W0n9
(w0n9)
April 1, 2020, 4:05pm
1
I want to use AutoTLS for all my websites. It worked until last month, but when I modified some proxy parameters yesterday and restarted Caddy, it got stuck at "Activating privacy features" and TCP 80/443 timed out.
Here is my caddyfile
```
https://course-proxy2.buct.edu.cn
{
    gzip
    tls my@mail
    proxy / backend_IP {
        header_upstream Host course.buct.edu.cn
        keepalive 2800
        policy ip_hash
        fail_timeout 5s
        max_fails 100
        try_duration 2s
        health_check /meol
    }
    rewrite / {
        r ^/$
        to /meol/
    }
    header / Strict-Transport-Security "max-age=31536000;"
    status 204 /favicon.ico
    prometheus {
        address 0.0.0.0:9180
    }
}
https://jwglxt-proxy2.buct.edu.cn
{
    gzip
    tls my@mail
    proxy / backend_IP {
        header_upstream Host jwglxt.buct.edu.cn
        header_upstream X-Forwarded-Port 80
        header_upstream X-Forwarded-Proto http
        policy ip_hash
        keepalive 1000
        fail_timeout 5s
        max_fails 100
        try_duration 2s
    }
    prometheus {
        address 0.0.0.0:9180
    }
    filter rule {
        content_type text/html.*
        search_pattern </head>
        replacement @/usr/local/bin/jwglxt-proxy2.html
    }
    header / Strict-Transport-Security "max-age=31536000;"
}
```
But when I replace `tls my@mail` with `tls crt key`, it works.
Here is my log
```
# caddy -conf /usr/local/bin/caddyfile3 -log stdout
2020/04/01 23:30:30 [INFO] Caddy version: v1.0.4
Activating privacy features...
2020/04/01 23:30:30 [INFO][cache:0xc0000db310] Started certificate maintenance routine
2020/04/01 23:30:31 [INFO][course-proxy2.buct.edu.cn] Obtain certificate
2020/04/01 23:30:31 [INFO][course-proxy2.buct.edu.cn] Obtain: Waiting on rate limiter...
2020/04/01 23:30:31 [INFO][course-proxy2.buct.edu.cn] Obtain: Done waiting
2020/04/01 23:30:31 [INFO] [course-proxy2.buct.edu.cn] acme: Obtaining bundled SAN certificate
2020/04/01 23:30:33 [INFO] [course-proxy2.buct.edu.cn] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3675126599
2020/04/01 23:30:33 [INFO] [course-proxy2.buct.edu.cn] acme: authorization already valid; skipping challenge
2020/04/01 23:30:33 [INFO] [course-proxy2.buct.edu.cn] acme: Validations succeeded; requesting certificates
2020/04/01 23:30:37 [INFO] [course-proxy2.buct.edu.cn] Server responded with a certificate.
2020/04/01 23:30:38 [INFO][jwglxt-proxy2.buct.edu.cn] Obtain certificate
2020/04/01 23:30:38 [INFO][jwglxt-proxy2.buct.edu.cn] Obtain: Waiting on rate limiter...
2020/04/01 23:30:38 [INFO][jwglxt-proxy2.buct.edu.cn] Obtain: Done waiting
2020/04/01 23:30:38 [INFO] [jwglxt-proxy2.buct.edu.cn] acme: Obtaining bundled SAN certificate
2020/04/01 23:30:39 [INFO] [jwglxt-proxy2.buct.edu.cn] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3697093386
2020/04/01 23:30:39 [INFO] [jwglxt-proxy2.buct.edu.cn] acme: use tls-alpn-01 solver
2020/04/01 23:30:39 [INFO] [jwglxt-proxy2.buct.edu.cn] acme: Trying to solve TLS-ALPN-01
2020/04/01 23:30:51 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3697093386
2020/04/01 23:30:51 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3697093386
2020/04/01 23:30:51 [ERROR][jwglxt-proxy2.buct.edu.cn] failed to obtain certificate: acme: Error -> One or more domains had a problem:[jwglxt-proxy2.buct.edu.cn] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up CAA for jwglxt-proxy2.buct.edu.cn - the domain's nameservers may be malfunctioning, url: (attempt 1/3; challenge=tls-alpn-01)
2020/04/01 23:30:52 [INFO] [jwglxt-proxy2.buct.edu.cn] acme: Obtaining bundled SAN certificate
2020/04/01 23:30:53 [INFO] [jwglxt-proxy2.buct.edu.cn] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3697096488
2020/04/01 23:30:53 [INFO] [jwglxt-proxy2.buct.edu.cn] acme: use tls-alpn-01 solver
2020/04/01 23:30:53 [INFO] [jwglxt-proxy2.buct.edu.cn] acme: Trying to solve TLS-ALPN-01
2020/04/01 23:31:08 [INFO] [jwglxt-proxy2.buct.edu.cn] The server validated our request
2020/04/01 23:31:08 [INFO] [jwglxt-proxy2.buct.edu.cn] acme: Validations succeeded; requesting certificates
2020/04/01 23:31:08 [INFO] [jwglxt-proxy2.buct.edu.cn] Server responded with a certificate.
2020/04/01 23:31:38 [WARNING] Stapling OCSP: no OCSP stapling for [course-proxy2.buct.edu.cn]: making OCSP request: Post http://ocsp.int-x3.letsencrypt.org: dial tcp 88.191.249.182:80: i/o timeout
^C
2020/04/01 23:31:59 [INFO] SIGINT: Shutting down
2020/04/01 23:31:59 [INFO][cache:0xc0000db310] Stopped certificate maintenance routine
```
Thank you for your help!
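A quick triage of a Caddy v1 startup log like the one above, as an added example that is not part of the original post or of Caddy itself. The sample log is a trimmed copy of the lines the poster pasted; the regular expressions are written against the v1.0.4 log format exactly as it appears in this thread and are an assumption for any other version. The point it makes is the one the log already contains: both sites did get a certificate (the ACME error on the second site was retried successfully), and the only thing that failed is the OCSP stapling dial to the responder.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Sample log: lines the original poster pasted from Caddy v1.0.4, trimmed to
// the ones that matter for triage (copied from the thread, not captured live).
const sampleLog = `2020/04/01 23:30:30 [INFO] Caddy version: v1.0.4
2020/04/01 23:30:31 [INFO][course-proxy2.buct.edu.cn] Obtain certificate
2020/04/01 23:30:33 [INFO] [course-proxy2.buct.edu.cn] acme: authorization already valid; skipping challenge
2020/04/01 23:30:37 [INFO] [course-proxy2.buct.edu.cn] Server responded with a certificate.
2020/04/01 23:30:38 [INFO][jwglxt-proxy2.buct.edu.cn] Obtain certificate
2020/04/01 23:30:39 [INFO] [jwglxt-proxy2.buct.edu.cn] acme: Trying to solve TLS-ALPN-01
2020/04/01 23:30:51 [ERROR][jwglxt-proxy2.buct.edu.cn] failed to obtain certificate: acme: Error -> One or more domains had a problem:[jwglxt-proxy2.buct.edu.cn] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up CAA for jwglxt-proxy2.buct.edu.cn - the domain's nameservers may be malfunctioning, url: (attempt 1/3; challenge=tls-alpn-01)
2020/04/01 23:31:08 [INFO] [jwglxt-proxy2.buct.edu.cn] Server responded with a certificate.
2020/04/01 23:31:38 [WARNING] Stapling OCSP: no OCSP stapling for [course-proxy2.buct.edu.cn]: making OCSP request: Post http://ocsp.int-x3.letsencrypt.org: dial tcp 88.191.249.182:80: i/o timeout
2020/04/01 23:31:59 [INFO] SIGINT: Shutting down`

// StaplingFailure is one "Stapling OCSP" warning: which site, which responder
// URL was posted to, which ip:port was dialed, and why the dial failed.
type StaplingFailure struct {
	Time, Domain, Responder, Addr, Reason string
}

// Summary answers the three triage questions: which sites got a certificate,
// which ACME attempts failed (possibly transiently), and whether the stapling
// step that runs after issuance could reach its responder.
type Summary struct {
	Obtained   []string
	ACMEErrors []string
	Stapling   []StaplingFailure
}

// Patterns match the Caddy v1.0.4 line formats seen in the thread (note the
// "[INFO] [domain]" vs "[ERROR][domain]" spacing difference in the real log).
var (
	obtainedRe = regexp.MustCompile(`^\S+ \S+ \[INFO\] \[([^\]]+)\] Server responded with a certificate\.$`)
	acmeErrRe  = regexp.MustCompile(`^\S+ \S+ \[ERROR\]\[([^\]]+)\] failed to obtain certificate: (.+)$`)
	staplingRe = regexp.MustCompile(`^(\S+ \S+) \[WARNING\] Stapling OCSP: no OCSP stapling for \[([^\]]+)\]: making OCSP request: Post (\S+): dial tcp (\S+): (.+)$`)
)

// Summarize scans a log text line by line and collects the three signals.
func Summarize(log string) Summary {
	var s Summary
	for _, line := range strings.Split(log, "\n") {
		line = strings.TrimSpace(line)
		if m := obtainedRe.FindStringSubmatch(line); m != nil {
			s.Obtained = append(s.Obtained, m[1])
		} else if m := acmeErrRe.FindStringSubmatch(line); m != nil {
			s.ACMEErrors = append(s.ACMEErrors, m[1]+": "+m[2])
		} else if m := staplingRe.FindStringSubmatch(line); m != nil {
			s.Stapling = append(s.Stapling, StaplingFailure{
				Time: m[1], Domain: m[2], Responder: m[3], Addr: m[4], Reason: m[5],
			})
		}
	}
	return s
}

// Verdict turns the summary into the one-line answer the thread was after:
// is ACME the blocker, or the network path to the OCSP responder?
func Verdict(s Summary) string {
	switch {
	case len(s.Obtained) == 0:
		return "no certificate was issued; the ACME errors are the blocker"
	case len(s.Stapling) > 0:
		f := s.Stapling[0]
		return fmt.Sprintf("%d certificate(s) issued, but the OCSP responder %s (dialed %s) failed with %q; the blocker is the network path to the responder, not ACME",
			len(s.Obtained), f.Responder, f.Addr, f.Reason)
	default:
		return "certificates issued and OCSP stapling produced no warnings"
	}
}

func main() {
	s := Summarize(sampleLog)
	fmt.Printf("obtained: %v\nacme errors: %d\nstapling failures: %d\n", s.Obtained, len(s.ACMEErrors), len(s.Stapling))
	fmt.Println(Verdict(s))
}
```

Run it against a full `caddy -log stdout` capture by replacing `sampleLog` with the file contents; the SERVFAIL on the CAA lookup shows up in `ACMEErrors` but does not change the verdict, because the retry on the same domain produced a certificate.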
matt
(Matt Holt)
April 1, 2020, 4:12pm
2
Hi, welcome –
What was the log when it got stuck?
W0n9
(w0n9)
April 1, 2020, 4:17pm
3
2020/04/01 23:31:38 [WARNING] Stapling OCSP: no OCSP stapling for [course-proxy2.buct.edu.cn]: making OCSP request: Post http://ocsp.int-x3.letsencrypt.org: dial tcp 88.191.249.182:80: i/o timeout
I think this is the last log line before I shut down the Caddy server.
I tried tcping, but the server gave no response.
```
C:\Users\ThinkPad>tcping -t ip 443
** Pinging continuously. Press control-c to stop **
Probing ip:443/tcp - No response - time=2014.238ms
Probing ip:443/tcp - No response - time=2005.158ms
Probing ip:443/tcp - No response - time=2001.582ms
Probing ip:443/tcp - No response - time=2001.878ms
Probing ip:443/tcp - No response - time=2011.162ms
```
matt
(Matt Holt)
April 1, 2020, 4:25pm
4
What's the full log, though? Not just one line, please.
W0n9
(w0n9)
April 1, 2020, 4:29pm
5
Here is my full log
```
# caddy -conf /usr/local/bin/caddyfile3 -log stdout
2020/04/01 23:30:30 [INFO] Caddy version: v1.0.4
Activating privacy features...
2020/04/01 23:30:30 [INFO][cache:0xc0000db310] Started certificate maintenance routine
2020/04/01 23:30:31 [INFO][course-proxy2.buct.edu.cn] Obtain certificate
2020/04/01 23:30:31 [INFO][course-proxy2.buct.edu.cn] Obtain: Waiting on rate limiter...
2020/04/01 23:30:31 [INFO][course-proxy2.buct.edu.cn] Obtain: Done waiting
2020/04/01 23:30:31 [INFO] [course-proxy2.buct.edu.cn] acme: Obtaining bundled SAN certificate
2020/04/01 23:30:33 [INFO] [course-proxy2.buct.edu.cn] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3675126599
2020/04/01 23:30:33 [INFO] [course-proxy2.buct.edu.cn] acme: authorization already valid; skipping challenge
2020/04/01 23:30:33 [INFO] [course-proxy2.buct.edu.cn] acme: Validations succeeded; requesting certificates
2020/04/01 23:30:37 [INFO] [course-proxy2.buct.edu.cn] Server responded with a certificate.
2020/04/01 23:30:38 [INFO][jwglxt-proxy2.buct.edu.cn] Obtain certificate
2020/04/01 23:30:38 [INFO][jwglxt-proxy2.buct.edu.cn] Obtain: Waiting on rate limiter...
2020/04/01 23:30:38 [INFO][jwglxt-proxy2.buct.edu.cn] Obtain: Done waiting
2020/04/01 23:30:38 [INFO] [jwglxt-proxy2.buct.edu.cn] acme: Obtaining bundled SAN certificate
2020/04/01 23:30:39 [INFO] [jwglxt-proxy2.buct.edu.cn] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3697093386
2020/04/01 23:30:39 [INFO] [jwglxt-proxy2.buct.edu.cn] acme: use tls-alpn-01 solver
2020/04/01 23:30:39 [INFO] [jwglxt-proxy2.buct.edu.cn] acme: Trying to solve TLS-ALPN-01
2020/04/01 23:30:51 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3697093386
2020/04/01 23:30:51 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3697093386
2020/04/01 23:30:51 [ERROR][jwglxt-proxy2.buct.edu.cn] failed to obtain certificate: acme: Error -> One or more domains had a problem:[jwglxt-proxy2.buct.edu.cn] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up CAA for jwglxt-proxy2.buct.edu.cn - the domain's nameservers may be malfunctioning, url: (attempt 1/3; challenge=tls-alpn-01)
2020/04/01 23:30:52 [INFO] [jwglxt-proxy2.buct.edu.cn] acme: Obtaining bundled SAN certificate
2020/04/01 23:30:53 [INFO] [jwglxt-proxy2.buct.edu.cn] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3697096488
2020/04/01 23:30:53 [INFO] [jwglxt-proxy2.buct.edu.cn] acme: use tls-alpn-01 solver
2020/04/01 23:30:53 [INFO] [jwglxt-proxy2.buct.edu.cn] acme: Trying to solve TLS-ALPN-01
2020/04/01 23:31:08 [INFO] [jwglxt-proxy2.buct.edu.cn] The server validated our request
2020/04/01 23:31:08 [INFO] [jwglxt-proxy2.buct.edu.cn] acme: Validations succeeded; requesting certificates
2020/04/01 23:31:08 [INFO] [jwglxt-proxy2.buct.edu.cn] Server responded with a certificate.
2020/04/01 23:31:38 [WARNING] Stapling OCSP: no OCSP stapling for [course-proxy2.buct.edu.cn]: making OCSP request: Post http://ocsp.int-x3.letsencrypt.org: dial tcp 88.191.249.182:80: i/o timeout
^C
2020/04/01 23:31:59 [INFO] SIGINT: Shutting down
2020/04/01 23:31:59 [INFO][cache:0xc0000db310] Stopped certificate maintenance routine
```
matt
(Matt Holt)
April 1, 2020, 4:55pm
6
That's the same log as you already posted… what is the log before that? Since `acme: authorization already valid; skipping challenge`, it seems that the challenge already occurred at a previous recent run, and you said you had to restart the process? So what were the logs before the restart?
Btw, I recommend upgrading to Caddy 2, which has several relevant and important fixes.
1 Like
W0n9
(w0n9)
April 2, 2020, 1:49am
7
I found the problem!
My ISP, China Telecom, blocked the OCSP domain ocsp.int-x3.letsencrypt.org.
I added the real IP to the hosts file for OCSP, and then it worked!
2 Likes
matt
(Matt Holt)
April 2, 2020, 3:12am
8
Interesting! Thanks for following up, glad you figured it out!
Unknwon
(Unknwon)
April 16, 2020, 4:33pm
9
I just ran into the same problem with Caddy 2 on a server in Mainland China. For the record, this is the line I added to my /etc/hosts file:
```
23.215.130.83 ocsp.int-x3.letsencrypt.org
```
1 Like
matt
(Matt Holt)
April 16, 2020, 5:09pm
10
Thanks for the tip @Unknwon !
For anyone finding this later, note that the IP address could very well change…
Unknwon
(Unknwon)
April 19, 2020, 1:43am
11
That's true. To find the up-to-date IP, run `ping ocsp.int-x3.letsencrypt.org` on any server outside Mainland China, then use that one.
1 Like
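The diagnosis in posts 7 and 9 (the OCSP responder is unreachable from the server's network) and the caveat in posts 10 and 11 (a pinned responder IP can change) both come down to one check: find out which responder the certificate actually names, and see whether the server can dial it. The following is an added example, not code from this thread or from Caddy: it reads the responder URL out of the certificate's Authority Information Access extension (the same place a stapler gets it from), turns it into the host:port that will be dialed, and classifies the TCP connect as reachable, timed out, or some other error. It uses a constructed self-signed certificate whose AIA points at the responder named in the log so that it runs offline; the 5-second timeout and the `ConstructedCert` helper are assumptions, and for a real check you would feed in the leaf certificate Caddy obtained.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"time"
)

// OCSPEndpoints returns the responder URLs from the certificate's Authority
// Information Access extension; that host is the one the stapler must reach.
func OCSPEndpoints(certPEM []byte) ([]string, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	if len(cert.OCSPServer) == 0 {
		return nil, errors.New("certificate carries no OCSP responder URL")
	}
	return cert.OCSPServer, nil
}

// DialTarget converts a responder URL into the host:port that gets dialed;
// the thread's log shows ":80" for the http:// Let's Encrypt responder.
func DialTarget(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	port := u.Port()
	if port == "" {
		port = "80"
		if u.Scheme == "https" {
			port = "443"
		}
	}
	return net.JoinHostPort(u.Hostname(), port), nil
}

// Probe classifies a TCP connect the way the Caddy log did: "ok", "timeout"
// (the blocked-path symptom from the thread), or "error" for anything else.
func Probe(target string, timeout time.Duration) string {
	conn, err := net.DialTimeout("tcp", target, timeout)
	if err == nil {
		conn.Close()
		return "ok"
	}
	var nerr net.Error
	if errors.As(err, &nerr) && nerr.Timeout() {
		return "timeout"
	}
	return "error"
}

// ConstructedCert builds a throwaway self-signed certificate whose AIA points
// at the responder named in the thread, so the example runs without a real
// Let's Encrypt chain (assumption for the example, not a real certificate).
func ConstructedCert() []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "course-proxy2.buct.edu.cn"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		OCSPServer:   []string{"http://ocsp.int-x3.letsencrypt.org"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	urls, err := OCSPEndpoints(ConstructedCert()) // swap in the real leaf cert PEM here
	if err != nil {
		panic(err)
	}
	for _, u := range urls {
		target, err := DialTarget(u)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s -> %s: %s\n", u, target, Probe(target, 5*time.Second))
	}
}
```

A "timeout" result for the responder, with the ACME endpoint reachable, is the pattern in this thread. If you work around it with an `/etc/hosts` entry as in post 9, re-run the probe after any change on the responder side: the entry pins a name to an address you looked up once, and post 10 already warns that the address can change.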
system
(system)
Closed
May 19, 2020, 1:55am
12
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.