CertAutoPilot logo CertAutoPilot
Get started

Manual DNS challenge

When CertAutoPilot cannot (or should not) automate your DNS provider — unsupported registrar, isolated network, change- management policy — use the manual DNS path. The backend computes the TXT record and shows it in the UI; you add it on your DNS side; you click Validate; the backend checks propagation and completes the ACME order.

01When to use

  • Your DNS provider is not one of the 12 supported providers and has no API at all.
  • Your change-management policy forbids automation writing to production DNS.
  • The zone is split-horizon or managed by a team that controls its own tooling.
  • You're issuing a one-off certificate with no intention to auto-renew.
Auto-renewal won't work

A manually-validated cert cannot auto-renew — the renewal workflow would need to publish a fresh TXT record 30 days from now, and there's nobody there to do it. Manual DNS is for one-shot issuance. If you renew, you go through the manual flow again.

02Issue with manual DNS

  1. Certificates → New.
  2. Configure issuer + subject + key type as usual.
  3. At the Validation step, toggle Manual DNS. Auto-renew turns off automatically.
  4. Submit. The backend opens an ACME order, receives the challenge tokens, and pauses the job in state awaiting_manual_dns.
  5. Open the certificate's detail page. The Manual DNS challenge panel lists one TXT record per identifier: 
    Record name:  _acme-challenge.api.example.com
Record type:  TXT
Record value: "LoqXcYV8...WxKz"  (copied exactly as shown)
TTL:          60 seconds recommended
  6. Publish each record on your DNS side.
  7. Verify propagation (recommended): 
    dig +short TXT _acme-challenge.api.example.com @1.1.1.1
  8. Click Validate on the detail page. The backend runs a validate_manual_dns job: it resolves each TXT, confirms the value, then tells the CA to verify.
  9. On success the cert is issued. On timeout (default 30 min) the job fails; you can retry once you've fixed the DNS record.

03Propagation tips

  • Keep the TTL low (60 s) on the challenge record so your change reaches the CA quickly.
  • If your DNS has a long negative-caching TTL, resolvers may cache "no TXT record exists" from before your add. Wait at least that long.
  • Check multiple public resolvers: Cloudflare (1.1.1.1), Google (8.8.8.8), Quad9 (9.9.9.9) — the CA picks one of several.

04Cleanup

After issuance succeeds, the challenge records serve no purpose. You can delete them from the DNS side. The backend does not issue cleanup calls for manual DNS (it couldn't — no API credential) — deletion is on you. Leaving them in place causes no harm.

05Multi-identifier certs

A certificate with five SANs needs five TXT records (one per identifier). Wildcard identifiers (*.example.com) contribute a single TXT at _acme-challenge.example.com — validated against the apex. If a cert mixes example.com and *.example.com, the CA requires two separate TXT values at the same record name (use a multi-value TXT; most DNS providers accept an RRset with multiple strings).

06Troubleshooting

"DNS record not found" after publishing

Propagation delay. Retry after a minute. If still absent after 5 minutes, confirm you added the record to the right zone — a domain at registrar.com may have delegated DNS elsewhere.

"DNS record value mismatch"

Common cause: the record was saved with surrounding quotes stripped, or with line breaks. The UI's Copy button produces the exact value.

"Validation timed out after 30 minutes"

Click Validate again once the record is actually live. The ACME order stays valid for hours even after a failed validation — restarting usually works.