1. The problem I’m having:
I’m trying to switch from the default certificate provider Let’s Encrypt to Actalis (free plan, unlimited single domain certificates), but I’m getting an error when requesting certificates:
could not get certificate from issuer
Obtain: base64-decoding MAC key: illegal base64 data at input byte 43
What I did was create a global block in /etc/caddy/Caddyfile with the following content (keys have been invalidated):
{
email me@example.com
acme_ca https://acme-api.actalis.com/acme/directory
acme_eab {
key_id aiLRBKYhcWAVNeQHyPCRCePtXH
mac_key IHxxLDCyqY7RTx9lz6ZMqD94rlBzw-znmVAis6OaiJQ=
}
}
Then I deleted everything under /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory and restarted caddy with sudo systemctl restart caddy.
2. Error messages and/or full log output:
[
{
"level": "info",
"ts": 1761374887.3296335,
"logger": "tls.issuance.acme",
"msg": "creating new account because no account for configured email is known to us",
"email": "me@example.com",
"ca": "https://acme-api.actalis.com/acme/directory",
"error": "open /var/lib/caddy/.local/share/caddy/acme/acme-api.actalis.com-acme-directory/users/me@example.com/actalis.json: no such file or directory"
},
{
"level": "error",
"ts": 1761374887.329879,
"logger": "tls.obtain",
"msg": "could not get certificate from issuer",
"identifier": "example.com",
"issuer": "acme-api.actalis.com-acme-directory",
"error": "base64-decoding MAC key: illegal base64 data at input byte 43"
},
{
"level": "error",
"ts": 1761374887.3299177,
"logger": "tls.obtain",
"msg": "will retry",
"error": "[example.com] Obtain: base64-decoding MAC key: illegal base64 data at input byte 43",
"attempt": 1,
"retrying_in": 60,
"elapsed": 2.287067271,
"max_duration": 2592000
}
]
3. Caddy version:
v2.10.2 h1:g/gTYjGMD0dec+UgMw8SnfmJ3I9+M2TdvoRL/Ovu6U8=
4. How I installed and ran Caddy:
From the Fedora COPR repo: https://copr.fedorainfracloud.org/coprs/g/caddy/caddy/
a. System environment:
Fedora 42 with the CachyOS kernel.
b. Command:
sudo systemctl start caddy
c. Service/unit/compose file:
Unmodified version of https://raw.githubusercontent.com/caddyserver/dist/master/init/caddy.service
# caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.
[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target
[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
d. My complete Caddy config:
It’s been working fine for months. It’s just Actalis ACME that’s acting weird.
{
email me@example.com
acme_ca https://acme-api.actalis.com/acme/directory
acme_eab {
key_id <my_key_id>
mac_key <my_mac_key>
}
}
http:// {
redir https://{host}{uri} permanent
}
https://example.com {
reverse_proxy unix//run/navidrome/navidrome.socket
}
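The following Go program is an added example, not part of the original post and not Caddy's or Actalis's own code. It reproduces the reported error from nothing but the posted (already invalidated) MAC key: the key is 44 characters and ends in a `=` pad character, and a decoder that expects RFC 8555's unpadded base64url rejects the 44th byte, which is offset 43. That the ACME client behind the log line decodes the key this way is an assumption made here; it is consistent with the "illegal base64 data at input byte 43" message but is not something the post states. The example also shows the normalization a practitioner would apply (strip trailing padding, map the standard alphabet's `+`/`/` to `-`/`_`) and what the MAC key is actually used for: the HMAC-SHA256 over the externalAccountBinding JWS that RFC 8555 §7.3.4 puts in the newAccount request. The key ID reuse, the new-account URL and the account JWK are placeholders; the real new-account URL comes from the directory document.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// The MAC key exactly as it appears in the post (invalidated by the poster):
// 44 characters, the last of which is a '=' pad character at offset 43.
const PostedMACKey = "IHxxLDCyqY7RTx9lz6ZMqD94rlBzw-znmVAis6OaiJQ="

// DecodeEABMACKey decodes the key the way a strict RFC 8555 client does:
// base64url with NO padding. Assumption: this matches the client that
// logged "base64-decoding MAC key: illegal base64 data at input byte 43".
func DecodeEABMACKey(s string) ([]byte, error) {
	return base64.RawURLEncoding.DecodeString(s)
}

// NormalizeEABMACKey turns a MAC key handed out in padded and/or standard-
// alphabet base64 into the unpadded base64url form RFC 8555 expects. It is
// a no-op on keys that are already in that form.
func NormalizeEABMACKey(s string) string {
	s = strings.TrimSpace(s)
	s = strings.NewReplacer("+", "-", "/", "_").Replace(s)
	return strings.TrimRight(s, "=")
}

// EABSignature is the RFC 8555 §7.3.4 externalAccountBinding signature:
// base64url(HMAC-SHA256(macKey, protectedB64 + "." + payloadB64)).
func EABSignature(macKey []byte, protectedB64, payloadB64 string) string {
	mac := hmac.New(sha256.New, macKey)
	mac.Write([]byte(protectedB64 + "." + payloadB64))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// BuildEAB assembles the externalAccountBinding JWS sent inside newAccount.
// accountJWK is the ACME account's public key as a JWK; main() passes a
// constructed placeholder, a real client uses its own account key.
func BuildEAB(keyID, macKey, newAccountURL string, accountJWK map[string]string) (map[string]string, error) {
	raw, err := DecodeEABMACKey(macKey)
	if err != nil {
		return nil, fmt.Errorf("base64-decoding MAC key: %w", err)
	}
	protected, _ := json.Marshal(map[string]string{
		"alg": "HS256", "kid": keyID, "url": newAccountURL,
	})
	payload, _ := json.Marshal(accountJWK)
	p := base64.RawURLEncoding.EncodeToString(protected)
	pl := base64.RawURLEncoding.EncodeToString(payload)
	return map[string]string{
		"protected": p,
		"payload":   pl,
		"signature": EABSignature(raw, p, pl),
	}, nil
}

func main() {
	jwk := map[string]string{ // constructed placeholder, not a real key
		"kty": "EC", "crv": "P-256", "x": "AAAA", "y": "BBBB",
	}
	url := "https://ca.example/acme/new-account" // placeholder; taken from the directory in practice
	keyID := "aiLRBKYhcWAVNeQHyPCRCePtXH"          // key_id from the post

	// As posted: the trailing '=' is rejected at offset 43.
	if _, err := BuildEAB(keyID, PostedMACKey, url, jwk); err != nil {
		fmt.Println("as posted:  ", err)
	}
	// Normalized: same 32-byte secret, the EAB JWS can be computed.
	eab, err := BuildEAB(keyID, NormalizeEABMACKey(PostedMACKey), url, jwk)
	if err != nil {
		panic(err)
	}
	fmt.Println("normalized: signature", eab["signature"])
}
```

Run it once against your own key before editing the Caddyfile: if DecodeEABMACKey fails at the offset of the first `=` (or of a `+` or `/`), the key needs the normalization shown, and the value that goes into mac_key is the 43-character unpadded form. The MAC key is a shared secret with the CA, so treat it like a password, keep the Caddyfile readable only by the caddy user, and rotate it if it has been pasted anywhere public, as the poster did.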