Closed
Labels
status: needs-triage, type: bug
Description
Detailed Description of the Problem
I have pulled the latest haproxy dev version to get used to the acme dns-01 stuff.
After compilation I used the ../haproxy_acme.cfg below to run haproxy and executed admin/cli/haproxy-dump-certs -v -S /tmp/hap-stats to get the certificate + key.
This was the output of the command.
alex@alex-tuxedoinfinitybooks1517gen7 on 21/11/2025 at 02:30:28_CET /datadisk/git-repos/haproxy $
# admin/cli/haproxy-dump-certs -v -S /tmp/hap-stats
[WARNING] (68297) : can't dump "Unknown command: '@1', but maybe one of the following ones is a better match:", crt/key filename details not found in "show ssl cert"
[WARNING] (68297) : can't dump "show ssl cert [<certfile>] : display the SSL certificates used in memory, or the details of a file", crt/key filename details not found in "show ssl cert"
[WARNING] (68297) : can't dump "help [<command>] : list matching or all commands", crt/key filename details not found in "show ssl cert"
[WARNING] (68297) : can't dump "prompt [help | n | i | p | timed ]* : toggle interactive mode with prompt", crt/key filename details not found in "show ssl cert"
[WARNING] (68297) : can't dump "quit : disconnect", crt/key filename details not found in "show ssl cert"
That's the output of the command with bash -x
alex@alex-tuxedoinfinitybooks1517gen7 on 21/11/2025 at 02:37:34_CET /datadisk/git-repos/haproxy $
# bash -x admin/cli/haproxy-dump-certs -v -S /tmp/hap-stats
+ set -e
+ export BASEPATH=/etc/haproxy/
+ BASEPATH=/etc/haproxy/
+ export SOCKET=/var/run/haproxy-master.sock
+ SOCKET=/var/run/haproxy-master.sock
+ export DRY_RUN=0
+ DRY_RUN=0
+ export DEBUG=
+ DEBUG=
+ export VERBOSE=
+ VERBOSE=
+ export 'M=@1 '
+ M='@1 '
+ export TMP
+ trap 'rm -rf -- "$TMP"' EXIT
+ main -v -S /tmp/hap-stats
+ '[' -n -v ']'
+ case "$1" in
+ VERBOSE=1
+ shift
+ '[' -n -S ']'
+ case "$1" in
+ SOCKET=/tmp/hap-stats
+ M='@1 '
+ shift 2
+ '[' -n '' ']'
+ '[' -n '' ']'
++ mktemp -d
+ TMP=/tmp/tmp.UAb8UTLvZA
+ '[' -z '' ']'
+ dump_all_certificates
+ echo '@1 show ssl cert'
+ socat /tmp/hap-stats -
+ grep -v '^#'
+ grep -v '^$'
+ read -r line
+ export NAME
+ export CRT_FILENAME
+ export KEY_FILENAME
+ read_certificate 'Unknown command: '\''@1'\'', but maybe one of the following ones is a better match:'
+ name='Unknown command: '\''@1'\'', but maybe one of the following ones is a better match:'
Expected Behavior
To get the Cert and Key.
Steps to Reproduce the Behavior
- compile HAP
  make TARGET=linux-glibc USE_OPENSSL=1 USE_PCRE2=1 USE_ZLIB=1 DEBUG=-DDEBUG_FULL
- run HAP
  ./haproxy -W -d -f ../haproxy_acme.cfg
- add _acme-challenge to DNS
- run
  echo "acme status" | socat - /tmp/hap-stats
- execute
  admin/cli/haproxy-dump-certs -v -S /tmp/hap-stats
Do you have any idea what may have caused this?
No
Do you have an idea how to solve the issue?
No
What is your configuration?
#../haproxy_acme.cfg
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    expose-experimental-directives
    log stdout format raw daemon debug
    stats socket /tmp/hap-stats mode 660 level admin expose-fd listeners

defaults
    mode http
    balance leastconn
    log global
    option httplog
    option dontlognull
    option log-health-checks
    option forwardfor except 10.196.106.108/32
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s

crt-store
    load crt "DOMAIN.pem" acme DNS1 domains "*.DOMAIN,DOMAIN"

frontend in
    bind *:8080
    bind *:8443 ssl
    http-request return status 200 content-type text/plain lf-string "%[path,field(-1,/)].%[path,field(-1,/),map(virt@acme)]\n" if { path_beg '/.well-known/acme-challenge/' }
    ssl-f-use crt "DOMAIN.pem"

listen stats
    bind *:1936
    monitor-uri /healthz
    #http-request use-service prometheus-exporter if { path /metrics }
    stats enable
    stats uri /

acme DNS1
    directory https://acme-staging-v02.api.letsencrypt.org/directory
    #account-key /etc/haproxy/letsencrypt.account.key
    contact al-le@DOMAIN
    challenge dns-01
    keytype RSA
    bits 2048
    map virt@acme

Output of haproxy -vv
# ./haproxy -vv
HAProxy version 3.3-dev13-4cbff2-44 2025/11/20 - https://haproxy.org/
Status: development branch - not safe for use in production.
Known bugs: https://github.com/haproxy/haproxy/issues?q=is:issue+is:open
Running on: Linux 6.14.0-116036-tuxedo #36~24.04.1tux1 SMP PREEMPT_DYNAMIC Wed Nov 12 16:30:21 UTC 2025 x86_64
Build options :
TARGET = linux-glibc
CC = cc
CFLAGS = -O2 -g -fwrapv -fvect-cost-model=very-cheap
OPTIONS = USE_OPENSSL=1 USE_ZLIB=1 USE_PCRE2=1
DEBUG = -DDEBUG_FULL
Feature list : -51DEGREES +ACCEPT4 +BACKTRACE -CLOSEFROM +CPU_AFFINITY +CRYPT_H -DEVICEATLAS +DL -ECH -ENGINE +EPOLL -EVPORTS +GETADDRINFO -KQUEUE +KTLS -LIBATOMIC +LIBCRYPT +LINUX_CAP +LINUX_SPLICE +LINUX_TPROXY -LUA -MATH -MEMORY_PROFILING +NETFILTER +NS -OBSOLETE_LINKER +OPENSSL -OPENSSL_AWSLC -OPENSSL_WOLFSSL -OT -PCRE +PCRE2 -PCRE2_JIT -PCRE_JIT +POLL +PRCTL -PROCCTL -PROMEX -PTHREAD_EMULATION -QUIC -QUIC_OPENSSL_COMPAT +RT +SHM_OPEN -SLZ +SSL -STATIC_PCRE -STATIC_PCRE2 +TFO +THREAD +THREAD_DUMP +TPROXY -WURFL +ZLIB +ACME
Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with multi-threading support (MAX_TGROUPS=32, MAX_THREADS=1024, default=16).
Built with SSL library version : OpenSSL 3.0.13 30 Jan 2024
Running on SSL library version : OpenSSL 3.0.13 30 Jan 2024
SSL library supports TLS extensions : yes
SSL library supports SNI : yes
SSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
OpenSSL providers loaded : default
Built with network namespace support.
Built with zlib version : 1.3
Running on zlib version : 1.3
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE2 version : 10.42 2022-12-11
PCRE2 library supports JIT : no (USE_PCRE2_JIT not set)
Encrypted password support via crypt(3): yes
Built with gcc compiler version 13.3.0
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
h2 : mode=HTTP side=FE|BE mux=H2 flags=HTX|HOL_RISK|NO_UPG
<default> : mode=HTTP side=FE|BE mux=H1 flags=HTX
h1 : mode=HTTP side=FE|BE mux=H1 flags=HTX|NO_UPG
fcgi : mode=HTTP side=BE mux=FCGI flags=HTX|HOL_RISK|NO_UPG
<default> : mode=SPOP side=BE mux=SPOP flags=HOL_RISK|NO_UPG
spop : mode=SPOP side=BE mux=SPOP flags=HOL_RISK|NO_UPG
<default> : mode=TCP side=FE|BE mux=PASS flags=
none : mode=TCP side=FE|BE mux=PASS flags=NO_UPG
Available services : none
Available filters :
[BWLIM] bwlim-in
[BWLIM] bwlim-out
[CACHE] cache
[COMP] compression
[FCGI] fcgi-app
[SPOE] spoe
[TRACE] trace
Last Outputs and Backtraces
alex@alex-tuxedoinfinitybooks1517gen7 on 21/11/2025 at 02:34:09_CET /datadisk/git-repos/haproxy $
# ./haproxy -W -d -f ../haproxy_acme.cfg
[NOTICE] (68785) : Initializing new worker (68787)
[NOTICE] (68787) : config : No certificate available for 'DOMAIN.pem', generating a temporary key pair before getting the ACME certificate
Using epoll() as the polling mechanism.
Sharing caphdr with caphdr
Sharing caphdr with caphdr
Sharing ptrcap with ptrcap
Sharing ptrcap with ptrcap
[NOTICE] (68787) : Automatically setting global.maxconn to 524263.
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result FAILED
Total: 3 (2 usable), will use epoll.
Available filters :
[BWLIM] bwlim-in
[BWLIM] bwlim-out
[CACHE] cache
[COMP] compression
[FCGI] fcgi-app
[SPOE] spoe
[TRACE] trace
Using epoll() as the polling mechanism.
Sharing stk_ctr with caphdr
00000000:MASTER.accept(0004)=0007 from [unix:1] ALPN=<none>
[NOTICE] (68785) : Loading success.
00000000:MASTER.srvcls[0007:ffff]
00000001:MASTER.clicls[0007:ffff]
00000001:MASTER.closed[0007:ffff]
WARNING! thread 1 has stopped processing traffic for 201 milliseconds
with 0 streams currently blocked, prevented from making any progress.
While this may occasionally happen with inefficient configurations
involving excess of regular expressions, map_reg, or heavy Lua processing,
this must remain exceptional because the system's stability is now at risk.
Timers in logs may be reported incorrectly, spurious timeouts may happen,
some incoming connections may silently be dropped, health checks may
randomly fail, and accesses to the CLI may block the whole process. The
blocking delay before emitting this warning may be adjusted via the global
'warn-blocked-traffic-after' directive. Please check the trace below for
any clues about configuration elements that need to be corrected:
* Thread 1 : id=0x76c3be74dd00 act=1 glob=0 wq=0 rq=0 tl=1 tlsz=1 rqsz=1
1/1 loops=0 ctxsw=7 stuck=0 prof=0 harmless=0 isolated=0 locks=1
cpu_ns: poll=100556261 now=302550344 diff=201994083
curr_task=0x646f4c0eb200 (task) calls=1 last=0
fct=0x646f440b0f60(ssl_async_fd_handler+0x3ecb0) ctx=0x76c3be003b20
lock_hist: U:PROTO W:PATEXP U:PATEXP S:PROTO W:LISTENER U:LISTENER U:PROTO S:CKCH locked: CKCH(S)
call trace(23):
| 0x646f442017f4 <00 00 00 e8 dc 08 e6 ff]: ha_dump_backtrace+0x84/0x40d > main-0x8a0
| 0x646f44204bb6 <48 89 df e8 2a f4 ff ff]: ha_stuck_warning+0xf6/0x160 > ha_thread_dump_one
| 0x646f443214f4 <00 00 00 e8 cc 35 ee ff]: wdt_handler+0x1e4/0x297 > ha_stuck_warning
| 0x76c3bde45330 <00 00 00 00 0f 1f 40 00]: libc:+0x45330
| 0x76c3be300c6f <da c1 e8 1f f7 d0 23 01]: libcrypto:BN_gcd+0x27f/0x30d
| 0x76c3be30b3ab <4c 89 ff e8 45 56 ff ff]: libcrypto:+0x10b3ab > libcrypto:BN_gcd
| 0x76c3be30b697 <89 5d a0 e8 e9 f9 ff ff]: libcrypto:+0x10b697 > libcrypto:+0x10b080
| 0x76c3be5204cd <54 6a 00 e8 d3 af de ff]: libcrypto:+0x3204cd > libcrypto:+0x10b4a0
| 0x76c3be520c1c <4c 89 ff e8 84 f7 ff ff]: libcrypto:+0x320c1c > libcrypto:+0x3203a0
| 0x76c3be5cdcbd <8b 73 18 e8 b3 63 f4 ff]: libcrypto:+0x3cdcbd > libcrypto:RSA_generate_multi_prime_key
| 0x76c3be403e28 <83 ec 08 e8 f8 0b 00 00]: libcrypto:+0x203e28 > libcrypto:+0x204a20
| 0x76c3be40f5fa <fd ff ff e8 06 48 ff ff]: libcrypto:EVP_PKEY_generate+0x12a/0x2cf > libcrypto:+0x203e00
| 0x646f440a7f32 <48 89 df e8 ee 9c fb ff]: ssl_async_fd_handler+0x35c82 > main-0xd50
| 0x646f440b0dba <8b 4d c8 e8 06 71 ff ff]: ssl_async_fd_handler+0x3eb0a > ssl_async_fd_handler+0x35c10
| 0x646f440b11ed <48 89 df e8 43 f6 ff ff]: ssl_async_fd_handler+0x3ef3d > ssl_async_fd_handler+0x3e580
=> Trying to gracefully recover now (pid 68787).
acme: DOMAIN.pem: Starting update of the certificate.
00000000:<ACME>.clireq[ffffffff:ffffffff]: GET https://acme-staging-v02.api.letsencrypt.org/directory HTTP/1.1
00000000:<ACME>.clihdr[ffffffff:ffffffff]: host: acme-staging-v02.api.letsencrypt.org
00000000:<ACME>.clihdr[ffffffff:ffffffff]: accept: */*
00000000:<ACME>.clihdr[ffffffff:ffffffff]: user-agent: HAProxy
00000000:<ACME>.clireq[ffffffff:ffffffff]: GET https://acme-staging-v02.api.letsencrypt.org/directory HTTP/1.1
00000000:<ACME>.clihdr[ffffffff:ffffffff]: host: acme-staging-v02.api.letsencrypt.org
00000000:<ACME>.clihdr[ffffffff:ffffffff]: accept: */*
00000000:<ACME>.clihdr[ffffffff:ffffffff]: user-agent: HAProxy
00000000:<ACME>.srvcls[ffff:0021]
00000000:<ACME>.srvrep[ffffffff:0021]: HTTP/2.0 200
00000000:<ACME>.srvhdr[ffffffff:0021]: server: nginx
00000000:<ACME>.srvhdr[ffffffff:0021]: date: Fri, 21 Nov 2025 01:36:54 GMT
00000000:<ACME>.srvhdr[ffffffff:0021]: content-type: application/json
00000000:<ACME>.srvhdr[ffffffff:0021]: content-length: 1137
00000000:<ACME>.srvhdr[ffffffff:0021]: cache-control: public, max-age=0, no-cache
00000000:<ACME>.srvhdr[ffffffff:0021]: x-frame-options: DENY
00000000:<ACME>.srvhdr[ffffffff:0021]: strict-transport-security: max-age=604800
00000000:<ACME>.clicls[ffff:0021]
00000000:<ACME>.closed[ffff:0021]
-:- [21/Nov/2025:02:36:53.356] <ACME> -/- 360/0/307/149/814 200 152 - - ---- 0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "GET https://acme-staging-v02.api.letsencrypt.org/directory HTTP/1.1" 0/0000000000000000/-/-/0 -/-/-
00000001:<ACME>.clireq[ffffffff:ffffffff]: HEAD https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce HTTP/1.1
00000001:<ACME>.clihdr[ffffffff:ffffffff]: host: acme-staging-v02.api.letsencrypt.org
00000001:<ACME>.clihdr[ffffffff:ffffffff]: accept: */*
00000001:<ACME>.clihdr[ffffffff:ffffffff]: user-agent: HAProxy
00000001:<ACME>.clireq[ffffffff:ffffffff]: HEAD https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce HTTP/1.1
00000001:<ACME>.clihdr[ffffffff:ffffffff]: host: acme-staging-v02.api.letsencrypt.org
00000001:<ACME>.clihdr[ffffffff:ffffffff]: accept: */*
00000001:<ACME>.clihdr[ffffffff:ffffffff]: user-agent: HAProxy
00000001:<ACME>.srvcls[ffff:0021]
00000001:<ACME>.srvrep[ffffffff:0021]: HTTP/2.0 200
00000001:<ACME>.srvhdr[ffffffff:0021]: server: nginx
00000001:<ACME>.srvhdr[ffffffff:0021]: date: Fri, 21 Nov 2025 01:36:54 GMT
00000001:<ACME>.srvhdr[ffffffff:0021]: cache-control: public, max-age=0, no-cache
00000001:<ACME>.srvhdr[ffffffff:0021]: link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
00000001:<ACME>.srvhdr[ffffffff:0021]: replay-nonce: XVP_df_uy7RQ74Z8fk1PEECGeRk_-op8hEBse--pNd3O4Utt5pM
00000001:<ACME>.srvhdr[ffffffff:0021]: x-frame-options: DENY
00000001:<ACME>.srvhdr[ffffffff:0021]: strict-transport-security: max-age=604800
00000001:<ACME>.clicls[ffff:0021]
00000001:<ACME>.closed[ffff:0021]
-:- [21/Nov/2025:02:36:54.171] <ACME> -/- 2/0/0/148/148 200 158 - - ---- 0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "HEAD https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce HTTP/1.1" 0/0000000000000000/-/-/0 -/-/-
00000002:<ACME>.clireq[ffffffff:ffffffff]: POST https://acme-staging-v02.api.letsencrypt.org/acme/new-acct HTTP/1.1
00000002:<ACME>.clihdr[ffffffff:ffffffff]: content-type: application/jose+json
00000002:<ACME>.clihdr[ffffffff:ffffffff]: host: acme-staging-v02.api.letsencrypt.org
00000002:<ACME>.clihdr[ffffffff:ffffffff]: accept: */*
00000002:<ACME>.clihdr[ffffffff:ffffffff]: user-agent: HAProxy
00000002:<ACME>.clihdr[ffffffff:ffffffff]: content-length: 1243
00000002:<ACME>.clireq[ffffffff:ffffffff]: POST https://acme-staging-v02.api.letsencrypt.org/acme/new-acct HTTP/1.1
00000002:<ACME>.clihdr[ffffffff:ffffffff]: content-type: application/jose+json
00000002:<ACME>.clihdr[ffffffff:ffffffff]: host: acme-staging-v02.api.letsencrypt.org
00000002:<ACME>.clihdr[ffffffff:ffffffff]: accept: */*
00000002:<ACME>.clihdr[ffffffff:ffffffff]: user-agent: HAProxy
00000002:<ACME>.clihdr[ffffffff:ffffffff]: content-length: 1243
00000002:<ACME>.srvcls[ffff:0021]
00000002:<ACME>.srvrep[ffffffff:0021]: HTTP/2.0 200
00000002:<ACME>.srvhdr[ffffffff:0021]: server: nginx
00000002:<ACME>.srvhdr[ffffffff:0021]: date: Fri, 21 Nov 2025 01:36:54 GMT
00000002:<ACME>.srvhdr[ffffffff:0021]: content-type: application/json
00000002:<ACME>.srvhdr[ffffffff:0021]: content-length: 467
00000002:<ACME>.srvhdr[ffffffff:0021]: boulder-requester: 244718363
00000002:<ACME>.srvhdr[ffffffff:0021]: cache-control: public, max-age=0, no-cache
00000002:<ACME>.srvhdr[ffffffff:0021]: link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
00000002:<ACME>.srvhdr[ffffffff:0021]: location: https://acme-staging-v02.api.letsencrypt.org/acme/acct/244718363
00000002:<ACME>.srvhdr[ffffffff:0021]: replay-nonce: K_WcMXRq6NOFw6VcAmhyYBzRrWKWtF0vDNurk1DuE8R70cuph5Y
00000002:<ACME>.srvhdr[ffffffff:0021]: x-frame-options: DENY
00000002:<ACME>.srvhdr[ffffffff:0021]: strict-transport-security: max-age=604800
00000002:<ACME>.clicls[ffff:0021]
00000002:<ACME>.closed[ffff:0021]
-:- [21/Nov/2025:02:36:54.320] <ACME> -/- 2/0/0/349/349 200 1451 - - ---- 0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "POST https://acme-staging-v02.api.letsencrypt.org/acme/new-acct HTTP/1.1" 0/0000000000000000/-/-/0 -/-/-
00000003:<ACME>.clireq[ffffffff:ffffffff]: POST https://acme-staging-v02.api.letsencrypt.org/acme/new-order HTTP/1.1
00000003:<ACME>.clihdr[ffffffff:ffffffff]: content-type: application/jose+json
00000003:<ACME>.clihdr[ffffffff:ffffffff]: host: acme-staging-v02.api.letsencrypt.org
00000003:<ACME>.clihdr[ffffffff:ffffffff]: accept: */*
00000003:<ACME>.clihdr[ffffffff:ffffffff]: user-agent: HAProxy
00000003:<ACME>.clihdr[ffffffff:ffffffff]: content-length: 876
00000003:<ACME>.clireq[ffffffff:ffffffff]: POST https://acme-staging-v02.api.letsencrypt.org/acme/new-order HTTP/1.1
00000003:<ACME>.clihdr[ffffffff:ffffffff]: content-type: application/jose+json
00000003:<ACME>.clihdr[ffffffff:ffffffff]: host: acme-staging-v02.api.letsencrypt.org
00000003:<ACME>.clihdr[ffffffff:ffffffff]: accept: */*
00000003:<ACME>.clihdr[ffffffff:ffffffff]: user-agent: HAProxy
00000003:<ACME>.clihdr[ffffffff:ffffffff]: content-length: 876
00000003:<ACME>.srvcls[ffff:0021]
00000003:<ACME>.srvrep[ffffffff:0021]: HTTP/2.0 201
00000003:<ACME>.srvhdr[ffffffff:0021]: server: nginx
00000003:<ACME>.srvhdr[ffffffff:0021]: date: Fri, 21 Nov 2025 01:36:54 GMT
00000003:<ACME>.srvhdr[ffffffff:0021]: content-type: application/json
00000003:<ACME>.srvhdr[ffffffff:0021]: content-length: 499
00000003:<ACME>.srvhdr[ffffffff:0021]: boulder-requester: 244718363
00000003:<ACME>.srvhdr[ffffffff:0021]: cache-control: public, max-age=0, no-cache
00000003:<ACME>.srvhdr[ffffffff:0021]: link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
00000003:<ACME>.srvhdr[ffffffff:0021]: location: https://acme-staging-v02.api.letsencrypt.org/acme/order/244718363/28899553783
00000003:<ACME>.srvhdr[ffffffff:0021]: replay-nonce: K_WcMXRqESQqKp-5ogV9CYq284qMYEs7kPe_b8fpRpUV4E9E2So
00000003:<ACME>.srvhdr[ffffffff:0021]: x-frame-options: DENY
00000003:<ACME>.srvhdr[ffffffff:0021]: strict-transport-security: max-age=604800
00000003:<ACME>.clicls[ffff:0021]
00000003:<ACME>.closed[ffff:0021]
-:- [21/Nov/2025:02:36:54.669] <ACME> -/- 2/0/0/163/163 201 1084 - - ---- 0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "POST https://acme-staging-v02.api.letsencrypt.org/acme/new-order HTTP/1.1" 0/0000000000000000/-/-/0 -/-/-
00000004:<ACME>.clireq[ffffffff:ffffffff]: POST https://acme-staging-v02.api.letsencrypt.org/acme/authz/244718363/20345082603 HTTP/1.1
00000004:<ACME>.clihdr[ffffffff:ffffffff]: content-type: application/jose+json
00000004:<ACME>.clihdr[ffffffff:ffffffff]: host: acme-staging-v02.api.letsencrypt.org
00000004:<ACME>.clihdr[ffffffff:ffffffff]: accept: */*
00000004:<ACME>.clihdr[ffffffff:ffffffff]: user-agent: HAProxy
00000004:<ACME>.clihdr[ffffffff:ffffffff]: content-length: 764
00000004:<ACME>.clireq[ffffffff:ffffffff]: POST https://acme-staging-v02.api.letsencrypt.org/acme/authz/244718363/20345082603 HTTP/1.1
00000004:<ACME>.clihdr[ffffffff:ffffffff]: content-type: application/jose+json
00000004:<ACME>.clihdr[ffffffff:ffffffff]: host: acme-staging-v02.api.letsencrypt.org
00000004:<ACME>.clihdr[ffffffff:ffffffff]: accept: */*
00000004:<ACME>.clihdr[ffffffff:ffffffff]: user-agent: HAProxy
00000004:<ACME>.clihdr[ffffffff:ffffffff]: content-length: 764
00000004:<ACME>.srvcls[ffff:0021]
00000004:<ACME>.srvrep[ffffffff:0021]: HTTP/2.0 200
00000004:<ACME>.srvhdr[ffffffff:0021]: server: nginx
00000004:<ACME>.srvhdr[ffffffff:0021]: date: Fri, 21 Nov 2025 01:36:54 GMT
00000004:<ACME>.srvhdr[ffffffff:0021]: content-type: application/json
00000004:<ACME>.srvhdr[ffffffff:0021]: content-length: 833
00000004:<ACME>.srvhdr[ffffffff:0021]: boulder-requester: 244718363
00000004:<ACME>.srvhdr[ffffffff:0021]: cache-control: public, max-age=0, no-cache
00000004:<ACME>.srvhdr[ffffffff:0021]: link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
00000004:<ACME>.srvhdr[ffffffff:0021]: replay-nonce: K_WcMXRqrJPhJksfXMRWEaqFHSO9JTYhMxuGJnKZk09Gv2lQbZA
00000004:<ACME>.srvhdr[ffffffff:0021]: x-frame-options: DENY
00000004:<ACME>.srvhdr[ffffffff:0021]: strict-transport-security: max-age=604800
acme: DOMAIN.pem: dns-01 requires to set the "_acme-challenge.DOMAIN" TXT record to "PNalKQMGhuHAlPl15Bke2xVofog6qkqa_u7-vgQ9nc0" and use the "acme challenge_ready DOMAIN.pem domain DOMAIN" command over the CLI
00000004:<ACME>.clicls[ffff:0021]
00000004:<ACME>.closed[ffff:0021]
-:- [21/Nov/2025:02:36:54.832] <ACME> -/- 2/0/0/153/153 200 990 - - ---- 0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "POST https://acme-staging-v02.api.letsencrypt.org/acme/authz/244718363/20345082603 HTTP/1.1" 0/0000000000000000/-/-/0 -/-/-
00000005:<ACME>.clireq[ffffffff:ffffffff]: POST https://acme-staging-v02.api.letsencrypt.org/acme/authz/244718363/20345082593 HTTP/1.1
00000005:<ACME>.clihdr[ffffffff:ffffffff]: content-type: application/jose+json
00000005:<ACME>.clihdr[ffffffff:ffffffff]: host: acme-staging-v02.api.letsencrypt.org
00000005:<ACME>.clihdr[ffffffff:ffffffff]: accept: */*
00000005:<ACME>.clihdr[ffffffff:ffffffff]: user-agent: HAProxy
00000005:<ACME>.clihdr[ffffffff:ffffffff]: content-length: 764
00000005:<ACME>.clireq[ffffffff:ffffffff]: POST https://acme-staging-v02.api.letsencrypt.org/acme/authz/244718363/20345082593 HTTP/1.1
00000005:<ACME>.clihdr[ffffffff:ffffffff]: content-type: application/jose+json
00000005:<ACME>.clihdr[ffffffff:ffffffff]: host: acme-staging-v02.api.letsencrypt.org
00000005:<ACME>.clihdr[ffffffff:ffffffff]: accept: */*
00000005:<ACME>.clihdr[ffffffff:ffffffff]: user-agent: HAProxy
00000005:<ACME>.clihdr[ffffffff:ffffffff]: content-length: 764
00000005:<ACME>.srvcls[ffff:0021]
00000005:<ACME>.srvrep[ffffffff:0021]: HTTP/2.0 200
00000005:<ACME>.srvhdr[ffffffff:0021]: server: nginx
00000005:<ACME>.srvhdr[ffffffff:0021]: date: Fri, 21 Nov 2025 01:36:55 GMT
00000005:<ACME>.srvhdr[ffffffff:0021]: content-type: application/json
00000005:<ACME>.srvhdr[ffffffff:0021]: content-length: 395
00000005:<ACME>.srvhdr[ffffffff:0021]: boulder-requester: 244718363
00000005:<ACME>.srvhdr[ffffffff:0021]: cache-control: public, max-age=0, no-cache
00000005:<ACME>.srvhdr[ffffffff:0021]: link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
00000005:<ACME>.srvhdr[ffffffff:0021]: replay-nonce: XVP_df_uAZxP-9SoACepGlCghHSJynvQqz9rvZ3jpLRit9R6Nbs
00000005:<ACME>.srvhdr[ffffffff:0021]: x-frame-options: DENY
00000005:<ACME>.srvhdr[ffffffff:0021]: strict-transport-security: max-age=604800
acme: DOMAIN.pem: dns-01 requires to set the "_acme-challenge.DOMAIN" TXT record to "3PhVn14y-XiUkXfWWfTjC2SZPQ31NanMfeMpMIwWi6M" and use the "acme challenge_ready DOMAIN.pem domain DOMAIN" command over the CLI
00000005:<ACME>.clicls[ffff:0021]
00000005:<ACME>.closed[ffff:0021]
-:- [21/Nov/2025:02:36:54.986] <ACME> -/- 2/0/0/153/153 200 990 - - ---- 0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "POST https://acme-staging-v02.api.letsencrypt.org/acme/authz/244718363/20345082593 HTTP/1.1" 0/0000000000000000/-/-/0 -/-/-
00000006:GLOBAL.accept(0009)=0022 from [unix:2] ALPN=<none>
00000007:<ACME>.clireq[ffffffff:ffffffff]: POST https://acme-staging-v02.api.letsencrypt.org/acme/chall/244718363/20345082603/-ZaKzw HTTP/1.1
00000007:<ACME>.clihdr[ffffffff:ffffffff]: content-type: application/jose+json
00000007:<ACME>.clihdr[ffffffff:ffffffff]: host: acme-staging-v02.api.letsencrypt.org
00000007:<ACME>.clihdr[ffffffff:ffffffff]: accept: */*
00000007:<ACME>.clihdr[ffffffff:ffffffff]: user-agent: HAProxy
00000007:<ACME>.clihdr[ffffffff:ffffffff]: content-length: 777
00000006:GLOBAL.clicls[0022:ffff]
00000006:GLOBAL.srvcls[0022:ffff]
00000006:GLOBAL.closed[0022:ffff]
00000007:<ACME>.clireq[ffffffff:ffffffff]: POST https://acme-staging-v02.api.letsencrypt.org/acme/chall/244718363/20345082603/-ZaKzw HTTP/1.1
00000007:<ACME>.clihdr[ffffffff:ffffffff]: content-type: application/jose+json
00000007:<ACME>.clihdr[ffffffff:ffffffff]: host: acme-staging-v02.api.letsencrypt.org
00000007:<ACME>.clihdr[ffffffff:ffffffff]: accept: */*
00000007:<ACME>.clihdr[ffffffff:ffffffff]: user-agent: HAProxy
00000007:<ACME>.clihdr[ffffffff:ffffffff]: content-length: 777
00000007:<ACME>.srvcls[ffff:0021]
00000007:<ACME>.srvrep[ffffffff:0021]: HTTP/2.0 200
00000007:<ACME>.srvhdr[ffffffff:0021]: server: nginx
00000007:<ACME>.srvhdr[ffffffff:0021]: date: Fri, 21 Nov 2025 01:37:30 GMT
00000007:<ACME>.srvhdr[ffffffff:0021]: content-type: application/json
00000007:<ACME>.srvhdr[ffffffff:0021]: content-length: 200
00000007:<ACME>.srvhdr[ffffffff:0021]: boulder-requester: 244718363
00000007:<ACME>.srvhdr[ffffffff:0021]: cache-control: public, max-age=0, no-cache
00000007:<ACME>.srvhdr[ffffffff:0021]: link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
00000007:<ACME>.srvhdr[ffffffff:0021]: link: <https://acme-staging-v02.api.letsencrypt.org/acme/authz/244718363/20345082603>;rel="up"
00000007:<ACME>.srvhdr[ffffffff:0021]: location: https://acme-staging-v02.api.letsencrypt.org/acme/chall/244718363/20345082603/-ZaKzw
00000007:<ACME>.srvhdr[ffffffff:0021]: replay-nonce: K_WcMXRqjVSUJngCROGfS5k0f8huzsgyLK_YtdyLKbreMpcXRro
00000007:<ACME>.srvhdr[ffffffff:0021]: x-frame-options: DENY
00000007:<ACME>.srvhdr[ffffffff:0021]: strict-transport-security: max-age=604800
00000007:<ACME>.clicls[ffff:0021]
00000007:<ACME>.closed[ffff:0021]
-:- [21/Nov/2025:02:37:29.717] <ACME> -/- 4/0/0/455/457 200 1010 - - ---- 0/0/0/0/0 0/0 {2606:4700:60:0:f41b:d4fe:4325:6026} "POST https://acme-staging-v02.api.letsencrypt.org/acme/chall/244718363/20345082603/-ZaKzw HTTP/1.1" 0/0000000000000000/-/-/1 -/-/-
00000008:GLOBAL.accept(0009)=0024 from [unix:2] ALPN=<none>
00000008:GLOBAL.clicls[0024:ffff]
00000008:GLOBAL.srvcls[0024:ffff]
00000008:GLOBAL.closed[0024:ffff]
00000009:GLOBAL.accept(0009)=0025 from [unix:2] ALPN=<none>
Additional Information
It looks to me that the challenge has not worked, as far as I understand this output.
# echo "acme status" | socat - /tmp/hap-stats
# certificate section state expiration date (UTC) expires in scheduled date (UTC) scheduled in
DOMAIN.pem DNS1 Running 2025-11-20T01:36:53Z 0d 0h00m00s - -
There is also a thread dump because of the missing certificate