Caddy tries to talk to lets-encrypt for "tls internal" domains

1. The problem I’m having:

Hey! I’ve been using Caddy for quite some time as a LetsEncrypt-using reverse proxy for my public-facing website. Now, I also wanted to use it for my home network’s observability stack. Therefore, I configured the domain I use locally for my services (*.msanft.home) to use internal TLS (tls internal). However, as per the logs, Caddy still seems to try to obtain certificates from LetsEncrypt, which, due to the TLD, fails.

I wondered whether this is a precedence issue and tried adding tls internal to all affected domains individually, but that didn’t help either.

I’m quite sure that this is a configuration issue on my side. What part am I missing here?

2. Error messages and/or full log output:

Jul 26 21:00:30 zeitgeist systemd[1]: Started Caddy.
Jul 26 21:00:31 zeitgeist caddy[183612]: {"level":"error","ts":1722027631.9028296,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"prometheus.msanft.home","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid identifiers requested :: Cannot issue for \"prometheus.msanft.home\": Domain name does not end with a valid public suffix (TLD)"}
Jul 26 21:00:31 zeitgeist caddy[183612]: {"level":"error","ts":1722027631.9046938,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"grafana.msanft.home","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid identifiers requested :: Cannot issue for \"grafana.msanft.home\": Domain name does not end with a valid public suffix (TLD)"}
Jul 26 21:00:31 zeitgeist caddy[183612]: {"level":"error","ts":1722027631.9082105,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"loki.msanft.home","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid identifiers requested :: Cannot issue for \"loki.msanft.home\": Domain name does not end with a valid public suffix (TLD)"}
Jul 26 21:00:32 zeitgeist caddy[183612]: {"level":"error","ts":1722027632.3889997,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"grafana.msanft.home","issuer":"acme.zerossl.com-v2-DV90","error":"[grafana.msanft.home] creating new order: attempt 1: https://acme.zerossl.com/v2/DV90/newOrder: HTTP 429: <html>\r\n<head><title>429 Too Many Requests</title></head>\r\n<body>\r\n<center><h1>429 Too Many Requests</h1></center>\r\n<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n (ca=https://acme.zerossl.com/v2/DV90)"}
Jul 26 21:00:32 zeitgeist caddy[183612]: {"level":"error","ts":1722027632.389193,"logger":"tls.obtain","msg":"will retry","error":"[grafana.msanft.home] Obtain: [grafana.msanft.home] creating new order: attempt 1: https://acme.zerossl.com/v2/DV90/newOrder: HTTP 429: <html>\r\n<head><title>429 Too Many Requests</title></head>\r\n<body>\r\n<center><h1>429 Too Many Requests</h1></center>\r\n<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":1.470955232,"max_duration":2592000}
Jul 26 21:00:32 zeitgeist caddy[183612]: {"level":"error","ts":1722027632.6411288,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"loki.msanft.home","issuer":"acme.zerossl.com-v2-DV90","error":"HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - DNS identifier is invalid [loki.msanft.home]"}
Jul 26 21:00:32 zeitgeist caddy[183612]: {"level":"error","ts":1722027632.6412282,"logger":"tls.obtain","msg":"will retry","error":"[loki.msanft.home] Obtain: [loki.msanft.home] creating new order: attempt 1: https://acme.zerossl.com/v2/DV90/newOrder: HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - DNS identifier is invalid [loki.msanft.home] (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":1.723024814,"max_duration":2592000}
Jul 26 21:00:32 zeitgeist caddy[183612]: {"level":"error","ts":1722027632.6444054,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"prometheus.msanft.home","issuer":"acme.zerossl.com-v2-DV90","error":"HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - DNS identifier is invalid [prometheus.msanft.home]"}
Jul 26 21:00:32 zeitgeist caddy[183612]: {"level":"error","ts":1722027632.6445076,"logger":"tls.obtain","msg":"will retry","error":"[prometheus.msanft.home] Obtain: [prometheus.msanft.home] creating new order: attempt 1: https://acme.zerossl.com/v2/DV90/newOrder: HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - DNS identifier is invalid [prometheus.msanft.home] (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":1.726304095,"max_duration":2592000}

3. Caddy version:

2.8.4

4. How I installed and ran Caddy:

NixOS (systemd)

a. System environment:

Linux zeitgeist 6.8.4 #1-NixOS SMP PREEMPT_DYNAMIC Thu Apr 4 18:25:06 UTC 2024 x86_64 GNU/Linux

systemd 255 (255.6)

b. Command:

caddy run --config /etc/caddy/caddy_config --adapter caddyfile

d. My complete Caddy config:

{
	email certs@msanft.foo

	log {
		level ERROR
	}
}

*.msanft.home {
	log {
		output file /var/log/caddy/access-*.msanft.home.log
	}

	tls internal
}

grafana.msanft.home {
	log {
		output file /var/log/caddy/access-grafana.msanft.home.log
	}

	reverse_proxy localhost:3030
}

loki.msanft.home {
	log {
		output file /var/log/caddy/access-loki.msanft.home.log
	}

	reverse_proxy localhost:3100
}

msanft.foo www.msanft.foo {
	log {
		output file /var/log/caddy/access-msanft.foo.log
	}

	metrics
	encode gzip
	root * /nix/store/s32walvhg06gqy4d48m43fv9jzvahcxs-homepage
	file_server
}

pad.msanft.foo {
	log {
		output file /var/log/caddy/access-pad.msanft.foo.log
	}

	reverse_proxy localhost:3000
}

prometheus.msanft.home {
	log {
		output file /var/log/caddy/access-prometheus.msanft.home.log
	}

	reverse_proxy localhost:9090
}

5. Links to relevant resources:

Welcome!

This site block does not have tls internal so it does not use the internal issuer (because it does not look like an internal hostname).


Hey!

Thanks for responding.

So the wildcard does not take precedence over the “unset” option in the actual subdomains.

By looking at the code in certmagic, it seems to me that I can do .localhost, .home.arpa, or .local (which might clash with mDNS).

Is there an idiomatic way to specify the internal issuer for a group of domains (e.g. through a wildcard match)? I’m aware of the top-level local_certs, but I’d ideally only want to apply it to a part of the domains configured.

Thanks in advance!

Correct, site blocks are separate in the Caddyfile; not cascading.

The JSON config gives you this kind of flexibility over your configuration! You can specify an automation policy for any number of domains.
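As an added illustration (not from the thread or from Caddy's own documentation), this is what such an automation policy looks like as a fragment of the tls app in Caddy's JSON config. It assumes the hostnames and the email address from the Caddyfile above, and that the rest of the config (the http app with the routes) is supplied separately.

```json
{
  "apps": {
    "tls": {
      "automation": {
        "policies": [
          {
            "subjects": ["*.msanft.home"],
            "issuers": [
              { "module": "internal" }
            ]
          },
          {
            "issuers": [
              { "module": "acme", "email": "certs@msanft.foo" }
            ]
          }
        ]
      }
    }
  }
}
```

Policies are tried in order and the first match wins, so the internal policy has to come before the catch-all one (no subjects) that keeps msanft.foo and pad.msanft.foo on ACME, and the wildcard subject covers grafana, loki and prometheus.msanft.home. To get a starting point for the full JSON, run caddy adapt --config /etc/caddy/caddy_config --adapter caddyfile against the existing Caddyfile and then add the policy list above.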

