Caddy and Netlify DNS

1. Output of caddy version:

v2.5.2 h1:eCJdLyEyAGzuQTa5Mh3gETnYWDClo1LjtQm2q9RNZrs=

2. How I run Caddy:

I use a systemd file with the Netlify API key in there. This worked just fine with Cloudflare, so I’m assuming I have a syntax error in my Caddyfile.

a. System environment:

Raspberry Pi Raspbian
Linux uptime 5.18.19-200.fc36.armv7hl #1 SMP Sun Aug 21 16:47:15 UTC 2022 armv7l armv7l armv7l GNU/Linux
systemd

b. Command:

/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile

c. Service/unit/compose file:

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE
Environment="NETLIFY_API_TOKEN=REDACTED"

[Install]
WantedBy=multi-user.target

d. My complete Caddy config:

casa.chrisshort.net {
	encode zstd gzip
	respond OK
	tls chris@chrisshort.net {
		dns netlify personal_access_token={env.NETLIFY_API_TOKEN}
	}
	log {
		output file /var/log/caddy/casa.chrisshort.net-access.log
	}
}

3. The problem I’m having:

4. Error messages and/or full log output:

2022/08/27 12:43:34.390	ERROR	tls.obtain	could not get certificate from issuer	{"identifier": "casa.chrisshort.net", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[casa.chrisshort.net] solving challenges: presenting for challenge: adding temporary record for zone chrisshort.net.: got error status: HTTP 401:  (order=https://acme-v02.api.letsencrypt.org/acme/order/703769617/120031532197) (ca=https://acme-v02.api.letsencrypt.org/directory)"}

5. What I already tried:

I feel like this is a syntax error, but there’s not a lot of documentation or examples I can find anywhere.

6. Links to relevant resources:

Try this instead:

dns netlify {env.NETLIFY_API_TOKEN}

I tried that which did not change anything.

And you do have NETLIFY_API_TOKEN set in your systemd conf? You did an override like this? Keep Caddy Running — Caddy Documentation

Yeah. It’s set. I made sure to check the variables.

I tried pulling the variable directly into the Caddyfile itself and it’s failing with a different timeout error:

2022/08/27 17:37:00.746	ERROR	tls.obtain	could not get certificate from issuer	{"identifier": "casa.chrisshort.net", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[casa.chrisshort.net] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-v02.api.letsencrypt.org/acme/order/703769617/120090285237) (ca=https://acme-v02.api.letsencrypt.org/directory)"}

This is an odd one.

If you got that far, then it means you fixed the previous issue.

This is Caddy doing a check to make sure that it can see that the DNS TXT record was actually written, by doing DNS queries itself until it can see it.

First, make sure that you actually do see the TXT record on your Netlify dashboard. If it is there, then read the rest below. If not, then you still have a problem with the DNS plugin, and you might need to ask for help on the github issues for that plugin.

This propagation check is an optional sanity check that Caddy is doing. But lately, we’ve noticed that it seems to cause more trouble than it solves :man_shrugging: we’re considering removing it.

You can turn it off in your config although it’s a bit annoying to do:

	tls {
		issuer acme {
			email chris@chrisshort.net
			dns netlify {env.NETLIFY_API_TOKEN}
			propagation_timeout -1
		}
		issuer zerossl {
			email chris@chrisshort.net
			dns netlify {env.NETLIFY_API_TOKEN}
			propagation_timeout -1
		}
	}

Unfortunately, it needs to be done the long way like this to retain the Let’s Encrypt + ZeroSSL issuer fallback functionality, because the Caddyfile adapter doesn’t support propagation_timeout at the top-level of the tls directive right now. We might add that later. TBD.

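As an added illustration of the propagation check described in this reply (example code written here, not Caddy's or certmagic's own), this Go program polls the _acme-challenge TXT record the way that check does and reports the same "timed out waiting for record to fully propagate" failure, with a negative timeout disabling the check like propagation_timeout -1. The names `WaitForTXT` and `LookupTXT`, and the 2-minute / 5-second timings in `main`, are this example's own choices, not Caddy's defaults.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"os"
	"time"
)

// LookupTXT is the check's only dependency; net.Resolver.LookupTXT has this shape, so the
// same check runs against real DNS or against a constructed fake in tests.
type LookupTXT func(ctx context.Context, name string) ([]string, error)

// ErrPropagationTimeout mirrors the message Caddy logs when the record never appears.
var ErrPropagationTimeout = errors.New("timed out waiting for record to fully propagate")
// WaitForTXT polls _acme-challenge.<domain> until expected is visible, as Caddy's propagation
// check does, returning the lookup count; a negative timeout skips the check (propagation_timeout -1).
func WaitForTXT(lookup LookupTXT, domain, expected string, timeout, interval time.Duration) (int, error) {
	if timeout < 0 {
		return 0, nil
	}
	name, deadline, attempts := "_acme-challenge."+domain, time.Now().Add(timeout), 0
	var lastErr error // "last error: <nil>" in the log means lookups answered but never matched
	for {
		attempts++
		values, err := lookup(context.Background(), name)
		if err != nil {
			lastErr = err // NXDOMAIN is normal until the provider has published the record
		}
		for _, v := range values {
			if v == expected {
				return attempts, nil
			}
		}
		if time.Now().After(deadline) {
			return attempts, fmt.Errorf("%w; verify DNS provider configuration is correct - last error: %v",
				ErrPropagationTimeout, lastErr)
		}
		time.Sleep(interval)
	}
}

// Stand-alone use against real DNS: go run check.go <domain> <expected-txt-value>
func main() {
	domain, expected := os.Args[1], os.Args[2]
	n, err := WaitForTXT(net.DefaultResolver.LookupTXT, domain, expected, 2*time.Minute, 5*time.Second)
	fmt.Println("lookups:", n, "err:", err)
}
```

Running it while Caddy waits shows whether the record is visible from the same vantage point, which separates "the provider never wrote the record" from "the record exists but has not propagated yet".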

I asked the same question in the Netlify forums and learned that, basically, what I’m trying to do won’t work because of Netlify: Caddy and Netlify DNS - Support - Netlify Support Forums

I’m going to figure out a solid DDNS provider and run with that on a new domain or something.

What they said there makes no sense. I don’t think they understand how ACME works. I think they’re assuming you’re using Netlify’s API to have a cert issued by Netlify and not by Let’s Encrypt or ZeroSSL.


For posterity, once I got a working dynamic DNS record updating, getting a cert issued by Caddy was easy. At this point, I’m assuming I was auth’d to Netlify but wasn’t able to update existing records for some reason.

The dynamic dns tool is handling the DNS bits and this is my Caddyfile now:

casa.chrisshort.net {
	respond OK 200
	encode gzip zstd
	log {
		output file /var/log/caddy/uptime.chrisshort.net-access.log
	}
}
