Caddy fails to obtain Let's Encrypt certificate with Cloudflare DNS

1. The problem I’m having:

Hello, I’m having difficulties retrieving a Let's Encrypt certificate for my services.
I’ve tried multiple guides to set it up correctly but failed.
I can confirm that the API is working, since I can see the DNS entries created by Caddy.

Any help (or advice for a better setup) will be appreciated.

2. Error messages and/or full log output:

{"level":"info","ts":1711185895.8672917,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"info","ts":1711185895.8756478,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//[::1]:2019","//127.0.0.1:2019","//localhost:2019"]}
{"level":"info","ts":1711185895.8763366,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x40000a6680"}
{"level":"info","ts":1711185895.8767047,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1711185895.8767984,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1711185895.878436,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"info","ts":1711185895.8794115,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"info","ts":1711185895.8796368,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1711185895.879658,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["*.example.com","example.com"]}
{"level":"info","ts":1711185895.8821611,"logger":"tls.obtain","msg":"acquiring lock","identifier":"example.com"}
{"level":"info","ts":1711185895.8821611,"logger":"tls.obtain","msg":"acquiring lock","identifier":"*.example.com"}
{"level":"info","ts":1711185896.3954601,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1711185896.395672,"msg":"serving initial configuration"}
{"level":"info","ts":1711185896.8004928,"logger":"tls","msg":"cleaning storage unit","storage":"FileStorage:/data/caddy"}
{"level":"info","ts":1711185896.8011806,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1711185896.801613,"logger":"tls.obtain","msg":"lock acquired","identifier":"example.com"}
{"level":"info","ts":1711185896.8020957,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"example.com"}
{"level":"info","ts":1711185896.8883486,"logger":"tls.obtain","msg":"lock acquired","identifier":"*.example.com"}
{"level":"info","ts":1711185896.8887284,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"*.example.com"}
{"level":"info","ts":1711185897.903199,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["*.example.com"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"postmaster@example.com"}
{"level":"info","ts":1711185897.9032712,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["*.example.com"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"postmaster@example.com"}
{"level":"info","ts":1711185898.3031895,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"*.example.com","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"info","ts":1711185899.001212,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["example.com"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"postmaster@example.com"}
{"level":"info","ts":1711185899.001469,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["example.com"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"postmaster@example.com"}
{"level":"info","ts":1711185899.425506,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"example.com","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1711186051.2059345,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.example.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[*.example.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-v02.api.letsencrypt.org/acme/order/1633253537/254697189277) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
{"level":"error","ts":1711186051.206087,"logger":"tls.obtain","msg":"will retry","error":"[*.example.com] Obtain: [*.example.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-v02.api.letsencrypt.org/acme/order/1633253537/254697189277) (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":154.317675551,"max_duration":2592000}
{"level":"error","ts":1711186051.2084112,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"example.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[example.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-v02.api.letsencrypt.org/acme/order/1633253547/254697192007) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
{"level":"error","ts":1711186051.2085667,"logger":"tls.obtain","msg":"will retry","error":"[example.com] Obtain: [example.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-v02.api.letsencrypt.org/acme/order/1633253547/254697192007) (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":154.406887818,"max_duration":2592000}

3. Caddy version:

Caddy 2.7.6 from docker container iarekylew00t/caddy-cloudflare:latest

4. How I installed and ran Caddy:

a. System environment:

Hardware: Raspberry Pi 4 Model B Rev 1.2
Docker:  docker-ce 5:26.0.0-1~debian.12~bookworm
Docker Compose: docker-compose-plugin 2.25.0-1~debian.12~bookworm
OS: Raspberry Pi OS 64bit running OMV 7.0.4-1 (Sandworm)

b. Command:

docker-compose up -d

c. Service/unit/compose file:

# caddy
services:
  caddy:
    image: iarekylew00t/caddy-cloudflare:latest
    container_name: caddy
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    network_mode: host
    volumes:
      # Caddyfile is mounted read-only from the main disk
      - ${MAIN_DISK}/appdata/caddy/Caddyfile:/etc/caddy/Caddyfile
      # certificate and ACME account storage
      - ${MAIN_DISK}/data/caddy:/data/caddy
      # autosaved config (see "autosaved config" log line above)
      - ./config:/config/caddy

d. My complete Caddy config:

{
	email postmaster@example.com
	grace_period 60s
}

*.example.com, example.com {
	tls {
		ca https://acme-v02.api.letsencrypt.org/directory
		# Cloudflare API token (redacted); solves the dns-01 challenge
		dns cloudflare $REDACTED$
		# wait 30s after creating the TXT record before checking propagation
		propagation_delay 30s
		# resolver used for the propagation check
		resolvers 1.1.1.1
	}

	# Standard reverse proxy
	@dash host example.com
	handle @dash {
		reverse_proxy localhost:7575
	}

	# Standard reverse proxy
	# The host matcher takes a bare hostname, not a URL with scheme and port
	@cloud host cloud.example.com
	handle @cloud {
		reverse_proxy localhost:11000
	}

	# Standard reverse proxy
	@media host media.example.com
	handle @media {
		reverse_proxy localhost:8096
	}
}

The propagation checks are failing – we had a known issue where the resolvers config wasn’t correctly being used for the propagation checks. This should be resolved in 2.8.0.

But for now, I recommend turning off the propagation checks; they aren’t really needed with Cloudflare because we know they’re fast. You can turn it off with propagation_timeout -1.
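As an added illustration (not part of the original thread or the Caddy project's own documentation), this is what the tls block from the question looks like with the propagation check disabled as suggested above. The original `propagation_delay` and `resolvers` lines are left as comments to show what changes; the `CLOUDFLARE_API_TOKEN` environment variable name is an assumption and must be supplied to the container by you.

```caddyfile
{
	email postmaster@example.com
	grace_period 60s
}

*.example.com, example.com {
	tls {
		ca https://acme-v02.api.letsencrypt.org/directory
		# Token read from the environment instead of pasted inline
		# (env var name is assumed, not from the original post)
		dns cloudflare {env.CLOUDFLARE_API_TOKEN}

		# -1 skips the local propagation check entirely, so Caddy no
		# longer waits on the resolver before telling the CA to verify.
		# In the log above the check is what timed out after ~154s, not
		# the CA-side validation.
		propagation_timeout -1

		# No longer needed once the check is disabled:
		# propagation_delay 30s
		# resolvers 1.1.1.1
	}

	@dash host example.com
	handle @dash {
		reverse_proxy localhost:7575
	}

	@cloud host cloud.example.com
	handle @cloud {
		reverse_proxy localhost:11000
	}

	@media host media.example.com
	handle @media {
		reverse_proxy localhost:8096
	}
}
```

The trade-off: with the check disabled, a genuinely broken DNS provider setup (wrong zone, token without DNS edit permission) surfaces as a CA-side "unauthorized" or "no TXT record found" error from the ACME order rather than the local "timed out waiting for record to fully propagate" message, so the `tls.obtain` error text you grep for changes. Run `caddy validate --config /etc/caddy/Caddyfile` before restarting the container to catch syntax mistakes.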

@eatery9779, is your Cloudflare CDN SSL option set to ‘Full SSL (strict)’? It typically needs to be enabled. :slight_smile:

@Bruce5051, that makes no difference for the DNS challenge. No HTTP/TLS is happening from the issuer to Caddy when using the DNS challenge.


Thanks! You just solved a 2-day headache for me! :grin:
