DNS-01 challenge
The DNS-01 challenge is less widely used than HTTP-01 and requires more configuration to automate. By default, you must create the DNS TXT record manually; the ACME client then adds the required DNS validation parameter, along with the DigiCert-generated random value, to the record.
When validating a domain using the DNS-01 challenge, include --preferred-challenges dns in your certbot command. For a complete Certbot example, see Issue and install a certificate for NGINX using DNS-01 domain validation.
Requirements
The ACME client must have API access to the domain's DNS provider to create and remove TXT records automatically. Without API access, you must create the DNS TXT record manually each time.
DNS propagation time must be accounted for before DigiCert checks for the record.
Automating the DNS-01 challenge
For the DNS-01 challenge to be effective in a fully automated workflow, automate the DNS TXT record creation using one of the following options:
Check with your DNS provider to see if they have a supported API for automating the creation of DNS TXT records.
Check whether your DNS provider supports Certbot plugins. For example, Certbot has plugins for many widely used DNS providers such as DNS Made Easy.
Create a custom script for making DNS updates.
Common configuration issues
The TXT record is created on the wrong hostname.
The DigiCert-generated random value is copied incorrectly or modified.
Additional characters are added to the record value.
DNS propagation is incomplete. Allow additional time before DigiCert checks for the record.
The ACME client does not have API access to the DNS provider. Configure DNS provider API access or create the record manually.
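The checks below are an added example, not DigiCert's or Certbot's code: they derive the TXT value an ACME DNS-01 challenge expects (RFC 8555 section 8.4, where the token is the server-generated random value) and run a pre-flight lookup that reports which of the common issues above is present before validation is requested. The token, thumbprint and zone contents are constructed; the lookup function is injected so the check runs offline, and a real deployment would query the authoritative name servers instead.

```python
import base64
import hashlib

# Added example, not DigiCert's or Certbot's code. Per RFC 8555 section 8.4
# the TXT value is base64url(SHA-256(token "." account-key-thumbprint)); the
# token is the server-generated random value this page refers to.
def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    key_auth = f"{token}.{account_thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_auth).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def challenge_name(domain: str) -> str:
    # Wildcards are validated on the base name: *.example.com -> example.com
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base.rstrip('.')}."

def preflight(domain: str, expected: str, lookup_txt) -> str:
    """lookup_txt(fqdn) returns the list of TXT strings at that name ([] if
    none). Returns 'ok' or the misconfiguration most likely responsible."""
    name = challenge_name(domain)
    values = lookup_txt(name)
    if expected in values:
        return "ok"
    if any(v.strip().strip('"') == expected for v in values):
        return "additional characters in record value"
    if values:
        return "record value does not match (copied incorrectly or modified)"
    if expected in lookup_txt(name[len("_acme-challenge."):]):
        return f"record created on wrong hostname (expected {name})"
    return "no TXT record found (propagation incomplete or no API access)"

# Constructed inputs: a made-up token and thumbprint, and a fake zone that
# stands in for DNS answers so the check runs offline.
TOKEN = "constructed-token-not-a-real-challenge"
THUMBPRINT = "constructed-account-key-thumbprint"
EXPECTED = dns01_txt_value(TOKEN, THUMBPRINT)
SAMPLE_ZONE = {
    "_acme-challenge.example.com.": [EXPECTED],
    "_acme-challenge.quoted.example.com.": [f'"{EXPECTED}"'],  # pasted with quotes
    "_acme-challenge.edited.example.com.": ["not-the-generated-value"],  # mistyped
    "apex.example.com.": [EXPECTED],  # record placed on the wrong hostname
}

def sample_lookup(fqdn: str) -> list:
    return SAMPLE_ZONE.get(fqdn, [])

if __name__ == "__main__":
    for host in ["example.com", "quoted.example.com", "edited.example.com",
                 "apex.example.com", "missing.example.com"]:
        print(f"{host}: {preflight(host, EXPECTED, sample_lookup)}")
```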
What's next
DNS-01 challenge for wildcard domains to validate wildcard domains as part of an automated certificate workflow