Caddy won't renew certs (again)

deip · January 17, 2025, 12:21am

Hi, about one month ago I opened an issue on GH regarding Caddy failing to renew my certs.

renew cert issue

opened 01:39PM - 03 Dec 24 UTC

closed 12:36PM - 04 Dec 24 UTC

Hi, recently As it is managed Now we are Also I can ``` {"level":"info","ts {"level":"info","ts {"level":"info","ts 2024/12/03 13:11:26 2024/12/03 13:11:26 2024/12/03 13:11:26 2024/12/03 13:11:26 2024/12/03 13:11:26 2024/12/03 13:11:26 2024/12/03 13:11:26 2024/12/03 13:11:26 2024/12/03 13:11:26 {"level":"info","ts 2024/12/03 13:11:26 2024/12/03 13:11:26 2024/12/03 13:11:26 2024/12/03 13:11:26 2024/12/03 13:11:26 2024/12/03 13:11:26 2024/12/03 13:11:26 2024/12/03 13:11:26 2024/12/03 13:11:26 2024/12/03 13:11:26 2024/12/03 13:11:26 2024/12/03 13:11:26 2024/12/03 13:11:26 2024/12/03 13:11:26 2024/12/03 13:11:26 2024/12/03 13:11:26 2024/12/03 13:11:26 2024/12/03 13:11:26 2024/12/03 13:11:26 2024/12/03 13:11:27 2024/12/03 13:11:27 2024/12/03 13:11:27 2024/12/03 13:11:27 2024/12/03 13:13:31 2024/12/03 13:13:31 2024/12/03 13:14:31 2024/12/03 13:14:31 2024/12/03 13:14:32 2024/12/03 13:16:35 2024/12/03 13:16:35 ``` Is that expected? my config _redacted_ ``` { email me@gmail.com dynamic_dns { provider domains { mydomain.fr } check_interval 10m versions ipv4 dynamic_domains } servers { metrics } # debug } *.mydomain.fr, mydomain.fr { tls { dns cloudflare } [...] ``` I started to receive emails from Let's Encrypt _certificate expirat…ion notice_ regarding cert for my wildcare domain about to expire soon. by caddy (running in as docker container) I thought caddy will automatically renew it. a few days after the expiration deadline but caddy didnt renewed it and my cert are not valid anymore. see a bunch of errors in caddy logs ":1733231486.255284,"msg":"using config from file","file":"/etc/caddy/Caddyfile"} ":1733231486.2589455,"msg":"adapted config to JSON","adapter":"caddyfile"} ":1733231486.2598727,"msg":"redirected default logger","from":"stderr","to":"stdout"} INFO admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["//[::1]:2019", "//127.0.0.1:2019", "//localhost:2019"]} INFO tls.cache.maintenance started background certificate maintenance {"cache": "0xc00071fb80"} INFO http.auto_https server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv1", "https_port": 443} INFO http.auto_https enabling automatic HTTP->HTTPS redirects {"server_name": "srv1"} INFO crowdsec initializing streaming bouncer {"instance_id": "1234"} INFO crowdsec using API key auth {"instance_id": "1234", "address": "http://crowdsec:8080/"} INFO crowdsec started {"instance_id": "1234"} INFO http.log server running {"name": "srv0", "protocols": ["h1", "h2", "h3"]} INFO http enabling HTTP/3 listener {"addr": ":443"} ":1733231486.2620034,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 7168 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."} INFO dynamic_dns Loaded dynamic domains {"domains": ["*.mydomain.fr", "mydomain.fr"]} INFO dynamic_dns Adding dynamic domain {"domain": "*"} INFO dynamic_dns Adding dynamic domain {"domain": "@"} INFO http.log server running {"name": "srv1", "protocols": ["h1", "h2", "h3"]} INFO http.log server running {"name": "srv2", "protocols": ["h1", "h2", "h3"]} INFO http.log server running {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]} INFO http enabling automatic TLS certificate management {"domains": ["mydomain.fr", "*.mydomain.fr"]} WARN tls stapling OCSP {"error": "no OCSP stapling for [*.mydomain.fr]: parsing OCSP response: ocsp: error from server: unauthorized", "identifiers": ["*.mydomain.fr"]} INFO tls certificate needs renewal based on ARI window {"subjects": ["*.mydomain.fr"], "expiration": "2024/11/29 09:15:23", "ari_cert_id": "qsdlfkjqsmdfjqsm", "next_ari_update": "2024/12/03 18:23:28", "renew_check_interval": 600, "window_start": "2024/10/29 09:34:52", "window_end": "2024/10/31 09:34:52", "selected_time": "2024/10/30 16:09:40", "renewal_cutoff": "2024/10/30 15:59:40"} INFO autosaved config (load with --resume flag) {"file": "/config/caddy/autosave.json"} INFO serving initial configuration INFO tls.renew acquiring lock {"identifier": "*.mydomain.fr"} INFO tls.renew lock acquired {"identifier": "*.mydomain.fr"} INFO tls storage cleaning happened too recently; skipping for now {"storage": "FileStorage:/data/caddy", "instance": "qsdjhfqskdfhqsd", "try_again": "2024/12/04 13:11:26", "try_again_in": 86399.999999577} INFO tls finished cleaning storage units INFO tls.renew renewing certificate {"identifier": "*.mydomain.fr", "remaining": -359763.565185262} INFO tls.issuance.acme waiting on internal rate limiter {"identifiers": ["*.mydomain.fr"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "me@gmail.com"} INFO tls.issuance.acme done waiting on internal rate limiter {"identifiers": ["*.mydomain.fr"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "me@gmail.com"} INFO tls.issuance.acme using ACME account {"account_id": "https://acme-v02.api.letsencrypt.org/acme/acct/1111", "account_contact": ["mailto:me@gmail.com"]} INFO tls.issuance.acme.acme_client trying to solve challenge {"identifier": "*.mydomain.fr", "challenge_type": "dns-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"} INFO dynamic_dns domain not found in DNS {"domain": "mydomain.fr"} INFO dynamic_dns domain not found in DNS {"domain": "*.mydomain.fr"} INFO dynamic_dns domain not found in DNS {"domain": "mydomain.fr"} ERROR tls.renew could not get certificate from issuer {"identifier": "*.mydomain.fr", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[*.mydomain.fr] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-v02.api.letsencrypt.org/acme/order/1111/111) (ca=https://acme-v02.api.letsencrypt.org/directory)"} ERROR tls.renew will retry {"error": "[*.mydomain.fr] Renew: [*.mydomain.fr] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-v02.api.letsencrypt.org/acme/order/1111/111) (ca=https://acme-v02.api.letsencrypt.org/directory)", "attempt": 1, "retrying_in": 60, "elapsed": 124.610196519, "max_duration": 2592000} INFO tls.renew renewing certificate {"identifier": "*.mydomain.fr", "remaining": -359948.17783085} INFO tls.issuance.acme using ACME account {"account_id": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/1234", "account_contact": ["mailto:me@gmail.com"]} INFO tls.issuance.acme.acme_client trying to solve challenge {"identifier": "*.mydomain.fr", "challenge_type": "dns-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"} ERROR tls.renew could not get certificate from issuer {"identifier": "*.mydomain.fr", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[*.mydomain.fr] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/111/111) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"} ERROR tls.renew will retry {"error": "[*.mydomain.fr] Renew: [*.mydomain.fr] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/111/111) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)", "attempt": 2, "retrying_in": 120, "elapsed": 308.595021981, "max_duration": 2592000} cloudflare {env.CLOUDFLARE_API_TOKEN} {env.CLOUDFLARE_API_TOKEN}

Then suddently the problem was gone before I managed to really understand the root cause. But, since few days ago the issue is back. Definitly Caddy is failing to auto renew the certs for some reasons, related to DNS failure.
Few days ago I received some email from expiry@letsencrypt.org

Your certificate (or certificates) for the names listed below will expire in x days (on x date). Please make sure to renew your certificate before then, or visitors to your web site will encounter errors.

In caddy logs I can see the related errors:

ERROR   tls.renew       could not get certificate from issuer   {"identifier": "mydomain.fr", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[mydomain.fr] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-v02.api.letsencrypt.org/acme/order/1197323837/345101897055) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
ERROR   tls.renew       will retry      {"error": "[mydomain.fr] Renew: [mydomain.fr] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-v02.api.letsencrypt.org/acme/order/1234/1234) (ca=https://acme-v02.api.letsencrypt.org/directory)", "attempt": 1, "retrying_in": 60, "elapsed": 123.673620015, "max_duration": 2592000}

### it even endup being rate limited ###

ERROR   tls.renew       will retry      {"error": "[mydomain.fr] Renew: [mydomain.fr] creating new order: attempt 1: https://acme-v02.api.letsencrypt.org/acme/new-order: HTTP 429 urn:ietf:params:acme:error:rateLimited - too many failed authorizations (5) for \"mydomain.fr\" in the last 1h0m0s, retry after 2025-01-16 23:23:23 UTC: see https://letsencrypt.org/docs/rate-limits/#authorization-failures-per-hostname-per-account (ca=https://acme-v02.api.letsencrypt.org/directory)", "attempt": 4, "retrying_in": 300, "elapsed": 316.281999645, "max_duration": 2592000}

As a reminder Im running caddy as a docker container on a Linux host. There is nothing special with the host DNS setup. Just using the classic raw /etc/resolv.conf with some nameserver. Same for docker DNS config. Basically it’s whatever is the default.
The only thing DNS related is that I expose and run my own dns server (blocky) via a docker container too (on the same host). Which maps at host level on port 53. But it is not the the dns server used by the host for dns query resolution.

My Caddyfile (simplified)

{
	email me@me.me

	dynamic_dns {
		provider cloudflare {env.CLOUDFLARE_API_TOKEN}
		domains {
			mydomain.fr
		}
		check_interval 10m
		versions ipv4
		dynamic_domains
	}

	crowdsec {
    ...
	}
	order crowdsec first
}

*.mydomain.fr, mydomain.fr {
	tls {
		dns cloudflare {env.CLOUDFLARE_API_TOKEN}
	}
  ...
}

Any idea?

caddy v2.9.1 h1:OEYiZ7DbCzAWVb6TNEkjRcSCRGHVoZsJinoDR/n9oaY=
using cloudflare and GitHub - caddy-dns/cloudflare: Caddy module: dns.providers.cloudflare module to manage DNS zones and records
also using GitHub - mholt/caddy-dynamicdns: Caddy app that keeps your DNS records (A/AAAA) pointed at itself.

Mohammed90 · January 17, 2025, 12:48pm

Have you checked your certificates? You aren’t sharing the real domain, so we can’t check the certificate transparency log, but it’s very possible Caddy couldn’t renew the cert of Let’s Encrypt and got one from ZeroSSL.

Mohammed90 · January 17, 2025, 4:51pm

The error is from Caddy saying it cannot see the DNS record propagated properly. In the DNS01 challenge, Caddy sets a TXT record with some value, and it tells the CA to check that record for verification. However, for robustness, Caddy doesn’t tell the CA to check until Caddy itself can see it by querying DNS for that specific TXT record. What’s happening is that Caddy doesn’t see the record, so it thinks DNS failed to propagate properly. It keeps checking for certain duration, then cancels it after a pre-defined (though configurable) timeout.

The default timeout for propagation_timeout is 2 minutes. You can increase that value. You can also configure propagation_delay to tell Caddy to wait before checking DNS for propagation, otherwise Caddy checks immediately.

This is more of a combination of DNS and network issue. Though there’s been an increase of these experiences. I wonder if we should increase the default timeout or change the default delay.

deip · January 17, 2025, 10:23pm

Hi @Mohammed90 and thx for the help.
So I increased the timeout duration to 10m (not sure what kind of value I’m supposed to use so letme know) and even set the DNS resolvers used by the challenge:

	tls {
		dns cloudflare {env.CLOUDFLARE_API_TOKEN}
		resolvers 1.1.1.1
		propagation_delay 10m
	}

then reloaded Caddy to take the changes into account.

But after some time, the issue seems not fixed as I still see the errors in the logs

2025/01/17 22:06:14     INFO    tls.renew       renewing certificate    {"identifier": "my.fr", "remaining": 918732.316684333}
2025/01/17 22:06:14     INFO    tls.issuance.acme       using ACME account      {"account_id": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/1234", "account_contact": ["mailto:me@me.me"]}
2025/01/17 22:06:15     INFO    authorization finalized {"identifier": "my.fr", "authz_status": "valid"}
2025/01/17 22:06:15     INFO    validations succeeded; finalizing order {"order": "https://acme-staging-v02.api.letsencrypt.org/acme/order/12234/1234"}
2025/01/17 22:06:19     INFO    got renewal info        {"names": ["my.fr"], "window_start": "2025/03/17 21:27:15", "window_end": "2025/03/19 21:27:15", "selected_time": "2025/03/17 23:06:36", "recheck_after": "2025/01/18 04:06:19", "explanation_url": ""}
2025/01/17 22:06:19     INFO    got renewal info        {"names": ["my.fr"], "window_start": "2025/03/17 21:27:15", "window_end": "2025/03/19 21:27:15", "selected_time": "2025/03/18 22:10:39", "recheck_after": "2025/01/18 04:06:19", "explanation_url": ""}
2025/01/17 22:06:19     INFO    successfully downloaded available certificate chains    {"count": 2, "first_url": "https://acme-staging-v02.api.letsencrypt.org/acme/cert/1234"}
2025/01/17 22:06:19     INFO    tls.issuance.acme       waiting on internal rate limiter        {"identifiers": ["my.fr"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "me@me.me"}
2025/01/17 22:06:19     INFO    tls.issuance.acme       done waiting on internal rate limiter   {"identifiers": ["my.fr"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "me@me.me"}
2025/01/17 22:06:19     INFO    tls.issuance.acme       using ACME account      {"account_id": "https://acme-v02.api.letsencrypt.org/acme/acct/1234", "account_contact": ["mailto:me@me.me"]}
2025/01/17 22:06:20     INFO    trying to solve challenge       {"identifier": "my.fr", "challenge_type": "dns-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2025/01/17 22:08:07     INFO    dynamic_dns     Loaded dynamic domains  {"domains": ["*.my.fr", "my.fr"]}
2025/01/17 22:08:07     INFO    dynamic_dns     Adding dynamic domain   {"domain": "*"}
2025/01/17 22:08:07     INFO    dynamic_dns     Adding dynamic domain   {"domain": "@"}
2025/01/17 22:08:22     ERROR   tls.renew       could not get certificate from issuer   {"identifier": "my.fr", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[my.fr] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-v02.api.letsencrypt.org/acme/order/1234/1234) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
2025/01/17 22:08:22     INFO    tls.renew       releasing lock  {"identifier": "my.fr"}
2025/01/17 22:08:22     ERROR   tls     job failed      {"error": "[my.fr] [my.fr] Renew: [my.fr] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-v02.api.letsencrypt.org/acme/order/1234/1234) (ca=https://acme-v02.api.letsencrypt.org/directory)"}

deip · January 17, 2025, 11:14pm

Ah finally it seems that it worked (after a few more unsuccessful attempts)

INFO    tls.renew       certificate renewed successfully