On Fri, Nov 21, 2025 at 09:30:55PM +0100, Aleksandar Lazic wrote:
> ```shell
> alex@alex-tuxedoinfinitybooks1517gen7 on 21/11/2025 at 21:15:16_CET
> /datadisk/git-repos/haproxy $
> # ./haproxy -W -db -f ../haproxy_acme.cfg
> [NOTICE]   (4047) : Initializing new worker (4049)
> [NOTICE]   (4049) : config : No certificate available for 'none.at.pem',
> generating a temporary key pair before getting the ACME certificate
> [NOTICE]   (4049) : config : acme: generate account key 'DNS1.account.key'
> for acme section 'DNS1'.
> Sharing caphdr with caphdr
> Sharing caphdr with caphdr
> Sharing ptrcap with ptrcap
> Sharing ptrcap with ptrcap
> [NOTICE]   (4049) : Automatically setting global.maxconn to 524263.
> Sharing stk_ctr with caphdr
> [NOTICE]   (4047) : Loading success.
> acme: none.at.pem: Starting update of the certificate.
> -:- [21/Nov/2025:21:15:21.243] <ACME> -/- 3/0/321/161/483 200 152 - - ----
> 0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "GET
> https://acme-staging-v02.api.letsencrypt.org/directory HTTP/1.1"
> 0/0000000000000000/-/-/0 -/-/-
> -:- [21/Nov/2025:21:15:21.727] <ACME> -/- 2/0/0/741/741 200 158 - - ----
> 0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "HEAD
> https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce HTTP/1.1"
> 0/0000000000000000/-/-/0 -/-/-
> -:- [21/Nov/2025:21:15:22.468] <ACME> -/- 2/0/0/178/178 400 963 - - ----
> 0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "POST
> https://acme-staging-v02.api.letsencrypt.org/acme/new-acct HTTP/1.1"
> 0/0000000000000000/-/-/0 -/-/-
> -:- [21/Nov/2025:21:15:22.647] <ACME> -/- 2/0/0/303/303 201 991 - - ----
> 0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "POST
> https://acme-staging-v02.api.letsencrypt.org/acme/new-acct HTTP/1.1"
> 0/0000000000000000/-/-/0 -/-/-
> -:- [21/Nov/2025:21:15:22.950] <ACME> -/- 2/0/0/168/168 201 870 - - ----
> 0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "POST
> https://acme-staging-v02.api.letsencrypt.org/acme/new-order HTTP/1.1"
> 0/0000000000000000/-/-/0 -/-/-
> acme: none.at.pem: dns-01 requires to set the "_acme-challenge.none.at" TXT
> record to "Vbqf5UyduQlpoKDfLbxSa3b3YljtSYOW4cxtk15Ci-w" and use the "acme
> challenge_ready none.at.pem domain none.at" command over the CLI
> -:- [21/Nov/2025:21:15:23.118] <ACME> -/- 2/0/0/162/162 200 776 - - ----
> 0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "POST
> https://acme-staging-v02.api.letsencrypt.org/acme/authz/244887833/20356587293
> HTTP/1.1" 0/0000000000000000/-/-/0 -/-/-
> acme: none.at.pem: dns-01 requires to set the "_acme-challenge.none.at" TXT
> record to "cCWPWcuQBKp3ncDT4ayzyRC6HMc3Nhp8vPhdIoDGsUY" and use the "acme
> challenge_ready none.at.pem domain none.at" command over the CLI
> -:- [21/Nov/2025:21:15:23.281] <ACME> -/- 2/0/0/163/163 200 776 - - ----
> 0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "POST
> https://acme-staging-v02.api.letsencrypt.org/acme/authz/244887833/20356587283
> HTTP/1.1" 0/0000000000000000/-/-/0 -/-/-
> -:- [21/Nov/2025:21:18:06.706] <ACME> -/- 5/0/0/484/487 200 796 - - ----
> 0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "POST 
> https://acme-staging-v02.api.letsencrypt.org/acme/chall/244887833/20356587293/7JLxvw
> HTTP/1.1" 0/0000000000000000/-/-/0 -/-/-
> ```
> 
> Check DNS
> ```shell
> alex@alex-tuxedoinfinitybooks1517gen7 on 21/11/2025 at 21:16:39_CET
> /datadisk/git-repos/haproxy $
> # dig @ns1.desec.io +short _acme-challenge.none.at txt
> "Vbqf5UyduQlpoKDfLbxSa3b3YljtSYOW4cxtk15Ci-w"
> "cCWPWcuQBKp3ncDT4ayzyRC6HMc3Nhp8vPhdIoDGsUY"
> ```
> 
> Challenge ready
> ```shell
> alex@alex-tuxedoinfinitybooks1517gen7 on 21/11/2025 at 21:18:03_CET
> /datadisk/git-repos/haproxy $
> # echo "acme challenge_ready none.at.pem domain none.at" | socat - /tmp/hap-stats
> Challenge Ready!
> 
> alex@alex-tuxedoinfinitybooks1517gen7 on 21/11/2025 at 21:18:06_CET
> /datadisk/git-repos/haproxy $
> # echo "acme status" | socat - /tmp/hap-stats
> # certificate section state   expiration date (UTC)   expires in      scheduled date (UTC)   scheduled in
> none.at.pem   DNS1    Running 2025-11-20T20:15:21Z    0d 0h00m00s     -                      -
> ```

Are you sure you recompiled with the latest master version? It does not
process the 2nd domain, as if you hadn't applied my fix?

> 
> Certbot handles this in one challenge and adds the additional domains into
> the SAN; could this also be handled like this in HAP?
> 
> https://eff-certbot.readthedocs.io/en/stable/using.html#certbot-command-line-options
> 
> ###
> -d DOMAIN, --domains DOMAIN, --domain DOMAIN
>                         Domain names to include. For multiple domains you can
>                         use multiple -d flags or enter a comma separated list
>                         of domains as a parameter. All domains will be
>                         included as Subject Alternative Names on the
>                         certificate. The first domain will be used as the
>                         certificate name, unless otherwise specified or if you
>                         already have a certificate with the same name. In the
>                         case of a name conflict, a number like -0001 will be
>                         appended to the certificate name. (default: Ask)
> ###
> 
> https://github.com/certbot/certbot/blob/main/certbot/src/certbot/_internal/cli/cli_utils.py#L105
> 

That's already what we are doing: there's 1 order per certificate, but you need
1 challenge per domain. You can't validate a domain without proving that you
have permission to use it. The certificate that will be issued will have the
first domain in the CN, and the next ones are put in the SAN list.


-- 
William Lallemand
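A pre-flight check for the one-challenge-per-domain flow discussed in this thread, added here as an example; it is not HAProxy's code and not code from either poster. It parses the dns-01 notices HAProxy printed, confirms from `dig +short` output that every required TXT value is actually published, and only then emits the `acme challenge_ready` CLI command for that domain. The notice format is assumed from the output quoted above, the sample log lines and dig output are copied from it, and the function names are hypothetical helpers.

```python
import re

# Constructed input: the two dns-01 notices HAProxy printed in the thread
# above, re-joined onto single lines. The message format is assumed from
# that output only; it is not taken from HAProxy's source.
HAPROXY_NOTICES = [
    'acme: none.at.pem: dns-01 requires to set the "_acme-challenge.none.at" TXT '
    'record to "Vbqf5UyduQlpoKDfLbxSa3b3YljtSYOW4cxtk15Ci-w" and use the "acme '
    'challenge_ready none.at.pem domain none.at" command over the CLI',
    'acme: none.at.pem: dns-01 requires to set the "_acme-challenge.none.at" TXT '
    'record to "cCWPWcuQBKp3ncDT4ayzyRC6HMc3Nhp8vPhdIoDGsUY" and use the "acme '
    'challenge_ready none.at.pem domain none.at" command over the CLI',
]

# Constructed input: what `dig @ns1.desec.io +short _acme-challenge.none.at txt`
# returned in the thread above.
DIG_OUTPUT = (
    '"Vbqf5UyduQlpoKDfLbxSa3b3YljtSYOW4cxtk15Ci-w"\n'
    '"cCWPWcuQBKp3ncDT4ayzyRC6HMc3Nhp8vPhdIoDGsUY"\n'
)

NOTICE_RE = re.compile(
    r'^acme: (?P<cert>\S+): dns-01 requires to set the "(?P<name>[^"]+)" TXT '
    r'record to "(?P<token>[^"]+)" and use the "acme challenge_ready \S+ '
    r'domain (?P<domain>[^"]+)" command over the CLI$'
)


def parse_notices(lines):
    """Map (cert, domain, txt_owner_name) -> set of TXT values HAProxy asked for.

    One dns-01 challenge is issued per identifier in the order, so a single
    certificate can require several TXT values, possibly under the same
    owner name; a set keeps all of them.
    """
    required = {}
    for line in lines:
        m = NOTICE_RE.match(line.strip())
        if not m:
            continue  # not a dns-01 notice; unrelated log lines are ignored
        key = (m["cert"], m["domain"], m["name"])
        required.setdefault(key, set()).add(m["token"])
    return required


def parse_dig_short_txt(text):
    """Parse `dig +short ... txt` output into the set of TXT strings served.

    dig prints each RR as one or more double-quoted chunks on a line; a TXT
    record longer than 255 bytes arrives as several chunks that are joined.
    """
    values = set()
    for line in text.splitlines():
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if chunks:
            values.add("".join(chunks))
    return values


def missing_challenges(required, published):
    """Return {key: tokens not yet visible in DNS} for every incomplete domain.

    `published` maps a TXT owner name to the set of values currently served.
    Inclusion, not equality, is checked: stale or unrelated TXT values under
    the same name do not block validation, only absent tokens do.
    """
    missing = {}
    for key, tokens in required.items():
        _cert, _domain, name = key
        absent = tokens - published.get(name, set())
        if absent:
            missing[key] = absent
    return missing


def challenge_ready_commands(required, published):
    """CLI commands safe to send now: only domains whose TXT values are all live.

    If challenge_ready is sent before the record resolves, the CA queries DNS,
    does not find the token and marks that authorization invalid, so each
    command is gated on the check above.
    """
    missing = missing_challenges(required, published)
    ready = {
        f"acme challenge_ready {cert} domain {domain}"
        for (cert, domain, name) in required
        if (cert, domain, name) not in missing
    }
    return sorted(ready)


if __name__ == "__main__":
    need = parse_notices(HAPROXY_NOTICES)
    live = {"_acme-challenge.none.at": parse_dig_short_txt(DIG_OUTPUT)}
    for key, absent in missing_challenges(need, live).items():
        print(f"NOT READY {key[1]}: missing TXT values {sorted(absent)}")
    for cmd in challenge_ready_commands(need, live):
        print(cmd)  # pipe each line to: socat - /tmp/hap-stats
```

The inclusion check matters for exactly the situation in the quoted output: two tokens were requested under the single owner name `_acme-challenge.none.at`, so `dig` has to return both before the CLI command is sent. In a live run, replace `DIG_OUTPUT` with the real `dig` output (ideally from the zone's authoritative server, as in the thread) and feed the printed commands to `socat` the same way Aleksandar did.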
