On 2025-11-21 (Fri.) 12:55, William Lallemand wrote:
On Fri, Nov 21, 2025 at 12:46:11PM +0100, Aleksandar Lazic wrote:
Subject: Re: Some questions about ACME challenge dns-01
Hi William.

On 2025-11-21 (Fri.) 12:37, William Lallemand wrote:
On Fri, Nov 21, 2025 at 11:05:11AM +0100, Aleksandar Lazic wrote:
Subject: Re: Some questions about ACME challenge dns-01
Seems like a bug to me, since there are 2 domains it generated 2 challenges to
set but your wildcard has the same base as the 2nd domain so there's a
problem. I'll take a look.

The task seems stuck waiting for every challenge_ready. I think I'll add more
states in the `acme status` command so we can debug this more easily.


I just pushed a fix in master, you will have to set the 2 TXT entries with the same domain name like explained in the logs. But using `acme challenge_ready` will set every domain with the same name ready.

Thanks. Have pulled and compiled.

Sorry I do not understand what you mean with 2 TXT records.

This one is set, which further TXT record do I need?
```
# dig @ns1.desec.io +short _acme-challenge.none.at txt
"uInm4ilCxq2ghvKYlu2GQTjFvs3cg5UaQM8l_0azSjA"
```


When using the debug mode or the traces, you are polluted by too much output; it's difficult to see them.
There are 2 logs about a TXT record in your logs. You need to use the 2 of them.


Ah okay, I see.
I have now added both in the DNS, but no change.

HAProxy run.

```shell
alex@alex-tuxedoinfinitybooks1517gen7 on 21/11/2025 at 21:15:16_CET /datadisk/git-repos/haproxy $
# ./haproxy -W -db -f ../haproxy_acme.cfg
[NOTICE]   (4047) : Initializing new worker (4049)
[NOTICE]   (4049) : config : No certificate available for 'none.at.pem', generating a temporary key pair before getting the ACME certificate
[NOTICE]   (4049) : config : acme: generate account key 'DNS1.account.key' for acme section 'DNS1'.
Sharing caphdr with caphdr
Sharing caphdr with caphdr
Sharing ptrcap with ptrcap
Sharing ptrcap with ptrcap
[NOTICE]   (4049) : Automatically setting global.maxconn to 524263.
Sharing stk_ctr with caphdr
[NOTICE]   (4047) : Loading success.
acme: none.at.pem: Starting update of the certificate.
-:- [21/Nov/2025:21:15:21.243] <ACME> -/- 3/0/321/161/483 200 152 - - ---- 0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "GET https://acme-staging-v02.api.letsencrypt.org/directory HTTP/1.1" 0/0000000000000000/-/-/0 -/-/-
-:- [21/Nov/2025:21:15:21.727] <ACME> -/- 2/0/0/741/741 200 158 - - ---- 0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "HEAD https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce HTTP/1.1" 0/0000000000000000/-/-/0 -/-/-
-:- [21/Nov/2025:21:15:22.468] <ACME> -/- 2/0/0/178/178 400 963 - - ---- 0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "POST https://acme-staging-v02.api.letsencrypt.org/acme/new-acct HTTP/1.1" 0/0000000000000000/-/-/0 -/-/-
-:- [21/Nov/2025:21:15:22.647] <ACME> -/- 2/0/0/303/303 201 991 - - ---- 0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "POST https://acme-staging-v02.api.letsencrypt.org/acme/new-acct HTTP/1.1" 0/0000000000000000/-/-/0 -/-/-
-:- [21/Nov/2025:21:15:22.950] <ACME> -/- 2/0/0/168/168 201 870 - - ---- 0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "POST https://acme-staging-v02.api.letsencrypt.org/acme/new-order HTTP/1.1" 0/0000000000000000/-/-/0 -/-/-
acme: none.at.pem: dns-01 requires to set the "_acme-challenge.none.at" TXT record to "Vbqf5UyduQlpoKDfLbxSa3b3YljtSYOW4cxtk15Ci-w" and use the "acme challenge_ready none.at.pem domain none.at" command over the CLI
-:- [21/Nov/2025:21:15:23.118] <ACME> -/- 2/0/0/162/162 200 776 - - ---- 0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "POST https://acme-staging-v02.api.letsencrypt.org/acme/authz/244887833/20356587293 HTTP/1.1" 0/0000000000000000/-/-/0 -/-/-
acme: none.at.pem: dns-01 requires to set the "_acme-challenge.none.at" TXT record to "cCWPWcuQBKp3ncDT4ayzyRC6HMc3Nhp8vPhdIoDGsUY" and use the "acme challenge_ready none.at.pem domain none.at" command over the CLI
-:- [21/Nov/2025:21:15:23.281] <ACME> -/- 2/0/0/163/163 200 776 - - ---- 0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "POST https://acme-staging-v02.api.letsencrypt.org/acme/authz/244887833/20356587283 HTTP/1.1" 0/0000000000000000/-/-/0 -/-/-
-:- [21/Nov/2025:21:18:06.706] <ACME> -/- 5/0/0/484/487 200 796 - - ---- 0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "POST https://acme-staging-v02.api.letsencrypt.org/acme/chall/244887833/20356587293/7JLxvw HTTP/1.1" 0/0000000000000000/-/-/0 -/-/-
```

Check DNS
```shell
alex@alex-tuxedoinfinitybooks1517gen7 on 21/11/2025 at 21:16:39_CET /datadisk/git-repos/haproxy $
# dig @ns1.desec.io +short _acme-challenge.none.at txt
"Vbqf5UyduQlpoKDfLbxSa3b3YljtSYOW4cxtk15Ci-w"
"cCWPWcuQBKp3ncDT4ayzyRC6HMc3Nhp8vPhdIoDGsUY"
```

Challenge ready
```shell
alex@alex-tuxedoinfinitybooks1517gen7 on 21/11/2025 at 21:18:03_CET /datadisk/git-repos/haproxy $
# echo "acme challenge_ready none.at.pem domain none.at" | socat - /tmp/hap-stats
Challenge Ready!

alex@alex-tuxedoinfinitybooks1517gen7 on 21/11/2025 at 21:18:06_CET /datadisk/git-repos/haproxy $
# echo "acme status" | socat - /tmp/hap-stats
# certificate section state expiration date (UTC) expires in scheduled date (UTC) scheduled in
none.at.pem     DNS1    Running 2025-11-20T20:15:21Z    0d 0h00m00s     -       -
```


Certbot handles this in one challenge and adds the additional domains into the SAN. Could this also be handled like this in HAP?

https://eff-certbot.readthedocs.io/en/stable/using.html#certbot-command-line-options

###
-d DOMAIN, --domains DOMAIN, --domain DOMAIN
                        Domain names to include. For multiple domains you can
                        use multiple -d flags or enter a comma separated list
                        of domains as a parameter. All domains will be
                        included as Subject Alternative Names on the
                        certificate. The first domain will be used as the
                        certificate name, unless otherwise specified or if you
                        already have a certificate with the same name. In the
                        case of a name conflict, a number like -0001 will be
                        appended to the certificate name. (default: Ask)
###

https://github.com/certbot/certbot/blob/main/certbot/src/certbot/_internal/cli/cli_utils.py#L105

Regards
Aleks
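As an added example (not code from this thread or from HAProxy), a small Python check for the situation discussed above: it collects the TXT values the `acme:` log lines ask for, keyed by record name, and reports which values a `dig +short` answer still lacks before `challenge_ready` is sent. The sample log lines and dig output are constructed from the values quoted in the thread; `challenge_name` applies the RFC 8555 rule that `none.at` and `*.none.at` both validate at `_acme-challenge.none.at`, which is why two values must coexist under one name.

```python
import re
from collections import defaultdict

# Constructed sample: the two "acme:" lines HAProxy logged in this thread, one per
# authorization. none.at and *.none.at both validate at _acme-challenge.none.at.
SAMPLE_LOG = """\
acme: none.at.pem: dns-01 requires to set the "_acme-challenge.none.at" TXT record to "Vbqf5UyduQlpoKDfLbxSa3b3YljtSYOW4cxtk15Ci-w" and use the "acme challenge_ready none.at.pem domain none.at" command over the CLI
acme: none.at.pem: dns-01 requires to set the "_acme-challenge.none.at" TXT record to "cCWPWcuQBKp3ncDT4ayzyRC6HMc3Nhp8vPhdIoDGsUY" and use the "acme challenge_ready none.at.pem domain none.at" command over the CLI
"""
# Constructed `dig +short _acme-challenge.none.at txt` answer with only the first value published.
SAMPLE_DIG = '"Vbqf5UyduQlpoKDfLbxSa3b3YljtSYOW4cxtk15Ci-w"\n'

LOG_RE = re.compile(r'acme: \S+: dns-01 requires to set the "(?P<name>[^"]+)" '
                    r'TXT record to "(?P<value>[^"]+)"')

def challenge_name(domain):
    """RFC 8555 s8.4 validation name: '_acme-challenge.' + base name; a wildcard's '*.' is dropped."""
    return "_acme-challenge." + (domain[2:] if domain.startswith("*.") else domain)

def expected_records(log_text):
    """Collect record name -> set of TXT values the log asks for (several values may share one name)."""
    expected = defaultdict(set)
    for m in LOG_RE.finditer(log_text):
        expected[m.group("name")].add(m.group("value"))
    return dict(expected)

def parse_dig_short(name, output):
    """Turn `dig +short NAME txt` output into name -> set of TXT strings (quotes stripped)."""
    values = set()
    for line in output.splitlines():
        values.update(re.findall(r'"([^"]*)"', line))
    return {name: values}

def missing_records(expected, observed):
    """Values still absent from DNS, per name; an empty dict means challenge_ready can be sent."""
    missing = {}
    for name, values in expected.items():
        gap = values - observed.get(name, set())
        if gap:
            missing[name] = gap
    return missing

if __name__ == "__main__":
    exp = expected_records(SAMPLE_LOG)
    observed = parse_dig_short("_acme-challenge.none.at", SAMPLE_DIG)
    for name, gap in missing_records(exp, observed).items():
        for value in sorted(gap):
            print(f'still missing: {name} TXT "{value}"')
```

Run it against the real `dig @ns1.desec.io +short` output (the authoritative server, as in the thread, rather than a caching resolver) and only send `challenge_ready` once it reports nothing missing.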
