Caddy server SSL installed but not working

1. Caddy version (caddy version):

v2.4.3 h1:Y1FaV2N4WO3rBqxSYA8UZsZTQdN+PwcoOcAiZTM8C0I=

2. How I run Caddy:

/usr/bin/caddy run --environ --config Caddyfile.dev

a. System environment:

CentOS7

b. Command:

/usr/bin/caddy run --environ --config Caddyfile.dev

c. Service/unit/compose file:


d. My complete Caddyfile or JSON config:

# Learn how to configure the Mercure.rocks Hub on https://mercure.rocks/docs/hub/config
{
    http_port 4133
    https_port 4134
    # email masked for privacy
    email xx@gmail.com
    # Debug mode (disable it in production!)
    {$DEBUG:debug}
    # HTTP/3 support
    servers {
        protocol {
            experimental_http3
        }
    }
}

{$SERVER_NAME:mercure.mobiuspod.com}
log

route {
    redir / /.well-known/mercure/ui/
    encode zstd gzip
    mercure {
        # Transport to use (default to Bolt)
        transport_url bolt://mercure.db
        # Publisher JWT key
        publisher_jwt xxxxxx
        # Subscriber JWT key
        subscriber_jwt xxxxxx
        # Permissive configuration for the development environment
        cors_origins *
        publish_origins *
        demo
        anonymous
        subscriptions
        # Extra directives
        #{$MERCURE_EXTRA_DIRECTIVES}
    }

    respond /healthz 200

    respond "Not Found" 404
}

3. The problem I’m having:

The server runs and I can see this as debug:
2021/08/16 16:43:45.313 INFO    using provided configuration    {"config_file": "Caddyfile.dev", "config_adapter": ""}
2021/08/16 16:43:45.315 WARN    input is not formatted with 'caddy fmt' {"adapter": "caddyfile", "file": "Caddyfile.dev", "line": 3}
2021/08/16 16:43:45.317 INFO    admin   admin endpoint started  {"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["localhost:2019", "[::1]:2019", "127.0.0.1:2019"]}
2021/08/16 16:43:45.317 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc00022c000"}
2021/08/16 16:43:45.317 INFO    http    server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS        {"server_name": "srv0", "https_port": 4134}
2021/08/16 16:43:45.317 INFO    http    enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2021/08/16 16:43:45.325 INFO    http    enabling experimental HTTP/3 listener   {"addr": ":4134"}
2021/08/16 16:43:45.325 DEBUG   http    starting server loop    {"address": "[::]:4134", "http3": true, "tls": true}
2021/08/16 16:43:45.325 INFO    tls     cleaning storage unit   {"description": "FileStorage:/root/.local/share/caddy"}
2021/08/16 16:43:45.325 DEBUG   http    starting server loop    {"address": "[::]:4133", "http3": false, "tls": false}
2021/08/16 16:43:45.325 INFO    http    enabling automatic TLS certificate management   {"domains": ["mercure.mobiuspod.com"]}
2021/08/16 16:43:45.325 INFO    tls     finished cleaning storage units
2021/08/16 16:43:45.325 INFO    autosaved config (load with --resume flag)      {"file": "/root/.config/caddy/autosave.json"}
2021/08/16 16:43:45.325 INFO    serving initial configuration
2021/08/16 16:43:45.326 INFO    tls.obtain      acquiring lock  {"identifier": "mercure.mobiuspod.com"}
2021/08/16 16:43:45.327 INFO    tls.obtain      lock acquired   {"identifier": "mercure.mobiuspod.com"}
2021/08/16 16:43:45.342 DEBUG   tls.obtain      trying issuer 1/2       {"issuer": "acme-v02.api.letsencrypt.org-directory"}
2021/08/16 16:43:45.342 INFO    tls.issuance.acme       waiting on internal rate limiter        {"identifiers": ["mercure.mobiuspod.com"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "xxx@gmail.com"}
2021/08/16 16:43:45.342 INFO    tls.issuance.acme       done waiting on internal rate limiter   {"identifiers": ["mercure.mobiuspod.com"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "xxx@gmail.com"}
2021/08/16 16:43:45.721 DEBUG   tls.issuance.acme.acme_client   http request    {"method": "GET", "url": "https://acme-v02.api.letsencrypt.org/directory", "headers": {"User-Agent":["Caddy/2.4.3 CertMagic acmez (linux; amd64)"]}, "status_code": 200, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["658"],"Content-Type":["application/json"],"Date":["Mon, 16 Aug 2021 16:43:45 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}}
2021/08/16 16:43:45.797 DEBUG   tls.issuance.acme.acme_client   http request    {"method": "HEAD", "url": "https://acme-v02.api.letsencrypt.org/acme/new-nonce", "headers": {"User-Agent":["Caddy/2.4.3 CertMagic acmez (linux; amd64)"]}, "status_code": 200, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Date":["Mon, 16 Aug 2021 16:43:45 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0001spwHpiV827tu4Z_BqglCiuqRS8QLNk-dSiHK6bZJzo4"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}}
2021/08/16 16:43:45.916 DEBUG   tls.issuance.acme.acme_client   http request    {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/new-order", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.3 CertMagic acmez (linux; amd64)"]}, "status_code": 429, "response_headers": {"Boulder-Requester":["163828690"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["201"],"Content-Type":["application/problem+json"],"Date":["Mon, 16 Aug 2021 16:43:45 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0002SuojrOsc0yzZEKtp5DfglHA9l14FJH4CwYqwJMOFj0Y"],"Server":["nginx"]}}
2021/08/16 16:43:45.916 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "mercure.mobiuspod.com", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/"}
2021/08/16 16:43:45.916 DEBUG   tls.obtain      trying issuer 2/2       {"issuer": "acme.zerossl.com-v2-DV90"}
2021/08/16 16:43:45.916 INFO    tls.issuance.acme       waiting on internal rate limiter        {"identifiers": ["mercure.mobiuspod.com"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "xxx@gmail.com"}
2021/08/16 16:43:45.916 INFO    tls.issuance.acme       done waiting on internal rate limiter   {"identifiers": ["mercure.mobiuspod.com"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "xxx@gmail.com"}
2021/08/16 16:43:46.041 DEBUG   tls.issuance.acme.acme_client   http request    {"method": "GET", "url": "https://acme.zerossl.com/v2/DV90", "headers": {"User-Agent":["Caddy/2.4.3 CertMagic acmez (linux; amd64)"]}, "status_code": 200, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["645"],"Content-Type":["application/json"],"Date":["Mon, 16 Aug 2021 16:43:45 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]}}
2021/08/16 16:43:46.085 DEBUG   tls.issuance.acme.acme_client   http request    {"method": "HEAD", "url": "https://acme.zerossl.com/v2/DV90/newNonce", "headers": {"User-Agent":["Caddy/2.4.3 CertMagic acmez (linux; amd64)"]}, "status_code": 200, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Type":["application/octet-stream"],"Date":["Mon, 16 Aug 2021 16:43:45 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["6TWEnhGlXyBcnS19DbsDasdWigQZsTQHMrFKQ9pr4o4"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]}}
2021/08/16 16:43:46.160 DEBUG   tls.issuance.acme.acme_client   http request    {"method": "POST", "url": "https://acme.zerossl.com/v2/DV90/newOrder", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.3 CertMagic acmez (linux; amd64)"]}, "status_code": 201, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store","max-age=-1"],"Content-Length":["283"],"Content-Type":["application/json"],"Date":["Mon, 16 Aug 2021 16:43:45 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/9h0UX8Yo34p_GGZaT_zWIQ"],"Replay-Nonce":["-NvTW4RchLS_pXnCMh0HrS67MCTvWTUG76gqnKM-A7g"],"Server":["nginx"],"Status":[""],"Strict-Transport-Security":["max-age=15552000"]}}
2021/08/16 16:43:46.212 DEBUG   tls.issuance.acme.acme_client   http request    {"method": "POST", "url": "https://acme.zerossl.com/v2/DV90/authz/we6-Zltjgw9VPYbSx0AF1Q", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.3 CertMagic acmez (linux; amd64)"]}, "status_code": 200, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["451"],"Content-Type":["application/json"],"Date":["Mon, 16 Aug 2021 16:43:46 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["FfegJK6gtDZEEFpf-GFvRRNJ9GduDyYiPZCTmMADJMw"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]}}
2021/08/16 16:43:46.212 DEBUG   tls.issuance.acme.acme_client   no solver configured    {"challenge_type": "dns-01"}
2021/08/16 16:43:46.212 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "mercure.mobiuspod.com", "challenge_type": "http-01", "ca": "https://acme.zerossl.com/v2/DV90"}
2021/08/16 16:43:46.293 DEBUG   tls.issuance.acme.acme_client   http request    {"method": "POST", "url": "https://acme.zerossl.com/v2/DV90/chall/3hFG1IMiTMekeXpAKrW-oQ", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.3 CertMagic acmez (linux; amd64)"]}, "status_code": 200, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["164"],"Content-Type":["application/json"],"Date":["Mon, 16 Aug 2021 16:43:46 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\"","<https://acme.zerossl.com/v2/DV90/authz/we6-Zltjgw9VPYbSx0AF1Q>;rel=\"up\""],"Replay-Nonce":["SLSrlRBpsURZN5YncK0_z6oK64ddQdWDLY5uuNk4NC8"],"Retry-After":["10"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]}}
2021/08/16 16:43:46.293 DEBUG   tls.issuance.acme.acme_client   challenge accepted      {"identifier": "mercure.mobiuspod.com", "challenge_type": "http-01"}
2021/08/16 16:43:46.602 DEBUG   tls.issuance.acme.acme_client   http request    {"method": "POST", "url": "https://acme.zerossl.com/v2/DV90/authz/we6-Zltjgw9VPYbSx0AF1Q", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.3 CertMagic acmez (linux; amd64)"]}, "status_code": 200, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["454"],"Content-Type":["application/json"],"Date":["Mon, 16 Aug 2021 16:43:46 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["JrRWFqor2XunNEPssEjwQGpGQiB6a-jqlwpGj0owKhE"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]}}

4. Error messages and/or full log output:

I can't get SSL working. When I go to https://mercure.mobiuspod.com:4134 I get:
This site can't provide a secure connection
mercure.mobiuspod.com sent an invalid response.
Try running Windows Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR

5. What I already tried:

6. Links to relevant resources:

ACME CAs require ports 80 and 443 to be used to solve the HTTP and/or TLS-ALPN challenges.

If you need to use a different port than those, then you’ll need to configure the DNS challenge which has no specific port requirement, but does require building (or downloading a build of Caddy from Download Caddy) with the appropriate plugin for your DNS provider.

Please review the docs here to better understand:

That said, your logs seem incomplete. I’m only seeing a rate limit error from Let’s Encrypt in there (which would happen if you’ve attempted too many times without success), and ZeroSSL still seems to be pending. It would be more useful to see the error that ZeroSSL gives you.

Hi, thanks for replying so quickly.
I had to shut off the server to copy the logs, so I will add the full debug output below.
Regarding the DNS provider plugin, I can build Caddy with that plugin using xcaddy, but my website is hosted with GoDaddy, so I can't seem to find an appropriate provider here:

Also, the reason I used port 4134 is that 443 is already in use by Apache, and I get that as the error message.
Full Debug
Any help please?

Then you’ll need to change Apache to use a different port so that Caddy can use it.

Your logs do confirm that’s the issue. Let’s Encrypt is trying to reach your server on port 80 and isn’t receiving the response it expects.

You must have Caddy use ports 80 and 443, and move off other software to use different ports. You may have Caddy proxy requests to your other sites served by Apache if you need to.

Unfortunately, nobody’s written a GoDaddy plugin yet. You could use the lego-deprecated plugin which does support it, but your mileage may vary.

OK, I used xcaddy to compile Caddy with lego-deprecated.
Now, what change should I add to my Caddy config file, please?
I found that I have to use dns lego_deprecated godaddy, but I don't see where exactly in the config file.
Also, they mentioned the provider's credentials; is that something I have to deal with too, please?
Thanks.

Unfortunately all my sites use Apache on ports 80 and 443 (SSL) and I cannot change that.
Is it possible to use an already installed SSL certificate without letting it use Let's Encrypt SSL?

The README explains:

The “code” for GoDaddy is godaddy:

https://go-acme.github.io/lego/dns/godaddy/

Just make sure Caddy’s environment has the appropriate environment variables set for connecting to GoDaddy’s API.

You can have Caddy automate TLS, and have Caddy terminate all TLS connections. Have Caddy accept all HTTP/HTTPS connections, and if one of your sites you serve with Apache is requested, proxy to Apache.

For example, in your Caddyfile, you could add:

somesite.example.com {
	reverse_proxy localhost:8080
}

And change Apache to listen on port 8080 instead of 80/443.

That way, you don’t need to buy TLS certificates anymore, and simply let Caddy automate it.
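A complete Caddyfile for the layout described in this reply, added here as an example and not taken from the thread or from the Mercure project: Caddy keeps the default ports 80 and 443 (no http_port/https_port overrides), so the HTTP-01 and TLS-ALPN-01 challenges reach it directly; the Mercure hub gets its own hostname; and the sites that stay on Apache are proxied to Apache on loopback port 8080. The hostnames, the contact e-mail, the Apache port and the environment variable names for the JWT keys are assumptions for the example.

```caddyfile
# Added example (not the thread's config). Global options: no port overrides,
# so Caddy owns 80/443 and can answer the ACME challenges itself.
{
    # Assumed ACME account contact
    email admin@example.com
}

# The Mercure hub on the default HTTPS port.
mercure.example.com {
    route {
        encode zstd gzip
        mercure {
            transport_url bolt://mercure.db
            # Keys come from Caddy's environment; no secrets in the Caddyfile
            publisher_jwt {env.MERCURE_PUBLISHER_JWT_KEY}
            subscriber_jwt {env.MERCURE_SUBSCRIBER_JWT_KEY}
            # Only the front end that actually embeds the hub, not "*";
            # the demo and anonymous directives from the dev config are dropped.
            cors_origins https://app.example.com
            publish_origins https://app.example.com
            subscriptions
        }
        respond /healthz 200
        respond "Not Found" 404
    }
}

# Sites that stay on Apache: move Apache to 127.0.0.1:8080 (plain HTTP) and
# let Caddy terminate TLS in front of it. Caddy adds X-Forwarded-For so Apache
# can log the real client address; Apache should trust that header only from loopback.
example.com, www.example.com {
    reverse_proxy 127.0.0.1:8080
}
```

Apache must then listen on 127.0.0.1:8080 only, so that the proxied sites cannot be reached in clear text from outside the host.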

Yes. Specify a cert and key to the tls directive:
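For the other route discussed above (keeping Caddy on 4133/4134 and proving control of the name with the DNS-01 challenge through the lego-deprecated plugin), the tls directive takes a dns subdirective instead of a certificate pair. The following Caddyfile is an added example, not config from the thread or from the plugin's README; the hostname and contact e-mail are placeholders, and the credential variable names are the ones documented by lego for its GoDaddy provider (linked above).

```caddyfile
# Added example (not the thread's config). Build Caddy with:
#   xcaddy build --with github.com/caddy-dns/lego-deprecated
# Export GODADDY_API_KEY and GODADDY_API_SECRET in Caddy's environment
# (for example via an EnvironmentFile readable only by the caddy user).
{
    http_port 4133
    https_port 4134
    # Assumed ACME account contact
    email admin@example.com
}

mercure.example.com {
    tls {
        # "godaddy" is lego's provider code; the plugin reads the API
        # credentials from GODADDY_API_KEY / GODADDY_API_SECRET.
        dns lego_deprecated godaddy
    }
    # The log and route { mercure { } } blocks from the original Caddyfile
    # above stay as they were; only the tls block is new.
    respond /healthz 200
}
```

With DNS-01 the CA never connects to port 80 or 443, so Apache can keep them; the trade-off is that an API key able to edit the zone now lives on this host, so it should be scoped as narrowly as GoDaddy allows and never be written into the Caddyfile itself.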

Hi, to anyone who is struggling to get SSL working with Caddy while you cannot use ports 80 and 443 because Apache or Nginx is using them: all you have to do is use your domain certificates in PEM format. All I did to get it to work was add these lines to my Caddyfile:

{$SERVER_NAME:xxx.com}
# Add the tls directive after $SERVER_NAME
tls /etc/ssl/private/xxx.com.cert.pem /etc/ssl/private/xxx.com.key.pem

This topic was automatically closed after 30 days. New replies are no longer allowed.