1. The problem I’m having:
Caddy’s automatic DNS-01 challenge doesn’t work, even though dig displays the correct TXT record.
> dig _acme-challenge.wolfn.dedyn.io ANY
; <<>> DiG 9.20.6 <<>> _acme-challenge.wolfn.dedyn.io ANY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14455
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_acme-challenge.wolfn.dedyn.io. IN ANY
;; ANSWER SECTION:
_acme-challenge.wolfn.dedyn.io. 3600 IN TXT "JueCkgU8n3xd6nXx-Vx94h38tVq_KN0IJaRInvZu1ec"
_acme-challenge.wolfn.dedyn.io. 3600 IN RRSIG TXT 13 4 3600 20250327000000 20250306000000 42287 wolfn.dedyn.io. xmxb6eC5atClGfEVL7n26AjNf12OgS2YI/OhzaXROCyIKyfSSHN8zQuz Syu0pTpkWdsCirRq6LrnkdEX9gmCLg==
;; Query time: 30 msec
;; SERVER: 9.9.9.9#53(9.9.9.9) (TCP)
;; WHEN: Thu Mar 13 02:16:17 CET 2025
;; MSG SIZE rcvd: 225
2. Error messages and/or full log output:
caddy-reverse-proxy | {"level":"error","ts":1741827483.6876132,"msg":"challenge failed","identifier":"wolfn.dedyn.io","challenge_type":"dns-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up TXT for _acme-challenge.wolfn.dedyn.io - check that a DNS record exists for this domain","instance":"","subproblems":null},"stacktrace":"github.com/mholt/acmez/v3.(*Client).pollAuthorization\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:557\ngithub.com/mholt/acmez/v3.(*Client).solveChallenges\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:378\ngithub.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:136\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:477\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:371\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.9.1/modules/caddytls/acmeissuer.go:249\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:626\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:700\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:505\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:415\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:73"}
caddy-reverse-proxy | {"level":"error","ts":1741827483.6877642,"msg":"validating authorization","identifier":"wolfn.dedyn.io","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up TXT for _acme-challenge.wolfn.dedyn.io - check that a DNS record exists for this domain","instance":"","subproblems":null},"order":"https://acme-v02.api.letsencrypt.org/acme/order/2278238646/362968959006","attempt":1,"max_attempts":3,"stacktrace":"github.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:152\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:477\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:371\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.9.1/modules/caddytls/acmeissuer.go:249\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:626\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:700\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:505\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:415\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:73"}
caddy-reverse-proxy | {"level":"error","ts":1741827483.6878684,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"wolfn.dedyn.io","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: NXDOMAIN looking up TXT for _acme-challenge.wolfn.dedyn.io - check that a DNS record exists for this domain"}
caddy-reverse-proxy | {"level":"error","ts":1741827483.687968,"logger":"tls.obtain","msg":"will retry","error":"[wolfn.dedyn.io] Obtain: [wolfn.dedyn.io] solving challenge: wolfn.dedyn.io: [wolfn.dedyn.io] authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: NXDOMAIN looking up TXT for _acme-challenge.wolfn.dedyn.io - check that a DNS record exists for this domain (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":67.520277586,"max_duration":2592000}
3. Caddy version:
> docker compose exec caddy caddy version
v2.9.1 h1:OEYiZ7DbCzAWVb6TNEkjRcSCRGHVoZsJinoDR/n9oaY=
4. How I installed and ran Caddy:
a. System environment:
Armbian 25.2.2, aarch64,
Docker Engine version 28.0.1, Buildx 0.21.1, Compose 2.33.1
b. Command:
> docker compose up
c. Service/unit/compose file:
# compose.yml
# Single-service stack: a Caddy reverse proxy built from the Dockerfile in this
# directory (so the Dockerfile's COPY of the Caddyfile also runs at build time).
services:
  caddy:
    build: .
    container_name: caddy-reverse-proxy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
      # UDP 443 is used by HTTP/3 (QUIC).
      - "443:443/udp"
    volumes:
      # NOTE(review): this file contains the deSEC API token in plain text and is
      # mounted read-write; consider appending ":ro" so the container cannot modify it.
      - ./Caddyfile:/etc/caddy/Caddyfile
      - ./site:/srv
      # /data is Caddy's storage: issued certificates, private keys and the ACME
      # account key. Keep this directory's permissions tight and out of version control.
      - ./caddy_data:/data
      - ./caddy_config:/config
#Dockerfile
# Stage 1: compile a Caddy binary with the deSEC DNS provider module included.
# NOTE(review): both base images use floating tags (":builder" and ":latest"), so the
# builder and runtime stages can drift to different Caddy releases and the build is not
# reproducible; pin both to the same version (the running binary reports v2.9.1) or a digest.
FROM docker.io/library/caddy:builder AS builder
# NOTE(review): the plugin is also unpinned; xcaddy accepts "--with module@version".
RUN xcaddy build --with github.com/caddy-dns/desec
# Stage 2: runtime image; only the custom binary is taken from the builder stage.
FROM caddy:latest
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
# NOTE(review): this bakes the Caddyfile - including the "token" line - into an image
# layer, where it persists in the image history even after the file is changed. The
# compose file bind-mounts the same path over it at runtime, so this COPY is redundant;
# dropping it (or reading the token from the environment) keeps the secret out of the image.
COPY Caddyfile /etc/caddy/Caddyfile
d. My complete Caddy config:
# Site block for wolfn.dedyn.io; the certificate is obtained with the ACME DNS-01
# challenge through the deSEC provider module that the Dockerfile compiles in.
wolfn.dedyn.io {
	tls {
		dns desec {
			# NOTE(review): a plaintext API token in a file that is bind-mounted and also
			# copied into the image. Prefer "token {env.DESEC_TOKEN}" and pass the secret via
			# the container environment, and use a token scoped as narrowly as the provider
			# allows (ideally only the TXT records needed for the challenge).
			token REDACTED
		}
		# NOTE(review): the CA reports NXDOMAIN while the dig above (an ANY query through
		# the recursive resolver 9.9.9.9, 3600s TTL) returns the record. The CA looks the
		# record up at the zone's authoritative nameservers, so verify it there with a TXT
		# query; if the record is only published after Caddy's own check, the tls
		# subdirectives "resolvers", "propagation_delay" and "propagation_timeout" may help.
	}
	respond "Hello, world!"
}