Bind9 gives me error 'There was a problem with a DNS query during identifier validation'. Where to look for a solution?

P van Dijk machlar at hotmail.com
Thu Sep 18 11:15:13 UTC 2025


Dear All,

Has anyone encountered the error message 'There was a problem with a DNS query during identifier validation' while trying the complete a ACME dns-01 challenge? If so, could you help me by pointing me towards a solution. I have tried multiple things but I am completely lost where the issue might reside. Google and the GitLab issue page does not show me any results.

My setup is the following three machines:

  *   ns1; running Bind9
  *   certificates; running Step CA
  *   testhost; Debian 12 on which I am trying to get a TLS certificate. (Once it works on the testhost, I would like to implement it on Truenas Scale. Meaning this Debian machine will be replaced by the machine running Truenas Scale.)

I want to get a TLS certificate on the testhost. To achieve this, I ran acme.sh and cerbot on the testhost. Both result in the error message 'There was a problem with a DNS query during identifier validation'.

Please find below my configuration and commands run.

BIND9 configuration
named.conf.local
        zone "myown.home" {
          type primary;
          file "/var/lib/bind/db.myown.home"; # Zone path file
          inline-signing yes;
          update-policy {
            grant myown_wildcard. name _acme-challenge.testhost.myown.home. txt;
          };
        };

        [redacted reversed-mapped zone]

/var/lib/bind/db.myown.home
        $ORIGIN .
        $TTL 86400      ; 1 day
        myown.home     IN SOA  ns1.myown.home. info.myown.home. (
                                        2025091716 ; serial
                                        43200            ; refresh (12 hours)
                                        900                ; retry (15 minutes)
                                        345600         ; expire (4 days)
                                        172800         ; minimum (2 days)
                                        )
                                NS      ns1.myown.home.
        $ORIGIN myown.home.
        testhost         A       [redacted].23
        ns1                 A       [redacted].21
        certificates    A       [redacted].22

Step CA configuration
[redacted step path]/config/ca.json
        "root": "/[redacted step path]/certs/root_ca.crt",
        "federatedRoots": null,
        "crt": "/[redacted step path]/certs/intermediate_ca.crt",
        "key": "/[redacted step path]/secrets/intermediate_ca_key",
        "address": ":443",
        "insecureAddress": "",
        "dnsNames": [
                "[redacted].22",
                "certificates.myown.home"
        ],
        "logger": {
                "format": "text"
        },
        "db": {
                "type": "badgerv2",
                "dataSource": "/etc/step-ca/db",
                "badgerFileLoadingMode": ""
        },
        "authority": {
                "provisioners": [
...
                        {
                                "type": "ACME",
                                "name": "acme-dns",
                                "challenges": [
                                        "dns-01"
                                ],
                                "claims": {
                                        "enableSSHCA": false,
                                        "disableRenewal": false,
                                        "allowRenewalAfterExpiry": false,
                                        "disableSmallstepExtensions": false
                                },
                                "options": {
                                        "x509": {},
                                        "ssh": {}
                                }
                        }
...


WORKFLOW
On the testhost I ran (as root) the following command to start the flow.
.acme.sh/acme.sh --issue --dns dns_nsupdate -d 'testhost.myown.home' --server https://[redacted].22/acme/acme/directory --dnssleep 300<https://[redacted].22/acme/acme/directory%20--dnssleep%20300>
REQUESTS_CA_BUNDLE=/usr/local/share/ca-certificates/myown_root_ca.crt certbot certonly --dns-rfc2136 --dns-rfc2136-credentials certbot.ini -d testhost.myown.home --server https://[redacted].22/acme/acme/directory

This resulted in the following output (example for achme.sh).
[Wed Sep 17 12:49:03 PM CEST 2025] Using CA: https://[redacted].22/acme/acme/directory
[Wed Sep 17 12:49:03 PM CEST 2025] Account key creation OK.
[Wed Sep 17 12:49:04 PM CEST 2025] Registering account: https://[redacted].22/acme/acme/directory
[Wed Sep 17 12:49:04 PM CEST 2025] Registered
[Wed Sep 17 12:49:04 PM CEST 2025] ACCOUNT_THUMBPRINT='7juVi3uRQTaf2qUTEvOB9faQfCjoNUHUNj-VFxyC284'
[Wed Sep 17 12:49:04 PM CEST 2025] Creating domain key
[Wed Sep 17 12:49:04 PM CEST 2025] The domain key is here: /root/.acme.sh/testhost.myown.home_ecc/testhost.myown.home.key
[Wed Sep 17 12:49:04 PM CEST 2025] Single domain='testhost.myown.home'
[Wed Sep 17 12:49:05 PM CEST 2025] Getting webroot for domain='testhost.myown.home'
[Wed Sep 17 12:49:05 PM CEST 2025] Adding TXT value: JtLRfxGl3S0WZoYaVYJ3BWZCIk011AhHsu-WircaITk for domain: _acme-challenge.testhost.myown.home
[Wed Sep 17 12:49:05 PM CEST 2025] adding _acme-challenge.testhost.myown.home. 600 in txt "JtLRfxGl3S0WZoYaVYJ3BWZCIk011AhHsu-WircaITk"
[Wed Sep 17 12:49:05 PM CEST 2025] The TXT record has been successfully added.
[Wed Sep 17 12:49:05 PM CEST 2025] Sleeping for 300 seconds to wait for the the TXT records to take effect
[Wed Sep 17 12:54:07 PM CEST 2025] Verifying: testhost.myown.home
[Wed Sep 17 12:54:07 PM CEST 2025] Pending. The CA is processing your order, please wait. (1/30)
[Wed Sep 17 12:54:11 PM CEST 2025] Pending. The CA is processing your order, please wait. (2/30)
[Wed Sep 17 12:54:14 PM CEST 2025] Pending. The CA is processing your order, please wait. (3/30)
[Wed Sep 17 12:54:17 PM CEST 2025] Pending. The CA is processing your order, please wait. (4/30)
[Wed Sep 17 12:54:21 PM CEST 2025] Pending. The CA is processing your order, please wait. (5/30)
[Wed Sep 17 12:54:24 PM CEST 2025] Pending. The CA is processing your order, please wait. (6/30)
[Wed Sep 17 12:54:27 PM CEST 2025] Pending. The CA is processing your order, please wait. (7/30)
[Wed Sep 17 12:54:30 PM CEST 2025] Pending. The CA is processing your order, please wait. (8/30)
[Wed Sep 17 12:54:34 PM CEST 2025] Pending. The CA is processing your order, please wait. (9/30)
[Wed Sep 17 12:54:37 PM CEST 2025] Pending. The CA is processing your order, please wait. (10/30)
[Wed Sep 17 12:54:40 PM CEST 2025] Pending. The CA is processing your order, please wait. (11/30)
[Wed Sep 17 12:54:43 PM CEST 2025] Pending. The CA is processing your order, please wait. (12/30)
[Wed Sep 17 12:54:47 PM CEST 2025] Pending. The CA is processing your order, please wait. (13/30)
[Wed Sep 17 12:54:50 PM CEST 2025] Pending. The CA is processing your order, please wait. (14/30)
[Wed Sep 17 12:54:53 PM CEST 2025] Pending. The CA is processing your order, please wait. (15/30)
[Wed Sep 17 12:54:57 PM CEST 2025] Pending. The CA is processing your order, please wait. (16/30)
[Wed Sep 17 12:55:00 PM CEST 2025] Pending. The CA is processing your order, please wait. (17/30)
[Wed Sep 17 12:55:03 PM CEST 2025] Pending. The CA is processing your order, please wait. (18/30)
[Wed Sep 17 12:55:06 PM CEST 2025] Pending. The CA is processing your order, please wait. (19/30)
[Wed Sep 17 12:55:10 PM CEST 2025] Pending. The CA is processing your order, please wait. (20/30)
[Wed Sep 17 12:55:13 PM CEST 2025] Pending. The CA is processing your order, please wait. (21/30)
[Wed Sep 17 12:55:16 PM CEST 2025] Pending. The CA is processing your order, please wait. (22/30)
[Wed Sep 17 12:55:20 PM CEST 2025] Pending. The CA is processing your order, please wait. (23/30)
[Wed Sep 17 12:55:23 PM CEST 2025] Pending. The CA is processing your order, please wait. (24/30)
[Wed Sep 17 12:55:26 PM CEST 2025] Pending. The CA is processing your order, please wait. (25/30)
[Wed Sep 17 12:55:29 PM CEST 2025] Pending. The CA is processing your order, please wait. (26/30)
[Wed Sep 17 12:55:33 PM CEST 2025] Pending. The CA is processing your order, please wait. (27/30)
[Wed Sep 17 12:55:36 PM CEST 2025] Pending. The CA is processing your order, please wait. (28/30)
[Wed Sep 17 12:55:39 PM CEST 2025] Pending. The CA is processing your order, please wait. (29/30)
[Wed Sep 17 12:55:42 PM CEST 2025] testhost.myown.home: Timeout
[Wed Sep 17 12:55:42 PM CEST 2025] Removing DNS records.
[Wed Sep 17 12:55:42 PM CEST 2025] Removing txt: JtLRfxGl3S0WZoYaVYJ3BWZCIk011AhHsu-WircaITk for domain: _acme-challenge.testhost.myown.home
[Wed Sep 17 12:55:43 PM CEST 2025] removing _acme-challenge.testhost.myown.home. txt
[Wed Sep 17 12:55:43 PM CEST 2025] Successfully removed
[Wed Sep 17 12:55:43 PM CEST 2025] Please add '--debug' or '--log' to see more information.
[Wed Sep 17 12:55:43 PM CEST 2025] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh


During 12.49 PM when ACME.sh registered the account and added the TXT message, I got the following in the journalctl on the certificated.myown.home:
{
        "__CURSOR" : "s=5819b12a49b64582a726181e92d271cb;i=10fb;b=013473d30295440782ff29490d3dc9fe;m=2d2ac928bed;t=63efcfc2c08c2;x=efdcb09f0f131d1e",
        "_CMDLINE" : "/usr/bin/step-ca config/ca.json --password-file /[redacted step path]/secrets/password",
        "_GID" : "996",
        "_SYSTEMD_INVOCATION_ID" : "85c5974ec43b4e56b4b1c77cef15930e",
        "_CAP_EFFECTIVE" : "400",
        "__REALTIME_TIMESTAMP" : "1758106143688898",
        "_STREAM_ID" : "56b55ea55fd84f62a58435206f03676e",
        "_SYSTEMD_UNIT" : "step-ca.service",
        "_UID" : "999",
        "SYSLOG_IDENTIFIER" : "step-ca",
        "_PID" : "2226",
        "_BOOT_ID" : "013473d30295440782ff29490d3dc9fe",
        "_SELINUX_CONTEXT" : "unconfined\n",
        "SYSLOG_FACILITY" : "3",
        "_MACHINE_ID" : "e3c0f10a80284f7fb1f3cd5ef5476c92",
        "_EXE" : "/usr/bin/step-ca",
        "_RUNTIME_SCOPE" : "system",
        "_SYSTEMD_CGROUP" : "/system.slice/step-ca.service",
        "_HOSTNAME" : "certificates",
        "_COMM" : "step-ca",
        "__MONOTONIC_TIMESTAMP" : "3103861672941",
        "_SYSTEMD_SLICE" : "system.slice",
        "MESSAGE" : "time=\"2025-09-17T12:49:03+02:00\" level=info duration=\"58.755µs\" duration-ns=58755 fields.time=\"2025-09-17T12:49:03+02:00\" method=GET name=ca path=/acme/acme/directory protocol=HTTP/2.0 referer= remote-address=[redacted].23 request-id=a4421749-4cbd-4128-a22a-3de5ce439a4e response=\"{\\\"newNonce\\\":\\\https://[redacted].22/acme/acme/new-nonce\\\<https://[redacted].22/acme/acme/new-nonce/>,\\\"newAccount\\\":\\\https://[redacted].22/acme/acme/new-account\\\<https://[redacted].22/acme/acme/new-account/>,\\\"newOrder\\\":\\\https://[redacted].22/acme/acme/new-order\\\<https://[redacted].22/acme/acme/new-order/>,\\\"revokeCert\\\":\\\https://[redacted].22/acme/acme/revoke-cert\\\<https://[redacted].22/acme/acme/revoke-cert/>,\\\"keyChange\\\":\\\https://[redacted].22/acme/acme/key-change\\\<https://[redacted].22/acme/acme/key-change/>}\" size=282 status=200 user-agent=\"acme.sh/3.1.2 (https://github.com/acmesh-official/acme.sh)\<https://github.com/acmesh-official/acme.sh)/>" user-id=",
        "PRIORITY" : "6",
        "_TRANSPORT" : "stdout"
}
{
        "_PID" : "2226",
        "_SYSTEMD_UNIT" : "step-ca.service",
        "_COMM" : "step-ca",
        "_GID" : "996",
        "_CMDLINE" : "/usr/bin/step-ca config/ca.json --password-file /[redacted step path]/secrets/password",
        "MESSAGE" : "time=\"2025-09-17T12:49:04+02:00\" level=info duration=3.178139ms duration-ns=3178139 fields.time=\"2025-09-17T12:49:04+02:00\" method=HEAD name=ca nonce=UzROdnlhVXc2SHVnbkZOV1YxTVFlamxzV3U3ZVhFa0I path=/acme/acme/new-nonce protocol=HTTP/2.0 referer= remote-address=[redacted].23 request-id=0063c780-2e22-4b3c-b0e3-e0a9e211619b size=0 status=200 user-agent=\"acme.sh/3.1.2 (https://github.com/acmesh-official/acme.sh)\<https://github.com/acmesh-official/acme.sh)/>" user-id=",
        "__CURSOR" : "s=5819b12a49b64582a726181e92d271cb;i=10fc;b=013473d30295440782ff29490d3dc9fe;m=2d2ac998662;t=63efcfc330336;x=dab3e11aced4bad7",
        "_UID" : "999",
        "SYSLOG_FACILITY" : "3",
        "_BOOT_ID" : "013473d30295440782ff29490d3dc9fe",
        "SYSLOG_IDENTIFIER" : "step-ca",
        "_CAP_EFFECTIVE" : "400",
        "_SYSTEMD_SLICE" : "system.slice",
        "_HOSTNAME" : "certificates",
        "_EXE" : "/usr/bin/step-ca",
        "_STREAM_ID" : "56b55ea55fd84f62a58435206f03676e",
        "_RUNTIME_SCOPE" : "system",
        "__REALTIME_TIMESTAMP" : "1758106144146230",
        "__MONOTONIC_TIMESTAMP" : "3103862130274",
        "_SYSTEMD_INVOCATION_ID" : "85c5974ec43b4e56b4b1c77cef15930e",
        "PRIORITY" : "6",
        "_SELINUX_CONTEXT" : "unconfined\n",
        "_MACHINE_ID" : "e3c0f10a80284f7fb1f3cd5ef5476c92",
        "_TRANSPORT" : "stdout",
        "_SYSTEMD_CGROUP" : "/system.slice/step-ca.service"
}
{
        "PRIORITY" : "6",
        "_MACHINE_ID" : "e3c0f10a80284f7fb1f3cd5ef5476c92",
        "_BOOT_ID" : "013473d30295440782ff29490d3dc9fe",
        "SYSLOG_IDENTIFIER" : "step-ca",
        "_EXE" : "/usr/bin/step-ca",
        "_SYSTEMD_CGROUP" : "/system.slice/step-ca.service",
        "__REALTIME_TIMESTAMP" : "1758106144332324",
        "_SYSTEMD_SLICE" : "system.slice",
        "__MONOTONIC_TIMESTAMP" : "3103862316368",
        "_GID" : "996",
        "_STREAM_ID" : "56b55ea55fd84f62a58435206f03676e",
        "_HOSTNAME" : "certificates",
        "_COMM" : "step-ca",
        "MESSAGE" : "time=\"2025-09-17T12:49:04+02:00\" level=info duration=10.229178ms duration-ns=10229178 fields.time=\"2025-09-17T12:49:04+02:00\" method=POST name=ca nonce=SWEwNVFNczcySlBlZUhwcFNpald0TmJrUEdEekh3V3g path=/acme/acme/new-account protocol=HTTP/2.0 referer= remote-address=[redacted].23 request-id=3be4d4bb-5479-4904-8b73-b53f0fbbb150 response=\"{\\\"contact\\\":[\\\mailto:test at test.com\\\],\\\"status\\\":\\\"valid\\\",\\\"orders\\\":\\\https://[redacted].22/acme/acme/account/6J2ZJJSxnYO27u6bpFUtBrJ1CCtHkfcA/orders\\\<https://[redacted].22/acme/acme/account/6J2ZJJSxnYO27u6bpFUtBrJ1CCtHkfcA/orders/>}\" size=144 status=201 user-agent=\"acme.sh/3.1.2 (https://github.com/acmesh-official/acme.sh)\<https://github.com/acmesh-official/acme.sh)/>" user-id=",
        "_SYSTEMD_INVOCATION_ID" : "85c5974ec43b4e56b4b1c77cef15930e",
        "_SELINUX_CONTEXT" : "unconfined\n",
        "_CMDLINE" : "/usr/bin/step-ca config/ca.json --password-file /[redacted step path]/secrets/password",
        "_RUNTIME_SCOPE" : "system",
        "_CAP_EFFECTIVE" : "400",
        "_TRANSPORT" : "stdout",
        "_SYSTEMD_UNIT" : "step-ca.service",
        "_UID" : "999",
        "SYSLOG_FACILITY" : "3",
        "_PID" : "2226",
        "__CURSOR" : "s=5819b12a49b64582a726181e92d271cb;i=10fd;b=013473d30295440782ff29490d3dc9fe;m=2d2ac9c5d50;t=63efcfc35da24;x=8d727976330d3e21"
}
{
        "_BOOT_ID" : "013473d30295440782ff29490d3dc9fe",
        "_COMM" : "step-ca",
        "_MACHINE_ID" : "e3c0f10a80284f7fb1f3cd5ef5476c92",
        "_HOSTNAME" : "certificates",
        "_TRANSPORT" : "stdout",
        "_GID" : "996",
        "_CMDLINE" : "/usr/bin/step-ca config/ca.json --password-file /[redacted step path]/secrets/password",
        "_UID" : "999",
        "SYSLOG_FACILITY" : "3",
        "_SYSTEMD_UNIT" : "step-ca.service",
        "_STREAM_ID" : "56b55ea55fd84f62a58435206f03676e",
        "_PID" : "2226",
        "PRIORITY" : "6",
        "_SYSTEMD_CGROUP" : "/system.slice/step-ca.service",
        "_CAP_EFFECTIVE" : "400",
        "__MONOTONIC_TIMESTAMP" : "3103862794284",
        "_SYSTEMD_INVOCATION_ID" : "85c5974ec43b4e56b4b1c77cef15930e",
        "__REALTIME_TIMESTAMP" : "1758106144810241",
        "_SYSTEMD_SLICE" : "system.slice",
        "SYSLOG_IDENTIFIER" : "step-ca",
        "_EXE" : "/usr/bin/step-ca",
        "_SELINUX_CONTEXT" : "unconfined\n",
        "__CURSOR" : "s=5819b12a49b64582a726181e92d271cb;i=10fe;b=013473d30295440782ff29490d3dc9fe;m=2d2aca3a82c;t=63efcfc3d2501;x=d6ac118a2c53c6a4",
        "_RUNTIME_SCOPE" : "system",
        "MESSAGE" : "time=\"2025-09-17T12:49:04+02:00\" level=info duration=17.863338ms duration-ns=17863338 fields.time=\"2025-09-17T12:49:04+02:00\" method=POST name=ca nonce=RmJ1Z0RkY0JXQk9LaEdLcU9PdDZId2NXUW5xcUdqekQ path=/acme/acme/new-order protocol=HTTP/2.0 referer= remote-address=[redacted].23 request-id=3f8bd00e-6c59-4de8-b5b4-2c51cf2f6bd8 response=\"{\\\"id\\\":\\\"OnEbnpn9KtE5yH27Oflg3BZwTBns4x7t\\\",\\\"status\\\":\\\"pending\\\",\\\"expires\\\":\\\"2025-09-18T10:49:04Z\\\",\\\"identifiers\\\":[{\\\"type\\\":\\\"dns\\\",\\\"value\\\":\\\"testhost.myown.home\\\"}],\\\"notBefore\\\":\\\"2025-09-17T10:48:04Z\\\",\\\"notAfter\\\":\\\"2025-09-18T10:49:04Z\\\",\\\"authorizations\\\":[\\\https://[redacted].22/acme/acme/authz/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7\\\<https://[redacted].22/acme/acme/authz/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7/>],\\\"finalize\\\":\\\https://[redacted].22/acme/acme/order/OnEbnpn9KtE5yH27Oflg3BZwTBns4x7t/finalize\\\<https://[redacted].22/acme/acme/order/OnEbnpn9KtE5yH27Oflg3BZwTBns4x7t/finalize/>}\" size=414 status=201 user-agent=\"acme.sh/3.1.2 (https://github.com/acmesh-official/acme.sh)\<https://github.com/acmesh-official/acme.sh)/>" user-id="
}
{
        "_EXE" : "/usr/bin/step-ca",
        "_SELINUX_CONTEXT" : "unconfined\n",
        "_MACHINE_ID" : "e3c0f10a80284f7fb1f3cd5ef5476c92",
        "_CAP_EFFECTIVE" : "400",
        "_PID" : "2226",
        "SYSLOG_IDENTIFIER" : "step-ca",
        "_GID" : "996",
        "SYSLOG_FACILITY" : "3",
        "_RUNTIME_SCOPE" : "system",
        "__CURSOR" : "s=5819b12a49b64582a726181e92d271cb;i=10ff;b=013473d30295440782ff29490d3dc9fe;m=2d2aca7f1fb;t=63efcfc416ed0;x=8c246ed311a302e",
        "_SYSTEMD_INVOCATION_ID" : "85c5974ec43b4e56b4b1c77cef15930e",
        "_COMM" : "step-ca",
        "MESSAGE" : "time=\"2025-09-17T12:49:05+02:00\" level=info duration=5.975201ms duration-ns=5975201 fields.time=\"2025-09-17T12:49:05+02:00\" method=POST name=ca nonce=R3JoSUljRVU0cU5HcGhQeDdwRWJvV2o0RG9EQnBWdlg path=/acme/acme/authz/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7 protocol=HTTP/2.0 referer= remote-address=[redacted].23 request-id=21a5b8f1-2e06-4270-9c78-36756eed0454 response=\"{\\\"identifier\\\":{\\\"type\\\":\\\"dns\\\",\\\"value\\\":\\\"testhost.myown.home\\\"},\\\"status\\\":\\\"pending\\\",\\\"challenges\\\":[{\\\"type\\\":\\\"dns-01\\\",\\\"status\\\":\\\"pending\\\",\\\"token\\\":\\\"MjJKsBOb7QhF8NLH9OUNgVzfNNXky6rh\\\",\\\"url\\\":\\\https://[redacted].22/acme/acme/challenge/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7/n5wxEJwQaiIUZVtShgqh9Tzu0ypHe92V\\\<https://[redacted].22/acme/acme/challenge/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7/n5wxEJwQaiIUZVtShgqh9Tzu0ypHe92V/>},{\\\"type\\\":\\\"http-01\\\",\\\"status\\\":\\\"pending\\\",\\\"token\\\":\\\"MjJKsBOb7QhF8NLH9OUNgVzfNNXky6rh\\\",\\\"url\\\":\\\https://[redacted].22/acme/acme/challenge/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7/zoCrJwaGduKM01OzNFwmk0pUate4MWpp\\\<https://[redacted].22/acme/acme/challenge/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7/zoCrJwaGduKM01OzNFwmk0pUate4MWpp/>}],\\\"wildcard\\\":false,\\\"expires\\\":\\\"2025-09-18T10:49:04Z\\\"}\" size=542 status=200 user-agent=\"acme.sh/3.1.2 (https://github.com/acmesh-official/acme.sh)\<https://github.com/acmesh-official/acme.sh)/>" user-id=",
        "__MONOTONIC_TIMESTAMP" : "3103863075323",
        "_SYSTEMD_SLICE" : "system.slice",
        "_HOSTNAME" : "certificates",
        "_STREAM_ID" : "56b55ea55fd84f62a58435206f03676e",
        "PRIORITY" : "6",
        "_BOOT_ID" : "013473d30295440782ff29490d3dc9fe",
        "_SYSTEMD_CGROUP" : "/system.slice/step-ca.service",
        "__REALTIME_TIMESTAMP" : "1758106145091280",
        "_TRANSPORT" : "stdout",
        "_CMDLINE" : "/usr/bin/step-ca config/ca.json --password-file /[redacted step path]/secrets/password",
        "_SYSTEMD_UNIT" : "step-ca.service",
        "_UID" : "999"
}


While the ACME.sh script slept for 300 seconds, I ran on the DNS server: dig @192.168.2.21 TXT _acme-challenge.testhost.myown.home. Verifying that the TXT record was added correctly.
; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> @[redacted].21 TXT _acme-challenge.testhost.myown.home.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37924
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: db03a0646b58f1cf0100000068ca92262d763b3f9b6e48a7 (good)
;; QUESTION SECTION:
;_acme-challenge.testhost.myown.home. IN TXT

;; ANSWER SECTION:
_acme-challenge.testhost.myown.home. 600 IN TXT "JtLRfxGl3S0WZoYaVYJ3BWZCIk011AhHsu-WircaITk"

;; Query time: 0 msec
;; SERVER: [redacted].21#53([redacted].21) (UDP)
;; WHEN: Wed Sep 17 12:49:10 CEST 2025
;; MSG SIZE  rcvd: 155


>From 12.54 PM when ACME.sh tried to verify the the FQDN testhost.myown.home, I got the following output in the journalctl of the PKI of each of the 30 attempts:
{
        "_CAP_EFFECTIVE" : "400",
        "__MONOTONIC_TIMESTAMP" : "3104165836085",
        "_SYSTEMD_UNIT" : "step-ca.service",
        "_MACHINE_ID" : "e3c0f10a80284f7fb1f3cd5ef5476c92",
        "PRIORITY" : "6",
        "_STREAM_ID" : "56b55ea55fd84f62a58435206f03676e",
        "_SYSTEMD_CGROUP" : "/system.slice/step-ca.service",
        "_PID" : "2226",
        "__REALTIME_TIMESTAMP" : "1758106447852041",
        "SYSLOG_FACILITY" : "3",
        "_RUNTIME_SCOPE" : "system",
        "_HOSTNAME" : "certificates",
        "_CMDLINE" : "/usr/bin/step-ca config/ca.json --password-file /[redacted step path]/secrets/password",
        "_TRANSPORT" : "stdout",
        "_COMM" : "step-ca",
        "MESSAGE" : "time=\"2025-09-17T12:54:07+02:00\" level=info duration=20.569994ms duration-ns=20569994 fields.time=\"2025-09-17T12:54:07+02:00\" method=POST name=ca nonce=M3dsVFlIV2dOR2ZNc0w4RlBkNjV4S3RxTGROMVdQZnE path=/acme/acme/challenge/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7/n5wxEJwQaiIUZVtShgqh9Tzu0ypHe92V protocol=HTTP/2.0 referer= remote-address=[redacted].23 request-id=cab15bca-630d-471e-953a-2e83afb36dfd response=\"{\\\"type\\\":\\\"dns-01\\\",\\\"status\\\":\\\"pending\\\",\\\"token\\\":\\\"MjJKsBOb7QhF8NLH9OUNgVzfNNXky6rh\\\",\\\"url\\\":\\\https://[redacted].22/acme/acme/challenge/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7/n5wxEJwQaiIUZVtShgqh9Tzu0ypHe92V\\\<https://[redacted].22/acme/acme/challenge/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7/n5wxEJwQaiIUZVtShgqh9Tzu0ypHe92V/>,\\\"error\\\":{\\\"type\\\":\\\"urn:ietf:params:acme:error:dns\\\",\\\"detail\\\":\\\"There was a problem with a DNS query during identifier validation\\\"}}\" size=322 status=200 user-agent=\"acme.sh/3.1.2 (https://github.com/acmesh-official/acme.sh)\<https://github.com/acmesh-official/acme.sh)/>" user-id=",
        "_EXE" : "/usr/bin/step-ca",
        "SYSLOG_IDENTIFIER" : "step-ca",
        "_BOOT_ID" : "013473d30295440782ff29490d3dc9fe",
        "_UID" : "999",
        "_GID" : "996",
        "_SYSTEMD_INVOCATION_ID" : "85c5974ec43b4e56b4b1c77cef15930e",
        "_SELINUX_CONTEXT" : "unconfined\n",
        "__CURSOR" : "s=5819b12a49b64582a726181e92d271cb;i=1100;b=013473d30295440782ff29490d3dc9fe;m=2d2beb3b535;t=63efd0e4d3209;x=4b57da03825cd994",
        "_SYSTEMD_SLICE" : "system.slice"
}
{
        "__CURSOR" : "s=5819b12a49b64582a726181e92d271cb;i=1101;b=013473d30295440782ff29490d3dc9fe;m=2d2bee58f91;t=63efd0e7f0c65;x=a9161de4e298eae5",
        "_RUNTIME_SCOPE" : "system",
        "_SYSTEMD_CGROUP" : "/system.slice/step-ca.service",
        "SYSLOG_IDENTIFIER" : "step-ca",
        "_COMM" : "step-ca",
        "_SYSTEMD_SLICE" : "system.slice",
        "_PID" : "2226",
        "PRIORITY" : "6",
        "_CMDLINE" : "/usr/bin/step-ca config/ca.json --password-file /[redacted step path]/secrets/password",
        "_CAP_EFFECTIVE" : "400",
        "__MONOTONIC_TIMESTAMP" : "3104169103249",
        "_GID" : "996",
        "SYSLOG_FACILITY" : "3",
        "__REALTIME_TIMESTAMP" : "1758106451119205",
        "_MACHINE_ID" : "e3c0f10a80284f7fb1f3cd5ef5476c92",
        "_EXE" : "/usr/bin/step-ca",
        "_UID" : "999",
        "_SYSTEMD_UNIT" : "step-ca.service",
        "_HOSTNAME" : "certificates",
        "_SELINUX_CONTEXT" : "unconfined\n",
        "_BOOT_ID" : "013473d30295440782ff29490d3dc9fe",
        "_TRANSPORT" : "stdout",
        "_SYSTEMD_INVOCATION_ID" : "85c5974ec43b4e56b4b1c77cef15930e",
        "_STREAM_ID" : "56b55ea55fd84f62a58435206f03676e",
        "MESSAGE" : "time=\"2025-09-17T12:54:11+02:00\" level=info duration=5.976054ms duration-ns=5976054 fields.time=\"2025-09-17T12:54:11+02:00\" method=POST name=ca nonce=aU9venZXaHJBOGNKRlBYcUU1WkM5U0NiUmVtczlwckk path=/acme/acme/authz/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7 protocol=HTTP/2.0 referer= remote-address=[redacted].23 request-id=97b6d3c0-7f70-4aec-a83a-8949c26617c6 response=\"{\\\"identifier\\\":{\\\"type\\\":\\\"dns\\\",\\\"value\\\":\\\"testhost.myown.home\\\"},\\\"status\\\":\\\"pending\\\",\\\"challenges\\\":[{\\\"type\\\":\\\"dns-01\\\",\\\"status\\\":\\\"pending\\\",\\\"token\\\":\\\"MjJKsBOb7QhF8NLH9OUNgVzfNNXky6rh\\\",\\\"url\\\":\\\https://[redacted].22/acme/acme/challenge/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7/n5wxEJwQaiIUZVtShgqh9Tzu0ypHe92V\\\<https://[redacted].22/acme/acme/challenge/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7/n5wxEJwQaiIUZVtShgqh9Tzu0ypHe92V/>,\\\"error\\\":{\\\"type\\\":\\\"urn:ietf:params:acme:error:dns\\\",\\\"detail\\\":\\\"There was a problem with a DNS query during identifier validation\\\"}},{\\\"type\\\":\\\"http-01\\\",\\\"status\\\":\\\"pending\\\",\\\"token\\\":\\\"MjJKsBOb7QhF8NLH9OUNgVzfNNXky6rh\\\",\\\"url\\\":\\\https://[redacted].22/acme/acme/challenge/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7/zoCrJwaGduKM01OzNFwmk0pUate4MWpp\\\<https://[redacted].22/acme/acme/challenge/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7/zoCrJwaGduKM01OzNFwmk0pUate4MWpp/>}],\\\"wildcard\\\":false,\\\"expires\\\":\\\"2025-09-18T10:49:04Z\\\"}\" size=669 status=200 user-agent=\"acme.sh/3.1.2 (https://github.com/acmesh-official/acme.sh)\<https://github.com/acmesh-official/acme.sh)/>" user-id="
}
...This last message is repeated 29 times, for attempt 2 till 30 as shown in the output of the acme.sh...

Kind regards,
Vinvar

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20250918/d8c2e77d/attachment-0001.htm>


More information about the bind-users mailing list