Caddy worked until last restart

FROM caddy:2.4.5

How I run Caddy:
Starting a Docker container with Caddyfile:

  https://app.ripapp.it {

      tls ripappbrescia@gmail.com

      reverse_proxy /* {
         to backend:48795
         flush_interval -1
      }
  }

And Dockerfile:

  FROM caddy:2.4.5

  COPY Caddyfile /etc/caddy/Caddyfile
  ENV ACME_AGREE=true
  EXPOSE 443

System environment:
The OS is Debian, the application server is Apache, and Docker has 3 containers and a network.
Caddy container points to a Spring Boot application container called backend.

The problem I’m having:
I am new to Caddy. The system was working until yesterday (the certificate was already expired, but I use it to call a REST API in the development phase, so I can also accept an expired certificate).
I accidentally stopped the Docker container with Caddy and I am not able to restart it anymore.

Error messages and/or full log output:

2022-02-24T00:49:13.077709051Z 2022/02/24 00:49:13.077 INFO using provided configuration {"config_file": "/etc/caddy/Caddyfile", "config_adapter": "caddyfile"}
2022-02-24T00:49:13.080517683Z 2022/02/24 00:49:13.080 WARN input is not formatted with 'caddy fmt' {"adapter": "caddyfile", "file": "/etc/caddy/Caddyfile", "line": 2}
2022-02-24T00:49:13.082483777Z 2022/02/24 00:49:13.082 INFO admin admin endpoint started {"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["localhost:2019", "[::1]:2019", "127.0.0.1:2019"]}
2022-02-24T00:49:13.083012379Z 2022/02/24 00:49:13.082 INFO http server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2022-02-24T00:49:13.083044007Z 2022/02/24 00:49:13.082 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
2022-02-24T00:49:13.083262915Z 2022/02/24 00:49:13.082 INFO tls.cache.maintenance started background certificate maintenance {"cache": "0xc0003bdb90"}
2022-02-24T00:49:13.088176927Z 2022/02/24 00:49:13.087 INFO tls cleaning storage unit {"description": "FileStorage:/data/caddy"}
2022-02-24T00:49:13.088214299Z 2022/02/24 00:49:13.087 INFO tls finished cleaning storage units
2022-02-24T00:49:13.088566440Z 2022/02/24 00:49:13.088 INFO http enabling automatic TLS certificate management {"domains": ["app.ripapp.it"]}
2022-02-24T00:49:13.089217858Z 2022/02/24 00:49:13.088 INFO autosaved config (load with --resume flag) {"file": "/config/caddy/autosave.json"}
2022-02-24T00:49:13.089255497Z 2022/02/24 00:49:13.088 INFO serving initial configuration
2022-02-24T00:49:13.090255185Z 2022/02/24 00:49:13.089 INFO tls.obtain acquiring lock {"identifier": "app.ripapp.it"}
2022-02-24T00:49:13.104037308Z 2022/02/24 00:49:13.103 INFO tls.obtain lock acquired {"identifier": "app.ripapp.it"}
2022-02-24T00:49:13.980759033Z 2022/02/24 00:49:13.980 INFO tls.issuance.acme waiting on internal rate limiter {"identifiers": ["app.ripapp.it"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "ripappbrescia@gmail.com"}
2022-02-24T00:49:13.980807648Z 2022/02/24 00:49:13.980 INFO tls.issuance.acme done waiting on internal rate limiter {"identifiers": ["app.ripapp.it"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "ripappbrescia@gmail.com"}
2022-02-24T00:49:14.538528714Z 2022/02/24 00:49:14.538 INFO tls.issuance.acme.acme_client trying to solve challenge {"identifier": "app.ripapp.it", "challenge_type": "tls-alpn-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2022-02-24T00:49:15.976582736Z 2022/02/24 00:49:15.976 ERROR tls.issuance.acme.acme_client challenge failed {"identifier": "app.ripapp.it", "challenge_type": "tls-alpn-01", "status_code": 403, "problem_type": "urn:ietf:params:acme:error:unauthorized", "error": "Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge"}
2022-02-24T00:49:15.976692391Z 2022/02/24 00:49:15.976 ERROR tls.issuance.acme.acme_client validating authorization {"identifier": "app.ripapp.it", "error": "authorization failed: HTTP 403 urn:ietf:params:acme:error:unauthorized - Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge", "order": "https://acme-v02.api.letsencrypt.org/acme/order/422657490/66417417610", "attempt": 1, "max_attempts": 3}
2022-02-24T00:49:17.508224302Z 2022/02/24 00:49:17.507 INFO tls.issuance.acme.acme_client trying to solve challenge {"identifier": "app.ripapp.it", "challenge_type": "http-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2022-02-24T00:49:18.933967989Z 2022/02/24 00:49:18.933 ERROR tls.issuance.acme.acme_client challenge failed {"identifier": "app.ripapp.it", "challenge_type": "http-01", "status_code": 403, "problem_type": "urn:ietf:params:acme:error:unauthorized", "error": "Invalid response from http://app.ripapp.it/.well-known/acme-challenge/QG2yr7WcBg8Wbj9evi8oyk1CzaTFM0Y9bkgkmqq5Iww [91.187.200.219]: \"<html lang=\\\"en\\\" xml:lang=\\\"en\\\" xmlns=\\\"http://www.w3.org/1999/xhtml\\\">\\n<head>\\n <title>Connection denied by Geolocation</title>\\n \""}
2022-02-24T00:49:18.934101729Z 2022/02/24 00:49:18.933 ERROR tls.issuance.acme.acme_client validating authorization {"identifier": "app.ripapp.it", "error": "authorization failed: HTTP 403 urn:ietf:params:acme:error:unauthorized - Invalid response from http://app.ripapp.it/.well-known/acme-challenge/QG2yr7WcBg8Wbj9evi8oyk1CzaTFM0Y9bkgkmqq5Iww [91.187.200.219]: \"<html lang=\\\"en\\\" xml:lang=\\\"en\\\" xmlns=\\\"http://www.w3.org/1999/xhtml\\\">\\n<head>\\n <title>Connection denied by Geolocation</title>\\n \"", "order": "https://acme-v02.api.letsencrypt.org/acme/order/422657490/66417426840", "attempt": 2, "max_attempts": 3}
2022-02-24T00:49:20.696387362Z 2022/02/24 00:49:20.695 ERROR tls.obtain could not get certificate from issuer {"identifier": "app.ripapp.it", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[app.ripapp.it] solving challenges: app.ripapp.it: no solvers available for remaining challenges (configured=[http-01 tls-alpn-01] offered=[http-01 dns-01 tls-alpn-01] remaining=[dns-01]) (order=https://acme-v02.api.letsencrypt.org/acme/order/422657490/66417435240) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
2022-02-24T00:49:21.383148322Z 2022/02/24 00:49:21.382 INFO tls.issuance.zerossl generated EAB credentials {"key_id": "fiNQgkXxmfwTdX1q1gFasg"}
2022-02-24T00:49:24.460492479Z 2022/02/24 00:49:24.459 INFO tls.issuance.acme waiting on internal rate limiter {"identifiers": ["app.ripapp.it"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "ripappbrescia@gmail.com"}
2022-02-24T00:49:24.460580992Z 2022/02/24 00:49:24.460 INFO tls.issuance.acme done waiting on internal rate limiter {"identifiers": ["app.ripapp.it"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "ripappbrescia@gmail.com"}
2022-02-24T00:49:26.842482059Z 2022/02/24 00:49:26.841 INFO tls.issuance.acme.acme_client trying to solve challenge {"identifier": "app.ripapp.it", "challenge_type": "http-01", "ca": "https://acme.zerossl.com/v2/DV90"}
2022-02-24T00:54:33.951816056Z 2022/02/24 00:54:33.951 ERROR tls.obtain could not get certificate from issuer {"identifier": "app.ripapp.it", "issuer": "acme.zerossl.com-v2-DV90", "error": "[app.ripapp.it] solving challenges: [app.ripapp.it] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/vvc7AHQIBYfRzJNt3_3wxQ) (ca=https://acme.zerossl.com/v2/DV90)"}
2022-02-24T00:54:33.951949058Z 2022/02/24 00:54:33.951 ERROR tls.obtain will retry {"error": "[app.ripapp.it] Obtain: [app.ripapp.it] solving challenges: [app.ripapp.it] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/vvc7AHQIBYfRzJNt3_3wxQ) (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 1, "retrying_in": 60, "elapsed": 320.847651045, "max_duration": 2592000}
2022-02-24T00:55:35.135935104Z 2022/02/24 00:55:35.135 INFO tls.issuance.acme.acme_client trying to solve challenge {"identifier": "app.ripapp.it", "challenge_type": "http-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"}
2022-02-24T00:55:36.565592278Z 2022/02/24 00:55:36.565 ERROR tls.issuance.acme.acme_client challenge failed {"identifier": "app.ripapp.it", "challenge_type": "http-01", "status_code": 403, "problem_type": "urn:ietf:params:acme:error:unauthorized", "error": "Invalid response from http://app.ripapp.it/.well-known/acme-challenge/-TSfWZ7pWl8oM3Yj3afvpdEgXT7UIzAMNRaq-VeZCYE [91.187.200.219]: \"<html lang=\\\"en\\\" xml:lang=\\\"en\\\" xmlns=\\\"http://www.w3.org/1999/xhtml\\\">\\n<head>\\n <title>Connection denied by Geolocation</title>\\n \""}
2022-02-24T00:55:36.565695802Z 2022/02/24 00:55:36.565 ERROR tls.issuance.acme.acme_client validating authorization {"identifier": "app.ripapp.it", "error": "authorization failed: HTTP 403 urn:ietf:params:acme:error:unauthorized - Invalid response from http://app.ripapp.it/.well-known/acme-challenge/-TSfWZ7pWl8oM3Yj3afvpdEgXT7UIzAMNRaq-VeZCYE [91.187.200.219]: \"<html lang=\\\"en\\\" xml:lang=\\\"en\\\" xmlns=\\\"http://www.w3.org/1999/xhtml\\\">\\n<head>\\n <title>Connection denied by Geolocation</title>\\n \"", "order": "https://acme-staging-v02.api.letsencrypt.org/acme/order/45163348/1866755948", "attempt": 1, "max_attempts": 3}
2022-02-24T00:55:37.923168556Z 2022/02/24 00:55:37.922 INFO tls.issuance.acme.acme_client trying to solve challenge {"identifier": "app.ripapp.it", "challenge_type": "tls-alpn-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"}
2022-02-24T00:55:39.351336221Z 2022/02/24 00:55:39.350 ERROR tls.issuance.acme.acme_client challenge failed {"identifier": "app.ripapp.it", "challenge_type": "tls-alpn-01", "status_code": 403, "problem_type": "urn:ietf:params:acme:error:unauthorized", "error": "Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge"}
2022-02-24T00:55:39.351435597Z 2022/02/24 00:55:39.350 ERROR tls.issuance.acme.acme_client validating authorization {"identifier": "app.ripapp.it", "error": "authorization failed: HTTP 403 urn:ietf:params:acme:error:unauthorized - Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge", "order": "https://acme-staging-v02.api.letsencrypt.org/acme/order/45163348/1866756108", "attempt": 2, "max_attempts": 3}
2022-02-24T00:55:40.883804533Z 2022/02/24 00:55:40.883 ERROR tls.obtain could not get certificate from issuer {"identifier": "app.ripapp.it", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[app.ripapp.it] solving challenges: app.ripapp.it: no solvers available for remaining challenges (configured=[http-01 tls-alpn-01] offered=[http-01 dns-01 tls-alpn-01] remaining=[dns-01]) (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/45163348/1866756188) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
2022-02-24T00:55:43.675440119Z 2022/02/24 00:55:43.675 INFO tls.issuance.acme.acme_client trying to solve challenge {"identifier": "app.ripapp.it", "challenge_type": "http-01", "ca": "https://acme.zerossl.com/v2/DV90"}
2022-02-24T01:00:46.603147360Z 2022/02/24 01:00:46.602 ERROR tls.obtain could not get certificate from issuer {"identifier": "app.ripapp.it", "issuer": "acme.zerossl.com-v2-DV90", "error": "[app.ripapp.it] solving challenges: [app.ripapp.it] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/gh50TIYO4EQZq7nw71c9sw) (ca=https://acme.zerossl.com/v2/DV90)"}
2022-02-24T01:00:46.603267096Z 2022/02/24 01:00:46.602 ERROR tls.obtain will retry {"error": "[app.ripapp.it] Obtain: [app.ripapp.it] solving challenges: [app.ripapp.it] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/gh50TIYO4EQZq7nw71c9sw) (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 2, "retrying_in": 120, "elapsed": 693.498980443, "max_duration": 2592000}

What I already tried:
Tried to create different Dockerfiles using different Caddy images, tried to remove tls with email in the Caddyfile, but every time I get the same error.

Please upgrade to v2.4.6!

You can simplify this:

reverse_proxy backend:48795 {
	flush_interval -1
}

And you likely don’t need to set flush_interval anyways, because Caddy will set that automatically according to certain heuristics.

You don’t need this, this was only needed for Caddy v1. Caddy v2 doesn’t check for this env anymore. The ACME terms are implicitly accepted by using Caddy, now. We got permission from Let’s Encrypt to do that.

You have something else intercepting requests from reaching Caddy. Are you using CloudFlare or something? You need to make sure nothing is preventing connections from reaching your server.
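
The point made in the reply above can be read from the `challenge failed` entries of a log in this layout. The following is an added example, not code from the thread or from the Caddy project: it parses such lines and reports which listener each failed ACME challenge points at. The sample lines are constructed (host, IP and token are placeholders), and `parse_line`, `diagnose` and `triage` are hypothetical names.

```python
import json
import re

# Constructed sample in the layout of the log above: docker timestamp, Caddy
# timestamp, level, logger, message, JSON fields. Host, IP and token are
# placeholders, not values from the thread.
SAMPLE_LOG = r'''
2022-02-24T00:49:14.538Z 2022/02/24 00:49:14.538 INFO tls.issuance.acme.acme_client trying to solve challenge {"identifier": "app.example.com", "challenge_type": "tls-alpn-01"}
2022-02-24T00:49:15.976Z 2022/02/24 00:49:15.976 ERROR tls.issuance.acme.acme_client challenge failed {"identifier": "app.example.com", "challenge_type": "tls-alpn-01", "status_code": 403, "error": "Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge"}
2022-02-24T00:49:18.933Z 2022/02/24 00:49:18.933 ERROR tls.issuance.acme.acme_client challenge failed {"identifier": "app.example.com", "challenge_type": "http-01", "status_code": 403, "error": "Invalid response from http://app.example.com/.well-known/acme-challenge/TOKEN [203.0.113.10]: \"<html lang=\\\"en\\\">\\n<head>\\n <title>Connection denied by Geolocation</title>\\n \""}
2022-02-24T00:49:19.000Z 2022/02/24 00:49:19.000 INFO tls finished cleaning storage units
'''

def parse_line(line):
    """Split one log line into (caddy_time, level, logger, message, fields)."""
    start = line.find("{")                      # JSON fields begin at the first brace
    head = line if start < 0 else line[:start]
    parts = head.split(None, 4)                 # docker_ts, date, time, level, rest
    if len(parts) < 5:
        return None                             # blank or unrecognised line
    rest = parts[4].split(None, 1)
    message = rest[1].strip() if len(rest) > 1 else ""
    fields = json.loads(line[start:]) if start >= 0 else {}
    return f"{parts[1]} {parts[2]}", parts[3], rest[0], message, fields

def diagnose(fields):
    """Say which listener the CA reached, judging by the validation error."""
    ctype, err = fields.get("challenge_type"), fields.get("error", "")
    if ctype == "http-01" and "Invalid response from" in err:
        # The CA received a body that is not the key authorization Caddy serves.
        title = re.search(r"<title>(.*?)</title>", err)
        page = f' (page title: "{title.group(1)}")' if title else ""
        return "port 80 was answered by something other than Caddy" + page
    if ctype == "tls-alpn-01" and "Cannot negotiate ALPN" in err:
        return "port 443 was answered by a TLS endpoint without acme-tls/1"
    return "unclassified: " + err[:80]

def triage(log_text):
    """Return (time, challenge_type, diagnosis) for each failed challenge."""
    findings = []
    for line in log_text.splitlines():
        p = parse_line(line)
        if p and p[1] == "ERROR" and p[3] == "challenge failed":
            findings.append((p[0], p[4].get("challenge_type"), diagnose(p[4])))
    return findings

if __name__ == "__main__":
    for when, ctype, verdict in triage(SAMPLE_LOG):
        print(when, ctype, verdict)
```

When both challenge types fail this way, the validation requests on ports 80 and 443 are ending at a different listener or filter than the Caddy container.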

Thanks, I will clear all the statements.
From what I can see with ssh, I have nothing that prevents connections.
OLD
Because there is a third-party provider, I opened a ticket to ask if there is something that intercepts connections like CloudFlare; I hope to answer you shortly.
NEW
There is nothing external that intercepts the request (the provider says).
The last time I started this container was 10 days ago, and it worked without problems.

Should I check some file like hosts or something in apache2?
