Incorrect TXT record "..." found at _acme-challenge.domain.com.au #31

Closed
Novex opened this issue Feb 27, 2019 · 1 comment

Novex commented Feb 27, 2019

I'm having trouble generating a certificate for a base domain and wildcard SAN - it keeps failing with an error like `Error 403 - urn:ietf:params:acme:error:unauthorized - Incorrect TXT record "MZU..." found at _acme-challenge.domain.com.au`.

I've tried it a few times and the TXT record does change (so Terraform does have access through the environment variables to update Cloudflare) but unfortunately that's about the extent of what I can think of to debug.

Any other ideas? Or is there any more information I can provide?

Terraform config:

```hcl
provider "acme" {
  server_url = "https://acme-staging-v02.api.letsencrypt.org/directory"
}

resource "tls_private_key" "private_key" {
  algorithm = "RSA"
}

resource "acme_registration" "reg" {
  account_key_pem = "${tls_private_key.private_key.private_key_pem}"
  email_address   = "[email protected]"
}

resource "acme_certificate" "certificate" {
  account_key_pem           = "${acme_registration.reg.account_key_pem}"
  common_name               = "domain.com.au"
  subject_alternative_names = ["*.domain.com.au"]

  dns_challenge {
    provider = "cloudflare"
  }
}
```

Log:

```
...
acme_registration.reg: Creation complete after 4s (ID: https://acme-staging-v02.api.letsencrypt.org/acme/acct/8371243)
acme_certificate.certificate: Creating...
  account_key_pem:                      "<sensitive>" => "<sensitive>"
  account_ref:                          "" => "<computed>"
  certificate_domain:                   "" => "<computed>"
  certificate_pem:                      "" => "<computed>"
  certificate_url:                      "" => "<computed>"
  common_name:                          "" => "domain.com.au"
  dns_challenge.#:                      "" => "1"
  dns_challenge.2049738136.provider:    "" => "cloudflare"
  issuer_pem:                           "" => "<computed>"
  key_type:                             "" => "2048"
  min_days_remaining:                   "" => "7"
  must_staple:                          "" => "false"
  private_key_pem:                      "<sensitive>" => "<sensitive>"
  subject_alternative_names.#:          "" => "1"
  subject_alternative_names.1512744266: "" => "*.domain.com.au"
acme_certificate.certificate: Still creating... (10s elapsed)
acme_certificate.certificate: Still creating... (20s elapsed)

Error: Error applying plan:

1 error(s) occurred:

* acme_certificate.certificate: 1 error(s) occurred:

* acme_certificate.certificate: error creating certificate: acme: Error -> One or more domains had a problem:
[domain.com.au] acme: Error 403 - urn:ietf:params:acme:error:unauthorized - Incorrect TXT record "MZU...oe0" found at _acme-challenge.domain.com.au
```

Novex commented Mar 3, 2019

I'm not sure if it was just a temporary problem, or whether this fixed it, but this is now working for me once I added another domain to the SAN list.

```hcl
resource "acme_certificate" "certificate" {
  account_key_pem           = "${acme_registration.insight.account_key_pem}"
  common_name               = "domain.com.au"
  subject_alternative_names = ["*.domain.com.au", "${sha1(module.shared.environment)}.environments.domain.com.au"]

  dns_challenge {
    provider = "cloudflare"
  }
}
```

Novex closed this as completed Mar 3, 2019
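
A debugging aid for this kind of failure, added here as an example (it is not part of the issue or of the provider's code): under RFC 8555 a base name and its wildcard are separate authorizations that both validate at the same `_acme-challenge` name, each with its own TXT value, so both values have to be published together. The sketch computes the expected values and reports any that are absent from the TXT set seen at the authoritative nameserver; the thumbprint, tokens and `observed` mapping are constructed placeholders, and `missing_records` is a hypothetical helper name.

```python
import base64
import hashlib

def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding ACME uses for digests."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """RFC 8555 section 8.4: base64url(SHA-256(token "." thumbprint))."""
    key_authorization = f"{token}.{account_thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())

def challenge_name(identifier: str) -> str:
    """Validation name; the "*." of a wildcard identifier is dropped."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + base.rstrip(".").lower()

def missing_records(tokens, account_thumbprint, observed):
    """Return (identifier, name, expected) for every authorization whose value
    is absent. tokens: {identifier: token}; observed: {name: set of TXT strings}."""
    missing = []
    for identifier, token in tokens.items():
        name = challenge_name(identifier)
        expected = dns01_txt_value(token, account_thumbprint)
        if expected not in observed.get(name, set()):
            missing.append((identifier, name, expected))
    return missing

# Constructed sample data (not from the issue): thumbprint and tokens are made up.
THUMBPRINT = "constructed-account-key-thumbprint"
TOKENS = {"domain.com.au": "constructed-token-base",
          "*.domain.com.au": "constructed-token-wildcard"}

if __name__ == "__main__":
    name = challenge_name("domain.com.au")
    # Constructed scenario: only the wildcard's value is visible at the name.
    observed = {name: {dns01_txt_value(TOKENS["*.domain.com.au"], THUMBPRINT)}}
    for identifier, fqdn, expected in missing_records(TOKENS, THUMBPRINT, observed):
        print(f"{identifier}: expected TXT {expected} not present at {fqdn}")
```

In practice `observed` would be filled from a TXT query sent directly to the zone's authoritative nameservers, so that resolver caching does not hide a record that was replaced.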