Hi!
I’m trying to run a Caddy server on my machine but I’m having some difficulties. Namely, I can’t manage to get Authorization for the SSL certificate to work for some odd reason and that doesn’t start my server at all. I’m thinking that it’s mostly my ISP provider.
This is the caddy configuration which I have:
{
	debug
}

stan.rare.armor.quest {
	respond "Hello"
}
The main focus is on stan.rare.armor.quest. I have bought the DNS with a Wildcard of *.rare.armor.quest and it does actually work, i.e. it pings on the correct IP address. I have a couple of other servers running on different physical machines and they work without an issue; the issue is only happening on my computer at home.
I’m running caddy via podman, which is rootless docker, but the same issue happens when I have Caddy installed on the system:
podman run --net=host --rm -v /etc/caddy/Caddyfile:/etc/caddy/Caddyfile --name cadddy caddy:latest
{"level":"info","ts":1678096752.3831785,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"warn","ts":1678096752.3836074,"msg":"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":5}
{"level":"info","ts":1678096752.384107,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1678096752.3843634,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1678096752.38437,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1678096752.3844051,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00055a0e0"}
{"level":"info","ts":1678096752.3845134,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"info","ts":1678096752.3845189,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"info","ts":1678096752.3845513,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1678096752.384555,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Receive-Buffer-Size for details."}
{"level":"debug","ts":1678096752.3845816,"logger":"http","msg":"starting server loop","address":"[::]:443","tls":true,"http3":true}
{"level":"info","ts":1678096752.3845885,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"debug","ts":1678096752.3846035,"logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}
{"level":"info","ts":1678096752.3846064,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1678096752.384608,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["stan.rare.armor.quest"]}
{"level":"info","ts":1678096752.384791,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1678096752.3847945,"msg":"serving initial configuration"}
{"level":"info","ts":1678096752.3849173,"logger":"tls.obtain","msg":"acquiring lock","identifier":"stan.rare.armor.quest"}
{"level":"info","ts":1678096752.384997,"logger":"tls.obtain","msg":"lock acquired","identifier":"stan.rare.armor.quest"}
{"level":"info","ts":1678096752.3850825,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"stan.rare.armor.quest"}
{"level":"debug","ts":1678096752.3851035,"logger":"events","msg":"event","name":"cert_obtaining","id":"60a153cd-9aba-4712-bcc3-d3704616bbc8","origin":"tls","data":{"identifier":"stan.rare.armor.quest"}}
{"level":"debug","ts":1678096752.3852608,"logger":"tls.obtain","msg":"trying issuer 1/2","issuer":"acme-v02.api.letsencrypt.org-directory"}
{"level":"debug","ts":1678096752.9014864,"logger":"http.acme_client","msg":"http request","method":"GET","url":"https://acme-v02.api.letsencrypt.org/directory","headers":{"User-Agent":["Caddy/2.6.3 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["756"],"Content-Type":["application/json"],"Date":["Mon, 06 Mar 2023 09:59:12 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1678096753.057221,"logger":"http.acme_client","msg":"http request","method":"HEAD","url":"https://acme-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.6.3 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Mon, 06 Mar 2023 09:59:12 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["327CMi6kDLZkOmnYVBZnYlpiKhCf9A-cEu51RMzOpMTwNJs"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1678096753.2429903,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/new-acct","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.3 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["221"],"Content-Type":["application/problem+json"],"Date":["Mon, 06 Mar 2023 09:59:13 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["327CY46UdDNmYJxYQDRB5v-c0_MmvLzhRBA3lbMxpd2pRVM"],"Server":["nginx"]},"status_code":429}
{"level":"error","ts":1678096753.2431107,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"stan.rare.armor.quest","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new account :: too many registrations for this IP: see https://letsencrypt.org/docs/too-many-registrations-for-this-ip/"}
{"level":"debug","ts":1678096753.2431219,"logger":"tls.obtain","msg":"trying issuer 2/2","issuer":"acme.zerossl.com-v2-DV90"}
{"level":"warn","ts":1678096753.2433174,"logger":"http","msg":"missing email address for ZeroSSL; it is strongly recommended to set one for next time"}
{"level":"info","ts":1678096754.37057,"logger":"http","msg":"generated EAB credentials","key_id":"v7dWfUZ5hOVzJyzeUdCy5g"}
{"level":"debug","ts":1678096754.574131,"logger":"http.acme_client","msg":"http request","method":"GET","url":"https://acme.zerossl.com/v2/DV90","headers":{"User-Agent":["Caddy/2.6.3 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Content-Length":["645"],"Content-Type":["application/json"],"Date":["Mon, 06 Mar 2023 09:59:14 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
{"level":"debug","ts":1678096754.9761448,"logger":"http.acme_client","msg":"http request","method":"HEAD","url":"https://acme.zerossl.com/v2/DV90/newNonce","headers":{"User-Agent":["Caddy/2.6.3 CertMagic acmez (linux; amd64)"]},"respons
Running certbot directly:
podman run -it --rm --name certbot -p 80:80 -p 443:443 certbot/certbot certonly
Didn’t give me an issue and I managed to register stan.rare.armor.quest.
This is my curl command to show that it’s not running over IP:
curl -v stan.rare.armor.quest
* Trying 109.245.64.27:80...
* connect to 109.245.64.27 port 80 failed: No route to host
* Failed to connect to stan.rare.armor.quest port 80 after 1 ms: No route to host
* Closing connection 0
curl: (7) Failed to connect to stan.rare.armor.quest port 80 after 1 ms: No route to host
Of course, port 80 and 443 are forwarded to my PC on the router config and I have bought a static IP address. Other servers do work over the internet and I can run nginx and see it over my public IP address.
Edit: Also, my DNS isn’t new; it’s been there for a few weeks already, so it’s not that it didn’t propagate.
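Added example, not part of the post or of Caddy's own code: a small triage script that walks Caddy's JSON log and surfaces the failure the log above records, the HTTP 429 rateLimited response from Let's Encrypt's new-acct endpoint. Caddy only registers a new ACME account when it finds no saved account key in its data directory (/data in the container image, as the "FileStorage:/data/caddy" line shows), so a `podman run --rm` with no volume for /data registers a fresh account on every start. The sample lines are copied from the post with their long header fields trimmed.

```python
import json
from typing import Dict, List

# Constructed sample: a subset of the Caddy log lines quoted in the post,
# with the verbose "headers"/"response_headers" fields removed.
SAMPLE_LOG = r'''
{"level":"info","ts":1678096752.3850825,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"stan.rare.armor.quest"}
{"level":"debug","ts":1678096752.3852608,"logger":"tls.obtain","msg":"trying issuer 1/2","issuer":"acme-v02.api.letsencrypt.org-directory"}
{"level":"debug","ts":1678096753.2429903,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/new-acct","status_code":429}
{"level":"error","ts":1678096753.2431107,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"stan.rare.armor.quest","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new account :: too many registrations for this IP: see https://letsencrypt.org/docs/too-many-registrations-for-this-ip/"}
{"level":"debug","ts":1678096753.2431219,"logger":"tls.obtain","msg":"trying issuer 2/2","issuer":"acme.zerossl.com-v2-DV90"}
'''


def triage_acme_log(text: str) -> Dict[str, object]:
    """Summarise why certificate issuance failed, from Caddy's JSON log.

    Returns the ACME requests that got an HTTP error status, the per-issuer
    errors reported by the tls.obtain logger (classified by ACME error type),
    and whether a new-account registration was attempted at all: Caddy only
    POSTs to new-acct when no saved account key exists in its data directory.
    """
    failed_requests: List[dict] = []
    issuer_errors: List[dict] = []
    new_account_attempted = False
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines (e.g. a cut-off paste)
        logger = rec.get("logger", "")
        if logger == "http.acme_client" and rec.get("msg") == "http request":
            if rec.get("url", "").endswith("/new-acct"):
                new_account_attempted = True
            if rec.get("status_code", 0) >= 400:
                failed_requests.append({"method": rec.get("method"), "url": rec.get("url"),
                                        "status": rec.get("status_code")})
        elif logger == "tls.obtain" and rec.get("level") == "error":
            err = rec.get("error", "")
            kind = "unknown"
            if "urn:ietf:params:acme:error:rateLimited" in err:
                # Account-registration limit is distinct from per-domain issuance limits.
                kind = "account_rate_limit" if "too many registrations" in err else "rate_limit"
            issuer_errors.append({"issuer": rec.get("issuer"), "identifier": rec.get("identifier"),
                                  "kind": kind})
    return {"failed_requests": failed_requests, "issuer_errors": issuer_errors,
            "new_account_attempted": new_account_attempted}


if __name__ == "__main__":
    print(json.dumps(triage_acme_log(SAMPLE_LOG), indent=2))
```

A result with `new_account_attempted` true and an `account_rate_limit` error points at non-persisted ACME storage rather than at DNS or port forwarding, which is the part of the log worth checking before the network path.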