Caddy is unable to fetch certificates for new domain

1. Caddy version (caddy version):

v2.5.0 h1:eRHzZ4l3X6Ag3kUt8nj5IxATprhqKq/wToP7OHlXWA0=

2. How I run Caddy:

Linux Systemd

a. System environment:

$ uname -a
Linux 5.13.0-1025-raspi #27-Ubuntu SMP PREEMPT Tue Apr 5 12:05:22 UTC 2022 aarch64 aarch64 aarch64 GNU/Linux

b. Command:

sudo service caddy start

c. Service/unit/compose file:

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddyfile or JSON config:

{
        servers {
                protocol {
                        experimental_http3
                }
        }
}

tucablanca.narwhal-nominal.ts.net, metricas.pinayalcachofa.es {
        encode zstd gzip
        reverse_proxy localhost:3000
}

3. The problem I’m having:

I’m trying to add a new domain (metricas.pinayalcachofa.es) to my existing configuration that was working just fine.

4. Error messages and/or full log output:

May 04 12:59:16 tucaBlanca systemd[1]: Reloaded Caddy.
May 04 12:59:17 tucaBlanca caddy[123825]: {"level":"info","ts":1651669157.79132,"logger":"tls.obtain","msg":"lock acquired","identifier":"metricas.pinayalcachofa.es"}
May 04 12:59:17 tucaBlanca caddy[123825]: {"level":"info","ts":1651669157.7960844,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["metricas.pinayalcachofa.es"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"plorenzo@hey.com"}
May 04 12:59:17 tucaBlanca caddy[123825]: {"level":"info","ts":1651669157.7962883,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["metricas.pinayalcachofa.es"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"plorenzo@hey.com"}
May 04 12:59:19 tucaBlanca caddy[123825]: {"level":"info","ts":1651669159.1608107,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"metricas.pinayalcachofa.es","challenge_type":"tls-alpn-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
May 04 12:59:20 tucaBlanca caddy[123825]: {"level":"error","ts":1651669160.3862174,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"metricas.pinayalcachofa.es","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:tls","title":"","detail":"156.249.12.173: remote error: tls: internal error","instance":"","subproblems":[]}}
May 04 12:59:20 tucaBlanca caddy[123825]: {"level":"error","ts":1651669160.3864515,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"metricas.pinayalcachofa.es","problem":{"type":"urn:ietf:params:acme:error:tls","title":"","detail":"156.249.12.173: remote error: tls: internal error","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/528443056/85731870216","attempt":1,"max_attempts":3}
May 04 12:59:21 tucaBlanca caddy[123825]: {"level":"info","ts":1651669161.9948442,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"metricas.pinayalcachofa.es","challenge_type":"http-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
May 04 12:59:23 tucaBlanca caddy[123825]: {"level":"error","ts":1651669163.6842563,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"metricas.pinayalcachofa.es","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:tls","title":"","detail":"156.249.12.173: Fetching https://metricas.pinayalcachofa.es/.well-known/acme-challenge/GsQdxxJpgWzDudQWUc_GHw9JzU5XlhzABaUeVQKhxT0: remote error: tls: internal error","instance":"","subproblems":[]}}
May 04 12:59:23 tucaBlanca caddy[123825]: {"level":"error","ts":1651669163.6845248,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"metricas.pinayalcachofa.es","problem":{"type":"urn:ietf:params:acme:error:tls","title":"","detail":"156.249.12.173: Fetching https://metricas.pinayalcachofa.es/.well-known/acme-challenge/GsQdxxJpgWzDudQWUc_GHw9JzU5XlhzABaUeVQKhxT0: remote error: tls: internal error","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/528443056/85731879576","attempt":2,"max_attempts":3}
May 04 12:59:23 tucaBlanca caddy[123825]: {"level":"error","ts":1651669163.6847627,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"metricas.pinayalcachofa.es","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:tls - 156.249.12.173: Fetching https://metricas.pinayalcachofa.es/.well-known/acme-challenge/GsQdxxJpgWzDudQWUc_GHw9JzU5XlhzABaUeVQKhxT0: remote error: tls: internal error"}
May 04 12:59:23 tucaBlanca caddy[123825]: {"level":"info","ts":1651669163.687205,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["metricas.pinayalcachofa.es"],"ca":"https://acme.zerossl.com/v2/DV90","account":"plorenzo@hey.com"}
May 04 12:59:23 tucaBlanca caddy[123825]: {"level":"info","ts":1651669163.6873858,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["metricas.pinayalcachofa.es"],"ca":"https://acme.zerossl.com/v2/DV90","account":"plorenzo@hey.com"}
May 04 12:59:24 tucaBlanca caddy[123825]: {"level":"error","ts":1651669164.9179,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"metricas.pinayalcachofa.es","issuer":"acme.zerossl.com-v2-DV90","error":"[metricas.pinayalcachofa.es] creating new order: fetching new nonce from server: HTTP 500:  (ca=https://acme.zerossl.com/v2/DV90)"}
May 04 12:59:24 tucaBlanca caddy[123825]: {"level":"error","ts":1651669164.9181328,"logger":"tls.obtain","msg":"will retry","error":"[metricas.pinayalcachofa.es] Obtain: [metricas.pinayalcachofa.es] creating new order: fetching new nonce from server: HTTP 500:  (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":7.126639868,"max_duration":2592000}
May 04 13:00:26 tucaBlanca caddy[123825]: {"level":"info","ts":1651669226.0745986,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"metricas.pinayalcachofa.es","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
May 04 13:00:27 tucaBlanca caddy[123825]: {"level":"error","ts":1651669227.2416818,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"metricas.pinayalcachofa.es","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:tls","title":"","detail":"156.249.12.173: remote error: tls: internal error","instance":"","subproblems":[]}}
May 04 13:00:27 tucaBlanca caddy[123825]: {"level":"error","ts":1651669227.2419264,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"metricas.pinayalcachofa.es","problem":{"type":"urn:ietf:params:acme:error:tls","title":"","detail":"156.249.12.173: remote error: tls: internal error","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/53007614/2483555194","attempt":1,"max_attempts":3}
May 04 13:00:28 tucaBlanca caddy[123825]: {"level":"info","ts":1651669228.6962085,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"metricas.pinayalcachofa.es","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
May 04 13:00:29 tucaBlanca caddy[123825]: {"level":"error","ts":1651669229.8588178,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"metricas.pinayalcachofa.es","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:tls","title":"","detail":"156.249.12.173: Fetching https://metricas.pinayalcachofa.es/.well-known/acme-challenge/PcHwDS4kpVwVDIMf90Js1N3jKq0OUA3dT8K8JWsIQuI: remote error: tls: internal error","instance":"","subproblems":[]}}
May 04 13:00:29 tucaBlanca caddy[123825]: {"level":"error","ts":1651669229.8590786,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"metricas.pinayalcachofa.es","problem":{"type":"urn:ietf:params:acme:error:tls","title":"","detail":"156.249.12.173: Fetching https://metricas.pinayalcachofa.es/.well-known/acme-challenge/PcHwDS4kpVwVDIMf90Js1N3jKq0OUA3dT8K8JWsIQuI: remote error: tls: internal error","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/53007614/2483555584","attempt":2,"max_attempts":3}
May 04 13:00:29 tucaBlanca caddy[123825]: {"level":"error","ts":1651669229.8593311,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"metricas.pinayalcachofa.es","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:tls - 156.249.12.173: Fetching https://metricas.pinayalcachofa.es/.well-known/acme-challenge/PcHwDS4kpVwVDIMf90Js1N3jKq0OUA3dT8K8JWsIQuI: remote error: tls: internal error"}
May 04 13:01:01 tucaBlanca caddy[123825]: {"level":"info","ts":1651669261.5975342,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"metricas.pinayalcachofa.es","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}

5. What I already tried:

I’ve tried reloading the config and waiting for a while to avoid rate limiters. I’ve also tried splitting the block in two, like:

tucablanca.narwhal-nominal.ts.net {
        encode zstd gzip
        reverse_proxy localhost:3000
}

metricas.pinayalcachofa.es {
        encode zstd gzip
        reverse_proxy localhost:3000
}

Same result: the certificate is not fetched, while the previous domain (tucablanca.narwhal-nominal.ts.net) works just fine.

I feel like the issue may be here:

May 04 12:59:20 tucaBlanca caddy[123825]: {"level":"error","ts":1651669160.3862174,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"metricas.pinayalcachofa.es","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:tls","title":"","detail":"156.249.12.173: remote error: tls: internal error","instance":"","subproblems":[]}}

I’m not sure if it’s normal for "title":"" and "subproblems":[] to be empty.

Maybe it has something to do with trying to serve a Tailscale domain and a normal domain in the same block?

Any help is welcome :slight_smile:

Update: now the certificate for the old domain (tucablanca.narwhal-nominal.ts.net) is gone.

May 04 14:19:05 tucaBlanca caddy[125376]: {"level":"debug","ts":1651673945.7146585,"logger":"http.stdlib","msg":"http: TLS handshake error from 100.106.90.42:61450: no certificate available for 'tucablanca.narwhal-nominal.ts.net'"}

And even reverting the Caddyfile to the original state and restarting Caddy won’t get new ones.

May 04 14:20:58 tucaBlanca caddy[125376]: {"level":"info","ts":1651674058.7480574,"msg":"shutting down apps, then terminating","signal":"SIGTERM"}
May 04 14:20:58 tucaBlanca caddy[125376]: {"level":"warn","ts":1651674058.748234,"msg":"exiting; byeee!! 👋","signal":"SIGTERM"}
May 04 14:20:58 tucaBlanca systemd[1]: Stopping Caddy...
May 04 14:20:58 tucaBlanca caddy[125376]: {"level":"info","ts":1651674058.772287,"logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0x4000210770"}
May 04 14:20:58 tucaBlanca caddy[125376]: {"level":"info","ts":1651674058.7942314,"logger":"admin","msg":"stopped previous server","address":"tcp/localhost:2019"}
May 04 14:20:58 tucaBlanca caddy[125376]: {"level":"info","ts":1651674058.7944574,"msg":"shutdown complete","signal":"SIGTERM","exit_code":0}
May 04 14:20:58 tucaBlanca systemd[1]: caddy.service: Deactivated successfully.
May 04 14:20:58 tucaBlanca systemd[1]: Stopped Caddy.
May 04 14:20:58 tucaBlanca systemd[1]: caddy.service: Consumed 1.356s CPU time.
May 04 14:20:58 tucaBlanca systemd[1]: Starting Caddy...
May 04 14:20:59 tucaBlanca caddy[126138]: caddy.HomeDir=/var/lib/caddy
May 04 14:20:59 tucaBlanca caddy[126138]: caddy.AppDataDir=/var/lib/caddy/.local/share/caddy
May 04 14:20:59 tucaBlanca caddy[126138]: caddy.AppConfigDir=/var/lib/caddy/.config/caddy
May 04 14:20:59 tucaBlanca caddy[126138]: caddy.ConfigAutosavePath=/var/lib/caddy/.config/caddy/autosave.json
May 04 14:20:59 tucaBlanca caddy[126138]: caddy.Version=v2.5.0 h1:eRHzZ4l3X6Ag3kUt8nj5IxATprhqKq/wToP7OHlXWA0=
May 04 14:20:59 tucaBlanca caddy[126138]: runtime.GOOS=linux
May 04 14:20:59 tucaBlanca caddy[126138]: runtime.GOARCH=arm64
May 04 14:20:59 tucaBlanca caddy[126138]: runtime.Compiler=gc
May 04 14:20:59 tucaBlanca caddy[126138]: runtime.NumCPU=4
May 04 14:20:59 tucaBlanca caddy[126138]: runtime.GOMAXPROCS=4
May 04 14:20:59 tucaBlanca caddy[126138]: runtime.Version=go1.18.1
May 04 14:20:59 tucaBlanca caddy[126138]: os.Getwd=/
May 04 14:20:59 tucaBlanca caddy[126138]: LANG=C.UTF-8
May 04 14:20:59 tucaBlanca caddy[126138]: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
May 04 14:20:59 tucaBlanca caddy[126138]: NOTIFY_SOCKET=/run/systemd/notify
May 04 14:20:59 tucaBlanca caddy[126138]: HOME=/var/lib/caddy
May 04 14:20:59 tucaBlanca caddy[126138]: LOGNAME=caddy
May 04 14:20:59 tucaBlanca caddy[126138]: USER=caddy
May 04 14:20:59 tucaBlanca caddy[126138]: INVOCATION_ID=dd6c23e3a2aa4b5aa1b40a52c7d9d2b4
May 04 14:20:59 tucaBlanca caddy[126138]: JOURNAL_STREAM=8:892963
May 04 14:20:59 tucaBlanca caddy[126138]: SYSTEMD_EXEC_PID=126138
May 04 14:20:59 tucaBlanca caddy[126138]: {"level":"info","ts":1651674059.2444057,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
May 04 14:20:59 tucaBlanca caddy[126138]: {"level":"info","ts":1651674059.2635627,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["//[::1]:2019","//127.0.0.1:2019","//localhost:2019"]}
May 04 14:20:59 tucaBlanca caddy[126138]: {"level":"info","ts":1651674059.2648993,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
May 04 14:20:59 tucaBlanca caddy[126138]: {"level":"info","ts":1651674059.2651174,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
May 04 14:20:59 tucaBlanca caddy[126138]: {"level":"info","ts":1651674059.2683725,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/var/lib/caddy/.local/share/caddy"}
May 04 14:20:59 tucaBlanca caddy[126138]: {"level":"info","ts":1651674059.268594,"logger":"http","msg":"enabling experimental HTTP/3 listener","addr":":443"}
May 04 14:20:59 tucaBlanca caddy[126138]: {"level":"info","ts":1651674059.2686489,"logger":"tls","msg":"finished cleaning storage units"}
May 04 14:20:59 tucaBlanca caddy[126138]: {"level":"debug","ts":1651674059.2705564,"logger":"http","msg":"starting server loop","address":"[::]:443","http3":true,"tls":true}
May 04 14:20:59 tucaBlanca caddy[126138]: {"level":"debug","ts":1651674059.2711685,"logger":"http","msg":"starting server loop","address":"[::]:80","http3":false,"tls":false}
May 04 14:20:59 tucaBlanca caddy[126138]: {"level":"info","ts":1651674059.272643,"msg":"autosaved config (load with --resume flag)","file":"/var/lib/caddy/.config/caddy/autosave.json"}
May 04 14:20:59 tucaBlanca caddy[126138]: {"level":"info","ts":1651674059.2733967,"msg":"serving initial configuration"}
May 04 14:20:59 tucaBlanca systemd[1]: Started Caddy.
May 04 14:20:59 tucaBlanca caddy[126138]: {"level":"info","ts":1651674059.274118,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x40003b9e30"}
May 04 14:21:10 tucaBlanca caddy[126138]: {"level":"debug","ts":1651674070.5502234,"logger":"admin.api","msg":"received request","method":"GET","host":"localhost:2019","uri":"/metrics","remote_ip":"127.0.0.1","remote_port":"36214","headers":{"Accept":["application/openmetrics-text; version=0.0.1,text/plain;version=0.0.4;q=0.5,*/*;q=0.1"],"Accept-Encoding":["gzip"],"User-Agent":["Prometheus/2.33.5"],"X-Prometheus-Scrape-Timeout-Seconds":["10"]}}
May 04 14:21:21 tucaBlanca caddy[126138]: {"level":"debug","ts":1651674081.0562875,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"tucablanca.narwhal-nominal.ts.net"}
May 04 14:21:21 tucaBlanca caddy[126138]: {"level":"debug","ts":1651674081.056424,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.narwhal-nominal.ts.net"}
May 04 14:21:21 tucaBlanca caddy[126138]: {"level":"debug","ts":1651674081.0564725,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.ts.net"}
May 04 14:21:21 tucaBlanca caddy[126138]: {"level":"debug","ts":1651674081.05651,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.net"}
May 04 14:21:21 tucaBlanca caddy[126138]: {"level":"debug","ts":1651674081.056554,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.*"}

Is that your server’s IP? If so, something is terminating TLS and blocking the connection from Let’s Encrypt.

Yes, it is.

Hmm, what could that be?

I have more domains hosted on another server behind the same router (same IP, e.g. chat.pinayalcachofa.es) and I don’t have any issue getting or renewing certificates.

Update 2: now I’m extremely confused.

Because of what you mentioned @matt I went to see the Caddy logs for my other server and I found a ton of TLS errors from Caddy trying to get a certificate for metricas.pinayalcachofa.es, which is not configured on this server :exploding_head:

May 04 08:53:27 azabache caddy[16234]: {"level":"info","ts":1651654407.7590532,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/var/lib/caddy/.local/share/caddy"}
May 04 08:53:27 azabache caddy[16234]: {"level":"info","ts":1651654407.7820816,"logger":"tls","msg":"finished cleaning storage units"}
May 04 12:29:43 azabache caddy[16234]: {"level":"error","ts":1651667383.7601256,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"metricas.pinayalcachofa.es","error":"no information found to solve challenge for identifier: metricas.pinayalcachofa.es"}
May 04 12:29:43 azabache caddy[16234]: {"level":"error","ts":1651667383.761205,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"metricas.pinayalcachofa.es","error":"no information found to solve challenge for identifier: metricas.pinayalcachofa.es"}
May 04 12:29:43 azabache caddy[16234]: {"level":"error","ts":1651667383.7834108,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"metricas.pinayalcachofa.es","error":"no information found to solve challenge for identifier: metricas.pinayalcachofa.es"}
May 04 12:29:43 azabache caddy[16234]: {"level":"error","ts":1651667383.7837973,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"metricas.pinayalcachofa.es","error":"no information found to solve challenge for identifier: metricas.pinayalcachofa.es"}
May 04 12:29:43 azabache caddy[16234]: {"level":"error","ts":1651667383.7927444,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"metricas.pinayalcachofa.es","error":"no information found to solve challenge for identifier: metricas.pinayalcachofa.es"}
May 04 12:29:43 azabache caddy[16234]: {"level":"error","ts":1651667383.7932332,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"metricas.pinayalcachofa.es","error":"no information found to solve challenge for identifier: metricas.pinayalcachofa.es"}
May 04 12:29:44 azabache caddy[16234]: {"level":"error","ts":1651667384.0178933,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"metricas.pinayalcachofa.es","error":"no information found to solve challenge for identifier: metricas.pinayalcachofa.es"}
May 04 12:29:44 azabache caddy[16234]: {"level":"error","ts":1651667384.0182006,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"metricas.pinayalcachofa.es","error":"no information found to solve challenge for identifier: metricas.pinayalcachofa.es"}
May 04 12:29:46 azabache caddy[16234]: {"level":"error","ts":1651667386.8850777,"logger":"tls","msg":"tls-alpn challenge","server_name":"metricas.pinayalcachofa.es","error":"no information found to solve challenge for identifier: metricas.pinayalcachofa.es"}
May 04 12:29:46 azabache caddy[16234]: {"level":"error","ts":1651667386.9079728,"logger":"tls","msg":"tls-alpn challenge","server_name":"metricas.pinayalcachofa.es","error":"no information found to solve challenge for identifier: metricas.pinayalcachofa.es"}
May 04 12:29:46 azabache caddy[16234]: {"level":"error","ts":1651667386.9692585,"logger":"tls","msg":"tls-alpn challenge","server_name":"metricas.pinayalcachofa.es","error":"no information found to solve challenge for identifier: metricas.pinayalcachofa.es"}
May 04 12:29:47 azabache caddy[16234]: {"level":"error","ts":1651667387.2045543,"logger":"tls","msg":"tls-alpn challenge","server_name":"metricas.pinayalcachofa.es","error":"no information found to solve challenge for identifier: metricas.pinayalcachofa.es"}
May 04 12:30:47 azabache caddy[16234]: {"level":"error","ts":1651667447.7451453,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"metricas.pinayalcachofa.es","error":"no information found to solve challenge for identifier: metricas.pinayalcachofa.es"}
May 04 12:30:47 azabache caddy[16234]: {"level":"error","ts":1651667447.7454636,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"metricas.pinayalcachofa.es","error":"no information found to solve challenge for identifier: metricas.pinayalcachofa.es"}
May 04 12:30:56 azabache caddy[16234]: {"level":"error","ts":1651667456.8117285,"logger":"tls","msg":"tls-alpn challenge","server_name":"metricas.pinayalcachofa.es","error":"no information found to solve challenge for identifier: metricas.pinayalcachofa.es"}
May 04 12:30:56 azabache caddy[16234]: {"level":"error","ts":1651667456.825632,"logger":"tls","msg":"tls-alpn challenge","server_name":"metricas.pinayalcachofa.es","error":"no information found to solve challenge for identifier: metricas.pinayalcachofa.es"}
May 04 12:30:57 azabache caddy[16234]: {"level":"error","ts":1651667457.009415,"logger":"tls","msg":"tls-alpn challenge","server_name":"metricas.pinayalcachofa.es","error":"no information found to solve challenge for identifier: metricas.pinayalcachofa.es"}
May 04 12:30:59 azabache caddy[16234]: {"level":"error","ts":1651667459.113516,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"metricas.pinayalcachofa.es","error":"no information found to solve challenge for identifier: metricas.pinayalcachofa.es"}
May 04 12:30:59 azabache caddy[16234]: {"level":"error","ts":1651667459.1140215,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"metricas.pinayalcachofa.es","error":"no information found to solve challenge for identifier: metricas.pinayalcachofa.es"}
May 04 12:30:59 azabache caddy[16234]: {"level":"error","ts":1651667459.1449306,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"metricas.pinayalcachofa.es","error":"no information found to solve challenge for identifier: metricas.pinayalcachofa.es"}
May 04 12:30:59 azabache caddy[16234]: {"level":"error","ts":1651667459.1455016,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"metricas.pinayalcachofa.es","error":"no information found to solve challenge for identifier: metricas.pinayalcachofa.es"}
May 04 12:30:59 azabache caddy[16234]: {"level":"error","ts":1651667459.2091477,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"metricas.pinayalcachofa.es","error":"no information found to solve challenge for identifier: metricas.pinayalcachofa.es"}

Am I missing something here? Is this normal?

Are you sure you have both ports 80 and 443 port-forwarded to the right server? It reads to me like requests on port 80 are hitting the wrong server, but 443 hits the right one.

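The cross-check this reply is asking for can be done from the logs alone, before touching the router: the host that logs "challenge failed" is the one asking the CA for the certificate, and any other host that logs "no information found to solve challenge" for the same name is the one the CA's validator actually reached. The following script is an added example for this thread; it is not part of the original post and not Caddy's own tooling. It parses journald-wrapped Caddy JSON lines from several hosts and flags names whose validator traffic lands on a host that never requested them. The sample journal inside it is constructed to match the shape of the lines posted above; the public IP 203.0.113.10, the challenge token and the second domain are placeholders, not values from a live system. The "remote error: tls: internal error" the CA reports is what a Go TLS server sends when its certificate callback fails, which is how a Caddy instance that holds no challenge certificate for that SNI answers the validator, so both sides of the story are consistent with ports 80 and 443 being forwarded to the wrong box.

```python
"""Correlate Caddy JSON logs from several hosts to find misrouted ACME challenges."""
import json
import re
from collections import defaultdict

# journald prefix as posted in the thread: "May 04 12:59:20 tucaBlanca caddy[123825]: {...}"
_JOURNAL_RE = re.compile(
    r"^\w{3} \d{2} \d{2}:\d{2}:\d{2} (?P<host>\S+) caddy\[\d+\]: (?P<json>\{.*\})$"
)

# Logged by the Caddy that is *requesting* the certificate (its ACME client).
_CLIENT_FAILED = "challenge failed"
# Logged by a Caddy that *received* a validator connection for a name it is not solving.
_RECEIVER_MSGS = {"looking up info for HTTP challenge", "tls-alpn challenge"}
_NO_INFO = "no information found to solve challenge"

# Constructed sample (placeholders, not a live capture): tucaBlanca asks for the cert,
# azabache answers the validator; other.example.net fails with no receiver at all.
SAMPLE_JOURNAL = """\
May 04 12:59:19 azabache caddy[16234]: {"level":"error","ts":1651669159.5,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"metricas.pinayalcachofa.es","error":"no information found to solve challenge for identifier: metricas.pinayalcachofa.es"}
May 04 12:59:20 tucaBlanca caddy[123825]: {"level":"error","ts":1651669160.38,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"metricas.pinayalcachofa.es","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:tls","detail":"203.0.113.10: remote error: tls: internal error"}}
May 04 12:59:22 azabache caddy[16234]: {"level":"error","ts":1651669162.1,"logger":"tls","msg":"tls-alpn challenge","server_name":"metricas.pinayalcachofa.es","error":"no information found to solve challenge for identifier: metricas.pinayalcachofa.es"}
May 04 12:59:23 tucaBlanca caddy[123825]: {"level":"error","ts":1651669163.68,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"metricas.pinayalcachofa.es","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:tls","detail":"203.0.113.10: Fetching https://metricas.pinayalcachofa.es/.well-known/acme-challenge/TOKEN: remote error: tls: internal error"}}
May 04 12:59:23 tucaBlanca systemd[1]: Reloaded Caddy.
May 04 13:05:00 azabache caddy[16234]: {"level":"error","ts":1651669500.0,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"other.example.net","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:connection","detail":"203.0.113.10: Fetching http://other.example.net/.well-known/acme-challenge/TOKEN: Connection refused"}}
"""


def parse_journal(text):
    """Yield (host, event) for each journald line wrapping a Caddy JSON entry.
    Non-JSON lines (systemd status, --environ dumps) are skipped."""
    for line in text.splitlines():
        m = _JOURNAL_RE.match(line.strip())
        if not m:
            continue
        try:
            event = json.loads(m.group("json"))
        except json.JSONDecodeError:
            continue
        yield m.group("host"), event


def diagnose(text):
    """Group challenge events by identifier; a name is 'misrouted' when some host
    received validator traffic for it without ever requesting it."""
    report = defaultdict(
        lambda: {"requested_by": set(), "received_by": set(), "validator_ips": set()}
    )
    for host, ev in parse_journal(text):
        msg = ev.get("msg", "")
        if msg == _CLIENT_FAILED and ev.get("logger", "").startswith("tls.issuance.acme"):
            name = ev["identifier"]
            report[name]["requested_by"].add(host)
            # Caddy prefixes the CA's detail with the IP the validator connected to.
            ip = ev.get("problem", {}).get("detail", "").split(":", 1)[0]
            if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", ip):
                report[name]["validator_ips"].add(ip)
        elif msg in _RECEIVER_MSGS and _NO_INFO in ev.get("error", ""):
            name = ev.get("host") or ev.get("server_name")
            report[name]["received_by"].add(host)
    return {
        name: {**r, "misrouted": bool(r["received_by"] - r["requested_by"])}
        for name, r in report.items()
    }


def explain(result):
    """Turn the report into one actionable line per problematic identifier."""
    lines = []
    for name, r in sorted(result.items()):
        if r["misrouted"]:
            lines.append(
                f"{name}: requested by {sorted(r['requested_by'])} but the validator "
                f"reached {sorted(r['received_by'])}; ports 80/443 on "
                f"{sorted(r['validator_ips'])} are forwarded to the wrong host"
            )
        elif r["requested_by"] and not r["received_by"]:
            lines.append(
                f"{name}: challenges failed on {sorted(r['requested_by'])} with no "
                "matching receiver log; collect logs from the other hosts behind that IP"
            )
    return lines


if __name__ == "__main__":
    for line in explain(diagnose(SAMPLE_JOURNAL)):
        print(line)
```

Feed it the concatenated output of `journalctl -u caddy -o cat`-style exports from every host behind the same public IP (the prefix regex expects the default short journal format shown in the thread); a name that shows up as requested on one host and received on another is a port-forwarding problem, not a Caddy or Tailscale one.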

That’s common if someone else points to your IP, or used to use your IP address before you had it.


My bad, indeed both :80 and :443 are being forwarded to the other server, so I just reverse_proxy from there and now it’s working just fine. Thanks for the pointers!

Anyway, now I wonder how the Tailscale domain managed to get the certificate in the first place… I always had the 2 servers and I’ve never touched the network configuration


Tailscale can break through anything :joy:

Sorry to open this again, but now my main server (the one :80 and :443 are forwarded to) has stopped having a certificate for my Tailscale domain, while the other 3 domains I’m serving from the same Caddy instance are working just fine.

May 06 13:40:14 azabache caddy[328148]: {"level":"debug","ts":1651844414.714738,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"azabache.narwhal-nominal.ts.net"}
May 06 13:40:14 azabache caddy[328148]: {"level":"debug","ts":1651844414.7148476,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.narwhal-nominal.ts.net"}
May 06 13:40:14 azabache caddy[328148]: {"level":"debug","ts":1651844414.7149622,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.ts.net"}
May 06 13:40:14 azabache caddy[328148]: {"level":"debug","ts":1651844414.7150018,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.net"}
May 06 13:40:14 azabache caddy[328148]: {"level":"debug","ts":1651844414.7150383,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.*"}
May 06 13:40:14 azabache caddy[328148]: {"level":"debug","ts":1651844414.715091,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","server_name":"azabache.narwhal-nominal.ts.net","remote":"100.106.90.42:50309","identifier":"azabache.narwhal-nominal.ts.net","cipher_suites":[4865,4867,4866,49195,49199,52393,52392,49196,49200,49162,49161,49171,49172,156,157,47,53],"cert_cache_fill":0.0003,"load_if_necessary":true,"obtain_if_necessary":true,"on_demand":false}
May 06 13:40:14 azabache caddy[328148]: {"level":"debug","ts":1651844414.7153354,"logger":"http.stdlib","msg":"http: TLS handshake error from 100.106.90.42:50309: no certificate available for 'azabache.narwhal-nominal.ts.net'"}

Update to include Caddyfile

{
        debug
        servers {
                protocol {
                        experimental_http3
                }
        }
}

azabache.narwhal-nominal.ts.net {
        encode zstd gzip
        rewrite * /admin{uri}
        reverse_proxy localhost:1080
        log {
                output file /var/log/caddy/pihole.log
        }
}

chat.pinayalcachofa.es {
        encode zstd gzip
        reverse_proxy localhost:3000
        log {
                output file /var/log/caddy/rocket-chat.log
        }
}

manual.pinayalcachofa.es {
        encode zstd gzip
        reverse_proxy unix//var/discourse/shared/standalone/nginx.http.sock
        log {
                output file /var/log/caddy/discourse.log
        }
}

metricas.pinayalcachofa.es {
        encode zstd gzip
        reverse_proxy 192.168.10.65:3000
        log {
                output file /var/log/caddy/grafana.log
        }
}

Update 2:

After being stuck on this for a while I’ve decided to open a new topic, as it’s a different issue: No matching certificate for Tailscale domain