Acme:error 400: Caddy2.0 WP-Freenas

1. Caddy version (caddy version): v2.0.0 h1:pQSaIJGFluFvu8KDGDODV8u4/QRED/OPyIR+MWYYse8=

2. How I run Caddy:

For the output below, caddy is run as: # caddy run -config /usr/local/www/Caddyfile --watch
In the jail, rc.conf includes

php_fpm_enable="yes"
mysql_enable="yes"
caddy_enable="YES"

a. System environment:

Freenas Jail - built as shown in the Links to Relevant Resources below.

b. Command:

caddy run -config /usr/local/www/Caddyfile --watch

c. Service/unit/compose file:

paste full file contents here

d. My complete Caddyfile or JSON config:

blog.endnot.casa {
	root * /var/www/wordpress
	log /var/log/caddy_log.log
	encode gzip
	file_server
	}

	php_fastcgi unix//run//usr/local/etc/php7.3-fpm.sock
}

For whatever reason, the log file is not created.

3. The problem I’m having:

As this is my first attempt at building a jail/website, I really don’t know how many problems this jail has.
This problem reported by caddy appears to be a DNS issue. I have searched the error and looked at logs, but at this point I am lost. I do not have any ports open and really did not plan to make this site available to the internet.
If I try to connect to the server from Chrome, Caddy reports "TLS handshake error: no certificate available for ‘blog.endnot.casa’". I did update my hosts file to point to the jail.

4. Error messages and/or full log output:

root@wordpress:~ # caddy run -config /usr/local/www/Caddyfile --watch
2020/07/02 13:49:14.226	INFO	using provided configuration	{"config_file": "/usr/local/www/Caddyfile", "config_adapter": ""}
2020/07/02 13:49:14.227	INFO	admin	admin endpoint started	{"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["localhost:2019", "[::1]:2019", "127.0.0.1:2019"]}
2020/07/02 08:49:14 [INFO][cache:0xc0003dfe00] Started certificate maintenance routine
2020/07/02 13:49:14.227	INFO	http	server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS	{"server_name": "srv0", "https_port": 443}
2020/07/02 13:49:14.227	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
2020/07/02 13:49:14.228	INFO	tls	cleaned up storage units
2020/07/02 13:49:14.228	INFO	http	enabling automatic TLS certificate management	
2020/07/02 13:49:14.228	INFO	autosaved config	{"file": "/root/.config/caddy/autosave.json"}
2020/07/02 13:49:14.228	INFO	serving initial configuration
2020/07/02 08:49:14 [INFO][unix] Obtain certificate; acquiring lock...
2020/07/02 08:49:14 [INFO][unix] Obtain: Lock acquired; proceeding...
2020/07/02 08:49:14 [INFO][php_fastcgi] Obtain certificate; acquiring lock...
2020/07/02 08:49:14 [INFO][php_fastcgi] Obtain: Lock acquired; proceeding...
2020/07/02 08:49:14 [INFO][unix] Waiting on rate limiter...
2020/07/02 08:49:14 [INFO][unix] Done waiting
2020/07/02 08:49:14 [INFO] [unix] acme: Obtaining bundled SAN certificate given a CSR
2020/07/02 08:49:14 [INFO][php_fastcgi] Waiting on rate limiter...
2020/07/02 08:49:14 [INFO][php_fastcgi] Done waiting
2020/07/02 08:49:14 [INFO] [php_fastcgi] acme: Obtaining bundled SAN certificate given a CSR
2020/07/02 08:49:14 [ERROR] acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rejectedIdentifier :: Error creating new order :: Cannot issue for "unix": Domain name needs at least one dot, url:  (challenge=tls-alpn-01 remaining=[http-01])
2020/07/02 08:49:14 [ERROR] acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rejectedIdentifier :: Error creating new order :: Cannot issue for "php_fastcgi": Domain name contains an invalid character, url:  (challenge=http-01 remaining=[tls-alpn-01])
2020/07/02 08:49:15 [INFO] [blog.endnot.casa] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5620214597

5. What I already tried:

php-fpm seems to be OK; I am running it with debug and there are no errors.

6. Links to relevant resources:

Not sure if this helps, but these are the steps that I followed.

1. fetch https://github.com/caddyserver/caddy/releases/download/v2.0.0/caddy_2.0.0_freebsd_amd64.tar.gz

2. tar -xjf caddy_2.0.0_freebsd_amd64.tar.gz

3. mv caddy /usr/local/bin/

4. /usr/local/www/Caddyfile
------
blog.mydomain.com {
        root * /var/www/wordpress
        encode zstd gzip
        file_server
        }

        php_fastcgi unix//run//usr/local/etc/php7.3-fpm.sock
}
-------

5.   pkg install php73 mysql57-server mysql57-client php73-xml php73-dom php73-curl php73-ctype php73-json php73-ftp php73-hash php73-session php73-pecl-imagick php73-pecl-memcached php73-tokenizer php73-mbstring php73-fileinfo php73-exif php73-openssl php73-filter php73-zip php73-zlib php73-mysqli php73-iconv php73-gd


6. append /etc/rc.conf
	php_fpm_enable="yes"
	mysql_enable="yes"
	caddy_enable="YES"

7. edited /usr/local/etc/php-fpm.conf
	events.mechanism = kqueue	; only line of file that changed

8. edited /usr/local/etc/php-fpm.d/www.conf
	a. uncommented these lines
	    env[HOSTNAME] = $HOSTNAME
	    env[PATH] = /usr/local/bin:/usr/bin:/bin
	    env[TMP] = /tmp
	    env[TMPDIR] = /tmp
	    env[TEMP] = /tmp
	b. added these lines
	    php_admin_value[memory_limit] = 512M
	    php_admin_value[cgi.fix_pathinfo] = 0
	    php_admin_value[post_max_size] = 13M
	    php_admin_value[upload_max_filesize] = 13M
	    php_admin_value[date.timezone] = "America/Chicago"

9. create mysql database wordpress
	a. service mysql-server start	# check: netstat -an | grep 3306
	b. mysql_secure_installation	# new root password, disable anonymous logins and root logins from external, and remove the temp database
	c. mysql -u root -p
	d. create database wordpress;
	e. grant all privileges on wordpress.* to 'wpuser'@'localhost' identified by 'wppassword';
	f. flush privileges;
	g. exit
10. fetch https://wordpress.org/latest.tar.gz
11. tar -xzvf latest.tar.gz
12. mv wordpress /var/www/

Your config has invalid syntax. You have an extra } which is causing Caddy to think that php_fastcgi is a site label.

Your log directive syntax is also invalid. Please take a look at the documentation for the directive.
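
An added check, not part of this thread and not Caddy's own code: a small Python structural linter for the two mistakes named in this reply. It is not Caddy's parser; it only follows braces far enough to show that, once the early `}` closes the site block, `php_fastcgi` and `unix//run//...` are read as site addresses, which is why Let's Encrypt was asked for certificates for "php_fastcgi" and "unix" and refused both. BROKEN_CADDYFILE is a constructed copy of the first Caddyfile in this thread; FIXED_CADDYFILE is an assumed corrected version, and its socket path is an assumption that has to equal php-fpm's `listen =` setting.

```python
import re
from dataclasses import dataclass, field

# Characters a public ACME CA accepts in a DNS identifier; anything else is
# reported the way Let's Encrypt did in the thread ("invalid character").
_HOST_CHARS = re.compile(r"^[A-Za-z0-9.-]+$")


@dataclass
class Site:
    addresses: list
    directives: list = field(default_factory=list)  # one token list per line


def parse_caddyfile(text):
    """Minimal structural reader, not Caddy's parser. A top-level line ending
    in `{` opens a site block whose other tokens are addresses; any other
    top-level tokens are *also* addresses, which is how a stray `}` turns
    `php_fastcgi unix//...` into two bogus site names."""
    sites, problems = [], []
    depth, site = 0, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # naive comment strip (ignores quoting)
        if not line:
            continue
        if depth == 0:
            if line == "}":
                problems.append(f"line {lineno}: '}}' closes a block that is not open")
                continue
            tokens = line.rstrip("{").split()
            site = Site(tokens)
            sites.append(site)
            if not tokens:
                problems.append(f"line {lineno}: block has no site address")
            elif not line.endswith("{"):
                problems.append(f"line {lineno}: {tokens[0]!r} is outside any site block, "
                                "so Caddy reads this line as site addresses")
            if line.endswith("{"):
                depth = 1
            continue
        if line == "}":
            depth -= 1
            continue
        if depth == 1:  # record the site's own directives, not sub-block lines
            site.directives.append(line.rstrip("{").split())
        if line.endswith("{"):
            depth += 1
    if depth:
        problems.append("end of file: a block is still open (missing '}')")
    return sites, problems


def host_of(address):
    """Host part of a site address: drop a scheme, cut at the first '/' or ':'.
    For 'unix//run//...' this gives 'unix', the name the thread's log shows."""
    address = re.sub(r"^[a-z]+://", "", address)
    return re.split(r"[/:]", address, maxsplit=1)[0]


def acme_rejection(host):
    """Why a public CA would refuse `host`, or None. Empty, localhost and
    IPv4 hosts return None: Caddy does not send those to a public CA."""
    if not host or host == "localhost" or re.fullmatch(r"\d+(\.\d+){3}", host):
        return None
    if not _HOST_CHARS.match(host):
        return "Domain name contains an invalid character"
    if "." not in host:
        return "Domain name needs at least one dot"
    return None


def upstream_problems(tokens):
    """Malformed unix-socket upstreams, as seen later in this thread."""
    out = []
    for tok in tokens[1:]:
        if tok.startswith("unix:"):
            out.append(f"{tok!r}: the socket prefix is 'unix/' (unix//abs/path), not 'unix:'")
        elif tok.startswith("unix/"):
            path = tok[len("unix/"):]
            if not path.startswith("/"):
                out.append(f"{tok!r}: socket path must be absolute (unix//abs/path)")
            elif "//" in path:
                out.append(f"{tok!r}: Caddy dials {path!r} as written; remove the double slash")
    return out


def lint(text):
    """Structure, addresses a CA would reject, log misuse, bad upstreams."""
    sites, problems = parse_caddyfile(text)
    for site in sites:
        for addr in site.addresses:
            why = acme_rejection(host_of(addr))
            if why:
                problems.append(f"address {addr!r}: ACME would reject {host_of(addr)!r}: {why}")
        for tokens in site.directives:
            if tokens[0] == "log" and len(tokens) > 1:
                problems.append("log: in Caddy 2.0 the directive takes a block, not a path")
            if tokens[0] in ("php_fastcgi", "reverse_proxy"):
                problems.extend(f"{tokens[0]}: {p}" for p in upstream_problems(tokens))
    return problems


# Constructed copy of the thread's first Caddyfile (the `}` after file_server
# closes the site early).
BROKEN_CADDYFILE = """\
blog.endnot.casa {
    root * /var/www/wordpress
    log /var/log/caddy_log.log
    encode gzip
    file_server
    }

    php_fastcgi unix//run//usr/local/etc/php7.3-fpm.sock
}
"""

# Assumed fix: one block, Caddy 2 `log` syntax, socket path matching www.conf.
FIXED_CADDYFILE = """\
blog.endnot.casa {
    root * /var/www/wordpress
    encode zstd gzip
    php_fastcgi unix//usr/local/sbin/php-fpm.sock
    file_server
    log {
        output file /var/log/caddy_log.log
    }
}
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CADDYFILE), ("fixed", FIXED_CADDYFILE)):
        print(name, lint(cfg) or "no problems")
```

This script only catches the shapes that went wrong here; once it is quiet, `caddy adapt --config Caddyfile` is the authority on whether the file actually parses, and the adapted JSON shows exactly which host names Caddy will try to get certificates for.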

Thank you, that changed the error a bit. Is there still something wrong with the
php_fastcgi unix//run//usr/local/etc/php7.3-fpm.sock line?

2020/07/02 10:58:17 [INFO][unix] Done waiting
2020/07/02 10:58:17 [INFO] [unix] acme: Obtaining bundled SAN certificate given a CSR
2020/07/02 10:58:17 [ERROR] acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rejectedIdentifier :: Error creating new order :: Cannot issue for "php_fastcgi": Domain name contains an invalid character, url:  (challenge=http-01 remaining=[tls-alpn-01])
2020/07/02 10:58:17 [ERROR] acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rejectedIdentifier :: Error creating new order :: Cannot issue for "unix": Domain name needs at least one dot, url:  (challenge=tls-alpn-01 remaining=[http-01])
2020/07/02 10:58:18 [INFO]  AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5622071428
2020/07/02 10:58:18 [INFO]  acme: use tls-alpn-01 solver
2020/07/02 10:58:18 [INFO]  acme: Trying to solve TLS-ALPN-01
2020/07/02 10:58:18 http: TLS handshake error from 10.0.0.105:15705: EOF
fatal error: concurrent map writes
fatal error: concurrent map writes

What’s your full Caddyfile at this point? You clearly still have invalid syntax somewhere causing problems. It should not be trying to get certificates for php_fastcgi and unix.

Please read the Caddyfile structure documentation, it seems like you don’t have a clear understanding of the syntax.

This is my current Caddyfile and the resulting error. In my experimenting, I have started getting “too many failed attempts”. It’s true, I really do not understand the syntax; I am trying, but there is a lot to learn. As I read through all of the Let’s Encrypt error messages, it appears that the tls-alpn-01 solver is being used. Why? How is it called?
Thanks

blog.endnot.casa {
        root * /var/www/wordpress
        encode zstd gzip
        file_server

        php_fastcgi unix//run//usr/local/etc/php7.3-fpm.sock

        log {
                output file /var/log/caddy_log.log {
                        roll_size       100gb
                        roll_keep       5
                        roll_keep_for   720h
                        }
        }

}
root@wordpress:/etc # caddy run -config /usr/local/www/Caddyfile --watch
2020/07/02 11:30:27 [INFO]  acme: use tls-alpn-01 solver
2020/07/02 11:30:27 [INFO] acme: Trying to solve TLS-ALPN-01
2020/07/02 11:30:27 http: TLS handshake error from 10.0.0.105:40365: EOF
2020/07/02 11:30:33 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5622633898
2020/07/02 11:30:33 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5622633898
2020/07/02 11:30:33 [ERROR] error: one or more domains had a problem:
[blog.endnot.casa] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge, url: 
 (challenge=tls-alpn-01 remaining=[http-01])
2020/07/02 11:30:35 [INFO]  acme: Obtaining bundled SAN certificate given a CSR
2020/07/02 11:30:35 [INFO]  AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5622636068
2020/07/02 11:30:35 [INFO]  acme: Could not find solver for: tls-alpn-01
2020/07/02 11:30:35 [INFO] acme: use http-01 solver
2020/07/02 11:30:35 [INFO] acme: Trying to solve HTTP-01

Could be the // between run and usr


This error means that Let’s Encrypt isn’t connecting to Caddy, but to some other TLS endpoint (or maybe not a TLS endpoint at all). Make sure your DNS and network infrastructure are set up correctly.

Thanks Matt,
I am a bit confused about the best way to proceed. I have Cloudflare for DNS. I think I like using their features for the proxy (“orange cloud”).
I am trying to set up the DNS challenge because it doesn’t require any open ports. As usual, I struggle with the SYNTAX…
I have added these lines to my Caddyfile but it still will not connect. Not sure what I am missing.

tls {
    dns cloudflare {env.CLOUDFLARE_AUTH_TOKEN}
}
as
tls {
     dns cloudflare {bunchofletterandnumbers}
}

where the api token is
permissions - Zone.Zone, Zone.DNS
resources - all zones

After rereading “How to DNS Modules” I realized I needed to get xcaddy and build caddy using the cloudflare dns repository. After doing so, I think the DNS issues are solved, but it is still broken (probably syntax). This is the error when I try to browse to the site…

ERROR	http.log.error.log0	dialing backend: dial unix /run//usr/local/etc/php7.3-fpm.sock: connect: no such file or directory	{"request": {"method": "GET", "uri": "/", "proto": "HTTP/2.0", "remote_addr": "10.0.0.133:33144", "host": "blog.endnot.casa", "headers": {"Dnt": ["1"], "Upgrade-Insecure-Requests": ["1"], "User-Agent": ["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36"], "Accept-Encoding": ["gzip, deflate, br"], "Sec-Fetch-Dest": ["document"], "Accept-Language": ["en-US,en;q=0.9"], "Cache-Control": ["max-age=0"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"], "Sec-Fetch-Site": ["cross-site"], "Sec-Fetch-Mode": ["navigate"], "Sec-Fetch-User": ["?1"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "blog.endnot.casa"}}, "duration": 0.000209711, "status": 502, "err_id": "xagic7mii", "err_trace": "reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:411)"}

I still think you should take a look at the // in your path between run and usr. I’m not that good with computers but I think there should only be one / between directories.


Thanks Jfirestorm44, you are correct regarding the //. However, I think the issue is related to my PHP installation, or the lack of… So much to learn, so little time.


I am unable to make the unix socket work. To resolve this I changed the

php_fastcgi unix: /usr/local/sbin/php-fpm.sock

to

php_fastcgi 127.0.0.1:9000

and updated /php-fpm.d/www.conf accordingly.

I do not understand why changing to the sock file breaks this. It could be the syntax of the line in the Caddyfile (I experimented with every example I could find), or what?

On to the next thing in making a wordpress site…

It probably had to do with file permissions. The user under which the caddy process runs needs to have access to the unix socket.

But also the syntax is php_fastcgi unix//usr/local/sbin/php-fpm.sock. To explain, unix/ is the prefix that tells Caddy that what follows is a path to a unix socket, and following that is the absolute path to it.


My caddy process runs as the root user.
The php-fpm.sock file is owned by root/wheel.
The php-fpm process is run by either caddy or www (depending on www.conf settings).
There is one php-fpm process that runs as root, with a state of kqread.

Not exactly sure which permissions I need to change. But I think I would like to use the sock…
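
An added diagnostic for the last two posts, not from the thread and not Caddy's own code: given the path from a `php_fastcgi unix/...` token, it reports whether the identity Caddy runs as can connect to the php-fpm socket. It separates the case of a missing socket file (the 502 "dial unix ...: no such file or directory" above, which no permission change fixes; only php-fpm's `listen =` path matters) from a socket the process cannot write to, which is what `listen.owner`, `listen.group` and `listen.mode` in www.conf control. `demo()` stands in for php-fpm with a temporary listening socket so the block runs offline; the path names in it are assumptions.

```python
import os
import pwd
import socket
import stat
import tempfile


def socket_path(upstream):
    """Filesystem path behind a Caddy 'unix/<abs path>' upstream token, or
    None for TCP upstreams such as 127.0.0.1:9000 (and for the wrong 'unix:')."""
    return upstream[len("unix/"):] if upstream.startswith("unix/") else None


def socket_report(path, uid=None, gid=None):
    """Why connect() to the php-fpm socket at `path` would fail for the given
    identity (default: this process), or None if it should work. Checks what
    the thread's errors hinge on: the file exists, it is a socket, the socket
    file is writable (what connect() needs), and, when checking as ourselves,
    a real connect() to catch a dead listener. Directory search permission
    is not checked."""
    uid = os.geteuid() if uid is None else uid
    gid = os.getegid() if gid is None else gid
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return f"{path}: no such file; php-fpm is not running or its 'listen =' is a different path"
    if not stat.S_ISSOCK(st.st_mode):
        return f"{path}: exists but is not a socket"
    try:  # supplementary groups count too, when the uid has a passwd entry
        groups = set(os.getgrouplist(pwd.getpwuid(uid).pw_name, gid))
    except KeyError:
        groups = {gid}
    if uid == 0:
        allowed = True  # root bypasses mode bits (the situation described above)
    elif st.st_uid == uid:
        allowed = bool(st.st_mode & stat.S_IWUSR)
    elif st.st_gid in groups:
        allowed = bool(st.st_mode & stat.S_IWGRP)
    else:
        allowed = bool(st.st_mode & stat.S_IWOTH)
    if not allowed:
        return (f"{path}: {stat.filemode(st.st_mode)} uid={st.st_uid} gid={st.st_gid} is not "
                f"writable by uid={uid} gid={gid}; set listen.owner/listen.group/listen.mode in www.conf")
    if uid == os.geteuid():
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            try:
                s.connect(path)
            except OSError as e:
                return f"{path}: connect failed: {e.strerror}"
    return None


def demo():
    """Stand-in for php-fpm: bind a listening socket with the equivalent of
    listen.mode = 0660, then check it as Caddy would, plus a path that does
    not exist (the thread's 502). Returns (live_report, missing_report)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "php-fpm.sock")  # assumed name, not the OP's
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
        srv.listen(1)
        os.chmod(path, 0o660)
        try:
            return socket_report(path), socket_report(path + ".missing")
        finally:
            srv.close()


if __name__ == "__main__":
    live, missing = demo()
    print("live socket:", live or "reachable")
    print("missing socket:", missing)
    print("path from token:", socket_path("unix//usr/local/sbin/php-fpm.sock"))
```

Run it as the user the caddy service runs as, with the path taken from the Caddyfile token, and compare against `listen =` in www.conf; if the report is "no such file", the two paths differ or php-fpm is not up, and chasing ownership of the socket file will not help.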
