1. The problem I’m having:
Hello, I’m having difficulties retrieving a Let's Encrypt certificate for my services.
I’ve tried multiple guides to set it up correctly but failed.
I can confirm that the API is working, since I can see the DNS entries created by Caddy.
Any help (or advice for a better setup) will be appreciated.
2. Error messages and/or full log output:
{"level":"info","ts":1711185895.8672917,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"info","ts":1711185895.8756478,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//[::1]:2019","//127.0.0.1:2019","//localhost:2019"]}
{"level":"info","ts":1711185895.8763366,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x40000a6680"}
{"level":"info","ts":1711185895.8767047,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1711185895.8767984,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1711185895.878436,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"info","ts":1711185895.8794115,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"info","ts":1711185895.8796368,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1711185895.879658,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["*.example.com","example.com"]}
{"level":"info","ts":1711185895.8821611,"logger":"tls.obtain","msg":"acquiring lock","identifier":"example.com"}
{"level":"info","ts":1711185895.8821611,"logger":"tls.obtain","msg":"acquiring lock","identifier":"*.example.com"}
{"level":"info","ts":1711185896.3954601,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1711185896.395672,"msg":"serving initial configuration"}
{"level":"info","ts":1711185896.8004928,"logger":"tls","msg":"cleaning storage unit","storage":"FileStorage:/data/caddy"}
{"level":"info","ts":1711185896.8011806,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1711185896.801613,"logger":"tls.obtain","msg":"lock acquired","identifier":"example.com"}
{"level":"info","ts":1711185896.8020957,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"example.com"}
{"level":"info","ts":1711185896.8883486,"logger":"tls.obtain","msg":"lock acquired","identifier":"*.example.com"}
{"level":"info","ts":1711185896.8887284,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"*.example.com"}
{"level":"info","ts":1711185897.903199,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["*.example.com"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"postmaster@example.com"}
{"level":"info","ts":1711185897.9032712,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["*.example.com"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"postmaster@example.com"}
{"level":"info","ts":1711185898.3031895,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"*.example.com","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"info","ts":1711185899.001212,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["example.com"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"postmaster@example.com"}
{"level":"info","ts":1711185899.001469,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["example.com"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"postmaster@example.com"}
{"level":"info","ts":1711185899.425506,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"example.com","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1711186051.2059345,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.example.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[*.example.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-v02.api.letsencrypt.org/acme/order/1633253537/254697189277) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
{"level":"error","ts":1711186051.206087,"logger":"tls.obtain","msg":"will retry","error":"[*.example.com] Obtain: [*.example.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-v02.api.letsencrypt.org/acme/order/1633253537/254697189277) (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":154.317675551,"max_duration":2592000}
{"level":"error","ts":1711186051.2084112,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"example.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[example.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-v02.api.letsencrypt.org/acme/order/1633253547/254697192007) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
{"level":"error","ts":1711186051.2085667,"logger":"tls.obtain","msg":"will retry","error":"[example.com] Obtain: [example.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-v02.api.letsencrypt.org/acme/order/1633253547/254697192007) (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":154.406887818,"max_duration":2592000}
3. Caddy version:
Caddy 2.7.6 from docker container iarekylew00t/caddy-cloudflare:latest
4. How I installed and ran Caddy:
a. System environment:
Hardware: Raspberry Pi 4 Model B Rev 1.2
Docker: docker-ce 5:26.0.0-1~debian.12~bookworm
Docker Compose: docker-compose-plugin 2.25.0-1~debian.12~bookworm
OS: Raspberry Pi OS 64bit running OMV 7.0.4-1 (Sandworm)
b. Command:
docker-compose up -d
c. Service/unit/compose file:
# caddy
#
services:
  caddy:
    image: iarekylew00t/caddy-cloudflare:latest
    container_name: caddy
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    network_mode: host
    volumes:
      - ${MAIN_DISK}/appdata/caddy/Caddyfile:/etc/caddy/Caddyfile
      - ${MAIN_DISK}/data/caddy:/data/caddy
      - ./config:/config/caddy
d. My complete Caddy config:
{
	email postmaster@example.com
	grace_period 60s
}

*.example.com, example.com {
	tls {
		ca https://acme-v02.api.letsencrypt.org/directory
		dns cloudflare $REDACTED$
		propagation_delay 30s
		resolvers 1.1.1.1
	}

	# Standard reverse proxy
	@dash host example.com
	handle @dash {
		reverse_proxy localhost:7575
	}

	# Standard reverse proxy (the host matcher takes a hostname, not a URL)
	@cloud host cloud.example.com
	handle @cloud {
		reverse_proxy localhost:11000
	}

	# Standard reverse proxy
	@media host media.example.com
	handle @media {
		reverse_proxy localhost:8096
	}
}
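The error above says the solver timed out waiting for the challenge TXT record to become visible, so the useful check is what the resolver named in the Caddyfile (1.1.1.1) actually returns for the challenge name while Caddy is mid-order. This is an added example using only the Python standard library, not code from Caddy or from the original post; it assumes the record Caddy's dns-01 solver creates is `_acme-challenge.example.com` (the name ACME uses for both `example.com` and `*.example.com`) and that UDP port 53 to the resolver is reachable.

```python
import random
import socket
import struct

def build_query(name, qtype=16):
    """Build a recursive DNS query for `name` (qtype 16 = TXT); returns (id, packet)."""
    qid = random.randrange(0, 65536)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return qid, header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def _skip_name(data, off):  # advance past a (possibly compressed) domain name
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def parse_txt_response(data):
    """Return every TXT string in the answer section; [] on NXDOMAIN/SERVFAIL."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if flags & 0x000F:  # non-zero RCODE: the name is not resolvable (yet)
        return []
    off, txts = 12, []
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 16:
            pos, end = off, off + rdlen
            while pos < end:  # RDATA is a sequence of <len><chars> strings
                n = data[pos]
                txts.append(data[pos + 1:pos + 1 + n].decode(errors="replace"))
                pos += 1 + n
        off += rdlen
    return txts

def lookup_txt(name, resolver="1.1.1.1", timeout=3.0):  # resolver as in the Caddyfile
    qid, pkt = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (resolver, 53))
        data, _ = sock.recvfrom(4096)
    if struct.unpack("!H", data[:2])[0] != qid:  # drop stray or spoofed replies
        raise ValueError("DNS transaction id mismatch")
    return parse_txt_response(data)
```

Run `lookup_txt("_acme-challenge.example.com")` while the "trying to solve challenge" line is in the log: an empty list from 1.1.1.1 at that moment (with the record visible in the Cloudflare dashboard) points at the resolver not seeing the record within the propagation window rather than at the API token.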