ACME request fails for private network with private/off-grid Smallstep CA

[RanchoHam]

I have an isolated network which can be off-grid for long periods of time.

Therefore, I cannot use Lets Encrypt, Cloudflare, goDaddy, etc services.

My private network is a Unifi system whose DNS I don't use.

Instead I am running a Technitium DNS server as primary & authoritative server (I also have Technitium secondary DNS servers, which for the purposes of trouble shooting I have temporarily shut down.)

I also have an instance Smallstep's step-ca server running whose root cert is trusted throughout my network.

This CA has been used for over 2 years to provide certs with Certbot using an http challenge.

Recently I have had cause to look into using the DNS challenge.
I have been able to get LEGO to issue TEXT records to the local DNS server, but the process fails with

The text record is being correctly created and destroyed in the DNS server.

In examining the CA logs, I see that a certificate is being requested; but the challenge associated with that request is for a tls-alpn-01 challenge.
In spite of LEGO reporting that it could not find resolvers for tls-alpn-01 nor http-01 and then finding a dns-01 solver.

LEGO is invoked with:

Is LEGO really trying a tls-alpn-01 challenge? Is the dns-01 challenge malformed?

[ldez]

Can you provide the command line you are using?

Is LEGO really trying a tls-alpn-01 challenge?

Yes, if you are using the right command line arguments.

Is the dns-01 challenge malformed?

No

[ldez]

Is the dns-01 challenge invocation malformed?

no

---

The CLI flags you are using are wrong: you have defined the DNS-01 challenge instead of the TLS-ALPN-01.

(note: please avoid screenshots)

[ldez]

To use the TLS-ALPN-01 challenge:

• You don't need to define the env vars because it's only related to DNS-01
• You must remove those flags: --dns technitium --dns.propagation-disable-ans --dns.resolvers 192.168.1.36:53, because it's only related to DNS-01
• Add --tls to enable the TLS-ALPN-01 challenge

Example:

LEGO_CA_CERTIFICATES="/usr/local/share/ca-certificates/root_ca.crt" \
bin/lego --email="foo@example" -d example.com \
--tls \
-s https://your-ca/directory run

[ldez]

If your goal is to use the DNS-01 challenge, I need the full logs to help you diagnose where your network and/or configuration fails.

Please, no screenshots.

Note: There is no problem with lego (nothing is malformed), the problem is your local environment.

[RanchoHam]

I don't want the TLS-ALPN-01 challenge. I only referenced it because it shows up in the CA logs.

My goal is to use the DNS-01 challenge. Full logs from where? CA? DNS? If from LEGO, where are they?

[ldez]

Full logs from where? CA? DNS? If from LEGO, where are they?

I need the lego logs, the logs are the output of the CLI.

[RanchoHam]

I have concatenated the command line invocation and the log file together in the attached lego.log.txt file.

$ sudo TECHNITIUM_SERVER_BASE_URL="https://ho-dns1.orion.wb0nre.org:53443" TECHNITIUM_API_TOKEN_FILE=/root/.secrets/token LEGO_CA_CERTIFICATES="/usr/local/share/ca-certificates/root_ca.crt" bin/lego --email="[email protected]" -d ho-beelink-nas.orion.wb0nre.org --dns technitium --dns.propagation-disable-ans --dns.resolvers 192.168.20.36 -s https://tinyca-ho/acme/acme/directory run >lego.log 2>&1
2025/10/06 16:50:18 [INFO] [ho-beelink-nas.orion.wb0nre.org] acme: Obtaining bundled SAN certificate
2025/10/06 16:50:19 [INFO] [ho-beelink-nas.orion.wb0nre.org] AuthURL: https://tinyca-ho/acme/acme/authz/5OZQ4BMKS1lHrVIL7shZCGjVowC39nHE
2025/10/06 16:50:19 [INFO] [ho-beelink-nas.orion.wb0nre.org] acme: Could not find solver for: tls-alpn-01
2025/10/06 16:50:19 [INFO] [ho-beelink-nas.orion.wb0nre.org] acme: Could not find solver for: http-01
2025/10/06 16:50:19 [INFO] [ho-beelink-nas.orion.wb0nre.org] acme: use dns-01 solver
2025/10/06 16:50:19 [INFO] [ho-beelink-nas.orion.wb0nre.org] acme: Preparing to solve DNS-01
2025/10/06 16:50:19 [INFO] [ho-beelink-nas.orion.wb0nre.org] acme: Trying to solve DNS-01
2025/10/06 16:50:19 [INFO] [ho-beelink-nas.orion.wb0nre.org] acme: Checking DNS record propagation. [nameservers=192.168.20.36:53]
2025/10/06 16:50:21 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2025/10/06 16:57:52 [INFO] [ho-beelink-nas.orion.wb0nre.org] acme: Cleaning DNS-01 challenge
2025/10/06 16:57:52 [INFO] Deactivating auth: https://tinyca-ho/acme/acme/authz/5OZQ4BMKS1lHrVIL7shZCGjVowC39nHE
2025/10/06 16:57:52 [INFO] Unable to deactivate the authorization: https://tinyca-ho/acme/acme/authz/5OZQ4BMKS1lHrVIL7shZCGjVowC39nHE
2025/10/06 16:57:52 Could not obtain certificates:
	error: one or more domains had a problem:
[ho-beelink-nas.orion.wb0nre.org] the server didn't respond to our request (status=pending)

[ldez]

It feels like a problem with your ACME server.

As the status is "pending", I think the problem is the communication between the ACME server and your DNS server: the DNS server doesn't seem to respond to the ACME server.

The "pending" status can be related to this step-ca issue: smallstep/certificates#1365
But this just hide the underlying problem with the ACME server to DNS server communication.

---

The following logs prove that the dns-01 is used by lego.

2025/10/06 16:50:19 [INFO] [ho-beelink-nas.orion.wb0nre.org] acme: Could not find solver for: tls-alpn-01
2025/10/06 16:50:19 [INFO] [ho-beelink-nas.orion.wb0nre.org] acme: Could not find solver for: http-01
2025/10/06 16:50:19 [INFO] [ho-beelink-nas.orion.wb0nre.org] acme: use dns-01 solver

So the problem is not lego.