1. Caddy version (caddy version
):
v2.0.0 h1:pQSaIJGFluFvu8KDGDODV8u4/QRED/OPyIR+MWYYse8=
2. How I run Caddy:
a. System environment:
Ubuntu 18.04 LTS
b. Command:
nohup caddy run --resume &
d. My complete Caddyfile or JSON config:
{
email myemail@domain.com
on_demand_tls {
ask https://api-to-check-domain/isValid
}
}
:443
tls {
on_demand
}
root * /home/tripkindle
encode gzip zstd
try_files {path} {path}/ /index.html
file_server
3. The problem I’m having:
The issue is occurring when using tls on_demand, after I set the DNS records of a new domain pointing to my Caddy server. The first time I access that domain in Google Chrome browser Version 83.0.4103.116 (Official Build) (64-bit)
I get an Invalid Certificate error which wouldn’t go away until I close Chrome. If I access it in an Incognito window or any other browser after the first time it works fine with no certificate error but the first time always results in an error.
The ask endpoint is a whitelist of domains allowed to connect to my Caddy server and does not include the Caddy server IP address.
4. Error messages and/or full log output:
2020/07/01 15:59:57 [INFO] Obtaining new certificate for shop2.tripkindle.com
2020/07/01 15:59:57 [INFO][shop2.tripkindle.com] Obtain certificate; acquiring lock...
2020/07/01 15:59:57 [INFO][shop2.tripkindle.com] Obtain: Lock acquired; proceeding...
2020/07/01 15:59:57 [INFO][shop2.tripkindle.com] Waiting on rate limiter...
2020/07/01 15:59:57 [INFO][shop2.tripkindle.com] Done waiting
2020/07/01 15:59:57 [INFO] [shop2.tripkindle.com] acme: Obtaining bundled SAN certificate given a CSR
2020/07/01 15:59:57 [INFO] retry due to: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:badNonce :: JWS has an invalid anti-replay nonce: "0102lhk0BycYV0QMyGy0wiHvKNU8PBOp_kK-VvDHejd5kew", url:
2020/07/01 15:59:58 [INFO] [shop2.tripkindle.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5599549734
2020/07/01 15:59:58 [INFO] [shop2.tripkindle.com] acme: Could not find solver for: tls-alpn-01
2020/07/01 15:59:58 [INFO] [shop2.tripkindle.com] acme: use http-01 solver
2020/07/01 15:59:58 [INFO] [shop2.tripkindle.com] acme: Trying to solve HTTP-01
2020/07/01 15:59:58 [INFO][shop2.tripkindle.com] Served key authentication (HTTP challenge)
2020/07/01 15:59:58 [INFO][shop2.tripkindle.com] Served key authentication (HTTP challenge)
2020/07/01 15:59:58 [INFO][shop2.tripkindle.com] Served key authentication (HTTP challenge)
2020/07/01 15:59:59 [INFO][shop2.tripkindle.com] Served key authentication (HTTP challenge)
2020/07/01 16:00:02 [INFO] [shop2.tripkindle.com] The server validated our request
2020/07/01 16:00:02 [INFO] [shop2.tripkindle.com] acme: Validations succeeded; requesting certificates
2020/07/01 16:00:03 [INFO] [shop2.tripkindle.com] Server responded with a certificate.
2020/07/01 16:00:03 [INFO][shop2.tripkindle.com] Certificate obtained successfully
2020/07/01 16:00:03 [INFO][shop2.tripkindle.com] Obtain: Releasing lock
2020/07/01 16:00:03 http: TLS handshake error from 51.6.185.205:64514: remote error: tls: unknown certificate
2020/07/01 16:00:03 http: TLS handshake error from 51.6.185.205:64517: remote error: tls: unknown certificate
2020/07/01 16:00:03 http: TLS handshake error from 51.6.185.205:64518: remote error: tls: unknown certificate
2020/07/01 16:00:12 http: TLS handshake error from 51.6.185.205:64522: remote error: tls: unknown certificate
2020/07/01 16:00:12 http: TLS handshake error from 51.6.185.205:64523: remote error: tls: unknown certificate
2020/07/01 16:02:13 http: TLS handshake error from 51.6.185.205:64579: remote error: tls: unknown certificate
2020/07/01 16:02:13 http: TLS handshake error from 51.6.185.205:64580: remote error: tls: unknown certificate
2020/07/01 16:02:19 http: TLS handshake error from 51.6.185.205:64584: remote error: tls: unknown certificate
2020/07/01 16:02:19 http: TLS handshake error from 51.6.185.205:64585: remote error: tls: unknown certificate
5. What I already tried:
I’ve tried programmatically adding hosts with curl -X POST -H "Content-Type: application/json" -d '["beta1.tripkindle.com", "beta2.tripkindle.com"]' "http://localhost:2019/config/apps/http/servers/srv0/routes/0/match/0/host/..."
but since I won’t have access to DNS records for my customers pointing to my Caddy server I am not sure if it will be a good practice to add domains before they point to my Caddy server.
6. Links to relevant resources:
Following from the discussion here - Dynamically adding multiple domains and its limit - #19 by sv6231