1. The problem I’m having:
I cannot get Caddy to obtain a wildcard certificate using the ACME DNS challenge.
2. Error messages and/or full log output:
{"level":"info","ts":1738008148.2597888,"logger":"tls.obtain","msg":"acquiring lock","identifier":"localdomain.ca"}
{"level":"info","ts":1738008148.2741358,"logger":"tls.obtain","msg":"lock acquired","identifier":"localdomain.ca"}
{"level":"info","ts":1738008148.2743206,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"localdomain.ca"}
{"level":"info","ts":1738008148.2759595,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["localdomain.ca"],"ca":"https://acme.zerossl.com/v2/DV90","account":"tschetter.victor@gmail.com"}
{"level":"info","ts":1738008148.2760203,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["localdomain.ca"],"ca":"https://acme.zerossl.com/v2/DV90","account":"tschetter.victor@gmail.com"}
{"level":"info","ts":1738008148.2760744,"logger":"tls.issuance.acme","msg":"using ACME account","account_id":"https://acme.zerossl.com/v2/DV90/account/DWwSaejlvFI36ET3_6GKOQ","account_contact":["mailto:tschetter.victor@gmail.com"]}
{"level":"info","ts":1738008159.626765,"msg":"trying to solve challenge","identifier":"localdomain.ca","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"error","ts":1738008159.6354272,"msg":"cleaning up solver","identifier":"localdomain.ca","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.localdomain.ca\" (usually OK if presenting also failed)","stacktrace":"github.com/mholt/acmez/v3.(*Client).solveChallenges.func1\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:318\ngithub.com/mholt/acmez/v3.(*Client).solveChallenges\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:363\ngithub.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:136\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:477\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:371\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.9.1/modules/caddytls/acmeissuer.go:249\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:626\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:700\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:505\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:415\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:73"}
{"level":"error","ts":1738008163.1593637,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"localdomain.ca","issuer":"acme.zerossl.com-v2-DV90","error":"[localdomain.ca] solving challenges: presenting for challenge: could not determine zone for domain \"_acme-challenge.localdomain.ca\": unexpected response code 'REFUSED' for _acme-challenge.localdomain.ca. (order=https://acme.zerossl.com/v2/DV90/order/7DHWBHxp_77oCkJ3WF7VVQ) (ca=https://acme.zerossl.com/v2/DV90)"}
{"level":"error","ts":1738008163.1595397,"logger":"tls.obtain","msg":"will retry","error":"[localdomain.ca] Obtain: [localdomain.ca] solving challenges: presenting for challenge: could not determine zone for domain \"_acme-challenge.localdomain.ca\": unexpected response code 'REFUSED' for _acme-challenge.localdomain.ca. (order=https://acme.zerossl.com/v2/DV90/order/7DHWBHxp_77oCkJ3WF7VVQ) (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":14.885354397,"max_duration":2592000}
3. Caddy version:
2.9.1
4. How I installed and ran Caddy:
xcaddy build --output /usr/local/bin/caddy --with github.com/caddy-dns/cloudflare
a. System environment:
FreeBSD 14.1
b. Command:
service caddy start
d. My complete Caddy config:
localdomain.ca {
    tls {
        dns cloudflare validkey
        resolvers 1.1.1.1
    }
    log {
        output file /var/log/localdomain.ca.log
    }
}
I’ve redacted the domain only because it is not accessible from the outside world. If needed, I will share.
dig returns just fine with both TXT and SOA.
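The "could not determine zone" error comes from the zone lookup Caddy runs before it can present the TXT record: a SOA query for _acme-challenge.localdomain.ca against the configured resolver, climbing one label at a time until a zone answers, and aborting on any rcode other than NOERROR or NXDOMAIN (REFUSED here). The script below, an added example and not part of the original post or of Caddy, reproduces that walk so it can be run against the same resolver the Caddyfile names (1.1.1.1) rather than the system resolver; `classify_dig` and `find_zone` are names chosen for this example.

```shell
#!/bin/sh
# Reproduce the SOA-based zone discovery that precedes a dns-01 challenge.
# Usage: find_zone <resolver-ip> <fqdn>, e.g.
#   find_zone 1.1.1.1 _acme-challenge.localdomain.ca

# Classify one dig response read from stdin. Prints one word:
#   zone    - the queried name answered with a SOA in the ANSWER section
#   climb   - NOERROR without SOA, or NXDOMAIN: try the parent name
#   refused - resolver returned REFUSED (the rcode in the Caddy log)
#   error   - any other rcode (SERVFAIL, timeout, ...)
classify_dig() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n1)
    case "$status" in
        REFUSED) echo refused ;;
        NOERROR|NXDOMAIN)
            # Only a SOA in the ANSWER section marks the zone apex; a SOA in
            # the AUTHORITY section (NXDOMAIN/nodata) belongs to a parent.
            if printf '%s\n' "$out" | awk '
                /^;; ANSWER SECTION:/ { a=1; next }
                /^$/                  { a=0 }
                a && $4 == "SOA"      { found=1 }
                END                   { exit !found }'; then
                echo zone
            else
                echo climb
            fi ;;
        *) echo error ;;
    esac
}

# Walk up from the full name to the TLD, asking the given resolver for SOA.
# Prints the zone found on stdout; each step's verdict goes to stderr.
find_zone() {
    resolver=$1
    name=$2
    while [ -n "$name" ]; do
        verdict=$(dig @"$resolver" "$name" SOA | classify_dig)
        echo "$name: $verdict" >&2
        case "$verdict" in
            zone)  echo "$name"; return 0 ;;
            climb) case "$name" in *.*) name=${name#*.} ;; *) return 1 ;; esac ;;
            *)     return 1 ;;   # REFUSED/SERVFAIL: same failure Caddy logs
        esac
    done
    return 1
}
```

If `find_zone 1.1.1.1 _acme-challenge.localdomain.ca` prints `refused` at the first step while the same query through the system resolver returns a SOA, the resolvers line in the Caddyfile, not the DNS records, is what the log is complaining about.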