ACME 403 errors encountered, and others

1. Caddy version (caddy version):

v2.1.1 h1:X9k1+ehZPYYrSqBvf/ocUgdLSRIuiNiMo7CvyGUQKeA=

2. How I run Caddy:

Testing v2 because of major failure to renew Let’s Encrypt domain names in v1… Doing run caddy in the directory with the Caddyfile.

a. System environment:

Ubuntu 16.04 LTS

b. Command:

./caddy run

d. My complete Caddyfile or JSON config:

(log) {
  encode gzip

(php) {
  import log
  php_fastcgi / /var/run/php/php7.0-fpm.sock php
} {
  import php
  root * /var/ww/site/

3. The problem I’m having:

ACME authentication/renewal problems.

4. Error messages and/or full log output:

2020/07/28 18:49:10.197 INFO    using adjacent Caddyfile
2020/07/28 18:49:10.203 INFO    admin   admin endpoint started  {"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["[::1]:2019", "2019", "localhost:2019"]}
2020/07/28 18:49:10.204 INFO    http    server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2020/07/28 18:49:10.205 INFO    http    enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
2020/07/28 18:49:10.209 INFO    tls     cleaned up storage units
2020/07/28 18:49:10.209 INFO    http    enabling automatic TLS certificate management   {"domains": [""]}
2020/07/28 18:49:10.210 INFO    autosaved config        {"file": "/root/.config/
2020/07/28 18:49:10.210 INFO    serving initial configuration
2020/07/28 20:49:10 [INFO][] Obtain certificate; acquiring lock...
2020/07/28 20:49:10 [INFO][] Obtain: Lock acquired; proceeding...
2020/07/28 20:49:10 [INFO][cache:0xc000070f60] Started certificate maintenance r
2020/07/28 20:49:10 [INFO][] Waiting on rate limiter...
2020/07/28 20:49:10 [INFO][] Done waiting
2020/07/28 20:49:10 [INFO] [] acme: Obtaining bundled SAN certificate given a CSR
2020/07/28 20:49:11 [INFO] [] AuthURL: https://acme-v02.api.letsenc
2020/07/28 20:49:11 [INFO] [] acme: Could not find solver for: tls-
2020/07/28 20:49:11 [INFO] [] acme: use http-01 solver
2020/07/28 20:49:11 [INFO] [] acme: Trying to solve HTTP-01
2020/07/28 20:49:15 http: TLS handshake error from no certificate available for ''
2020/07/28 20:49:18 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.o
2020/07/28 20:49:19 [INFO] Unable to deactivate the authorization: https://acme-
2020/07/28 20:49:19 [ERROR] error: one or more domains had a problem:
[] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from e3zUJ_BvwoIWqD68XjrGHk6ZtDOd6_uc [2a01:4f8:10a:396f::]: "<!DOCTYPE html>\n<html style=\"height:100%\">\n<head>\n<meta name=\"viewport\" content=\"width=device-width, initial-scale=1, shrink-to-", url:  (challenge=http-01 remaining=[tls-alpn-01])
2020/07/28 20:49:21 [INFO] [] acme: Obtaining bundled SAN certificate given a CSR
2020/07/28 20:49:21 [ERROR] acme: error: 429 :: POST :: https://acme-v02.api.let :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see https://letsen, url:  (challenge=tls-alpn-01 remaining=[])
2020/07/28 20:49:23 [ERROR] attempt 1: [] Obtain: [] acme: error: 429 :: POST :: :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see, url:  - retrying in 1m0s (13.15329274s/720h0m0s elapsed)...
2020/07/28 20:49:24 http: TLS handshake error from no certificate available for ''
^C2020/07/28 18:49:44.639       INFO    shutting down   {"signal": "SIGINT"}
2020/07/28 20:49:44 [INFO][cache:0xc000070f60] Stopped certificate maintenance r
2020/07/28 18:49:44.640 INFO    admin   stopped previous server
2020/07/28 18:49:44.640 INFO    shutdown done   {"signal": "SIGINT"}

5. What I already tried:

After many years of v1 now many sites are down, so might as well try v2 at this point…

What’s happening is that Let’s Encrypt is making a (standard) HTTP request to e3zUJ_BvwoIWqD68XjrGHk6ZtDOd6_uc but is getting this response:

<!DOCTYPE html>\n<html style=\"height:100%\">\n<head>\n<meta name=\"viewport\" content=\"width=device-width, initial-scale=1, shrink-to-...

… which is not the solution to the http-01 challenge.

So, make sure that there’s a direct path from the outside to Caddy on port 80.

As for the rate limits, you’ll just have to wait for them to expire now. In the future, always use the Let’s Encrypt staging endpoint to test new setups to avoid rate limits.
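The two points in this reply, that the CA received a web page instead of the http-01 key authorization and that repeated failures burn through the rate limit, can be checked before the next attempt. The script below is an added example, not Caddy's code or anything posted in the thread. It assumes only the log format shown above (the bracketed address after the challenge URL is the one the CA connected to, and the quoted text is the start of the body it got back), and for the offline run it uses a sample line constructed from the 403 error plus documentation addresses (192.0.2.10, 2001:db8::10); the function names (`parse_acme_error`, `check_addresses`, `fetch`) are mine. Rather than fetching a live token, which exists only while a challenge is in flight, the pre-check asks every A and AAAA address of the domain for the same path with the real Host header and flags any address that answers differently, which is how an AAAA record pointing at a different web server shows up.

```python
"""Diagnose a failed http-01 validation and pre-check a domain's A/AAAA records.
Added example, not Caddy's or the thread's own code."""
import http.client
import ipaddress
import re
import socket

# Constructed from the 403 line in the thread (domain and URL were redacted there).
SAMPLE_ERROR = (
    r'[] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: '
    r'Invalid response from e3zUJ_BvwoIWqD68XjrGHk6ZtDOd6_uc [2a01:4f8:10a:396f::]: '
    r'"<!DOCTYPE html>\n<html style=\"height:100%\">\n<head>", url:  '
    r'(challenge=http-01 remaining=[tls-alpn-01])'
)

# problem type, then optionally "[<address>]: "<quoted body>"", then the challenge name
_ERR_RE = re.compile(
    r'urn:ietf:params:acme:error:(?P<type>\w+)'
    r'(?:.*?\[(?P<addr>[0-9A-Fa-f:.]+)\]: "(?P<body>(?:[^"\\]|\\.)*)")?'
    r'.*?\(challenge=(?P<challenge>[\w-]+)',
    re.S,
)


def classify_body(body):
    """What the CA actually received at /.well-known/acme-challenge/<token>."""
    text = body.strip()
    # <token>.<base64url SHA-256 thumbprint of the account key>; the thumbprint is 43 chars
    if re.fullmatch(r"[A-Za-z0-9_-]+\.[A-Za-z0-9_-]{43}", text):
        return "key-authorization"
    if text.lower().startswith(("<!doctype", "<html")):
        return "html"
    return "other"


def parse_acme_error(line):
    """Pull type, validation address, body kind and challenge out of one error line."""
    m = _ERR_RE.search(line)
    if not m:
        return None
    addr, body = m.group("addr"), m.group("body")
    return {
        "type": m.group("type"),
        "challenge": m.group("challenge"),
        "address": addr,
        "ip_version": ipaddress.ip_address(addr).version if addr else None,
        "body_kind": classify_body(body) if body is not None else None,
    }


def diagnose(info):
    """One-line reading of a parsed error, from the operator's side."""
    if info["type"] == "rateLimited":
        return "rate limited: wait it out; test new setups against the staging CA"
    if info["type"] == "unauthorized" and info["body_kind"] == "html":
        record = "AAAA" if info["ip_version"] == 6 else "A"
        return (f"the CA's request went to {info['address']} (from the {record} record) "
                "and got a web page, not the key authorization: that address is not "
                "reaching the Caddy instance on port 80")
    return f"{info['type']} on {info['challenge']}: see the full ACME problem text"


def resolve_all(hostname):
    """Every A and AAAA address; the CA may validate over any of them."""
    infos = socket.getaddrinfo(hostname, 80, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def fetch(address, hostname, path, timeout=5):
    """GET path from one specific address, sending the real Host header."""
    conn = http.client.HTTPConnection(address, 80, timeout=timeout)
    conn.request("GET", path, headers={"Host": hostname})
    resp = conn.getresponse()
    body = resp.read(4096).decode("utf-8", "replace")
    conn.close()
    return resp.status, resp.getheader("Server", ""), body


def check_addresses(hostname, path="/.well-known/acme-challenge/preflight",
                    resolve=resolve_all, fetch=fetch):
    """Probe every address; all must answer alike, or the CA may hit a different server."""
    results = {}
    for addr in resolve(hostname):
        try:
            status, server, body = fetch(addr, hostname, path)
            results[addr] = (status, server, classify_body(body))
        except OSError as exc:
            results[addr] = ("unreachable", "", str(exc))
    consistent = len({r[:2] for r in results.values()}) <= 1
    return consistent, results


if __name__ == "__main__":
    import sys
    print(diagnose(parse_acme_error(SAMPLE_ERROR)))
    if len(sys.argv) > 1:  # live pre-check: python3 acme_preflight.py example.com
        ok, results = check_addresses(sys.argv[1])
        for addr, res in results.items():
            print(addr, res)
        print("consistent across all addresses" if ok else "MISMATCH between addresses")
```

Run it with no arguments to see the reading of the thread's own 403 line; with a hostname it resolves the records and probes each address. A 308 from Caddy on one address next to a 200 HTML page on another is exactly the AAAA-points-elsewhere case, and finding it here costs nothing against the failed-authorization limit.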

To clarify @pepa65, Caddy v2 has smarter logic when it comes to rate limits, so with Caddy v2 it’s significantly less likely that you’ll hit the rate limits again:

As for your Caddyfile, you’re still using Caddy v1 syntax in what you posted. I’m not sure how your server could have run with that config. Are you sure you pasted the right one?

Yes, except there was a w missing in /var/ww/site … :frowning:
But the acme errors were real, caused by AAAA records (that apparently don’t work when used by Let’s Encrypt).
Transition to v2 still in the future for me, have to get the Markdown to work first, another issue… The v1 markdown plugin is not available for v2, right?

FYI, caddy v2 runs fine with a Caddyfile once a few modifications are made:

  • gzip -> encode gzip
  • log <logfile> -> log
  • fastcgi -> php_fastcgi
  • root -> root *
    (Except it only returned blank pages in my case… :smiley: )

Great! Sounds like you read the upgrade guide.

Caddy 2 can definitely serve markdown. A simple search in our docs for markdown should yield some results. I’m mobile right now but let me know if you find it and I’ll check back!

For markdown you need the templates directive plus an .html file you use as your entrypoint/layout. In that file, you’ll use the template function {{markdown "markdown text"}} to render it. See the Caddy website example, linked on this page:

I think you’re likely missing file_server.
