Authorization failed on server

Hi!

I’m trying to run a Caddy server on my machine but I’m having some difficulties. Namely, I can’t manage to get authorization for the SSL certificate to work for some odd reason, and that doesn’t start my server at all. I’m thinking that it’s mostly my ISP.

This is the caddy configuration which I have:

{
        debug
}

stan.rare.armor.quest {
        respond "Hello"
}

The main focus is on stan.rare.armor.quest. I have bought the DNS with a wildcard of *.rare.armor.quest and it does actually work, i.e. it pings on the correct IP address. I have a couple of other servers running on different physical machines and they work without an issue; the issue is only happening on my computer at home.

I’m running caddy via podman, which is rootless docker, but the same issue happens when I have Caddy installed on the system:

podman run --net=host --rm -v /etc/caddy/Caddyfile:/etc/caddy/Caddyfile --name cadddy caddy:latest
{"level":"info","ts":1678096752.3831785,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"warn","ts":1678096752.3836074,"msg":"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":5}
{"level":"info","ts":1678096752.384107,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1678096752.3843634,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1678096752.38437,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1678096752.3844051,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00055a0e0"}
{"level":"info","ts":1678096752.3845134,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"info","ts":1678096752.3845189,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"info","ts":1678096752.3845513,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1678096752.384555,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Receive-Buffer-Size for details."}
{"level":"debug","ts":1678096752.3845816,"logger":"http","msg":"starting server loop","address":"[::]:443","tls":true,"http3":true}
{"level":"info","ts":1678096752.3845885,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"debug","ts":1678096752.3846035,"logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}
{"level":"info","ts":1678096752.3846064,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1678096752.384608,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["stan.rare.armor.quest"]}
{"level":"info","ts":1678096752.384791,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1678096752.3847945,"msg":"serving initial configuration"}
{"level":"info","ts":1678096752.3849173,"logger":"tls.obtain","msg":"acquiring lock","identifier":"stan.rare.armor.quest"}
{"level":"info","ts":1678096752.384997,"logger":"tls.obtain","msg":"lock acquired","identifier":"stan.rare.armor.quest"}
{"level":"info","ts":1678096752.3850825,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"stan.rare.armor.quest"}
{"level":"debug","ts":1678096752.3851035,"logger":"events","msg":"event","name":"cert_obtaining","id":"60a153cd-9aba-4712-bcc3-d3704616bbc8","origin":"tls","data":{"identifier":"stan.rare.armor.quest"}}
{"level":"debug","ts":1678096752.3852608,"logger":"tls.obtain","msg":"trying issuer 1/2","issuer":"acme-v02.api.letsencrypt.org-directory"}
{"level":"debug","ts":1678096752.9014864,"logger":"http.acme_client","msg":"http request","method":"GET","url":"https://acme-v02.api.letsencrypt.org/directory","headers":{"User-Agent":["Caddy/2.6.3 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["756"],"Content-Type":["application/json"],"Date":["Mon, 06 Mar 2023 09:59:12 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1678096753.057221,"logger":"http.acme_client","msg":"http request","method":"HEAD","url":"https://acme-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.6.3 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Mon, 06 Mar 2023 09:59:12 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["327CMi6kDLZkOmnYVBZnYlpiKhCf9A-cEu51RMzOpMTwNJs"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1678096753.2429903,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/new-acct","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.3 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["221"],"Content-Type":["application/problem+json"],"Date":["Mon, 06 Mar 2023 09:59:13 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["327CY46UdDNmYJxYQDRB5v-c0_MmvLzhRBA3lbMxpd2pRVM"],"Server":["nginx"]},"status_code":429}
{"level":"error","ts":1678096753.2431107,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"stan.rare.armor.quest","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new account :: too many registrations for this IP: see https://letsencrypt.org/docs/too-many-registrations-for-this-ip/"}
{"level":"debug","ts":1678096753.2431219,"logger":"tls.obtain","msg":"trying issuer 2/2","issuer":"acme.zerossl.com-v2-DV90"}
{"level":"warn","ts":1678096753.2433174,"logger":"http","msg":"missing email address for ZeroSSL; it is strongly recommended to set one for next time"}
{"level":"info","ts":1678096754.37057,"logger":"http","msg":"generated EAB credentials","key_id":"v7dWfUZ5hOVzJyzeUdCy5g"}
{"level":"debug","ts":1678096754.574131,"logger":"http.acme_client","msg":"http request","method":"GET","url":"https://acme.zerossl.com/v2/DV90","headers":{"User-Agent":["Caddy/2.6.3 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Content-Length":["645"],"Content-Type":["application/json"],"Date":["Mon, 06 Mar 2023 09:59:14 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
{"level":"debug","ts":1678096754.9761448,"logger":"http.acme_client","msg":"http request","method":"HEAD","url":"https://acme.zerossl.com/v2/DV90/newNonce","headers":{"User-Agent":["Caddy/2.6.3 CertMagic acmez (linux; amd64)"]},"respons

Running certbot directly:

podman run -it --rm --name certbot -p 80:80 -p 443:443 certbot/certbot certonly

Didn’t give me an issue and I managed to register stan.rare.armor.quest.

This is my curl command to show that it’s not running over IP:

curl -v stan.rare.armor.quest
*   Trying 109.245.64.27:80...
* connect to 109.245.64.27 port 80 failed: No route to host
* Failed to connect to stan.rare.armor.quest port 80 after 1 ms: No route to host
* Closing connection 0
curl: (7) Failed to connect to stan.rare.armor.quest port 80 after 1 ms: No route to host

Of course, port 80 and 443 are forwarded to my PC on the router config and I have bought a static IP address. Other servers do work over internet and I can run nginx and see it over my public IP address.

Edit:

Also my DNS isn’t new, it’s there for a few weeks already so it’s not that it didn’t propagate.

You’ve been rate limited.

How are you running Caddy exactly? Make sure you’re persisting Caddy’s /data volume.

You didn’t fill out the help topic template, as per the forum rules, so we’re missing some details.

Which machine are you making this request from? Try from a machine outside your network.

If it connects when outside but not inside, then the problem is probably that your home router doesn’t support NAT hairpinning.

The typical solution is to run a DNS server in your LAN to resolve the domain to your LAN IP (e.g. 192.168.x.x) instead of your WAN IP so that it can route properly.
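The two 429s in the log above come from different Let’s Encrypt limits. "too many registrations for this IP" means every container start registered a brand-new ACME account: the account key lives under /data, and that directory was not persisted. "too many failed authorizations" is the per-hostname limit on failed challenges, which is what you hit once the account problem is gone but the HTTP-01 challenge still cannot be reached. The following is an added example, not code from this thread or from the Caddy project: a POSIX shell triage that reads Caddy’s JSON log and labels each failed issuer attempt with the limit it hit and the usual remedy. The sample log is constructed from the three error lines posted in this thread; the remedy text is the example author’s reading of those errors, not Caddy output.

```shell
#!/bin/sh
# Triage Caddy JSON logs for ACME issuance failures.
# Added example for this thread; not part of Caddy or the original posts.
# Reads log lines on stdin, prints "<issuer>\t<class>\t<hint>" for each
# "could not get certificate from issuer" event.

classify_acme_failures() {
  # Keep only the per-issuer failure events, then pull out issuer and error text.
  grep '"msg":"could not get certificate from issuer"' |
  sed -n 's/.*"issuer":"\([^"]*\)".*"error":"\([^"]*\)".*/\1 \2/p' |
  while IFS=' ' read -r issuer err; do
    case "$err" in
      *rateLimited*"too many registrations for this IP"*)
        printf '%s\t%s\t%s\n' "$issuer" "rate-limit:new-account" \
          "a new ACME account was registered on every start; persist /data (e.g. -v caddydata:/data) so the account key is reused" ;;
      *rateLimited*"too many failed authorizations"*)
        printf '%s\t%s\t%s\n' "$issuer" "rate-limit:failed-authz" \
          "challenges keep failing; make :80/:443 reachable from the internet (or use DNS-01) before retrying" ;;
      "HTTP 0"*)
        printf '%s\t%s\t%s\n' "$issuer" "validation-failed:no-detail" \
          "the CA rejected the challenge without a problem document; test the challenge URL from outside the LAN" ;;
      *)
        printf '%s\t%s\t%s\n' "$issuer" "other" "$err" ;;
    esac
  done
}

# Constructed sample: the three failure lines from this thread, verbatim.
SAMPLE_LOG=$(cat <<'EOF'
{"level":"error","ts":1678096753.2431107,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"stan.rare.armor.quest","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new account :: too many registrations for this IP: see https://letsencrypt.org/docs/too-many-registrations-for-this-ip/"}
{"level":"error","ts":1678127933.921468,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"stan.rare.armor.quest","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/"}
{"level":"error","ts":1678127940.233467,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"stan.rare.armor.quest","issuer":"acme.zerossl.com-v2-DV90","error":"HTTP 0  - "}
EOF
)

# Run the classifier over the constructed sample.
triage_sample() {
  printf '%s\n' "$SAMPLE_LOG" | classify_acme_failures
}

# Against a live container you would pipe the real log instead:
#   podman logs caddy 2>&1 | classify_acme_failures
```

The classifier deliberately keys on the ACME error URN plus the CA’s detail text rather than on the HTTP status alone: both Let’s Encrypt failures are 429s, but only the first one is fixed by persisting /data, and retrying in a loop against the second one just extends the lockout.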

Hi, thanks for the response!

I’ve put in the command with which I start caddy at the top of the logs:
podman run --net=host --rm -v /etc/caddy/Caddyfile:/etc/caddy/Caddyfile --name cadddy caddy:latest, maybe it just wasn’t as visible as I thought it was.

Here is what happened when I persist /data:

# podman run --net=host --rm -v /etc/caddy/Caddyfile.ssl:/etc/caddy/Caddyfile -v caddydata:/data --name caddy caddy:latest
{"level":"info","ts":1678127932.905679,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"info","ts":1678127932.9065595,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//[::1]:2019","//127.0.0.1:2019","//localhost:2019"]}
{"level":"info","ts":1678127932.9067852,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1678127932.9067914,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"debug","ts":1678127932.9069061,"logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}
{"level":"info","ts":1678127932.906918,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1678127932.906925,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0001a3500"}
{"level":"info","ts":1678127932.906932,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"info","ts":1678127932.906973,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Receive-Buffer-Size for details."}
{"level":"debug","ts":1678127932.9069958,"logger":"http","msg":"starting server loop","address":"[::]:443","tls":true,"http3":true}
{"level":"info","ts":1678127932.9069982,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"info","ts":1678127932.9069998,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["stan.rare.armor.quest"]}
{"level":"info","ts":1678127932.907136,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"info","ts":1678127932.9071872,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1678127932.9071906,"msg":"serving initial configuration"}
{"level":"info","ts":1678127932.907305,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1678127932.9073172,"logger":"tls.obtain","msg":"acquiring lock","identifier":"stan.rare.armor.quest"}
{"level":"info","ts":1678127932.90827,"logger":"tls.obtain","msg":"lock acquired","identifier":"stan.rare.armor.quest"}
{"level":"info","ts":1678127932.9083865,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"stan.rare.armor.quest"}
{"level":"debug","ts":1678127932.908456,"logger":"events","msg":"event","name":"cert_obtaining","id":"a8877bd0-04fd-4d2f-b2ae-2b94f2b0e63a","origin":"tls","data":{"identifier":"stan.rare.armor.quest"}}
{"level":"debug","ts":1678127932.9093802,"logger":"tls.obtain","msg":"trying issuer 1/2","issuer":"acme-v02.api.letsencrypt.org-directory"}
{"level":"info","ts":1678127932.9097214,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["stan.rare.armor.quest"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
{"level":"info","ts":1678127932.909736,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["stan.rare.armor.quest"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
{"level":"debug","ts":1678127933.5398564,"logger":"http.acme_client","msg":"http request","method":"GET","url":"https://acme-v02.api.letsencrypt.org/directory","headers":{"User-Agent":["Caddy/2.6.3 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["756"],"Content-Type":["application/json"],"Date":["Mon, 06 Mar 2023 18:38:53 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1678127933.7257576,"logger":"http.acme_client","msg":"http request","method":"HEAD","url":"https://acme-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.6.3 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Mon, 06 Mar 2023 18:38:53 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["A5FEyuFWUDnH2KMaLvZkD9O1B9LSC5jgJZvhhw7JlPigJ50"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1678127933.9213922,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.3 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["996902747"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["213"],"Content-Type":["application/problem+json"],"Date":["Mon, 06 Mar 2023 18:38:53 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["A5FE123tBLonD9hciiVYDKkl-4g6KZo92Kebu8jYNNR5qls"],"Server":["nginx"]},"status_code":429}
{"level":"error","ts":1678127933.921468,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"stan.rare.armor.quest","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/"}
{"level":"debug","ts":1678127933.9214764,"logger":"tls.obtain","msg":"trying issuer 2/2","issuer":"acme.zerossl.com-v2-DV90"}
{"level":"info","ts":1678127933.921794,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["stan.rare.armor.quest"],"ca":"https://acme.zerossl.com/v2/DV90","account":"caddy@zerossl.com"}
{"level":"info","ts":1678127933.9217997,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["stan.rare.armor.quest"],"ca":"https://acme.zerossl.com/v2/DV90","account":"caddy@zerossl.com"}
{"level":"debug","ts":1678127934.132444,"logger":"http.acme_client","msg":"http request","method":"GET","url":"https://acme.zerossl.com/v2/DV90","headers":{"User-Agent":["Caddy/2.6.3 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Content-Length":["645"],"Content-Type":["application/json"],"Date":["Mon, 06 Mar 2023 18:38:54 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
{"level":"debug","ts":1678127934.2071426,"logger":"http.acme_client","msg":"http request","method":"HEAD","url":"https://acme.zerossl.com/v2/DV90/newNonce","headers":{"User-Agent":["Caddy/2.6.3 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Type":["application/octet-stream"],"Date":["Mon, 06 Mar 2023 18:38:54 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["yGEx3mi8qnRWkzTZE3wAOpp2YkF1QTz_PjsidGu-C2w"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
{"level":"debug","ts":1678127934.3918715,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/newOrder","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.3 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["283"],"Content-Type":["application/json"],"Date":["Mon, 06 Mar 2023 18:38:54 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/-Owu3JolYa7VQbG8pkHgPQ"],"Replay-Nonce":["mANmFcvGUEmweY8eUlLO5I9ZAxbTPekdALbzP32DJU8"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":201}
{"level":"debug","ts":1678127934.481007,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/Z6t7DExZaEtTW9LBp7Mj2w","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.3 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["451"],"Content-Type":["application/json"],"Date":["Mon, 06 Mar 2023 18:38:54 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["bpJK8dWJ36UY8Ih_m9xRJN_ZdI1rV6XmaRZLdvh_NR4"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
{"level":"debug","ts":1678127934.4811785,"logger":"http.acme_client","msg":"no solver configured","challenge_type":"dns-01"}
{"level":"info","ts":1678127934.4811883,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"stan.rare.armor.quest","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"debug","ts":1678127934.4815774,"logger":"http.acme_client","msg":"waiting for solver before continuing","identifier":"stan.rare.armor.quest","challenge_type":"http-01"}
{"level":"debug","ts":1678127934.4815893,"logger":"http.acme_client","msg":"done waiting for solver","identifier":"stan.rare.armor.quest","challenge_type":"http-01"}
{"level":"debug","ts":1678127934.6067219,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/chall/lTVLrzi_JFrOWooNJdHzFA","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.3 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["164"],"Content-Type":["application/json"],"Date":["Mon, 06 Mar 2023 18:38:54 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90/authz/Z6t7DExZaEtTW9LBp7Mj2w>;rel=\"up\""],"Replay-Nonce":["G6nflu08HPlExu42YbBEBxYybGSOCd7s1XU0iwp9xG8"],"Retry-After":["10"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
{"level":"debug","ts":1678127934.6067753,"logger":"http.acme_client","msg":"challenge accepted","identifier":"stan.rare.armor.quest","challenge_type":"http-01"}
{"level":"debug","ts":1678127935.1332593,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/Z6t7DExZaEtTW9LBp7Mj2w","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.3 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["454"],"Content-Type":["application/json"],"Date":["Mon, 06 Mar 2023 18:38:55 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["WvglvP2_vwRS9lBZssIpEln1K2kl9fvKjeXEg2FVaYE"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
{"level":"debug","ts":1678127940.2333186,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/Z6t7DExZaEtTW9LBp7Mj2w","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.3 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["301"],"Content-Type":["application/json"],"Date":["Mon, 06 Mar 2023 18:39:00 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["jQpmSvAqT8EmAgzfCdJDJ9qiOll6bq9SjktHHmGLNZs"],"Retry-After":["86400"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
{"level":"error","ts":1678127940.2334352,"logger":"http.acme_client","msg":"challenge failed","identifier":"stan.rare.armor.quest","challenge_type":"http-01","problem":{"type":"","title":"","detail":"","instance":"","subproblems":[]}}
{"level":"error","ts":1678127940.2334452,"logger":"http.acme_client","msg":"validating authorization","identifier":"stan.rare.armor.quest","problem":{"type":"","title":"","detail":"","instance":"","subproblems":[]},"order":"https://acme.zerossl.com/v2/DV90/order/-Owu3JolYa7VQbG8pkHgPQ","attempt":1,"max_attempts":3}
{"level":"error","ts":1678127940.233467,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"stan.rare.armor.quest","issuer":"acme.zerossl.com-v2-DV90","error":"HTTP 0  - "}
{"level":"debug","ts":1678127940.2334795,"logger":"events","msg":"event","name":"cert_failed","id":"8056bdc1-ee6a-47a7-b062-80693be2e462","origin":"tls","data":{"error":{},"identifier":"stan.rare.armor.quest","issuers":["acme-v02.api.letsencrypt.org-directory","acme.zerossl.com-v2-DV90"],"renewal":false}}
{"level":"error","ts":1678127940.2334971,"logger":"tls.obtain","msg":"will retry","error":"[stan.rare.armor.quest] Obtain: [stan.rare.armor.quest] solving challenge: stan.rare.armor.quest: [stan.rare.armor.quest] authorization failed: HTTP 0  -  (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":7.325222135,"max_duration":2592000}

The /data folder was empty throughout the whole run of the docker container.

The issue is happening regardless of where I curl from. Both of my servers don’t see anything running on the URL and the port shows that it is closed on tools like Open Port Check Tool - Test Port Forwarding on Your Router. It’s probably that the server itself doesn’t start, as running nginx runs without an issue (without certbot though).

Then that’s your problem. You need port 80 and 443 to be open and publicly reachable by ACME issuers.

Heads-up, because I’m a new user I can’t post more than one embed so this is all images merged into one, I will be referencing them:

As I’ve stated on both of my posts, the ports do work and I can make nginx listen to them. This is only an issue with caddy.

I’ve run nginx with the following for HTTP (as it’s too much of a hassle to make HTTPS work on nginx, more on that later):

podman run --name nginx -d -p 80:80 nginx

And when I go to the browser page for http://stan.rare.armor.quest you can see HTTP working so port 80 works (see figure 1).

For an ease-of-access HTTPS server I’m using this blog post for a quick HTTPS server.

Of course, I did modify the command:

podman run -it -p 443:8443 --name opensslserver wechris/opensslserver

Just so that it binds to 443.

Going to the page of https://stan.rare.armor.quest on my browser you can see port 443 working (see figure 2).
So both of the ports are open and can definitely work. It’s that caddy doesn’t work for some odd reason on my machine.

Figure 3 is for my router settings that I did open the ports there.

There still isn’t an update on this. Caddy is working how it should on machines outside of my network while it’s not working how it should in my network.

Is there a chance that my ISP itself is not allowing for ZeroSSL to connect to the server?

I’m dumbfounded regarding this because only Caddy isn’t working. It acts as if it’s not bound, because when I edit /etc/hosts and put in 192.168.1.130 stan.rare.armor.quest it does connect to Caddy, kind of:

[zastrix@kinoite ~]$ curl https://stan.rare.armor.quest -v 
*   Trying 109.245.64.27:443...
* connect to 109.245.64.27 port 443 failed: No route to host
* Failed to connect to stan.rare.armor.quest port 443 after 1 ms: No route to host
* Closing connection 0
curl: (7) Failed to connect to stan.rare.armor.quest port 443 after 1 ms: No route to host
[zastrix@kinoite ~]$ echo '192.168.1.130 stan.rare.armor.quest' | sudo tee -a /etc/hosts
192.168.1.130 stan.rare.armor.quest
[zastrix@kinoite ~]$ curl https://stan.rare.armor.quest -v 
*   Trying 192.168.1.130:443...
* Connected to stan.rare.armor.quest (192.168.1.130) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Unknown (21):
* TLSv1.3 (IN), TLS alert, internal error (592):
* error:0A000438:SSL routines::tlsv1 alert internal error
* Closing connection 0
curl: (35) error:0A000438:SSL routines::tlsv1 alert internal error
[zastrix@kinoite ~]$ curl stan.rare.armor.quest -v 
*   Trying 192.168.1.130:80...
* Connected to stan.rare.armor.quest (192.168.1.130) port 80 (#0)
> GET / HTTP/1.1
> Host: stan.rare.armor.quest
> User-Agent: curl/7.85.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://stan.rare.armor.quest/
< Server: Caddy
< Date: Tue, 21 Mar 2023 00:04:09 GMT
< Content-Length: 0
< 
* Closing connection 0

Again, to point out. I can run non-caddy servers with port 443 and 80 without an issue. Other servers with other ports also work.

I’m not sure I can answer that. It really seems like a networking problem, not a problem with Caddy itself. Running traceroute stan.rare.armor.quest results in not finding a valid route to your server.

Have you tried contacting your ISP? If they’re using CGNAT then it might not be possible to reach your server. You might want to try using something like Cloudflare Tunnels to get around the problem.

Just contacted them and they’re 100% sure the issue is not on their side. I don’t know what to do anymore: it’s not the ISP’s fault apparently, it’s not Caddy’s fault apparently, and it’s not Namecheap, as I know it works on some other servers without an issue with the same configuration.

It’s only Caddy which is having this issue as I can get the certificate when I use certbot directly from a container. And other servers using the same ports work without an issue.

Running traceroute stan.rare.armor.quest also doesn’t lead me to an IP address when I do it from my console line but when I go on any online traceroute tool it works without an issue:

From remote SSH machine:

From local machine:

The only reason I’m using Caddy is because of the automatic SSL, if that doesn’t work then I don’t know what’s the point of the automatic SSL.

Edit:

I’m buying a Fujitsu Futro s920 to work as a router rather than the closed-type one I have. Maybe just MAYBE it’s because of some firewall settings?

Well, your server needs to be reachable for that to work, of course.

I don’t know what to tell you.

You could use the ACME DNS challenge which doesn’t require ACME issuers to reach your server over HTTP or HTTPS, and instead does validation via DNS TXT records.

Or you could use a solution like Cloudflare Tunnels like I said, which would completely sidestep the networking by establishing a direct tunnel originating from your server to Cloudflare, which Cloudflare can then send traffic through. (Or you could do that manually yourself with an SSH tunnel port forwarding from your own VPS)

I’ll have to look at the acmedns thing but probably won’t do anything about it. I found your github repo for it but I’ll have to build caddy with it to use it, which is honestly too much of a hassle for me, so I’ll probably just figure out how to do certificates by myself and just use Nginx.

I don’t really want to use tunnels as that’s going to increase latency and is another point of failure.

Not really. Maybe like 5ms at most with Cloudflare Tunnels. Negligible.

You don’t have to use acmedns. You can use the DNS provider module for your DNS provider:

And building Caddy with plugins is very easy. You can just download a build directly from Download Caddy with the plugins you need, or follow these instructions Build from source — Caddy Documentation which is as simple as downloading Go, downloading xcaddy, then running xcaddy build --with <plugins>.
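As an added example (not from this thread, the Caddy docs, or the caddy-dns project), here is the DNS-01 route end to end: a Containerfile that compiles a DNS provider plugin into the Caddy image with xcaddy, a Caddyfile whose tls block solves the challenge through that provider, and a rootless podman run that persists /data so the ACME account is reused across restarts. It assumes the zone is hosted at Cloudflare and uses github.com/caddy-dns/cloudflare; the OP’s zone is at Namecheap, so the module name and the `dns` line would be swapped for that provider’s module. The API token is read from the CF_API_TOKEN environment variable, is never written into the Caddyfile, and should be scoped to DNS edits on that one zone. The email address and the working directory are placeholders.

```shell
#!/bin/sh
# DNS-01 issuance for Caddy in rootless podman.
# Added example for this thread; not code from Caddy, caddy-dns or the posts.
# Assumptions: zone at Cloudflare, plugin github.com/caddy-dns/cloudflare,
# $CF_API_TOKEN holds a token limited to Zone:DNS:Edit on the one zone.

SITE=${SITE:-stan.rare.armor.quest}   # hostname from the thread
WORKDIR=${WORKDIR:-./caddy-dns01}      # placeholder: where rendered files go

# Containerfile: the official builder image compiles the plugin in with xcaddy,
# then the resulting binary is copied over the stock runtime image.
render_containerfile() {
  cat <<'EOF'
FROM caddy:builder AS builder
RUN xcaddy build --with github.com/caddy-dns/cloudflare
FROM caddy:latest
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
EOF
}

# Caddyfile: the tls block switches the ACME challenge to DNS-01 via the plugin.
# The token is a runtime placeholder, so this file contains no secret.
render_caddyfile() {
  cat <<EOF
{
    email you@example.com
}

$SITE {
    tls {
        dns cloudflare {env.CF_API_TOKEN}
    }
    respond "Hello"
}
EOF
}

# Build the image, write the config, validate it, then run with state persisted.
up() {
  mkdir -p "$WORKDIR"
  render_containerfile > "$WORKDIR/Containerfile"
  render_caddyfile     > "$WORKDIR/Caddyfile"
  podman build -t caddy-dns01 -f "$WORKDIR/Containerfile" "$WORKDIR"
  # Parse the Caddyfile with the plugin-enabled binary before exposing anything.
  podman run --rm -v "$WORKDIR/Caddyfile":/etc/caddy/Caddyfile:ro caddy-dns01 \
    caddy validate --config /etc/caddy/Caddyfile --adapter caddyfile
  # -e CF_API_TOKEN passes the host's value through without putting it on the
  # command line. /data holds the ACME account key and certificates; the named
  # volume is what stops each restart from registering a new account.
  podman run --net=host --rm --name caddy \
    -e CF_API_TOKEN \
    -v "$WORKDIR/Caddyfile":/etc/caddy/Caddyfile:ro \
    -v caddydata:/data -v caddyconfig:/config \
    caddy-dns01
}

# Only act when invoked as "sh this.sh up"; sourcing the file just defines functions.
if [ "${1:-}" = up ]; then up; fi
```

DNS-01 only changes how the certificate is obtained: the CA reads a TXT record instead of connecting to port 80 or 443. Visitors still have to reach the server, so it gets the cert issued but does not by itself fix the reachability problem this thread is about.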

So the to-be-router arrived; I installed Proxmox and a Debian container with Caddy. I changed the ports on my router to go to my container and Caddy just started working. It appears that the issue is specifically on my PC but I have no idea why. All of my firewalls were disabled on my PC.

I did switch my DHCP server from 192.168.1.0 to 10.17.17.0, that’s the only variable I can think of.

