diff --git a/.github/workflows/run-backend-bdd-tests.yml b/.github/workflows/run-backend-bdd-tests.yml
index 0ce5baea67..7b54aa44e8 100644
--- a/.github/workflows/run-backend-bdd-tests.yml
+++ b/.github/workflows/run-backend-bdd-tests.yml
@@ -51,6 +51,9 @@ jobs:
 echo "ACME_DEVELOPMENT_MODE=true" >> .env
 echo "ACME_DEVELOPMENT_HTTP01_CHALLENGE_HOST_OVERRIDES={\"localhost\": \"host.docker.internal:8087\", \"infisical.com\": \"host.docker.internal:8087\", \"example.com\": \"host.docker.internal:8087\"}" >> .env
 echo "BDD_NOCK_API_ENABLED=true" >> .env
+ # Skip upstream validation, otherwise the ACME client for the upstream will try to
+ # validate the DNS records, which will fail because the DNS records are not actually created.
+ echo "ACME_SKIP_UPSTREAM_VALIDATION=true" >> .env
 # We are not using FIPS mode, need a different encryption key for BDD tests
 NEW_ENCRYPTION_KEY=6c1fe4e407b8911c104518103505b218
 sed -i "s#ENCRYPTION_KEY=.*#ENCRYPTION_KEY=$NEW_ENCRYPTION_KEY#" .env
diff --git a/backend/src/lib/config/env.ts b/backend/src/lib/config/env.ts
index b02a9d4dc7..96107306f7 100644
--- a/backend/src/lib/config/env.ts
+++ b/backend/src/lib/config/env.ts
@@ -108,6 +108,7 @@ const envSchema = z
 DAILY_RESOURCE_CLEAN_UP_DEVELOPMENT_MODE: zodStrBool.default("false").optional(),
 BDD_NOCK_API_ENABLED: zodStrBool.default("false").optional(),
 ACME_DEVELOPMENT_MODE: zodStrBool.default("false").optional(),
+ ACME_SKIP_UPSTREAM_VALIDATION: zodStrBool.default("false").optional(),
 ACME_DEVELOPMENT_HTTP01_CHALLENGE_HOST_OVERRIDES: zpStr(
 z
 .string()
diff --git a/backend/src/services/certificate-authority/acme/acme-certificate-authority-fns.ts b/backend/src/services/certificate-authority/acme/acme-certificate-authority-fns.ts
index ff06afde93..436e37f3b0 100644
--- a/backend/src/services/certificate-authority/acme/acme-certificate-authority-fns.ts
+++ b/backend/src/services/certificate-authority/acme/acme-certificate-authority-fns.ts
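Review bot: `ACME_SKIP_UPSTREAM_VALIDATION` is a switch that turns off ACME challenge verification, and the new schema entry carries no hint that it is test-only or what guards it, so an operator could plausibly set it on a real deployment to "fix" a DNS validation failure. From the orderCertificate hunk in this same commit the flag is only honoured when `ACME_DEVELOPMENT_MODE` is also true, so I would put `// Test/dev only: skips ACME challenge verification; only honoured together with ACME_DEVELOPMENT_MODE (see orderCertificate). Never set in production.` above the new line. If envSchema already has a refine that rejects development-only flags outside a development environment (not visible here), extending it to this flag would make the guard enforceable rather than advisory. The envSchema object starts and ends outside this hunk.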
@@ -243,7 +243,7 @@ export const orderCertificate = async (
 challengePriority: ["dns-01"],
 // For ACME development mode, we mock the DNS challenge API calls. So, no real DNS records are created.
 // We need to disable the challenge verification to avoid errors.
- skipChallengeVerification: getConfig().isAcmeDevelopmentMode,
+ skipChallengeVerification: getConfig().isAcmeDevelopmentMode && getConfig().ACME_SKIP_UPSTREAM_VALIDATION,
 termsOfServiceAgreed: true,
 challengeCreateFn: async (authz, challenge, keyAuthorization) => {
diff --git a/backend/src/services/certificate-authority/acme/dns-providers/cloudflare.ts b/backend/src/services/certificate-authority/acme/dns-providers/cloudflare.ts
index ab87ee1136..f4b12e657a 100644
--- a/backend/src/services/certificate-authority/acme/dns-providers/cloudflare.ts
+++ b/backend/src/services/certificate-authority/acme/dns-providers/cloudflare.ts
@@ -68,8 +68,6 @@ export const cloudflareDeleteTxtRecord = async (
 },
 params: {
 type: "TXT",
- // TODO: this is incorrect. The domain seems need to be fqdn, but we are passing just the record name here.
- // as a result, we are not deleting the record correctly.
 name: domain,
 content: value
 }
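Review bot: The two comment lines above the changed `skipChallengeVerification` are now stale: they say development mode disables challenge verification, but the new expression only does so when `ACME_SKIP_UPSTREAM_VALIDATION` is also set, so a reader would wrongly expect dev mode alone to skip verification. I would rewrite them as `// Challenge verification is skipped only when both ACME_DEVELOPMENT_MODE and ACME_SKIP_UPSTREAM_VALIDATION are set,` / `// because in development the DNS challenge API calls are mocked and no real DNS records exist for the client to verify.` Calling `getConfig()` twice on one line is harmless, but a single `const cfg = getConfig();` above the options object would read better if orderCertificate does not already hold one (its body starts and ends outside this hunk). Requiring the second flag is a tightening rather than a loosening, which is the right direction for a switch that disables validation.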