Acme: error: 400 :: urn:ietf:params:acme:error:connection :: Error getting validation data

I am trying to obtain an SSL cert for my domain name. Let’s replace it with the fictional domain name xyz.com. The original one is redacted.

The following setup works, both port 80 and 443:

https://xyz.com http://xyz.com  {
root /var/www/html/
#tls REDACTED
tls self_signed
browse /data
}

However, when I try to uncomment the tls setting with my email and disable the self-signed cert, in order to enable ACME, this happens:

caddy_1    | 2019/09/19 18:13:29 [INFO] New CaddyFile:
caddy_1    | https://xyz.com http://xyz.com  {
caddy_1    | root /var/www/html/
caddy_1    | tls REDACTED
caddy_1    | #tls self_signed
caddy_1    | browse /data
caddy_1    | }
caddy_1    | # Skipping services because swarm is not available
caddy_1    | # Skipping configs because swarm is not available
caddy_1    | http://cloud.xyz.com {
caddy_1    |   proxy / 172.26.0.3:8000
caddy_1    |   tls off
caddy_1    | }
caddy_1    | http://old.xyz.com {
caddy_1    |   proxy / 172.26.0.2:8000
caddy_1    |   tls off
caddy_1    | }
caddy_1    | Activating privacy features... 2019/09/19 18:13:29 [INFO][cache:0xc00029cbe0] Started certificate maintenance routine
caddy_1    | 2019/09/19 18:13:29 [INFO][cache:0xc00029cf00] Started certificate maintenance routine
caddy_1    | 2019/09/19 18:13:30 [INFO] [xyz.com] acme: Obtaining bundled SAN certificate
caddy_1    | 2019/09/19 18:13:31 [INFO] [xyz.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/REDACTED
caddy_1    | 2019/09/19 18:13:31 [INFO] [xyz.com] acme: use tls-alpn-01 solver
caddy_1    | 2019/09/19 18:13:31 [INFO] [xyz.com] acme: Trying to solve TLS-ALPN-01
caddy_1    | 2019/09/19 18:13:39 [INFO] Unable to deactivated authorizations: https://acme-v02.api.letsencrypt.org/acme/authz-v3/REDACTED
caddy_1    | 2019/09/19 18:13:39 [xyz.com] failed to obtain certificate: acme: Error -> One or more domains had a problem:
caddy_1    | [xyz.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Error getting validation data, url:

With the Let’s Encrypt report being:

{
  "identifier": {
    "type": "dns",
    "value": "xyz.com"
  },
  "status": "invalid",
  "expires": "2019-09-26T18:13:30Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "url": "REDACTED",
      "token": "y6ZI2qtGHTjcTPImxXKnYKzBWYj8ugrgTS7xjfluDNo"
    },
    {
      "type": "dns-01",
      "status": "invalid",
      "url": "REDACTED",
      "token": "y6ZI2qtGHTjcTPImxXKnYKzBWYj8ugrgTS7xjfluDNo"
    },
    {
      "type": "tls-alpn-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Error getting validation data",
        "status": 400
      },
      "url": "REDACTED",
      "token": "y6ZI2qtGHTjcTPImxXKnYKzBWYj8ugrgTS7xjfluDNo",
      "validationRecord": [
        {
          "hostname": "REDACTED",
          "port": "443",
          "addressesResolved": [
            "51.38.98.XX",
            "2001:XXXX"
          ],
          "addressUsed": "2001:4XXX"
        }
      ]
    }
  ]
}

Hi @pietje1234, welcome to the Caddy community.

xyz.com is not a fictional domain name, it is owned and operated by an entity on the internet.

Instead, example.com is specifically registered and made available for this purpose, along with the entire .example TLD; please avoid using other people’s domain names.

As for troubleshooting this issue, well… Error getting validation data is a bit less specific than some errors. You’ve redacted the log here, too, but after url: it will have the URL of the .well-known resource Let’s Encrypt tried to access. Long story short, LE attempted to retrieve this file and the server didn’t produce a challenge response.

It may imply that a non-Caddy server is responding at that domain, or that DNS is not configured correctly.

@Whitestrake, Thank you! Thanks a lot for your reply.

You’re right. I should have used example.com. I am sorry.

Docker output:

caddy_1    | 2019/09/20 20:48:28 [INFO] [example.com] acme: Obtaining bundled SAN certificate
caddy_1    | 2019/09/20 20:48:29 [INFO] [example.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/430795028
caddy_1    | 2019/09/20 20:48:29 [INFO] [example.com] acme: use tls-alpn-01 solver
caddy_1    | 2019/09/20 20:48:29 [INFO] [example.com] acme: Trying to solve TLS-ALPN-01
caddy_1    | 2019/09/20 20:48:37 [INFO] Unable to deactivated authorizations: https://acme-v02.api.letsencrypt.org/acme/authz-v3/430795028
caddy_1    | 2019/09/20 20:48:37 [example.com] failed to obtain certificate: acme: Error -> One or more domains had a problem:
caddy_1    | [example.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Error getting validation data, url:

The full domain name can be found at the following link: https://acme-v02.api.letsencrypt.org/acme/authz-v3/430795028

I have left the webserver running with a snake oil cert. This should prove both ports 80 and 443 are running. So HTTP challenges should pass, as far as I know.

Also, this is the docker-compose file for the caddy container:

version: '2'

services:
  caddy:
    image: lucaslorentz/caddy-docker-proxy:alpine
    ports:
      - 80:80
      - 443:443
    networks:
      - web
    command: --email="REDACTED" --agree=true --log stdout -docker-caddyfile-path "/root/CaddyFile"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /home/dockerfiles/cluster/storage/caddy:/root/.caddy
      - /home/dockerfiles/cluster/caddy/CaddyFile:/root/CaddyFile
      - /home/dockerfiles/cluster/storage/www/html:/var/www/html/

networks:
  web:
    external: true

As far as I know, they should too. Looks like they resolved the correct IP address and Caddy is definitely serving content from it.

This is a TLS-ALPN-01 failure, though. I wish it were more specific.

Try running Caddy with the flag -disable-tls-alpn-challenge to force it to use HTTP-01 instead, see what you get.
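A diagnostic in the spirit of the reply above, added here as an example and not part of the thread or of Caddy itself: it pulls the attempted challenge and the address the CA connected to out of an authorization object shaped like the report posted earlier, and probes that address the way the validator does (SNI for the domain plus ALPN acme-tls/1). The sample object, the ca.invalid URLs, the placeholder addresses and the function names are constructed assumptions.

```python
import json
import socket
import ssl
from ipaddress import ip_address

# Constructed sample shaped like the authz quoted above; domain, URLs, token and addresses are placeholders.
SAMPLE_AUTHZ = json.loads("""{
  "identifier": {"type": "dns", "value": "example.com"},
  "status": "invalid",
  "challenges": [
    {"type": "http-01", "status": "invalid", "url": "https://ca.invalid/c/1", "token": "tok"},
    {"type": "tls-alpn-01", "status": "invalid",
     "error": {"type": "urn:ietf:params:acme:error:connection",
               "detail": "Error getting validation data", "status": 400},
     "url": "https://ca.invalid/c/2", "token": "tok",
     "validationRecord": [{"hostname": "example.com", "port": "443",
                           "addressesResolved": ["192.0.2.10", "2001:db8::10"],
                           "addressUsed": "2001:db8::10"}]}
  ]
}""")


def summarize_failure(authz):
    """Pick out the challenge the CA actually attempted and where it connected."""
    for chall in authz.get("challenges", []):
        if "error" not in chall:      # unattempted alternatives carry no error
            continue
        rec = (chall.get("validationRecord") or [{}])[0]
        used = rec.get("addressUsed")
        return {
            "challenge": chall["type"],
            "error": chall["error"]["type"],
            "port": int(rec.get("port", 0)),
            "resolved": rec.get("addressesResolved", []),
            "address_used": used,
            # a v6 address with no listener behind it fails even when the same site works over v4
            "used_ipv6": used is not None and ip_address(used).version == 6,
        }
    return None


def probe_tls_alpn(domain, address, port=443, timeout=5.0):
    """Handshake with SNI=domain and ALPN acme-tls/1, like the CA's validator.
    Returns the negotiated ALPN ('acme-tls/1' when a responder is up) or None;
    raises OSError when the port is unreachable from here."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # challenge cert is self-signed
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_alpn_protocols(["acme-tls/1"])
    with socket.create_connection((address, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=domain) as tls:
            return tls.selected_alpn_protocol()
```

Run probe_tls_alpn from outside the host against every entry in addressesResolved while Caddy is mid-challenge; an OSError or a None ALPN on the address the CA used points at the listener for that address family rather than at the Caddyfile.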
