Description
Steps to Reproduce
I've been trying to set up ACME on a home server that is running Proxmox and TrueNAS (VM);
As per my understanding there should not be any issues with issuing multiple certificates in a small timespan; I managed to get it working on Proxmox + nginx reverse proxy and was halfway through testing acme.sh in TrueNAS (i.e. got certificate yesterday and stopped tinkering; today I forced another cert because I wanted to see if env vars had to be set on each run and it worked but when I issued/forced it again, almost immediately, it stopped working and I got the error)...
I'm used to working with step cli and JWT to issue my local certificates and never got an issue but to have it all working out of the box I just ran the --renewal with a period of 12h that way I always had a fresh crt... I tend to forget the dates that certificates will expire and by the time they expire if time is too long I've already forgotten what I did and have to lose a whole day just to set it up again... I was looking to automate the process with the tools that are provided by Proxmox (and TrueNAS for that matter) but it has proven to be way more difficult than I expected or there is something I'm missing; I've noticed there are other issues like this; some have been fixed by restarting CA (DONE), other by starting CA from scratch (DONE), added policy.x509 {} in ca.json but does not show when I run step ca policy authority view and get that it does not exist; nor does it fix the issue... running step ca certificate --provisioner acme works 100% of the time and HTTP-01 challenge works as well... any help, comment or explanation is highly appreciated.
Your Environment
- OS - PI5 running Docker image
- step-ca Version - Smallstep CLI/0.29.0 (linux/arm64)
Release Date: 2025-12-03 04:11 UTC
Expected Behavior
Certificate should always be issued...
time="2026-02-10T23:15:48Z"
level=info duration=8.041846ms
duration-ns=8041846
fields.time="2026-02-10T23:15:48Z"
method=POST
name=ca
nonce=Nm9wQ1V6M2xIVHBjZG8wNDA1cUZ4OGZnRm9wZmRxQ1o path=/acme/acme/authz/apzRPkiLcSR9hbed6S8akVrcW7m2ZvSZ protocol=HTTP/2.0
referer= remote-address=10.15.15.250
request-id=344f16a1-6902-4ae4-a349-3ffd062742cc
response="{
\"identifier\":{
\"type\":\"dns\",
\"value\":\"nas.pve.local\"
},
\"status\":\"pending\",
\"challenges\":[{
\"type\":\"dns-01\",
\"status\":\"pending\",
\"token\":\"EBQE57dcqSstHu4WWx1b477ef6r90pCf\",
\"url\":\"https://ca.pi.local:5739/acme/acme/challenge/apzRPkiLcSR9hbed6S8akVrcW7m2ZvSZ/R5UP1iLmNoc7CV5lgQnWrOrvmu04KSmR\"
},
{\"type\":\"http-01\",
\"status\":\"pending\",
\"token\":\"EBQE57dcqSstHu4WWx1b477ef6r90pCf\",\"url\":\"https://ca.pi.local:5739/acme/acme/challenge/apzRPkiLcSR9hbed6S8akVrcW7m2ZvSZ/qX73wK2LVUG2U93nT94z8eocqVwA0KGl\"
},
{\"type\":\"tls-alpn-01\",
\"status\":\"pending\",
\"token\":\"EBQE57dcqSstHu4WWx1b477ef6r90pCf\",
\"url\":\"https://ca.pi.local:5739/acme/acme/challenge/apzRPkiLcSR9hbed6S8akVrcW7m2ZvSZ/Ih3QxhAKnXrsPOomYgyeT12tvr6UiO11\"
}],
\"wildcard\":false,
\"expires\":\"2026-02-11T23:15:48Z\"
}"
size=741
status=200
user-agent="acme.sh/3.1.3 (https://github.com/acmesh-official/acme.sh)"
user-id=
Actual Behavior
It works sometimes and most of the time I get...
ca-1 | time="2026-02-10T23:45:34Z" level=info duration="197.759µs" duration-ns=197759 fields.time="2026-02-10T23:45:34Z" method=GET name=ca path=/acme/acme/directory protocol=HTTP/2.0 referer= remote-address=10.15.15.250 request-id=118f3be6-97a3-4fec-b87a-43a137497396 response="{\"newNonce\":\"https://ca.pi.local:5739/acme/acme/new-nonce\",\"newAccount\":\"https://ca.pi.local:5739/acme/acme/new-account\",\"newOrder\":\"https://ca.pi.local:5739/acme/acme/new-order\",\"revokeCert\":\"https://ca.pi.local:5739/acme/acme/revoke-cert\",\"keyChange\":\"https://ca.pi.local:5739/acme/acme/key-change\"}" size=302 status=200 user-agent="acme.sh/3.1.3 (https://github.com/acmesh-official/acme.sh)" user-id=
ca-1 | time="2026-02-10T23:45:34Z" level=info duration=4.549038ms duration-ns=4549038 fields.time="2026-02-10T23:45:34Z" method=HEAD name=ca nonce=R2ZDVG1YSUpuTDcwNFNWWXpqREFUNGNQNUVNQmZjS2c path=/acme/acme/new-nonce protocol=HTTP/2.0 referer= remote-address=10.15.15.250 request-id=13bc4ec0-1615-4a61-bf2c-7ea8a5bf2512 size=0 status=200 user-agent="acme.sh/3.1.3 (https://github.com/acmesh-official/acme.sh)" user-id=
ca-1 | time="2026-02-10T23:45:34Z" level=info duration=28.954934ms duration-ns=28954934 fields.time="2026-02-10T23:45:34Z" method=POST name=ca nonce=Zjc5MXBJMVl6czJLSHJWZzRHSThxMkJGRkFSbmVPV3U path=/acme/acme/new-order protocol=HTTP/2.0 referer= remote-address=10.15.15.250 request-id=7e87cc18-acf4-4c04-8fdf-cda7034db3f9 response="{\"id\":\"OUBetyeHtpSX1NX2glWmF0Qtch61Qhzo\",\"status\":\"pending\",\"expires\":\"2026-02-11T23:45:34Z\",\"identifiers\":[{\"type\":\"dns\",\"value\":\"terra.pve.internal\"}],\"notBefore\":\"2026-02-10T23:44:34Z\",\"notAfter\":\"2026-02-11T23:45:34Z\",\"authorizations\":[\"https://ca.pi.local:5739/acme/acme/authz/4qwws7Wyd4ug1N90QmL9sPKXdmitCMQd\"],\"finalize\":\"https://ca.pi.local:5739/acme/acme/order/OUBetyeHtpSX1NX2glWmF0Qtch61Qhzo/finalize\"}" size=414 status=201 user-agent="acme.sh/3.1.3 (https://github.com/acmesh-official/acme.sh)" user-id=
ca-1 | time="2026-02-10T23:45:34Z" level=info duration=8.343688ms duration-ns=8343688 fields.time="2026-02-10T23:45:34Z" method=POST name=ca nonce=SmhmOGZBYzk1ZE5vOTZXckEySDFnVmpsWjRIVE9LcWE path=/acme/acme/authz/4qwws7Wyd4ug1N90QmL9sPKXdmitCMQd protocol=HTTP/2.0 referer= remote-address=10.15.15.250 request-id=51138c77-b6f8-41eb-8248-56d757454769 response="{\"identifier\":{\"type\":\"dns\",\"value\":\"terra.pve.internal\"},\"status\":\"pending\",\"challenges\":[{\"type\":\"dns-01\",\"status\":\"pending\",\"token\":\"xJWvyyjnaJ7e17AawsQ0ddjtvx233Sl2\",\"url\":\"https://ca.pi.local:5739/acme/acme/challenge/4qwws7Wyd4ug1N90QmL9sPKXdmitCMQd/QDH8P9aTUUgyUEafsEVPv8IFcZMfKtQ6\"},{\"type\":\"http-01\",\"status\":\"pending\",\"token\":\"xJWvyyjnaJ7e17AawsQ0ddjtvx233Sl2\",\"url\":\"https://ca.pi.local:5739/acme/acme/challenge/4qwws7Wyd4ug1N90QmL9sPKXdmitCMQd/ueD66ikzuDqIW1s80KFqQ1nz2jllDUJ4\"},{\"type\":\"tls-alpn-01\",\"status\":\"pending\",\"token\":\"xJWvyyjnaJ7e17AawsQ0ddjtvx233Sl2\",\"url\":\"https://ca.pi.local:5739/acme/acme/challenge/4qwws7Wyd4ug1N90QmL9sPKXdmitCMQd/Df8iQbbLNEI7Or3bOWSwccG3u1eEyzpq\"}],\"wildcard\":false,\"expires\":\"2026-02-11T23:45:34Z\"}" size=746 status=200 user-agent="acme.sh/3.1.3 (https://github.com/acmesh-official/acme.sh)" user-id=
ca-1 | time="2026-02-10T23:45:40Z" level=info duration=15.841985ms duration-ns=15841985 fields.time="2026-02-10T23:45:40Z" method=POST name=ca nonce=SG5DQUFpVzQ0SGdZaTNWd1RzeFo3aEI1c2U1YVFCYXI path=/acme/acme/challenge/4qwws7Wyd4ug1N90QmL9sPKXdmitCMQd/QDH8P9aTUUgyUEafsEVPv8IFcZMfKtQ6 protocol=HTTP/2.0 referer= remote-address=10.15.15.250 request-id=c6ae35b9-9894-42be-a088-aef6cdf6b462 response="{\"type\":\"dns-01\",\"status\":\"valid\",\"token\":\"xJWvyyjnaJ7e17AawsQ0ddjtvx233Sl2\",\"validated\":\"2026-02-10T23:45:40Z\",\"url\":\"https://ca.pi.local:5739/acme/acme/challenge/4qwws7Wyd4ug1N90QmL9sPKXdmitCMQd/QDH8P9aTUUgyUEafsEVPv8IFcZMfKtQ6\"}" size=232 status=200 user-agent="acme.sh/3.1.3 (https://github.com/acmesh-official/acme.sh)" user-id=
ca-1 | time="2026-02-10T23:45:41Z" level=info duration=31.034175ms duration-ns=31034175 fields.time="2026-02-10T23:45:41Z" method=POST name=ca nonce=QnRxU29wOEpyUUxwdmpJVnJqcU05MGJhY2gzTWR5bU0 path=/acme/acme/order/OUBetyeHtpSX1NX2glWmF0Qtch61Qhzo/finalize protocol=HTTP/2.0 referer= remote-address=10.15.15.250 request-id=e8c363ac-fceb-402b-817d-749940069903 response="{\"id\":\"OUBetyeHtpSX1NX2glWmF0Qtch61Qhzo\",\"status\":\"valid\",\"expires\":\"2026-02-11T23:45:34Z\",\"identifiers\":[{\"type\":\"dns\",\"value\":\"terra.pve.internal\"}],\"notBefore\":\"2026-02-10T23:44:34Z\",\"notAfter\":\"2026-02-11T23:45:34Z\",\"authorizations\":[\"https://ca.pi.local:5739/acme/acme/authz/4qwws7Wyd4ug1N90QmL9sPKXdmitCMQd\"],\"finalize\":\"https://ca.pi.local:5739/acme/acme/order/OUBetyeHtpSX1NX2glWmF0Qtch61Qhzo/finalize\",\"certificate\":\"https://ca.pi.local:5739/acme/acme/certificate/fRjOnLyy342GvSvhtn7Ne2j9Q4XZjqVF\"}" size=508 status=200 user-agent="acme.sh/3.1.3 (https://github.com/acmesh-official/acme.sh)" user-id=
ca-1 | time="2026-02-10T23:45:41Z" level=info certificate="MIICBzCCAa2gAwIBAgIRAKpNXKLVGTCdDAB/W0h+QO4wCgYIKoZIzj0EAwIwOjETMBEGA1UECgwKT2x5bXBvc19DQTEjMCEGA1UEAwwaT2x5bXBvc19DQSBJbnRlcm1lZGlhdGUgQ0EwHhcNMjYwMjEwMjM0NDM0WhcNMjYwMjExMjM0NTM0WjAdMRswGQYDVQQDExJ0ZXJyYS5wdmUuaW50ZXJuYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASwvf5NiepRSQE1PSRLz8jVDWA8jflHXCF6Jo3gLFRHu6znFH2Bp62xDJLemRTME5PmkaBMG1MdnrG15gtR2GlAo4GwMIGtMA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFKVjXXlhKjjuH7Cs0jTVjkmHZtPRMB8GA1UdIwQYMBaAFLTdYAvo1DvQcbTH42xjIaCMp3hMMB0GA1UdEQQWMBSCEnRlcnJhLnB2ZS5pbnRlcm5hbDAdBgwrBgEEAYKkZMYoQAEEDTALAgEGBARhY21lBAAwCgYIKoZIzj0EAwIDSAAwRQIgA0HzBSqeTuMYrFmHTFu/s80gTFEdqdkVNSWIwz2R8zsCIQDXf8FIPysm7b7uW4rU6H8PlxMc0B8g9oIx00b8aPjZjg==" duration=7.474705ms duration-ns=7474705 fields.time="2026-02-10T23:45:41Z" issuer="Olympos_CA Intermediate CA" method=POST name=ca nonce=Y1MxY3J6cURxY3hLMmk5TTlGd2Y4Tld1QjlCdVVqWG4 path=/acme/acme/certificate/fRjOnLyy342GvSvhtn7Ne2j9Q4XZjqVF protocol=HTTP/2.0 provisioner=acme public-key="ECDSA P-256" referer= remote-address=10.15.15.250 request-id=53bdf695-26b7-4ec0-8d9d-486fc9e8dc12 sans="map[dns:[terra.pve.internal]]" serial=226370445024139503193577435607852794094 size=1453 status=200 subject=terra.pve.internal user-agent="acme.sh/3.1.3 (https://github.com/acmesh-official/acme.sh)" user-id= valid-from="2026-02-10T23:44:34Z" valid-to="2026-02-11T23:45:34Z"
Additional Context
No response
Contributing
Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
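
A triage sketch for logs like the ones above, added here as an example and not part of the original report or of step-ca: it parses the logfmt lines and groups ACME requests per order, so that orders which never reach a certificate download stand out. The sample lines, `ca.example` and the `ORD*`/`AZ*`/`CH*`/`CRT*` ids are constructed placeholders; the helper names are hypothetical.

```python
import json
import re

# One logfmt pair: key=bare or key="quoted with \" escapes", as in the step-ca lines above
PAIR = re.compile(r'([\w.-]+)=("(?:[^"\\]|\\.)*"|\S*)')

def parse_line(line):
    """Parse one logfmt line into a dict, unescaping quoted values."""
    return {k: re.sub(r'\\(.)', r'\1', v[1:-1]) if v.startswith('"') else v
            for k, v in PAIR.findall(line)}

def trace_orders(lines):
    """Map order id -> [(resource, http_status, acme_status), ...] in log order."""
    child_to_order, orders = {}, {}
    for f in map(parse_line, lines):
        parts = f.get("path", "").strip("/").split("/")  # acme/<provisioner>/<resource>/<id>
        if len(parts) < 3 or parts[0] != "acme":
            continue
        try:
            body = json.loads(f.get("response") or "{}")
        except json.JSONDecodeError:
            body = {}
        resource = parts[2]
        rid = body.get("id") if resource == "new-order" else (parts[3] if len(parts) > 3 else None)
        # authz, challenge and certificate ids are only known from earlier responses
        order = rid if resource in ("new-order", "order") else child_to_order.get(rid)
        if order is None:
            continue
        for url in body.get("authorizations", []) + [body.get("certificate")]:
            if url:
                child_to_order[url.rsplit("/", 1)[-1]] = order
        orders.setdefault(order, []).append((resource, int(f.get("status", 0)), body.get("status")))
    return orders

def unfinished(orders):
    """Order ids whose last logged step is not a successful certificate download."""
    return sorted(o for o, s in orders.items() if s[-1][0] != "certificate" or s[-1][1] != 200)

def log_line(path, status, body):  # builds one constructed line in the same logfmt shape
    return 'method=POST path=/acme/acme/%s response="%s" status=%d' % (
        path, json.dumps(body).replace('"', '\\"'), status)

U = "https://ca.example/acme/acme/"  # placeholder CA URL and ids, not from the report
SAMPLE = [  # constructed: ORD1 completes, ORD2 stops at a failed challenge
    log_line("new-order", 201, {"id": "ORD1", "authorizations": [U + "authz/AZ1"]}),
    log_line("new-order", 201, {"id": "ORD2", "authorizations": [U + "authz/AZ2"]}),
    log_line("challenge/AZ1/CH1", 200, {"type": "http-01", "status": "valid"}),
    log_line("challenge/AZ2/CH2", 200, {"type": "dns-01", "status": "invalid"}),
    log_line("order/ORD1/finalize", 200, {"status": "valid", "certificate": U + "certificate/CRT1"}),
    'method=POST path=/acme/acme/certificate/CRT1 status=200',
]
```

Feeding it the CA container's log lines and printing `unfinished(trace_orders(lines))` shows which orders stalled and at which step, which is the part of the exchange a report like this needs to include.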