<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: LetsEncrypt ACME timeout problem in Web Security</title>
    <link>https://community.cisco.com/t5/web-security/letsencrypt-acme-timeout-problem/m-p/5324786#M11525</link>
    <description>&lt;P&gt;So DNS can resolve asa.domain2?&lt;/P&gt;
&lt;P&gt;Show logging&lt;/P&gt;
&lt;P&gt;Did you see any log about DNS not being able to resolve the name?&lt;/P&gt;
&lt;P&gt;MHM&lt;/P&gt;</description>
    <pubDate>Wed, 27 Aug 2025 11:24:40 GMT</pubDate>
    <dc:creator>MHM Cisco World</dc:creator>
    <dc:date>2025-08-27T11:24:40Z</dc:date>
    <item>
      <title>LetsEncrypt ACME timeout problem</title>
      <link>https://community.cisco.com/t5/web-security/letsencrypt-acme-timeout-problem/m-p/5324776#M11521</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;The system is an FPR-1010 with ASA-SW&amp;nbsp;9.23(1)13.&lt;/P&gt;&lt;P&gt;When enrolling LetsEncrypt certificates with ACME I noticed a strange timeout problem.&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Without&lt;/STRONG&gt; "&lt;STRONG&gt;alt-fqdn&lt;/STRONG&gt;" entries, everything works fine!&lt;/P&gt;&lt;PRE&gt;crypto ca trustpoint LetsEncrypt_Trustpoint
 enrollment interface outside
 enrollment protocol acme authentication http01 outside
 enrollment protocol acme url https://acme-v02.api.letsencrypt.org:443/directory
 fqdn asa.domain1
 subject-name CN=asa.domain1
 keypair ecdsa elliptic-curve 384
 auto-enroll regenerate
 no ca-check
 crl configure&lt;/PRE&gt;&lt;P&gt;With&amp;nbsp;"&lt;STRONG&gt;alt-fqdn&lt;/STRONG&gt;" entries, there is always a timeout, because it takes longer than 20 seconds to get a response for &lt;STRONG&gt;all&amp;nbsp;&lt;/STRONG&gt;"alt-fqdn"s.&lt;/P&gt;&lt;PRE&gt;crypto ca trustpoint LetsEncrypt_Trustpoint
 enrollment interface outside
 enrollment protocol acme authentication http01 outside
 enrollment protocol acme url https://acme-v02.api.letsencrypt.org:443/directory
 fqdn asa.domain1
&lt;STRONG&gt; alt-fqdn asa.domain1
 alt-fqdn asa.domain2
 alt-fqdn asa.domain3&lt;/STRONG&gt;
 subject-name CN=asa.domain1
 keypair ecdsa elliptic-curve 384
 auto-enroll regenerate
 no ca-check
 crl configure&lt;/PRE&gt;&lt;P&gt;The ACME log attached shows the timeout. 20 seconds is obviously too short for three domains.&lt;/P&gt;&lt;P&gt;Any recommendations besides using separate certificates for each domain?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 27 Aug 2025 10:50:47 GMT</pubDate>
      <guid>https://community.cisco.com/t5/web-security/letsencrypt-acme-timeout-problem/m-p/5324776#M11521</guid>
      <dc:creator>falke</dc:creator>
      <dc:date>2025-08-27T10:50:47Z</dc:date>
    </item>
    <item>
      <title>Re: LetsEncrypt ACME timeout problem</title>
      <link>https://community.cisco.com/t5/web-security/letsencrypt-acme-timeout-problem/m-p/5324778#M11522</link>
      <description>&lt;PRE&gt;fqdn asa.domain1
&lt;STRONG&gt; alt-fqdn asa.domain1
 alt-fqdn asa.domain2
 alt-fqdn asa.domain3&lt;/STRONG&gt;&lt;/PRE&gt;
&lt;P&gt;But as I know, fqdn is the main domain.&lt;/P&gt;
&lt;P&gt;Alt-fqdn is a sub-domain. I see you use sub-domain and domain that are the same?&lt;/P&gt;
&lt;P&gt;MHM&lt;/P&gt;</description>
      <pubDate>Wed, 27 Aug 2025 10:57:24 GMT</pubDate>
      <guid>https://community.cisco.com/t5/web-security/letsencrypt-acme-timeout-problem/m-p/5324778#M11522</guid>
      <dc:creator>MHM Cisco World</dc:creator>
      <dc:date>2025-08-27T10:57:24Z</dc:date>
    </item>
    <item>
      <title>Re: LetsEncrypt ACME timeout problem</title>
      <link>https://community.cisco.com/t5/web-security/letsencrypt-acme-timeout-problem/m-p/5324783#M11523</link>
      <description>&lt;P&gt;Thank you for your reply. Sub-domain is always "asa.", the domain name is different.&lt;/P&gt;&lt;P&gt;This should be a common task as RFC 5280 defines "Subject Alternative Names" (=alt-fqdn) to be expressed in the same manner as any other&amp;nbsp;subject distinguished name.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 27 Aug 2025 11:12:07 GMT</pubDate>
      <guid>https://community.cisco.com/t5/web-security/letsencrypt-acme-timeout-problem/m-p/5324783#M11523</guid>
      <dc:creator>falke</dc:creator>
      <dc:date>2025-08-27T11:12:07Z</dc:date>
    </item>
    <item>
      <title>Re: LetsEncrypt ACME timeout problem</title>
      <link>https://community.cisco.com/t5/web-security/letsencrypt-acme-timeout-problem/m-p/5324784#M11524</link>
      <description>&lt;P&gt;&lt;A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa920/configuration/general/asa-920-general-config/basic-certs.html" target="_blank"&gt;https://www.cisco.com/c/en/us/td/docs/security/asa/asa920/configuration/general/asa-920-general-config/basic-certs.html&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Check this&amp;nbsp;&lt;/P&gt;
&lt;P&gt;MHM&lt;/P&gt;</description>
      <pubDate>Wed, 27 Aug 2025 11:16:57 GMT</pubDate>
      <guid>https://community.cisco.com/t5/web-security/letsencrypt-acme-timeout-problem/m-p/5324784#M11524</guid>
      <dc:creator>MHM Cisco World</dc:creator>
      <dc:date>2025-08-27T11:16:57Z</dc:date>
    </item>
    <item>
      <title>Re: LetsEncrypt ACME timeout problem</title>
      <link>https://community.cisco.com/t5/web-security/letsencrypt-acme-timeout-problem/m-p/5324786#M11525</link>
      <description>&lt;P&gt;So DNS can resolve asa.domain2?&lt;/P&gt;
&lt;P&gt;Show logging&lt;/P&gt;
&lt;P&gt;Did you see any log about DNS not being able to resolve the name?&lt;/P&gt;
&lt;P&gt;MHM&lt;/P&gt;</description>
      <pubDate>Wed, 27 Aug 2025 11:24:40 GMT</pubDate>
      <guid>https://community.cisco.com/t5/web-security/letsencrypt-acme-timeout-problem/m-p/5324786#M11525</guid>
      <dc:creator>MHM Cisco World</dc:creator>
      <dc:date>2025-08-27T11:24:40Z</dc:date>
    </item>
    <item>
      <title>Re: LetsEncrypt ACME timeout problem</title>
      <link>https://community.cisco.com/t5/web-security/letsencrypt-acme-timeout-problem/m-p/5324800#M11526</link>
      <description>&lt;P&gt;Yes, all three real host-names can be resolved.&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;ciscoasa(config)# ping asa.domain1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to x.x.x.x, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ciscoasa(config)# ping asa.domain2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to x.x.x.x, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa(config)# ping asa.domain3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to x.x.x.x, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms&lt;/LI-CODE&gt;&lt;P&gt;The log attached to the first post shows that the exit code is 124:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;ACME client exit code: 124&lt;/LI-CODE&gt;&lt;P&gt;Which, according to the Cisco documentation, means:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;124 
ACME processing timeout&lt;/LI-CODE&gt;&lt;P&gt;Every time &lt;STRONG&gt;exactly after 20 seconds&lt;/STRONG&gt; (=timeout, see log attached to first post) &lt;STRONG&gt;enrollment is canceled.&lt;/STRONG&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 27 Aug 2025 11:36:15 GMT</pubDate>
      <guid>https://community.cisco.com/t5/web-security/letsencrypt-acme-timeout-problem/m-p/5324800#M11526</guid>
      <dc:creator>falke</dc:creator>
      <dc:date>2025-08-27T11:36:15Z</dc:date>
    </item>
    <item>
      <title>Re: LetsEncrypt ACME timeout problem</title>
      <link>https://community.cisco.com/t5/web-security/letsencrypt-acme-timeout-problem/m-p/5324806#M11527</link>
      <description>&lt;P&gt;debug crypto ca messages&lt;BR /&gt;debug crypto ca transactions&lt;/P&gt;
&lt;P&gt;Run these two debugs when you use only the primary fqdn and when you use alt-fqdn.&lt;/P&gt;
&lt;P&gt;Let's check in which step the enrollment stops.&lt;/P&gt;
&lt;P&gt;MHM&lt;/P&gt;</description>
      <pubDate>Wed, 27 Aug 2025 11:51:55 GMT</pubDate>
      <guid>https://community.cisco.com/t5/web-security/letsencrypt-acme-timeout-problem/m-p/5324806#M11527</guid>
      <dc:creator>MHM Cisco World</dc:creator>
      <dc:date>2025-08-27T11:51:55Z</dc:date>
    </item>
    <item>
      <title>Re: LetsEncrypt ACME timeout problem</title>
      <link>https://community.cisco.com/t5/web-security/letsencrypt-acme-timeout-problem/m-p/5324807#M11528</link>
      <description>&lt;LI-CODE lang="markup"&gt;ciscoasa(config)# debug crypto ca messages
                                  ^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config)# debug crypto ca transactions
                                    ^
ERROR: % Invalid input detected at '^' marker.


ciscoasa(config)# debug crypto ca ?

exec mode commands/options:
  &amp;lt;1-14&amp;gt;                   Specify an optional debug level (default is 1)
  acme                     debug the ACME transactions
  cluster                  debug PKI cluster
  cmp                      debug the CMP transactions
  periodic-authentication  debug PKI peroidic authentication
  scep-proxy               debug the SCEP proxy
  trustpool                debug the trustpool
  &amp;lt;cr&amp;gt;&lt;/LI-CODE&gt;&lt;P&gt;Log of "debug crypto ca acme 255" is the log attached to the first post.&lt;/P&gt;</description>
      <pubDate>Wed, 27 Aug 2025 11:58:28 GMT</pubDate>
      <guid>https://community.cisco.com/t5/web-security/letsencrypt-acme-timeout-problem/m-p/5324807#M11528</guid>
      <dc:creator>falke</dc:creator>
      <dc:date>2025-08-27T11:58:28Z</dc:date>
    </item>
    <item>
      <title>Re: LetsEncrypt ACME timeout problem</title>
      <link>https://community.cisco.com/t5/web-security/letsencrypt-acme-timeout-problem/m-p/5324809#M11529</link>
      <description>&lt;P&gt;Ok,&lt;/P&gt;
&lt;P&gt;asa.domain1 resolves to a public IP which is reachable by the CA.&lt;/P&gt;
&lt;P&gt;The other asa.domain2/domain3 resolve to a private IP.&lt;/P&gt;
&lt;P&gt;Can you check if I am right?&lt;/P&gt;
&lt;P&gt;MHM&lt;/P&gt;</description>
      <pubDate>Wed, 27 Aug 2025 12:05:01 GMT</pubDate>
      <guid>https://community.cisco.com/t5/web-security/letsencrypt-acme-timeout-problem/m-p/5324809#M11529</guid>
      <dc:creator>MHM Cisco World</dc:creator>
      <dc:date>2025-08-27T12:05:01Z</dc:date>
    </item>
    <item>
      <title>Re: LetsEncrypt ACME timeout problem</title>
      <link>https://community.cisco.com/t5/web-security/letsencrypt-acme-timeout-problem/m-p/5324819#M11530</link>
      <description>&lt;P&gt;All three domains are resolved to a &lt;STRONG&gt;public IP&lt;/STRONG&gt;.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;crypto ca trustpoint LetsEncrypt_Trustpoint
 enrollment interface outside
 enrollment protocol acme authentication http01 outside
 enrollment protocol acme url https://acme-v02.api.letsencrypt.org:443/directory
 fqdn asa.domain1
 subject-name CN=asa.domain1
 keypair ecdsa elliptic-curve 384
 auto-enroll regenerate
 no ca-check
 crl configure&lt;/LI-CODE&gt;&lt;P&gt;just asa.domain1 works&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;crypto ca trustpoint LetsEncrypt_Trustpoint
 enrollment interface outside
 enrollment protocol acme authentication http01 outside
 enrollment protocol acme url https://acme-v02.api.letsencrypt.org:443/directory
 fqdn asa.domain2
 subject-name CN=asa.domain2
 keypair ecdsa elliptic-curve 384
 auto-enroll regenerate
 no ca-check
 crl configure&lt;/LI-CODE&gt;&lt;P&gt;just asa.domain2 works&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;crypto ca trustpoint LetsEncrypt_Trustpoint
 enrollment interface outside
 enrollment protocol acme authentication http01 outside
 enrollment protocol acme url https://acme-v02.api.letsencrypt.org:443/directory
 fqdn asa.domain3
 subject-name CN=asa.domain3
 keypair ecdsa elliptic-curve 384
 auto-enroll regenerate
 no ca-check
 crl configure&lt;/LI-CODE&gt;&lt;P&gt;just asa.domain3 works&lt;/P&gt;&lt;P&gt;Every enrollment for a &lt;STRONG&gt;single domain&lt;/STRONG&gt; is &lt;STRONG&gt;successful&lt;/STRONG&gt; and has a debug log that looks like this:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;---------------------------------

Begin ACME PKCS#10 enrollment log

---------------------------------

using BIND_ADDR4: 169.254.1.3
using BIND_ADDR6: fd00:0:0:1::3
debug level:      3
DEBUG:            --debug 1
timeout:          20

[Wed Aug 27 14:18:06 CEST 2025] Lets find script dir.
[Wed Aug 27 14:18:06 CEST 2025] _SCRIPT_='/asa/scripts/acme.sh'
[Wed Aug 27 14:18:06 CEST 2025] _script='/opt/cisco/csp/applications/cisco-asa.9.23.1.13__asa_001_............/app_bin/asa/scripts/acme.sh'
[Wed Aug 27 14:18:06 CEST 2025] _script_home='/opt/cisco/csp/applications/cisco-asa.9.23.1.13__asa_001_............/app_bin/asa/scripts'
[Wed Aug 27 14:18:06 CEST 2025] Using default home://.acme.sh
[Wed Aug 27 14:18:06 CEST 2025] Using config home:/var/acmesh/LetsEncrypt_Trustpoint/data
https://github.com/acmesh-official/acme.sh
v3.0.8
[Wed Aug 27 14:18:06 CEST 2025] Using server: https://acme-v02.api.letsencrypt.org:443/directory
[Wed Aug 27 14:18:07 CEST 2025] Running cmd: signcsr
[Wed Aug 27 14:18:07 CEST 2025] _csrsubj='asa.domain'
[Wed Aug 27 14:18:07 CEST 2025] _csrsubj='asa.domain'
[Wed Aug 27 14:18:07 CEST 2025] _dnsAltnames='DNS:asa.domain'
[Wed Aug 27 14:18:07 CEST 2025] AltNames contains subject
[Wed Aug 27 14:18:07 CEST 2025] _excapedAlgnames='DNS:asa.domain'
[Wed Aug 27 14:18:07 CEST 2025] _escapedSubject='asa.domain'
[Wed Aug 27 14:18:07 CEST 2025] _dnsAltnames
[Wed Aug 27 14:18:07 CEST 2025] _csrdomainlist
[Wed Aug 27 14:18:07 CEST 2025] ECC CSR
[Wed Aug 27 14:18:07 CEST 2025] Using config home:/var/acmesh/LetsEncrypt_Trustpoint/data
[Wed Aug 27 14:18:07 CEST 2025] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org:443/directory'
[Wed Aug 27 14:18:07 CEST 2025] DOMAIN_PATH='/var/acmesh/LetsEncrypt_Trustpoint/certs/asa.domain_ecc'
[Wed Aug 27 14:18:07 CEST 2025] Copy csr to: /var/acmesh/LetsEncrypt_Trustpoint/certs/asa.domain_ecc/asa.domain.csr
[Wed Aug 27 14:18:07 CEST 2025] _main_domain='asa.domain'
[Wed Aug 27 14:18:07 CEST 2025] _alt_domains
[Wed Aug 27 14:18:07 CEST 2025] Using config home:/var/acmesh/LetsEncrypt_Trustpoint/data
[Wed Aug 27 14:18:07 CEST 2025] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org:443/directory'
[Wed Aug 27 14:18:07 CEST 2025] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org:443/directory
[Wed Aug 27 14:18:07 CEST 2025] _init api for server: https://acme-v02.api.letsencrypt.org:443/directory
[Wed Aug 27 14:18:07 CEST 2025] GET
[Wed Aug 27 14:18:07 CEST 2025] url='https://acme-v02.api.letsencrypt.org:443/directory'
[Wed Aug 27 14:18:07 CEST 2025] timeout=
[Wed Aug 27 14:18:07 CEST 2025] _CURL='curl --silent --dump-header /var/acmesh/LetsEncrypt_Trustpoint/data/http.header  -L  --cacert /etc/lina_roots/lina_roots.0.pem  -g '
[Wed Aug 27 14:18:08 CEST 2025] ret='0'
[Wed Aug 27 14:18:08 CEST 2025] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Wed Aug 27 14:18:08 CEST 2025] ACME_NEW_AUTHZ
[Wed Aug 27 14:18:08 CEST 2025] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Wed Aug 27 14:18:08 CEST 2025] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Wed Aug 27 14:18:08 CEST 2025] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Wed Aug 27 14:18:08 CEST 2025] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf'
[Wed Aug 27 14:18:08 CEST 2025] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Wed Aug 27 14:18:08 CEST 2025] Using CA: https://acme-v02.api.letsencrypt.org:443/directory
[Wed Aug 27 14:18:08 CEST 2025] _on_before_issue
[Wed Aug 27 14:18:08 CEST 2025] _chk_main_domain='asa.domain'
[Wed Aug 27 14:18:08 CEST 2025] _chk_alt_domains
[Wed Aug 27 14:18:08 CEST 2025] Le_LocalAddress
[Wed Aug 27 14:18:08 CEST 2025] d='asa.domain'
[Wed Aug 27 14:18:08 CEST 2025] Check for domain='asa.domain'
[Wed Aug 27 14:18:08 CEST 2025] _currentRoot='/var/acmesh/acme_challenge'
[Wed Aug 27 14:18:08 CEST 2025] d
[Wed Aug 27 14:18:08 CEST 2025] config file is empty, can not read CA_KEY_HASH
[Wed Aug 27 14:18:08 CEST 2025] Using config home:/var/acmesh/LetsEncrypt_Trustpoint/data
[Wed Aug 27 14:18:08 CEST 2025] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org:443/directory'
[Wed Aug 27 14:18:08 CEST 2025] _init api for server: https://acme-v02.api.letsencrypt.org:443/directory
[Wed Aug 27 14:18:08 CEST 2025] length='ec-256'
[Wed Aug 27 14:18:08 CEST 2025] Using config home:/var/acmesh/LetsEncrypt_Trustpoint/data
[Wed Aug 27 14:18:08 CEST 2025] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org:443/directory'
[Wed Aug 27 14:18:08 CEST 2025] Use length 256
[Wed Aug 27 14:18:08 CEST 2025] Using ec name: prime256v1
[Wed Aug 27 14:18:08 CEST 2025] Create account key ok.
[Wed Aug 27 14:18:08 CEST 2025] EC key
[Wed Aug 27 14:18:09 CEST 2025] config file is empty, can not read CA_EAB_KEY_ID
[Wed Aug 27 14:18:09 CEST 2025] config file is empty, can not read CA_EAB_HMAC_KEY
[Wed Aug 27 14:18:09 CEST 2025] config file is empty, can not read CA_EMAIL
[Wed Aug 27 14:18:09 CEST 2025] Registering account: https://acme-v02.api.letsencrypt.org:443/directory
[Wed Aug 27 14:18:09 CEST 2025] =======Begin Send Signed Request=======
[Wed Aug 27 14:18:09 CEST 2025] url='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Wed Aug 27 14:18:09 CEST 2025] payload='{"termsOfServiceAgreed": true}'
[Wed Aug 27 14:18:09 CEST 2025] HEAD
[Wed Aug 27 14:18:09 CEST 2025] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Wed Aug 27 14:18:09 CEST 2025] _CURL='curl --silent --dump-header /var/acmesh/LetsEncrypt_Trustpoint/data/http.header  -L  --cacert /etc/lina_roots/lina_roots.0.pem  -g  -I  '
[Wed Aug 27 14:18:09 CEST 2025] _ret='0'
[Wed Aug 27 14:18:09 CEST 2025] POST
[Wed Aug 27 14:18:09 CEST 2025] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Wed Aug 27 14:18:09 CEST 2025] _CURL='curl --silent --dump-header /var/acmesh/LetsEncrypt_Trustpoint/data/http.header  -L  --cacert /etc/lina_roots/lina_roots.0.pem  -g '
[Wed Aug 27 14:18:10 CEST 2025] _ret='0'
[Wed Aug 27 14:18:10 CEST 2025] code='201'
[Wed Aug 27 14:18:10 CEST 2025] Registered
[Wed Aug 27 14:18:10 CEST 2025] _accUri='https://acme-v02.api.letsencrypt.org/acme/acct/............'
[Wed Aug 27 14:18:10 CEST 2025] Calc CA_KEY_HASH='............'
[Wed Aug 27 14:18:10 CEST 2025] ACCOUNT_THUMBPRINT='............'
[Wed Aug 27 14:18:10 CEST 2025] Signing from existing CSR.
[Wed Aug 27 14:18:10 CEST 2025] Getting domain auth token for each domain
[Wed Aug 27 14:18:10 CEST 2025] d
[Wed Aug 27 14:18:10 CEST 2025] STEP 1, Ordering a Certificate
[Wed Aug 27 14:18:10 CEST 2025] =======Begin Send Signed Request=======
[Wed Aug 27 14:18:10 CEST 2025] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Wed Aug 27 14:18:10 CEST 2025] payload='{"identifiers": [{"type":"dns","value":"asa.domain"}]}'
[Wed Aug 27 14:18:11 CEST 2025] POST
[Wed Aug 27 14:18:11 CEST 2025] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Wed Aug 27 14:18:11 CEST 2025] _CURL='curl --silent --dump-header /var/acmesh/LetsEncrypt_Trustpoint/data/http.header  -L  --cacert /etc/lina_roots/lina_roots.0.pem  -g '
[Wed Aug 27 14:18:11 CEST 2025] _ret='0'
[Wed Aug 27 14:18:11 CEST 2025] code='201'
[Wed Aug 27 14:18:12 CEST 2025] Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/............/............'
[Wed Aug 27 14:18:12 CEST 2025] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/............/............'
[Wed Aug 27 14:18:12 CEST 2025] STEP 2, Get the authorizations of each domain
[Wed Aug 27 14:18:12 CEST 2025] =======Begin Send Signed Request=======
[Wed Aug 27 14:18:12 CEST 2025] url='https://acme-v02.api.letsencrypt.org/acme/authz/............/............'
[Wed Aug 27 14:18:12 CEST 2025] payload
[Wed Aug 27 14:18:12 CEST 2025] POST
[Wed Aug 27 14:18:12 CEST 2025] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz/............/............'
[Wed Aug 27 14:18:12 CEST 2025] _CURL='curl --silent --dump-header /var/acmesh/LetsEncrypt_Trustpoint/data/http.header  -L  --cacert /etc/lina_roots/lina_roots.0.pem  -g '
[Wed Aug 27 14:18:12 CEST 2025] _ret='0'
[Wed Aug 27 14:18:13 CEST 2025] code='200'
[Wed Aug 27 14:18:13 CEST 2025] d='asa.domain'
[Wed Aug 27 14:18:13 CEST 2025] Getting webroot for domain='asa.domain'
[Wed Aug 27 14:18:13 CEST 2025] _w='/var/acmesh/acme_challenge'
[Wed Aug 27 14:18:13 CEST 2025] _currentRoot='/var/acmesh/acme_challenge'
[Wed Aug 27 14:18:13 CEST 2025] _authz_url='https://acme-v02.api.letsencrypt.org/acme/authz/............/............'
[Wed Aug 27 14:18:13 CEST 2025] entry='"type":"http-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/............/............/............","status":"pending","token":"............"'
[Wed Aug 27 14:18:13 CEST 2025] token='............'
[Wed Aug 27 14:18:13 CEST 2025] uri='https://acme-v02.api.letsencrypt.org/acme/chall/............/............/............'
[Wed Aug 27 14:18:13 CEST 2025] keyauthorization='.........................'
[Wed Aug 27 14:18:13 CEST 2025] dvlist='asa.domain#.........................#https://acme-v02.api.letsencrypt.org/acme/chall/............/............/............#http-01#/var/acmesh/acme_challenge#https://acme-v02.api.letsencrypt.org/acme/authz/............/............'
[Wed Aug 27 14:18:13 CEST 2025] d
[Wed Aug 27 14:18:13 CEST 2025] vlist='asa.domain#.........................#https://acme-v02.api.letsencrypt.org/acme/chall/............/............/............#http-01#/var/acmesh/acme_challenge#https://acme-v02.api.letsencrypt.org/acme/authz/............/............,'
[Wed Aug 27 14:18:13 CEST 2025] d='asa.domain'
[Wed Aug 27 14:18:13 CEST 2025] ok, let's start to verify
[Wed Aug 27 14:18:13 CEST 2025] Verifying: asa.domain
[Wed Aug 27 14:18:13 CEST 2025] d='asa.domain'
[Wed Aug 27 14:18:13 CEST 2025] keyauthorization='.........................'
[Wed Aug 27 14:18:13 CEST 2025] uri='https://acme-v02.api.letsencrypt.org/acme/chall/............/............/............'
[Wed Aug 27 14:18:13 CEST 2025] _authz_url='https://acme-v02.api.letsencrypt.org/acme/authz/............/............'
[Wed Aug 27 14:18:13 CEST 2025] _currentRoot='/var/acmesh/acme_challenge'
[Wed Aug 27 14:18:13 CEST 2025] wellknown_path='/var/acmesh/acme_challenge/.well-known/acme-challenge'
[Wed Aug 27 14:18:13 CEST 2025] writing token:............ to /var/acmesh/acme_challenge/.well-known/acme-challenge/............
[Wed Aug 27 14:18:13 CEST 2025] =======Begin Send Signed Request=======
[Wed Aug 27 14:18:13 CEST 2025] url='https://acme-v02.api.letsencrypt.org/acme/chall/............/............/............'
[Wed Aug 27 14:18:13 CEST 2025] payload='{}'
[Wed Aug 27 14:18:13 CEST 2025] POST
[Wed Aug 27 14:18:13 CEST 2025] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall/............/............/............'
[Wed Aug 27 14:18:13 CEST 2025] _CURL='curl --silent --dump-header /var/acmesh/LetsEncrypt_Trustpoint/data/http.header  -L  --cacert /etc/lina_roots/lina_roots.0.pem  -g '
[Wed Aug 27 14:18:14 CEST 2025] _ret='0'
[Wed Aug 27 14:18:14 CEST 2025] code='200'
[Wed Aug 27 14:18:14 CEST 2025] trigger validation code: 200
[Wed Aug 27 14:18:14 CEST 2025] Lets check the status of the authz
[Wed Aug 27 14:18:14 CEST 2025] Pending, The CA is processing your order, please just wait. (1/30)
[Wed Aug 27 14:18:14 CEST 2025] sleep 2 secs to verify again
[Wed Aug 27 14:18:16 CEST 2025] checking
[Wed Aug 27 14:18:16 CEST 2025] =======Begin Send Signed Request=======
[Wed Aug 27 14:18:16 CEST 2025] url='https://acme-v02.api.letsencrypt.org/acme/authz/............/............'
[Wed Aug 27 14:18:16 CEST 2025] payload
[Wed Aug 27 14:18:17 CEST 2025] POST
[Wed Aug 27 14:18:17 CEST 2025] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz/............/............'
[Wed Aug 27 14:18:17 CEST 2025] _CURL='curl --silent --dump-header /var/acmesh/LetsEncrypt_Trustpoint/data/http.header  -L  --cacert /etc/lina_roots/lina_roots.0.pem  -g '
[Wed Aug 27 14:18:17 CEST 2025] _ret='0'
[Wed Aug 27 14:18:17 CEST 2025] code='200'
[Wed Aug 27 14:18:17 CEST 2025] Success
[Wed Aug 27 14:18:17 CEST 2025] pid
[Wed Aug 27 14:18:17 CEST 2025] Debugging, skip removing: /var/acmesh/acme_challenge/.well-known
[Wed Aug 27 14:18:17 CEST 2025] pid
[Wed Aug 27 14:18:17 CEST 2025] No need to restore nginx, skip.
[Wed Aug 27 14:18:17 CEST 2025] _clearupdns
[Wed Aug 27 14:18:17 CEST 2025] dns_entries
[Wed Aug 27 14:18:17 CEST 2025] skip dns.
[Wed Aug 27 14:18:17 CEST 2025] Verify finished, start to sign.
[Wed Aug 27 14:18:17 CEST 2025] i='2'
[Wed Aug 27 14:18:17 CEST 2025] j='9'
[Wed Aug 27 14:18:17 CEST 2025] Lets finalize the order.
[Wed Aug 27 14:18:17 CEST 2025] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/............/............'
[Wed Aug 27 14:18:17 CEST 2025] =======Begin Send Signed Request=======
[Wed Aug 27 14:18:17 CEST 2025] url='https://acme-v02.api.letsencrypt.org/acme/finalize/............/............'
[Wed Aug 27 14:18:17 CEST 2025] payload='{"csr": "............"}'
[Wed Aug 27 14:18:18 CEST 2025] POST
[Wed Aug 27 14:18:18 CEST 2025] _post_url='https://acme-v02.api.letsencrypt.org/acme/finalize/............/............'
[Wed Aug 27 14:18:18 CEST 2025] _CURL='curl --silent --dump-header /var/acmesh/LetsEncrypt_Trustpoint/data/http.header  -L  --cacert /etc/lina_roots/lina_roots.0.pem  -g '
[Wed Aug 27 14:18:21 CEST 2025] _ret='0'
[Wed Aug 27 14:18:21 CEST 2025] code='200'
[Wed Aug 27 14:18:21 CEST 2025] Order status is valid.
[Wed Aug 27 14:18:21 CEST 2025] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/066f234b0fb37120b9bf3fb103fa4558160c'
[Wed Aug 27 14:18:21 CEST 2025] Downloading cert.
[Wed Aug 27 14:18:21 CEST 2025] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/066f234b0fb37120b9bf3fb103fa4558160c'
[Wed Aug 27 14:18:21 CEST 2025] =======Begin Send Signed Request=======
[Wed Aug 27 14:18:21 CEST 2025] url='https://acme-v02.api.letsencrypt.org/acme/cert/066f234b0fb37120b9bf3fb103fa4558160c'
[Wed Aug 27 14:18:21 CEST 2025] payload
[Wed Aug 27 14:18:22 CEST 2025] POST
[Wed Aug 27 14:18:22 CEST 2025] _post_url='https://acme-v02.api.letsencrypt.org/acme/cert/066f234b0fb37120b9bf3fb103fa4558160c'
[Wed Aug 27 14:18:22 CEST 2025] _CURL='curl --silent --dump-header /var/acmesh/LetsEncrypt_Trustpoint/data/http.header  -L  --cacert /etc/lina_roots/lina_roots.0.pem  -g '
[Wed Aug 27 14:18:22 CEST 2025] _ret='0'
[Wed Aug 27 14:18:22 CEST 2025] code='200'
[Wed Aug 27 14:18:22 CEST 2025] Found cert chain
[Wed Aug 27 14:18:22 CEST 2025] _end_n='22'
[Wed Aug 27 14:18:22 CEST 2025] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/066f234b0fb37120b9bf3fb103fa4558160c'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ............
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C = US, O = Let's Encrypt, CN = E7
        Validity
            Not Before: Aug 27 11:19:48 2025 GMT
            Not After : Nov 25 11:19:47 2025 GMT
        Subject: CN = asa.domain
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    ............
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            ............
[Wed Aug 27 14:18:22 CEST 2025] Cert success.
-----BEGIN CERTIFICATE-----
MII............
-----END CERTIFICATE-----
[Wed Aug 27 14:18:22 CEST 2025] Your cert is in: /var/acmesh/LetsEncrypt_Trustpoint/certs/asa.domain_ecc/asa.domain.cer
[Wed Aug 27 14:18:22 CEST 2025] The intermediate CA cert is in: /var/acmesh/LetsEncrypt_Trustpoint/certs/asa.domain_ecc/ca.cer
[Wed Aug 27 14:18:22 CEST 2025] And the full chain certs is there: /var/acmesh/LetsEncrypt_Trustpoint/certs/asa.domain_ecc/fullchain.cer
[Wed Aug 27 14:18:23 CEST 2025] _on_issue_success
ACME client exit code: 0

---------------------------------

End ACME PKCS#10 enrollment log

---------------------------------

PKI ACME[7]: END LOG BUF:
PKI ACME[8]: BEGIN OUTPUT BUF
{"ERROR_CODE":0,"CERT_CHAIN_PEM_TXT":"-----BEGIN CERTIFICATE-----\nMII............\n-----END CERTIFICATE-----"}

PKI ACME[8]: END OUTPUT BUF:
PKI ACME[7]: ERROR_CODE 0. Success
PKI ACME[7]: Certificate chain:
-----BEGIN CERTIFICATE-----
MII............
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MII............
-----END CERTIFICATE-----
PKI ACME[7]: ACME_Enroll() returns 0
PKI ACME[7]: Verifying ACME certificate path.
PKI ACME[7]: Verifying ACME cert chain
PKI ACME[7]: Certificate path verified
PKI ACME[7]: trust_point-&amp;gt;router_cert_issued = TRUE
PKI ACME[7]: ACME enrollment certificate has been granted by CA&lt;/LI-CODE&gt;&lt;P&gt;So it is definitely an error with multiple domains and/or the 20 seconds timeout.&lt;/P&gt;</description>
      <pubDate>Wed, 27 Aug 2025 12:31:55 GMT</pubDate>
      <guid>https://community.cisco.com/t5/web-security/letsencrypt-acme-timeout-problem/m-p/5324819#M11530</guid>
      <dc:creator>falke</dc:creator>
      <dc:date>2025-08-27T12:31:55Z</dc:date>
    </item>
    <item>
      <title>Re: LetsEncrypt ACME timeout problem</title>
      <link>https://community.cisco.com/t5/web-security/letsencrypt-acme-timeout-problem/m-p/5324835#M11531</link>
      <description>&lt;P&gt;&lt;A href="https://community.cisco.com/t5/security-knowledge-base/using-let-s-encrypt-certificates-with-cisco-firepower-ise-amp/ta-p/4925009#toc-hId-1019233046" target="_blank"&gt;https://community.cisco.com/t5/security-knowledge-base/using-let-s-encrypt-certificates-with-cisco-firepower-ise-amp/ta-p/4925009#toc-hId-1019233046&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Issue with validating the domain, check this.&lt;/P&gt;
&lt;P&gt;And I will do a deeper dive into what is causing this behaviour.&lt;/P&gt;
&lt;P&gt;MHM&lt;/P&gt;</description>
      <pubDate>Wed, 27 Aug 2025 13:10:07 GMT</pubDate>
      <guid>https://community.cisco.com/t5/web-security/letsencrypt-acme-timeout-problem/m-p/5324835#M11531</guid>
      <dc:creator>MHM Cisco World</dc:creator>
      <dc:date>2025-08-27T13:10:07Z</dc:date>
    </item>
    <item>
      <title>Re: LetsEncrypt ACME timeout problem</title>
      <link>https://community.cisco.com/t5/web-security/letsencrypt-acme-timeout-problem/m-p/5324854#M11532</link>
      <description>&lt;P&gt;Check this document and see if there is any limitation for multidomain.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-asa/222809-configure-certificate-enrollment-with-ac.html" target="_blank"&gt;https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-asa/222809-configure-certificate-enrollment-with-ac.html&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Check if you can do multiple trustpoints, a different trustpoint for each domain (never tested myself, just an idea).&lt;/P&gt;
&lt;P&gt;The document provides troubleshooting tips.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 27 Aug 2025 13:50:55 GMT</pubDate>
      <guid>https://community.cisco.com/t5/web-security/letsencrypt-acme-timeout-problem/m-p/5324854#M11532</guid>
      <dc:creator>balaji.bandi</dc:creator>
      <dc:date>2025-08-27T13:50:55Z</dc:date>
    </item>
  </channel>
</rss>