Caddy on Windows - could not get certificate from issuer

1. The problem I’m having:

I've just started to check out Caddy on Windows.
I downloaded caddy.exe and ran it.
But I see an error when getting a certificate.
I checked, and Windows Firewall contains all permissions for caddy.exe.
What could I be missing?

2. Error messages and/or full log output:

2023/08/09 20:23:20.377 INFO   using adjacent Caddyfile
2023/08/09 20:23:20.458 WARN   Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies    {"adapter": "caddyfile", "file": "Caddyfile", "line": 1}
2023/08/09 20:23:20.469 INFO   admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2023/08/09 20:23:20.500 INFO   tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc0000ca380"}
2023/08/09 20:23:20.510 INFO   http.auto_https server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2023/08/09 20:23:20.561 INFO   http.auto_https enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2023/08/09 20:23:20.581 INFO   http    enabling HTTP/3 listener        {"addr": ":443"}
2023/08/09 20:23:20.581 INFO   tls     cleaning storage unit   {"description": "FileStorage:C:\\Users\\ыва\\AppData\\Roaming\\Caddy"}
2023/08/09 20:23:20.667 INFO   tls     finished cleaning storage units
2023/08/09 20:23:20.681 INFO   http.log        server running  {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2023/08/09 20:23:20.681 INFO   http.log        server running  {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2023/08/09 20:23:20.681 INFO   http    enabling automatic TLS certificate management   {"domains": ["example.com"]}
2023/08/09 20:23:20.690 INFO   autosaved config (load with --resume flag)      {"file": "C:\\Users\\ыва\\AppData\\Roaming\\Caddy\\autosave.json"}
2023/08/09 20:23:20.690 INFO   serving initial configuration
2023/08/09 20:23:20.714 INFO   tls.obtain      acquiring lock  {"identifier": "example.com"}
2023/08/09 20:23:20.719 INFO   tls.obtain      lock acquired   {"identifier": "example.com"}
2023/08/09 20:23:20.719 INFO   tls.obtain      obtaining certificate   {"identifier": "example.com"}
2023/08/09 20:23:20.758 INFO   http    waiting on internal rate limiter        {"identifiers": ["example.com"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2023/08/09 20:23:20.758 INFO   http    done waiting on internal rate limiter   {"identifiers": ["example.com"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2023/08/09 20:23:21.723 ERROR  tls.obtain      could not get certificate from issuer   {"identifier": "example.com", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Error creating new order :: Cannot issue for \"example.com\": The ACME server refuses to issue a certificate for this domain name, because it is forbidden by policy"}
2023/08/09 20:23:21.726 INFO   http    waiting on internal rate limiter        {"identifiers": ["example.com"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "caddy@zerossl.com"}
2023/08/09 20:23:21.726 INFO   http    done waiting on internal rate limiter   {"identifiers": ["example.com"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "caddy@zerossl.com"}
2023/08/09 20:23:23.235 INFO   http.acme_client        trying to solve challenge       {"identifier": "example.com", "challenge_type": "http-01", "ca": "https://acme.zerossl.com/v2/DV90"}
2023/08/09 20:23:29.218 ERROR  http.acme_client        challenge failed        {"identifier": "example.com", "challenge_type": "http-01", "problem": {"type": "", "title": "", "detail": "", "instance": "", "subproblems": []}}
2023/08/09 20:23:38.213 ERROR  http.acme_client        validating authorization        {"identifier": "example.com", "problem": {"type": "", "title": "", "detail": "", "instance": "", "subproblems": []}, "order": "https://acme.zerossl.com/v2/DV90/order/kkt_D_JfotAVh8A30yc-Pg", "attempt": 1, "max_attempts": 3}
2023/08/09 20:23:38.232 ERROR  tls.obtain      could not get certificate from issuer   {"identifier": "example.com", "issuer": "acme.zerossl.com-v2-DV90", "error": "HTTP 0  - "}
2023/08/09 20:23:38.238 ERROR  tls.obtain      will retry      {"error": "[example.com] Obtain: [example.com] solving challenge: example.com: [example.com] authorization failed: HTTP 0  -  (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 1, "retrying_in": 60, "elapsed": 17.5187986, "max_duration": 2592000}
2023/08/09 20:24:38.247 INFO   tls.obtain      obtaining certificate   {"identifier": "example.com"}
2023/08/09 20:24:39.167 ERROR  tls.obtain      could not get certificate from issuer   {"identifier": "example.com", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Error creating new order :: Cannot issue for \"example.com\": The ACME server refuses to issue a certificate for this domain name, because it is forbidden by policy"}
2023/08/09 20:24:39.659 INFO   http.acme_client        trying to solve challenge       {"identifier": "example.com", "challenge_type": "http-01", "ca": "https://acme.zerossl.com/v2/DV90"}
2023/08/09 20:24:45.530 ERROR  http.acme_client        challenge failed        {"identifier": "example.com", "challenge_type": "http-01", "problem": {"type": "", "title": "", "detail": "", "instance": "", "subproblems":

3. Caddy version:

v2.7.2 h1:QqThyoyUFAv1B7A2NMeaWlz7xmgKqU49PXBX08A+6xg=

4. How I installed and ran Caddy:

just downloaded the archive “caddy_2.7.2_windows_amd64”

a. System environment:

Windows 10 Pro

b. Command:

caddy run

c. Service/unit/compose file:

d. My complete Caddy config:

example.com
{
	respond "Hello, world!"
}

5. Links to relevant resources:

The core of the issue you’re facing is that you’re using “example.com”. This means that it will never point to your Windows server, and thus Caddy can’t resolve HTTP requests for it or pass the Let’s Encrypt challenge.

You’ll need to use a real and active domain that you own and ensure it’s pointing to your Windows server where Caddy is running.

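The rejectedIdentifier error in the log above is the CA applying policy to a reserved documentation domain. The following Go program is an added example (not Caddy's own code) that runs the same kind of check locally before a site address is handed to automatic HTTPS, so a reserved name, an IP literal, a single-label host or a wildcard (which needs dns-01 rather than http-01) is flagged before any issuance attempt is spent on it. The sample addresses in main, including mydomain-placeholder.net, are constructed.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Special-use TLDs from RFC 2606 / RFC 6761 / RFC 6762 (.local) and the
// documentation second-level domains from RFC 2606. Public ACME CAs will not
// issue for these; Let's Encrypt answers with rejectedIdentifier.
var reservedTLDs = map[string]bool{"test": true, "example": true, "invalid": true, "localhost": true, "local": true}
var reservedSLDs = map[string]bool{"example.com": true, "example.net": true, "example.org": true}

// normalizeSiteAddress strips the scheme and port a Caddyfile site address
// may carry ("https://www.example.org:443") and lowercases the host part.
func normalizeSiteAddress(addr string) string {
	addr = strings.TrimSpace(strings.ToLower(addr))
	if i := strings.Index(addr, "://"); i >= 0 {
		addr = addr[i+3:]
	}
	if h, _, err := net.SplitHostPort(addr); err == nil { // no port is fine
		addr = h
	}
	return strings.TrimSuffix(addr, ".")
}

// CheckACMEIdentifier returns an empty string when the address looks like a
// public DNS name a CA can validate with http-01, otherwise the reason it
// would be refused. It is a preflight only; it does not resolve DNS.
func CheckACMEIdentifier(addr string) string {
	host := normalizeSiteAddress(addr)
	switch {
	case host == "":
		return "empty site address"
	case net.ParseIP(host) != nil:
		return "IP address literal; use a DNS name you control"
	case strings.HasPrefix(host, "*."):
		return "wildcard name: requires the dns-01 challenge, not http-01"
	case !strings.Contains(host, "."):
		return "single-label name: not a public DNS name"
	}
	labels := strings.Split(host, ".")
	if tld := labels[len(labels)-1]; reservedTLDs[tld] {
		return "." + tld + " is a special-use TLD; CAs reject it by policy"
	}
	if sld := strings.Join(labels[len(labels)-2:], "."); reservedSLDs[sld] {
		return sld + " is reserved for documentation (RFC 2606); CAs reject it by policy"
	}
	return ""
}

func main() {
	for _, a := range []string{"example.com", "https://www.example.org:443", "myhost.test", "app.mydomain-placeholder.net"} {
		if why := CheckACMEIdentifier(a); why != "" {
			fmt.Printf("REJECT %-30s %s\n", a, why)
		} else {
			fmt.Printf("ok     %s\n", a)
		}
	}
}
```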

Also you have a slight syntax error; the { should be on the same line as the site address, not the next line.

Perhaps I am using Caddy wrong?
My goal is to block some sites on my PC, kind of a parental control.

Also, I tried another approach using the forwardproxy plugin.
I built Caddy using this command:

xcaddy build --with github.com/caddyserver/forwardproxy

but when I launch Caddy I get the following error:

$ ./caddy run
panic: qtls.ClientHelloInfo doesn't match

goroutine 1 [running]:
github.com/marten-seemann/qtls-go1-15.init.0()
        github.com/marten-seemann/qtls-go1-15@v0.1.1/unsafe.go:20 +0x132

My Caddyfile

forwardproxy {
    basicauth
    ports     80 443
    acl {
      allow     *.caddyserver.com
      deny      facebook.com
      allow     all
    }
}

Go version - 1.20
Caddy version - fresh master branch
OS - Windows 10 Pro

For now, can Caddy V2 work with forwardproxy?

You need to use this un-merged branch: https://github.com/caddyserver/forwardproxy/pull/74

