TXT DCV method
TXT record validation requires the creation of a TXT record in the hostname’s authoritative DNS.
When to use
Generally, you need to perform TXT-based DCV when your certificate requires DCV and you cannot perform Delegated DCV.
Setup
Specify DCV method
If you want to use a Universal SSL certificate, you will need to edit the validation_method
via the API and specify your chosen validation method.
Alternatively, you could order an advanced certificate via the dashboard or the API.
Get DCV values
Once you create a new certificate and choose the validation method of TXT, your tokens will be ready after a few seconds.
These tokens can be fetched through the API or the dashboard when the certificates are in a pending validation state during custom hostname creation or during certificate renewals.
You can access these tokens using the API with the GET
request and including status=pending_validation
as a request parameter.
For example, here are two tokens highlighted in the API response for a wildcard certificate.
Response{ "result": [ { "id": "<CERTIFICATE_ID>", "type": "advanced", "hosts": ["*.<DOMAIN>.com", "<DOMAIN>.com"], "primary_certificate": "0", "status": "pending_validation", "certificates": [], "created_on": "2022-10-12T21:46:21.979150Z", "validity_days": 90, "validation_method": "txt", "validation_records": [ { "status": "pending", "txt_name": "_acme-challenge.best3.com", "txt_value": "lXLOcN6cPv0nproViNcUHcahD9TrIPlNgdwesj0pYpk" }, { "status": "pending", "txt_name": "_acme-challenge.best3.com", "txt_value": "O0o8VgJu_OGu-T30_cvT-4xO5ZX1_2WsVNUrpUKE6ns" } ], "certificate_authority": "google" } ]
}
- Log in to the Cloudflare dashboard.
- Choose your account and domain.
- Navigate to SSL/TLS > Edge Certificates.
- Select a certificate.
- Copy the values for Certificate validation TXT name and Certificate validation TXT value.
If you had created a wildcard certificate, you would need to copy the values for two different validation TXT records.
Update DNS records
At your authoritative DNS provider, create a TXT record named the txt_name
and containing the txt_value
.
Repeat this process for all the DCV records returned in the validation_records
field to your Authoritative DNS provider.
If one or more of the hostnames on the certificate fail to validate, the certificate will not be issued or renewed.
This means that a wildcard certificate covering example.com
and *.example.com
will require two DCV tokens to be placed at the authoritative DNS provider. Similarly, a certificate with five hostnames in the SAN (including a wildcard) will require five DCV tokens to be placed at the authoritative DNS provider.
Complete DCV
Once you update your DNS records, you can either wait for the next retry or request an immediate recheck.
To request an immediate recheck, send another PATCH request with the same validation_method
as your current validation method.
Renew DCV tokens
If possible, DCV tokens for proxied hostnames are always renewed via HTTP.
However, some certificates — for example, if you are using wildcard certificates or certificates with multiple SANs or your hostname is not proxied — are not eligible for HTTP validation.
If your certificate is not eligible for HTTP validation, you will need to repeat the DCV process with your chosen method. Cloudflare generates these renewal TXT tokens 30 days before certificate expiration.