2022/08/27 12:43:34.390 ERROR tls.obtain could not get certificate from issuer {"identifier": "casa.chrisshort.net", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[casa.chrisshort.net] solving challenges: presenting for challenge: adding temporary record for zone chrisshort.net.: got error status: HTTP 401: (order=https://acme-v02.api.letsencrypt.org/acme/order/703769617/120031532197) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
5. What I already tried:
I feel like this is a syntax error, but there's not a lot of documentation or examples I can find anywhere.
Yeah. It’s set. I made sure to check the variables.
I tried pulling the variable directly into the Caddyfile itself, and it's failing with a different timeout error:
2022/08/27 17:37:00.746 ERROR tls.obtain could not get certificate from issuer {"identifier": "casa.chrisshort.net", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[casa.chrisshort.net] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-v02.api.letsencrypt.org/acme/order/703769617/120090285237) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
If you got that far, then it means you fixed the previous issue.
This is Caddy doing a check to make sure that it can see that the DNS TXT record was actually written, by doing DNS queries itself until it can see it.
First, make sure that you actually do see the TXT record on your Netlify dashboard. If it is there, then read the rest below. If not, then you still have a problem with the DNS plugin, and you might need to ask for help on the GitHub issues for that plugin.
This propagation check is an optional sanity check that Caddy is doing. But lately, we've noticed that it seems to cause more trouble than it solves; we're considering removing it.
You can turn it off in your config, although it's a bit annoying to do:
Unfortunately, it needs to be done the long way like this to retain the Let’s Encrypt + ZeroSSL issuer fallback functionality, because the Caddyfile adapter doesn’t support propagation_timeout at the top-level of the tls directive right now. We might add that later. TBD.
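As an added illustration of the "long way" described in that reply (this is not the config posted in the thread, nor Caddy's own documentation), here is what such a Caddyfile looks like. Because naming an `issuer` explicitly replaces Caddy's default issuer list, both the Let's Encrypt (`acme`) and `zerossl` issuers are spelled out so the fallback survives, and `propagation_timeout` sits inside each issuer block rather than at the top of `tls`. Assumptions: the environment variable name `NETLIFY_API_TOKEN`, that `-1` disables the propagation check in the Caddy version being run, and the `respond` handler, which is only a placeholder for whatever the site actually serves.

```caddyfile
casa.chrisshort.net {
	# Long-form tls: listing issuers explicitly replaces the default
	# Let's Encrypt + ZeroSSL pair, so both are written out here to keep
	# the fallback the thread talks about.
	tls {
		issuer acme {
			# Netlify DNS provider module (github.com/caddy-dns/netlify).
			# NETLIFY_API_TOKEN is an assumed environment variable name.
			dns netlify {env.NETLIFY_API_TOKEN}
			# Skip Caddy's own "can I see the TXT record yet" check.
			# Assumed: -1 means "disabled" in the Caddy version in use.
			propagation_timeout -1
		}
		issuer zerossl {
			dns netlify {env.NETLIFY_API_TOKEN}
			propagation_timeout -1
		}
	}

	# Placeholder handler; the real site config is not part of this example.
	respond "ok"
}
```

Turning the check off only removes Caddy's local verification step; the CA still has to resolve `_acme-challenge.casa.chrisshort.net` itself, so if the provider module never writes the record the order will still fail, just with the CA's error instead of the `timed out waiting for record to fully propagate` message.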
What they said there makes no sense. I don't think they understand how ACME works. I think they're assuming you're using Netlify's API to have a cert issued by Netlify and not by Let's Encrypt or ZeroSSL.
For posterity, once I got a working dynamic DNS record updating, getting a cert issued by Caddy was easy. At this point, I'm assuming I was auth'd to Netlify but wasn't able to update existing records for some reason.
The dynamic DNS tool is handling the DNS bits, and this is my Caddyfile now: