Caddy stuck at "Activating privacy features"

I want to use AutoTLS for all my websites. It worked until last month, but when I modified some parameters for the proxy yesterday and restarted Caddy, it got stuck at "Activating privacy features" and TCP 80/443 timed out.

Here is my Caddyfile:

https://course-proxy2.buct.edu.cn
{
	gzip 
	tls my@mail
	proxy / backend_IP {
		header_upstream Host course.buct.edu.cn
		keepalive 2800
		policy ip_hash
		fail_timeout 5s
		max_fails 100
		try_duration 2s
		health_check /meol
	}
	rewrite / {
		r ^/$
		to /meol/
	}
	header / Strict-Transport-Security "max-age=31536000;"
	status 204 /favicon.ico
	prometheus {
		address 0.0.0.0:9180
	}
}
https://jwglxt-proxy2.buct.edu.cn 
{
	gzip
	tls my@mail
	proxy / backend_IP {
		header_upstream Host jwglxt.buct.edu.cn
		header_upstream X-Forwarded-Port 80
		header_upstream X-Forwarded-Proto http
		policy ip_hash
		keepalive 1000
		fail_timeout 5s
		max_fails 100
		try_duration 2s
	}
	prometheus {
		address 0.0.0.0:9180
	}
	filter rule {
		content_type text/html.*
		search_pattern </head>
		replacement @/usr/local/bin/jwglxt-proxy2.html
	}
	header / Strict-Transport-Security "max-age=31536000;"
}

But when I replaced "tls my@mail" with "tls crt key", it worked.

Here is my log

    # caddy -conf /usr/local/bin/caddyfile3 -log stdout
    2020/04/01 23:30:30 [INFO] Caddy version: v1.0.4
    Activating privacy features... 
    2020/04/01 23:30:30 [INFO][cache:0xc0000db310] Started certificate maintenance routine
    2020/04/01 23:30:31 [INFO][course-proxy2.buct.edu.cn] Obtain certificate
    2020/04/01 23:30:31 [INFO][course-proxy2.buct.edu.cn] Obtain: Waiting on rate limiter...
    2020/04/01 23:30:31 [INFO][course-proxy2.buct.edu.cn] Obtain: Done waiting
    2020/04/01 23:30:31 [INFO] [course-proxy2.buct.edu.cn] acme: Obtaining bundled SAN certificate
    2020/04/01 23:30:33 [INFO] [course-proxy2.buct.edu.cn] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3675126599
    2020/04/01 23:30:33 [INFO] [course-proxy2.buct.edu.cn] acme: authorization already valid; skipping challenge
    2020/04/01 23:30:33 [INFO] [course-proxy2.buct.edu.cn] acme: Validations succeeded; requesting certificates
    2020/04/01 23:30:37 [INFO] [course-proxy2.buct.edu.cn] Server responded with a certificate.
    2020/04/01 23:30:38 [INFO][jwglxt-proxy2.buct.edu.cn] Obtain certificate
    2020/04/01 23:30:38 [INFO][jwglxt-proxy2.buct.edu.cn] Obtain: Waiting on rate limiter...
    2020/04/01 23:30:38 [INFO][jwglxt-proxy2.buct.edu.cn] Obtain: Done waiting
    2020/04/01 23:30:38 [INFO] [jwglxt-proxy2.buct.edu.cn] acme: Obtaining bundled SAN certificate
    2020/04/01 23:30:39 [INFO] [jwglxt-proxy2.buct.edu.cn] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3697093386
    2020/04/01 23:30:39 [INFO] [jwglxt-proxy2.buct.edu.cn] acme: use tls-alpn-01 solver
    2020/04/01 23:30:39 [INFO] [jwglxt-proxy2.buct.edu.cn] acme: Trying to solve TLS-ALPN-01
    2020/04/01 23:30:51 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3697093386
    2020/04/01 23:30:51 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3697093386
    2020/04/01 23:30:51 [ERROR][jwglxt-proxy2.buct.edu.cn] failed to obtain certificate: acme: Error -> One or more domains had a problem:[jwglxt-proxy2.buct.edu.cn] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up CAA for jwglxt-proxy2.buct.edu.cn - the domain's nameservers may be malfunctioning, url: (attempt 1/3; challenge=tls-alpn-01)
    2020/04/01 23:30:52 [INFO] [jwglxt-proxy2.buct.edu.cn] acme: Obtaining bundled SAN certificate
    2020/04/01 23:30:53 [INFO] [jwglxt-proxy2.buct.edu.cn] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3697096488
    2020/04/01 23:30:53 [INFO] [jwglxt-proxy2.buct.edu.cn] acme: use tls-alpn-01 solver
    2020/04/01 23:30:53 [INFO] [jwglxt-proxy2.buct.edu.cn] acme: Trying to solve TLS-ALPN-01
    2020/04/01 23:31:08 [INFO] [jwglxt-proxy2.buct.edu.cn] The server validated our request
    2020/04/01 23:31:08 [INFO] [jwglxt-proxy2.buct.edu.cn] acme: Validations succeeded; requesting certificates
    2020/04/01 23:31:08 [INFO] [jwglxt-proxy2.buct.edu.cn] Server responded with a certificate.
    2020/04/01 23:31:38 [WARNING] Stapling OCSP: no OCSP stapling for [course-proxy2.buct.edu.cn]: making OCSP request: Post http://ocsp.int-x3.letsencrypt.org: dial tcp 88.191.249.182:80: i/o timeout
    ^C
    2020/04/01 23:31:59 [INFO] SIGINT: Shutting down
    2020/04/01 23:31:59 [INFO][cache:0xc0000db310] Stopped certificate maintenance routine

Thank you for your help! :grinning:

Hi, welcome –

What was the log when it got stuck?

    2020/04/01 23:31:38 [WARNING] Stapling OCSP: no OCSP stapling for [course-proxy2.buct.edu.cn]: making OCSP request: Post http://ocsp.int-x3.letsencrypt.org: dial tcp 88.191.249.182:80: i/o timeout

I think this is the last log line before I shut down the Caddy server.

I tried tcping, but the server gave no response:

    C:\Users\ThinkPad>tcping -t ip 443

    ** Pinging continuously.  Press control-c to stop **

    Probing ip:443/tcp - No response - time=2014.238ms
    Probing ip:443/tcp - No response - time=2005.158ms
    Probing ip:443/tcp - No response - time=2001.582ms
    Probing ip:443/tcp - No response - time=2001.878ms
    Probing ip:443/tcp - No response - time=2011.162ms

What’s the full log, though? Not just one line, please :slight_smile:

Here is my full log:

    # caddy -conf /usr/local/bin/caddyfile3 -log stdout
    2020/04/01 23:30:30 [INFO] Caddy version: v1.0.4
    Activating privacy features... 
    2020/04/01 23:30:30 [INFO][cache:0xc0000db310] Started certificate maintenance routine
    2020/04/01 23:30:31 [INFO][course-proxy2.buct.edu.cn] Obtain certificate
    2020/04/01 23:30:31 [INFO][course-proxy2.buct.edu.cn] Obtain: Waiting on rate limiter...
    2020/04/01 23:30:31 [INFO][course-proxy2.buct.edu.cn] Obtain: Done waiting
    2020/04/01 23:30:31 [INFO] [course-proxy2.buct.edu.cn] acme: Obtaining bundled SAN certificate
    2020/04/01 23:30:33 [INFO] [course-proxy2.buct.edu.cn] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3675126599
    2020/04/01 23:30:33 [INFO] [course-proxy2.buct.edu.cn] acme: authorization already valid; skipping challenge
    2020/04/01 23:30:33 [INFO] [course-proxy2.buct.edu.cn] acme: Validations succeeded; requesting certificates
    2020/04/01 23:30:37 [INFO] [course-proxy2.buct.edu.cn] Server responded with a certificate.
    2020/04/01 23:30:38 [INFO][jwglxt-proxy2.buct.edu.cn] Obtain certificate
    2020/04/01 23:30:38 [INFO][jwglxt-proxy2.buct.edu.cn] Obtain: Waiting on rate limiter...
    2020/04/01 23:30:38 [INFO][jwglxt-proxy2.buct.edu.cn] Obtain: Done waiting
    2020/04/01 23:30:38 [INFO] [jwglxt-proxy2.buct.edu.cn] acme: Obtaining bundled SAN certificate
    2020/04/01 23:30:39 [INFO] [jwglxt-proxy2.buct.edu.cn] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3697093386
    2020/04/01 23:30:39 [INFO] [jwglxt-proxy2.buct.edu.cn] acme: use tls-alpn-01 solver
    2020/04/01 23:30:39 [INFO] [jwglxt-proxy2.buct.edu.cn] acme: Trying to solve TLS-ALPN-01
    2020/04/01 23:30:51 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3697093386
    2020/04/01 23:30:51 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3697093386
    2020/04/01 23:30:51 [ERROR][jwglxt-proxy2.buct.edu.cn] failed to obtain certificate: acme: Error -> One or more domains had a problem:[jwglxt-proxy2.buct.edu.cn] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up CAA for jwglxt-proxy2.buct.edu.cn - the domain's nameservers may be malfunctioning, url: (attempt 1/3; challenge=tls-alpn-01)
    2020/04/01 23:30:52 [INFO] [jwglxt-proxy2.buct.edu.cn] acme: Obtaining bundled SAN certificate
    2020/04/01 23:30:53 [INFO] [jwglxt-proxy2.buct.edu.cn] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3697096488
    2020/04/01 23:30:53 [INFO] [jwglxt-proxy2.buct.edu.cn] acme: use tls-alpn-01 solver
    2020/04/01 23:30:53 [INFO] [jwglxt-proxy2.buct.edu.cn] acme: Trying to solve TLS-ALPN-01
    2020/04/01 23:31:08 [INFO] [jwglxt-proxy2.buct.edu.cn] The server validated our request
    2020/04/01 23:31:08 [INFO] [jwglxt-proxy2.buct.edu.cn] acme: Validations succeeded; requesting certificates
    2020/04/01 23:31:08 [INFO] [jwglxt-proxy2.buct.edu.cn] Server responded with a certificate.
    2020/04/01 23:31:38 [WARNING] Stapling OCSP: no OCSP stapling for [course-proxy2.buct.edu.cn]: making OCSP request: Post http://ocsp.int-x3.letsencrypt.org: dial tcp 88.191.249.182:80: i/o timeout
    ^C
    2020/04/01 23:31:59 [INFO] SIGINT: Shutting down
    2020/04/01 23:31:59 [INFO][cache:0xc0000db310] Stopped certificate maintenance routine

That’s the same log as you already posted… what is the log before that? Since it says "acme: authorization already valid; skipping challenge", it seems that the challenge already occurred at a previous recent run, and you said you had to restart the process? So what were the logs before the restart?

Btw, I recommend upgrading to Caddy 2, which has several relevant and important fixes. :+1:


I found the problem! :grinning:
My ISP, China Telecom, blocked the OCSP domain ocsp.int-x3.letsencrypt.org.
I added the real IP to the hosts file for OCSP, and then it worked! :grinning:


Interesting! Thanks for following up, glad you figured it out!

I just ran into the same problem with Caddy 2 on a server in Mainland China. For the record, this is the line I added to my /etc/hosts file:

    23.215.130.83   ocsp.int-x3.letsencrypt.org

Thanks for the tip @Unknwon!

For anyone finding this later, note that the IP address could very well change…

That’s true. To find the up-to-date IP, run ping ocsp.int-x3.letsencrypt.org on any server outside Mainland China, then use that one.

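As an added example, not code from this thread or from Caddy itself: a small Go program that does the check the last few replies describe by hand. It pulls the responder URL out of Caddy v1's stapling warning, looks for a pin for that hostname in /etc/hosts-style text, and attempts a time-bounded TCP connect, so you see "reached" or a dial error within seconds instead of waiting for Caddy to hang at startup. The warning line and the 23.215.130.83 pin are copied from the posts above and are constructed input here (the pin may well be stale, which is exactly the caveat raised); the names responderFromLog, hostsPin and probe are the example's own. One point worth knowing before pinning: OCSP responses are signed by the CA or its delegated responder, so a wrong IP cannot forge a "good" status, but it can make stapling fail again quietly once the CDN address changes, and that is what the probe is for.

```go
package main

import (
	"bufio"
	"context"
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
	"time"
)

// ProbeResult: which address was tried for a responder URL and whether a TCP connect succeeded in time.
type ProbeResult struct {
	URL, Host, Port string
	Pinned          string   // IP from the hosts-file text, "" if not pinned
	Addrs           []string // addresses actually dialed (pin wins over DNS)
	Reached         bool
	Err             string // last resolve/dial error, "" on success
}

var stapleWarn = regexp.MustCompile(`making OCSP request: Post (https?://\S+?): `)

// responderFromLog extracts the responder URL from a Caddy v1 stapling warning such as
// "... making OCSP request: Post http://ocsp.int-x3.letsencrypt.org: dial tcp ...: i/o timeout".
func responderFromLog(line string) string {
	if m := stapleWarn.FindStringSubmatch(line); m != nil {
		return m[1]
	}
	return ""
}

// hostsPin parses /etc/hosts-style text and returns the first IP mapped to name (case-insensitive).
func hostsPin(hosts, name string) string {
	sc := bufio.NewScanner(strings.NewReader(hosts))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i] // strip trailing comment
		}
		f := strings.Fields(line)
		if len(f) < 2 || net.ParseIP(f[0]) == nil {
			continue
		}
		for _, n := range f[1:] {
			if strings.EqualFold(n, name) {
				return f[0]
			}
		}
	}
	return ""
}

// probe resolves the responder host (pinned IP first, system DNS otherwise) and dials the URL's port, bounded by timeout.
func probe(rawURL, hosts string, timeout time.Duration) ProbeResult {
	res := ProbeResult{URL: rawURL}
	u, err := url.Parse(rawURL)
	if err != nil {
		res.Err = err.Error()
		return res
	}
	res.Host, res.Port = u.Hostname(), u.Port()
	if res.Port == "" {
		res.Port = "80"
		if u.Scheme == "https" {
			res.Port = "443"
		}
	}
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	if pin := hostsPin(hosts, res.Host); pin != "" {
		res.Pinned, res.Addrs = pin, []string{pin}
	} else if addrs, err := net.DefaultResolver.LookupHost(ctx, res.Host); err != nil {
		res.Err = "resolve: " + err.Error()
		return res
	} else {
		res.Addrs = addrs
	}
	d := net.Dialer{Timeout: timeout}
	for _, a := range res.Addrs {
		conn, err := d.DialContext(ctx, "tcp", net.JoinHostPort(a, res.Port))
		if err != nil {
			res.Err = err.Error() // keep the last failure for the report
			continue
		}
		conn.Close()
		res.Reached, res.Err = true, ""
		break
	}
	return res
}

func main() {
	// Constructed inputs: warning line and hosts pin copied from this thread; the IP is the one posted, not a verified current address.
	const warn = `2020/04/01 23:31:38 [WARNING] Stapling OCSP: no OCSP stapling for [course-proxy2.buct.edu.cn]: making OCSP request: Post http://ocsp.int-x3.letsencrypt.org: dial tcp 88.191.249.182:80: i/o timeout`
	const hosts = "127.0.0.1 localhost\n23.215.130.83 ocsp.int-x3.letsencrypt.org # OCSP pin\n"
	r := probe(responderFromLog(warn), hosts, 3*time.Second)
	fmt.Printf("%s -> pinned=%q addrs=%v reached=%v err=%q\n", r.URL, r.Pinned, r.Addrs, r.Reached, r.Err)
}
```

Run it on the server that fails: with an empty hosts string it exercises the system resolver and shows which addresses it returned and whether any of them accept a connection on port 80; with the pin it tells you whether the pinned address still answers, which is the check to repeat whenever stapling warnings reappear after the override.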
