Caddy and Netlify DNS

1. Output of caddy version:

v2.5.2 h1:eCJdLyEyAGzuQTa5Mh3gETnYWDClo1LjtQm2q9RNZrs=

2. How I run Caddy:

I use a systemd file with the Netlify API key in there. This worked just fine with Cloudflare so I’m assuming I have a syntax error in my Caddyfile.

a. System environment:

Raspberry Pi Raspbian
Linux uptime 5.18.19-200.fc36.armv7hl #1 SMP Sun Aug 21 16:47:15 UTC 2022 armv7l armv7l armv7l GNU/Linux

b. Command:

/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile

c. Service/unit/compose file:


ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force


d. My complete Caddy config: {
        encode zstd gzip
        respond OK
	tls {
		dns netlify personal_access_token={env.NETLIFY_API_TOKEN}
	log {
		output file /var/log/caddy/

3. The problem I’m having:

4. Error messages and/or full log output:

2022/08/27 12:43:34.390	ERROR	tls.obtain	could not get certificate from issuer	{"identifier": "", "issuer": "", "error": "[] solving challenges: presenting for challenge: adding temporary record for zone got error status: HTTP 401:  (order= (ca="}

5. What I already tried:

I feel like this is a syntax error but, there’s not a lot of documentation or examples I can find anywhere

6. Links to relevant resources:

Try this instead:

dns netlify {env.NETLIFY_API_TOKEN}

I tried that which did not change anything.

And you do have NETLIFY_API_TOKEN set in your systemd conf? You did an override like this? Keep Caddy Running — Caddy Documentation

Yeah. It’s set. I made sure to check the variables.

I tried pulling the variable directly into the Caddyfile itself and it’s failing with a different timeout error:

2022/08/27 17:37:00.746	ERROR	tls.obtain	could not get certificate from issuer	{"identifier": "", "issuer": "", "error": "[] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order= (ca="}

This is an odd one.

If you got that far, then it means you fixed the previous issue.

This is Caddy doing a check to make sure that it can see that the DNS TXT record was actually written, by doing DNS queries itself until it can see it.

First, make sure that you actually do see the TXT record on your Netlify dashboard. If it is there, then read the rest below. If not, then you still have a problem with the DNS plugin, and you might need to ask for help on the github issues for that plugin.

This propagation check is an optional sanity check that Caddy is doing. But lately, we’ve noticed that it seems to cause more trouble than it solves :man_shrugging: we’re considering removing it.

You can turn it off in your config although it’s a bit annoying to do:

	tls {
		issuer acme {
			dns netlify {env.NETLIFY_API_TOKEN}
			propagation_timeout -1
		issuer zerossl {
			dns netlify {env.NETLIFY_API_TOKEN}
			propagation_timeout -1

Unfortunately, it needs to be done the long way like this to retain the Let’s Encrypt + ZeroSSL issuer fallback functionality, because the Caddyfile adapter doesn’t support propagation_timeout at the top-level of the tls directive right now. We might add that later. TBD.

1 Like

I asked the same question in the Netlify forums and learned that basically, what I’m trying to do won’t work because of Netlify: Caddy and Netlify DNS - Support - Netlify Support Forums

I’m going to figure out a solid DDNS provider and run with that on a new domain or something.

What they said there makes no sense. I don’t think they understand how ACME works. I think they’re assuming you’re using a Netlify’s API to have a cert issued by Netlify and not by Let’s Encrypt or ZeroSSL.


For posterity, once I got a working dynamic dns record updating, getting a cert issued by Caddy was easy. At this point, I’m assuming I was auth’d to Netlify but, wasn’t able to update existing records for some reason.

The dynamic dns tool is handling the DNS bits and this is my Caddyfile now: {
	respond OK 200
	encode gzip zstd
	log {
		output file /var/log/caddy/
1 Like

This topic was automatically closed after 30 days. New replies are no longer allowed.