Caddy doesn't run becasue too many failed Let's Encrypt renewal attempts

pepa65 · July 28, 2020, 5:21pm

Caddy 0.11.5 (non-commercial use only)

Run:

/usr/local/bin/caddy -agree -log /var/log/caddy/caddy.log \
  -email peter@passchier.net -conf /etc/caddy/Caddyfile -root /var/www/none \
  -disabled-metrics all -pidfile /var/run/caddy.pid &

a. System environment:

Ubuntu 16.04.6 LTS

b. Command:

See above

d. My complete Caddyfile or JSON config:

(log) {
  tls peter@passchier.net
  gzip
  errors /var/log/caddy/error.log
  log /var/log/caddy/access.log
}

(php) {
  import log
  fastcgi / /var/run/php/php7.0-fpm.sock php
}

kelly.passchier.net {
  import php
  root /var/www/site/
}
giving.passchier.net {
  import php
  root /var/www/give/
}

3. The problem I’m having:

Let’s Encrypt certificates can’t seem to renew…

4. Error messages and/or full log output:

2020/07/28 19:11:23 [ERROR] Renewing [kelly.passchier.net]: acme: error: 429 :: 
POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:a
cme:error:rateLimited :: Error creating new order :: too many failed authorizati
ons recently: see https://letsencrypt.org/docs/rate-limits/, url: ; trying again
 in 10s
2020/07/28 19:11:33 [ERROR] too many renewal attempts; last error: acme: error: 
429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:p
arams:acme:error:rateLimited :: Error creating new order :: too many failed auth
orizations recently: see https://letsencrypt.org/docs/rate-limits/, url: 
2020/07/28 19:11:33 [INFO] Certificate for [giving.passchier.net] expires in 452
h23m51.800834969s; attempting renewal
2020/07/28 19:11:38 [ERROR] Renewing [giving.passchier.net]: acme: Error -> One 
or more domains had a problem:
[giving.passchier.net] acme: error: 403 :: urn:ietf:params:acme:error:unauthoriz
ed :: Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge, url
: 
; trying again in 10s

(etc. for all domainnames)

5. What I already tried:

No idea what I should try… I thought caddy is just supposed to auto-renew these. Is there something I can add to the Caddyfile to use a different method perhaps?

francislavoie · July 28, 2020, 6:32pm

You’re using a very old version of Caddy. Please upgrade to Caddy v2

pepa65 · July 29, 2020, 4:15am

Not the solution. Caddy v2 doesn’t serve markdown, which I use for one site. The problem was some AAAA records that got inserted for each of the domain when the hoster tried to be helpful…

I did try to convert to v2, but it didn’t quite work… V1 runs solidly…!

matt · July 29, 2020, 4:30am

Then can you explain how our docs – which is 99% of our site – is markdown served by Caddy 2? (Hint)

Yep, that would definitely break things, and the ACME challenge is doing its job.

It actually is, just as much as having correct DNS records! Upon failures, Caddy 2 reverts to Let’s Encrypt’s staging endpoint so you won’t hit rate limits so easily.

system · August 27, 2020, 5:21pm

This topic was automatically closed after 30 days. New replies are no longer allowed.