On 2025-11-21 (Fr.) 21:58, William Lallemand wrote:
On Fri, Nov 21, 2025 at 09:30:55PM +0100, Aleksandar Lazic wrote:
```shell
alex@alex-tuxedoinfinitybooks1517gen7 on 21/11/2025 at 21:15:16_CET
/datadisk/git-repos/haproxy $
# ./haproxy -W -db -f ../haproxy_acme.cfg
[NOTICE]   (4047) : Initializing new worker (4049)
[NOTICE]   (4049) : config : No certificate available for 'none.at.pem',
generating a temporary key pair before getting the ACME certificate
[NOTICE]   (4049) : config : acme: generate account key 'DNS1.account.key'
for acme section 'DNS1'.
Sharing caphdr with caphdr
Sharing caphdr with caphdr
Sharing ptrcap with ptrcap
Sharing ptrcap with ptrcap
[NOTICE]   (4049) : Automatically setting global.maxconn to 524263.
Sharing stk_ctr with caphdr
[NOTICE]   (4047) : Loading success.
acme: none.at.pem: Starting update of the certificate.
-:- [21/Nov/2025:21:15:21.243] <ACME> -/- 3/0/321/161/483 200 152 - - ----
0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "GET
https://acme-staging-v02.api.letsencrypt.org/directory HTTP/1.1"
0/0000000000000000/-/-/0 -/-/-
-:- [21/Nov/2025:21:15:21.727] <ACME> -/- 2/0/0/741/741 200 158 - - ----
0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "HEAD
https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce HTTP/1.1"
0/0000000000000000/-/-/0 -/-/-
-:- [21/Nov/2025:21:15:22.468] <ACME> -/- 2/0/0/178/178 400 963 - - ----
0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "POST
https://acme-staging-v02.api.letsencrypt.org/acme/new-acct HTTP/1.1"
0/0000000000000000/-/-/0 -/-/-
-:- [21/Nov/2025:21:15:22.647] <ACME> -/- 2/0/0/303/303 201 991 - - ----
0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "POST
https://acme-staging-v02.api.letsencrypt.org/acme/new-acct HTTP/1.1"
0/0000000000000000/-/-/0 -/-/-
-:- [21/Nov/2025:21:15:22.950] <ACME> -/- 2/0/0/168/168 201 870 - - ----
0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "POST
https://acme-staging-v02.api.letsencrypt.org/acme/new-order HTTP/1.1"
0/0000000000000000/-/-/0 -/-/-
acme: none.at.pem: dns-01 requires to set the "_acme-challenge.none.at" TXT
record to "Vbqf5UyduQlpoKDfLbxSa3b3YljtSYOW4cxtk15Ci-w" and use the "acme
challenge_ready none.at.pem domain none.at" command over the CLI
-:- [21/Nov/2025:21:15:23.118] <ACME> -/- 2/0/0/162/162 200 776 - - ----
0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "POST
https://acme-staging-v02.api.letsencrypt.org/acme/authz/244887833/20356587293
HTTP/1.1" 0/0000000000000000/-/-/0 -/-/-
acme: none.at.pem: dns-01 requires to set the "_acme-challenge.none.at" TXT
record to "cCWPWcuQBKp3ncDT4ayzyRC6HMc3Nhp8vPhdIoDGsUY" and use the "acme
challenge_ready none.at.pem domain none.at" command over the CLI
-:- [21/Nov/2025:21:15:23.281] <ACME> -/- 2/0/0/163/163 200 776 - - ----
0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "POST
https://acme-staging-v02.api.letsencrypt.org/acme/authz/244887833/20356587283
HTTP/1.1" 0/0000000000000000/-/-/0 -/-/-
-:- [21/Nov/2025:21:18:06.706] <ACME> -/- 5/0/0/484/487 200 796 - - ----
0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "POST 
https://acme-staging-v02.api.letsencrypt.org/acme/chall/244887833/20356587293/7JLxvw
HTTP/1.1" 0/0000000000000000/-/-/0 -/-/-
```

Check DNS
```shell
alex@alex-tuxedoinfinitybooks1517gen7 on 21/11/2025 at 21:16:39_CET
/datadisk/git-repos/haproxy $
# dig @ns1.desec.io +short _acme-challenge.none.at txt
"Vbqf5UyduQlpoKDfLbxSa3b3YljtSYOW4cxtk15Ci-w"
"cCWPWcuQBKp3ncDT4ayzyRC6HMc3Nhp8vPhdIoDGsUY"
```

Challenge ready
```shell
alex@alex-tuxedoinfinitybooks1517gen7 on 21/11/2025 at 21:18:03_CET
/datadisk/git-repos/haproxy $
# echo "acme challenge_ready none.at.pem domain none.at" | socat - /tmp/hap-stats
Challenge Ready!

alex@alex-tuxedoinfinitybooks1517gen7 on 21/11/2025 at 21:18:06_CET
/datadisk/git-repos/haproxy $
# echo "acme status" | socat - /tmp/hap-stats
# certificate   section state   expiration date (UTC)   expires in      scheduled date (UTC)   scheduled in
none.at.pem     DNS1    Running 2025-11-20T20:15:21Z    0d 0h00m00s     -       -
```

Are you sure you recompiled with the latest master version? It does not
process the 2nd domain, as if you didn't apply my fix?

Yes.
I have now done the following to be 100% sure.
Now I get another message.

> acme: none.at.pem: challenge error: "Incorrect TXT record "Vbqf5UyduQlpoKDfLbxSa3b3YljtSYOW4cxtk15Ci-w" (and 1 more) found at _acme-challenge.none.at" (urn:ietf:params:acme:error:unauthorized) (HTTP status code 200) Aborting.

I will delete all _acme-challenge records and wait overnight for the TTL to expire, and will then test it again tomorrow.
Thank you for your time and patience.


```shell
alex@alex-tuxedoinfinitybooks1517gen7 on 21/11/2025 at 22:11:55_CET ~ $
# cd /datadisk/git-repos/haproxy
alex@alex-tuxedoinfinitybooks1517gen7 on 21/11/2025 at 22:11:57_CET /datadisk/git-repos/haproxy $
# git pull
Already up to date.

alex@alex-tuxedoinfinitybooks1517gen7 on 21/11/2025 at 22:12:11_CET /datadisk/git-repos/haproxy $
# make distclean
alex@alex-tuxedoinfinitybooks1517gen7 on 21/11/2025 at 22:12:14_CET /datadisk/git-repos/haproxy $
# make TARGET=linux-glibc USE_OPENSSL=1 USE_PCRE2=1 USE_ZLIB=1 DEBUG=-DDEBUG_FULL USE_PCRE2_JIT=1

Compile

alex@alex-tuxedoinfinitybooks1517gen7 on 21/11/2025 at 22:17:11_CET /datadisk/git-repos/haproxy $
# rm DNS1.account.key /tmp/none.at.pem
rm: cannot remove '/tmp/none.at.pem': No such file or directory
alex@alex-tuxedoinfinitybooks1517gen7 on 21/11/2025 at 22:17:13_CET /datadisk/git-repos/haproxy $
# ./haproxy -W -db -f ../haproxy_acme.cfg
[NOTICE]   (12880) : Initializing new worker (12882)
[NOTICE] (12882) : config : No certificate available for 'none.at.pem', generating a temporary key pair before getting the ACME certificate
[NOTICE] (12882) : config : acme: generate account key 'DNS1.account.key' for acme section 'DNS1'.
Sharing caphdr with caphdr
Sharing caphdr with caphdr
Sharing ptrcap with ptrcap
Sharing ptrcap with ptrcap
[NOTICE]   (12882) : Automatically setting global.maxconn to 524263.
Sharing stk_ctr with caphdr
[NOTICE]   (12880) : Loading success.
acme: none.at.pem: Starting update of the certificate.
-:- [21/Nov/2025:22:17:15.802] <ACME> -/- 3/0/319/163/483 200 152 - - ---- 0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "GET https://acme-staging-v02.api.letsencrypt.org/directory HTTP/1.1" 0/0000000000000000/-/-/0 -/-/-
-:- [21/Nov/2025:22:17:16.285] <ACME> -/- 2/0/0/157/157 200 158 - - ---- 0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "HEAD https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce HTTP/1.1" 0/0000000000000000/-/-/0 -/-/-
-:- [21/Nov/2025:22:17:16.442] <ACME> -/- 2/0/0/264/264 400 963 - - ---- 0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "POST https://acme-staging-v02.api.letsencrypt.org/acme/new-acct HTTP/1.1" 0/0000000000000000/-/-/0 -/-/-
-:- [21/Nov/2025:22:17:16.707] <ACME> -/- 2/0/0/329/329 201 991 - - ---- 0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "POST https://acme-staging-v02.api.letsencrypt.org/acme/new-acct HTTP/1.1" 0/0000000000000000/-/-/0 -/-/-
-:- [21/Nov/2025:22:17:17.036] <ACME> -/- 2/0/0/168/168 201 870 - - ---- 0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "POST https://acme-staging-v02.api.letsencrypt.org/acme/new-order HTTP/1.1" 0/0000000000000000/-/-/0 -/-/-
acme: none.at.pem: dns-01 requires to set the "_acme-challenge.none.at" TXT record to "_gfL4k7T_K5mt6JI0Lk5jz9HBkyk016NLfG6E5M26no" and use the "acme challenge_ready none.at.pem domain none.at" command over the CLI
-:- [21/Nov/2025:22:17:17.205] <ACME> -/- 2/0/0/160/160 200 776 - - ---- 0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "POST https://acme-staging-v02.api.letsencrypt.org/acme/authz/244897093/20357183863 HTTP/1.1" 0/0000000000000000/-/-/0 -/-/-
acme: none.at.pem: dns-01 requires to set the "_acme-challenge.none.at" TXT record to "HbKSx784q5OiqVv6Aw6Jl1kyQtyM9AXC7LUuFfTWGo4" and use the "acme challenge_ready none.at.pem domain none.at" command over the CLI
-:- [21/Nov/2025:22:17:17.366] <ACME> -/- 2/0/0/161/161 200 776 - - ---- 0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "POST https://acme-staging-v02.api.letsencrypt.org/acme/authz/244897093/20357183853 HTTP/1.1" 0/0000000000000000/-/-/0 -/-/-
-:- [21/Nov/2025:22:18:46.573] <ACME> -/- 4/0/0/478/480 200 796 - - ---- 0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "POST https://acme-staging-v02.api.letsencrypt.org/acme/chall/244897093/20357183863/wR79vQ HTTP/1.1" 0/0000000000000000/-/-/1 -/-/-
-:- [21/Nov/2025:22:18:47.054] <ACME> -/- 2/0/0/162/162 200 796 - - ---- 0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "POST https://acme-staging-v02.api.letsencrypt.org/acme/chall/244897093/20357183853/359rOg HTTP/1.1" 0/0000000000000000/-/-/1 -/-/-
acme: none.at.pem: challenge error: "Incorrect TXT record "Vbqf5UyduQlpoKDfLbxSa3b3YljtSYOW4cxtk15Ci-w" (and 1 more) found at _acme-challenge.none.at" (urn:ietf:params:acme:error:unauthorized) (HTTP status code 200) Aborting.
-:- [21/Nov/2025:22:18:52.217] <ACME> -/- 2/0/0/215/215 200 793 - - ---- 0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "POST https://acme-staging-v02.api.letsencrypt.org/acme/chall/244897093/20357183863/wR79vQ HTTP/1.1" 0/0000000000000000/-/-/1 -/-/-
```

Second shell

```shell
alex@alex-tuxedoinfinitybooks1517gen7 on 21/11/2025 at 22:18:33_CET ~ $
# dig @ns1.desec.io +short _acme-challenge.none.at txt
"HbKSx784q5OiqVv6Aw6Jl1kyQtyM9AXC7LUuFfTWGo4"
"_gfL4k7T_K5mt6JI0Lk5jz9HBkyk016NLfG6E5M26no"
alex@alex-tuxedoinfinitybooks1517gen7 on 21/11/2025 at 22:18:34_CET ~ $
# echo "acme challenge_ready none.at.pem domain none.at" | socat - /tmp/hap-stats
Challenge Ready!
```
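
Added example (not written by either poster and not HAProxy code): a shell check that diffs the TXT values from HAProxy's dns-01 notices against a `dig +short` answer, so records left over from an earlier order are visible before `acme challenge_ready` is sent. The log lines and the authoritative answer reuse values from the thread; the caching-resolver answer and all function names are assumptions.

```shell
# Added example: diff the TXT values HAProxy asks for against a DNS answer
# before sending "acme challenge_ready". Sample data is constructed from
# values in the thread.
LC_ALL=C; export LC_ALL

# TXT values from HAProxy's dns-01 notices (log on stdin), one per line.
expected_txt() {
    grep -o 'record to "[^"]*"' | sed 's/^record to "//; s/"$//' | sort -u
}

# Normalise `dig +short <name> txt` output (stdin): strip the quotes.
published_txt() {
    sed 's/^"//; s/"$//' | sort -u
}

# $1 = HAProxy log file, $2 = dig output file.
# Prints "MISSING <value>" for a required value the answer lacks and
# "STALE <value>" for a served value this order did not ask for.
check_challenge() {
    exp=$(mktemp); pub=$(mktemp)
    expected_txt < "$1" > "$exp"
    published_txt < "$2" > "$pub"
    comm -23 "$exp" "$pub" | sed 's/^/MISSING /'
    comm -13 "$exp" "$pub" | sed 's/^/STALE /'
    rm -f "$exp" "$pub"
}

# Constructed sample: the two notices of the second run, the authoritative
# answer, and a hypothetical resolver still serving the first run's values.
sample_log() { cat <<'EOF'
acme: none.at.pem: dns-01 requires to set the "_acme-challenge.none.at" TXT record to "_gfL4k7T_K5mt6JI0Lk5jz9HBkyk016NLfG6E5M26no" and use the "acme challenge_ready none.at.pem domain none.at" command over the CLI
acme: none.at.pem: dns-01 requires to set the "_acme-challenge.none.at" TXT record to "HbKSx784q5OiqVv6Aw6Jl1kyQtyM9AXC7LUuFfTWGo4" and use the "acme challenge_ready none.at.pem domain none.at" command over the CLI
EOF
}
sample_authoritative() { cat <<'EOF'
"HbKSx784q5OiqVv6Aw6Jl1kyQtyM9AXC7LUuFfTWGo4"
"_gfL4k7T_K5mt6JI0Lk5jz9HBkyk016NLfG6E5M26no"
EOF
}
sample_cached() { cat <<'EOF'
"Vbqf5UyduQlpoKDfLbxSa3b3YljtSYOW4cxtk15Ci-w"
"cCWPWcuQBKp3ncDT4ayzyRC6HMc3Nhp8vPhdIoDGsUY"
EOF
}

log=$(mktemp); ans=$(mktemp); sample_log > "$log"
sample_authoritative > "$ans"; echo "authoritative:";    check_challenge "$log" "$ans"
sample_cached > "$ans";        echo "caching resolver:"; check_challenge "$log" "$ans"
rm -f "$log" "$ans"
```

Empty output means the answer matches the order exactly; running the check against more than one resolver shows whether an old answer is still being served somewhere.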

