1. Caddy version (caddy version): 2.2.1
2. How I run Caddy:
a. System environment:
Docker container on CentOS 7
b. Command:
Spun up via ansible-playbook
c. Service/unit/compose file: This is just a test setup.
```yaml
version: "3.7"
networks:
  wordpress:
    external: yes
services:
  caddy2:
    build:
      context: /tmp/docker-caddy2
      dockerfile: /tmp/docker-caddy2/Dockerfile-builder
    restart: unless-stopped
    container_name: staging-caddy2
    hostname: staging-caddy2
    networks:
      wordpress:
    volumes:
      - /opt/docker-caddy2/Caddyfile:/etc/caddy/Caddyfile:ro
      - /opt/docker-caddy2/acme:/root/.caddy/acme:z
      - /etc/ssl/priv/fullchain.crt:/root/.caddy/cert.crt:ro
      - /etc/ssl/priv/fullchain.key:/root/.caddy/cert.key:ro
    ports:
      - 80:80
      - 443:443
    environment:
      ENABLE_TELEMETRY: "false"
      ACME_AGREE: "true"
      GODADDY_API_SECRET: "redacted"
      GODADDY_API_KEY: "redacted"
    healthcheck:
      test: wget --spider -q http://127.0.0.1/status || exit 1
      interval: 30s
```
Dockerfile:
```dockerfile
FROM caddy:2.2.1-builder AS builder
RUN xcaddy build \
    --with github.com/caddy-dns/lego-deprecated

FROM caddy:2.2.1-alpine
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
```
d. My complete Caddyfile or JSON config:
I’m migrating from Caddy 1 so this may have leftovers from that. (E. g. haven’t looked up the ACME directory yet.)
```
{
    acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
    email admins@bw-labor.de
}

127.0.0.1:80 {
    respond /status 200
}

www.staging.bw-labor.de {
    header / {
        Strict-Transport-Security "max-age=31536000;"
        X-XSS-Protection "1; mode=block"
        X-Frame-Options allow-from false
    }
    @blacklist_1 {
        not remote_ip 192.168.0.0/17 10.253.0.0/16
    }
    respond /wp-admin @blacklist_1 403
    reverse_proxy / staging-wordpress:80
    tls {
        dns lego_deprecated godaddy
    }
}
```
3. The problem I’m having:
I’m trying to use the lego_deprecated DNS plugin for Caddy 2.2.1 to set up certificate generation for internal-only servers. Our domain is bw-labor.de, referenced as @ because otherwise your very intelligent forum software won’t let me post this because it has too many links. The subdomain in question is *.staging.@. @ is hosted with GoDaddy, but also on an internal PowerDNS server. (I know you shouldn’t have two separate “authoritative” DNS servers but can’t change that.)

Internally, *.staging.@ is a CNAME for staging.@. staging.@ is an A record for the server Caddy is running on (in a Docker container). Externally, staging.@ shouldn’t exist, but I tried setting an A record for it without any change. The Caddy server cannot be reached from the outside.

The goal is to be able to just throw any virtualhost on the Caddy server as necessary, e. g. www.staging.@, shop.staging.@ etc. without having to set up individual RRs for them, but still being able to generate valid certificates.

I’m not sure where the problem is since the documentation on all involved components is extremely sparse (or maybe I’m just too daft). I’m not sure what exactly lego does in the process of submitting the correct request, what GoDaddy expects of it or what LE expects of the resulting RRs.

I’d be willing to part with the wildcard idea even though it’d be neat, but since it doesn’t even work with staging.example.com itself (which is a normal A record internally and externally), I don’t know how to proceed. For now, all I need are valid certificates for anything under the staging subdomain.
4. Error messages and/or full log output:
{
"level": "info",
"ts": 1603437519.5953393,
"logger": "tls.issuance.acme.acme_client",
"msg": "trying to solve challenge",
"identifier": "www.staging.bw-labor.de",
"challenge_type": "dns-01",
"ca": "https://acme-staging-v02.api.letsencrypt.org/directory"
}
{
"level": "error",
"ts": 1603437521.0568206,
"logger": "tls.issuance.acme.acme_client",
"msg": "cleaning up solver",
"identifier": "www.staging.bw-labor.de",
"challenge_type": "dns-01",
"error": "godaddy: failed to get TXT records: could not get records: Domain: staging.bw-labor.de; Record: _acme-challenge.www, Status: 404; Body: {\"code\":\"UNKNOWN_DOMAIN\",\"message\":\"The given domain is not registered, or does not have a zone file\"}\n"
}
{
"level": "error",
"ts": 1603437521.2265606,
"logger": "tls.obtain",
"msg": "will retry",
"error": "[www.staging.bw-labor.de] Obtain: [www.staging.bw-labor.de] solving challenges: presenting for challenge: godaddy: failed to get TXT records: could not get records: Domain: staging.bw-labor.de; Record: _acme-challenge.www, Status: 404; Body: {\"code\":\"UNKNOWN_DOMAIN\",\"message\":\"The given domain is not registered, or does not have a zone file\"}\n (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/16256985/171395567) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)",
"attempt": 5,
"retrying_in": 600,
"elapsed": 614.639372671,
"max_duration": 2592000
}
5. What I already tried:
As described above, setting the A record externally. Also tried using staging.@ directly instead of www.staging.@, but same result.
{
"level": "info",
"ts": 1603438264.6010396,
"logger": "tls.issuance.acme.acme_client",
"msg": "trying to solve challenge",
"identifier": "staging.bw-labor.de",
"challenge_type": "dns-01",
"ca": "https://acme-staging-v02.api.letsencrypt.org/directory"
}
{
"level": "error",
"ts": 1603438266.0431566,
"logger": "tls.issuance.acme.acme_client",
"msg": "cleaning up solver",
"identifier": "staging.bw-labor.de",
"challenge_type": "dns-01",
"error": "godaddy: failed to get TXT records: could not get records: Domain: staging.bw-labor.de; Record: _acme-challenge, Status: 404; Body: {\"code\":\"UNKNOWN_DOMAIN\",\"message\":\"The given domain is not registered, or does not have a zone file\"}\n"
}
{
"level": "error",
"ts": 1603438266.2152994,
"logger": "tls.obtain",
"msg": "will retry",
"error": "[staging.bw-labor.de] Obtain: [staging.bw-labor.de] solving challenges: presenting for challenge: godaddy: failed to get TXT records: could not get records: Domain: staging.bw-labor.de; Record: _acme-challenge, Status: 404; Body: {\"code\":\"UNKNOWN_DOMAIN\",\"message\":\"The given domain is not registered, or does not have a zone file\"}\n (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/16257239/171399908) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)",
"attempt": 1,
"retrying_in": 60,
"elapsed": 3.412579701,
"max_duration": 2592000
}
6. Links to relevant resources:
Uh… Github issue? "404 - The given domain is not registered" with GoDaddy and Caddy 2 · Issue #1274 · go-acme/lego · GitHub
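The post asks what lego does before it talks to GoDaddy and what the CA expects in DNS. The script below is an added example and is not code from the post, from Caddy, lego or GoDaddy. It models the two steps a DNS-01 provider performs: locate the zone apex by walking the challenge name upward until a name with an SOA record is found (lego's dns01 helper works this way, using the resolver the machine is configured with), then submit a record name relative to that apex plus the TXT value defined in RFC 8555 (base64url of the SHA-256 of the key authorization). The two DNS "views" are constructed: whether the internal PowerDNS really serves staging.bw-labor.de as its own zone is an assumption, but if it does, the walk stops there and the provider asks GoDaddy for a domain GoDaddy does not host, which is exactly the Domain/Record pair in the logged 404. The wildcard handling (stripping the leading `*.`) is also shown because the post asks about `*.staging`.

```python
"""
Added example: reproduce the zone-detection and record-derivation steps of an
ACME DNS-01 challenge against a constructed split-horizon DNS picture.
Not code from the forum post, Caddy, lego or GoDaddy.
"""
import base64
import hashlib

# Constructed SOA data standing in for two resolver views (an assumption for
# illustration; the post only says the domain is served by both providers).
INTERNAL_VIEW = {"bw-labor.de.", "staging.bw-labor.de."}  # PowerDNS with its own staging zone
EXTERNAL_VIEW = {"bw-labor.de."}                          # GoDaddy: one zone for the whole domain


def to_fqdn(name):
    """Normalise a name to trailing-dot form."""
    return name if name.endswith(".") else name + "."


def challenge_fqdn(identifier):
    """RFC 8555 section 8.4: the TXT record lives at _acme-challenge.<name>;
    for a wildcard identifier the leading '*.' is dropped first."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return to_fqdn("_acme-challenge." + base)


def find_zone_by_fqdn(fqdn, soa_zones):
    """Walk from the full name upward and return the first name that has an
    SOA in this view. This mirrors how lego's dns01 helper decides which zone
    the provider must edit; it trusts whatever resolver answers."""
    labels = to_fqdn(fqdn).rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in soa_zones:
            return candidate
    raise LookupError(f"no SOA found above {fqdn}")


def record_name_for(fqdn, zone):
    """Record name relative to the zone apex, as sent to the DNS host's API."""
    fqdn, zone = to_fqdn(fqdn), to_fqdn(zone)
    if fqdn == zone:
        return "@"
    return fqdn[: -len(zone) - 1]  # strip the trailing '.<zone>'


def dns01_txt_value(token, jwk_thumbprint):
    """RFC 8555: keyAuthorization = token '.' thumbprint;
    TXT value = base64url(SHA-256(keyAuthorization)) without padding."""
    key_auth = f"{token}.{jwk_thumbprint}".encode()
    digest = hashlib.sha256(key_auth).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def plan_dns01(identifier, soa_zones):
    """Everything a provider needs before calling the DNS host's API."""
    fqdn = challenge_fqdn(identifier)
    zone = find_zone_by_fqdn(fqdn, soa_zones)
    return {
        "challenge_fqdn": fqdn,
        "domain": zone.rstrip("."),
        "record": record_name_for(fqdn, zone),
    }


if __name__ == "__main__":
    for label, view in (("internal view", INTERNAL_VIEW), ("external view", EXTERNAL_VIEW)):
        for ident in ("www.staging.bw-labor.de", "staging.bw-labor.de", "*.staging.bw-labor.de"):
            print(label, ident, plan_dns01(ident, view))
    # Constructed token/thumbprint, only to show the shape of the TXT value.
    print("TXT value:", dns01_txt_value("constructed-token", "constructed-thumbprint"))
```

Reading the two views side by side is the check worth doing on the host that runs Caddy: if `dig SOA staging.bw-labor.de` answered from inside the container returns an SOA, the provider will name that zone in its API call; the external view must agree with what the DNS host actually serves for the challenge to be placed where the CA looks.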