Caddy Server is unable to validate an SSL certificate with Let's Encrypt due to a failure in the tls-alpn-01 challenge

1. The problem I’m having:

I have a VPS on which I have configured Docker and Caddy Server as a reverse proxy. When I point my domain name to the IP address of my VPS, 93.115.23.21, I get this error:

2. Error messages and/or full log output:

{"level":"error","ts":1735303331.4409313,"logger":"tls.obtain","msg":"will retry","error":"[facilitygroup-drc.org] Obtain: [facilitygroup-drc.org] solving challenge: facilitygroup-drc.org: [facilitygroup-drc.org] authorization failed: HTTP 403 urn:ietf:params:acme:error:unauthorized - Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":3.982092054,"max_duration":2592000}

3. Caddy version:

caddy:2-alpine

4. How I installed and ran Caddy:

a. System environment:

No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 24.04 LTS
Release: 24.04
Codename: noble

Docker Version:
Docker version 27.2.0, build 3ab4256

b. Command:

services:
  caddy:
    image: caddy:2-alpine
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./data/caddy/Caddyfile:/etc/caddy/Caddyfile
      - ./data/caddy/logs:/var/log/caddy
    networks:
      - web

networks:
  web:
    external: true

c. Caddyfile:

facilitygroup-drc.org {
  reverse_proxy facility:8077
}

d. Commands already checked:

sudo ufw allow 443
tcp   LISTEN 0      4096         0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      4096            [::]:443           [::]:*

sudo ufw allow 80
tcp   LISTEN 0      4096         0.0.0.0:8077       0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:8000       0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:8020       0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:8016       0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:8050       0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      4096            [::]:8077          [::]:*
tcp   LISTEN 0      4096            [::]:8000          [::]:*
tcp   LISTEN 0      4096            [::]:8020          [::]:*
tcp   LISTEN 0      4096            [::]:8016          [::]:*
tcp   LISTEN 0      4096            [::]:8050          [::]:*
tcp   LISTEN 0      4096            [::]:80            [::]:*
root@vps:/opt/caddy# sudo ss -tuln | grep 8077
tcp   LISTEN 0      4096         0.0.0.0:8077       0.0.0.0:*
tcp   LISTEN 0      4096            [::]:8077          [::]:*

dig facilitygroup-drc.org +short
93.115.23.21

5. Links to relevant resources:

You’re missing a volume for /data.

Are you sure you don’t have something intercepting connections on port 443? Do you have some kind of proxy in front of your server?

Thank you @francislavoie for answering me

I haven’t installed any proxy in front of my server.

set | grep -i proxy

On the other hand, I noticed that when I use a domain name provider like “Namecheap”, the communication goes directly to the Caddy server, but when I use another provider like “Hostinger” or “GoDaddy”, it does not.

Namecheap Configuration


With the Hostinger configuration I get this error:

{"level":"error","ts":1735737838.5889306,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"facilitygroup-drc.org","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:unauthorized - Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge"}
{"level":"error","ts":1735737838.5892015,"logger":"tls.obtain","msg":"will retry","error":"[facilitygroup-drc.org] Obtain: [facilitygroup-drc.org] solving challenge: facilitygroup-drc.org: [facilitygroup-drc.org] authorization failed: HTTP 403 urn:ietf:params:acme:error:unauthorized - Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":2,"retrying_in":120,"elapsed":67.901183016,"max_duration":2592000}

Hello @francislavoie do you have any suggestions about my concerns?

Your DNS is misconfigured

Currently, your facilitygroup-drc.org domain points to Hostinger’s hPanel, which uses LiteSpeed instead of Caddy:

$ http.curl.headers https://facilitygroup-drc.org -L

----------------------------------------
Request Headers:
----------------------------------------

## https://facilitygroup-drc.org
> GET / HTTP/2
> Host: facilitygroup-drc.org
> User-Agent: curl/8.11.1
> Accept: */*

## https://facilitygroup-rdc.org/
> GET / HTTP/2
> Host: facilitygroup-rdc.org
> User-Agent: curl/8.11.1
> Accept: */*

----------------------------------------
Response Headers:
----------------------------------------

## https://facilitygroup-drc.org
< HTTP/2 301
< content-type: text/html
< content-length: 795
< date: Mon, 06 Jan 2025 19:01:21 GMT
< server: LiteSpeed
< location: https://facilitygroup-rdc.org
< platform: hostinger
< panel: hpanel
< content-security-policy: upgrade-insecure-requests
< alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"

## https://facilitygroup-rdc.org/
< HTTP/2 200
< alt-svc: h3=":443"; ma=2592000
< content-type: text/html; charset=utf-8
< date: Mon, 06 Jan 2025 19:01:22 GMT
< referrer-policy: same-origin
< server: Caddy
< server: WSGIServer/0.2 CPython/3.11.11
< x-content-type-options: nosniff
< x-frame-options: DENY
< content-length: 36907

For Caddy to complete the TLS-ALPN-01 challenge for facilitygroup-drc.org, the domain must be directly reachable on the Internet. However, that site is NOT Caddy and only redirects to facilitygroup-rdc.org served by Caddy via an HTTP response header. Take note of this Location header:

location: https://facilitygroup-rdc.org

In summary, you have two domains configured differently:

  • facilitygroup-drc.org: Served by Hostinger’s hPanel running on LiteSpeed
  • facilitygroup-rdc.org: Served by a Caddy server

Your Caddy instance serving facilitygroup-rdc.org has a valid certificate because it successfully completed the TLS-ALPN-01 challenge:

$ x509.info facilitygroup-rdc.org

###############################################################################
# Connecting to server facilitygroup-rdc.org, port 443/tcp
###############################################################################

Subject (CN)        = facilitygroup-rdc.org

Serial Number       = 04EB7FAB6CA6DC003157445A5D09C508C9B7
Thumbprint (SHA1)   = B4676051E19C516BA0072239FA2C11BDB0E2172E
Signature Algorithm = ecdsa-with-SHA384

Issue Date          = Jan  6 11:29:41 2025 GMT / Jan  6 03:29:41 2025 PST
Expiry Date         = Apr  6 11:29:40 2025 GMT / Apr  6 04:29:40 2025 PDT
Revocation Date     = N/A

Subject Alternative Names
   facilitygroup-rdc.org

Certificate chain
 0 s:CN=facilitygroup-rdc.org
   i:C=US, O=Let's Encrypt, CN=E5
 1 s:C=US, O=Let's Encrypt, CN=E5
   i:C=US, O=Internet Security Research Group, CN=ISRG Root X1

OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = E5
    Produced At: Jan  6 12:28:00 2025 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 1E11C0C9ACFDA453EF4B2F6A732115604D54ADB9
      Issuer Key Hash: 99CD29C3A15826AF7A7A4C845A8F738860B0DFDE
      Serial Number: 04EB7FAB6CA6DC003157445A5D09C508C9B7
    Cert Status: good
    This Update: Jan  6 12:28:00 2025 GMT
    Next Update: Jan 13 12:27:58 2025 GMT

To fix this issue, update your DNS to point facilitygroup-drc.org to the same server running Caddy for facilitygroup-rdc.org. You can do this with an A or CNAME record. Then, configure your Caddy instance to serve both domains, including facilitygroup-drc.org.

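The two checks the answer above performs by hand (a DNS lookup, then an HTTPS request whose redirect is not followed) can be scripted as a pre-flight test to run before asking Let's Encrypt for a certificate. The following is an added example written for this thread; it is not Caddy project code and does not reproduce the answerer's own `http.curl.headers` or `x509.info` tools. The function names, the `203.0.113.10` address used as a constructed "wrong host" input, and the HEAD request are assumptions of the example; the domain names, VPS address, upstream and observed headers come from the thread.

```python
"""Pre-flight check for a TLS-ALPN-01 issuance, modelled on the diagnosis
in the thread. Added example, not Caddy project code. It repeats the two
checks the answer performs by hand (resolve the name, then request the
site over HTTPS without following redirects) and reports anything that
would stop Let's Encrypt from reaching Caddy on port 443 for that name."""
import http.client
import socket
import ssl
import sys


def resolve_ipv4(domain):
    """Live lookup: sorted list of IPv4 addresses the name resolves to."""
    infos = socket.getaddrinfo(domain, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def fetch_head(domain, timeout=10):
    """Live HEAD / over HTTPS, not following redirects.

    Returns (status, headers) with header names lower-cased; repeated
    headers (the thread shows two Server headers from Caddy) are joined
    with ', ' so none of them is lost."""
    conn = http.client.HTTPSConnection(
        domain, 443, timeout=timeout, context=ssl.create_default_context())
    try:
        conn.request("HEAD", "/", headers={"Host": domain})
        resp = conn.getresponse()
        headers = {}
        for name, value in resp.getheaders():
            key = name.lower()
            headers[key] = f"{headers[key]}, {value}" if key in headers else value
        return resp.status, headers
    finally:
        conn.close()


def diagnose(domain, expected_ip, resolved_ips, status, headers):
    """Pure decision logic over already-collected facts (no network).

    Returns a list of findings; an empty list means the name points at the
    Caddy host and Caddy itself answers on 443, which is what the
    TLS-ALPN-01 challenge needs."""
    findings = []
    if expected_ip not in resolved_ips:
        findings.append(
            f"dns: {domain} resolves to {', '.join(resolved_ips) or 'nothing'}, "
            f"not {expected_ip}; point the A or CNAME record at the Caddy host")
    server = headers.get("server", "")
    if "caddy" not in server.lower():
        findings.append(
            f"tls: port 443 for {domain} is answered by "
            f"'{server or '<no Server header>'}', not by Caddy")
    if 300 <= status < 400 and "location" in headers:
        findings.append(
            f"http: {status} redirect to {headers['location']}; a redirect is "
            f"an HTTP response, not a TLS handshake with Caddy, so the "
            f"challenge never reaches it")
    return findings


def caddyfile_site_block(domains, upstream):
    """Caddyfile site block serving several names with one reverse_proxy,
    the configuration the answer recommends once DNS is fixed. Multiple
    site addresses are written comma-separated on the block's first line."""
    return ", ".join(domains) + " {\n\treverse_proxy " + upstream + "\n}\n"


if __name__ == "__main__":
    # Usage: python preflight.py facilitygroup-drc.org 93.115.23.21
    name, ip = sys.argv[1], sys.argv[2]
    ips = resolve_ipv4(name)
    try:
        code, hdrs = fetch_head(name)
    except OSError as exc:  # ssl.SSLError is an OSError subclass
        code, hdrs = 0, {}
        print(f"no HTTPS response from {name}: {exc}")
    for line in diagnose(name, ip, ips, code, hdrs) or ["ok: ready for TLS-ALPN-01"]:
        print(line)
```

Run against the thread's broken name the script reports all three findings (wrong address, LiteSpeed instead of Caddy, 301 to facilitygroup-rdc.org); against facilitygroup-rdc.org it reports nothing, matching the working certificate shown above. The decision logic is kept separate from the network calls so it can be exercised on captured facts without touching the live hosts.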