Auto_https off, but still see letsencrypt challenges

1. The problem I’m having:

The problem is that I have put “auto_https off” globally - but I still see http challenges happening with letsencrypt. I do have another server block for :443 but my tls definition serves custom certificates (this is for incoming requests from a trusted cdn reverse proxy).

2. Error messages and/or full log output:

"error": "no information found to solve challenge for identifier: testdomain.com"

3. Caddy version:

v2.7.6

4. How I installed and ran Caddy:

Installed in a docker container, deployed by Ansible.

a. System environment:

Linux php19 4.15.0-197-generic #208-Ubuntu SMP Tue Nov 1 17:23:37 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

b. Command:

Runs via the docker container caddy:alpine from hub.docker.com. 

c. Service/unit/compose file:

FROM caddy:builder-alpine AS builder1

RUN CGO_ENABLED=0 GOARCH=amd64 GOOS=linux xcaddy build \
  --with github.com/RussellLuo/caddy-ext/ratelimit \
  --with github.com/caddyserver/transform-encoder \
  --with github.com/leodido/caddy-jsonselect-encoder
  #--with github.com/hundertzehn/caddy-ratelimit@v0.0.5
  #--with github.com/mholt/caddy-ratelimit

RUN apk add openssl
RUN mkdir -p /etc/ssl
RUN openssl req -x509 -nodes -days 365 -subj "/C=CA/ST=QC/O=Company, Inc./CN=wpservice.app" \
  -addext "subjectAltName=DNS:wpservice.app" -newkey rsa:2048 -keyout \
  /etc/ssl/caddy-selfsigned.key -out /etc/ssl/caddy-selfsigned.crt

COPY . .

FROM caddy:alpine

COPY --from=builder1 /usr/bin/caddy /usr/bin/caddy

COPY --from=builder1 /etc/ssl/caddy-selfsigned.key /etc/ssl/private/caddy-selfsigned.key
COPY --from=builder1 /etc/ssl/caddy-selfsigned.crt /etc/ssl/certs/caddy-selfsigned.crt

ENV ACME_AGREE="true"
RUN apk add --no-cache openssh-client git

ADD ./Caddyfile /etc/caddy/Caddyfile

EXPOSE 80 443

d. My complete Caddy config:

{
  auto_https off
}

(errors) {
  handle_errors {
    rewrite * /{err.status_code}
    reverse_proxy https://http.cat {
      header_up Host {upstream_hostport}
      replace_status {err.status_code}
    }
  }
}

(wp) {
  error /xmlrpc.php "Unauthorized" 403
  error /wp-content/uploads/*.php "Unauthorized" 403
  root * /wp/sites/{header.X-Siteid}/
  file_server
  header -Server
  header -X-Powered-By
  header X-Powered-By wpservice
  @wplogin {
    method POST
    path /wp-login.php
  }
  route @wplogin {
    rate_limit {header.X-Siteid} 6r/m
  }
}

# FROM PROXY1
:80 {
  php_fastcgi {header.X-Siteid}:9000 {
    header_up X-FORWARDED-PROTO https
    env HTTPS on
  }
  import wp
}

# FROM BUNNY
:443 {
  tls /etc/ssl/certs/caddy-selfsigned.crt /etc/ssl/private/caddy-selfsigned.key

  error /xmlrpc.php "Unauthorized" 403
  error /wp-content/uploads/*.php "Unauthorized" 403
  @uploadedphp expression {http.request.uri.path}.startsWith("/wp-content/uploads") && {http.request.uri.path}.endsWith("php")
  error @uploadedphp "Unauthorized" 403

  # The dots between labels are escaped so they match a literal "." only,
  # not any character; the first label is the site id.
  @wpservice header_regexp siteid Host ^([^\.]+)\.([^\.]+)\.([^\.]+)\.wpservice\.app
  vars @wpservice "siteid" {re.siteid.1}
  log {
    format jsonselect "{siteid:resp_headers>X-Siteid>[0]} {level} {method:request>method} {uri:request>uri} {status} {size} {useragent:request>headers>User-Agent>[0]}"
  }

  root @wpservice /wp/sites/{re.siteid.1}/
  header @wpservice X-Siteid {re.siteid.1}
  header X-Phpnode {host}
  php_fastcgi @wpservice {re.siteid.1}:9000 {
    header_up Host {header.Cdn-Host}
  }

  file_server
  header -Server
  header -X-Powered-By
  @wplogin {
    header_regexp siteid Host ^([^\.]+)\.([^\.]+)\.([^\.]+)\.wpservice\.app
    method POST
    path /wp-login.php
  }
  route @wplogin {
    rate_limit {header.X-Real-Ip} 5r/m
  }

  import errors
}

5. Links to relevant resources:

This just means some client made a request to /.well-known/acme-challenge/*. It doesn’t mean Caddy tried to initiate issuance.

You can’t control what clients in the outside world are trying. If you had Automatic HTTPS enabled at some point, then issuers might still be retrying for some amount of time.

Why are you generating certs inside your container build? Why not just use tls internal in Caddy, to let Caddy issue its own certs?

You don’t need this, it was only a thing in Caddy v1.

You can simplify this a bit with the {path} placeholder shortcut.
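A version of the :443 site that applies the points in the reply, written as an added example; it is neither the poster's config nor anything from the Caddy project. It assumes the following: a bare :443 site key gives tls internal no hostnames to issue for, so on-demand issuance is turned on and gated by an assumed local "ask" endpoint on port 5555 that approves only names under wpservice.app; the explicit 404 for the ACME challenge path is an addition, so those stray client requests stop reaching php_fastcgi or file_server; {path} replaces {http.request.uri.path} as suggested; and the dots in the Host regex are escaped. The global auto_https off stays, so nothing is ever ordered from Let's Encrypt.

```caddyfile
{
  # Unchanged: no ACME automation anywhere in this config.
  auto_https off
  # Assumption: on-demand issuance is gated by a local "ask" endpoint so
  # the internal CA only issues for names served by this instance.
  on_demand_tls {
    ask http://localhost:5555/check
  }
}

# Assumed helper site: Caddy calls it with ?domain=<name> before issuing.
http://localhost:5555 {
  @allowed expression {query.domain}.endsWith(".wpservice.app")
  respond @allowed 200
  respond 403
}

# FROM BUNNY
:443 {
  # Caddy's internal CA issues a certificate for whatever SNI the CDN
  # presents (once the ask endpoint approves it), replacing the openssl
  # pair baked into the image. The CDN trusts this cert exactly as much
  # as it trusted the self-signed one: not at all unless configured to.
  tls {
    issuer internal
    on_demand
  }

  # A request for the ACME challenge path is just a client request; no
  # issuance is running. Answer it here so it never reaches PHP or the
  # file server.
  respond /.well-known/acme-challenge/* 404

  error /xmlrpc.php "Unauthorized" 403
  # {path} is the shortcut for {http.request.uri.path}
  @uploadedphp expression {path}.startsWith("/wp-content/uploads") && {path}.endsWith(".php")
  error @uploadedphp "Unauthorized" 403

  # Escaped dots match a literal "." only; group 1 is the site id.
  @wpservice header_regexp siteid Host ^([^.]+)\.([^.]+)\.([^.]+)\.wpservice\.app
  root @wpservice /wp/sites/{re.siteid.1}/
  header @wpservice X-Siteid {re.siteid.1}
  php_fastcgi @wpservice {re.siteid.1}:9000 {
    header_up Host {header.Cdn-Host}
  }
  file_server
  header -Server
  header -X-Powered-By
}
```

The ask endpoint is what keeps on-demand issuance from turning the internal CA into a certificate generator for any SNI a client cares to send; without a gate like it, every unknown name would trigger issuance and be cached. The ACME-path 404 does not silence the "no information found to solve challenge" log line, which is Caddy noting the request; it only guarantees the request is answered cheaply instead of by the PHP handler.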
