08-27-2025 03:50 AM
Hello,
The system is an FPR-1010 with ASA software 9.23(1)13.
When enrolling LetsEncrypt certificates with ACME I noticed a strange timeout problem.
Without "alt-fqdn" entries, everything works fine!
crypto ca trustpoint LetsEncrypt_Trustpoint
enrollment interface outside
enrollment protocol acme authentication http01 outside
enrollment protocol acme url https://acme-v02.api.letsencrypt.org:443/directory
fqdn asa.domain1
subject-name CN=asa.domain1
keypair ecdsa elliptic-curve 384
auto-enroll regenerate
no ca-check
crl configure
With "alt-fqdn" entries, there is always a timeout, because it takes longer than 20 seconds to get a response for all "alt-fqdn"s.
crypto ca trustpoint LetsEncrypt_Trustpoint
enrollment interface outside
enrollment protocol acme authentication http01 outside
enrollment protocol acme url https://acme-v02.api.letsencrypt.org:443/directory
fqdn asa.domain1
alt-fqdn asa.domain1
alt-fqdn asa.domain2
alt-fqdn asa.domain3
subject-name CN=asa.domain1
keypair ecdsa elliptic-curve 384
auto-enroll regenerate
no ca-check
crl configure
The attached ACME log shows the timeout. 20 seconds are obviously too short for three domains.
Any recommendations besides using separate certificates for each domain?
08-27-2025 03:57 AM
fqdn asa.domain1 alt-fqdn asa.domain1 alt-fqdn asa.domain2 alt-fqdn asa.domain3
But as far as I know, fqdn is the main domain and alt-fqdn is the sub-domain. I see you use a sub-domain and the domain is the same?
MHM
08-27-2025 04:12 AM
Thank you for your reply. Sub-domain is always "asa.", the domain name is different.
This should be a common task as RFC 5280 defines "Subject Alternative Names" (=alt-fqdn) to be expressed in the same manner as any other subject distinguished name.
08-27-2025 04:16 AM
08-27-2025 04:19 AM - edited 08-27-2025 04:24 AM
So DNS can resolve asa.domain2?
show logging
Did you see any log about DNS not being able to resolve the name?
MHM
08-27-2025 04:35 AM - edited 08-27-2025 04:36 AM
Yes, all three real host-names can be resolved.
ciscoasa(config)# ping asa.domain1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to x.x.x.x, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ciscoasa(config)# ping asa.domain2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to x.x.x.x, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa(config)# ping asa.domain3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to x.x.x.x, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
The log attached to the first post shows that the exit code is 124:
ACME client exit code: 124
Which means, according to the Cisco documentation:
124: ACME processing timeout
Every time, the enrollment is canceled exactly after 20 seconds (= timeout, see the log attached to the first post).
08-27-2025 04:51 AM
debug crypto ca messages
debug crypto ca transactions
Run these two debugs when you use only the primary fqdn and when you use alt-fqdn.
Let's check in which step the enrollment stops.
MHM
08-27-2025 04:58 AM
ciscoasa(config)# debug crypto ca messages
^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config)# debug crypto ca transactions
^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config)# debug crypto ca ?
exec mode commands/options:
<1-14> Specify an optional debug level (default is 1)
acme debug the ACME transactions
cluster debug PKI cluster
cmp debug the CMP transactions
periodic-authentication debug PKI peroidic authentication
scep-proxy debug the SCEP proxy
trustpool debug the trustpool
<cr>
Log of "debug crypto ca acme 255" is the log attached to the first post.
08-27-2025 05:05 AM
Ok.
asa.domain1 resolves to a public IP which is reachable via the CA.
The other asa.domain2/domain3 resolve to a private IP.
Can you check if I am right?
MHM
08-27-2025 05:31 AM
All three domains are resolved to a public IP.
crypto ca trustpoint LetsEncrypt_Trustpoint
enrollment interface outside
enrollment protocol acme authentication http01 outside
enrollment protocol acme url https://acme-v02.api.letsencrypt.org:443/directory
fqdn asa.domain1
subject-name CN=asa.domain1
keypair ecdsa elliptic-curve 384
auto-enroll regenerate
no ca-check
crl configure
just asa.domain1 works
crypto ca trustpoint LetsEncrypt_Trustpoint
enrollment interface outside
enrollment protocol acme authentication http01 outside
enrollment protocol acme url https://acme-v02.api.letsencrypt.org:443/directory
fqdn asa.domain2
subject-name CN=asa.domain2
keypair ecdsa elliptic-curve 384
auto-enroll regenerate
no ca-check
crl configure
just asa.domain2 works
crypto ca trustpoint LetsEncrypt_Trustpoint
enrollment interface outside
enrollment protocol acme authentication http01 outside
enrollment protocol acme url https://acme-v02.api.letsencrypt.org:443/directory
fqdn asa.domain3
subject-name CN=asa.domain3
keypair ecdsa elliptic-curve 384
auto-enroll regenerate
no ca-check
crl configure
just asa.domain3 works
Every enrollment for a single domain is successful and has a debug log that looks like this:
---------------------------------
Begin ACME PKCS#10 enrollment log
---------------------------------
using BIND_ADDR4: 169.254.1.3
using BIND_ADDR6: fd00:0:0:1::3
debug level: 3
DEBUG: --debug 1
timeout: 20
[Wed Aug 27 14:18:06 CEST 2025] Lets find script dir.
[Wed Aug 27 14:18:06 CEST 2025] _SCRIPT_='/asa/scripts/acme.sh'
[Wed Aug 27 14:18:06 CEST 2025] _script='/opt/cisco/csp/applications/cisco-asa.9.23.1.13__asa_001_............/app_bin/asa/scripts/acme.sh'
[Wed Aug 27 14:18:06 CEST 2025] _script_home='/opt/cisco/csp/applications/cisco-asa.9.23.1.13__asa_001_............/app_bin/asa/scripts'
[Wed Aug 27 14:18:06 CEST 2025] Using default home://.acme.sh
[Wed Aug 27 14:18:06 CEST 2025] Using config home:/var/acmesh/LetsEncrypt_Trustpoint/data
https://github.com/acmesh-official/acme.sh
v3.0.8
[Wed Aug 27 14:18:06 CEST 2025] Using server: https://acme-v02.api.letsencrypt.org:443/directory
[Wed Aug 27 14:18:07 CEST 2025] Running cmd: signcsr
[Wed Aug 27 14:18:07 CEST 2025] _csrsubj='asa.domain'
[Wed Aug 27 14:18:07 CEST 2025] _csrsubj='asa.domain'
[Wed Aug 27 14:18:07 CEST 2025] _dnsAltnames='DNS:asa.domain'
[Wed Aug 27 14:18:07 CEST 2025] AltNames contains subject
[Wed Aug 27 14:18:07 CEST 2025] _excapedAlgnames='DNS:asa.domain'
[Wed Aug 27 14:18:07 CEST 2025] _escapedSubject='asa.domain'
[Wed Aug 27 14:18:07 CEST 2025] _dnsAltnames
[Wed Aug 27 14:18:07 CEST 2025] _csrdomainlist
[Wed Aug 27 14:18:07 CEST 2025] ECC CSR
[Wed Aug 27 14:18:07 CEST 2025] Using config home:/var/acmesh/LetsEncrypt_Trustpoint/data
[Wed Aug 27 14:18:07 CEST 2025] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org:443/directory'
[Wed Aug 27 14:18:07 CEST 2025] DOMAIN_PATH='/var/acmesh/LetsEncrypt_Trustpoint/certs/asa.domain_ecc'
[Wed Aug 27 14:18:07 CEST 2025] Copy csr to: /var/acmesh/LetsEncrypt_Trustpoint/certs/asa.domain_ecc/asa.domain.csr
[Wed Aug 27 14:18:07 CEST 2025] _main_domain='asa.domain'
[Wed Aug 27 14:18:07 CEST 2025] _alt_domains
[Wed Aug 27 14:18:07 CEST 2025] Using config home:/var/acmesh/LetsEncrypt_Trustpoint/data
[Wed Aug 27 14:18:07 CEST 2025] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org:443/directory'
[Wed Aug 27 14:18:07 CEST 2025] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org:443/directory
[Wed Aug 27 14:18:07 CEST 2025] _init api for server: https://acme-v02.api.letsencrypt.org:443/directory
[Wed Aug 27 14:18:07 CEST 2025] GET
[Wed Aug 27 14:18:07 CEST 2025] url='https://acme-v02.api.letsencrypt.org:443/directory'
[Wed Aug 27 14:18:07 CEST 2025] timeout=
[Wed Aug 27 14:18:07 CEST 2025] _CURL='curl --silent --dump-header /var/acmesh/LetsEncrypt_Trustpoint/data/http.header -L --cacert /etc/lina_roots/lina_roots.0.pem -g '
[Wed Aug 27 14:18:08 CEST 2025] ret='0'
[Wed Aug 27 14:18:08 CEST 2025] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Wed Aug 27 14:18:08 CEST 2025] ACME_NEW_AUTHZ
[Wed Aug 27 14:18:08 CEST 2025] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Wed Aug 27 14:18:08 CEST 2025] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Wed Aug 27 14:18:08 CEST 2025] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Wed Aug 27 14:18:08 CEST 2025] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf'
[Wed Aug 27 14:18:08 CEST 2025] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Wed Aug 27 14:18:08 CEST 2025] Using CA: https://acme-v02.api.letsencrypt.org:443/directory
[Wed Aug 27 14:18:08 CEST 2025] _on_before_issue
[Wed Aug 27 14:18:08 CEST 2025] _chk_main_domain='asa.domain'
[Wed Aug 27 14:18:08 CEST 2025] _chk_alt_domains
[Wed Aug 27 14:18:08 CEST 2025] Le_LocalAddress
[Wed Aug 27 14:18:08 CEST 2025] d='asa.domain'
[Wed Aug 27 14:18:08 CEST 2025] Check for domain='asa.domain'
[Wed Aug 27 14:18:08 CEST 2025] _currentRoot='/var/acmesh/acme_challenge'
[Wed Aug 27 14:18:08 CEST 2025] d
[Wed Aug 27 14:18:08 CEST 2025] config file is empty, can not read CA_KEY_HASH
[Wed Aug 27 14:18:08 CEST 2025] Using config home:/var/acmesh/LetsEncrypt_Trustpoint/data
[Wed Aug 27 14:18:08 CEST 2025] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org:443/directory'
[Wed Aug 27 14:18:08 CEST 2025] _init api for server: https://acme-v02.api.letsencrypt.org:443/directory
[Wed Aug 27 14:18:08 CEST 2025] length='ec-256'
[Wed Aug 27 14:18:08 CEST 2025] Using config home:/var/acmesh/LetsEncrypt_Trustpoint/data
[Wed Aug 27 14:18:08 CEST 2025] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org:443/directory'
[Wed Aug 27 14:18:08 CEST 2025] Use length 256
[Wed Aug 27 14:18:08 CEST 2025] Using ec name: prime256v1
[Wed Aug 27 14:18:08 CEST 2025] Create account key ok.
[Wed Aug 27 14:18:08 CEST 2025] EC key
[Wed Aug 27 14:18:09 CEST 2025] config file is empty, can not read CA_EAB_KEY_ID
[Wed Aug 27 14:18:09 CEST 2025] config file is empty, can not read CA_EAB_HMAC_KEY
[Wed Aug 27 14:18:09 CEST 2025] config file is empty, can not read CA_EMAIL
[Wed Aug 27 14:18:09 CEST 2025] Registering account: https://acme-v02.api.letsencrypt.org:443/directory
[Wed Aug 27 14:18:09 CEST 2025] =======Begin Send Signed Request=======
[Wed Aug 27 14:18:09 CEST 2025] url='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Wed Aug 27 14:18:09 CEST 2025] payload='{"termsOfServiceAgreed": true}'
[Wed Aug 27 14:18:09 CEST 2025] HEAD
[Wed Aug 27 14:18:09 CEST 2025] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Wed Aug 27 14:18:09 CEST 2025] _CURL='curl --silent --dump-header /var/acmesh/LetsEncrypt_Trustpoint/data/http.header -L --cacert /etc/lina_roots/lina_roots.0.pem -g -I '
[Wed Aug 27 14:18:09 CEST 2025] _ret='0'
[Wed Aug 27 14:18:09 CEST 2025] POST
[Wed Aug 27 14:18:09 CEST 2025] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Wed Aug 27 14:18:09 CEST 2025] _CURL='curl --silent --dump-header /var/acmesh/LetsEncrypt_Trustpoint/data/http.header -L --cacert /etc/lina_roots/lina_roots.0.pem -g '
[Wed Aug 27 14:18:10 CEST 2025] _ret='0'
[Wed Aug 27 14:18:10 CEST 2025] code='201'
[Wed Aug 27 14:18:10 CEST 2025] Registered
[Wed Aug 27 14:18:10 CEST 2025] _accUri='https://acme-v02.api.letsencrypt.org/acme/acct/............'
[Wed Aug 27 14:18:10 CEST 2025] Calc CA_KEY_HASH='............'
[Wed Aug 27 14:18:10 CEST 2025] ACCOUNT_THUMBPRINT='............'
[Wed Aug 27 14:18:10 CEST 2025] Signing from existing CSR.
[Wed Aug 27 14:18:10 CEST 2025] Getting domain auth token for each domain
[Wed Aug 27 14:18:10 CEST 2025] d
[Wed Aug 27 14:18:10 CEST 2025] STEP 1, Ordering a Certificate
[Wed Aug 27 14:18:10 CEST 2025] =======Begin Send Signed Request=======
[Wed Aug 27 14:18:10 CEST 2025] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Wed Aug 27 14:18:10 CEST 2025] payload='{"identifiers": [{"type":"dns","value":"asa.domain"}]}'
[Wed Aug 27 14:18:11 CEST 2025] POST
[Wed Aug 27 14:18:11 CEST 2025] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Wed Aug 27 14:18:11 CEST 2025] _CURL='curl --silent --dump-header /var/acmesh/LetsEncrypt_Trustpoint/data/http.header -L --cacert /etc/lina_roots/lina_roots.0.pem -g '
[Wed Aug 27 14:18:11 CEST 2025] _ret='0'
[Wed Aug 27 14:18:11 CEST 2025] code='201'
[Wed Aug 27 14:18:12 CEST 2025] Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/............/............'
[Wed Aug 27 14:18:12 CEST 2025] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/............/............'
[Wed Aug 27 14:18:12 CEST 2025] STEP 2, Get the authorizations of each domain
[Wed Aug 27 14:18:12 CEST 2025] =======Begin Send Signed Request=======
[Wed Aug 27 14:18:12 CEST 2025] url='https://acme-v02.api.letsencrypt.org/acme/authz/............/............'
[Wed Aug 27 14:18:12 CEST 2025] payload
[Wed Aug 27 14:18:12 CEST 2025] POST
[Wed Aug 27 14:18:12 CEST 2025] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz/............/............'
[Wed Aug 27 14:18:12 CEST 2025] _CURL='curl --silent --dump-header /var/acmesh/LetsEncrypt_Trustpoint/data/http.header -L --cacert /etc/lina_roots/lina_roots.0.pem -g '
[Wed Aug 27 14:18:12 CEST 2025] _ret='0'
[Wed Aug 27 14:18:13 CEST 2025] code='200'
[Wed Aug 27 14:18:13 CEST 2025] d='asa.domain'
[Wed Aug 27 14:18:13 CEST 2025] Getting webroot for domain='asa.domain'
[Wed Aug 27 14:18:13 CEST 2025] _w='/var/acmesh/acme_challenge'
[Wed Aug 27 14:18:13 CEST 2025] _currentRoot='/var/acmesh/acme_challenge'
[Wed Aug 27 14:18:13 CEST 2025] _authz_url='https://acme-v02.api.letsencrypt.org/acme/authz/............/............'
[Wed Aug 27 14:18:13 CEST 2025] entry='"type":"http-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/............/............/............","status":"pending","token":"............"'
[Wed Aug 27 14:18:13 CEST 2025] token='............'
[Wed Aug 27 14:18:13 CEST 2025] uri='https://acme-v02.api.letsencrypt.org/acme/chall/............/............/............'
[Wed Aug 27 14:18:13 CEST 2025] keyauthorization='.........................'
[Wed Aug 27 14:18:13 CEST 2025] dvlist='asa.domain#.........................#https://acme-v02.api.letsencrypt.org/acme/chall/............/............/............#http-01#/var/acmesh/acme_challenge#https://acme-v02.api.letsencrypt.org/acme/authz/............/............'
[Wed Aug 27 14:18:13 CEST 2025] d
[Wed Aug 27 14:18:13 CEST 2025] vlist='asa.domain#.........................#https://acme-v02.api.letsencrypt.org/acme/chall/............/............/............#http-01#/var/acmesh/acme_challenge#https://acme-v02.api.letsencrypt.org/acme/authz/............/............,'
[Wed Aug 27 14:18:13 CEST 2025] d='asa.domain'
[Wed Aug 27 14:18:13 CEST 2025] ok, let's start to verify
[Wed Aug 27 14:18:13 CEST 2025] Verifying: asa.domain
[Wed Aug 27 14:18:13 CEST 2025] d='asa.domain'
[Wed Aug 27 14:18:13 CEST 2025] keyauthorization='.........................'
[Wed Aug 27 14:18:13 CEST 2025] uri='https://acme-v02.api.letsencrypt.org/acme/chall/............/............/............'
[Wed Aug 27 14:18:13 CEST 2025] _authz_url='https://acme-v02.api.letsencrypt.org/acme/authz/............/............'
[Wed Aug 27 14:18:13 CEST 2025] _currentRoot='/var/acmesh/acme_challenge'
[Wed Aug 27 14:18:13 CEST 2025] wellknown_path='/var/acmesh/acme_challenge/.well-known/acme-challenge'
[Wed Aug 27 14:18:13 CEST 2025] writing token:............ to /var/acmesh/acme_challenge/.well-known/acme-challenge/............
[Wed Aug 27 14:18:13 CEST 2025] =======Begin Send Signed Request=======
[Wed Aug 27 14:18:13 CEST 2025] url='https://acme-v02.api.letsencrypt.org/acme/chall/............/............/............'
[Wed Aug 27 14:18:13 CEST 2025] payload='{}'
[Wed Aug 27 14:18:13 CEST 2025] POST
[Wed Aug 27 14:18:13 CEST 2025] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall/............/............/............'
[Wed Aug 27 14:18:13 CEST 2025] _CURL='curl --silent --dump-header /var/acmesh/LetsEncrypt_Trustpoint/data/http.header -L --cacert /etc/lina_roots/lina_roots.0.pem -g '
[Wed Aug 27 14:18:14 CEST 2025] _ret='0'
[Wed Aug 27 14:18:14 CEST 2025] code='200'
[Wed Aug 27 14:18:14 CEST 2025] trigger validation code: 200
[Wed Aug 27 14:18:14 CEST 2025] Lets check the status of the authz
[Wed Aug 27 14:18:14 CEST 2025] Pending, The CA is processing your order, please just wait. (1/30)
[Wed Aug 27 14:18:14 CEST 2025] sleep 2 secs to verify again
[Wed Aug 27 14:18:16 CEST 2025] checking
[Wed Aug 27 14:18:16 CEST 2025] =======Begin Send Signed Request=======
[Wed Aug 27 14:18:16 CEST 2025] url='https://acme-v02.api.letsencrypt.org/acme/authz/............/............'
[Wed Aug 27 14:18:16 CEST 2025] payload
[Wed Aug 27 14:18:17 CEST 2025] POST
[Wed Aug 27 14:18:17 CEST 2025] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz/............/............'
[Wed Aug 27 14:18:17 CEST 2025] _CURL='curl --silent --dump-header /var/acmesh/LetsEncrypt_Trustpoint/data/http.header -L --cacert /etc/lina_roots/lina_roots.0.pem -g '
[Wed Aug 27 14:18:17 CEST 2025] _ret='0'
[Wed Aug 27 14:18:17 CEST 2025] code='200'
[Wed Aug 27 14:18:17 CEST 2025] Success
[Wed Aug 27 14:18:17 CEST 2025] pid
[Wed Aug 27 14:18:17 CEST 2025] Debugging, skip removing: /var/acmesh/acme_challenge/.well-known
[Wed Aug 27 14:18:17 CEST 2025] pid
[Wed Aug 27 14:18:17 CEST 2025] No need to restore nginx, skip.
[Wed Aug 27 14:18:17 CEST 2025] _clearupdns
[Wed Aug 27 14:18:17 CEST 2025] dns_entries
[Wed Aug 27 14:18:17 CEST 2025] skip dns.
[Wed Aug 27 14:18:17 CEST 2025] Verify finished, start to sign.
[Wed Aug 27 14:18:17 CEST 2025] i='2'
[Wed Aug 27 14:18:17 CEST 2025] j='9'
[Wed Aug 27 14:18:17 CEST 2025] Lets finalize the order.
[Wed Aug 27 14:18:17 CEST 2025] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/............/............'
[Wed Aug 27 14:18:17 CEST 2025] =======Begin Send Signed Request=======
[Wed Aug 27 14:18:17 CEST 2025] url='https://acme-v02.api.letsencrypt.org/acme/finalize/............/............'
[Wed Aug 27 14:18:17 CEST 2025] payload='{"csr": "............"}'
[Wed Aug 27 14:18:18 CEST 2025] POST
[Wed Aug 27 14:18:18 CEST 2025] _post_url='https://acme-v02.api.letsencrypt.org/acme/finalize/............/............'
[Wed Aug 27 14:18:18 CEST 2025] _CURL='curl --silent --dump-header /var/acmesh/LetsEncrypt_Trustpoint/data/http.header -L --cacert /etc/lina_roots/lina_roots.0.pem -g '
[Wed Aug 27 14:18:21 CEST 2025] _ret='0'
[Wed Aug 27 14:18:21 CEST 2025] code='200'
[Wed Aug 27 14:18:21 CEST 2025] Order status is valid.
[Wed Aug 27 14:18:21 CEST 2025] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/066f234b0fb37120b9bf3fb103fa4558160c'
[Wed Aug 27 14:18:21 CEST 2025] Downloading cert.
[Wed Aug 27 14:18:21 CEST 2025] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/066f234b0fb37120b9bf3fb103fa4558160c'
[Wed Aug 27 14:18:21 CEST 2025] =======Begin Send Signed Request=======
[Wed Aug 27 14:18:21 CEST 2025] url='https://acme-v02.api.letsencrypt.org/acme/cert/066f234b0fb37120b9bf3fb103fa4558160c'
[Wed Aug 27 14:18:21 CEST 2025] payload
[Wed Aug 27 14:18:22 CEST 2025] POST
[Wed Aug 27 14:18:22 CEST 2025] _post_url='https://acme-v02.api.letsencrypt.org/acme/cert/066f234b0fb37120b9bf3fb103fa4558160c'
[Wed Aug 27 14:18:22 CEST 2025] _CURL='curl --silent --dump-header /var/acmesh/LetsEncrypt_Trustpoint/data/http.header -L --cacert /etc/lina_roots/lina_roots.0.pem -g '
[Wed Aug 27 14:18:22 CEST 2025] _ret='0'
[Wed Aug 27 14:18:22 CEST 2025] code='200'
[Wed Aug 27 14:18:22 CEST 2025] Found cert chain
[Wed Aug 27 14:18:22 CEST 2025] _end_n='22'
[Wed Aug 27 14:18:22 CEST 2025] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/066f234b0fb37120b9bf3fb103fa4558160c'
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
............
Signature Algorithm: ecdsa-with-SHA384
Issuer: C = US, O = Let's Encrypt, CN = E7
Validity
Not Before: Aug 27 11:19:48 2025 GMT
Not After : Nov 25 11:19:47 2025 GMT
Subject: CN = asa.domain
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
............
ASN1 OID: secp384r1
NIST CURVE: P-384
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
............
[Wed Aug 27 14:18:22 CEST 2025] Cert success.
-----BEGIN CERTIFICATE-----
MII............
-----END CERTIFICATE-----
[Wed Aug 27 14:18:22 CEST 2025] Your cert is in: /var/acmesh/LetsEncrypt_Trustpoint/certs/asa.domain_ecc/asa.domain.cer
[Wed Aug 27 14:18:22 CEST 2025] The intermediate CA cert is in: /var/acmesh/LetsEncrypt_Trustpoint/certs/asa.domain_ecc/ca.cer
[Wed Aug 27 14:18:22 CEST 2025] And the full chain certs is there: /var/acmesh/LetsEncrypt_Trustpoint/certs/asa.domain_ecc/fullchain.cer
[Wed Aug 27 14:18:23 CEST 2025] _on_issue_success
ACME client exit code: 0
---------------------------------
End ACME PKCS#10 enrollment log
---------------------------------
PKI ACME[7]: END LOG BUF:
PKI ACME[8]: BEGIN OUTPUT BUF
{"ERROR_CODE":0,"CERT_CHAIN_PEM_TXT":"-----BEGIN CERTIFICATE-----\nMII............\n-----END CERTIFICATE-----"}
PKI ACME[8]: END OUTPUT BUF:
PKI ACME[7]: ERROR_CODE 0. Success
PKI ACME[7]: Certificate chain:
-----BEGIN CERTIFICATE-----
MII............
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MII............
-----END CERTIFICATE-----
PKI ACME[7]: ACME_Enroll() returns 0
PKI ACME[7]: Verifying ACME certificate path.
PKI ACME[7]: Verifying ACME cert chain
PKI ACME[7]: Certificate path verified
PKI ACME[7]: trust_point->router_cert_issued = TRUE
PKI ACME[7]: ACME enrollment certificate has been granted by CA
So it is definitely an error with multiple domains and/or the 20 seconds timeout.
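The debug output above is the place to see where the 20 second budget goes: acme.sh stamps every line, verifies each identifier in turn (authz, challenge trigger, then polling with "sleep 2 secs"), and the wrapper reports exit code 124 when the budget is exhausted. As an added example that is not part of this thread, not Cisco's code and not acme.sh's code, the following Python script parses lines in that log format and attributes elapsed time to each http-01 verification, so a three-domain run can be compared with the "timeout: 20" line. The sample log lines are constructed to look like the output above (domain names, timestamps and the order of events are made up); the mapping of exit code 124 to "ACME processing timeout" is taken from the Cisco table quoted earlier in the thread.

```python
import re
from datetime import datetime
from typing import Optional

# Constructed sample in the acme.sh debug format shown in this thread:
# three alt-fqdns verified one after another, run killed by the 20 s timeout.
# Timestamps and domains are made up; they are not from the attached log.
SAMPLE_LOG = """\
timeout: 20
[Wed Aug 27 14:18:06 CEST 2025] Using server: https://acme-v02.api.letsencrypt.org:443/directory
[Wed Aug 27 14:18:10 CEST 2025] STEP 1, Ordering a Certificate
[Wed Aug 27 14:18:12 CEST 2025] STEP 2, Get the authorizations of each domain
[Wed Aug 27 14:18:13 CEST 2025] Verifying: asa.domain1
[Wed Aug 27 14:18:17 CEST 2025] Success
[Wed Aug 27 14:18:18 CEST 2025] Verifying: asa.domain2
[Wed Aug 27 14:18:24 CEST 2025] Success
[Wed Aug 27 14:18:25 CEST 2025] Verifying: asa.domain3
ACME client exit code: 124
"""

# Exit code that the Cisco table quoted in the thread maps to "ACME processing timeout".
ACME_TIMEOUT_EXIT = 124

# acme.sh stamps lines as "[Wed Aug 27 14:18:06 CEST 2025] message".
# The weekday and zone name are dropped before parsing: strptime cannot parse
# "CEST", and only differences between stamps of the same run are needed.
_STAMP = re.compile(r"^\[\w{3}\s+(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\w+\s+(\d{4})\]\s(.*)$")


def parse_acme_log(text: str) -> dict:
    """Return the timeout budget, the exit code and the (timestamp, message) events."""
    budget: Optional[int] = None
    exit_code: Optional[int] = None
    events: list[tuple[datetime, str]] = []
    for line in text.splitlines():
        if line.startswith("timeout: "):
            budget = int(line.split(":", 1)[1])
        elif line.startswith("ACME client exit code: "):
            exit_code = int(line.rsplit(":", 1)[1])
        else:
            m = _STAMP.match(line)
            if m:
                ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%b %d %H:%M:%S %Y")
                events.append((ts, m.group(3)))
    return {"timeout": budget, "exit_code": exit_code, "events": events}


def diagnose(text: str) -> dict:
    """Attribute elapsed seconds to each 'Verifying: <domain>' ... 'Success' span
    and report which identifiers never finished before the client was stopped."""
    parsed = parse_acme_log(text)
    events = parsed["events"]
    if not events:
        raise ValueError("no timestamped acme.sh lines found")
    t0 = events[0][0]
    domains: list[dict] = []
    current: Optional[dict] = None
    for ts, msg in events:
        if msg.startswith("Verifying: "):
            current = {"domain": msg.split(": ", 1)[1],
                       "start": (ts - t0).total_seconds(), "seconds": None}
            domains.append(current)
        elif msg == "Success" and current is not None and current["seconds"] is None:
            current["seconds"] = (ts - t0).total_seconds() - current["start"]
    elapsed = (events[-1][0] - t0).total_seconds()
    return {
        "budget": parsed["timeout"],
        "elapsed": elapsed,
        "exit_code": parsed["exit_code"],
        "timed_out": parsed["exit_code"] == ACME_TIMEOUT_EXIT,
        "domains": domains,
        "unverified": [d["domain"] for d in domains if d["seconds"] is None],
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG)
    print(f"budget {report['budget']}s, last log line at {report['elapsed']:.0f}s, "
          f"exit {report['exit_code']} (timed out: {report['timed_out']})")
    for d in report["domains"]:
        spent = "not finished" if d["seconds"] is None else f"{d['seconds']:.0f}s"
        print(f"  {d['domain']}: started at {d['start']:.0f}s, verification took {spent}")
```

Feed it the text of a real "debug crypto ca acme 255" capture instead of SAMPLE_LOG to see how much of the budget the directory fetch, account registration and each verification consume; if the unverified list is non-empty while the exit code is 124, the run was cut off during challenge validation rather than failing validation itself, which is the distinction the thread is trying to make.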
08-27-2025 06:10 AM
Issue with validating the domain, check this.
And I will do a deeper dive into what causes this behaviour.
MHM
08-27-2025 06:50 AM
Check this document and see if there is any limitation on multi-domain.
Check if you can do multiple trustpoints, a different trustpoint with a different domain (never tested myself, just an idea).
The document provides troubleshooting tips.