1. The problem I’m having:
I am using Caddy in OPNsense with domains proxied through Cloudflare and Cloudflare as DNS provider. Creating a certificate seems to fail. It worked for a few months before failing now.
2. Error messages and/or full log output:
2025-01-12T11:23:14 Error caddy "debug","ts":"2025-01-12T10:23:14Z","logger":"http.stdlib","msg":"http: TLS handshake error from 162.158.86.36:62108: no certificate available for 'nc.mmb.ink'"}
2025-01-12T11:23:02 Error caddy "error","ts":"2025-01-12T10:23:02Z","logger":"tls.obtain","msg":"will retry","error":"[*.mmb.ink] Obtain: [*.mmb.ink] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of \"_acme-challenge.mmb.ink.\" (relative=_acme-challenge zone=mmb.ink. resolvers=[127.0.0.1:53 1.1.1.1:53 1.0.0.1:53]): CNAME dns query: dial tcp 1.0.0.1:53: i/o timeout (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/169665893/21945319694) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":5,"retrying_in":600,"elapsed":722.646918715,"max_duration":2592000}
2025-01-12T11:23:02 Error caddy "debug","ts":"2025-01-12T10:23:02Z","logger":"events","msg":"event","name":"cert_failed","id":"909fe39d-c4ee-4c61-927e-64dbe2fa7010","origin":"tls","data":{"error":{},"identifier":"*.mmb.ink","issuers":["acme-v02.api.letsencrypt.org-directory"],"renewal":false}}
2025-01-12T11:23:02 Error caddy "error","ts":"2025-01-12T10:23:02Z","logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.mmb.ink","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[*.mmb.ink] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of \"_acme-challenge.mmb.ink.\" (relative=_acme-challenge zone=mmb.ink. resolvers=[127.0.0.1:53 1.1.1.1:53 1.0.0.1:53]): CNAME dns query: dial tcp 1.0.0.1:53: i/o timeout (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/169665893/21945319694) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
2025-01-12T11:22:14 Error caddy "debug","ts":"2025-01-12T10:22:14Z","logger":"http.stdlib","msg":"http: TLS handshake error from [2400:cb00:470:1000:598b:335c:fd44:5d18]:59666: no certificate available for 'nc.mmb.ink'"}
2025-01-12T11:22:14 Error caddy "debug","ts":"2025-01-12T10:22:14Z","logger":"http.stdlib","msg":"http: TLS handshake error from 172.70.243.130:44080: no certificate available for 'nc.mmb.ink'"}
3. Caddy version:
os-caddy (installed) 1.7.6
4. How I installed and ran Caddy:
As the OPNsense plugin.
a. System environment:
b. Command:
c. Service/unit/compose file:
d. My complete Caddy config:
# DO NOT EDIT THIS FILE -- OPNsense auto-generated file
# caddy_user=root

# Global Options
{
    log {
        output net unixgram//var/run/caddy/log.sock {
        }
        format json {
            time_format rfc3339
        }
        level DEBUG
    }

    servers {
        protocols h1 h2 h3
    }

    dynamic_dns {
        provider cloudflare (redacted)
        domains {
            mmb.ink @
        }
    }

    email (redacted)
    grace_period 10s

    import /usr/local/etc/caddy/caddy.d/*.global
}

# Reverse Proxy Configuration

# Reverse Proxy Domain: "c7673c81-02f1-4d49-8db8-91876dcf84d7"
*.mmb.ink {
    tls {
        issuer acme {
            dns cloudflare (redacted)
        }
    }

    @29959451-692b-46e8-b592-61aeebf07ad8 {
        host ha.mmb.ink
    }
    handle @29959451-692b-46e8-b592-61aeebf07ad8 {
        handle {
            reverse_proxy homeassistant:8123 {
            }
        }
    }

    @5e3ec597-901c-49f0-8c8d-c8e4a20bff13 {
        host tv.mmb.ink
    }
    handle @5e3ec597-901c-49f0-8c8d-c8e4a20bff13 {
        handle {
            reverse_proxy 10.0.0.10:8096 {
            }
        }
    }

    @caad87fa-3737-4114-aa47-34657f6b6ce5 {
        host pw.mmb.ink
    }
    handle @caad87fa-3737-4114-aa47-34657f6b6ce5 {
        handle {
            reverse_proxy 10.0.0.10:4743 {
            }
        }
    }

    @0c1b3f13-13b1-4484-9709-d8a9a215b435 {
        host img.mmb.ink
    }
    handle @0c1b3f13-13b1-4484-9709-d8a9a215b435 {
        handle {
            reverse_proxy 10.0.0.10:2283 {
            }
        }
    }

    @102724da-a336-4a79-b093-c6301d612733 {
        host nc.mmb.ink
    }
    handle @102724da-a336-4a79-b093-c6301d612733 {
        handle {
            reverse_proxy 10.0.0.10:11000 {
            }
        }
    }
}

# Reverse Proxy Domain: "89826a42-7c63-48f5-9a9e-c6077241c1be"
mmb.ink {
}

import /usr/local/etc/caddy/caddy.d/*.conf
5. Links to relevant resources:
https://docs.opnsense.org/manual/how-tos/caddy.html
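The tls.obtain errors above say that the DNS propagation check for `_acme-challenge.mmb.ink.` timed out dialling one of the configured resolvers over TCP, which is a different failure from the Cloudflare API rejecting the record. As an added triage helper (not part of this post, the Caddy project or the OPNsense plugin), the script below parses log lines in the OPNsense log-viewer shape shown above and reports, per failed propagation check, the zone, the resolver list and the resolver and transport that failed, so you know exactly which upstream to test from the firewall. The sample lines are constructed copies of the ones in the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: OPNsense viewer prefix followed by the Caddy JSON record,
# with the leading '{"level":' missing exactly as the viewer shows it above.
SAMPLE_LOG = r'''
2025-01-12T11:23:02 Error caddy "error","ts":"2025-01-12T10:23:02Z","logger":"tls.obtain","msg":"will retry","error":"[*.mmb.ink] Obtain: [*.mmb.ink] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of \"_acme-challenge.mmb.ink.\" (relative=_acme-challenge zone=mmb.ink. resolvers=[127.0.0.1:53 1.1.1.1:53 1.0.0.1:53]): CNAME dns query: dial tcp 1.0.0.1:53: i/o timeout (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/169665893/21945319694) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":5,"retrying_in":600}
2025-01-12T11:23:14 Error caddy "debug","ts":"2025-01-12T10:23:14Z","logger":"http.stdlib","msg":"http: TLS handshake error from 162.158.86.36:62108: no certificate available for 'nc.mmb.ink'"}
'''

# Regexes work on the raw text, so truncated or prefixed JSON still parses.
PROPAGATION_RE = re.compile(
    r'checking DNS propagation of \\"(?P<name>[^\\"]+)\\" '
    r'\(relative=(?P<relative>\S+) zone=(?P<zone>\S+) resolvers=\[(?P<resolvers>[^\]]*)\]\)'
)
DIAL_RE = re.compile(r'dial (?P<net>tcp|udp) (?P<addr>\S+?): (?P<reason>[^(]+?)(?: \(order=|$)')
TS_RE = re.compile(r'"ts":"(?P<ts>[^"]+)"')


@dataclass
class DnsCheckFailure:
    ts: str
    record: str                      # name whose propagation certmagic was checking
    zone: str
    resolvers: List[str]             # every resolver the check was configured with
    failed_resolver: Optional[str]   # the one whose dial failed, if the line says
    network: Optional[str]           # "tcp" or "udp" as logged
    reason: Optional[str]


def parse_failures(log_text: str) -> List[DnsCheckFailure]:
    """Return one entry per log line that records a failed propagation check."""
    found = []
    for line in log_text.splitlines():
        m = PROPAGATION_RE.search(line)
        if not m:
            continue  # e.g. the "no certificate available" handshake noise
        d = DIAL_RE.search(line)
        ts = TS_RE.search(line)
        found.append(DnsCheckFailure(
            ts=ts.group("ts") if ts else "",
            record=m.group("name"),
            zone=m.group("zone"),
            resolvers=m.group("resolvers").split(),
            failed_resolver=d.group("addr") if d else None,
            network=d.group("net") if d else None,
            reason=d.group("reason").strip() if d else None,
        ))
    return found


def summarize(failures: List[DnsCheckFailure]) -> List[str]:
    """Collapse retries into one line per (zone, resolver, transport, reason)."""
    counts = {}
    for f in failures:
        key = (f.zone, f.failed_resolver, f.network, f.reason)
        counts[key] = counts.get(key, 0) + 1
    return [f"{z}: {n}x {net} query to {r} failed: {why}"
            for (z, r, net, why), n in counts.items()]


if __name__ == "__main__":
    for line in summarize(parse_failures(SAMPLE_LOG)):
        print(line)
```

Feed it the lines from the OPNsense log viewer; the resolver it names (here 1.0.0.1:53 over TCP) is the one to test from the firewall itself, since the check runs there and not on the proxied host.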