Caddy cannot pass the SSL challenge

1. Output of caddy version:

v2.6.1

2. How I run Caddy:

sudo caddy run --config /etc/caddy/caddyfile
Caddy is not running in Docker; neko is.

a. System environment:

I'm running the latest version of Ubuntu Server 22.02 and the latest version of Docker.
I'm trying to run "neko", which is a browser streaming app.
docker version is 20.10.18
docker-compose version 1.29.2

b. Command:

sudo caddy run --config /etc/caddy/Caddyfile

c. Service/unit/compose file:

version: "3.4"
services:
  neko:
    image: "m1k1o/neko:arm-firefox"
    restart: "unless-stopped"
    shm_size: "2gb"
    ports:
      - "8080:8080"
      - "52000-52100:52000-52100/udp"
    environment:
      NEKO_SCREEN: 1920x1080@30
      NEKO_PASSWORD: neko
      NEKO_PASSWORD_ADMIN: admin
      NEKO_EPR: 52000-52100
      NEKO_ICELITE: 1

d. My complete Caddy config:

130.162.254.206:80 {
        route {
                redir https://nyuware.pw
        }
}


130.162.254.206:443 {
        route {
                redir https://nyuware.pw
        }
}


https://rabbit.nyuware.pw {
        tls nyuware@protonmail.com
        reverse_proxy localhost:8080 {
                header_up Host {host}
                header_up X-Real-IP {remote_host}
                header_up X-Forwarded-For {remote_host}
                header_up X-Forwarded-Proto {scheme}
        }
}

3. The problem I’m having:

I'm just trying to expose the website to the internet, but the SSL challenge keeps failing and I have no idea why.

4. Error messages and/or full log output:

2022/10/12 11:26:26.211 INFO    using provided configuration    {"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""}
2022/10/12 11:26:26.216 WARN    caddyfile       Unnecessary header_up X-Forwarded-For: the reverse proxy's default behavior is to pass headers to the upstream
2022/10/12 11:26:26.216 WARN    caddyfile       Unnecessary header_up X-Forwarded-Proto: the reverse proxy's default behavior is to pass headers to the upstream
2022/10/12 11:26:26.218 WARN    Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies    {"adapter": "caddyfile", "file": "/etc/caddy/Caddyfile", "line": 7}
2022/10/12 11:26:26.223 INFO    admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["//127.0.0.1:2019", "//localhost:2019", "//[::1]:2019"]}
2022/10/12 11:26:26.224 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0x40004991f0"}
2022/10/12 11:26:26.225 WARN    http    server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server {"server_name": "srv1", "http_port": 80}
2022/10/12 11:26:26.225 INFO    http    server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2022/10/12 11:26:26.225 INFO    http    enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2022/10/12 11:26:26.231 INFO    tls     cleaning storage unit   {"description": "FileStorage:/root/.local/share/caddy"}
2022/10/12 11:26:26.233 INFO    tls     finished cleaning storage units
2022/10/12 11:26:26.245 INFO    pki.ca.local    root certificate is already trusted by system   {"path": "storage:pki/authorities/local/root.crt"}
2022/10/12 11:26:26.246 INFO    http.log        server running  {"name": "srv1", "protocols": ["h1", "h2", "h3"]}
2022/10/12 11:26:26.246 INFO    http    enabling HTTP/3 listener        {"addr": ":443"}
2022/10/12 11:26:26.247 INFO    failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details.
2022/10/12 11:26:26.248 INFO    http.log        server running  {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2022/10/12 11:26:26.248 INFO    http    enabling automatic TLS certificate management   {"domains": ["rabbit.nyuware.pw", "130.162.254.206"]}
2022/10/12 11:26:26.249 WARN    tls     stapling OCSP   {"error": "no OCSP stapling for [130.162.254.206]: no OCSP server specified in certificate", "identifiers": ["130.162.254.206"]}
2022/10/12 11:26:26.250 INFO    tls.obtain      acquiring lock  {"identifier": "rabbit.nyuware.pw"}
2022/10/12 11:26:26.251 INFO    autosaved config (load with --resume flag)      {"file": "/root/.config/caddy/autosave.json"}
2022/10/12 11:26:26.251 INFO    serving initial configuration
2022/10/12 11:26:26.253 INFO    tls.obtain      lock acquired   {"identifier": "rabbit.nyuware.pw"}
2022/10/12 11:26:26.254 INFO    tls.obtain      obtaining certificate   {"identifier": "rabbit.nyuware.pw"}
2022/10/12 11:26:26.256 INFO    http    waiting on internal rate limiter        {"identifiers": ["rabbit.nyuware.pw"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "nyuware@protonmail.com"}
2022/10/12 11:26:26.256 INFO    http    done waiting on internal rate limiter   {"identifiers": ["rabbit.nyuware.pw"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "nyuware@protonmail.com"}
2022/10/12 11:26:27.347 INFO    http.acme_client        trying to solve challenge       {"identifier": "rabbit.nyuware.pw", "challenge_type": "tls-alpn-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2022/10/12 11:26:31.115 ERROR   http.acme_client        challenge failed        {"identifier": "rabbit.nyuware.pw", "challenge_type": "tls-alpn-01", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "130.162.254.206: Error getting validation data", "instance": "", "subproblems": []}}
2022/10/12 11:26:31.115 ERROR   http.acme_client        validating authorization        {"identifier": "rabbit.nyuware.pw", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "130.162.254.206: Error getting validation data", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/772311766/133867716566", "attempt": 1, "max_attempts": 3}
2022/10/12 11:26:32.631 INFO    http.acme_client        trying to solve challenge       {"identifier": "rabbit.nyuware.pw", "challenge_type": "http-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2022/10/12 11:26:33.194 ERROR   http.acme_client        challenge failed        {"identifier": "rabbit.nyuware.pw", "challenge_type": "http-01", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "130.162.254.206: Fetching http://rabbit.nyuware.pw/.well-known/acme-challenge/8MGs5HJHr5GwWMV7X7a9v6tiFXH0renIKwbeOZZIbbI: Error getting validation data", "instance": "", "subproblems": []}}
2022/10/12 11:26:33.194 ERROR   http.acme_client        validating authorization        {"identifier": "rabbit.nyuware.pw", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "130.162.254.206: Fetching http://rabbit.nyuware.pw/.well-known/acme-challenge/8MGs5HJHr5GwWMV7X7a9v6tiFXH0renIKwbeOZZIbbI: Error getting validation data", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/772311766/133867731996", "attempt": 2, "max_attempts": 3}
2022/10/12 11:26:33.194 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "rabbit.nyuware.pw", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 400 urn:ietf:params:acme:error:connection - 130.162.254.206: Fetching http://rabbit.nyuware.pw/.well-known/acme-challenge/8MGs5HJHr5GwWMV7X7a9v6tiFXH0renIKwbeOZZIbbI: Error getting validation data"}
2022/10/12 11:26:33.195 INFO    http    waiting on internal rate limiter        {"identifiers": ["rabbit.nyuware.pw"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "nyuware@protonmail.com"}
2022/10/12 11:26:33.195 INFO    http    done waiting on internal rate limiter   {"identifiers": ["rabbit.nyuware.pw"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "nyuware@protonmail.com"}

As you can see, I just start Caddy with the provided config and the challenge simply fails, and I cannot find out why.

2022/10/12 11:26:27.347 INFO    http.acme_client        trying to solve challenge       {"identifier": "rabbit.nyuware.pw", "challenge_type": "tls-alpn-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2022/10/12 11:26:31.115 ERROR   http.acme_client        challenge failed        {"identifier": "rabbit.nyuware.pw", "challenge_type": "tls-alpn-01", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "130.162.254.206: Error getting validation data", "instance": "", "subproblems": []}}
2022/10/12 11:26:31.115 ERROR   http.acme_client        validating authorization        {"identifier": "rabbit.nyuware.pw", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "130.162.254.206: Error getting validation data", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/772311766/133867716566", "attempt": 1, "max_attempts": 3}
2022/10/12 11:26:32.631 INFO    http.acme_client        trying to solve challenge       {"identifier": "rabbit.nyuware.pw", "challenge_type": "http-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2022/10/12 11:26:33.194 ERROR   http.acme_client        challenge failed        {"identifier": "rabbit.nyuware.pw", "challenge_type": "http-01", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "130.162.254.206: Fetching http://rabbit.nyuware.pw/.well-known/acme-challenge/8MGs5HJHr5GwWMV7X7a9v6tiFXH0renIKwbeOZZIbbI: Error getting validation data", "instance": "", "subproblems": []}}
2022/10/12 11:26:33.194 ERROR   http.acme_client        validating authorization        {"identifier": "rabbit.nyuware.pw", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "130.162.254.206: Fetching http://rabbit.nyuware.pw/.well-known/acme-challenge/8MGs5HJHr5GwWMV7X7a9v6tiFXH0renIKwbeOZZIbbI: Error getting validation data", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/772311766/133867731996", "attempt": 2, "max_attempts": 3}
2022/10/12 11:26:33.194 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "rabbit.nyuware.pw", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 400 urn:ietf:params:acme:error:connection - 130.162.254.206: Fetching http://rabbit.nyuware.pw/.well-known/acme-challenge/8MGs5HJHr5GwWMV7X7a9v6tiFXH0renIKwbeOZZIbbI: Error getting validation data"}

This is where I believe it's failing, but I tried looking everywhere and I don't find anything related to this error.

5. What I already tried:

I guess it's something outside of Caddy, because I also tried exposing the website through the IP address, but that also fails; it just times out. Port 8080 is open on the firewall.

Any help would be appreciated.

6. Links to relevant resources:

The ACME HTTP challenge only happens on port 80, and the ACME TLS-ALPN challenge only happens on port 443. You must make those ports open and accessible to solve those challenges.

Also, it’s not called “SSL” anymore, it’s TLS, since 1999.

“Error getting validation data” is often due to some sort of network misconfiguration, which evidently remains:

Double-check your networking/firewall config. (The error doesn’t come from Caddy.)
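The two replies above make the same point: the CA has to reach port 80 for http-01 and port 443 for tls-alpn-01, and an ACME problem of type `connection` means it could not. The triage script below is an added example, not code from this thread or from Caddy. It parses Caddy's console-format log lines (the "challenge failed" lines quoted in the post are embedded as sample input), maps each failed challenge type to the inbound port the CA must reach, classifies the ACME problem type, and can optionally probe those ports with a plain TCP connect from wherever it is run. All function and variable names are my own.

```python
"""Triage helper for Caddy ACME challenge failures (added example, not Caddy's own code)."""
import json
import re
import socket
import sys

# Inbound TCP port each ACME challenge type is validated on (RFC 8555 http-01, RFC 8737 tls-alpn-01).
CHALLENGE_PORT = {"http-01": 80, "tls-alpn-01": 443}

# Caddy console log: "<date> <time> <LEVEL> <logger> <message> {json fields}"; the JSON suffix is optional.
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+)\s+(?P<level>\w+)\s+(?P<logger>\S+)\s+(?P<msg>.*?)\s*(?P<json>\{.*\})?$")

# Short, defender-oriented reading of the ACME error types that show up in challenge failures.
ADVICE = {
    "connection": "the CA could not open a connection: check the host firewall, any cloud security group "
                  "or NAT in front of the host, and that DNS for {id} points at the public IP that listens on {port}",
    "dns": "the CA could not resolve {id}: check the DNS record and whether it has propagated",
    "unauthorized": "something answered on port {port} but not with the expected challenge response: "
                    "another service may own that port, or the name resolves to a different host",
}

# Sample input: the two failing challenge lines quoted in the post above, plus one line without JSON fields.
SAMPLE_LOG = """2022/10/12 11:26:26.247 INFO    failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB).
2022/10/12 11:26:31.115 ERROR   http.acme_client        challenge failed        {"identifier": "rabbit.nyuware.pw", "challenge_type": "tls-alpn-01", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "130.162.254.206: Error getting validation data", "instance": "", "subproblems": []}}
2022/10/12 11:26:33.194 ERROR   http.acme_client        challenge failed        {"identifier": "rabbit.nyuware.pw", "challenge_type": "http-01", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "130.162.254.206: Fetching http://rabbit.nyuware.pw/.well-known/acme-challenge/8MGs5HJHr5GwWMV7X7a9v6tiFXH0renIKwbeOZZIbbI: Error getting validation data", "instance": "", "subproblems": []}}""".splitlines()


def parse_caddy_line(line):
    """Split one Caddy console log line into its parts; fields is {} when there is no JSON suffix."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = json.loads(m.group("json")) if m.group("json") else {}
    return {"ts": m.group("ts"), "level": m.group("level"), "logger": m.group("logger"),
            "msg": m.group("msg"), "fields": fields}


def validator_ip(detail):
    """The ACME server prefixes its detail with the address it tried to validate ('1.2.3.4: ...')."""
    m = re.match(r"^(\S+?):\s", detail)
    return m.group(1) if m else None


def failed_challenges(lines):
    """Collect every ERROR 'challenge failed' record with the port the CA needed and the ACME error type."""
    out = []
    for line in lines:
        rec = parse_caddy_line(line)
        if not rec or rec["level"] != "ERROR" or rec["msg"] != "challenge failed":
            continue
        f = rec["fields"]
        ctype = f.get("challenge_type")
        problem = f.get("problem", {})
        out.append({
            "identifier": f.get("identifier"),
            "challenge_type": ctype,
            "port": CHALLENGE_PORT.get(ctype),
            # "urn:ietf:params:acme:error:connection" -> "connection"
            "error_type": problem.get("type", "").rsplit(":", 1)[-1],
            "detail": problem.get("detail", ""),
            "validated_ip": validator_ip(problem.get("detail", "")),
        })
    return out


def explain(failure):
    """One-line, human-readable reading of a failed challenge record."""
    tmpl = ADVICE.get(failure["error_type"], "see the ACME problem detail")
    return (f"{failure['challenge_type']} for {failure['identifier']} needs inbound TCP {failure['port']}: "
            + tmpl.format(port=failure["port"], id=failure["identifier"]))


def tcp_reachable(host, port, timeout=3.0):
    """Plain TCP connect probe; only meaningful when run from outside the host's own network."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def main(argv):
    # Usage: python triage.py [--probe] < caddy.log   (with no stdin data, the embedded sample is used)
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG
    for f in failed_challenges(lines):
        print(explain(f))
        if "--probe" in argv and f["validated_ip"] and f["port"]:
            ok = tcp_reachable(f["validated_ip"], f["port"])
            print(f"  probe {f['validated_ip']}:{f['port']} from here -> {'open' if ok else 'unreachable'}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it with `--probe` from a machine outside the server's network: a `connection` error from the CA together with an unreachable probe on the mapped port points at the firewall, security group or NAT rather than at Caddy, which is exactly the reading given above.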

Thanks for following up!
