TXT
TXT record validation requires the creation of a TXT record in the hostname’s authoritative DNS.
Generally, you need to perform TXT-based DCV when a certificate requires DCV and delegated DCV cannot be used.
If you want to use a Universal SSL certificate, you will need to edit the validation_method via the API and specify your chosen validation method.
Alternatively, you could order an advanced certificate via the dashboard or the API.
Once you create a new certificate and choose the validation method of TXT, your tokens will be ready after a few seconds.
These tokens can be fetched through the API or the dashboard when the certificates are in a pending validation state during custom hostname creation or during certificate renewals.
You can retrieve these tokens via the API with a GET request that includes status=pending_validation as a request parameter.
For example, here are two tokens highlighted in the API response for a wildcard certificate.
```json
{
  "result": [
    {
      "id": "<CERTIFICATE_ID>",
      "type": "advanced",
      "hosts": ["*.<DOMAIN>.com", "<DOMAIN>.com"],
      "primary_certificate": "0",
      "status": "pending_validation",
      "certificates": [],
      "created_on": "2022-10-12T21:46:21.979150Z",
      "validity_days": 90,
      "validation_method": "txt",
      "validation_records": [
        {
          "status": "pending",
          "txt_name": "_acme-challenge.<DOMAIN>.com",
          "txt_value": "lXLOcN6cPv0nproViNcUHcahD9TrIPlNgdwesj0pYpk"
        },
        {
          "status": "pending",
          "txt_name": "_acme-challenge.<DOMAIN>.com",
          "txt_value": "O0o8VgJu_OGu-T30_cvT-4xO5ZX1_2WsVNUrpUKE6ns"
        }
      ],
      "certificate_authority": "google"
    }
  ]
}
```

To get the tokens from the dashboard:
- Log in to the Cloudflare dashboard.
- Choose your account and domain.
- Go to SSL/TLS > Edge Certificates.
- Select a certificate.
- Copy the values for Certificate validation TXT name and Certificate validation TXT value.
If you created a wildcard certificate, you need to copy the values for two different validation TXT records.
At your authoritative DNS provider, create a TXT record named txt_name containing txt_value.
Repeat this process at your authoritative DNS provider for every DCV record returned in the validation_records field.
If one or more of the certificate's hostnames fail validation, the certificate will not be issued or renewed.
This means that a wildcard certificate covering example.com and *.example.com requires two DCV tokens to be placed at your authoritative DNS provider. Likewise, a certificate with five hostnames in its SAN (wildcards included) requires five DCV tokens to be placed at your authoritative DNS provider.
Once you have updated your DNS records, you can either wait for the next retry or request an immediate recheck.
To request an immediate recheck, send another PATCH request with the same validation_method as your current validation method.
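As an added example (not Cloudflare's own code), the following Python helper collects the pending validation_records from a response shaped like the one above and checks them against the TXT strings a resolver returned, so you only request the immediate recheck once every token is published. The API response and the DNS answers are constructed, with example.com standing in for <DOMAIN>; the token values are the placeholders from the sample response.

```python
import json
from collections import defaultdict

# Constructed response modelled on the pending_validation example above.
SAMPLE_RESPONSE = json.dumps({
    "result": [{
        "id": "<CERTIFICATE_ID>",
        "status": "pending_validation",
        "validation_method": "txt",
        "validation_records": [
            {"status": "pending", "txt_name": "_acme-challenge.example.com",
             "txt_value": "lXLOcN6cPv0nproViNcUHcahD9TrIPlNgdwesj0pYpk"},
            {"status": "pending", "txt_name": "_acme-challenge.example.com",
             "txt_value": "O0o8VgJu_OGu-T30_cvT-4xO5ZX1_2WsVNUrpUKE6ns"},
        ],
    }]
})


def required_txt_records(api_response: str) -> dict:
    """Map each txt_name to the set of txt_values that must exist under it.

    A wildcard certificate yields two values under the same name, so the
    second record must be added alongside the first, not replace it.
    """
    required = defaultdict(set)
    for cert in json.loads(api_response)["result"]:
        if cert.get("validation_method") != "txt":
            continue
        for rec in cert.get("validation_records", []):
            if rec.get("status") == "pending":
                required[rec["txt_name"]].add(rec["txt_value"])
    return dict(required)


def missing_records(required: dict, dns_answers: dict) -> dict:
    """Return {txt_name: set of unpublished values}.

    dns_answers maps a name to the TXT strings a resolver returned for it
    (surrounding quotes, as printed by dig, are stripped). An empty result
    means every DCV token is live and the PATCH recheck is worth sending;
    a single missing token means the certificate will not be issued.
    """
    missing = {}
    for name, values in required.items():
        published = {v.strip('"') for v in dns_answers.get(name, [])}
        gap = values - published
        if gap:
            missing[name] = gap
    return missing
```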
The TXT records used for DCV can be removed from your authoritative DNS provider as soon as the certificate has been issued.
Even if you manually handle DCV when issuing certificates in a partial DNS setup, at certificate renewal, Cloudflare will attempt to automatically perform DCV via HTTP.
If all of the following conditions are confirmed at the first attempt, the renewal happens automatically via HTTP.
- Hostnames are proxied.
- Hostnames on the certificate resolve to the IPs assigned to the zone.
- The certificate does not contain wildcards.
If any one of the conditions is not met, the certificate renewal falls back to your chosen method and you will need to repeat the DCV process manually.
Cloudflare generates renewal tokens 30 days before certificate expiration.