the following conditions are confirmed at the first attempt, the renewal happens automatically via HTTP.

  • Hostnames are proxied.
  • Hostnames on the certificate resolve to the IPs assigned to the zone.
  • The certificate does not contain wildcards.

If any one of the conditions is not met, the certificate renewal falls back to your chosen method and you will need to repeat the DCV process manually.

Cloudflare generates renewal tokens 30 days before certificate expiration.