Caddy Start - Could not get certificate from issuer

1. The problem I’m having:

Hey guys, I'm new to Caddy and I'm trying to set up HTTPS for my test server, however I keep getting some errors when trying to run the "caddy start" command.

Details and logs below; if you could provide some insight into where I'm going wrong I'd definitely appreciate it.

Chris :)

2. Error messages and/or full log output:

2023/02/28 15:12:48.973 INFO    using adjacent Caddyfile
2023/02/28 15:12:48.974 WARN    Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies    {"adapter": "caddyfile", "file": "Caddyfile", "line": 2}
2023/02/28 15:12:48.976 INFO    admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["//[::1]:2019", "//127.0.0.1:2019", "//localhost:2019"]}
2023/02/28 15:12:48.976 INFO    http    server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2023/02/28 15:12:48.976 INFO    http    enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2023/02/28 15:12:48.976 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc000565650"}
2023/02/28 15:12:48.976 INFO    http    enabling HTTP/3 listener        {"addr": ":443"}
2023/02/28 15:12:48.977 INFO    failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Receive-Buffer-Size for details.
2023/02/28 15:12:48.977 INFO    tls     cleaning storage unit   {"description": "FileStorage:/root/.local/share/caddy"}
2023/02/28 15:12:48.977 INFO    http.log        server running  {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2023/02/28 15:12:48.977 INFO    http.log        server running  {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2023/02/28 15:12:48.977 INFO    http    enabling automatic TLS certificate management   {"domains": ["rdcs-dev01.rapid-network.co"]}
2023/02/28 15:12:48.977 INFO    autosaved config (load with --resume flag)      {"file": "/root/.config/caddy/autosave.json"}
2023/02/28 15:12:48.977 INFO    serving initial configuration
2023/02/28 15:12:48.978 INFO    tls.obtain      acquiring lock  {"identifier": "rdcs-dev01.rapid-network.co"}
2023/02/28 15:12:48.978 INFO    tls     finished cleaning storage units
Successfully started Caddy (pid=271373) - Caddy is running in the background
2023/02/28 15:12:48.979 INFO    tls.obtain      lock acquired   {"identifier": "rdcs-dev01.rapid-network.co"}
2023/02/28 15:12:48.979 INFO    tls.obtain      obtaining certificate   {"identifier": "rdcs-dev01.rapid-network.co"}
2023/02/28 15:12:48.980 INFO    http    waiting on internal rate limiter        {"identifiers": ["rdcs-dev01.rapid-network.co"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2023/02/28 15:12:48.980 INFO    http    done waiting on internal rate limiter   {"identifiers": ["rdcs-dev01.rapid-network.co"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
[rapidadmin@rdcs-dev01 caddy]$ 2023/02/28 15:12:49.900  INFO    http.acme_client        trying to solve challenge       {"identifier": "rdcs-dev01.rapid-network.co", "challenge_type": "tls-alpn-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2023/02/28 15:12:50.396 ERROR   http.acme_client        challenge failed        {"identifier": "rdcs-dev01.rapid-network.co", "challenge_type": "tls-alpn-01", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "109.169.85.158: Error getting validation data", "instance": "", "subproblems": []}}
2023/02/28 15:12:50.396 ERROR   http.acme_client        validating authorization        {"identifier": "rdcs-dev01.rapid-network.co", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "109.169.85.158: Error getting validation data", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/978859706/167396125386", "attempt": 1, "max_attempts": 3}
2023/02/28 15:12:51.767 INFO    http.acme_client        trying to solve challenge       {"identifier": "rdcs-dev01.rapid-network.co", "challenge_type": "http-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2023/02/28 15:12:52.262 ERROR   http.acme_client        challenge failed        {"identifier": "rdcs-dev01.rapid-network.co", "challenge_type": "http-01", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "109.169.85.158: Fetching http://rdcs-dev01.rapid-network.co/.well-known/acme-challenge/-WvNy5E1xWLZkZiUnd_1b7uOdwLaFkxnQAqQDbpSvj8: Error getting validation data", "instance": "", "subproblems": []}}
2023/02/28 15:12:52.262 ERROR   http.acme_client        validating authorization        {"identifier": "rdcs-dev01.rapid-network.co", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "109.169.85.158: Fetching http://rdcs-dev01.rapid-network.co/.well-known/acme-challenge/-WvNy5E1xWLZkZiUnd_1b7uOdwLaFkxnQAqQDbpSvj8: Error getting validation data", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/978859706/167396128236", "attempt": 2, "max_attempts": 3}
2023/02/28 15:12:52.262 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "rdcs-dev01.rapid-network.co", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 400 urn:ietf:params:acme:error:connection - 109.169.85.158: Fetching http://rdcs-dev01.rapid-network.co/.well-known/acme-challenge/-WvNy5E1xWLZkZiUnd_1b7uOdwLaFkxnQAqQDbpSvj8: Error getting validation data"}
2023/02/28 15:12:52.263 INFO    http    waiting on internal rate limiter        {"identifiers": ["rdcs-dev01.rapid-network.co"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "caddy@zerossl.com"}
2023/02/28 15:12:52.264 INFO    http    done waiting on internal rate limiter   {"identifiers": ["rdcs-dev01.rapid-network.co"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "caddy@zerossl.com"}
2023/02/28 15:12:55.278 INFO    http.acme_client        trying to solve challenge       {"identifier": "rdcs-dev01.rapid-network.co", "challenge_type": "http-01", "ca": "https://acme.zerossl.com/v2/DV90"}
2023/02/28 15:13:00.809 ERROR   http.acme_client        challenge failed        {"identifier": "rdcs-dev01.rapid-network.co", "challenge_type": "http-01", "problem": {"type": "", "title": "", "detail": "", "instance": "", "subproblems": []}}
2023/02/28 15:13:00.809 ERROR   http.acme_client        validating authorization        {"identifier": "rdcs-dev01.rapid-network.co", "problem": {"type": "", "title": "", "detail": "", "instance": "", "subproblems": []}, "order": "https://acme.zerossl.com/v2/DV90/order/zg_mvzRg1V8NEIUUJQZEpA", "attempt": 1, "max_attempts": 3}
2023/02/28 15:13:00.809 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "rdcs-dev01.rapid-network.co", "issuer": "acme.zerossl.com-v2-DV90", "error": "HTTP 0  - "}
2023/02/28 15:13:00.810 ERROR   tls.obtain      will retry      {"error": "[rdcs-dev01.rapid-network.co] Obtain: [rdcs-dev01.rapid-network.co] solving challenge: rdcs-dev01.rapid-network.co: [rdcs-dev01.rapid-network.co] authorization failed: HTTP 0  -  (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 1, "retrying_in": 60, "elapsed": 11.830206939, "max_duration": 2592000}

3. Caddy version:

v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=

4. How I installed and ran Caddy:

Caddy installed via portainer app templates as well as documentation on their website (git: https://github.com/caddyserver/caddy.git)

a. System environment:

CentOS 8 w/ docker 

b. Command:

sudo caddy start

c. Service/unit/compose file:

N/A

d. My complete Caddy config:

rdcs-dev01.rapid-network.co {

        file_server

        reverse_proxy localhost:9000

}

Hi,

I suggest you give that a read and increase the maximum buffer as suggested (non-BSD):

Then try to start caddy again.

Hey buddy, thanks for the suggestion. Sadly I ran through the link you suggested and I'm still getting the same error messages. :frowning:

@CJRumbold can you post the new log output please?

Sure, apologies:

2023/03/01 09:43:23.735 INFO    using adjacent Caddyfile
2023/03/01 09:43:23.737 INFO    admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2023/03/01 09:43:23.738 INFO    http    server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2023/03/01 09:43:23.738 INFO    http    enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2023/03/01 09:43:23.738 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc00020bea0"}
2023/03/01 09:43:23.738 INFO    http    enabling HTTP/3 listener        {"addr": ":443"}
2023/03/01 09:43:23.738 INFO    tls     cleaning storage unit   {"description": "FileStorage:/root/.local/share/caddy"}
2023/03/01 09:43:23.738 INFO    failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Receive-Buffer-Size for details.
2023/03/01 09:43:23.738 INFO    http.log        server running  {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2023/03/01 09:43:23.739 INFO    http.log        server running  {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2023/03/01 09:43:23.739 INFO    http    enabling automatic TLS certificate management   {"domains": ["rdcs-dev01.rapid-network.co", "file_server"]}
2023/03/01 09:43:23.740 INFO    autosaved config (load with --resume flag)      {"file": "/root/.config/caddy/autosave.json"}
2023/03/01 09:43:23.740 INFO    serving initial configuration
2023/03/01 09:43:23.741 INFO    tls.obtain      acquiring lock  {"identifier": "rdcs-dev01.rapid-network.co"}
2023/03/01 09:43:23.741 INFO    tls.obtain      acquiring lock  {"identifier": "file_server"}
2023/03/01 09:43:23.742 INFO    tls     finished cleaning storage units
Successfully started Caddy (pid=3036) - Caddy is running in the background
2023/03/01 09:43:23.743 INFO    tls.obtain      lock acquired   {"identifier": "file_server"}
2023/03/01 09:43:23.743 INFO    tls.obtain      lock acquired   {"identifier": "rdcs-dev01.rapid-network.co"}
2023/03/01 09:43:23.743 INFO    tls.obtain      obtaining certificate   {"identifier": "file_server"}
2023/03/01 09:43:23.743 INFO    tls.obtain      obtaining certificate   {"identifier": "rdcs-dev01.rapid-network.co"}
2023/03/01 09:43:23.746 INFO    http    waiting on internal rate limiter        {"identifiers": ["rdcs-dev01.rapid-network.co"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2023/03/01 09:43:23.746 INFO    http    done waiting on internal rate limiter   {"identifiers": ["rdcs-dev01.rapid-network.co"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2023/03/01 09:43:23.747 INFO    http    waiting on internal rate limiter        {"identifiers": ["file_server"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2023/03/01 09:43:23.747 INFO    http    done waiting on internal rate limiter   {"identifiers": ["file_server"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
[rapidadmin@rdcs-dev01 ~]$ 2023/03/01 09:43:24.385      ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "file_server", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Error creating new order :: Cannot issue for \"file_server\": Domain name contains an invalid character"}
2023/03/01 09:43:24.387 INFO    http    waiting on internal rate limiter        {"identifiers": ["file_server"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "caddy@zerossl.com"}
2023/03/01 09:43:24.387 INFO    http    done waiting on internal rate limiter   {"identifiers": ["file_server"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "caddy@zerossl.com"}
2023/03/01 09:43:24.637 INFO    http.acme_client        trying to solve challenge       {"identifier": "rdcs-dev01.rapid-network.co", "challenge_type": "http-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2023/03/01 09:43:25.152 ERROR   http.acme_client        challenge failed        {"identifier": "rdcs-dev01.rapid-network.co", "challenge_type": "http-01", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "109.169.85.158: Fetching http://rdcs-dev01.rapid-network.co/.well-known/acme-challenge/4sRAcp5qa-SjI2uvEM5Og3ibHVIpRR2FUauh4yuW3Ew: Error getting validation data", "instance": "", "subproblems": []}}
2023/03/01 09:43:25.152 ERROR   http.acme_client        validating authorization        {"identifier": "rdcs-dev01.rapid-network.co", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "109.169.85.158: Fetching http://rdcs-dev01.rapid-network.co/.well-known/acme-challenge/4sRAcp5qa-SjI2uvEM5Og3ibHVIpRR2FUauh4yuW3Ew: Error getting validation data", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/978859706/167546565416", "attempt": 1, "max_attempts": 3}
2023/03/01 09:43:26.285 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "rdcs-dev01.rapid-network.co", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/"}
2023/03/01 09:43:26.286 INFO    http    waiting on internal rate limiter        {"identifiers": ["rdcs-dev01.rapid-network.co"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "caddy@zerossl.com"}
2023/03/01 09:43:26.286 INFO    http    done waiting on internal rate limiter   {"identifiers": ["rdcs-dev01.rapid-network.co"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "caddy@zerossl.com"}
2023/03/01 09:43:28.222 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "file_server", "issuer": "acme.zerossl.com-v2-DV90", "error": "HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [file_server]"}
2023/03/01 09:43:28.222 ERROR   tls.obtain      will retry      {"error": "[file_server] Obtain: [file_server] creating new order: attempt 1: https://acme.zerossl.com/v2/DV90/newOrder: HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [file_server] (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 1, "retrying_in": 60, "elapsed": 4.479488578, "max_duration": 2592000}
2023/03/01 09:43:32.104 INFO    http.acme_client        trying to solve challenge       {"identifier": "rdcs-dev01.rapid-network.co", "challenge_type": "http-01", "ca": "https://acme.zerossl.com/v2/DV90"}
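The two logs above show three different ACME failures mixed together (a connection error, a rejected identifier, and a rate limit). As an added example that is not part of this thread or of Caddy itself, here is a small Python triage script that parses Caddy's console log lines, keeps only the "could not get certificate from issuer" entries, extracts the ACME problem type per identifier, and prints what each type usually means. The sample lines are copied from the logs posted in this thread (including the one with the shell prompt glued to the front); the hint table is the script's own wording.

```python
"""Triage 'could not get certificate from issuer' entries in a Caddy console log."""
import json
import re

# Caddy's console log format: "<date> <time>  <LEVEL>  <logger>  <message>  <json fields>".
# The pattern is searched rather than anchored so a shell prompt glued to the front of a
# line (as happens when Caddy logs to the terminal it was started from) does not break it.
LINE_RE = re.compile(
    r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<level>[A-Z]+)\s+"
    r"(?P<logger>\S+)\s+"
    r"(?P<msg>.*?)\s*(?P<json>\{.*\})?\s*$"
)
ACME_ERR_RE = re.compile(r"urn:ietf:params:acme:error:([A-Za-z]+)")

# Hints are this script's own summaries of what each ACME problem type means for the operator.
HINTS = {
    "connection": (
        "the CA tried to reach the IP in the message and could not fetch the challenge: "
        "confirm the DNS record points at this host and that TCP 80 and 443 are reachable "
        "from the Internet (firewall, NAT/port forwarding, Docker -p) and land on Caddy"
    ),
    "rejectedIdentifier": (
        "the CA refused the name because it is not a valid domain: Caddy picked this token "
        "up as a site address, so check the Caddyfile for stray tokens or invisible characters"
    ),
    "rateLimited": (
        "too many failed authorizations recently: fix the underlying cause before retrying "
        "and use the CA's staging endpoint while testing so production quota is not burned"
    ),
    None: (
        "the issuer returned no ACME problem document (e.g. 'HTTP 0'): treat it as a transport "
        "failure and look at the primary issuer's error for the real cause"
    ),
}


def parse_line(line):
    """Split one console log line into logger, message and decoded JSON fields (or None)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = json.loads(m.group("json")) if m.group("json") else {}
    return {"level": m.group("level"), "logger": m.group("logger"),
            "msg": m.group("msg"), "fields": fields}


def triage(lines):
    """Return one finding per 'could not get certificate from issuer' entry."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["logger"] != "tls.obtain":
            continue
        if rec["msg"] != "could not get certificate from issuer":
            continue
        error = rec["fields"].get("error", "")
        m = ACME_ERR_RE.search(error)
        problem = m.group(1) if m else None
        findings.append({
            "identifier": rec["fields"].get("identifier"),
            "issuer": rec["fields"].get("issuer"),
            "problem": problem,
            "hint": HINTS.get(problem, HINTS[None]),
        })
    return findings


# Sample lines copied from the logs in this thread (one INFO line included to show filtering).
SAMPLE_LOG = r"""2023/02/28 15:12:48.977 INFO    http    enabling automatic TLS certificate management   {"domains": ["rdcs-dev01.rapid-network.co"]}
2023/02/28 15:12:52.262 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "rdcs-dev01.rapid-network.co", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 400 urn:ietf:params:acme:error:connection - 109.169.85.158: Fetching http://rdcs-dev01.rapid-network.co/.well-known/acme-challenge/-WvNy5E1xWLZkZiUnd_1b7uOdwLaFkxnQAqQDbpSvj8: Error getting validation data"}
2023/02/28 15:13:00.809 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "rdcs-dev01.rapid-network.co", "issuer": "acme.zerossl.com-v2-DV90", "error": "HTTP 0  - "}
[rapidadmin@rdcs-dev01 ~]$ 2023/03/01 09:43:24.385      ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "file_server", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Error creating new order :: Cannot issue for \"file_server\": Domain name contains an invalid character"}
2023/03/01 09:43:26.285 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "rdcs-dev01.rapid-network.co", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/"}
2023/03/01 09:43:28.222 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "file_server", "issuer": "acme.zerossl.com-v2-DV90", "error": "HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [file_server]"}"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f['identifier']} via {f['issuer']}: {f['problem'] or 'no problem type'}")
        print(f"  -> {f['hint']}")
```

Run it against a saved log with `python3 triage.py < caddy.log` after swapping SAMPLE_LOG for sys.stdin; the point is that the first failure in each run (the connection error against the real domain) is the one to fix, and the rate-limit entry is a consequence of retrying before doing so.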

You still have the same error about the buffer:

2023/03/01 09:43:23.738 INFO    failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Receive-Buffer-Size for details.

In the terminal, type sysctl net.core.rmem_max; it should answer net.core.rmem_max = 2500000.
If that's not the case, type sudo sysctl -w net.core.rmem_max=2500000, then sysctl net.core.rmem_max to confirm that the value is taken, and sudo systemctl restart caddy to get Caddy's log entries.

Also, there is an error and it seems a prompt popped up:

[rapidadmin@rdcs-dev01 ~]$ 2023/03/01 09:43:24.385      ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "file_server", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Error creating new order :: Cannot issue for \"file_server\": Domain name contains an invalid character"}

In the config block, add the tls email directive, e.g.:

rdcs-dev01.rapid-network.co {
        # Your email address. Mainly used when creating an ACME account with your CA, and is highly recommended in case there are problems with your certificates.   
        tls foo@rdcs-dev01.rapid-network.co     

        file_server

        reverse_proxy localhost:9000

}

This is not the reason why the certificate fetching fails. It’s also not an error as much as a warning or an informative message.

This is closer to the probable issue.

@CJRumbold, does your file have odd encodings? Invisible characters? It appears that Caddy thinks file_server is a domain name, so there are probably confusing invisible characters or an unformatted Caddyfile.

Also, it seems like the problem and subproblem descriptions in the logs are not available. If you redacted the messages, please share the logs as-is.

1 Like
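The question above (odd encodings, invisible characters, a token like file_server ending up as a site address) is something a script can check before the CA does. As an added example that is not from this thread or from the Caddy project, here is a Python scanner that reports non-ASCII and control characters in a Caddyfile by line and column, and lists the address tokens of each top-level site block, flagging any that is not a plain host[:port]. Its block detection is a deliberately simplified rule (tokens at brace depth zero before a "{" are addresses), not Caddy's full grammar; the two sample Caddyfiles are constructed for the example, the broken one with a byte-order mark and a zero-width space.

```python
"""Scan a Caddyfile for invisible characters and site addresses that are not hostnames."""
import re
import unicodedata

# host[:port] with optional scheme or wildcard label, ASCII only. This is a strict rule of
# this script's own: it matches what an ACME CA is willing to accept as a DNS identifier.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"^(?:https?://)?(?:(?:\*|{LABEL})(?:\.{LABEL})*)?(?::\d{{1,5}})?$")


def find_invisible(text):
    """Return (line, column, description) for every character outside printable ASCII.

    Comments are scanned too: the goal is to surface odd encodings anywhere in the file.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            code = ord(ch)
            if code > 0x7E or (code < 0x20 and ch != "\t"):
                name = unicodedata.name(ch, "UNNAMED")
                hits.append((lineno, col, f"U+{code:04X} {name}"))
    return hits


def site_addresses(text):
    """Return the address tokens of each top-level block, in file order.

    Simplified Caddyfile rule used here: a '#' starts a comment, tokens are split on
    ASCII whitespace only (so a non-breaking space stays glued to its token and shows up
    as an invalid address), and every depth-0 token before a '{' is a site address.
    """
    blocks, pending, depth = [], [], 0
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        for tok in re.split(r"[ \t]+", line.strip()):
            if not tok:
                continue
            if tok == "{":
                if depth == 0:
                    blocks.append(pending)
                    pending = []
                depth += 1
            elif tok == "}":
                depth -= 1
            elif depth == 0:
                pending.append(tok.rstrip(","))
    return blocks


def check_caddyfile(text):
    """Return a list of human-readable issues; an empty list means nothing suspicious."""
    issues = []
    if "\r" in text:
        issues.append("file uses CRLF line endings")
    for lineno, col, desc in find_invisible(text):
        issues.append(f"line {lineno} col {col}: suspicious character {desc}")
    for n, addrs in enumerate(site_addresses(text), 1):
        for addr in addrs:
            if addr.startswith("("):  # snippet definition such as (common), not an address
                continue
            if not addr.isascii():
                issues.append(f"site block {n}: address {addr!r} contains non-ASCII characters")
            elif not HOST_RE.match(addr):
                issues.append(f"site block {n}: {addr!r} is not a valid host[:port]; "
                              "a CA will reject it as an identifier")
    return issues


# Constructed samples: a clean file, and one with a BOM, a zero-width space after the
# address, and the brace on the next line so that file_server is read as a second address.
GOOD_CADDYFILE = (
    "rdcs-dev01.rapid-network.co {\n"
    "\tfile_server\n"
    "\treverse_proxy localhost:9000\n"
    "}\n"
)
BAD_CADDYFILE = (
    "\ufeffrdcs-dev01.rapid-network.co\u200b\n"
    "file_server {\n"
    "\treverse_proxy localhost:9000\n"
    "}\n"
)

if __name__ == "__main__":
    for label, text in (("good", GOOD_CADDYFILE), ("bad", BAD_CADDYFILE)):
        print(f"[{label}] {len(check_caddyfile(text))} issue(s)")
        for issue in check_caddyfile(text):
            print("  ", issue)
```

To run it on a real file, read it with open(path, encoding="utf-8") and pass the text to check_caddyfile; reading with an explicit encoding rather than the platform default is what makes a byte-order mark visible instead of silently swallowed.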

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.