Caddy can't acquire a Let's Encrypt certificate

Hi

I am trying to get Caddy to redirect to a certain site using HTTPS but always have a problem with the Let's Encrypt certificate not working correctly. If I change the config to use a self-signed cert then the page works, but then I get the secure page warning.

Caddy is running on Windows 7 and the Caddy version is 0.10.12.
Here is my Caddyfile. I have swapped out my domain name with "example".

manager.example.com.au:443 {
  tls { max_certs 10 }
  proxy / manager.example.com.au:51235 {
    transparent
  }
  log access.log
  errors error.log
}

Below is the caddy.log file.

2018/04/03 11:29:25 https://manager.example.com.au
2018/04/03 11:29:25 http://manager.example.com.au
2018/04/03 11:32:07 [INFO] Obtaining new certificate for manager.example.com.au
2018/04/03 11:32:08 [INFO][manager.example.com.au] acme: Obtaining bundled SAN certificate
2018/04/03 11:32:09 [INFO][manager.example.com.au] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/9n2P8ea4WyrhtHessisVuVnfoUBZctwlJtzFTmeEVkM
2018/04/03 11:32:09 [INFO][manager.example.com.au] acme: Could not find solver for: dns-01
2018/04/03 11:32:09 [INFO][manager.example.com.au] acme: Trying to solve HTTP-01
2018/04/03 11:32:15 http: TLS handshake error from 119.252.188.52:45482: [manager.example.com.au] failed to get certificate: acme: Error 400 - urn:ietf:params:acme:error:connection - Fetching http://manager.example.com.au/.well-known/acme-challenge/4_snUIABuEuBwCfy3JHLCIEDhTsY8Sl2CFX-nFlU6PI: Error getting validation data
2018/04/03 11:33:04 http: TLS handshake error from 192.168.0.1:54703: manager.example.com.au: throttled; refusing to issue cert since last attempt on 2018-04-03 11:32:15.1250096 +1000 AEST m=+169.358902101 failed
2018/04/03 11:33:04 http: TLS handshake error from 192.168.0.1:54704: manager.example.com.au: throttled; refusing to issue cert since last attempt on 2018-04-03 11:32:15.1250096 +1000 AEST m=+169.358902101 failed
2018/04/03 11:33:04 http: TLS handshake error from 192.168.0.1:54705: tls: client offered an unsupported, maximum protocol version of 302
2018/04/03 11:33:04 http: TLS handshake error from 192.168.0.1:54706: tls: client offered an unsupported, maximum protocol version of 301

I have ports 80 and 443 allowed in/out in the Windows Firewall, and I have also set up NAT on my router to point to my Caddy server. 192.168.0.1 is the address of my router. Is it not passing the connection correctly or something?

Hi @nogshale,

There are a few things that seem a little bit odd about your Caddyfile, and it may help to reduce it to the minimum possible configuration.

First, though, let's look at the error returned by Let's Encrypt:

Looks like they tried to retrieve the well-known response from http://manager.example.com.au/ and were unsuccessful in the connection attempt.

Running curl -IL http://manager.example.com.au/ should give us an understanding of exactly what's happening when Let's Encrypt tries to connect.

I get this when issuing the curl command:

curl: (7) Failed to connect to manager.example.com.au port 80: Connection refused

I'm wondering if the router I'm using is not passing on port 80 correctly. I don't actually want HTTP. Is there a way I can force Caddy/Let's Encrypt to do its setup over 443/HTTPS only?

That’s usually the cause of this kind of issue, but I didn’t want to presume; the curl result pretty much confirms it, though, or some similar networking issue at least.

Unfortunately, you can't complete an ACME challenge using port 443 alone. TLS-SNI-01 validation for new issuances is disabled until further notice, which means that validation must occur over HTTP (on port 80) or DNS (via TXT record).

DNS validation might be a solution for you, though - see: Automatic HTTPS — Caddy Documentation

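The HTTP-01 exchange the reply above describes, as an added rehearsal script that is not from this thread or from Caddy itself: serve_challenge() stands in for Caddy's solver, probe_http01() performs the plain-HTTP fetch the CA performs, and unused_port() is a helper for reproducing the "connection refused" case locally. The token and key-authorization values are constructed.

```python
"""Rehearse the HTTP-01 fetch offline, without spending a rate-limited attempt at the CA."""
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def serve_challenge(token, key_authorization, host="127.0.0.1", port=0):
    """Start a throwaway responder for one token; returns the bound port.
    Like an ACME HTTP-01 solver, it answers only the exact challenge URL."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path == CHALLENGE_PATH + token:
                body = key_authorization.encode()
                self.send_response(200)
                self.send_header("Content-Type", "application/octet-stream")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
            else:
                self.send_error(404)

        def log_message(self, *args):  # keep the rehearsal quiet
            pass

    server = ThreadingHTTPServer((host, port), Handler)  # bound and listening here
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1]


def probe_http01(host, token, expected, port=80, timeout=5):
    """Fetch the challenge URL the way the CA does and classify the outcome.
    Point this at the public hostname on port 80 to reproduce the validation."""
    url = "http://%s:%d%s%s" % (host, port, CHALLENGE_PATH, token)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode(errors="replace")
    except urllib.error.HTTPError as exc:
        return {"status": "http_error", "code": exc.code, "url": url}
    except (urllib.error.URLError, OSError) as exc:
        # Refused or timed out: the same outcome as the "Error getting validation data" 400
        return {"status": "unreachable", "detail": str(getattr(exc, "reason", exc)), "url": url}
    return {"status": "ok" if body == expected else "wrong_body", "url": url}


def unused_port():
    """Pick a loopback port nothing listens on, to rehearse 'connection refused'."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```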

It looks like my registrar isn't in that list, so I take it DNS validation won't work? Or have I misunderstood?

I use VentraIP

You’re correct - your registrar is not listed, so Automatic HTTPS with DNS is not available.

My advice would be, if you’d like to pursue DNS validation further, to delegate your name servers to a supported DNS provider. I have a large number of domains registered through VentraIP (via their Synergy Wholesale arm) and have only had good results from Cloudflare’s free service.


OK, thanks so much for your help @Whitestrake
