Acme-client endless loop with order.status 0

My domain is: pandion.au

I ran this command:
doas acme-client -vv -f acme-client.conf pandion.au
with this contents in acme-client.conf:

authority letsencrypt-staging {
        api url "https://acme-staging-v02.api.letsencrypt.org/directory"
        account key "/etc/acme/letsencrypt-staging-privkey.pem"
}
domain pandion.au {
  alternative names { www.pandion.au }
  domain key "/vhost/pandion.au/host.key.pem"
  domain certificate "/vhost/pandion.au/test.cert.pem"
  domain full chain certificate "/vhost/pandion.au/test.fullchain.pem"
  sign with letsencrypt-staging
}

It produced this output:

acme-client: /vhost/pandion.au/host.key.pem: loaded domain key
acme-client: /etc/acme/letsencrypt-staging-privkey.pem: generated RSA account key
acme-client: https://acme-staging-v02.api.letsencrypt.org/directory: directories
acme-client: acme-staging-v02.api.letsencrypt.org: DNS: 172.65.46.172
acme-client: transfer buffer: [{ "Dc5Onzj_46g": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change", "meta": { "caaIdentities": [ "letsencrypt.org" ], "profiles": { "classic": "https://letsencrypt.org/docs/profiles#classic", "shortlived": "https://letsencrypt.org/docs/profiles#shortlived (not yet generally available)", "tlsserver": "https://letsencrypt.org/docs/profiles#tlsserver" }, "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf", "website": "https://letsencrypt.org/docs/staging-environment/" }, "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct", "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce", "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order", "renewalInfo": "https://acme-staging-v02.api.letsencrypt.org/draft-ietf-acme-ari-03/renewalInfo", "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert" }] (1086 bytes)
acme-client: transfer buffer: [{ "key": { "kty": "RSA", "n": "1xKYZDxLlzs9KJhJZJWOvFDZmlM1MMT2biCuluoJQyu79Y0fLpMIME8D8Rxc8rzXY6RziqfJcsgYFA68HDhhMBik8KELQCI8yswD3QtCPyuUz87uyIamknn611MN5OZpeMcPTO5PF-yFP2qETqe8-h8AOj-GqwnqDCVzcaNwboNRpxn9zTdcFWaCYPDDSq9PHFFfN5hu5pu3rQnZDvoZmNuOa8oOEJm7d8nLkoPBmm7vNhjn3ZH-J1vFO5hUmOiFeD3s2kbuFEKfE_pHsKgEAV28Uz7ivH4Ue_XnofD3z3o8blHOMx9iKTuTR4Mc6MmUqeOkMOFqA-e2RfrASe7PH7nBdiI4ItqOzEzcNrv8o3XgPoDrbH1qzWGbsjNB0-gfnNZz1EsmFMmWWkddFv4-Mkw06j7t3M3h-Oz4hHWrn_TI82-b7orcbBy_Mvjp8AzaP2idFXRLO3vIEeNTTl17H6KePMl7Ot_UUICW2ne7OWo9CzZGYrV1U8RV_trTx8OPu2VtKA8scsEX5OwfzBkkafvcAsZnB-9Kmoy_QwerAT_zUwvKNUAWI7OPSOemQbz09LXVU5-HDcoC_-mUfXTrcMd1DTm2vRI8Np-NK4ea1CaIq3Fmlb4AMTCuqR3PPpMuxNDPuYoSgbdZO2R2V0jlP9Uz8R5xjNGJGTB21oNegJs", "e": "AQAB" }, "createdAt": "2025-05-25T01:18:45.757280819Z", "status": "valid" }] (818 bytes)
acme-client: transfer buffer: [{ "key": { "kty": "RSA", "n": "1xKYZDxLlzs9KJhJZJWOvFDZmlM1MMT2biCuluoJQyu79Y0fLpMIME8D8Rxc8rzXY6RziqfJcsgYFA68HDhhMBik8KELQCI8yswD3QtCPyuUz87uyIamknn611MN5OZpeMcPTO5PF-yFP2qETqe8-h8AOj-GqwnqDCVzcaNwboNRpxn9zTdcFWaCYPDDSq9PHFFfN5hu5pu3rQnZDvoZmNuOa8oOEJm7d8nLkoPBmm7vNhjn3ZH-J1vFO5hUmOiFeD3s2kbuFEKfE_pHsKgEAV28Uz7ivH4Ue_XnofD3z3o8blHOMx9iKTuTR4Mc6MmUqeOkMOFqA-e2RfrASe7PH7nBdiI4ItqOzEzcNrv8o3XgPoDrbH1qzWGbsjNB0-gfnNZz1EsmFMmWWkddFv4-Mkw06j7t3M3h-Oz4hHWrn_TI82-b7orcbBy_Mvjp8AzaP2idFXRLO3vIEeNTTl17H6KePMl7Ot_UUICW2ne7OWo9CzZGYrV1U8RV_trTx8OPu2VtKA8scsEX5OwfzBkkafvcAsZnB-9Kmoy_QwerAT_zUwvKNUAWI7OPSOemQbz09LXVU5-HDcoC_-mUfXTrcMd1DTm2vRI8Np-NK4ea1CaIq3Fmlb4AMTCuqR3PPpMuxNDPuYoSgbdZO2R2V0jlP9Uz8R5xjNGJGTB21oNegJs", "e": "AQAB" }, "createdAt": "2025-05-25T01:18:45.757280819Z", "status": "valid" }] (818 bytes)
acme-client: transfer buffer: [{ "status": "pending", "expires": "2025-06-01T01:18:46Z", "identifiers": [ { "type": "dns", "value": "pandion.au" }, { "type": "dns", "value": "www.pandion.au" } ], "authorizations": [ "https://acme-staging-v02.api.letsencrypt.org/acme/authz/201858544/17571614724", "https://acme-staging-v02.api.letsencrypt.org/acme/authz/201858544/17571614744" ], "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/201858544/24873632914" }] (507 bytes)
acme-client: dochngreq: https://acme-staging-v02.api.letsencrypt.org/acme/authz/201858544/17571614724
acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": "pandion.au" }, "status": "pending", "expires": "2025-06-01T01:18:46Z", "challenges": [ { "type": "http-01", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/201858544/17571614724/TmGRjA", "status": "pending", "token": "_c3tL5CtXGf3Uch6z3afBftizJU-zcU5WaeAk_IS9rc" }, { "type": "tls-alpn-01", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/201858544/17571614724/P9ISEA", "status": "pending", "token": "_c3tL5CtXGf3Uch6z3afBftizJU-zcU5WaeAk_IS9rc" }, { "type": "dns-01", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/201858544/17571614724/8ELoug", "status": "pending", "token": "_c3tL5CtXGf3Uch6z3afBftizJU-zcU5WaeAk_IS9rc" } ] }] (836 bytes)
acme-client: challenge, token: _c3tL5CtXGf3Uch6z3afBftizJU-zcU5WaeAk_IS9rc, uri: https://acme-staging-v02.api.letsencrypt.org/acme/chall/201858544/17571614724/TmGRjA, status: 0
acme-client: /var/www/acme/_c3tL5CtXGf3Uch6z3afBftizJU-zcU5WaeAk_IS9rc: created
acme-client: dochngreq: https://acme-staging-v02.api.letsencrypt.org/acme/authz/201858544/17571614744
acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": "www.pandion.au" }, "status": "pending", "expires": "2025-06-01T01:18:46Z", "challenges": [ { "type": "http-01", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/201858544/17571614744/fzMcEw", "status": "pending", "token": "PAz-ZFi4qAon8R4TP_0tt4FqpYxflTNqQiVp0n4Dqnc" }, { "type": "tls-alpn-01", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/201858544/17571614744/n1YVAQ", "status": "pending", "token": "PAz-ZFi4qAon8R4TP_0tt4FqpYxflTNqQiVp0n4Dqnc" }, { "type": "dns-01", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/201858544/17571614744/kR2KeA", "status": "pending", "token": "PAz-ZFi4qAon8R4TP_0tt4FqpYxflTNqQiVp0n4Dqnc" } ] }] (840 bytes)
acme-client: challenge, token: PAz-ZFi4qAon8R4TP_0tt4FqpYxflTNqQiVp0n4Dqnc, uri: https://acme-staging-v02.api.letsencrypt.org/acme/chall/201858544/17571614744/fzMcEw, status: 0
acme-client: /var/www/acme/PAz-ZFi4qAon8R4TP_0tt4FqpYxflTNqQiVp0n4Dqnc: created
acme-client: https://acme-staging-v02.api.letsencrypt.org/acme/chall/201858544/17571614724/TmGRjA: challenge
acme-client: transfer buffer: [{ "type": "http-01", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/201858544/17571614724/TmGRjA", "status": "pending", "token": "_c3tL5CtXGf3Uch6z3afBftizJU-zcU5WaeAk_IS9rc" }] (201 bytes)
acme-client: https://acme-staging-v02.api.letsencrypt.org/acme/chall/201858544/17571614744/fzMcEw: challenge
acme-client: transfer buffer: [{ "type": "http-01", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/201858544/17571614744/fzMcEw", "status": "pending", "token": "PAz-ZFi4qAon8R4TP_0tt4FqpYxflTNqQiVp0n4Dqnc" }] (201 bytes)
acme-client: transfer buffer: [{ "status": "pending", "expires": "2025-06-01T01:18:46Z", "identifiers": [ { "type": "dns", "value": "pandion.au" }, { "type": "dns", "value": "www.pandion.au" } ], "authorizations": [ "https://acme-staging-v02.api.letsencrypt.org/acme/authz/201858544/17571614724", "https://acme-staging-v02.api.letsencrypt.org/acme/authz/201858544/17571614744" ], "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/201858544/24873632914" }] (507 bytes)
acme-client: order.status 0
acme-client: dochngreq: https://acme-staging-v02.api.letsencrypt.org/acme/authz/201858544/17571614724
acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": "pandion.au" }, "status": "pending", "expires": "2025-06-01T01:18:46Z", "challenges": [ { "type": "dns-01", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/201858544/17571614724/8ELoug", "status": "pending", "token": "_c3tL5CtXGf3Uch6z3afBftizJU-zcU5WaeAk_IS9rc" }, { "type": "http-01", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/201858544/17571614724/TmGRjA", "status": "pending", "token": "_c3tL5CtXGf3Uch6z3afBftizJU-zcU5WaeAk_IS9rc" }, { "type": "tls-alpn-01", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/201858544/17571614724/P9ISEA", "status": "pending", "token": "_c3tL5CtXGf3Uch6z3afBftizJU-zcU5WaeAk_IS9rc" } ] }] (836 bytes)
acme-client: challenge, token: _c3tL5CtXGf3Uch6z3afBftizJU-zcU5WaeAk_IS9rc, uri: https://acme-staging-v02.api.letsencrypt.org/acme/chall/201858544/17571614724/TmGRjA, status: 0
acme-client: /var/www/acme/_c3tL5CtXGf3Uch6z3afBftizJU-zcU5WaeAk_IS9rc: created
acme-client: dochngreq: https://acme-staging-v02.api.letsencrypt.org/acme/authz/201858544/17571614744
acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": "www.pandion.au" }, "status": "pending", "expires": "2025-06-01T01:18:46Z", "challenges": [ { "type": "tls-alpn-01", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/201858544/17571614744/n1YVAQ", "status": "pending", "token": "PAz-ZFi4qAon8R4TP_0tt4FqpYxflTNqQiVp0n4Dqnc" }, { "type": "dns-01", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/201858544/17571614744/kR2KeA", "status": "pending", "token": "PAz-ZFi4qAon8R4TP_0tt4FqpYxflTNqQiVp0n4Dqnc" }, { "type": "http-01", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/201858544/17571614744/fzMcEw", "status": "pending", "token": "PAz-ZFi4qAon8R4TP_0tt4FqpYxflTNqQiVp0n4Dqnc" } ] }] (840 bytes)
acme-client: challenge, token: PAz-ZFi4qAon8R4TP_0tt4FqpYxflTNqQiVp0n4Dqnc, uri: https://acme-staging-v02.api.letsencrypt.org/acme/chall/201858544/17571614744/fzMcEw, status: 0
acme-client: /var/www/acme/PAz-ZFi4qAon8R4TP_0tt4FqpYxflTNqQiVp0n4Dqnc: created
acme-client: https://acme-staging-v02.api.letsencrypt.org/acme/chall/201858544/17571614724/TmGRjA: challenge
acme-client: transfer buffer: [{ "type": "http-01", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/201858544/17571614724/TmGRjA", "status": "pending", "token": "_c3tL5CtXGf3Uch6z3afBftizJU-zcU5WaeAk_IS9rc" }] (201 bytes)
acme-client: https://acme-staging-v02.api.letsencrypt.org/acme/chall/201858544/17571614744/fzMcEw: challenge
acme-client: transfer buffer: [{ "type": "http-01", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/201858544/17571614744/fzMcEw", "status": "pending", "token": "PAz-ZFi4qAon8R4TP_0tt4FqpYxflTNqQiVp0n4Dqnc" }] (201 bytes)
acme-client: transfer buffer: [{ "status": "pending", "expires": "2025-06-01T01:18:46Z", "identifiers": [ { "type": "dns", "value": "pandion.au" }, { "type": "dns", "value": "www.pandion.au" } ], "authorizations": [ "https://acme-staging-v02.api.letsencrypt.org/acme/authz/201858544/17571614724", "https://acme-staging-v02.api.letsencrypt.org/acme/authz/201858544/17571614744" ], "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/201858544/24873632914" }] (507 bytes)
acme-client: order.status 0
acme-client: dochngreq: https://acme-staging-v02.api.letsencrypt.org/acme/authz/201858544/17571614724
acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": "pandion.au" }, "status": "pending", "expires": "2025-06-01T01:18:46Z", "challenges": [ { "type": "http-01", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/201858544/17571614724/TmGRjA", "status": "pending", "token": "_c3tL5CtXGf3Uch6z3afBftizJU-zcU5WaeAk_IS9rc" }, { "type": "tls-alpn-01", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/201858544/17571614724/P9ISEA", "status": "pending", "token": "_c3tL5CtXGf3Uch6z3afBftizJU-zcU5WaeAk_IS9rc" }, { "type": "dns-01", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/201858544/17571614724/8ELoug", "status": "pending", "token": "_c3tL5CtXGf3Uch6z3afBftizJU-zcU5WaeAk_IS9rc" } ] }] (836 bytes)
acme-client: challenge, token: _c3tL5CtXGf3Uch6z3afBftizJU-zcU5WaeAk_IS9rc, uri: https://acme-staging-v02.api.letsencrypt.org/acme/chall/201858544/17571614724/TmGRjA, status: 0
acme-client: /var/www/acme/_c3tL5CtXGf3Uch6z3afBftizJU-zcU5WaeAk_IS9rc: created
acme-client: dochngreq: https://acme-staging-v02.api.letsencrypt.org/acme/authz/201858544/17571614744
acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": "www.pandion.au" }, "status": "pending", "expires": "2025-06-01T01:18:46Z", "challenges": [ { "type": "http-01", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/201858544/17571614744/fzMcEw", "status": "pending", "token": "PAz-ZFi4qAon8R4TP_0tt4FqpYxflTNqQiVp0n4Dqnc" }, { "type": "dns-01", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/201858544/17571614744/kR2KeA", "status": "pending", "token": "PAz-ZFi4qAon8R4TP_0tt4FqpYxflTNqQiVp0n4Dqnc" }, { "type": "tls-alpn-01", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/201858544/17571614744/n1YVAQ", "status": "pending", "token": "PAz-ZFi4qAon8R4TP_0tt4FqpYxflTNqQiVp0n4Dqnc" } ] }] (840 bytes)
acme-client: challenge, token: PAz-ZFi4qAon8R4TP_0tt4FqpYxflTNqQiVp0n4Dqnc, uri: https://acme-staging-v02.api.letsencrypt.org/acme/chall/201858544/17571614744/fzMcEw, status: 0
acme-client: /var/www/acme/PAz-ZFi4qAon8R4TP_0tt4FqpYxflTNqQiVp0n4Dqnc: created
acme-client: https://acme-staging-v02.api.letsencrypt.org/acme/chall/201858544/17571614724/TmGRjA: challenge
acme-client: transfer buffer: [{ "type": "http-01", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/201858544/17571614724/TmGRjA", "status": "pending", "token": "_c3tL5CtXGf3Uch6z3afBftizJU-zcU5WaeAk_IS9rc" }] (201 bytes)
acme-client: https://acme-staging-v02.api.letsencrypt.org/acme/chall/201858544/17571614744/fzMcEw: challenge
acme-client: transfer buffer: [{ "type": "http-01", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/201858544/17571614744/fzMcEw", "status": "pending", "token": "PAz-ZFi4qAon8R4TP_0tt4FqpYxflTNqQiVp0n4Dqnc" }] (201 bytes)
acme-client: transfer buffer: [{ "status": "pending", "expires": "2025-06-01T01:18:46Z", "identifiers": [ { "type": "dns", "value": "pandion.au" }, { "type": "dns", "value": "www.pandion.au" } ], "authorizations": [ "https://acme-staging-v02.api.letsencrypt.org/acme/authz/201858544/17571614724", "https://acme-staging-v02.api.letsencrypt.org/acme/authz/201858544/17571614744" ], "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/201858544/24873632914" }] (507 bytes)
acme-client: order.status 0

My web server is (include version):
Custom webserver - tungsten/1.0
When this command is executed:

curl -v http://www.pandion.au/.well-known/acme-challenge/7Jka0FHphK8SvL4SydEb8E1YDGc5tJZ-P-KaG0jRFD0

It produces this output:

* Host www.pandion.au:80 was resolved.
* IPv6: (none)
* IPv4: 207.148.87.189
*   Trying 207.148.87.189:80...
* Connected to www.pandion.au (207.148.87.189) port 80
* using HTTP/1.x
> GET /.well-known/acme-challenge/7Jka0FHphK8SvL4SydEb8E1YDGc5tJZ-P-KaG0jRFD0 HTTP/1.1
> Host: www.pandion.au
> User-Agent: curl/8.12.0
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 200 OK
< Cache-Control: max-age=300
< Content-Type: text/plain
< Server: tungsten/1.0
< Date: Sun, 25 May 2025 01:13:54 GMT
< Content-Length: 87
< 
* Connection #0 to host www.pandion.au left intact
7Jka0FHphK8SvL4SydEb8E1YDGc5tJZ-P-KaG0jRFD0.1ZREEFhKBO2rq7sclzg1tXpa3WgAGxHQBQwTkX9hHKA

The operating system my web server runs on is (include version): OpenBSD 7.6

My hosting provider, if applicable, is: vultr.com

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Summary:
I noticed this problem in production and the workaround was to remove the alternate name www.pandion.au and just request a certificate for pandion.au only. That worked yesterday. crt.sh shows two certificates have been issued at almost the same time, but acme-client crashed after the certificate was issued and before it could be downloaded or installed. I retrieved the cert from crt.sh and manually installed it.
As of now, pandion.au has a valid cert but www.pandion.au does not.

To troubleshoot, I reproduced the problem in the Staging environment using the config shown at top.
It's clearly in a loop where the token file is written and then the challenge does not succeed but the process is retried, but I am unsure why.

The token files are being written, they are readable by the web server, and are served. The web server appears to me to give a quick and reasonable response, served as text/plain, but perhaps there is something wrong with the web server response?

Any suggestions for what else to try to diagnose the problem would be greatly appreciated.

The test with Staging failed for the below reason. These details are found from this URL in your log: https://acme-staging-v02.api.letsencrypt.org/acme/authz/201858544/17571614724
Your ACME Client should be showing you those results. You should ask the developer why they don't and why that would cause a loop.

The error is:

"error": {
  "type": "urn:ietf:params:acme:error:dns",
  "detail": "During secondary validation: While processing CAA for pandion.au: DNS problem: query timed out looking up CAA for pandion.au"
},

The Let's Encrypt DNS checks for CAA records timed out. LE will not issue a cert without getting a proper answer.

This is likely to be a problem when requesting certs from production too. I can easily reproduce this problem with https://unboundtest.com

Another tool we often use shows the same: pandion.au | DNSViz

You need to review your DNS config and see why it is so slow. Once you resolve that, getting a new certificate with both domain names should work well.

It looks like the ns2.netfinch.com.au server is the problem.

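One way a client can surface what the answer above describes, as an added example that is not part of the original posts and is not acme-client's code: poll an authorization with a hard attempt limit, stop on any terminal RFC 8555 status, and report each challenge's error object. The `fetch` callable, the `acme.example` URL and the sample objects are constructed for illustration; the error type and detail are the ones quoted in the answer.

```python
import time

# RFC 8555 section 7.1.6: authorization states that will not change again.
TERMINAL = {"valid", "invalid", "deactivated", "expired", "revoked"}

# First place to look for a few RFC 8555 section 6.7 error types.
HINTS = {
    "urn:ietf:params:acme:error:dns": "DNS: authoritative name servers, CAA lookups",
    "urn:ietf:params:acme:error:caa": "CAA record contents",
    "urn:ietf:params:acme:error:connection": "reachability of the web server",
    "urn:ietf:params:acme:error:unauthorized": "content served at the challenge URL",
}

def challenge_errors(authz):
    """Return (challenge type, error type, detail, hint) per failed challenge."""
    found = []
    for chall in authz.get("challenges", []):
        err = chall.get("error")
        if err:
            etype = err.get("type", "")
            found.append((chall.get("type"), etype, err.get("detail", ""),
                          HINTS.get(etype, "see detail")))
    return found

def poll_authz(fetch, url, max_attempts=10, delay=0.0):
    """Poll one authorization; never loop past max_attempts.

    fetch(url) returns the authorization object as a dict. It is injected
    (hypothetical helper) so the example runs offline.
    """
    for attempt in range(1, max_attempts + 1):
        authz = fetch(url)
        if authz.get("status") in TERMINAL:
            return authz["status"], attempt, challenge_errors(authz)
        time.sleep(delay)
    return "timeout", max_attempts, []

# Constructed sample objects; only the error type and detail come from the thread.
PENDING = {"status": "pending", "challenges": [{"type": "http-01", "status": "pending"}]}
INVALID = {"status": "invalid", "challenges": [{
    "type": "http-01", "status": "invalid",
    "error": {
        "type": "urn:ietf:params:acme:error:dns",
        "detail": "During secondary validation: While processing CAA for "
                  "pandion.au: DNS problem: query timed out looking up CAA for pandion.au",
    }}]}

def demo():
    """Two pending responses, then the failure: polling stops and reports why."""
    responses = iter([PENDING, PENDING, INVALID])
    return poll_authz(lambda url: next(responses), "https://acme.example/authz/1")

if __name__ == "__main__":
    print(demo())
```
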

Brilliant! Thanks for your help, MikeMcQ.
I did not realise that the challenge URL held the log result, but that's exactly what I needed to know about.
The name server is now serving CAA responses properly and acme-client works perfectly again.
Heartfelt Thanks!
