Bind9 gives me error 'There was a problem with a DNS query during identifier validation'. Where to look for a solution?

P van Dijk machlar at hotmail.com
Fri Sep 19 13:39:35 UTC 2025


Hi Ondrej, Mark,

Thank you for your reply.  I agree that it was/is a lot of text. I do not know if attachments are allowed on this mailing list, but when drafting the message I was worried my question would not come across because of the amount of text. Sorry for the inconvenience.

With regards to your remark ‘whether you configured the CA machine to use any custom DNS to actually reach the DNS server with the tokens’, I checked and double-checked the DNS settings on the CA machine. The DNS pointed to my second name server, which should get all the data from the master. But let me test that. 😊 Unfortunately, I shall not be able to test it within the next week. Therefore, if these tests do not solve it, I shall respond later.

Warm regards,
Vinvar


From: Ondřej Surý <ondrej at isc.org>
Sent: Thursday 18 September 2025 22:52
CC: bind-users at lists.isc.org
Subject: Re: Bind9 gives me error 'There was a problem with a DNS query during identifier validation'. Where to look for a solution?

Hi,

I snipped the whole message as it seems like in a phase “how do I debug the CA”.

Your email didn’t contain any information about the rest of the DNS configuration in your network, so it is kind of hard to help you. We don’t know whether you configured the CA machine to use any custom DNS to actually reach the DNS server with the tokens. It will not happen on its own, but this information was missing (or buried in a ton of text related to ACME, not DNS).

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

Sent: Thursday 18 September 2025 13:15
To: 'bind-users at lists.isc.org' <bind-users at lists.isc.org>
Subject: Bind9 gives me error 'There was a problem with a DNS query during identifier validation'. Where to look for a solution?

Dear All,

Has anyone encountered the error message ‘There was a problem with a DNS query during identifier validation’ while trying to complete an ACME dns-01 challenge? If so, could you help me by pointing me towards a solution? I have tried multiple things but I am completely lost as to where the issue might reside. Google and the GitLab issue page do not show me any results.

My setup is the following three machines:

  *   ns1; running Bind9
  *   certificates; running Step CA
  *   testhost; Debian 12 on which I am trying to get a TLS certificate. (Once it works on the testhost, I would like to implement it on Truenas Scale. Meaning this Debian machine will be replaced by the machine running Truenas Scale.)

I want to get a TLS certificate on the testhost. To achieve this, I ran acme.sh and certbot on the testhost. Both result in the error message ‘There was a problem with a DNS query during identifier validation’.

Please find below my configuration and commands run.

BIND9 configuration
named.conf.local
        zone "myown.home" {
          type primary;
          file "/var/lib/bind/db.myown.home"; # Zone path file
          inline-signing yes;
          update-policy {
            grant myown_wildcard. name _acme-challenge.testhost.myown.home. txt;
          };
        };

        [redacted reversed-mapped zone]

/var/lib/bind/db.myown.home
        $ORIGIN .
        $TTL 86400      ; 1 day
        myown.home     IN SOA  ns1.myown.home. info.myown.home. (
                                        2025091716 ; serial
                                        43200            ; refresh (12 hours)
                                        900                ; retry (15 minutes)
                                        345600         ; expire (4 days)
                                        172800         ; minimum (2 days)
                                        )
                                NS      ns1.myown.home.
        $ORIGIN myown.home.
        testhost         A       [redacted].23
        ns1                 A       [redacted].21
        certificates    A       [redacted].22

Step CA configuration
[redacted step path]/config/ca.json
        "root": "/[redacted step path]/certs/root_ca.crt",
        "federatedRoots": null,
        "crt": "/[redacted step path]/certs/intermediate_ca.crt",
        "key": "/[redacted step path]/secrets/intermediate_ca_key",
        "address": ":443",
        "insecureAddress": "",
        "dnsNames": [
                "[redacted].22",
                "certificates.myown.home"
        ],
        "logger": {
                "format": "text"
        },
        "db": {
                "type": "badgerv2",
                "dataSource": "/etc/step-ca/db",
                "badgerFileLoadingMode": ""
        },
        "authority": {
                "provisioners": [
…
                        {
                                "type": "ACME",
                                "name": "acme-dns",
                                "challenges": [
                                        "dns-01"
                                ],
                                "claims": {
                                        "enableSSHCA": false,
                                        "disableRenewal": false,
                                        "allowRenewalAfterExpiry": false,
                                        "disableSmallstepExtensions": false
                                },
                                "options": {
                                        "x509": {},
                                        "ssh": {}
                                }
                        }
…


WORKFLOW
On the testhost I ran (as root) the following command to start the flow.
.acme.sh/acme.sh --issue --dns dns_nsupdate -d 'testhost.myown.home' --server https://[redacted].22/acme/acme/directory --dnssleep 300
REQUESTS_CA_BUNDLE=/usr/local/share/ca-certificates/myown_root_ca.crt certbot certonly --dns-rfc2136 --dns-rfc2136-credentials certbot.ini -d testhost.myown.home --server https://[redacted].22/acme/acme/directory

This resulted in the following output (example for acme.sh).
[Wed Sep 17 12:49:03 PM CEST 2025] Using CA: https://[redacted].22/acme/acme/directory
[Wed Sep 17 12:49:03 PM CEST 2025] Account key creation OK.
[Wed Sep 17 12:49:04 PM CEST 2025] Registering account: https://[redacted].22/acme/acme/directory
[Wed Sep 17 12:49:04 PM CEST 2025] Registered
[Wed Sep 17 12:49:04 PM CEST 2025] ACCOUNT_THUMBPRINT='7juVi3uRQTaf2qUTEvOB9faQfCjoNUHUNj-VFxyC284'
[Wed Sep 17 12:49:04 PM CEST 2025] Creating domain key
[Wed Sep 17 12:49:04 PM CEST 2025] The domain key is here: /root/.acme.sh/testhost.myown.home_ecc/testhost.myown.home.key
[Wed Sep 17 12:49:04 PM CEST 2025] Single domain='testhost.myown.home'
[Wed Sep 17 12:49:05 PM CEST 2025] Getting webroot for domain='testhost.myown.home'
[Wed Sep 17 12:49:05 PM CEST 2025] Adding TXT value: JtLRfxGl3S0WZoYaVYJ3BWZCIk011AhHsu-WircaITk for domain: _acme-challenge.testhost.myown.home
[Wed Sep 17 12:49:05 PM CEST 2025] adding _acme-challenge.testhost.myown.home. 600 in txt "JtLRfxGl3S0WZoYaVYJ3BWZCIk011AhHsu-WircaITk"
[Wed Sep 17 12:49:05 PM CEST 2025] The TXT record has been successfully added.
[Wed Sep 17 12:49:05 PM CEST 2025] Sleeping for 300 seconds to wait for the the TXT records to take effect
[Wed Sep 17 12:54:07 PM CEST 2025] Verifying: testhost.myown.home
[Wed Sep 17 12:54:07 PM CEST 2025] Pending. The CA is processing your order, please wait. (1/30)
[Wed Sep 17 12:54:11 PM CEST 2025] Pending. The CA is processing your order, please wait. (2/30)
[Wed Sep 17 12:54:14 PM CEST 2025] Pending. The CA is processing your order, please wait. (3/30)
[Wed Sep 17 12:54:17 PM CEST 2025] Pending. The CA is processing your order, please wait. (4/30)
[Wed Sep 17 12:54:21 PM CEST 2025] Pending. The CA is processing your order, please wait. (5/30)
[Wed Sep 17 12:54:24 PM CEST 2025] Pending. The CA is processing your order, please wait. (6/30)
[Wed Sep 17 12:54:27 PM CEST 2025] Pending. The CA is processing your order, please wait. (7/30)
[Wed Sep 17 12:54:30 PM CEST 2025] Pending. The CA is processing your order, please wait. (8/30)
[Wed Sep 17 12:54:34 PM CEST 2025] Pending. The CA is processing your order, please wait. (9/30)
[Wed Sep 17 12:54:37 PM CEST 2025] Pending. The CA is processing your order, please wait. (10/30)
[Wed Sep 17 12:54:40 PM CEST 2025] Pending. The CA is processing your order, please wait. (11/30)
[Wed Sep 17 12:54:43 PM CEST 2025] Pending. The CA is processing your order, please wait. (12/30)
[Wed Sep 17 12:54:47 PM CEST 2025] Pending. The CA is processing your order, please wait. (13/30)
[Wed Sep 17 12:54:50 PM CEST 2025] Pending. The CA is processing your order, please wait. (14/30)
[Wed Sep 17 12:54:53 PM CEST 2025] Pending. The CA is processing your order, please wait. (15/30)
[Wed Sep 17 12:54:57 PM CEST 2025] Pending. The CA is processing your order, please wait. (16/30)
[Wed Sep 17 12:55:00 PM CEST 2025] Pending. The CA is processing your order, please wait. (17/30)
[Wed Sep 17 12:55:03 PM CEST 2025] Pending. The CA is processing your order, please wait. (18/30)
[Wed Sep 17 12:55:06 PM CEST 2025] Pending. The CA is processing your order, please wait. (19/30)
[Wed Sep 17 12:55:10 PM CEST 2025] Pending. The CA is processing your order, please wait. (20/30)
[Wed Sep 17 12:55:13 PM CEST 2025] Pending. The CA is processing your order, please wait. (21/30)
[Wed Sep 17 12:55:16 PM CEST 2025] Pending. The CA is processing your order, please wait. (22/30)
[Wed Sep 17 12:55:20 PM CEST 2025] Pending. The CA is processing your order, please wait. (23/30)
[Wed Sep 17 12:55:23 PM CEST 2025] Pending. The CA is processing your order, please wait. (24/30)
[Wed Sep 17 12:55:26 PM CEST 2025] Pending. The CA is processing your order, please wait. (25/30)
[Wed Sep 17 12:55:29 PM CEST 2025] Pending. The CA is processing your order, please wait. (26/30)
[Wed Sep 17 12:55:33 PM CEST 2025] Pending. The CA is processing your order, please wait. (27/30)
[Wed Sep 17 12:55:36 PM CEST 2025] Pending. The CA is processing your order, please wait. (28/30)
[Wed Sep 17 12:55:39 PM CEST 2025] Pending. The CA is processing your order, please wait. (29/30)
[Wed Sep 17 12:55:42 PM CEST 2025] testhost.myown.home: Timeout
[Wed Sep 17 12:55:42 PM CEST 2025] Removing DNS records.
[Wed Sep 17 12:55:42 PM CEST 2025] Removing txt: JtLRfxGl3S0WZoYaVYJ3BWZCIk011AhHsu-WircaITk for domain: _acme-challenge.testhost.myown.home
[Wed Sep 17 12:55:43 PM CEST 2025] removing _acme-challenge.testhost.myown.home. txt
[Wed Sep 17 12:55:43 PM CEST 2025] Successfully removed
[Wed Sep 17 12:55:43 PM CEST 2025] Please add '--debug' or '--log' to see more information.
[Wed Sep 17 12:55:43 PM CEST 2025] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh


At 12:49 PM, when acme.sh registered the account and added the TXT message, I got the following in the journalctl on certificates.myown.home:
{
        "__CURSOR" : "s=5819b12a49b64582a726181e92d271cb;i=10fb;b=013473d30295440782ff29490d3dc9fe;m=2d2ac928bed;t=63efcfc2c08c2;x=efdcb09f0f131d1e",
        "_CMDLINE" : "/usr/bin/step-ca config/ca.json --password-file /[redacted step path]/secrets/password",
        "_GID" : "996",
        "_SYSTEMD_INVOCATION_ID" : "85c5974ec43b4e56b4b1c77cef15930e",
        "_CAP_EFFECTIVE" : "400",
        "__REALTIME_TIMESTAMP" : "1758106143688898",
        "_STREAM_ID" : "56b55ea55fd84f62a58435206f03676e",
        "_SYSTEMD_UNIT" : "step-ca.service",
        "_UID" : "999",
        "SYSLOG_IDENTIFIER" : "step-ca",
        "_PID" : "2226",
        "_BOOT_ID" : "013473d30295440782ff29490d3dc9fe",
        "_SELINUX_CONTEXT" : "unconfined\n",
        "SYSLOG_FACILITY" : "3",
        "_MACHINE_ID" : "e3c0f10a80284f7fb1f3cd5ef5476c92",
        "_EXE" : "/usr/bin/step-ca",
        "_RUNTIME_SCOPE" : "system",
        "_SYSTEMD_CGROUP" : "/system.slice/step-ca.service",
        "_HOSTNAME" : "certificates",
        "_COMM" : "step-ca",
        "__MONOTONIC_TIMESTAMP" : "3103861672941",
        "_SYSTEMD_SLICE" : "system.slice",
        "MESSAGE" : "time=\"2025-09-17T12:49:03+02:00\" level=info duration=\"58.755µs\" duration-ns=58755 fields.time=\"2025-09-17T12:49:03+02:00\" method=GET name=ca path=/acme/acme/directory protocol=HTTP/2.0 referer= remote-address=[redacted].23 request-id=a4421749-4cbd-4128-a22a-3de5ce439a4e response=\"{\\\"newNonce\\\":\\\"https://[redacted].22/acme/acme/new-nonce\\\",\\\"newAccount\\\":\\\"https://[redacted].22/acme/acme/new-account\\\",\\\"newOrder\\\":\\\"https://[redacted].22/acme/acme/new-order\\\",\\\"revokeCert\\\":\\\"https://[redacted].22/acme/acme/revoke-cert\\\",\\\"keyChange\\\":\\\"https://[redacted].22/acme/acme/key-change\\\"}\" size=282 status=200 user-agent=\"acme.sh/3.1.2 (https://github.com/acmesh-official/acme.sh)\" user-id=",
        "PRIORITY" : "6",
        "_TRANSPORT" : "stdout"
}
{
        "_PID" : "2226",
        "_SYSTEMD_UNIT" : "step-ca.service",
        "_COMM" : "step-ca",
        "_GID" : "996",
        "_CMDLINE" : "/usr/bin/step-ca config/ca.json --password-file /[redacted step path]/secrets/password",
        "MESSAGE" : "time=\"2025-09-17T12:49:04+02:00\" level=info duration=3.178139ms duration-ns=3178139 fields.time=\"2025-09-17T12:49:04+02:00\" method=HEAD name=ca nonce=UzROdnlhVXc2SHVnbkZOV1YxTVFlamxzV3U3ZVhFa0I path=/acme/acme/new-nonce protocol=HTTP/2.0 referer= remote-address=[redacted].23 request-id=0063c780-2e22-4b3c-b0e3-e0a9e211619b size=0 status=200 user-agent=\"acme.sh/3.1.2 (https://github.com/acmesh-official/acme.sh)\" user-id=",
        "__CURSOR" : "s=5819b12a49b64582a726181e92d271cb;i=10fc;b=013473d30295440782ff29490d3dc9fe;m=2d2ac998662;t=63efcfc330336;x=dab3e11aced4bad7",
        "_UID" : "999",
        "SYSLOG_FACILITY" : "3",
        "_BOOT_ID" : "013473d30295440782ff29490d3dc9fe",
        "SYSLOG_IDENTIFIER" : "step-ca",
        "_CAP_EFFECTIVE" : "400",
        "_SYSTEMD_SLICE" : "system.slice",
        "_HOSTNAME" : "certificates",
        "_EXE" : "/usr/bin/step-ca",
        "_STREAM_ID" : "56b55ea55fd84f62a58435206f03676e",
        "_RUNTIME_SCOPE" : "system",
        "__REALTIME_TIMESTAMP" : "1758106144146230",
        "__MONOTONIC_TIMESTAMP" : "3103862130274",
        "_SYSTEMD_INVOCATION_ID" : "85c5974ec43b4e56b4b1c77cef15930e",
        "PRIORITY" : "6",
        "_SELINUX_CONTEXT" : "unconfined\n",
        "_MACHINE_ID" : "e3c0f10a80284f7fb1f3cd5ef5476c92",
        "_TRANSPORT" : "stdout",
        "_SYSTEMD_CGROUP" : "/system.slice/step-ca.service"
}
{
        "PRIORITY" : "6",
        "_MACHINE_ID" : "e3c0f10a80284f7fb1f3cd5ef5476c92",
        "_BOOT_ID" : "013473d30295440782ff29490d3dc9fe",
        "SYSLOG_IDENTIFIER" : "step-ca",
        "_EXE" : "/usr/bin/step-ca",
        "_SYSTEMD_CGROUP" : "/system.slice/step-ca.service",
        "__REALTIME_TIMESTAMP" : "1758106144332324",
        "_SYSTEMD_SLICE" : "system.slice",
        "__MONOTONIC_TIMESTAMP" : "3103862316368",
        "_GID" : "996",
        "_STREAM_ID" : "56b55ea55fd84f62a58435206f03676e",
        "_HOSTNAME" : "certificates",
        "_COMM" : "step-ca",
        "MESSAGE" : "time=\"2025-09-17T12:49:04+02:00\" level=info duration=10.229178ms duration-ns=10229178 fields.time=\"2025-09-17T12:49:04+02:00\" method=POST name=ca nonce=SWEwNVFNczcySlBlZUhwcFNpald0TmJrUEdEekh3V3g path=/acme/acme/new-account protocol=HTTP/2.0 referer= remote-address=[redacted].23 request-id=3be4d4bb-5479-4904-8b73-b53f0fbbb150 response=\"{\\\"contact\\\":[\\\"mailto:test at test.com\\\"],\\\"status\\\":\\\"valid\\\",\\\"orders\\\":\\\"https://[redacted].22/acme/acme/account/6J2ZJJSxnYO27u6bpFUtBrJ1CCtHkfcA/orders\\\"}\" size=144 status=201 user-agent=\"acme.sh/3.1.2 (https://github.com/acmesh-official/acme.sh)\" user-id=",
        "_SYSTEMD_INVOCATION_ID" : "85c5974ec43b4e56b4b1c77cef15930e",
        "_SELINUX_CONTEXT" : "unconfined\n",
        "_CMDLINE" : "/usr/bin/step-ca config/ca.json --password-file /[redacted step path]/secrets/password",
        "_RUNTIME_SCOPE" : "system",
        "_CAP_EFFECTIVE" : "400",
        "_TRANSPORT" : "stdout",
        "_SYSTEMD_UNIT" : "step-ca.service",
        "_UID" : "999",
        "SYSLOG_FACILITY" : "3",
        "_PID" : "2226",
        "__CURSOR" : "s=5819b12a49b64582a726181e92d271cb;i=10fd;b=013473d30295440782ff29490d3dc9fe;m=2d2ac9c5d50;t=63efcfc35da24;x=8d727976330d3e21"
}
{
        "_BOOT_ID" : "013473d30295440782ff29490d3dc9fe",
        "_COMM" : "step-ca",
        "_MACHINE_ID" : "e3c0f10a80284f7fb1f3cd5ef5476c92",
        "_HOSTNAME" : "certificates",
        "_TRANSPORT" : "stdout",
        "_GID" : "996",
        "_CMDLINE" : "/usr/bin/step-ca config/ca.json --password-file /[redacted step path]/secrets/password",
        "_UID" : "999",
        "SYSLOG_FACILITY" : "3",
        "_SYSTEMD_UNIT" : "step-ca.service",
        "_STREAM_ID" : "56b55ea55fd84f62a58435206f03676e",
        "_PID" : "2226",
        "PRIORITY" : "6",
        "_SYSTEMD_CGROUP" : "/system.slice/step-ca.service",
        "_CAP_EFFECTIVE" : "400",
        "__MONOTONIC_TIMESTAMP" : "3103862794284",
        "_SYSTEMD_INVOCATION_ID" : "85c5974ec43b4e56b4b1c77cef15930e",
        "__REALTIME_TIMESTAMP" : "1758106144810241",
        "_SYSTEMD_SLICE" : "system.slice",
        "SYSLOG_IDENTIFIER" : "step-ca",
        "_EXE" : "/usr/bin/step-ca",
        "_SELINUX_CONTEXT" : "unconfined\n",
        "__CURSOR" : "s=5819b12a49b64582a726181e92d271cb;i=10fe;b=013473d30295440782ff29490d3dc9fe;m=2d2aca3a82c;t=63efcfc3d2501;x=d6ac118a2c53c6a4",
        "_RUNTIME_SCOPE" : "system",
        "MESSAGE" : "time=\"2025-09-17T12:49:04+02:00\" level=info duration=17.863338ms duration-ns=17863338 fields.time=\"2025-09-17T12:49:04+02:00\" method=POST name=ca nonce=RmJ1Z0RkY0JXQk9LaEdLcU9PdDZId2NXUW5xcUdqekQ path=/acme/acme/new-order protocol=HTTP/2.0 referer= remote-address=[redacted].23 request-id=3f8bd00e-6c59-4de8-b5b4-2c51cf2f6bd8 response=\"{\\\"id\\\":\\\"OnEbnpn9KtE5yH27Oflg3BZwTBns4x7t\\\",\\\"status\\\":\\\"pending\\\",\\\"expires\\\":\\\"2025-09-18T10:49:04Z\\\",\\\"identifiers\\\":[{\\\"type\\\":\\\"dns\\\",\\\"value\\\":\\\"testhost.myown.home\\\"}],\\\"notBefore\\\":\\\"2025-09-17T10:48:04Z\\\",\\\"notAfter\\\":\\\"2025-09-18T10:49:04Z\\\",\\\"authorizations\\\":[\\\"https://[redacted].22/acme/acme/authz/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7\\\"],\\\"finalize\\\":\\\"https://[redacted].22/acme/acme/order/OnEbnpn9KtE5yH27Oflg3BZwTBns4x7t/finalize\\\"}\" size=414 status=201 user-agent=\"acme.sh/3.1.2 (https://github.com/acmesh-official/acme.sh)\" user-id="
}
{
        "_EXE" : "/usr/bin/step-ca",
        "_SELINUX_CONTEXT" : "unconfined\n",
        "_MACHINE_ID" : "e3c0f10a80284f7fb1f3cd5ef5476c92",
        "_CAP_EFFECTIVE" : "400",
        "_PID" : "2226",
        "SYSLOG_IDENTIFIER" : "step-ca",
        "_GID" : "996",
        "SYSLOG_FACILITY" : "3",
        "_RUNTIME_SCOPE" : "system",
        "__CURSOR" : "s=5819b12a49b64582a726181e92d271cb;i=10ff;b=013473d30295440782ff29490d3dc9fe;m=2d2aca7f1fb;t=63efcfc416ed0;x=8c246ed311a302e",
        "_SYSTEMD_INVOCATION_ID" : "85c5974ec43b4e56b4b1c77cef15930e",
        "_COMM" : "step-ca",
        "MESSAGE" : "time=\"2025-09-17T12:49:05+02:00\" level=info duration=5.975201ms duration-ns=5975201 fields.time=\"2025-09-17T12:49:05+02:00\" method=POST name=ca nonce=R3JoSUljRVU0cU5HcGhQeDdwRWJvV2o0RG9EQnBWdlg path=/acme/acme/authz/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7 protocol=HTTP/2.0 referer= remote-address=[redacted].23 request-id=21a5b8f1-2e06-4270-9c78-36756eed0454 response=\"{\\\"identifier\\\":{\\\"type\\\":\\\"dns\\\",\\\"value\\\":\\\"testhost.myown.home\\\"},\\\"status\\\":\\\"pending\\\",\\\"challenges\\\":[{\\\"type\\\":\\\"dns-01\\\",\\\"status\\\":\\\"pending\\\",\\\"token\\\":\\\"MjJKsBOb7QhF8NLH9OUNgVzfNNXky6rh\\\",\\\"url\\\":\\\"https://[redacted].22/acme/acme/challenge/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7/n5wxEJwQaiIUZVtShgqh9Tzu0ypHe92V\\\"},{\\\"type\\\":\\\"http-01\\\",\\\"status\\\":\\\"pending\\\",\\\"token\\\":\\\"MjJKsBOb7QhF8NLH9OUNgVzfNNXky6rh\\\",\\\"url\\\":\\\"https://[redacted].22/acme/acme/challenge/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7/zoCrJwaGduKM01OzNFwmk0pUate4MWpp\\\"}],\\\"wildcard\\\":false,\\\"expires\\\":\\\"2025-09-18T10:49:04Z\\\"}\" size=542 status=200 user-agent=\"acme.sh/3.1.2 (https://github.com/acmesh-official/acme.sh)\" user-id=",
        "__MONOTONIC_TIMESTAMP" : "3103863075323",
        "_SYSTEMD_SLICE" : "system.slice",
        "_HOSTNAME" : "certificates",
        "_STREAM_ID" : "56b55ea55fd84f62a58435206f03676e",
        "PRIORITY" : "6",
        "_BOOT_ID" : "013473d30295440782ff29490d3dc9fe",
        "_SYSTEMD_CGROUP" : "/system.slice/step-ca.service",
        "__REALTIME_TIMESTAMP" : "1758106145091280",
        "_TRANSPORT" : "stdout",
        "_CMDLINE" : "/usr/bin/step-ca config/ca.json --password-file /[redacted step path]/secrets/password",
        "_SYSTEMD_UNIT" : "step-ca.service",
        "_UID" : "999"
}


While the acme.sh script slept for 300 seconds, I ran on the DNS server dig @192.168.2.21 TXT _acme-challenge.testhost.myown.home. to verify that the TXT record was added correctly.
; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> @[redacted].21 TXT _acme-challenge.testhost.myown.home.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37924
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: db03a0646b58f1cf0100000068ca92262d763b3f9b6e48a7 (good)
;; QUESTION SECTION:
;_acme-challenge.testhost.myown.home. IN TXT

;; ANSWER SECTION:
_acme-challenge.testhost.myown.home. 600 IN TXT "JtLRfxGl3S0WZoYaVYJ3BWZCIk011AhHsu-WircaITk"

;; Query time: 0 msec
;; SERVER: [redacted].21#53([redacted].21) (UDP)
;; WHEN: Wed Sep 17 12:49:10 CEST 2025
;; MSG SIZE  rcvd: 155


From 12:54 PM, when acme.sh tried to verify the FQDN testhost.myown.home, I got the following output in the journalctl of the PKI for each of the 30 attempts:
{
        "_CAP_EFFECTIVE" : "400",
        "__MONOTONIC_TIMESTAMP" : "3104165836085",
        "_SYSTEMD_UNIT" : "step-ca.service",
        "_MACHINE_ID" : "e3c0f10a80284f7fb1f3cd5ef5476c92",
        "PRIORITY" : "6",
        "_STREAM_ID" : "56b55ea55fd84f62a58435206f03676e",
        "_SYSTEMD_CGROUP" : "/system.slice/step-ca.service",
        "_PID" : "2226",
        "__REALTIME_TIMESTAMP" : "1758106447852041",
        "SYSLOG_FACILITY" : "3",
        "_RUNTIME_SCOPE" : "system",
        "_HOSTNAME" : "certificates",
        "_CMDLINE" : "/usr/bin/step-ca config/ca.json --password-file /[redacted step path]/secrets/password",
        "_TRANSPORT" : "stdout",
        "_COMM" : "step-ca",
        "MESSAGE" : "time=\"2025-09-17T12:54:07+02:00\" level=info duration=20.569994ms duration-ns=20569994 fields.time=\"2025-09-17T12:54:07+02:00\" method=POST name=ca nonce=M3dsVFlIV2dOR2ZNc0w4RlBkNjV4S3RxTGROMVdQZnE path=/acme/acme/challenge/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7/n5wxEJwQaiIUZVtShgqh9Tzu0ypHe92V protocol=HTTP/2.0 referer= remote-address=[redacted].23 request-id=cab15bca-630d-471e-953a-2e83afb36dfd response=\"{\\\"type\\\":\\\"dns-01\\\",\\\"status\\\":\\\"pending\\\",\\\"token\\\":\\\"MjJKsBOb7QhF8NLH9OUNgVzfNNXky6rh\\\",\\\"url\\\":\\\"https://[redacted].22/acme/acme/challenge/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7/n5wxEJwQaiIUZVtShgqh9Tzu0ypHe92V\\\",\\\"error\\\":{\\\"type\\\":\\\"urn:ietf:params:acme:error:dns\\\",\\\"detail\\\":\\\"There was a problem with a DNS query during identifier validation\\\"}}\" size=322 status=200 user-agent=\"acme.sh/3.1.2 (https://github.com/acmesh-official/acme.sh)\" user-id=",
        "_EXE" : "/usr/bin/step-ca",
        "SYSLOG_IDENTIFIER" : "step-ca",
        "_BOOT_ID" : "013473d30295440782ff29490d3dc9fe",
        "_UID" : "999",
        "_GID" : "996",
        "_SYSTEMD_INVOCATION_ID" : "85c5974ec43b4e56b4b1c77cef15930e",
        "_SELINUX_CONTEXT" : "unconfined\n",
        "__CURSOR" : "s=5819b12a49b64582a726181e92d271cb;i=1100;b=013473d30295440782ff29490d3dc9fe;m=2d2beb3b535;t=63efd0e4d3209;x=4b57da03825cd994",
        "_SYSTEMD_SLICE" : "system.slice"
}
{
        "__CURSOR" : "s=5819b12a49b64582a726181e92d271cb;i=1101;b=013473d30295440782ff29490d3dc9fe;m=2d2bee58f91;t=63efd0e7f0c65;x=a9161de4e298eae5",
        "_RUNTIME_SCOPE" : "system",
        "_SYSTEMD_CGROUP" : "/system.slice/step-ca.service",
        "SYSLOG_IDENTIFIER" : "step-ca",
        "_COMM" : "step-ca",
        "_SYSTEMD_SLICE" : "system.slice",
        "_PID" : "2226",
        "PRIORITY" : "6",
        "_CMDLINE" : "/usr/bin/step-ca config/ca.json --password-file /[redacted step path]/secrets/password",
        "_CAP_EFFECTIVE" : "400",
        "__MONOTONIC_TIMESTAMP" : "3104169103249",
        "_GID" : "996",
        "SYSLOG_FACILITY" : "3",
        "__REALTIME_TIMESTAMP" : "1758106451119205",
        "_MACHINE_ID" : "e3c0f10a80284f7fb1f3cd5ef5476c92",
        "_EXE" : "/usr/bin/step-ca",
        "_UID" : "999",
        "_SYSTEMD_UNIT" : "step-ca.service",
        "_HOSTNAME" : "certificates",
        "_SELINUX_CONTEXT" : "unconfined\n",
        "_BOOT_ID" : "013473d30295440782ff29490d3dc9fe",
        "_TRANSPORT" : "stdout",
        "_SYSTEMD_INVOCATION_ID" : "85c5974ec43b4e56b4b1c77cef15930e",
        "_STREAM_ID" : "56b55ea55fd84f62a58435206f03676e",
        "MESSAGE" : "time=\"2025-09-17T12:54:11+02:00\" level=info duration=5.976054ms duration-ns=5976054 fields.time=\"2025-09-17T12:54:11+02:00\" method=POST name=ca nonce=aU9venZXaHJBOGNKRlBYcUU1WkM5U0NiUmVtczlwckk path=/acme/acme/authz/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7 protocol=HTTP/2.0 referer= remote-address=[redacted].23 request-id=97b6d3c0-7f70-4aec-a83a-8949c26617c6 response=\"{\\\"identifier\\\":{\\\"type\\\":\\\"dns\\\",\\\"value\\\":\\\"testhost.myown.home\\\"},\\\"status\\\":\\\"pending\\\",\\\"challenges\\\":[{\\\"type\\\":\\\"dns-01\\\",\\\"status\\\":\\\"pending\\\",\\\"token\\\":\\\"MjJKsBOb7QhF8NLH9OUNgVzfNNXky6rh\\\",\\\"url\\\":\\\"https://[redacted].22/acme/acme/challenge/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7/n5wxEJwQaiIUZVtShgqh9Tzu0ypHe92V\\\",\\\"error\\\":{\\\"type\\\":\\\"urn:ietf:params:acme:error:dns\\\",\\\"detail\\\":\\\"There was a problem with a DNS query during identifier validation\\\"}},{\\\"type\\\":\\\"http-01\\\",\\\"status\\\":\\\"pending\\\",\\\"token\\\":\\\"MjJKsBOb7QhF8NLH9OUNgVzfNNXky6rh\\\",\\\"url\\\":\\\"https://[redacted].22/acme/acme/challenge/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7/zoCrJwaGduKM01OzNFwmk0pUate4MWpp\\\"}],\\\"wildcard\\\":false,\\\"expires\\\":\\\"2025-09-18T10:49:04Z\\\"}\" size=669 status=200 user-agent=\"acme.sh/3.1.2 (https://github.com/acmesh-official/acme.sh)\" user-id="
}
…This last message is repeated 29 times, for attempts 2 through 30, as shown in the acme.sh output…

Kind regards,
Vinvar
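An added example, not code from the original post, from ISC or from Smallstep: a stand-alone Python script that reproduces the check a CA performs for dns-01, sending a minimal UDP TXT query to one chosen resolver and comparing the answer with base64url(SHA-256(token "." account thumbprint)) as RFC 8555 section 8.4 defines it. The token and account thumbprint are the values quoted in the post above; the resolver address 192.0.2.21 is a placeholder, and build_txt_response is a constructed fixture so the parser can be exercised offline. Run on the CA host against each resolver that host is configured with, it separates a DNS query that fails outright (a timeout, REFUSED or NXDOMAIN, which is the failure class the urn:ietf:params:acme:error:dns type reports) from a record that is reachable but carries a value other than the expected one.

```python
import base64
import hashlib
import random
import socket
import struct

# Values quoted in the original post (acme.sh output and step-ca journal).
ACCOUNT_THUMBPRINT = "7juVi3uRQTaf2qUTEvOB9faQfCjoNUHUNj-VFxyC284"
CHALLENGE_TOKEN = "MjJKsBOb7QhF8NLH9OUNgVzfNNXky6rh"
CHALLENGE_NAME = "_acme-challenge.testhost.myown.home."
# Placeholder (TEST-NET-1), not the poster's address: use the resolver the CA host actually queries.
RESOLVER_USED_BY_CA = "192.0.2.21"

def expected_txt(token: str, thumbprint: str) -> str:
    """dns-01 (RFC 8555 section 8.4): TXT = base64url(SHA-256(token "." thumbprint)), no padding."""
    digest = hashlib.sha256(f"{token}.{thumbprint}".encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def encode_name(name: str) -> bytes:
    """Wire-format DNS name: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(struct.pack("B", len(lab)) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_txt_query(name: str, qid: int) -> bytes:
    """Single-question query: flags 0x0100 (RD), QTYPE 16 (TXT), QCLASS 1 (IN)."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", 16, 1)

def build_txt_response(query: bytes, strings: list) -> bytes:
    """Constructed reply for offline use: echoes the question and answers with one TXT RR."""
    qid = struct.unpack(">H", query[:2])[0]
    question = query[12:]
    rdata = b"".join(struct.pack("B", len(s)) + s.encode("ascii") for s in strings)
    # 0xC00C is a compression pointer back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 16, 1, 600, len(rdata)) + rdata
    header = struct.pack(">HHHHHH", qid, 0x8180, 1, 1, 0, 0)  # QR|RD|RA, RCODE 0
    return header + question + answer

def skip_name(packet: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = packet[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # a two-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length

def parse_txt_response(packet: bytes, qid: int) -> list:
    """Return the TXT strings from the answer section; raise on a failed reply."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", packet[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError(f"RCODE {rcode} (2 = SERVFAIL, 3 = NXDOMAIN, 5 = REFUSED)")
    offset = 12
    for _ in range(qdcount):
        offset = skip_name(packet, offset) + 4  # skip QTYPE and QCLASS
    strings = []
    for _ in range(ancount):
        offset = skip_name(packet, offset)
        rtype, _, _, rdlength = struct.unpack(">HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlength]
        offset += rdlength
        if rtype == 16:  # TXT RDATA is a sequence of <length><characters>
            pos = 0
            while pos < len(rdata):
                n = rdata[pos]
                strings.append(rdata[pos + 1:pos + 1 + n].decode("utf-8", "replace"))
                pos += 1 + n
    return strings

def lookup_txt(name: str, resolver: str, timeout: float = 3.0) -> list:
    """Ask one specific resolver over UDP, as the CA's validator does."""
    qid = random.randrange(1, 0xFFFF)
    query = build_txt_query(name, qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_txt_response(data, qid)

def validate_dns01(txt_strings: list, token: str, thumbprint: str) -> dict:
    """The CA's decision: the expected value must be one of the published TXT strings."""
    want = expected_txt(token, thumbprint)
    return {"expected": want, "found": txt_strings, "valid": want in txt_strings}

if __name__ == "__main__":
    try:
        found = lookup_txt(CHALLENGE_NAME, RESOLVER_USED_BY_CA)
    except (OSError, ValueError) as exc:
        # A timeout, REFUSED or NXDOMAIN here is the failure class the ACME "dns" error type reports.
        print(f"DNS query to {RESOLVER_USED_BY_CA} failed: {exc}")
    else:
        print(validate_dns01(found, CHALLENGE_TOKEN, ACCOUNT_THUMBPRINT))
```

Because the query goes to one explicit resolver, running it once per nameserver listed in the CA host's resolver configuration (and once against ns1 directly) shows whether the TXT record that dig returned from ns1 is also visible on the path the CA actually takes; a secondary that has not transferred the dynamically updated zone yet, or a resolver that refuses queries from the CA's address, produces the "DNS query failed" branch rather than a value mismatch.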


