The rest of the world cannot resolve .home names.   ACME does domain 
verification. If the name does not resolve for the rest of the world the 
process will fail. 


-- 
Mark Andrews

> On 18 Sep 2025, at 21:48, P van Dijk <[email protected]> wrote:
> 
> Hi Mark,
> 
> Thank you for your reply. Maybe I do not understand what you mean, but Step 
> CA (https://smallstep.com/docs/step-ca/) which I self-host in my homelab is 
> capable of issuing .home certificates via their cli and with their ACME 
> http-01 challenge. Bind9 is not issuing the certificate. So, I do not expect 
> any top level domain limitation on Bind9 (if any) with regards to this issue. 
> Did I misinterpret your reply?
> 
> Warm regards
> 
> 
> -----Original message-----
> From: Mark Andrews <[email protected]>
> Sent: Thursday, 18 September 2025 14:28
> To: P van Dijk <[email protected]>
> CC: [email protected]
> Subject: Re: Bind9 gives me error 'There was a problem with a DNS query 
> during identifier validation'. Where to look for a solution?
> 
> .HOME does not exist so you will NEVER get a CERT for a .HOME name.
> Use registered names.
> 
> Mark
> 
>> On 18 Sep 2025, at 13:15, P van Dijk <[email protected]> wrote:
>> 
>> Dear All,
>> Has anyone encountered the error message 'There was a problem with a DNS 
>> query during identifier validation' while trying to complete an ACME dns-01 
>> challenge? If so, could you help me by pointing me towards a solution. I 
>> have tried multiple things but I am completely lost where the issue might 
>> reside. Google and the GitLab issue page do not show me any results.
>> My setup is the following three machines:
>>    * ns1; running Bind9
>>    * certificates; running Step CA
>>    * testhost; Debian 12 on which I am trying to get a TLS
>>      certificate. (Once it works on the testhost, I would like to implement
>>      it on Truenas Scale. Meaning this Debian machine will be replaced by
>>      the machine running Truenas Scale.)
>> I want to get a TLS certificate on the testhost. To achieve this, I ran 
>> acme.sh and certbot on the testhost. Both result in the error message 
>> 'There was a problem with a DNS query during identifier validation'.
>> Please find below my configuration and commands run.
>> BIND9 configuration
>> named.conf.local
>>        zone "myown.home" {
>>          type primary;
>>          file "/var/lib/bind/db.myown.home"; # Zone path file
>>          inline-signing yes;
>>          update-policy {
>>            grant myown_wildcard. name _acme-challenge.testhost.myown.home. txt;
>>          };
>>        };
>>        [redacted reversed-mapped zone]
>> /var/lib/bind/db.myown.home
>>        $ORIGIN .
>>        $TTL 86400      ; 1 day
>>        myown.home     IN SOA  ns1.myown.home. info.myown.home. (
>>                                        2025091716 ; serial
>>                                        43200      ; refresh (12 hours)
>>                                        900        ; retry (15 minutes)
>>                                        345600     ; expire (4 days)
>>                                        172800     ; minimum (2 days)
>>                                        )
>>                                NS      ns1.myown.home.
>>        $ORIGIN myown.home.
>>        testhost         A       [redacted].23
>>        ns1              A       [redacted].21
>>        certificates     A       [redacted].22
>> Step CA configuration
>> [redacted step path]/config/ca.json
>>        "root": "/[redacted step path]/certs/root_ca.crt",
>>        "federatedRoots": null,
>>        "crt": "/[redacted step path]/certs/intermediate_ca.crt",
>>        "key": "/[redacted step path]/secrets/intermediate_ca_key",
>>        "address": ":443",
>>        "insecureAddress": "",
>>        "dnsNames": [
>>                "[redacted].22",
>>                "certificates.myown.home"
>>        ],
>>        "logger": {
>>                "format": "text"
>>        },
>>        "db": {
>>                "type": "badgerv2",
>>                "dataSource": "/etc/step-ca/db",
>>                "badgerFileLoadingMode": ""
>>        },
>>        "authority": {
>>                "provisioners": [
>> ...
>>                        {
>>                                "type": "ACME",
>>                                "name": "acme-dns",
>>                                "challenges": [
>>                                        "dns-01"
>>                                ],
>>                                "claims": {
>>                                        "enableSSHCA": false,
>>                                        "disableRenewal": false,
>>                                        "allowRenewalAfterExpiry": false,
>>                                        "disableSmallstepExtensions": false
>>                                },
>>                                "options": {
>>                                        "x509": {},
>>                                        "ssh": {}
>>                                }
>>                        }
>> ...
>> WORKFLOW
>> On the testhost I ran (as root) the following command to start the flow.
>> .acme.sh/acme.sh --issue --dns dns_nsupdate -d 'testhost.myown.home' \
>>   --server https://[redacted].22/acme/acme/directory --dnssleep 300
>> REQUESTS_CA_BUNDLE=/usr/local/share/ca-certificates/myown_root_ca.crt \
>>   certbot certonly --dns-rfc2136 --dns-rfc2136-credentials certbot.ini \
>>   -d testhost.myown.home \
>>   --server https://[redacted].22/acme/acme/directory
>> This resulted in the following output (example for acme.sh).
>> [Wed Sep 17 12:49:03 PM CEST 2025] Using CA: https://[redacted].22/acme/acme/directory
>> [Wed Sep 17 12:49:03 PM CEST 2025] Account key creation OK.
>> [Wed Sep 17 12:49:04 PM CEST 2025] Registering account: https://[redacted].22/acme/acme/directory
>> [Wed Sep 17 12:49:04 PM CEST 2025] Registered
>> [Wed Sep 17 12:49:04 PM CEST 2025] ACCOUNT_THUMBPRINT='7juVi3uRQTaf2qUTEvOB9faQfCjoNUHUNj-VFxyC284'
>> [Wed Sep 17 12:49:04 PM CEST 2025] Creating domain key
>> [Wed Sep 17 12:49:04 PM CEST 2025] The domain key is here: /root/.acme.sh/testhost.myown.home_ecc/testhost.myown.home.key
>> [Wed Sep 17 12:49:04 PM CEST 2025] Single domain='testhost.myown.home'
>> [Wed Sep 17 12:49:05 PM CEST 2025] Getting webroot for domain='testhost.myown.home'
>> [Wed Sep 17 12:49:05 PM CEST 2025] Adding TXT value: JtLRfxGl3S0WZoYaVYJ3BWZCIk011AhHsu-WircaITk for domain: _acme-challenge.testhost.myown.home
>> [Wed Sep 17 12:49:05 PM CEST 2025] adding _acme-challenge.testhost.myown.home. 600 in txt "JtLRfxGl3S0WZoYaVYJ3BWZCIk011AhHsu-WircaITk"
>> [Wed Sep 17 12:49:05 PM CEST 2025] The TXT record has been successfully added.
>> [Wed Sep 17 12:49:05 PM CEST 2025] Sleeping for 300 seconds to wait for the the TXT records to take effect
>> [Wed Sep 17 12:54:07 PM CEST 2025] Verifying: testhost.myown.home
>> [Wed Sep 17 12:54:07 PM CEST 2025] Pending. The CA is processing your order, please wait. (1/30)
>> [Wed Sep 17 12:54:11 PM CEST 2025] Pending. The CA is processing your order, please wait. (2/30)
>> [Wed Sep 17 12:54:14 PM CEST 2025] Pending. The CA is processing your order, please wait. (3/30)
>> [Wed Sep 17 12:54:17 PM CEST 2025] Pending. The CA is processing your order, please wait. (4/30)
>> [Wed Sep 17 12:54:21 PM CEST 2025] Pending. The CA is processing your order, please wait. (5/30)
>> [Wed Sep 17 12:54:24 PM CEST 2025] Pending. The CA is processing your order, please wait. (6/30)
>> [Wed Sep 17 12:54:27 PM CEST 2025] Pending. The CA is processing your order, please wait. (7/30)
>> [Wed Sep 17 12:54:30 PM CEST 2025] Pending. The CA is processing your order, please wait. (8/30)
>> [Wed Sep 17 12:54:34 PM CEST 2025] Pending. The CA is processing your order, please wait. (9/30)
>> [Wed Sep 17 12:54:37 PM CEST 2025] Pending. The CA is processing your order, please wait. (10/30)
>> [Wed Sep 17 12:54:40 PM CEST 2025] Pending. The CA is processing your order, please wait. (11/30)
>> [Wed Sep 17 12:54:43 PM CEST 2025] Pending. The CA is processing your order, please wait. (12/30)
>> [Wed Sep 17 12:54:47 PM CEST 2025] Pending. The CA is processing your order, please wait. (13/30)
>> [Wed Sep 17 12:54:50 PM CEST 2025] Pending. The CA is processing your order, please wait. (14/30)
>> [Wed Sep 17 12:54:53 PM CEST 2025] Pending. The CA is processing your order, please wait. (15/30)
>> [Wed Sep 17 12:54:57 PM CEST 2025] Pending. The CA is processing your order, please wait. (16/30)
>> [Wed Sep 17 12:55:00 PM CEST 2025] Pending. The CA is processing your order, please wait. (17/30)
>> [Wed Sep 17 12:55:03 PM CEST 2025] Pending. The CA is processing your order, please wait. (18/30)
>> [Wed Sep 17 12:55:06 PM CEST 2025] Pending. The CA is processing your order, please wait. (19/30)
>> [Wed Sep 17 12:55:10 PM CEST 2025] Pending. The CA is processing your order, please wait. (20/30)
>> [Wed Sep 17 12:55:13 PM CEST 2025] Pending. The CA is processing your order, please wait. (21/30)
>> [Wed Sep 17 12:55:16 PM CEST 2025] Pending. The CA is processing your order, please wait. (22/30)
>> [Wed Sep 17 12:55:20 PM CEST 2025] Pending. The CA is processing your order, please wait. (23/30)
>> [Wed Sep 17 12:55:23 PM CEST 2025] Pending. The CA is processing your order, please wait. (24/30)
>> [Wed Sep 17 12:55:26 PM CEST 2025] Pending. The CA is processing your order, please wait. (25/30)
>> [Wed Sep 17 12:55:29 PM CEST 2025] Pending. The CA is processing your order, please wait. (26/30)
>> [Wed Sep 17 12:55:33 PM CEST 2025] Pending. The CA is processing your order, please wait. (27/30)
>> [Wed Sep 17 12:55:36 PM CEST 2025] Pending. The CA is processing your order, please wait. (28/30)
>> [Wed Sep 17 12:55:39 PM CEST 2025] Pending. The CA is processing your order, please wait. (29/30)
>> [Wed Sep 17 12:55:42 PM CEST 2025] testhost.myown.home: Timeout
>> [Wed Sep 17 12:55:42 PM CEST 2025] Removing DNS records.
>> [Wed Sep 17 12:55:42 PM CEST 2025] Removing txt: JtLRfxGl3S0WZoYaVYJ3BWZCIk011AhHsu-WircaITk for domain: _acme-challenge.testhost.myown.home
>> [Wed Sep 17 12:55:43 PM CEST 2025] removing _acme-challenge.testhost.myown.home. txt
>> [Wed Sep 17 12:55:43 PM CEST 2025] Successfully removed
>> [Wed Sep 17 12:55:43 PM CEST 2025] Please add '--debug' or '--log' to see more information.
>> [Wed Sep 17 12:55:43 PM CEST 2025] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
>> During 12.49 PM when ACME.sh registered the account and added the TXT 
>> message, I got the following in the journalctl on the 
>> certificates.myown.home:
>> {
>>        "__CURSOR" : 
>> "s=5819b12a49b64582a726181e92d271cb;i=10fb;b=013473d30295440782ff29490d3dc9fe;m=2d2ac928bed;t=63efcfc2c08c2;x=efdcb09f0f131d1e",
>>        "_CMDLINE" : "/usr/bin/step-ca config/ca.json --password-file 
>> /[redacted step path]/secrets/password",
>>        "_GID" : "996",
>>        "_SYSTEMD_INVOCATION_ID" : "85c5974ec43b4e56b4b1c77cef15930e",
>>        "_CAP_EFFECTIVE" : "400",
>>        "__REALTIME_TIMESTAMP" : "1758106143688898",
>>        "_STREAM_ID" : "56b55ea55fd84f62a58435206f03676e",
>>        "_SYSTEMD_UNIT" : "step-ca.service",
>>        "_UID" : "999",
>>        "SYSLOG_IDENTIFIER" : "step-ca",
>>        "_PID" : "2226",
>>        "_BOOT_ID" : "013473d30295440782ff29490d3dc9fe",
>>        "_SELINUX_CONTEXT" : "unconfined\n",
>>        "SYSLOG_FACILITY" : "3",
>>        "_MACHINE_ID" : "e3c0f10a80284f7fb1f3cd5ef5476c92",
>>        "_EXE" : "/usr/bin/step-ca",
>>        "_RUNTIME_SCOPE" : "system",
>>        "_SYSTEMD_CGROUP" : "/system.slice/step-ca.service",
>>        "_HOSTNAME" : "certificates",
>>        "_COMM" : "step-ca",
>>        "__MONOTONIC_TIMESTAMP" : "3103861672941",
>>        "_SYSTEMD_SLICE" : "system.slice",
>>        "MESSAGE" : "time=\"2025-09-17T12:49:03+02:00\" level=info 
>> duration=\"58.755µs\" duration-ns=58755 
>> fields.time=\"2025-09-17T12:49:03+02:00\" method=GET name=ca 
>> path=/acme/acme/directory protocol=HTTP/2.0 referer= 
>> remote-address=[redacted].23 request-id=a4421749-4cbd-4128-a22a-3de5ce439a4e 
>> response=\"{\\\"newNonce\\\":\\\https://[redacted].22/acme/acme/new-nonce\\\,\\\"newAccount\\\":\\\https://[redacted].22/acme/acme/new-account\\\,\\\"newOrder\\\":\\\https://[redacted].22/acme/acme/new-order\\\,\\\"revokeCert\\\":\\\https://[redacted].22/acme/acme/revoke-cert\\\,\\\"keyChange\\\":\\\https://[redacted].22/acme/acme/key-change\\\}\";
>>  size=282 status=200 user-agent=\"acme.sh/3.1.2 
>> (https://github.com/acmesh-official/acme.sh)\" user-id=",
>>        "PRIORITY" : "6",
>>        "_TRANSPORT" : "stdout"
>> }
>> {
>>        "_PID" : "2226",
>>        "_SYSTEMD_UNIT" : "step-ca.service",
>>        "_COMM" : "step-ca",
>>        "_GID" : "996",
>>        "_CMDLINE" : "/usr/bin/step-ca config/ca.json --password-file 
>> /[redacted step path]/secrets/password",
>>        "MESSAGE" : "time=\"2025-09-17T12:49:04+02:00\" level=info 
>> duration=3.178139ms duration-ns=3178139 
>> fields.time=\"2025-09-17T12:49:04+02:00\" method=HEAD name=ca 
>> nonce=UzROdnlhVXc2SHVnbkZOV1YxTVFlamxzV3U3ZVhFa0I path=/acme/acme/new-nonce 
>> protocol=HTTP/2.0 referer= remote-address=[redacted].23 
>> request-id=0063c780-2e22-4b3c-b0e3-e0a9e211619b size=0 status=200 
>> user-agent=\"acme.sh/3.1.2 (https://github.com/acmesh-official/acme.sh)\" 
>> user-id=",
>>        "__CURSOR" : 
>> "s=5819b12a49b64582a726181e92d271cb;i=10fc;b=013473d30295440782ff29490d3dc9fe;m=2d2ac998662;t=63efcfc330336;x=dab3e11aced4bad7",
>>        "_UID" : "999",
>>        "SYSLOG_FACILITY" : "3",
>>        "_BOOT_ID" : "013473d30295440782ff29490d3dc9fe",
>>        "SYSLOG_IDENTIFIER" : "step-ca",
>>        "_CAP_EFFECTIVE" : "400",
>>        "_SYSTEMD_SLICE" : "system.slice",
>>        "_HOSTNAME" : "certificates",
>>        "_EXE" : "/usr/bin/step-ca",
>>        "_STREAM_ID" : "56b55ea55fd84f62a58435206f03676e",
>>        "_RUNTIME_SCOPE" : "system",
>>        "__REALTIME_TIMESTAMP" : "1758106144146230",
>>        "__MONOTONIC_TIMESTAMP" : "3103862130274",
>>        "_SYSTEMD_INVOCATION_ID" : "85c5974ec43b4e56b4b1c77cef15930e",
>>        "PRIORITY" : "6",
>>        "_SELINUX_CONTEXT" : "unconfined\n",
>>        "_MACHINE_ID" : "e3c0f10a80284f7fb1f3cd5ef5476c92",
>>        "_TRANSPORT" : "stdout",
>>        "_SYSTEMD_CGROUP" : "/system.slice/step-ca.service"
>> }
>> {
>>        "PRIORITY" : "6",
>>        "_MACHINE_ID" : "e3c0f10a80284f7fb1f3cd5ef5476c92",
>>        "_BOOT_ID" : "013473d30295440782ff29490d3dc9fe",
>>        "SYSLOG_IDENTIFIER" : "step-ca",
>>        "_EXE" : "/usr/bin/step-ca",
>>        "_SYSTEMD_CGROUP" : "/system.slice/step-ca.service",
>>        "__REALTIME_TIMESTAMP" : "1758106144332324",
>>        "_SYSTEMD_SLICE" : "system.slice",
>>        "__MONOTONIC_TIMESTAMP" : "3103862316368",
>>        "_GID" : "996",
>>        "_STREAM_ID" : "56b55ea55fd84f62a58435206f03676e",
>>        "_HOSTNAME" : "certificates",
>>        "_COMM" : "step-ca",
>>        "MESSAGE" : "time=\"2025-09-17T12:49:04+02:00\" level=info 
>> duration=10.229178ms duration-ns=10229178 
>> fields.time=\"2025-09-17T12:49:04+02:00\" method=POST name=ca 
>> nonce=SWEwNVFNczcySlBlZUhwcFNpald0TmJrUEdEekh3V3g 
>> path=/acme/acme/new-account protocol=HTTP/2.0 referer= 
>> remote-address=[redacted].23 request-id=3be4d4bb-5479-4904-8b73-b53f0fbbb150 
>> response=\"{\\\"contact\\\":[\\\mailto:[email protected]\\\],\\\"status\\\":\\\"valid\\\",\\\"orders\\\":\\\https://[redacted].22/acme/acme/account/6J2ZJJSxnYO27u6bpFUtBrJ1CCtHkfcA/orders\\\}\";
>>  size=144 status=201 user-agent=\"acme.sh/3.1.2 
>> (https://github.com/acmesh-official/acme.sh)\" user-id=",
>>        "_SYSTEMD_INVOCATION_ID" : "85c5974ec43b4e56b4b1c77cef15930e",
>>        "_SELINUX_CONTEXT" : "unconfined\n",
>>        "_CMDLINE" : "/usr/bin/step-ca config/ca.json --password-file 
>> /[redacted step path]/secrets/password",
>>        "_RUNTIME_SCOPE" : "system",
>>        "_CAP_EFFECTIVE" : "400",
>>        "_TRANSPORT" : "stdout",
>>        "_SYSTEMD_UNIT" : "step-ca.service",
>>        "_UID" : "999",
>>        "SYSLOG_FACILITY" : "3",
>>        "_PID" : "2226",
>>        "__CURSOR" : 
>> "s=5819b12a49b64582a726181e92d271cb;i=10fd;b=013473d30295440782ff29490d3dc9fe;m=2d2ac9c5d50;t=63efcfc35da24;x=8d727976330d3e21"
>> }
>> {
>>        "_BOOT_ID" : "013473d30295440782ff29490d3dc9fe",
>>        "_COMM" : "step-ca",
>>        "_MACHINE_ID" : "e3c0f10a80284f7fb1f3cd5ef5476c92",
>>        "_HOSTNAME" : "certificates",
>>        "_TRANSPORT" : "stdout",
>>        "_GID" : "996",
>>        "_CMDLINE" : "/usr/bin/step-ca config/ca.json --password-file 
>> /[redacted step path]/secrets/password",
>>        "_UID" : "999",
>>        "SYSLOG_FACILITY" : "3",
>>        "_SYSTEMD_UNIT" : "step-ca.service",
>>        "_STREAM_ID" : "56b55ea55fd84f62a58435206f03676e",
>>        "_PID" : "2226",
>>        "PRIORITY" : "6",
>>        "_SYSTEMD_CGROUP" : "/system.slice/step-ca.service",
>>        "_CAP_EFFECTIVE" : "400",
>>        "__MONOTONIC_TIMESTAMP" : "3103862794284",
>>        "_SYSTEMD_INVOCATION_ID" : "85c5974ec43b4e56b4b1c77cef15930e",
>>        "__REALTIME_TIMESTAMP" : "1758106144810241",
>>        "_SYSTEMD_SLICE" : "system.slice",
>>        "SYSLOG_IDENTIFIER" : "step-ca",
>>        "_EXE" : "/usr/bin/step-ca",
>>        "_SELINUX_CONTEXT" : "unconfined\n",
>>        "__CURSOR" : 
>> "s=5819b12a49b64582a726181e92d271cb;i=10fe;b=013473d30295440782ff29490d3dc9fe;m=2d2aca3a82c;t=63efcfc3d2501;x=d6ac118a2c53c6a4",
>>        "_RUNTIME_SCOPE" : "system",
>>        "MESSAGE" : "time=\"2025-09-17T12:49:04+02:00\" level=info 
>> duration=17.863338ms duration-ns=17863338 
>> fields.time=\"2025-09-17T12:49:04+02:00\" method=POST name=ca 
>> nonce=RmJ1Z0RkY0JXQk9LaEdLcU9PdDZId2NXUW5xcUdqekQ path=/acme/acme/new-order 
>> protocol=HTTP/2.0 referer= remote-address=[redacted].23 
>> request-id=3f8bd00e-6c59-4de8-b5b4-2c51cf2f6bd8 
>> response=\"{\\\"id\\\":\\\"OnEbnpn9KtE5yH27Oflg3BZwTBns4x7t\\\",\\\"status\\\":\\\"pending\\\",\\\"expires\\\":\\\"2025-09-18T10:49:04Z\\\",\\\"identifiers\\\":[{\\\"type\\\":\\\"dns\\\",\\\"value\\\":\\\"testhost.myown.home\\\"}],\\\"notBefore\\\":\\\"2025-09-17T10:48:04Z\\\",\\\"notAfter\\\":\\\"2025-09-18T10:49:04Z\\\",\\\"authorizations\\\":[\\\https://[redacted].22/acme/acme/authz/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7\\\],\\\"finalize\\\":\\\https://[redacted].22/acme/acme/order/OnEbnpn9KtE5yH27Oflg3BZwTBns4x7t/finalize\\\}\";
>>  size=414 status=201 user-agent=\"acme.sh/3.1.2 
>> (https://github.com/acmesh-official/acme.sh)\" user-id="
>> }
>> {
>>        "_EXE" : "/usr/bin/step-ca",
>>        "_SELINUX_CONTEXT" : "unconfined\n",
>>        "_MACHINE_ID" : "e3c0f10a80284f7fb1f3cd5ef5476c92",
>>        "_CAP_EFFECTIVE" : "400",
>>        "_PID" : "2226",
>>        "SYSLOG_IDENTIFIER" : "step-ca",
>>        "_GID" : "996",
>>        "SYSLOG_FACILITY" : "3",
>>        "_RUNTIME_SCOPE" : "system",
>>        "__CURSOR" : 
>> "s=5819b12a49b64582a726181e92d271cb;i=10ff;b=013473d30295440782ff29490d3dc9fe;m=2d2aca7f1fb;t=63efcfc416ed0;x=8c246ed311a302e",
>>        "_SYSTEMD_INVOCATION_ID" : "85c5974ec43b4e56b4b1c77cef15930e",
>>        "_COMM" : "step-ca",
>>        "MESSAGE" : "time=\"2025-09-17T12:49:05+02:00\" level=info 
>> duration=5.975201ms duration-ns=5975201 
>> fields.time=\"2025-09-17T12:49:05+02:00\" method=POST name=ca 
>> nonce=R3JoSUljRVU0cU5HcGhQeDdwRWJvV2o0RG9EQnBWdlg 
>> path=/acme/acme/authz/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7 protocol=HTTP/2.0 
>> referer= remote-address=[redacted].23 
>> request-id=21a5b8f1-2e06-4270-9c78-36756eed0454 
>> response=\"{\\\"identifier\\\":{\\\"type\\\":\\\"dns\\\",\\\"value\\\":\\\"testhost.myown.home\\\"},\\\"status\\\":\\\"pending\\\",\\\"challenges\\\":[{\\\"type\\\":\\\"dns-01\\\",\\\"status\\\":\\\"pending\\\",\\\"token\\\":\\\"MjJKsBOb7QhF8NLH9OUNgVzfNNXky6rh\\\",\\\"url\\\":\\\https://[redacted].22/acme/acme/challenge/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7/n5wxEJwQaiIUZVtShgqh9Tzu0ypHe92V\\\},{\\\"type\\\":\\\"http-01\\\",\\\"status\\\":\\\"pending\\\",\\\"token\\\":\\\"MjJKsBOb7QhF8NLH9OUNgVzfNNXky6rh\\\",\\\"url\\\":\\\https://[redacted].22/acme/acme/challenge/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7/zoCrJwaGduKM01OzNFwmk0pUate4MWpp\\\}],\\\"wildcard\\\":false,\\\"expires\\\":\\\"2025-09-18T10:49:04Z\\\"}\";
>>  size=542 status=200 user-agent=\"acme.sh/3.1.2 
>> (https://github.com/acmesh-official/acme.sh)\" user-id=",
>>        "__MONOTONIC_TIMESTAMP" : "3103863075323",
>>        "_SYSTEMD_SLICE" : "system.slice",
>>        "_HOSTNAME" : "certificates",
>>        "_STREAM_ID" : "56b55ea55fd84f62a58435206f03676e",
>>        "PRIORITY" : "6",
>>        "_BOOT_ID" : "013473d30295440782ff29490d3dc9fe",
>>        "_SYSTEMD_CGROUP" : "/system.slice/step-ca.service",
>>        "__REALTIME_TIMESTAMP" : "1758106145091280",
>>        "_TRANSPORT" : "stdout",
>>        "_CMDLINE" : "/usr/bin/step-ca config/ca.json --password-file 
>> /[redacted step path]/secrets/password",
>>        "_SYSTEMD_UNIT" : "step-ca.service",
>>        "_UID" : "999"
>> }
>> While the ACME.sh script slept for 300 seconds, I ran on the DNS server: 
>> dig @192.168.2.21 TXT _acme-challenge.testhost.myown.home. Verifying that 
>> the TXT record was added correctly.
>> ; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> @[redacted].21 TXT _acme-challenge.testhost.myown.home.
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37924
>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 1232
>> ; COOKIE: db03a0646b58f1cf0100000068ca92262d763b3f9b6e48a7 (good)
>> ;; QUESTION SECTION:
>> ;_acme-challenge.testhost.myown.home. IN TXT
>>
>> ;; ANSWER SECTION:
>> _acme-challenge.testhost.myown.home. 600 IN TXT "JtLRfxGl3S0WZoYaVYJ3BWZCIk011AhHsu-WircaITk"
>>
>> ;; Query time: 0 msec
>> ;; SERVER: [redacted].21#53([redacted].21) (UDP)
>> ;; WHEN: Wed Sep 17 12:49:10 CEST 2025
>> ;; MSG SIZE  rcvd: 155
>> From 12.54 PM when ACME.sh tried to verify the FQDN 
>> testhost.myown.home, I got the following output in the journalctl of the PKI 
>> of each of the 30 attempts:
>> {
>>        "_CAP_EFFECTIVE" : "400",
>>        "__MONOTONIC_TIMESTAMP" : "3104165836085",
>>        "_SYSTEMD_UNIT" : "step-ca.service",
>>        "_MACHINE_ID" : "e3c0f10a80284f7fb1f3cd5ef5476c92",
>>        "PRIORITY" : "6",
>>        "_STREAM_ID" : "56b55ea55fd84f62a58435206f03676e",
>>        "_SYSTEMD_CGROUP" : "/system.slice/step-ca.service",
>>        "_PID" : "2226",
>>        "__REALTIME_TIMESTAMP" : "1758106447852041",
>>        "SYSLOG_FACILITY" : "3",
>>        "_RUNTIME_SCOPE" : "system",
>>        "_HOSTNAME" : "certificates",
>>        "_CMDLINE" : "/usr/bin/step-ca config/ca.json --password-file 
>> /[redacted step path]/secrets/password",
>>        "_TRANSPORT" : "stdout",
>>        "_COMM" : "step-ca",
>>        "MESSAGE" : "time=\"2025-09-17T12:54:07+02:00\" level=info 
>> duration=20.569994ms duration-ns=20569994 
>> fields.time=\"2025-09-17T12:54:07+02:00\" method=POST name=ca 
>> nonce=M3dsVFlIV2dOR2ZNc0w4RlBkNjV4S3RxTGROMVdQZnE 
>> path=/acme/acme/challenge/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7/n5wxEJwQaiIUZVtShgqh9Tzu0ypHe92V
>>  protocol=HTTP/2.0 referer= remote-address=[redacted].23 
>> request-id=cab15bca-630d-471e-953a-2e83afb36dfd 
>> response=\"{\\\"type\\\":\\\"dns-01\\\",\\\"status\\\":\\\"pending\\\",\\\"token\\\":\\\"MjJKsBOb7QhF8NLH9OUNgVzfNNXky6rh\\\",\\\"url\\\":\\\https://[redacted].22/acme/acme/challenge/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7/n5wxEJwQaiIUZVtShgqh9Tzu0ypHe92V\\\,\\\"error\\\":{\\\"type\\\":\\\"urn:ietf:params:acme:error:dns\\\",\\\"detail\\\":\\\"There
>>  was a problem with a DNS query during identifier validation\\\"}}\" 
>> size=322 status=200 user-agent=\"acme.sh/3.1.2 
>> (https://github.com/acmesh-official/acme.sh)\" user-id=",
>>        "_EXE" : "/usr/bin/step-ca",
>>        "SYSLOG_IDENTIFIER" : "step-ca",
>>        "_BOOT_ID" : "013473d30295440782ff29490d3dc9fe",
>>        "_UID" : "999",
>>        "_GID" : "996",
>>        "_SYSTEMD_INVOCATION_ID" : "85c5974ec43b4e56b4b1c77cef15930e",
>>        "_SELINUX_CONTEXT" : "unconfined\n",
>>        "__CURSOR" : 
>> "s=5819b12a49b64582a726181e92d271cb;i=1100;b=013473d30295440782ff29490d3dc9fe;m=2d2beb3b535;t=63efd0e4d3209;x=4b57da03825cd994",
>>        "_SYSTEMD_SLICE" : "system.slice"
>> }
>> {
>>        "__CURSOR" : 
>> "s=5819b12a49b64582a726181e92d271cb;i=1101;b=013473d30295440782ff29490d3dc9fe;m=2d2bee58f91;t=63efd0e7f0c65;x=a9161de4e298eae5",
>>        "_RUNTIME_SCOPE" : "system",
>>        "_SYSTEMD_CGROUP" : "/system.slice/step-ca.service",
>>        "SYSLOG_IDENTIFIER" : "step-ca",
>>        "_COMM" : "step-ca",
>>        "_SYSTEMD_SLICE" : "system.slice",
>>        "_PID" : "2226",
>>        "PRIORITY" : "6",
>>        "_CMDLINE" : "/usr/bin/step-ca config/ca.json --password-file 
>> /[redacted step path]/secrets/password",
>>        "_CAP_EFFECTIVE" : "400",
>>        "__MONOTONIC_TIMESTAMP" : "3104169103249",
>>        "_GID" : "996",
>>        "SYSLOG_FACILITY" : "3",
>>        "__REALTIME_TIMESTAMP" : "1758106451119205",
>>        "_MACHINE_ID" : "e3c0f10a80284f7fb1f3cd5ef5476c92",
>>        "_EXE" : "/usr/bin/step-ca",
>>        "_UID" : "999",
>>        "_SYSTEMD_UNIT" : "step-ca.service",
>>        "_HOSTNAME" : "certificates",
>>        "_SELINUX_CONTEXT" : "unconfined\n",
>>        "_BOOT_ID" : "013473d30295440782ff29490d3dc9fe",
>>        "_TRANSPORT" : "stdout",
>>        "_SYSTEMD_INVOCATION_ID" : "85c5974ec43b4e56b4b1c77cef15930e",
>>        "_STREAM_ID" : "56b55ea55fd84f62a58435206f03676e",
>>        "MESSAGE" : "time=\"2025-09-17T12:54:11+02:00\" level=info 
>> duration=5.976054ms duration-ns=5976054 
>> fields.time=\"2025-09-17T12:54:11+02:00\" method=POST name=ca 
>> nonce=aU9venZXaHJBOGNKRlBYcUU1WkM5U0NiUmVtczlwckk 
>> path=/acme/acme/authz/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7 protocol=HTTP/2.0 
>> referer= remote-address=[redacted].23 
>> request-id=97b6d3c0-7f70-4aec-a83a-8949c26617c6 
>> response=\"{\\\"identifier\\\":{\\\"type\\\":\\\"dns\\\",\\\"value\\\":\\\"testhost.myown.home\\\"},\\\"status\\\":\\\"pending\\\",\\\"challenges\\\":[{\\\"type\\\":\\\"dns-01\\\",\\\"status\\\":\\\"pending\\\",\\\"token\\\":\\\"MjJKsBOb7QhF8NLH9OUNgVzfNNXky6rh\\\",\\\"url\\\":\\\https://[redacted].22/acme/acme/challenge/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7/n5wxEJwQaiIUZVtShgqh9Tzu0ypHe92V\\\,\\\"error\\\":{\\\"type\\\":\\\"urn:ietf:params:acme:error:dns\\\",\\\"detail\\\":\\\"There
>>  was a problem with a DNS query during identifier 
>> validation\\\"}},{\\\"type\\\":\\\"http-01\\\",\\\"status\\\":\\\"pending\\\",\\\"token\\\":\\\"MjJKsBOb7QhF8NLH9OUNgVzfNNXky6rh\\\",\\\"url\\\":\\\https://[redacted].22/acme/acme/challenge/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7/zoCrJwaGduKM01OzNFwmk0pUate4MWpp\\\}],\\\"wildcard\\\":false,\\\"expires\\\":\\\"2025-09-18T10:49:04Z\\\"}\";
>>  size=669 status=200 user-agent=\"acme.sh/3.1.2 
>> (https://github.com/acmesh-official/acme.sh)\" user-id="
>> }
>> ...This last message is repeated 29 times, for attempt 2 till 30 as
>> shown in the output of the acme.sh...
>>
>> Kind regards, Vinvar
>> --
>> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
>> this list.
> 
> 
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: [email protected]
> 
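
Added example (not part of the thread, and not step-ca or BIND code): the `dig` in the original message queried ns1 directly, which confirms the dynamic update but not that the CA host can resolve the name. This script sends the same TXT query to the CA host's resolver and to the authoritative server and compares both with the RFC 8555 dns-01 value. The command-line arguments, the verdict labels, and the premise that the CA validates through its host's configured resolver are assumptions.

```python
"""Compare the TXT answer seen by the CA host's resolver with the authoritative one."""
import base64
import hashlib
import socket
import struct
import sys

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def dns01_txt_value(token, thumbprint):
    """RFC 8555 section 8.4: base64url(SHA-256(token "." thumbprint)), unpadded."""
    digest = hashlib.sha256(f"{token}.{thumbprint}".encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_txt_query(name, qid=0x1234):
    """Minimal DNS query: RD set, one question, QTYPE=TXT (16), QCLASS=IN (1)."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 16, 1)


def _skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = pkt[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + n


def parse_txt_response(pkt):
    """Return (rcode, [txt strings]) from a raw DNS response."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    rcode = RCODES.get(flags & 0xF, f"RCODE{flags & 0xF}")
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4  # QTYPE + QCLASS
    txts = []
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        rdata, off = pkt[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 16:  # TXT RDATA is a run of length-prefixed strings
            parts, i = [], 0
            while i < len(rdata):
                parts.append(rdata[i + 1:i + 1 + rdata[i]])
                i += 1 + rdata[i]
            txts.append(b"".join(parts).decode("ascii", "replace"))
    return rcode, txts


def query_txt(server, name, timeout=3.0):
    """Ask one IPv4 server over UDP; a timeout or socket error is its own status."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_txt_query(name), (server, 53))
            return parse_txt_response(s.recv(4096))
    except OSError:
        return "TIMEOUT", []


def diagnose(resolver_view, authoritative_view, expected):
    """Say which side of the validation path is missing the challenge record."""
    r_rcode, r_txt = resolver_view
    a_rcode, a_txt = authoritative_view
    if expected not in a_txt:
        return f"update-missing: authoritative server answered {a_rcode} without the expected TXT"
    if expected not in r_txt:
        return f"resolver-gap: zone has the TXT but the CA host's resolver answered {r_rcode}"
    return "ok: the CA host's resolver returns the expected TXT"


if __name__ == "__main__":
    # usage (hypothetical): script CA_RESOLVER_IP AUTHORITATIVE_IP FQDN TOKEN ACCOUNT_THUMBPRINT
    resolver, authoritative, fqdn, token, thumbprint = sys.argv[1:6]
    name = f"_acme-challenge.{fqdn}"
    print(diagnose(query_txt(resolver, name), query_txt(authoritative, name),
                   dns01_txt_value(token, thumbprint)))
```

Run it on the CA host during the `--dnssleep` window, since the log above shows the TXT record being removed once the order times out.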
