1. Caddy version (caddy version):
```
lee@compute01:~/docker/caddy_broken_test$ docker run --rm --name=caddy_test -it caddy_test caddy version
v2.1.1 => /src/caddy
```
2. How I run Caddy:
I’m just trying to get a wildcard cert working with Caddy using cloudflare, my domain is leeroy.xyz. I have followed this and given zone:read, and dns:edit for all zones and all accounts.
To elaborate a bit more on how I’ve implemented, I’m using docker on ubuntu, and am using a dockerfile to build a docker image which combines the official caddy docker image, and runs caddy-builder to replace the caddy binary so it includes dns cloudflare functionality.
^^ If there’s a better way by the way, I’m all ears. It took me a while to get this far so I assume I’m not doing it the easiest way.
Image builds, docker runs, it tries to list zones to start doing DNS-01 business, and fails due to permissions listing zones. I have since implemented it using certbot to grab certificates, and statically linked certificate files, but this is not desirable.
I would like to help find this problem and fix it.
a. System environment:
Docker 19.03.11 & Ubuntu 20.04, just trying to run manually, systemd/cron not involved.
```
lee@compute01:~/docker/caddy_broken_test$ docker --version
Docker version 19.03.11, build 42e35e61f3
lee@compute01:~/docker/caddy_broken_test$ lsb_release -d
Description: Ubuntu 20.04 LTS
```
b. Command:
Docker commands:
```
docker build -t caddy_test .
docker run --rm --name=caddy_test \
  -it -p 8080:80 -p 8443:443 \
  -v "$(pwd)/Caddyfile":/etc/caddy/Caddyfile \
  -v "$(pwd)/caddy_data":/data \
  -e CLOUDFLARE_API_TOKEN='redacted' \
  caddy_test
```
c. Service/unit/compose file:
Dockerfile:
```
# Build stage: compile a Caddy binary that includes the Cloudflare DNS provider module
FROM caddy:builder AS builder
RUN caddy-builder \
    github.com/caddy-dns/cloudflare

# Runtime stage: official image, with its stock binary replaced by the custom build
FROM caddy:alpine
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
```
d. My complete Caddyfile or JSON config:
Caddyfile:
```
{
    acme_ca "https://acme-staging-v02.api.letsencrypt.org/directory"
}

(wildcard_cert) {
    tls {
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    }
}

*.leeroy.xyz {
    import wildcard_cert
    respond "Hello, world!"
}
```
3. The problem I’m having:
I’m just trying to get a wildcard cert working with Caddy using cloudflare, and it fails when it tries to list zones doing DNS-01 business. I have followed this and given zone:read, and dns:edit for all zones and all accounts.
Image builds, docker runs, it tries to list zones to start doing DNS-01 business, and fails due to permissions listing zones.
4. Error messages and/or full log output:
```
lee@compute01:~/docker/caddy_broken_test$ docker run --rm --name=caddy_test -it -v "$(pwd)/Caddyfile":/etc/caddy/Caddyfile -v "$(pwd)/caddy_data":/data -e CLOUDFLARE_API_TOKEN='REDACTED' caddy_test
2020/07/16 11:48:50.966 INFO using provided configuration {"config_file": "/etc/caddy/Caddyfile", "config_adapter": "caddyfile"}
2020/07/16 11:48:50.969 INFO admin admin endpoint started {"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["[::1]:2019", "127.0.0.1:2019", "localhost:2019"]}
2020/07/16 11:48:50.969 INFO http server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2020/07/16 11:48:50.969 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
2020/07/16 11:48:50 [INFO][cache:0xc0002ef260] Started certificate maintenance routine
2020/07/16 11:48:50.971 INFO tls cleaned up storage units
2020/07/16 11:48:50.971 INFO http enabling automatic TLS certificate management {"domains": ["*.leeroy.xyz"]}
2020/07/16 11:48:50.972 INFO autosaved config {"file": "/config/caddy/autosave.json"}
2020/07/16 11:48:50.972 INFO serving initial configuration
2020/07/16 11:48:50 [INFO][*.leeroy.xyz] Obtain certificate; acquiring lock...
2020/07/16 11:48:50 [INFO][*.leeroy.xyz] Obtain: Lock acquired; proceeding...
2020/07/16 11:48:52 [INFO][*.leeroy.xyz] Waiting on rate limiter...
2020/07/16 11:48:52 [INFO][*.leeroy.xyz] Done waiting
2020/07/16 11:48:52 [INFO] [*.leeroy.xyz] acme: Obtaining bundled SAN certificate given a CSR
2020/07/16 11:48:53 [INFO] [*.leeroy.xyz] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/78193488
2020/07/16 11:48:53 [INFO] [*.leeroy.xyz] acme: use dns-01 solver
2020/07/16 11:48:53 [INFO] [*.leeroy.xyz] acme: Preparing to solve DNS-01
2020/07/16 11:48:54 [INFO] [*.leeroy.xyz] acme: Cleaning DNS-01 challenge
2020/07/16 11:48:54 [WARN] [*.leeroy.xyz] acme: cleaning up failed: no memory of presenting a DNS record for leeroy.xyz
2020/07/16 11:48:54 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/78193488
2020/07/16 11:48:55 [ERROR] error: one or more domains had a problem:
[*.leeroy.xyz] [*.leeroy.xyz] acme: error presenting token: got error status: HTTP 403: [{Code:0 Message:Actor 'com.cloudflare.api.token.REDACTED' requires permission 'com.cloudflare.api.account.zone.list' to list zones}]
(challenge=dns-01 remaining=[])
2020/07/16 11:48:57 [ERROR] attempt 1: [*.leeroy.xyz] Obtain: [*.leeroy.xyz] error: one or more domains had a problem:
[*.leeroy.xyz] [*.leeroy.xyz] acme: error presenting token: got error status: HTTP 403: [{Code:0 Message:Actor 'com.cloudflare.api.token.REDACTED' requires permission 'com.cloudflare.api.account.zone.list' to list zones}]
- retrying in 1m0s (6.237607754s/720h0m0s elapsed)...
^C2020/07/16 11:48:58.526 INFO shutting down {"signal": "SIGINT"}
2020/07/16 11:48:58 [INFO][cache:0xc0002ef260] Stopped certificate maintenance routine
2020/07/16 11:48:58 [INFO][*.leeroy.xyz] Obtain: Releasing lock
2020/07/16 11:48:58.527 INFO admin stopped previous server
2020/07/16 11:48:58.527 INFO shutdown done {"signal": "SIGINT"}
```
5. What I already tried:
I have tried simplifying my config as much as humanly possible to demonstrate the problem and make it easy to reproduce.
I repeated the process on macOS, same behaviour.
I have tumbled and also tried recreating the API token, although I can prove the token is ok:
```
lee@compute01:~/docker/caddy_broken_test$ curl -sX GET "https://api.cloudflare.com/client/v4/zones?match=all" -H "Authorization: Bearer REDACTED" -H "Content-Type:application/json" | jq '.result[] | {id: .id, name: .name}'
{
  "id": "235ccec4ab265bc87340273aa5d7da46",
  "name": "leeroy.xyz"
}
```
6. Links to relevant resources:
Specify Zone ID · Issue #2 · caddy-dns/cloudflare · GitHub ← I believe this would sort my issues, but I am not a programmer. I’ve stared at Go, and I’m just not capable of contributing.
[DNS mode] Cloudflare New API Tokens · Issue #2398 · acmesh-official/acme.sh · GitHub ← some robust conversation in the acme.sh issues section about the same thing
Please help!
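The failure in the log above is a DNS provider rejecting the ACME client's API call because the token lacks a scope, which is worth catching automatically when Caddy runs unattended. Below is an added example (not from the post or from Caddy) that scans Caddy log output for the `acme: error presenting token` line, pulls out the domain, HTTP status, acting token and the permission the provider says is missing, and deduplicates the retries; the sample log is built from the lines quoted in this thread, and the line format it matches is assumed from them.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches the ACME "error presenting token" line Caddy emits when the DNS
# provider rejects the API call made while solving a DNS-01 challenge.
# Format assumed from the log lines quoted in this thread.
ACME_DNS_ERR = re.compile(
    r"\[(?P<domain>[^\]]+)\]\s+acme: error presenting token: got error status: "
    r"HTTP (?P<status>\d{3}): \[\{Code:(?P<code>\d+) Message:(?P<message>.*?)\}\]"
)
# Cloudflare's message names the acting token and the scope it is missing.
CF_PERMISSION = re.compile(
    r"Actor '(?P<actor>[^']+)' requires permission '(?P<permission>[^']+)'"
)

# Constructed sample: the relevant lines from the log in this thread.
SAMPLE_LOG = """\
2020/07/16 11:48:53 [INFO] [*.leeroy.xyz] acme: use dns-01 solver
2020/07/16 11:48:55 [ERROR] error: one or more domains had a problem:
[*.leeroy.xyz] [*.leeroy.xyz] acme: error presenting token: got error status: HTTP 403: [{Code:0 Message:Actor 'com.cloudflare.api.token.REDACTED' requires permission 'com.cloudflare.api.account.zone.list' to list zones}]
(challenge=dns-01 remaining=[])
2020/07/16 11:48:57 [ERROR] attempt 1: [*.leeroy.xyz] Obtain: [*.leeroy.xyz] error: one or more domains had a problem:
[*.leeroy.xyz] [*.leeroy.xyz] acme: error presenting token: got error status: HTTP 403: [{Code:0 Message:Actor 'com.cloudflare.api.token.REDACTED' requires permission 'com.cloudflare.api.account.zone.list' to list zones}]
- retrying in 1m0s (6.237607754s/720h0m0s elapsed)...
"""

@dataclass(frozen=True)
class Dns01Failure:
    domain: str
    http_status: int
    actor: Optional[str]            # token id the provider saw, if reported
    missing_permission: Optional[str]  # scope the provider says is missing

def parse_dns01_failures(log_text: str) -> List[Dns01Failure]:
    """Return one record per distinct DNS-01 provider rejection in the log."""
    out: List[Dns01Failure] = []
    for line in log_text.splitlines():
        m = ACME_DNS_ERR.search(line)
        if not m:
            continue
        perm = CF_PERMISSION.search(m.group("message"))
        rec = Dns01Failure(
            domain=m.group("domain"),
            http_status=int(m.group("status")),
            actor=perm.group("actor") if perm else None,
            missing_permission=perm.group("permission") if perm else None,
        )
        if rec not in out:  # retries repeat the same error; report it once
            out.append(rec)
    return out
```

A token that fails here with 403 is a scope problem on the token itself, not a Caddy configuration error, so the `missing_permission` field is the thing to act on.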