1. My Caddy version (caddy -version):
v2.0.0-beta6 h1:tGZaM3NfxlBZhllJYKEehYYY9SMOyz8UNjMBoYALaT4=
2. How I run Caddy:
caddy is installed in /usr/local/bin/caddy
a. System environment:
centos-release-7-7.1908.0.el7.centos.x86_64
systemd 219
b. Command:
caddy start -adapter caddyfile -config /caddy/caddy.conf
c. Service/unit/compose file:
> no compose file
d. My complete Caddyfile:
www.domain2.com:443, domain2.com:443 {
reverse_proxy / ip-address:port
}
3. The problem I’m having:
I installed Caddy version 2 yesterday. I experimented with domain1.com as a load balancer / reverse proxy and it was working great. Happy with it. Today I tried to use it with domain2.com and noticed the rate limit error applied by Let's Encrypt. One thing I forgot was pointing the domain to the IP address when I tried to start Caddy.
4. Error messages and/or full log output:
2019/10/22 05:21:19 Caddy 2 admin endpoint listening on localhost:2019
2019/10/22 05:21:19 [INFO] Enabling automatic TLS certificate management for [www.domain2.com domain2.com]
2019/10/22 05:21:19 [INFO][cache:0xc000099a40] Started certificate maintenance routine
2019/10/22 05:21:19 [INFO][www.domain2.com] Obtain certificate
2019/10/22 05:21:19 [INFO] [www.domain2.com] acme: Obtaining bundled SAN certificate
2019/10/22 05:21:19 [ERROR][www.domain2.com] failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt, url: (attempt 1/3; challenge=http-01)
2019/10/22 05:21:20 [INFO] [www.domain2.com] acme: Obtaining bundled SAN certificate
2019/10/22 05:21:20 [ERROR][www.domain2.com] failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt, url: (attempt 2/3; challenge=http-01)
2019/10/22 05:21:21 [INFO] [www.domain2.com] acme: Obtaining bundled SAN certificate
2019/10/22 05:21:21 [ERROR][www.domain2.com] failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt, url: (attempt 3/3; challenge=http-01)
2019/10/22 05:21:22 [INFO] [www.domain2.com] acme: Obtaining bundled SAN certificate
2019/10/22 05:21:23 [ERROR][www.domain2.com] failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt, url: (attempt 1/3; challenge=tls-alpn-01)
2019/10/22 05:21:24 [INFO] [www.domain2.com] acme: Obtaining bundled SAN certificate
2019/10/22 05:21:24 [ERROR][www.domain2.com] failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt, url: (attempt 2/3; challenge=tls-alpn-01)
2019/10/22 05:21:25 [INFO] [www.domain2.com] acme: Obtaining bundled SAN certificate
2019/10/22 05:21:25 [ERROR][www.domain2.com] failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt, url: (attempt 3/3; challenge=tls-alpn-01)
5. What I already tried:
I pointed the domain domain2.com to an entirely new IP address and tried starting domain2.com via Caddy, but it still shows that the Let's Encrypt rate limit has occurred. On further checks I noticed a message:
2019/10/22 05:45:53 http: TLS handshake error from ip-address:46502: tls: first record does not look like a TLS handshake
I noticed this error message many times when I started Caddy yesterday. I wonder whether this has something to do with the rate limit, or whether the domain not being pointed to the IP when I tried to start Caddy is what caused the rate limit issue.
It would have been nice if Caddy didn't make too many requests when we issue only a single command like caddy start and the domain IP is not pointed.
6. Links to relevant resources:
One last question: what will happen if we have multiple domains in a single Caddyfile and an SSL certificate renewal fails for some reason? Do all servers go down / fail to reload?
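A preflight check to run before caddy start, added here as an example (it is not part of the original post or of Caddy itself): it pulls the hostnames out of each site block and verifies they resolve to this server before ACME is allowed to attempt http-01 / tls-alpn-01 validation that would fail and count against the Let's Encrypt "failed authorizations" limit. The Caddyfile text, backend address and DNS answers below are constructed, and the resolver parameter is an assumed injection point so the check can be exercised without network access.

```python
import re
import socket

# Constructed sample modelled on the Caddyfile in the post (backend address is made up).
SAMPLE_CADDYFILE = """www.domain2.com:443, domain2.com:443 {
    reverse_proxy / 10.0.0.5:8080
}
"""


def parse_site_hosts(caddyfile_text):
    """Hostnames from every top-level site address line ('a.com:443, b.com:443 {')."""
    hosts, depth = [], 0
    for line in caddyfile_text.splitlines():
        stripped = line.strip()
        if depth == 0 and stripped.endswith("{"):
            for addr in stripped[:-1].split(","):
                addr = re.sub(r"^[a-z]+://", "", addr.strip())  # drop scheme
                host = re.sub(r":\d+$", "", addr)               # drop :port
                if host:                                        # skip ':443'-only addresses
                    hosts.append(host)
        depth += stripped.count("{") - stripped.count("}")      # ignore nested directive blocks
    return hosts


def resolve_all(host):
    """Live resolver: every address the host currently resolves to ([] if none)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def preflight(hosts, server_ips, resolver=resolve_all):
    """Map host -> (ok, resolved). ok is True only when the host resolves and every
    answer is an address this server holds, so the ACME challenge can reach us."""
    server = set(server_ips)
    report = {}
    for host in hosts:
        resolved = resolver(host)
        report[host] = (bool(resolved) and set(resolved) <= server, resolved)
    return report


def ready_to_start(report):
    """True when every site hostname passed, i.e. issuance is worth attempting."""
    return all(ok for ok, _ in report.values())
```

With the default resolver, preflight(parse_site_hosts(open("/caddy/caddy.conf").read()), ["<this server's public IP>"]) does the live DNS check; only start Caddy when ready_to_start() returns True.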