After each restart, no certificates are available

1. Caddy version (caddy version):

2.1.1-alpine

2. How I run Caddy:

Docker

a. System environment:

Docker

b. Command:

c. Service/unit/compose file:

d. My complete Caddyfile or JSON config:

clevergo.tech {
    reverse_proxy clevergo:80
}

...

3. The problem I’m having:

Hi, Caddy shows no certificate available for domains after each restart, but it is strange that those domains' certificates have been issued before. A few minutes after the restart, everything returned to normal.

4. Error messages and/or full log output:

2020-09-06T16:21:52.428126604Z {"level":"info","ts":1599409312.4277506,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
2020-09-06T16:21:52.522463254Z {"level":"info","ts":1599409312.5221765,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
2020-09-06T16:21:52.522706271Z 2020/09/06 16:21:52 [INFO][cache:0xc0007542a0] Started certificate maintenance routine
2020-09-06T16:21:52.522909607Z {"level":"info","ts":1599409312.5228322,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
2020-09-06T16:21:52.522947269Z {"level":"info","ts":1599409312.5228813,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
2020-09-06T16:21:52.522964435Z {"level":"info","ts":1599409312.522906,"logger":"http","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv1","http_port":80}
2020-09-06T16:21:52.522994284Z {"level":"warn","ts":1599409312.522942,"logger":"http","msg":"user server is listening on same interface as automatic HTTP->HTTPS redirects; user-configured routes might override these redirects","server_name":"srv1","interface":"tcp/:80"}
2020-09-06T16:21:52.527618013Z {"level":"info","ts":1599409312.5275252,"logger":"tls","msg":"cleaned up storage units"}
2020-09-06T16:21:52.527727255Z {"level":"info","ts":1599409312.5276728,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["pkg.clevergo.tech","clevergo.tech","razonyang.com","yii2.razonyang.com","www.razonyang.com","admin.yii2.razonyang.com","www.clevergo.tech","gz.lb.clevergo.tech","go-auth0.razonyang.com"]}
2020-09-06T16:21:55.790705841Z 2020/09/06 16:21:55 http: TLS handshake error from 10.0.0.1:1736: no certificate available for 'clevergo.tech'
2020-09-06T16:22:15.743856593Z 2020/09/06 16:22:15 http: TLS handshake error from 10.0.0.1:17658: no certificate available for 'clevergo.tech'
2020-09-06T16:22:15.877508245Z 2020/09/06 16:22:15 http: TLS handshake error from 10.0.0.1:43307: no certificate available for 'clevergo.tech'
2020-09-06T16:22:16.679285473Z 2020/09/06 16:22:16 http: TLS handshake error from 10.0.0.1:46777: no certificate available for 'clevergo.tech'
2020-09-06T16:22:16.851865572Z 2020/09/06 16:22:16 http: TLS handshake error from 10.0.0.1:20270: no certificate available for 'clevergo.tech'
2020-09-06T16:22:17.308132489Z 2020/09/06 16:22:17 http: TLS handshake error from 10.0.0.1:37061: no certificate available for 'clevergo.tech'
2020-09-06T16:22:17.467270471Z 2020/09/06 16:22:17 http: TLS handshake error from 10.0.0.1:42515: no certificate available for 'clevergo.tech'
2020-09-06T16:22:17.9201458Z 2020/09/06 16:22:17 http: TLS handshake error from 10.0.0.1:2445: no certificate available for 'clevergo.tech'
2020-09-06T16:22:18.097374501Z 2020/09/06 16:22:18 http: TLS handshake error from 10.0.0.1:32804: no certificate available for 'clevergo.tech'
2020-09-06T16:22:19.834614645Z 2020/09/06 16:22:19 http: TLS handshake error from 10.0.0.1:38826: no certificate available for 'clevergo.tech'
2020-09-06T16:22:20.009470321Z 2020/09/06 16:22:20 http: TLS handshake error from 10.0.0.1:18235: no certificate available for 'clevergo.tech'
2020-09-06T16:22:20.297889192Z 2020/09/06 16:22:20 http: TLS handshake error from 10.0.0.1:39196: no certificate available for 'clevergo.tech'
2020-09-06T16:22:20.464780446Z 2020/09/06 16:22:20 http: TLS handshake error from 10.0.0.1:19832: no certificate available for 'clevergo.tech'
2020-09-06T16:22:22.717559828Z 2020/09/06 16:22:22 http: TLS handshake error from 10.0.0.1:5778: no certificate available for 'clevergo.tech'
2020-09-06T16:22:22.725152987Z 2020/09/06 16:22:22 http: TLS handshake error from 10.0.0.1:51125: no certificate available for 'clevergo.tech'
2020-09-06T16:22:22.728162837Z 2020/09/06 16:22:22 [WARNING] Stapling OCSP: no OCSP stapling for [pkg.clevergo.tech]: making OCSP request: Post "http://ocsp.int-x3.letsencrypt.org": dial tcp 108.160.167.158:80: i/o timeout
2020-09-06T16:22:22.760250454Z 2020/09/06 16:22:22 http: TLS handshake error from 10.0.0.1:7957: no certificate available for 'clevergo.tech'
2020-09-06T16:22:22.884387722Z 2020/09/06 16:22:22 http: TLS handshake error from 10.0.0.1:45393: no certificate available for 'clevergo.tech'
2020-09-06T16:22:22.891119502Z 2020/09/06 16:22:22 http: TLS handshake error from 10.0.0.1:36907: no certificate available for 'clevergo.tech'
2020-09-06T16:22:22.935032779Z 2020/09/06 16:22:22 http: TLS handshake error from 10.0.0.1:52410: no certificate available for 'clevergo.tech'
2020-09-06T16:22:23.134293283Z 2020/09/06 16:22:23 http: TLS handshake error from 10.0.0.1:23117: no certificate available for 'clevergo.tech'
2020-09-06T16:22:23.184183493Z 2020/09/06 16:22:23 http: TLS handshake error from 10.0.0.1:38093: no certificate available for 'clevergo.tech'
2020-09-06T16:22:23.281455157Z 2020/09/06 16:22:23 http: TLS handshake error from 10.0.0.1:21563: no certificate available for 'clevergo.tech'
2020-09-06T16:22:23.345850271Z 2020/09/06 16:22:23 http: TLS handshake error from 10.0.0.1:5849: no certificate available for 'clevergo.tech'
2020-09-06T16:22:27.393338292Z 2020/09/06 16:22:27 http: TLS handshake error from 10.0.0.1:26168: no certificate available for 'clevergo.tech'
2020-09-06T16:22:27.522691991Z 2020/09/06 16:22:27 http: TLS handshake error from 10.0.0.1:44514: no certificate available for 'clevergo.tech'
2020-09-06T16:22:27.774465951Z 2020/09/06 16:22:27 http: TLS handshake error from 10.0.0.1:54692: no certificate available for 'clevergo.tech'
2020-09-06T16:22:27.911086976Z 2020/09/06 16:22:27 http: TLS handshake error from 10.0.0.1:24131: no certificate available for 'clevergo.tech'
2020-09-06T16:22:28.799938599Z 2020/09/06 16:22:28 http: TLS handshake error from 10.0.0.1:27242: no certificate available for 'clevergo.tech'
2020-09-06T16:22:28.952254714Z 2020/09/06 16:22:28 http: TLS handshake error from 10.0.0.1:29150: no certificate available for 'clevergo.tech'
2020-09-06T16:22:34.598761571Z 2020/09/06 16:22:34 http: TLS handshake error from 10.0.0.1:45550: no certificate available for 'yii2.razonyang.com'
2020-09-06T16:22:34.625923989Z 2020/09/06 16:22:34 http: TLS handshake error from 10.0.0.1:45482: no certificate available for 'yii2.razonyang.com'
2020-09-06T16:22:35.573406528Z 2020/09/06 16:22:35 http: TLS handshake error from 10.0.0.1:45482: no certificate available for 'yii2.razonyang.com'
2020-09-06T16:22:35.594536696Z 2020/09/06 16:22:35 http: TLS handshake error from 10.0.0.1:45536: no certificate available for 'yii2.razonyang.com'
2020-09-06T16:22:35.882101992Z 2020/09/06 16:22:35 http: TLS handshake error from 10.0.0.1:45536: no certificate available for 'yii2.razonyang.com'
2020-09-06T16:22:35.901569101Z 2020/09/06 16:22:35 http: TLS handshake error from 10.0.0.1:45507: no certificate available for 'yii2.razonyang.com'
2020-09-06T16:22:36.017445898Z 2020/09/06 16:22:36 http: TLS handshake error from 10.0.0.1:45548: no certificate available for 'yii2.razonyang.com'
2020-09-06T16:22:36.035347867Z 2020/09/06 16:22:36 http: TLS handshake error from 10.0.0.1:45538: no certificate available for 'yii2.razonyang.com'
2020-09-06T16:22:36.583731512Z 2020/09/06 16:22:36 http: TLS handshake error from 10.0.0.1:33067: no certificate available for 'clevergo.tech'
2020-09-06T16:22:36.724236497Z 2020/09/06 16:22:36 http: TLS handshake error from 10.0.0.1:45525: no certificate available for 'clevergo.tech'
2020-09-06T16:22:36.798628931Z 2020/09/06 16:22:36 http: TLS handshake error from 10.0.0.1:20938: no certificate available for 'clevergo.tech'
2020-09-06T16:22:36.979797261Z 2020/09/06 16:22:36 http: TLS handshake error from 10.0.0.1:48976: no certificate available for 'clevergo.tech'
2020-09-06T16:22:37.718865647Z 2020/09/06 16:22:37 http: TLS handshake error from 10.0.0.1:18639: no certificate available for 'clevergo.tech'
2020-09-06T16:22:37.920569484Z 2020/09/06 16:22:37 http: TLS handshake error from 10.0.0.1:48805: no certificate available for 'clevergo.tech'
2020-09-06T16:22:52.729387995Z 2020/09/06 16:22:52 [WARNING] Stapling OCSP: no OCSP stapling for [clevergo.tech]: making OCSP request: Post "http://ocsp.int-x3.letsencrypt.org": dial tcp 108.160.170.39:80: i/o timeout
2020-09-06T16:23:22.73070407Z 2020/09/06 16:23:22 [WARNING] Stapling OCSP: no OCSP stapling for [razonyang.com]: making OCSP request: Post "http://ocsp.int-x3.letsencrypt.org": dial tcp 108.160.167.158:80: i/o timeout
2020-09-06T16:23:52.737615456Z 2020/09/06 16:23:52 [WARNING] Stapling OCSP: no OCSP stapling for [yii2.razonyang.com]: making OCSP request: Post "http://ocsp.int-x3.letsencrypt.org": dial tcp 108.160.167.158:80: i/o timeout
2020-09-06T16:24:22.734573169Z 2020/09/06 16:24:22 [WARNING] Stapling OCSP: no OCSP stapling for [www.razonyang.com]: making OCSP request: Post "http://ocsp.int-x3.letsencrypt.org": dial tcp 69.171.245.49:80: i/o timeout
2020-09-06T16:24:52.735770082Z 2020/09/06 16:24:52 [WARNING] Stapling OCSP: no OCSP stapling for [admin.yii2.razonyang.com]: making OCSP request: Post "http://ocsp.int-x3.letsencrypt.org": dial tcp 69.171.245.49:80: i/o timeout
2020-09-06T16:25:22.736945067Z 2020/09/06 16:25:22 [WARNING] Stapling OCSP: no OCSP stapling for [www.clevergo.tech]: making OCSP request: Post "http://ocsp.int-x3.letsencrypt.org": dial tcp 69.171.245.49:80: i/o timeout
2020-09-06T16:25:52.738197433Z 2020/09/06 16:25:52 [WARNING] Stapling OCSP: no OCSP stapling for [gz.lb.clevergo.tech]: making OCSP request: Post "http://ocsp.int-x3.letsencrypt.org": dial tcp 118.193.240.37:80: i/o timeout
2020-09-06T16:26:22.739354334Z 2020/09/06 16:26:22 [WARNING] Stapling OCSP: no OCSP stapling for [go-auth0.razonyang.com]: making OCSP request: Post "http://ocsp.int-x3.letsencrypt.org": dial tcp 208.101.60.87:80: i/o timeout
2020-09-06T16:26:22.739679654Z {"level":"info","ts":1599409582.7394855,"msg":"autosaved config","file":"/config/caddy/autosave.json"}
2020-09-06T16:26:22.739697471Z {"level":"info","ts":1599409582.7395248,"msg":"serving initial configuration"}

5. What I already tried:

I have mounted /data and /config volumes:

# ls /data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/
...list of my certificates...

6. Links to relevant resources:

Something about your network stack appears to be causing connections to the OCSP servers to time out. (Either that, or all the OCSP servers are legitimately down, but I’m not aware of any issues.)

Each time you reload, Caddy is trying to staple OCSP if it doesn’t have an OCSP response cached already.

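As an added example (not from the thread or the Caddy project), the Python script below runs over constructed log lines in the same format as the log above: it counts "no certificate available" handshake failures per server name, counts OCSP stapling failures per certificate, and measures the gap between Caddy enabling certificate management and serving its initial configuration. In the posted log that gap is about four and a half minutes, one 30-second OCSP timeout for each of the nine certificates, which is the delay the explanation above points to.

```python
import json
import re
from collections import Counter
from datetime import datetime

# Constructed sample shaped like the thread's log: Docker timestamp, then a Caddy JSON record or a plain TLS/OCSP line.
SAMPLE_LOG = """\
2020-09-06T16:21:52.527727255Z {"level":"info","ts":1599409312.5,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["clevergo.tech","yii2.razonyang.com"]}
2020-09-06T16:21:55.790705841Z 2020/09/06 16:21:55 http: TLS handshake error from 10.0.0.1:1736: no certificate available for 'clevergo.tech'
2020-09-06T16:22:22.728162837Z 2020/09/06 16:22:22 [WARNING] Stapling OCSP: no OCSP stapling for [clevergo.tech]: making OCSP request: Post "http://ocsp.int-x3.letsencrypt.org": dial tcp 108.160.167.158:80: i/o timeout
2020-09-06T16:22:34.598761571Z 2020/09/06 16:22:34 http: TLS handshake error from 10.0.0.1:45550: no certificate available for 'yii2.razonyang.com'
2020-09-06T16:22:52.729387995Z 2020/09/06 16:22:52 [WARNING] Stapling OCSP: no OCSP stapling for [yii2.razonyang.com]: making OCSP request: Post "http://ocsp.int-x3.letsencrypt.org": dial tcp 108.160.170.39:80: i/o timeout
2020-09-06T16:22:53.000000000Z {"level":"info","ts":1599409373.0,"msg":"serving initial configuration"}
"""

LINE_RE = re.compile(r"^(\S+Z) (.*)$")
HANDSHAKE_RE = re.compile(r"no certificate available for '([^']+)'")
OCSP_RE = re.compile(r"no OCSP stapling for \[([^\]]+)\]: .*(i/o timeout|connection refused|no such host)")

def parse_ts(stamp):
    # Docker emits nanoseconds; datetime only parses microseconds, so trim the fraction.
    base, frac = stamp.rstrip("Z").split(".")
    return datetime.fromisoformat(f"{base}.{frac[:6]}")

def analyze(log_text):
    """Return (handshake failures per SNI, OCSP failures per cert, startup stall in seconds)."""
    handshakes, ocsp_failures = Counter(), Counter()
    tls_started = serving = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, body = parse_ts(m.group(1)), m.group(2)
        if body.startswith("{"):  # structured record: only the two startup milestones matter
            msg = json.loads(body).get("msg", "")
            if msg == "enabling automatic TLS certificate management":
                tls_started = ts
            elif msg == "serving initial configuration":
                serving = ts
        elif (h := HANDSHAKE_RE.search(body)):
            handshakes[h.group(1)] += 1
        elif (o := OCSP_RE.search(body)):
            ocsp_failures[o.group(1)] += 1
    stall = (serving - tls_started).total_seconds() if tls_started and serving else None
    return handshakes, ocsp_failures, stall

def diagnose(log_text):
    """Names that both failed handshakes and hit an OCSP responder error: the thread's symptom."""
    handshakes, ocsp_failures, stall = analyze(log_text)
    return sorted(set(handshakes) & set(ocsp_failures)), stall
```

Feed it `docker logs <container>` output; a non-empty name list together with a stall of roughly 30 seconds per certificate points at the OCSP responder being unreachable rather than at missing certificates on disk.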

Thank you for pointing out the reason; ocsp.int-x3.letsencrypt.org seems to be inaccessible or unresolvable from China.
I use /etc/hosts as a temporary fix.

I found that Nginx provides some useful options, such as ssl_ocsp_responder for overriding the URL of the OCSP responder. I can set up a forward proxy for OCSP. This solution is much better and stronger than /etc/hosts. How about adding similar features to Caddy?

Sure, good idea. Can you open an issue to request the feature and link to this thread?

Done :grinning:
https://github.com/caddyserver/caddy/issues/3714
