ACME account updates

1. The problem I’m having:

I am trying to set up a domain using a CAA resource record with account binding. I have read the accounturi from $XDG_DATA_HOME/caddy and used that to set the CAA resource record. After some time, the account uri seems to be changing and I keep getting errors like CAA record for sub.example.com prevents issuance. I wanted to check in which cases the accounturi generated by Caddy is supposed to change.

2. Error messages and/or full log output:

{"level":"error","ts":1690791416.6911912,"logger":"http.acme_client","msg":"challenge failed","identifier":"sub.example.com","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:caa","title":"","detail":"CAA record for sub.example.com prevents issuance","instance":"","subproblems":[]}}
{"level":"error","ts":1690791416.6912282,"logger":"http.acme_client","msg":"validating authorization","identifier":"sub.example.com","problem":{"type":"urn:ietf:params:acme:error:caa","title":"","detail":"CAA record for sub.example.com prevents issuance","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1233435836/198462076506","attempt":1,"max_attempts":3}
{"level":"error","ts":1690791416.691271,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"sub.example.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:caa - CAA record for sub.example.com prevents issuance"}
{"level":"warn","ts":1690791416.691405,"logger":"http","msg":"missing email address for ZeroSSL; it is strongly recommended to set one for next time"}
{"level":"info","ts":1690791418.2679894,"logger":"http","msg":"generated EAB credentials","key_id":"2RQZgsZTlU4io6Q_WfRJ0w"}
{"level":"info","ts":1690791420.4499238,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["sub.example.com"],"ca":"https://acme.zerossl.com/v2/DV90","account":""}
{"level":"info","ts":1690791420.454414,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["sub.example.com"],"ca":"https://acme.zerossl.com/v2/DV90","account":""}
{"level":"info","ts":1690791421.6350415,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"sub.example.com","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"info","ts":1690791423.7211192,"logger":"http","msg":"served key authentication","identifier":"sub.example.com","challenge":"http-01","remote":"127.0.0.1:38214","distributed":false}
{"level":"info","ts":1690791428.1220367,"logger":"http.acme_client","msg":"authorization finalized","identifier":"sub.example.com","authz_status":"valid"}
{"level":"info","ts":1690791428.1220572,"logger":"http.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme.zerossl.com/v2/DV90/order/1gD3lBFN5wmKx0aaOy68Kw"}
{"level":"info","ts":1690791670.4719834,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"127.0.0.1","remote_port":"38326","proto":"HTTP/1.1","method":"GET","host":"52.66.85.117","uri":"/","headers":{"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"],"Accept":["*/*"],"Accept-Encoding":["gzip"]}},"user_id":"","duration":0.000036046,"size":0,"status":308,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Location":["https://52.66.85.117/"],"Content-Type":[]}}
{"level":"info","ts":1690791671.0137236,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"127.0.0.1","remote_port":"38330","proto":"HTTP/1.1","method":"GET","host":"52.66.85.117","uri":"/client/get_targets","headers":{"Accept-Encoding":["gzip"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"],"Accept":["*/*"]}},"user_id":"","duration":0.00003625,"size":0,"status":308,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Location":["https://52.66.85.117/client/get_targets"],"Content-Type":[]}}
{"level":"info","ts":1690791671.2695642,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"127.0.0.1","remote_port":"38332","proto":"HTTP/1.1","method":"GET","host":"52.66.85.117","uri":"/upl.php","headers":{"Accept":["*/*"],"Accept-Encoding":["gzip"],"User-Agent":["Mozilla/5.0"]}},"user_id":"","duration":0.000033805,"size":0,"status":308,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Location":["https://52.66.85.117/upl.php"],"Content-Type":[]}}
{"level":"info","ts":1690791671.7932527,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"127.0.0.1","remote_port":"38336","proto":"HTTP/1.1","method":"GET","host":"52.66.85.117","uri":"/geoip/","headers":{"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"],"Accept":["*/*"],"Accept-Encoding":["gzip"]}},"user_id":"","duration":0.000036422,"size":0,"status":308,"resp_headers":{"Connection":["close"],"Location":["https://52.66.85.117/geoip/"],"Content-Type":[],"Server":["Caddy"]}}
{"level":"info","ts":1690791672.050587,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"127.0.0.1","remote_port":"38338","proto":"HTTP/1.1","method":"GET","host":"52.66.85.117","uri":"/","headers":{"User-Agent":["Mozilla/5.0 (iPhone; CPU iPhone OS 13_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Mobile/15E148 Snapchat/10.77.0.54 (like Safari/604.1)"],"Accept":["*/*"],"X-Id":["2b25f1b5215bfeaf9f6d4df62e1a9b5b"],"Accept-Encoding":["gzip"]}},"user_id":"","duration":0.000034043,"size":0,"status":308,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Location":["https://52.66.85.117/"],"Content-Type":[]}}
{"level":"info","ts":1690791672.3156788,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"127.0.0.1","remote_port":"38340","proto":"HTTP/1.1","method":"GET","host":"52.66.85.117","uri":"/favicon.ico","headers":{"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"],"Accept":["*/*"],"Accept-Encoding":["gzip"]}},"user_id":"","duration":0.000034437,"size":0,"status":308,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Location":["https://52.66.85.117/favicon.ico"],"Content-Type":[]}}
{"level":"info","ts":1690791672.5807407,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"127.0.0.1","remote_port":"38342","proto":"HTTP/1.1","method":"GET","host":"52.66.85.117","uri":"/1.php","headers":{"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"],"Accept":["*/*"],"Accept-Encoding":["gzip"]}},"user_id":"","duration":0.000034585,"size":0,"status":308,"resp_headers":{"Content-Type":[],"Server":["Caddy"],"Connection":["close"],"Location":["https://52.66.85.117/1.php"]}}
{"level":"info","ts":1690791672.8502057,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"127.0.0.1","remote_port":"38344","proto":"HTTP/1.1","method":"GET","host":"52.66.85.117","uri":"/bundle.js","headers":{"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"],"Accept":["*/*"],"Accept-Encoding":["gzip"]}},"user_id":"","duration":0.000040197,"size":0,"status":308,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Location":["https://52.66.85.117/bundle.js"],"Content-Type":[]}}
{"level":"info","ts":1690791673.110419,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"127.0.0.1","remote_port":"38346","proto":"HTTP/1.1","method":"GET","host":"52.66.85.117","uri":"/files/","headers":{"Accept-Encoding":["gzip"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"],"Accept":["*/*"]}},"user_id":"","duration":0.000033649,"size":0,"status":308,"resp_headers":{"Location":["https://52.66.85.117/files/"],"Content-Type":[],"Server":["Caddy"],"Connection":["close"]}}
{"level":"error","ts":1690791735.718973,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"sub.example.com","issuer":"acme.zerossl.com-v2-DV90","error":"[sub.example.com] finalizing order https://acme.zerossl.com/v2/DV90/order/1gD3lBFN5wmKx0aaOy68Kw: order took too long (ca=https://acme.zerossl.com/v2/DV90)"}
{"level":"error","ts":1690791735.7190182,"logger":"tls.obtain","msg":"will retry","error":"[sub.example.com] Obtain: [sub.example.com] finalizing order https://acme.zerossl.com/v2/DV90/order/1gD3lBFN5wmKx0aaOy68Kw: order took too long (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":322.724900278,"max_duration":2592000}
{"level":"info","ts":1690791795.719261,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"sub.example.com"}
{"level":"info","ts":1690791797.7317526,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"sub.example.com","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"info","ts":1690791798.311397,"logger":"tls","msg":"served key authentication certificate","server_name":"sub.example.com","challenge":"tls-alpn-01","remote":"127.0.0.1:50392","distributed":false}
{"level":"info","ts":1690791798.3402932,"logger":"tls","msg":"served key authentication certificate","server_name":"sub.example.com","challenge":"tls-alpn-01","remote":"127.0.0.1:50394","distributed":false}
{"level":"info","ts":1690791798.3549454,"logger":"tls","msg":"served key authentication certificate","server_name":"sub.example.com","challenge":"tls-alpn-01","remote":"127.0.0.1:50396","distributed":false}
{"level":"error","ts":1690791799.0513792,"logger":"http.acme_client","msg":"challenge failed","identifier":"sub.example.com","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:caa","title":"","detail":"CAA record for sub.example.com prevents issuance","instance":"","subproblems":[]}}
{"level":"error","ts":1690791799.0514135,"logger":"http.acme_client","msg":"validating authorization","identifier":"sub.example.com","problem":{"type":"urn:ietf:params:acme:error:caa","title":"","detail":"CAA record for sub.example.com prevents issuance","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/112978524/10040925284","attempt":1,"max_attempts":3}
{"level":"error","ts":1690791799.0514383,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"sub.example.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:caa - CAA record for sub.example.com prevents issuance"}
{"level":"info","ts":1690791799.931333,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"sub.example.com","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"info","ts":1690791801.0143092,"logger":"http","msg":"served key authentication","identifier":"sub.example.com","challenge":"http-01","remote":"127.0.0.1:38400","distributed":false}
{"level":"info","ts":1690791805.9578655,"logger":"http.acme_client","msg":"authorization finalized","identifier":"sub.example.com","authz_status":"valid"}
{"level":"info","ts":1690791805.9578867,"logger":"http.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme.zerossl.com/v2/DV90/order/68WnIQZv6yE-8ooP0M0eBw"}
{"level":"error","ts":1690792115.1689718,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"sub.example.com","issuer":"acme.zerossl.com-v2-DV90","error":"[sub.example.com] finalizing order https://acme.zerossl.com/v2/DV90/order/68WnIQZv6yE-8ooP0M0eBw: order took too long (ca=https://acme.zerossl.com/v2/DV90)"}
{"level":"error","ts":1690792115.169024,"logger":"tls.obtain","msg":"will retry","error":"[sub.example.com] Obtain: [sub.example.com] finalizing order https://acme.zerossl.com/v2/DV90/order/68WnIQZv6yE-8ooP0M0eBw: order took too long (ca=https://acme.zerossl.com/v2/DV90)","attempt":2,"retrying_in":120,"elapsed":702.174905989,"max_duration":2592000}
{"level":"info","ts":1690792235.1692646,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"sub.example.com"}
{"level":"info","ts":1690792236.967735,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"sub.example.com","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"info","ts":1690792237.5192435,"logger":"http","msg":"served key authentication","identifier":"sub.example.com","challenge":"http-01","remote":"127.0.0.1:38416","distributed":false}
{"level":"info","ts":1690792237.533857,"logger":"http","msg":"served key authentication","identifier":"sub.example.com","challenge":"http-01","remote":"127.0.0.1:38418","distributed":false}
{"level":"info","ts":1690792237.5537162,"logger":"http","msg":"served key authentication","identifier":"sub.example.com","challenge":"http-01","remote":"127.0.0.1:38420","distributed":false}
{"level":"error","ts":1690792238.2672875,"logger":"http.acme_client","msg":"challenge failed","identifier":"sub.example.com","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:caa","title":"","detail":"CAA record for sub.example.com prevents issuance","instance":"","subproblems":[]}}
{"level":"error","ts":1690792238.2673216,"logger":"http.acme_client","msg":"validating authorization","identifier":"sub.example.com","problem":{"type":"urn:ietf:params:acme:error:caa","title":"","detail":"CAA record for sub.example.com prevents issuance","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/112979374/10041007844","attempt":1,"max_attempts":3}
{"level":"error","ts":1690792238.2673447,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"sub.example.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:caa - CAA record for sub.example.com prevents issuance"}
{"level":"info","ts":1690792240.890427,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"sub.example.com","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"info","ts":1690792241.8051052,"logger":"http","msg":"served key authentication","identifier":"sub.example.com","challenge":"http-01","remote":"127.0.0.1:38426","distributed":false}
{"level":"info","ts":1690792247.3241744,"logger":"http.acme_client","msg":"authorization finalized","identifier":"sub.example.com","authz_status":"valid"}
{"level":"info","ts":1690792247.3241947,"logger":"http.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme.zerossl.com/v2/DV90/order/WkZlv73DD1YFlb_oxCoP2Q"}
{"level":"error","ts":1690792562.9766295,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"sub.example.com","issuer":"acme.zerossl.com-v2-DV90","error":"[sub.example.com] finalizing order https://acme.zerossl.com/v2/DV90/order/WkZlv73DD1YFlb_oxCoP2Q: order took too long (ca=https://acme.zerossl.com/v2/DV90)"}
{"level":"error","ts":1690792562.976676,"logger":"tls.obtain","msg":"will retry","error":"[sub.example.com] Obtain: [sub.example.com] finalizing order https://acme.zerossl.com/v2/DV90/order/WkZlv73DD1YFlb_oxCoP2Q: order took too long (ca=https://acme.zerossl.com/v2/DV90)","attempt":3,"retrying_in":120,"elapsed":1149.982557974,"max_duration":2592000}
{"level":"info","ts":1690792682.9769237,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"sub.example.com"}
{"level":"info","ts":1690792684.407744,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"sub.example.com","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"info","ts":1690792684.970935,"logger":"http","msg":"served key authentication","identifier":"sub.example.com","challenge":"http-01","remote":"127.0.0.1:38444","distributed":false}
{"level":"info","ts":1690792684.9888809,"logger":"http","msg":"served key authentication","identifier":"sub.example.com","challenge":"http-01","remote":"127.0.0.1:38446","distributed":false}
{"level":"info","ts":1690792685.0018725,"logger":"http","msg":"served key authentication","identifier":"sub.example.com","challenge":"http-01","remote":"127.0.0.1:38448","distributed":false}
{"level":"info","ts":1690792685.7020445,"logger":"http.acme_client","msg":"authorization finalized","identifier":"sub.example.com","authz_status":"valid"}
{"level":"info","ts":1690792685.7020648,"logger":"http.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/112979374/10041095014"}
{"level":"info","ts":1690792689.5317523,"logger":"http.acme_client","msg":"successfully downloaded available certificate chains","count":1,"first_url":"https://acme-staging-v02.api.letsencrypt.org/acme/cert/fa45d0bc95f28d718af67ec3b9a01cd6515f"}
{"level":"info","ts":1690792690.7727437,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["sub.example.com"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"caddy@zerossl.com"}
{"level":"info","ts":1690792690.777384,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["sub.example.com"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"caddy@zerossl.com"}
{"level":"info","ts":1690792691.527727,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"sub.example.com","challenge_type":"http-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"info","ts":1690792692.1214964,"logger":"http","msg":"served key authentication","identifier":"sub.example.com","challenge":"http-01","remote":"127.0.0.1:38454","distributed":false}
{"level":"info","ts":1690792692.1580791,"logger":"http","msg":"served key authentication","identifier":"sub.example.com","challenge":"http-01","remote":"127.0.0.1:38456","distributed":false}
{"level":"info","ts":1690792692.1908007,"logger":"http","msg":"served key authentication","identifier":"sub.example.com","challenge":"http-01","remote":"127.0.0.1:38458","distributed":false}
{"level":"error","ts":1690792692.8402247,"logger":"http.acme_client","msg":"challenge failed","identifier":"sub.example.com","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:caa","title":"","detail":"CAA record for sub.example.com prevents issuance","instance":"","subproblems":[]}}
{"level":"error","ts":1690792692.8402596,"logger":"http.acme_client","msg":"validating authorization","identifier":"sub.example.com","problem":{"type":"urn:ietf:params:acme:error:caa","title":"","detail":"CAA record for sub.example.com prevents issuance","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1233465626/198465191346","attempt":1,"max_attempts":3}
{"level":"error","ts":1690792692.8402863,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"sub.example.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:caa - CAA record for sub.example.com prevents issuance"}
{"level":"info","ts":1690792694.9790678,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"sub.example.com","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"info","ts":1690792696.6424406,"logger":"http","msg":"served key authentication","identifier":"sub.example.com","challenge":"http-01","remote":"127.0.0.1:38464","distributed":false}
{"level":"info","ts":1690792701.2895598,"logger":"http.acme_client","msg":"authorization finalized","identifier":"sub.example.com","authz_status":"valid"}
{"level":"info","ts":1690792701.2895803,"logger":"http.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme.zerossl.com/v2/DV90/order/IHwI8sC3RJJI20_M3Bq32Q"}
{"level":"info","ts":1690792885.7397735,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"127.0.0.1","remote_port":"38470","proto":"HTTP/1.0","method":"OPTIONS","host":"52.66.85.117","uri":"/","headers":{}},"user_id":"","duration":0.000050724,"size":0,"status":308,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Location":["https://52.66.85.117/"],"Content-Type":[]}}
{"level":"error","ts":1690793007.4323752,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"sub.example.com","issuer":"acme.zerossl.com-v2-DV90","error":"[sub.example.com] finalizing order https://acme.zerossl.com/v2/DV90/order/IHwI8sC3RJJI20_M3Bq32Q: order took too long (ca=https://acme.zerossl.com/v2/DV90)"}
{"level":"error","ts":1690793007.4324226,"logger":"tls.obtain","msg":"will retry","error":"[sub.example.com] Obtain: [sub.example.com] finalizing order https://acme.zerossl.com/v2/DV90/order/IHwI8sC3RJJI20_M3Bq32Q: order took too long (ca=https://acme.zerossl.com/v2/DV90)","attempt":4,"retrying_in":300,"elapsed":1594.438304537,"max_duration":2592000}
{"level":"info","ts":1690793051.425263,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"127.0.0.1","remote_port":"38474","proto":"HTTP/1.0","method":"GET","host":"","uri":"/","headers":{"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36"],"Accept":["*/*"]}},"user_id":"","duration":0.000041698,"size":0,"status":308,"resp_headers":{"Location":["https:///"],"Content-Type":[],"Server":["Caddy"],"Connection":["close"]}}
{"level":"info","ts":1690793253.2624044,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"127.0.0.1","remote_port":"38476","proto":"HTTP/1.1","method":"HEAD","host":"52.66.85.117:80","uri":"/Core/Skin/Login.aspx","headers":{"Pragma":["no-cache"],"Proxy-Connection":["keep-alive"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"],"Accept-Encoding":["gzip, deflate"],"Accept-Language":["zh-CN,zh;q=0.9"],"Cache-Control":["no-cache"]}},"user_id":"","duration":0.000038679,"size":0,"status":308,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Location":["https://52.66.85.117/Core/Skin/Login.aspx"],"Content-Type":[]}}
{"level":"info","ts":1690793307.4326653,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"sub.example.com"}
{"level":"info","ts":1690793308.9317284,"logger":"http.acme_client","msg":"authorization finalized","identifier":"sub.example.com","authz_status":"valid"}
{"level":"info","ts":1690793308.9356062,"logger":"http.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/112979374/10041260654"}
{"level":"info","ts":1690793312.803822,"logger":"http.acme_client","msg":"successfully downloaded available certificate chains","count":1,"first_url":"https://acme-staging-v02.api.letsencrypt.org/acme/cert/fa532705b6366c569463adf4727db006f7d1"}
{"level":"info","ts":1690793312.8087292,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["sub.example.com"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"caddy@zerossl.com"}
{"level":"info","ts":1690793312.808744,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["sub.example.com"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"caddy@zerossl.com"}
{"level":"info","ts":1690793314.4117396,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"sub.example.com","challenge_type":"http-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"info","ts":1690793315.0073695,"logger":"http","msg":"served key authentication","identifier":"sub.example.com","challenge":"http-01","remote":"127.0.0.1:38490","distributed":false}
{"level":"info","ts":1690793315.0365624,"logger":"http","msg":"served key authentication","identifier":"sub.example.com","challenge":"http-01","remote":"127.0.0.1:38492","distributed":false}
{"level":"info","ts":1690793315.0503862,"logger":"http","msg":"served key authentication","identifier":"sub.example.com","challenge":"http-01","remote":"127.0.0.1:38494","distributed":false}
{"level":"info","ts":1690793315.7241583,"logger":"http.acme_client","msg":"authorization finalized","identifier":"sub.example.com","authz_status":"valid"}
{"level":"info","ts":1690793315.7241778,"logger":"http.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme-v02.api.letsencrypt.org/acme/order/1233465626/198466664666"}
{"level":"info","ts":1690793317.6436982,"logger":"http.acme_client","msg":"successfully downloaded available certificate chains","count":2,"first_url":"https://acme-v02.api.letsencrypt.org/acme/cert/04cd67aad42500307086cd192b40d094a2ee"}
{"level":"info","ts":1690793317.643975,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"sub.example.com"}
{"level":"info","ts":1690793317.6440003,"logger":"tls.obtain","msg":"releasing lock","identifier":"sub.example.com"}
{"level":"info","ts":1690794504.4263127,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"127.0.0.1","remote_port":"38528","proto":"HTTP/1.1","method":"GET","host":"52.66.85.117","uri":"/.env","headers":{"Accept-Encoding":["gzip, deflate"],"Accept":["*/*"],"Connection":["keep-alive"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"]}},"user_id":"","duration":0.000042806,"size":0,"status":308,"resp_headers":{"Content-Type":[],"Server":["Caddy"],"Connection":["close"],"Location":["https://52.66.85.117/.env"]}}
{"level":"info","ts":1690794507.717765,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"127.0.0.1","remote_port":"38530","proto":"HTTP/1.1","method":"POST","host":"52.66.85.117","uri":"/","headers":{"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"],"Accept-Encoding":["gzip, deflate"],"Accept":["*/*"],"Connection":["keep-alive"],"Content-Length":["15"],"Content-Type":["application/x-www-form-urlencoded"]}},"user_id":"","duration":0.000035429,"size":0,"status":308,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Location":["https://52.66.85.117/"],"Content-Type":[]}}

3. Caddy version:

2.6.4

4. How I installed and ran Caddy:

wget -O caddy "https://caddyserver.com/api/download?os=linux&arch=arm64"

a. System environment:

AWS nitro enclave, arm64

b. Command:

using supervisor


d. My complete Caddy config:

(cors) {
	@options {
		method OPTIONS
	}
	header Access-Control-Allow-Origin "*"
	header Access-Control-Allow-Methods "GET, POST, OPTIONS, HEAD, DELETE"
	header Access-Control-Allow-Headers "Authorization, Origin, X-Requested-With, Content-Type, Accept"
	respond @options 200
}

sub.example.com {
	import common
	import cors
	root * /app/dist
	try_files {path} {path}/ /index.html

	file_server
}

Caddy uses multiple CAs by default (Let’s Encrypt and ZeroSSL), as you can see in the logs.

If you only added a Let’s Encrypt account, a ZeroSSL account would fail.

Thanks for the quick reply. As you can see in the logs, the acme account changes from 1233435836 to 1233465626. I have set the CAA record with account binding to Let’s Encrypt ACME account 1233435836, but the updates to accounturi make the process of setting the CAA record harder. So I wanted to understand what the conditions are under which the ACME account is reset.
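The CAA check that is failing here is the one described in RFC 8657 (the accounturi parameter on an issue record): the CA compares the account it is issuing under with the account URI bound in DNS, so a second account, a staging account, or a second CA with no record of its own all get refused. The script below is an added example, not part of this thread or of Caddy itself. It reconstructs the Let’s Encrypt account URIs from the "order" URLs in the log lines quoted above (the first numeric segment after /order/ is the account ID) and evaluates a constructed CAA record set against them. The sectigo.com identifier used for ZeroSSL and the placeholder ZeroSSL account URI are assumptions; confirm the identifier against the CA's documentation.

```python
"""Audit a CAA policy with accounturi binding (RFC 8657) against the ACME accounts a
Caddy instance actually used, reconstructed from its log lines. Added example."""
import re
from dataclasses import dataclass, field

# Constructed sample: "order" URLs copied from the thread's log output, one line per order.
SAMPLE_LOG_LINES = [
    '{"logger":"http.acme_client","order":"https://acme-v02.api.letsencrypt.org/acme/order/1233435836/198462076506"}',
    '{"logger":"http.acme_client","order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/112978524/10040925284"}',
    '{"logger":"http.acme_client","order":"https://acme-v02.api.letsencrypt.org/acme/order/1233465626/198465191346"}',
    '{"logger":"http.acme_client","order":"https://acme.zerossl.com/v2/DV90/order/1gD3lBFN5wmKx0aaOy68Kw"}',
]

# Let's Encrypt order URL: https://<directory host>/acme/order/<account id>/<order id>
LE_ORDER_RE = re.compile(
    r'"order":"https://(acme(?:-staging)?-v02\.api\.letsencrypt\.org)/acme/order/(\d+)/\d+"'
)

# CAA identifiers each directory host is checked under. letsencrypt.org is Let's Encrypt's
# documented identifier (staging checks it too); sectigo.com for ZeroSSL is an assumption.
CA_IDENTIFIERS = {
    "acme-v02.api.letsencrypt.org": "letsencrypt.org",
    "acme-staging-v02.api.letsencrypt.org": "letsencrypt.org",
    "acme.zerossl.com": "sectigo.com",
}
ZEROSSL_ACCOUNT_PLACEHOLDER = "<zerossl-account-uri>"  # constructed; ZeroSSL order URLs hide the account


def letsencrypt_account_uris(lines):
    """Distinct Let's Encrypt account URIs (prod and staging) referenced by the log lines,
    in order of first appearance. Account URI form: https://<host>/acme/acct/<id>."""
    uris = []
    for line in lines:
        m = LE_ORDER_RE.search(line)
        if m:
            uri = f"https://{m.group(1)}/acme/acct/{m.group(2)}"
            if uri not in uris:
                uris.append(uri)
    return uris


@dataclass(frozen=True)
class CAARecord:
    tag: str                                     # "issue" or "issuewild"
    issuer: str                                  # CA domain, or ";" meaning "no CA may issue"
    params: dict = field(default_factory=dict)   # e.g. {"accounturi": "https://..."}


def parse_caa(presentation: str) -> CAARecord:
    """Parse one CAA record in zone-file presentation form, e.g.
    0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/123"."""
    m = re.fullmatch(r'\s*(\d+)\s+(\w+)\s+"([^"]*)"\s*', presentation)
    if not m:
        raise ValueError(f"not a CAA record: {presentation!r}")
    _flags, tag, value = m.groups()
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0] or ";"          # empty issuer (the value ";") forbids every CA
    params = {}
    for p in parts[1:]:
        if p:
            key, _, val = p.partition("=")
            params[key.strip()] = val.strip()
    return CAARecord(tag.lower(), issuer.lower(), params)


def caa_permits(records, ca_domain, account_uri, wildcard=False):
    """RFC 8659 processing for one CA plus the RFC 8657 accounturi parameter: issuance is
    allowed when no relevant records exist, or when some record names this CA and its
    accounturi (if present) equals the account the CA would issue under."""
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in records) else "issue"
    relevant = [r for r in records if r.tag == tag]
    if not relevant:
        return True
    for r in relevant:
        if r.issuer != ca_domain.lower():
            continue
        bound = r.params.get("accounturi")
        if bound is None or bound == account_uri:
            return True
    return False


def records_allowing(ca_domain, account_uris):
    """Presentation-form issue records binding ca_domain to each listed account."""
    return [f'0 issue "{ca_domain}; accounturi={u}"' for u in account_uris]


def audit(caa_presentation_records, lines):
    """Map each (CA identifier, account URI) the logs show to whether the CAA set allows it."""
    records = [parse_caa(r) for r in caa_presentation_records]
    result = {}
    for uri in letsencrypt_account_uris(lines):
        ca = CA_IDENTIFIERS[uri.split("/")[2]]
        result[(ca, uri)] = caa_permits(records, ca, uri)
    if any("acme.zerossl.com" in line for line in lines):
        ca = CA_IDENTIFIERS["acme.zerossl.com"]
        result[(ca, ZEROSSL_ACCOUNT_PLACEHOLDER)] = caa_permits(records, ca, ZEROSSL_ACCOUNT_PLACEHOLDER)
    return result


if __name__ == "__main__":
    bound = records_allowing("letsencrypt.org", ["https://acme-v02.api.letsencrypt.org/acme/acct/1233435836"])
    for (ca, uri), ok in audit(bound, SAMPLE_LOG_LINES).items():
        print("allowed" if ok else "BLOCKED", ca, uri)
```

Run against the single bound record from the thread, the audit reports only account 1233435836 as allowed; account 1233465626, the staging account, and ZeroSSL are all blocked, which is exactly the pattern in the logs. Adding a second issue record for the new account (or one without accounturi for the CA) turns those rows green, so the same function doubles as a check on a proposed record set before it goes into DNS.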

What are the contents of your $XDG_DATA_HOME/caddy/acme folder? (Ideally, the output of the tree command at that path)

If you’re running Caddy as a systemd service, then remember that Caddy’s user’s HOME would be /var/lib/caddy, not your current user’s HOME, so the storage would be at /var/lib/caddy/.local/share/caddy.

Ahh… I can see that caddy@zerossl.com is also being used. Is that expected?

I can also see that Caddy falls back to the staging env when the prod certificate issuance fails. But the CAA account binding is on the prod acme account, so it will not succeed in getting a certificate in the staging env. Is a certificate issuance request on staging a prerequisite for Caddy to retry on prod?

.
├── acme-staging-v02.api.letsencrypt.org-directory
│   ├── challenge_tokens
│   └── users
│       ├── caddy@zerossl.com
│       │   ├── caddy.json
│       │   └── caddy.key
│       └── default
│           ├── default.json
│           └── default.key
├── acme-v02.api.letsencrypt.org-directory
│   ├── challenge_tokens
│   └── users
│       └── default
│           ├── default.json
│           └── default.key
└── acme.zerossl.com-v2-dv90
    ├── challenge_tokens
    └── users
        └── caddy@zerossl.com
            ├── caddy.json
            └── caddy.key

@francislavoie I have set the XDG_DATA_HOME env variable as specified here. I can see that the storage is at XDG_DATA_HOME/caddy and contents are as above.

Yeah, that’s how Caddy uses ZeroSSL when no email is provided.

Yeah, it does this to try to avoid rate limit problems. If it’s a DNS or network issue, Caddy can essentially retry on the staging endpoint until that succeeds, then go back to prod for the real cert.

Indeed, that will create a problem. :thinking: Maybe allow both accounts.

Yeah, once the issuance succeeds it will retry on prod.

Is caddy@zerossl.com supposed to be used for Let’s Encrypt? In the directory structure, I can see it as a user for acme-staging-v02.api.letsencrypt.org as well; is that expected?

From what I see, a default user is created and an acme account is generated for it, and that is also used to get certificates. But then a little later caddy@zerossl.com is used and the acme account used to get certs changes. Is it possible to restrict this to one account even when no email is provided, so that I can programmatically get the accounturi to be used to set CAA records easily?

Eh, probably not, but I suppose it could be, in theory, if Caddy is looking for an email address and one hasn’t been provided, but it previously used this email for ZeroSSL. We could probably have it ignore this email as a special case.

You can configure Caddy to use a single issuer only, with the acme_ca global option. You could also provide an email address to ensure it uses only a single account. (For now.)

Got it. Thanks for the prompt responses.

Is there a way to add the email address other than specifying it in the Caddyfile?

No, everything is specified in config.


Finally it clicked. I saw ZeroSSL referred to in the logs, but it didn’t click until I saw this comment that it’s a new ACME certificate issuer in addition to Let’s Encrypt that’s being used. All my domains had CAA records that only allowed Let’s Encrypt to issue certificates. On top of that I hadn’t specified an email address in the config. After updating CAA records and adding an email address I’m getting certificates issued to me again!

