Automatic https failed

1. The problem I’m having:

  1. There is no problem with the DNS resolution of my domain name, and it can be resolved to my server correctly.

  2. Ports 80 and 443 are open and can be accessed from external networks.

  3. caddy works fine when just http is used in the caddyfile:

{
        email chb123@gmail.com
}
:80
reverse_proxy localhost:9876
  • After https is enabled, an error message is displayed, causing a certificate application failure.

2. Error messages and/or full log output:

Oct 09 02:11:35 Dev_Payment_111 caddy[18404]: {"level":"info","ts":1696817495.4480734,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/var/lib/caddy/.local/share/caddy"}
Oct 09 02:11:35 Dev_Payment_111 caddy[18404]: {"level":"info","ts":1696817495.4481452,"logger":"tls","msg":"finished cleaning storage units"}
Oct 09 02:11:35 Dev_Payment_111 caddy[18404]: {"level":"info","ts":1696817495.4482486,"logger":"tls.obtain","msg":"acquiring lock","identifier":"www.ex-nofity.top"}
Oct 09 02:11:35 Dev_Payment_111 caddy[18404]: {"level":"info","ts":1696817495.4482882,"msg":"autosaved config (load with --resume flag)","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Oct 09 02:11:35 Dev_Payment_111 caddy[18404]: {"level":"info","ts":1696817495.448325,"msg":"serving initial configuration"}
Oct 09 02:11:35 Dev_Payment_111 caddy[18404]: {"level":"info","ts":1696817495.4864845,"logger":"tls.obtain","msg":"lock acquired","identifier":"www.ex-nofity.top"}
Oct 09 02:11:35 Dev_Payment_111 caddy[18404]: {"level":"info","ts":1696817495.4866147,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"www.ex-nofity.top"}
Oct 09 02:11:35 Dev_Payment_111 caddy[18404]: {"level":"info","ts":1696817495.4937303,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["www.ex-nofity.top"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"chb123@gmail.com"}
Oct 09 02:11:35 Dev_Payment_111 caddy[18404]: {"level":"info","ts":1696817495.493765,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["www.ex-nofity.top"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"chb123@gmail.com"}
Oct 09 02:11:37 Dev_Payment_111 caddy[18404]: {"level":"info","ts":1696817497.6288013,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"www.ex-nofity.top","challenge_type":"http-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
Oct 09 02:11:49 Dev_Payment_111 caddy[18404]: {"level":"error","ts":1696817509.3985543,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"www.ex-nofity.top","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"211.123.75.228: Fetching http://www.ex-nofity.top/.well-known/acme-challenge/Yf0M-T8e-dF0soOLQxBXwElnEMqkl02hJBNUVvsf_Lc: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]}}
Oct 09 02:11:49 Dev_Payment_111 caddy[18404]: {"level":"error","ts":1696817509.3986027,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"www.ex-nofity.top","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"211.123.75.228: Fetching http://www.ex-nofity.top/.well-known/acme-challenge/Yf0M-T8e-dF0soOLQxBXwElnEMqkl02hJBNUVvsf_Lc: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1349812566/213802657336","attempt":1,"max_attempts":3}
Oct 09 02:11:51 Dev_Payment_111 caddy[18404]: {"level":"info","ts":1696817511.1904821,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"www.ex-nofity.top","challenge_type":"tls-alpn-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
Oct 09 02:12:02 Dev_Payment_111 caddy[18404]: {"level":"error","ts":1696817522.2106516,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"www.ex-nofity.top","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"211.123.75.228: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]}}
Oct 09 02:12:02 Dev_Payment_111 caddy[18404]: {"level":"error","ts":1696817522.2107036,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"www.ex-nofity.top","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"211.123.75.228: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1349812566/213802709246","attempt":2,"max_attempts":3}
Oct 09 02:12:02 Dev_Payment_111 caddy[18404]: {"level":"error","ts":1696817522.2107475,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"www.ex-nofity.top","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:connection - 211.123.75.228: Timeout during connect (likely firewall problem)"}
Oct 09 02:12:02 Dev_Payment_111 caddy[18404]: {"level":"info","ts":1696817522.3516479,"logger":"tls.issuance.zerossl","msg":"waiting on internal rate limiter","identifiers":["www.ex-nofity.top"],"ca":"https://acme.zerossl.com/v2/DV90","account":"chb123@gmail.com"}
Oct 09 02:12:02 Dev_Payment_111 caddy[18404]: {"level":"info","ts":1696817522.351804,"logger":"tls.issuance.zerossl","msg":"done waiting on internal rate limiter","identifiers":["www.ex-nofity.top"],"ca":"https://acme.zerossl.com/v2/DV90","account":"chb123@gmail.com"}
Oct 09 02:12:06 Dev_Payment_111 caddy[18404]: {"level":"info","ts":1696817526.396537,"logger":"tls.issuance.zerossl.acme_client","msg":"trying to solve challenge","identifier":"www.ex-nofity.top","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
Oct 09 02:12:20 Dev_Payment_111 caddy[18404]: {"level":"error","ts":1696817540.312028,"logger":"tls.issuance.zerossl.acme_client","msg":"challenge failed","identifier":"www.ex-nofity.top","challenge_type":"http-01","problem":{"type":"","title":"","detail":"","instance":"","subproblems":[]}}
Oct 09 02:12:20 Dev_Payment_111 caddy[18404]: {"level":"error","ts":1696817540.312073,"logger":"tls.issuance.zerossl.acme_client","msg":"validating authorization","identifier":"www.ex-nofity.top","problem":{"type":"","title":"","detail":"","instance":"","subproblems":[]},"order":"https://acme.zerossl.com/v2/DV90/order/GPCD7FAjoDQM8ZM5aQ41og","attempt":1,"max_attempts":3}
Oct 09 02:12:20 Dev_Payment_111 caddy[18404]: {"level":"error","ts":1696817540.312127,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"www.ex-nofity.top","issuer":"acme.zerossl.com-v2-DV90","error":"HTTP 0  - "}
Oct 09 02:12:20 Dev_Payment_111 caddy[18404]: {"level":"error","ts":1696817540.3121705,"logger":"tls.obtain","msg":"will retry","error":"[www.ex-nofity.top] Obtain: [www.ex-nofity.top] solving challenge: www.ex-nofity.top: [www.ex-nofity.top] authorization failed: HTTP 0  -  (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":44.825670399,"max_duration":2592000}

3. Caddy version:

[developer@Dev_Payment_111 caddy]$ caddy version
v2.7.4 h1:J8nisjdOxnYHXlorUKXY75Gr6iBfudfoGhrJ8t7/flI=
[developer@Dev_Payment_111 caddy]$ whereis caddy
caddy: /usr/bin/caddy /etc/caddy /usr/share/caddy /usr/share/man/man8/caddy.8.gz
[developer@Dev_Payment_111 caddy]$ pwd
/usr/share/caddy
[developer@Dev_Payment_111 caddy]$ tree
.
└── index.html
0 directories, 1 file

4. How I installed and ran Caddy:

a. System environment:

CentOS 7

b. Command:

yum install yum-plugin-copr
yum copr enable @caddy/caddy
yum install caddy

c. Service/unit/compose file:

caddy.service by yum

d. My complete Caddy config:

{
        email chb123@gmail.com
}

www.ex-notify.top:443

reverse_proxy localhost:9876

5. Links to relevant resources:

[developer@Dev_Payment_111 caddy]$ caddy version
v2.7.4 h1:J8nisjdOxnYHXlorUKXY75Gr6iBfudfoGhrJ8t7/flI=
[developer@Dev_Payment_111 caddy]$ whereis caddy
caddy: /usr/bin/caddy /etc/caddy /usr/share/caddy /usr/share/man/man8/caddy.8.gz
[developer@Dev_Payment_111 caddy]$ pwd
/usr/share/caddy
[developer@Dev_Payment_111 caddy]$ tree
.
└── index.html
0 directories, 1 file

Howdy @c_shsf, welcome to the Caddy community.

LetsEncrypt and ZeroSSL seem to disagree. As for me, I can’t resolve your domain name at all; I get NXDOMAIN.

# whois.nic.top

The queried object does not exist: ex-notify.top
>>> Last update of WHOIS database: 2023-10-09T05:47:15Z <<<

Did you redact your actual domain name without telling us that?

Both providers tried to connect but were not responded to. Is 211.123.75.228 the correct IP address to resolve?


Sorry, I didn’t tell you before that I had redacted the actual IP and domain name.

The following is the original problem (actual IP and domain name); please help to solve, thank you:

1. The problem I’m having:

  1. There is no problem with the DNS resolution of my domain name, and it can be resolved to my server correctly.

  2. Ports 80 and 443 are open and can be accessed from external networks.

  3. caddy works fine when just http is used in the caddyfile:

{
        email chenhongbao123@gmail.com
}

:80

reverse_proxy localhost:9876

  • After https is enabled, an error message is displayed, causing a certificate application failure.

2. Error messages and/or full log output:

Oct 10 04:09:23 Dev_Payment_229 caddy[3407]: {"level":"info","ts":1696910963.665144,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
Oct 10 04:09:23 Dev_Payment_229 caddy[3407]: {"level":"info","ts":1696910963.6651504,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["dev.pay-notify.top"]}
Oct 10 04:09:23 Dev_Payment_229 caddy[3407]: {"level":"info","ts":1696910963.6653965,"msg":"autosaved config (load with --resume flag)","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Oct 10 04:09:23 Dev_Payment_229 caddy[3407]: {"level":"info","ts":1696910963.6654449,"msg":"serving initial configuration"}
Oct 10 04:09:23 Dev_Payment_229 caddy[3407]: {"level":"info","ts":1696910963.6655912,"logger":"tls.obtain","msg":"acquiring lock","identifier":"dev.pay-notify.top"}
Oct 10 04:09:23 Dev_Payment_229 caddy[3407]: {"level":"info","ts":1696910963.7016592,"logger":"tls.obtain","msg":"lock acquired","identifier":"dev.pay-notify.top"}
Oct 10 04:09:23 Dev_Payment_229 caddy[3407]: {"level":"info","ts":1696910963.7018092,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"dev.pay-notify.top"}
Oct 10 04:09:23 Dev_Payment_229 caddy[3407]: {"level":"info","ts":1696910963.7201042,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["dev.pay-notify.top"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"chenhongbao123@gmail.com"}
Oct 10 04:09:23 Dev_Payment_229 caddy[3407]: {"level":"info","ts":1696910963.7201352,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["dev.pay-notify.top"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"chenhongbao123@gmail.com"}
Oct 10 04:09:26 Dev_Payment_229 caddy[3407]: {"level":"info","ts":1696910966.13871,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"dev.pay-notify.top","challenge_type":"tls-alpn-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
Oct 10 04:09:37 Dev_Payment_229 caddy[3407]: {"level":"error","ts":1696910977.978809,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"dev.pay-notify.top","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"211.100.75.229: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]}}
Oct 10 04:09:37 Dev_Payment_229 caddy[3407]: {"level":"error","ts":1696910977.978896,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"dev.pay-notify.top","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"211.100.75.229: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1349812566/214047115356","attempt":1,"max_attempts":3}
Oct 10 04:09:40 Dev_Payment_229 caddy[3407]: {"level":"info","ts":1696910980.1473274,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"dev.pay-notify.top","challenge_type":"http-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
Oct 10 04:09:52 Dev_Payment_229 caddy[3407]: {"level":"error","ts":1696910992.5611007,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"dev.pay-notify.top","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"211.100.75.229: Fetching http://dev.pay-notify.top/.well-known/acme-challenge/42_BIAcl_8C1hGYxYM-h7TMKv8AyFNJcWtyTGU5ni28: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]}}
Oct 10 04:09:52 Dev_Payment_229 caddy[3407]: {"level":"error","ts":1696910992.561159,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"dev.pay-notify.top","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"211.100.75.229: Fetching http://dev.pay-notify.top/.well-known/acme-challenge/42_BIAcl_8C1hGYxYM-h7TMKv8AyFNJcWtyTGU5ni28: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1349812566/214047148396","attempt":2,"max_attempts":3}
Oct 10 04:09:52 Dev_Payment_229 caddy[3407]: {"level":"error","ts":1696910992.5611873,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"dev.pay-notify.top","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:connection - 211.100.75.229: Fetching http://dev.pay-notify.top/.well-known/acme-challenge/42_BIAcl_8C1hGYxYM-h7TMKv8AyFNJcWtyTGU5ni28: Timeout during connect (likely firewall problem)"}
Oct 10 04:09:52 Dev_Payment_229 caddy[3407]: {"level":"info","ts":1696910992.5726748,"logger":"tls.issuance.zerossl","msg":"waiting on internal rate limiter","identifiers":["dev.pay-notify.top"],"ca":"https://acme.zerossl.com/v2/DV90","account":"chenhongbao123@gmail.com"}
Oct 10 04:09:52 Dev_Payment_229 caddy[3407]: {"level":"info","ts":1696910992.5726914,"logger":"tls.issuance.zerossl","msg":"done waiting on internal rate limiter","identifiers":["dev.pay-notify.top"],"ca":"https://acme.zerossl.com/v2/DV90","account":"chenhongbao123@gmail.com"}
Oct 10 04:09:56 Dev_Payment_229 caddy[3407]: {"level":"info","ts":1696910996.4290123,"logger":"tls.issuance.zerossl.acme_client","msg":"trying to solve challenge","identifier":"dev.pay-notify.top","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
Oct 10 04:10:09 Dev_Payment_229 caddy[3407]: {"level":"error","ts":1696911009.804883,"logger":"tls.issuance.zerossl.acme_client","msg":"challenge failed","identifier":"dev.pay-notify.top","challenge_type":"http-01","problem":{"type":"","title":"","detail":"","instance":"","subproblems":[]}}
Oct 10 04:10:09 Dev_Payment_229 caddy[3407]: {"level":"error","ts":1696911009.804925,"logger":"tls.issuance.zerossl.acme_client","msg":"validating authorization","identifier":"dev.pay-notify.top","problem":{"type":"","title":"","detail":"","instance":"","subproblems":[]},"order":"https://acme.zerossl.com/v2/DV90/order/w7ioTwtxlG7QEco6kcavdw","attempt":1,"max_attempts":3}
Oct 10 04:10:09 Dev_Payment_229 caddy[3407]: {"level":"error","ts":1696911009.8049486,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"dev.pay-notify.top","issuer":"acme.zerossl.com-v2-DV90","error":"HTTP 0  - "}
Oct 10 04:10:09 Dev_Payment_229 caddy[3407]: {"level":"error","ts":1696911009.8049858,"logger":"tls.obtain","msg":"will retry","error":"[dev.pay-notify.top] Obtain: [dev.pay-notify.top] solving challenge: dev.pay-notify.top: [dev.pay-notify.top] authorization failed: HTTP 0  -  (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":46.103308888,"max_duration":2592000}

3. Caddy version:

[developer@Dev_Payment_111 caddy]$ caddy version
v2.7.4 h1:J8nisjdOxnYHXlorUKXY75Gr6iBfudfoGhrJ8t7/flI=
[developer@Dev_Payment_111 caddy]$ whereis caddy
caddy: /usr/bin/caddy /etc/caddy /usr/share/caddy /usr/share/man/man8/caddy.8.gz
[developer@Dev_Payment_111 caddy]$ pwd
/usr/share/caddy
[developer@Dev_Payment_111 caddy]$ tree
.
└── index.html
0 directories, 1 file

4. How I installed and ran Caddy:

a. System environment:

CentOS 7

b. Command:

yum install yum-plugin-copr
yum copr enable @caddy/caddy
yum install caddy

c. Service/unit/compose file:

caddy.service by yum

[developer@Dev_Payment_229 ~]$ cat /usr/lib/systemd/system/caddy.service
# caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddy config:

{
        email chenhongbao123@gmail.com
}

dev.pay-notify.top:443

reverse_proxy localhost:9876

5. Links to relevant resources:

[developer@Dev_Payment_229 caddy]$ caddy version
v2.7.4 h1:J8nisjdOxnYHXlorUKXY75Gr6iBfudfoGhrJ8t7/flI=
[developer@Dev_Payment_229 caddy]$ whereis caddy
caddy: /usr/bin/caddy /etc/caddy /usr/share/caddy /usr/share/man/man8/caddy.8.gz
[developer@Dev_Payment_229 caddy]$ pwd
/usr/share/caddy
[developer@Dev_Payment_229 caddy]$ tree
.
└── index.html
0 directories, 1 file
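
The two log dumps in this thread end the same way: every challenge reports urn:ietf:params:acme:error:connection with "Timeout during connect", and ZeroSSL hands back an empty problem document ("HTTP 0 - "). The following is an added example, not code from the thread or from the Caddy project, that reads journald-wrapped Caddy JSON log lines, groups "challenge failed" records by identifier and challenge type, counts "served key authentication" records (the signal that a CA validator actually reached Caddy), and turns that into a verdict. The embedded log lines are constructed samples modelled on the format above; dev.example.test and the 203.0.113.x / 198.51.100.x addresses are placeholders.

```python
"""Summarize ACME challenge outcomes from Caddy's journald-wrapped JSON logs."""
import json
from collections import Counter, defaultdict

# Constructed samples modelled on Caddy 2.7 output (placeholder host and IPs).
# FAILING_LOG: both challenge types time out at Let's Encrypt, then ZeroSSL
# returns no problem document at all. No validator ever reached the server.
FAILING_LOG = """\
Oct 10 04:09:26 host caddy[3407]: {"level":"info","ts":1696910966.1,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"dev.example.test","challenge_type":"tls-alpn-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
Oct 10 04:09:37 host caddy[3407]: {"level":"error","ts":1696910977.9,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"dev.example.test","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"203.0.113.10: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]}}
Oct 10 04:09:52 host caddy[3407]: {"level":"error","ts":1696910992.5,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"dev.example.test","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"203.0.113.10: Fetching http://dev.example.test/.well-known/acme-challenge/TOKEN: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]}}
Oct 10 04:10:09 host caddy[3407]: {"level":"error","ts":1696911009.8,"logger":"tls.issuance.zerossl.acme_client","msg":"challenge failed","identifier":"dev.example.test","challenge_type":"http-01","problem":{"type":"","title":"","detail":"","instance":"","subproblems":[]}}
"""
# FIXED_LOG: after the firewall change, validators fetch the key authorization.
FIXED_LOG = """\
Oct 10 06:50:08 host caddy[4444]: {"level":"info","ts":1696920608.5,"logger":"tls.issuance.acme","msg":"served key authentication","identifier":"dev.example.test","challenge":"http-01","remote":"198.51.100.7:51672","distributed":false}
Oct 10 06:50:08 host caddy[4444]: {"level":"info","ts":1696920608.6,"logger":"tls.issuance.acme","msg":"served key authentication","identifier":"dev.example.test","challenge":"http-01","remote":"198.51.100.9:18484","distributed":false}
Oct 10 06:50:10 host caddy[4444]: {"level":"info","ts":1696920610.3,"logger":"tls.issuance.acme.acme_client","msg":"authorization finalized","identifier":"dev.example.test","authz_status":"valid"}
"""

CONNECTION_ERROR = "urn:ietf:params:acme:error:connection"


def parse_caddy_line(line):
    """Drop the journald prefix ('Oct 10 ... caddy[pid]: ') and decode the JSON payload."""
    start = line.find("{")
    if start == -1:
        return None
    try:
        return json.loads(line[start:])
    except json.JSONDecodeError:
        return None


def issuer_from_logger(logger):
    """'tls.issuance.acme.acme_client' -> 'acme', 'tls.issuance.zerossl.acme_client' -> 'zerossl'."""
    parts = logger.split(".")
    if len(parts) > 2 and parts[:2] == ["tls", "issuance"]:
        return parts[2]
    return logger


def summarize_acme(lines):
    """Return (failures, served).

    failures: (identifier, challenge_type) -> [(issuer, problem_type, detail), ...]
    served:   (identifier, challenge_type) -> number of validator fetches Caddy answered
    """
    failures = defaultdict(list)
    served = Counter()
    for line in lines:
        rec = parse_caddy_line(line)
        if rec is None:
            continue
        msg = rec.get("msg")
        if msg == "challenge failed":
            problem = rec.get("problem") or {}
            key = (rec.get("identifier"), rec.get("challenge_type"))
            failures[key].append((
                issuer_from_logger(rec.get("logger", "")),
                problem.get("type") or "no problem document returned",
                problem.get("detail", ""),
            ))
        elif msg == "served key authentication":
            served[(rec.get("identifier"), rec.get("challenge"))] += 1
    return dict(failures), served


def diagnose(failures, served):
    """One verdict per identifier: connection errors with zero served fetches
    mean the validators never reached port 80/443, which is a network problem
    in front of Caddy rather than a Caddyfile problem."""
    by_ident = defaultdict(list)
    for (ident, ctype), entries in failures.items():
        by_ident[ident].extend((ctype, ptype) for _, ptype, _ in entries)
    verdicts = {}
    for ident, entries in by_ident.items():
        conn_types = sorted({ctype for ctype, ptype in entries if ptype == CONNECTION_ERROR})
        reached = sum(n for (i, _), n in served.items() if i == ident)
        if conn_types and reached == 0:
            verdicts[ident] = ("inbound blocked: CA validators timed out on " + ", ".join(conn_types)
                               + "; verify that TCP 80 and 443 from the public internet reach this host "
                               "(firewall, NAT, security group). Caddy's own config is not the cause.")
        elif conn_types:
            verdicts[ident] = "intermittent: some validator fetches were served, others timed out; check source-based filtering"
        else:
            verdicts[ident] = "non-connectivity failure: " + "; ".join(sorted({p for _, p in entries}))
    return verdicts


if __name__ == "__main__":
    for label, log in (("before", FAILING_LOG), ("after", FIXED_LOG)):
        f, s = summarize_acme(log.splitlines())
        print(label, "failures:", {k: len(v) for k, v in f.items()}, "served:", dict(s))
        print(label, "verdict:", diagnose(f, s) or "no challenge failures")
```

Feed it the real thing with `journalctl -u caddy --no-pager | python3 acme_summary.py` after replacing the embedded samples with `sys.stdin`; the point of the "served key authentication" counter is that it is the one line that proves traffic from the CA arrived, and it is absent from every failing run in this thread.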

Try adding

tls internal

to your Caddyfile. This will allow Caddy to start up and run with a self-signed certificate rather than relying on an external service. It won’t produce valid certificates, but this is just to troubleshoot.

Then, start Caddy and make a local HTTPS request to check that it’s running and accessible:

curl -kv --resolve dev.pay-notify.top:443:127.0.0.1 https://dev.pay-notify.top

Also run a remote HTTPS request:

curl -kv https://dev.pay-notify.top

Let us know what results you get back.

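The local and remote curl checks above test two different things: whether Caddy is listening at all, and whether the path from the internet to port 443 is open. As an added example, not from the thread or the Caddy project, here is a Python probe that does the TCP-level part of that check for both ports an ACME validator uses (80 for HTTP-01, 443 for TLS-ALPN-01) and labels the failure mode, since "timed out" and "connection refused" point at different culprits. The hostname dev.example.test in the usage line is a placeholder; the built-in self-check uses only a loopback listener.

```python
"""TCP reachability probe for the two ports an ACME validator must reach."""
import socket
from dataclasses import dataclass

# What each outcome means when seen from a host OUTSIDE the server's network.
ADVICE = {
    "open": "TCP handshake completed; the port is reachable from this vantage point",
    "refused": "host answered with RST: reachable, but nothing is listening (Caddy down or bound elsewhere)",
    "timeout": "no SYN-ACK within the timeout: packets are being dropped, typically a firewall or security group",
    "dns-failure": "name did not resolve: fix the A/AAAA record before looking at anything else",
    "unreachable": "no route / ICMP unreachable: network path problem rather than the host",
    "unknown": "unexpected error; inspect manually",
}


@dataclass
class PortCheck:
    host: str
    port: int
    status: str
    advice: str


def classify_error(exc):
    """Map a connect() exception to one of the ADVICE keys. Order matters:
    every class here except TimeoutError derives from OSError."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    if isinstance(exc, ConnectionRefusedError):
        return "refused"
    if isinstance(exc, socket.gaierror):
        return "dns-failure"
    if isinstance(exc, OSError):
        return "unreachable"
    return "unknown"


def check_port(host, port, timeout=5.0):
    """Attempt a TCP connection and classify the result; no data is sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            status = "open"
    except OSError as exc:
        status = classify_error(exc)
    return PortCheck(host, port, status, ADVICE[status])


def check_acme_ports(host, timeout=5.0):
    """Both ports matter: Caddy falls back from HTTP-01 to TLS-ALPN-01 and back."""
    return [check_port(host, 80, timeout), check_port(host, 443, timeout)]


def demo_loopback():
    """Offline self-check: 'open' against a listening loopback socket, then
    'refused' against the same port once the listener is closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        first = check_port("127.0.0.1", port, timeout=2.0).status
    finally:
        listener.close()
    second = check_port("127.0.0.1", port, timeout=2.0).status
    return first, second


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "dev.example.test"  # placeholder host
    for result in check_acme_ports(target):
        print(f"{result.host}:{result.port:<4} {result.status:<12} {result.advice}")
```

Run it from a machine outside the server's own network: from the server itself or from another host on the same intranet, an "open" result proves nothing about inbound reachability, which is exactly the trap this thread falls into, and a "timeout" rather than a "refused" is what tells you to look at the firewall rather than at Caddy.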

Results are as follows:

caddyfile:

[developer@Dev_Payment_229 caddy]$ cat Caddyfile
{
        email chenhongbao123@gmail.com
}

dev.pay-notify.top:443

tls internal

reverse_proxy localhost:9876

log:

● caddy.service - Caddy
   Loaded: loaded (/usr/lib/systemd/system/caddy.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2023-10-10 05:37:16 GMT; 56s ago
     Docs: https://caddyserver.com/docs/
 Main PID: 12675 (caddy)
    Tasks: 9
   Memory: 17.6M
   CGroup: /system.slice/caddy.service
           └─12675 /usr/bin/caddy run --environ --config /etc/caddy/Caddyfile

Oct 10 05:37:16 Dev_Payment_229 caddy[12675]: {"level":"info","ts":1696916236.1672547,"logger":"tls","msg":"finished cleaning storage units"}
Oct 10 05:37:16 Dev_Payment_229 systemd[1]: Started Caddy.
Oct 10 05:37:16 Dev_Payment_229 caddy[12675]: {"level":"info","ts":1696916236.1675098,"msg":"autosaved config (load with --resume flag)","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Oct 10 05:37:16 Dev_Payment_229 caddy[12675]: {"level":"info","ts":1696916236.1675632,"msg":"serving initial configuration"}
Oct 10 05:37:16 Dev_Payment_229 caddy[12675]: {"level":"info","ts":1696916236.167621,"logger":"tls.obtain","msg":"acquiring lock","identifier":"dev.pay-notify.top"}
Oct 10 05:37:16 Dev_Payment_229 caddy[12675]: {"level":"info","ts":1696916236.180097,"logger":"tls.obtain","msg":"lock acquired","identifier":"dev.pay-notify.top"}
Oct 10 05:37:16 Dev_Payment_229 caddy[12675]: {"level":"info","ts":1696916236.1801713,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"dev.pay-notify.top"}
Oct 10 05:37:16 Dev_Payment_229 caddy[12675]: {"level":"info","ts":1696916236.1979399,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"dev.pay-notify.top"}
Oct 10 05:37:16 Dev_Payment_229 caddy[12675]: {"level":"info","ts":1696916236.1980238,"logger":"tls.obtain","msg":"releasing lock","identifier":"dev.pay-notify.top"}
Oct 10 05:37:16 Dev_Payment_229 caddy[12675]: {"level":"warn","ts":1696916236.198339,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [dev.pay-notify.top]: no OCSP server specified in certificate","identifiers":["dev.pay-notify.top"]}

the local HTTPS request:

[developer@Dev_Payment_229 caddy]$ curl -kv --resolve dev.pay-notify.top:443:127.0.0.1 https://dev.pay-notify.top
* Added dev.pay-notify.top:443:127.0.0.1 to DNS cache
* Hostname dev.pay-notify.top was found in DNS cache
*   Trying 127.0.0.1:443...
* Connected to dev.pay-notify.top (127.0.0.1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*  CAfile: none
*  CApath: none
* loaded libnssckbi.so
* ALPN: offers h2,http/1.1
* skipping SSL peer certificate verification
* ALPN: server accepted h2
* Server certificate:
* subject: (nil)
*  start date: Oct 10 05:37:16 2023 GMT
*  expire date: Oct 10 17:37:16 2023 GMT
*  common name: (nil)
*  issuer: CN=Caddy Local Authority - ECC Intermediate
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /]
* h2h3 [:scheme: https]
* h2h3 [:authority: dev.pay-notify.top]
* h2h3 [user-agent: curl/8.0.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0xbafb40)
> GET / HTTP/2
> Host: dev.pay-notify.top
> user-agent: curl/8.0.1
> accept: */*
>
< HTTP/2 403
< alt-svc: h3=":443"; ma=2592000
< content-type: application/json
< date: Tue, 10 Oct 2023 05:39:11 GMT
< server: Caddy
< vary: Origin
< vary: Access-Control-Request-Method
< vary: Access-Control-Request-Headers
<
* Connection #0 to host dev.pay-notify.top left intact

remote HTTPS request:

[developer@208_K8S_Jenkins ~]$ curl -kv https://dev.pay-notify.top
* About to connect() to dev.pay-notify.top port 443 (#0)
*   Trying 211.100.75.229...
* Connected to dev.pay-notify.top (211.100.75.229) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: (nil)
*       start date: Oct 10 05:37:16 2023 GMT
*       expire date: Oct 10 17:37:16 2023 GMT
*       common name: (nil)
*       issuer: CN=Caddy Local Authority - ECC Intermediate
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: dev.pay-notify.top
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Alt-Svc: h3=":443"; ma=2592000
< Content-Type: application/json
< Date: Tue, 10 Oct 2023 05:44:30 GMT
< Server: Caddy
< Vary: Origin
< Vary: Access-Control-Request-Method
< Vary: Access-Control-Request-Headers
< Transfer-Encoding: chunked
<
* Connection #0 to host dev.pay-notify.top left intact

Both of these look pretty good, actually, exactly what I’d expect.

Is your Caddy instance still running following these tests? I tried to curl your server just now, but timed out trying to connect.

If you did stop Caddy afterwards, can you put it back up and run curl -kv https://dev.pay-notify.top again, but from another host across the internet? (Or let me know when it’s up and I’ll try to connect from here?)

I have not stopped caddy service since the last reply.

remote HTTPS request:

[mli@DFHSproxy ~]$ curl -kv https://dev.pay-notify.top
* About to connect() to dev.pay-notify.top port 443 (#0)
*   Trying 211.100.75.229... connected
* Connected to dev.pay-notify.top (211.100.75.229) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: (nil)
*       start date: Oct 10 05:37:16 2023 GMT
*       expire date: Oct 10 17:37:16 2023 GMT
*       common name: (nil)
*       issuer: CN=Caddy Local Authority - ECC Intermediate
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: dev.pay-notify.top
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Alt-Svc: h3=":443"; ma=2592000
< Content-Type: application/json
< Date: Tue, 10 Oct 2023 06:19:44 GMT
< Server: Caddy
< Vary: Origin
< Vary: Access-Control-Request-Method
< Vary: Access-Control-Request-Headers
< Transfer-Encoding: chunked
<
* Connection #0 to host dev.pay-notify.top left intact
* Closing connection #0
{"code":210403,"message":"Forbidden "}[mli@DFHSproxy ~]$

My server is in China. Could that be the reason?

But I successfully implemented automatic https using caddy on this machine 2 years ago.

I suppose that it could be. I do not know where the LetsEncrypt and ZeroSSL servers are physically located, off the top of my head, but if they’re experiencing the same lack of connectivity to your server as I am, it would explain why they can’t validate.

I gave it another go just to check, and on a VPS, and got timeouts on both.

~
❯ curl -kv https://dev.pay-notify.top
*   Trying 211.100.75.229:443...
* connect to 211.100.75.229 port 443 failed: Operation timed out
* Failed to connect to dev.pay-notify.top port 443 after 76281 ms: Couldn't connect to server
* Closing connection
curl: (28) Failed to connect to dev.pay-notify.top port 443 after 76281 ms: Couldn't connect to server
whitestrake in ~ at kairos is 🐳 v24.0.6
➜ curl -kv https://dev.pay-notify.top
*   Trying 211.100.75.229:443...
* TCP_NODELAY set
* connect to 211.100.75.229 port 443 failed: Connection timed out
* Failed to connect to dev.pay-notify.top port 443: Connection timed out
* Closing connection 0
curl: (28) Failed to connect to dev.pay-notify.top port 443: Connection timed out

Your last recourse may be configuring DNS validation instead of HTTP or TLS-ALPN.

All of our corporate networks are probably configured with intranets. I will confirm the firewall problem with operation and maintenance again.

*   Trying 211.100.75.229:443...
* connect to 211.100.75.229 port 443 failed: Connection refused
* Failed to connect to dev.pay-notify.top port 443: Connection refused
* Closing connection 0
curl: (7) Failed to connect to dev.pay-notify.top port 443: Connection refused

Actually, it occurs to me that if the issue was geographical / political, the connectivity issue would probably be bi-directional.

The fact that Caddy is able to reach out to LetsEncrypt and ZeroSSL to request the challenge in the first place (and retrieve error responses when the challenges fail) indicates to me that it’s more likely a misconfigured firewall at a level more localized than that.


It is indeed a misconfigured firewall at the localization level.

Automatic HTTPS now works properly, thank you.

[developer@Dev_Payment_229 caddy]$ cat Caddyfile
{
        email chenhongbao123@gmail.com
}

dev.pay-notify.top:443

# tls internal

reverse_proxy localhost:9876
[developer@Dev_Payment_229 caddy]$ sudo systemctl status  caddy -l
● caddy.service - Caddy
   Loaded: loaded (/usr/lib/systemd/system/caddy.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2023-10-10 06:50:05 GMT; 2min 32s ago
     Docs: https://caddyserver.com/docs/
 Main PID: 4444 (caddy)
    Tasks: 9
   Memory: 18.5M
   CGroup: /system.slice/caddy.service
           └─4444 /usr/bin/caddy run --environ --config /etc/caddy/Caddyfile

Oct 10 06:50:05 Dev_Payment_229 caddy[4444]: {"level":"info","ts":1696920605.2188413,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["dev.pay-notify.top"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"chenhongbao123@gmail.com"}
Oct 10 06:50:07 Dev_Payment_229 caddy[4444]: {"level":"info","ts":1696920607.2686102,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"dev.pay-notify.top","challenge_type":"http-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
Oct 10 06:50:08 Dev_Payment_229 caddy[4444]: {"level":"info","ts":1696920608.501761,"logger":"tls.issuance.acme","msg":"served key authentication","identifier":"dev.pay-notify.top","challenge":"http-01","remote":"18.191.141.144:51672","distributed":false}
Oct 10 06:50:08 Dev_Payment_229 caddy[4444]: {"level":"info","ts":1696920608.5756266,"logger":"tls.issuance.acme","msg":"served key authentication","identifier":"dev.pay-notify.top","challenge":"http-01","remote":"23.178.112.209:18484","distributed":false}
Oct 10 06:50:08 Dev_Payment_229 caddy[4444]: {"level":"info","ts":1696920608.5823407,"logger":"tls.issuance.acme","msg":"served key authentication","identifier":"dev.pay-notify.top","challenge":"http-01","remote":"54.213.139.231:20140","distributed":false}
Oct 10 06:50:10 Dev_Payment_229 caddy[4444]: {"level":"info","ts":1696920610.3428059,"logger":"tls.issuance.acme.acme_client","msg":"authorization finalized","identifier":"dev.pay-notify.top","authz_status":"valid"}
Oct 10 06:50:10 Dev_Payment_229 caddy[4444]: {"level":"info","ts":1696920610.3428373,"logger":"tls.issuance.acme.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme-v02.api.letsencrypt.org/acme/order/1349812566/214072643836"}
Oct 10 06:50:12 Dev_Payment_229 caddy[4444]: {"level":"info","ts":1696920612.4074175,"logger":"tls.issuance.acme.acme_client","msg":"successfully downloaded available certificate chains","count":2,"first_url":"https://acme-v02.api.letsencrypt.org/acme/cert/04cadce07341aba67a752d59aa9086bb555d"}
Oct 10 06:50:12 Dev_Payment_229 caddy[4444]: {"level":"info","ts":1696920612.407792,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"dev.pay-notify.top"}
Oct 10 06:50:12 Dev_Payment_229 caddy[4444]: {"level":"info","ts":1696920612.4078882,"logger":"tls.obtain","msg":"releasing lock","identifier":"dev.pay-notify.top"}