Caddy fails to get certificate on opnsense

1. The problem I’m having:

I am using Caddy in opnsense with domains proxied through cloudflare and cloudflare as dns provider. Creating a certificate seems to fail. It worked for a few months before failing now.

2. Error messages and/or full log output:


2025-01-12T11:23:14	Error	caddy	"debug","ts":"2025-01-12T10:23:14Z","logger":"http.stdlib","msg":"http: TLS handshake error from 162.158.86.36:62108: no certificate available for 'nc.mmb.ink'"}	
2025-01-12T11:23:02	Error	caddy	"error","ts":"2025-01-12T10:23:02Z","logger":"tls.obtain","msg":"will retry","error":"[*.mmb.ink] Obtain: [*.mmb.ink] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of \"_acme-challenge.mmb.ink.\" (relative=_acme-challenge zone=mmb.ink. resolvers=[127.0.0.1:53 1.1.1.1:53 1.0.0.1:53]): CNAME dns query: dial tcp 1.0.0.1:53: i/o timeout (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/169665893/21945319694) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":5,"retrying_in":600,"elapsed":722.646918715,"max_duration":2592000}	
2025-01-12T11:23:02	Error	caddy	"debug","ts":"2025-01-12T10:23:02Z","logger":"events","msg":"event","name":"cert_failed","id":"909fe39d-c4ee-4c61-927e-64dbe2fa7010","origin":"tls","data":{"error":{},"identifier":"*.mmb.ink","issuers":["acme-v02.api.letsencrypt.org-directory"],"renewal":false}}	
2025-01-12T11:23:02	Error	caddy	"error","ts":"2025-01-12T10:23:02Z","logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.mmb.ink","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[*.mmb.ink] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of \"_acme-challenge.mmb.ink.\" (relative=_acme-challenge zone=mmb.ink. resolvers=[127.0.0.1:53 1.1.1.1:53 1.0.0.1:53]): CNAME dns query: dial tcp 1.0.0.1:53: i/o timeout (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/169665893/21945319694) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}	
2025-01-12T11:22:14	Error	caddy	"debug","ts":"2025-01-12T10:22:14Z","logger":"http.stdlib","msg":"http: TLS handshake error from [2400:cb00:470:1000:598b:335c:fd44:5d18]:59666: no certificate available for 'nc.mmb.ink'"}	
2025-01-12T11:22:14	Error	caddy	"debug","ts":"2025-01-12T10:22:14Z","logger":"http.stdlib","msg":"http: TLS handshake error from 172.70.243.130:44080: no certificate available for 'nc.mmb.ink'"}

3. Caddy version:

os-caddy (installed) 1.7.6

4. How I installed and ran Caddy:

as the opnsense plugin

a. System environment:

b. Command:


c. Service/unit/compose file:


d. My complete Caddy config:


# DO NOT EDIT THIS FILE -- OPNsense auto-generated file


# caddy_user=root

# Global Options
{
	log {
		output net unixgram//var/run/caddy/log.sock {
		}
		format json {
			time_format rfc3339
		}
		level DEBUG
	}

	servers {
		protocols h1 h2 h3
	}

	dynamic_dns {
		provider cloudflare (redacted)
		domains {
			mmb.ink @
		}
	}

	email (redacted)
	grace_period 10s
	import /usr/local/etc/caddy/caddy.d/*.global
}

# Reverse Proxy Configuration


# Reverse Proxy Domain: "c7673c81-02f1-4d49-8db8-91876dcf84d7"
*.mmb.ink {
	tls {
		issuer acme {
			dns cloudflare (redacted)
		}
	}

	@29959451-692b-46e8-b592-61aeebf07ad8 {
		host ha.mmb.ink
	}
	handle @29959451-692b-46e8-b592-61aeebf07ad8 {
		handle {
			reverse_proxy homeassistant:8123 {
			}
		}
	}
	@5e3ec597-901c-49f0-8c8d-c8e4a20bff13 {
		host tv.mmb.ink
	}
	handle @5e3ec597-901c-49f0-8c8d-c8e4a20bff13 {
		handle {
			reverse_proxy 10.0.0.10:8096 {
			}
		}
	}
	@caad87fa-3737-4114-aa47-34657f6b6ce5 {
		host pw.mmb.ink
	}
	handle @caad87fa-3737-4114-aa47-34657f6b6ce5 {
		handle {
			reverse_proxy 10.0.0.10:4743 {
			}
		}
	}
	@0c1b3f13-13b1-4484-9709-d8a9a215b435 {
		host img.mmb.ink
	}
	handle @0c1b3f13-13b1-4484-9709-d8a9a215b435 {
		handle {
			reverse_proxy 10.0.0.10:2283 {
			}
		}
	}
	@102724da-a336-4a79-b093-c6301d612733 {
		host nc.mmb.ink
	}
	handle @102724da-a336-4a79-b093-c6301d612733 {
		handle {
			reverse_proxy 10.0.0.10:11000 {
			}
		}
	}
}
# Reverse Proxy Domain: "89826a42-7c63-48f5-9a9e-c6077241c1be"
mmb.ink {
}

import /usr/local/etc/caddy/caddy.d/*.conf

5. Links to relevant resources:

https://docs.opnsense.org/manual/how-tos/caddy.html

Try setting the Resolver setting to 1.1.1.1 in the DNS Provider tab.

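The log lines above name the resolver that the propagation check could not reach; pulling that out of Caddy's JSON systematically is easier than reading the raw entries. The following added example (not from the thread, not OPNsense or Caddy code) parses constructed log lines in the OPNsense viewer's format, assumes the viewer drops Caddy's leading `{"level":`, and reports which configured resolver timed out and which hosts were served no certificate:

```python
import json
import re
from collections import Counter
# Constructed sample (not from the thread) modelled on the OPNsense log viewer: tab-separated
# timestamp/severity/process/message, with Caddy's leading '{"level":' dropped. Placeholder domains.
SAMPLE_LOG = [
    '2025-01-12T11:23:02\tError\tcaddy\t"error","ts":"2025-01-12T10:23:02Z","logger":"tls.obtain",'
    '"msg":"will retry","error":"[*.example.test] Obtain: solving challenges: checking DNS '
    'propagation of \\"_acme-challenge.example.test.\\" (relative=_acme-challenge zone=example.test. '
    'resolvers=[127.0.0.1:53 1.1.1.1:53 1.0.0.1:53]): CNAME dns query: dial tcp 1.0.0.1:53: '
    'i/o timeout (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/0/0)","attempt":5}',
    '2025-01-12T11:23:14\tError\tcaddy\t"debug","ts":"2025-01-12T10:23:14Z","logger":"http.stdlib",'
    '"msg":"http: TLS handshake error from 192.0.2.10:62108: no certificate available for \'nc.example.test\'"}',
]

PROPAGATION_RE = re.compile(r'checking DNS propagation of "(?P<record>[^"]+)" \(relative=\S+ zone=\S+ '
                            r'resolvers=\[(?P<resolvers>[^\]]*)\]\): (?P<detail>.*?)(?: \(order=|$)')
DIAL_RE = re.compile(r'dial (?:tcp|udp) (?P<resolver>\S+?): (?P<err>.+)')
HANDSHAKE_RE = re.compile(r"no certificate available for '(?P<host>[^']+)'")

def parse_line(line):
    """Decode one viewer line into Caddy's JSON object; None if it is not JSON."""
    fields = line.split("\t", 3)
    payload = fields[3] if len(fields) == 4 else line
    if not payload.startswith("{"):
        payload = '{"level":' + payload  # restore the prefix the viewer strips (assumption)
    try:
        return json.loads(payload)
    except json.JSONDecodeError:
        return None

def classify(entry):
    """Finding for a propagation check that could not reach a resolver, or a handshake with no cert."""
    m = PROPAGATION_RE.search(str(entry.get("error", "")))
    if m:
        d = DIAL_RE.search(m.group("detail"))
        return {"kind": "dns_propagation_failed", "ts": entry.get("ts"), "record": m.group("record"),
                "resolvers": m.group("resolvers").split(),
                "failed_resolver": d.group("resolver") if d else None,
                "reason": d.group("err") if d else m.group("detail")}
    h = HANDSHAKE_RE.search(str(entry.get("msg", "")))
    if h:
        return {"kind": "no_certificate", "ts": entry.get("ts"), "host": h.group("host")}
    return None
def analyse(lines):
    """All findings, plus how often each configured resolver was the one that timed out."""
    findings = [f for f in map(classify, filter(None, map(parse_line, lines))) if f]
    unreachable = Counter(f["failed_resolver"] for f in findings
                          if f["kind"] == "dns_propagation_failed" and f["failed_resolver"])
    return findings, unreachable
```

A resolver that appears in `unreachable` but never succeeds is the one to drop from the DNS provider's resolver list; the handshake findings show which hostnames are being hit while no certificate is loaded.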

Hi @moritzbindewald,

Here is a list of issued certificates crt.sh | mmb.ink, the latest being 2025-01-11.
This is the certificate presently being served https://decoder.link/sslchecker/mmb.ink/443, which matches this certificate's serial number crt.sh | 16157247674.
Seems like a certificate was successfully issued and deployed.

This seems to have solved it, thx!!!

