Can no longer access local web services over https with caddy

You’ll need 2.9.1 for that


Hi again, I have tried what you suggested. However before I did that, my cronjob ran last night to pull the latest docker containers and restart everything. And now I can’t even access my services over http. I get this message in the browser:

Secure Connection Failed

An error occurred during a connection to test111.duckdns.org. Peer reports it experienced an internal error.

Error code: SSL_ERROR_INTERNAL_ERROR_ALERT

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

This is my caddy docker logs after my cronjob ran:

{"level":"error","ts":1740909987.4540865,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"unifi.test111.duckdns.org","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: SERVFAIL looking up A for unifi.test111.duckdns.org - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for unifi.test111.duckdns.org - the domain's nameservers may be malfunctioning"}

{"level":"error","ts":1740909987.4547157,"logger":"tls.obtain","msg":"will retry","error":"[unifi.test111.duckdns.org] Obtain: [unifi.test111.duckdns.org] solving challenge: unifi.test111.duckdns.org: [unifi.test111.duckdns.org] authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: SERVFAIL looking up A for unifi.test111.duckdns.org - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for unifi.test111.duckdns.org - the domain's nameservers may be malfunctioning (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":19,"retrying_in":3600,"elapsed":21967.532774566,"max_duration":2592000}

{"level":"info","ts":1740913265.5858204,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"*.test111.duckdns.org"}

{"level":"info","ts":1740913265.590159,"logger":"tls.issuance.acme","msg":"using ACME account","account_id":"https://acme-staging-v02.api.letsencrypt.org/acme/acct/165121373","account_contact":[]}

{"level":"info","ts":1740913266.5223,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"*.test111.duckdns.org","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}

{"level":"error","ts":1740913267.6229181,"logger":"tls.issuance.acme.acme_client","msg":"cleaning up solver","identifier":"*.test111.duckdns.org","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.test111.duckdns.org\" (usually OK if presenting also failed)"}

{"level":"error","ts":1740913267.7841246,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.test111.duckdns.org","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[*.test111.duckdns.org] solving challenges: presenting for challenge: adding temporary record for zone \"duckdns.org.\": DuckDNS request failed, expected (OK) but got (KO), url: [https://www.duckdns.org/update?domains=test111.duckdns.org&token=%2Frun%2Fsecrets%2Fduckdns_token&txt=wytbHW9_fr92CxVuLBlroSPTykjizUmmHAZhkgFtGW4&verbose=true], body: KO (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/165121373/22976674484) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}

{"level":"error","ts":1740913267.7849526,"logger":"tls.obtain","msg":"will retry","error":"[*.test111.duckdns.org] Obtain: [*.test111.duckdns.org] solving challenges: presenting for challenge: adding temporary record for zone \"duckdns.org.\": DuckDNS request failed, expected (OK) but got (KO), url: [https://www.duckdns.org/update?domains=test111.duckdns.org&token=%2Frun%2Fsecrets%2Fduckdns_token&txt=wytbHW9_fr92CxVuLBlroSPTykjizUmmHAZhkgFtGW4&verbose=true], body: KO (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/165121373/22976674484) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":20,"retrying_in":3600,"elapsed":25247.868530063,"max_duration":2592000}

{"level":"info","ts":1740913518.0077813,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"vaultwarden.test111.duckdns.org"}

{"level":"info","ts":1740913518.012433,"logger":"tls","msg":"using ACME account","account_id":"https://acme-staging-v02.api.letsencrypt.org/acme/acct/165121373","account_contact":[]}

{"level":"info","ts":1740913518.899204,"logger":"tls.acme_client","msg":"trying to solve challenge","identifier":"vaultwarden.test111.duckdns.org","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}

{"level":"error","ts":1740913519.4541924,"logger":"tls.acme_client","msg":"challenge failed","identifier":"vaultwarden.test111.duckdns.org","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for vaultwarden.test111.duckdns.org; no valid AAAA records found for vaultwarden.test111.duckdns.org","instance":"","subproblems":[]}}

{"level":"error","ts":1740913519.45434,"logger":"tls.acme_client","msg":"validating authorization","identifier":"vaultwarden.test111.duckdns.org","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for vaultwarden.test111.duckdns.org; no valid AAAA records found for vaultwarden.test111.duckdns.org","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/165121373/22976743884","attempt":1,"max_attempts":3}

{"level":"info","ts":1740913520.7920773,"logger":"tls.acme_client","msg":"trying to solve challenge","identifier":"vaultwarden.test111.duckdns.org","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}

{"level":"error","ts":1740913521.384268,"logger":"tls.acme_client","msg":"challenge failed","identifier":"vaultwarden.test111.duckdns.org","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for vaultwarden.test111.duckdns.org; no valid AAAA records found for vaultwarden.test111.duckdns.org","instance":"","subproblems":[]}}

{"level":"error","ts":1740913521.3846905,"logger":"tls.acme_client","msg":"validating authorization","identifier":"vaultwarden.test111.duckdns.org","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for vaultwarden.test111.duckdns.org; no valid AAAA records found for vaultwarden.test111.duckdns.org","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/165121373/22976744164","attempt":2,"max_attempts":3}

{"level":"error","ts":1740913521.385065,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"vaultwarden.test111.duckdns.org","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:dns - no valid A records found for vaultwarden.test111.duckdns.org; no valid AAAA records found for vaultwarden.test111.duckdns.org"}

{"level":"error","ts":1740913521.3854854,"logger":"tls.obtain","msg":"will retry","error":"[vaultwarden.test111.duckdns.org] Obtain: [vaultwarden.test111.duckdns.org] solving challenge: vaultwarden.test111.duckdns.org: [vaultwarden.test111.duckdns.org] authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - no valid A records found for vaultwarden.test111.duckdns.org; no valid AAAA records found for vaultwarden.test111.duckdns.org (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":20,"retrying_in":3600,"elapsed":25501.46043771,"max_duration":2592000}

{"level":"info","ts":1740913587.455936,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"unifi.test111.duckdns.org"}

{"level":"info","ts":1740913587.4603982,"logger":"tls","msg":"using ACME account","account_id":"https://acme-staging-v02.api.letsencrypt.org/acme/acct/165121373","account_contact":[]}

{"level":"info","ts":1740913587.9208448,"logger":"tls.acme_client","msg":"trying to solve challenge","identifier":"unifi.test111.duckdns.org","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}

{"level":"error","ts":1740913588.477103,"logger":"tls.acme_client","msg":"challenge failed","identifier":"unifi.test111.duckdns.org","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for unifi.test111.duckdns.org; no valid AAAA records found for unifi.test111.duckdns.org","instance":"","subproblems":[]}}

{"level":"error","ts":1740913588.4774845,"logger":"tls.acme_client","msg":"validating authorization","identifier":"unifi.test111.duckdns.org","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for unifi.test111.duckdns.org; no valid AAAA records found for unifi.test111.duckdns.org","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/165121373/22976760474","attempt":1,"max_attempts":3}

{"level":"info","ts":1740913589.804367,"logger":"tls.acme_client","msg":"trying to solve challenge","identifier":"unifi.test111.duckdns.org","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}

{"level":"error","ts":1740913590.3499055,"logger":"tls.acme_client","msg":"challenge failed","identifier":"unifi.test111.duckdns.org","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for unifi.test111.duckdns.org; no valid AAAA records found for unifi.test111.duckdns.org","instance":"","subproblems":[]}}

{"level":"error","ts":1740913590.3499818,"logger":"tls.acme_client","msg":"validating authorization","identifier":"unifi.test111.duckdns.org","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for unifi.test111.duckdns.org; no valid AAAA records found for unifi.test111.duckdns.org","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/165121373/22976760954","attempt":2,"max_attempts":3}

{"level":"error","ts":1740913590.3500414,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"unifi.test111.duckdns.org","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:dns - no valid A records found for unifi.test111.duckdns.org; no valid AAAA records found for unifi.test111.duckdns.org"}

{"level":"error","ts":1740913590.350143,"logger":"tls.obtain","msg":"will retry","error":"[unifi.test111.duckdns.org] Obtain: [unifi.test111.duckdns.org] solving challenge: unifi.test111.duckdns.org: [unifi.test111.duckdns.org] authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - no valid A records found for unifi.test111.duckdns.org; no valid AAAA records found for unifi.test111.duckdns.org (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":20,"retrying_in":3600,"elapsed":25570.428203996,"max_duration":2592000}

I then implemented your suggestion and updated my caddy binary to version: v2.9.1 h1:OEYiZ7DbCzAWVb6TNEkjRcSCRGHVoZsJinoDR/n9oaY=

My Caddyfile now looks like this:

{
	auto_https prefer_wildcard
}

*.{$DOMAIN} {
	tls {
		dns duckdns {$DUCKDNS_TOKEN}
	}

	# Logs configuration (optional, adjust as necessary)
	log {
		level INFO
		output file {$LOG_FILE} {
			roll_size 10MB
			roll_keep 10
		}
	}

	# Default reverse proxy to a generic service if no specific service matches
	reverse_proxy service_default:80
}

# Vaultwarden Service
vaultwarden.{$DOMAIN} {
	reverse_proxy vaultwarden:80 {
		header_up X-Real-IP {http.request.remote.host}
		header_up X-Forwarded-For {http.request.remote.host}
		header_up X-Forwarded-Proto {scheme}
	}
	log {
		level INFO
		output file {$LOG_FILE} {
			roll_size 10MB
			roll_keep 10
		}
		format filter {
			wrap json
			fields {
				request>uri query {
					replace access_token REDACTED
				}
			}
		}
	}
}

unifi.{$DOMAIN} {
	reverse_proxy unifi-network-application:8443 {
		transport http {
			tls_insecure_skip_verify
		}
	}

	# Add an optional redirect rule for "http://unifi.<your-domain>"
	#redir https://unifi.{$DOMAIN} permanent

	log {
		level INFO
		output file {$LOG_FILE} {
			roll_size 10MB
			roll_keep 10
		}
	}
}

unifi.{$DOMAIN}:8443 {
	redir https://unifi.{$DOMAIN} permanent
}

I then tried removing all of my docker images and restarting my Raspberry Pi, then pulling fresh containers and starting the containers up again.

Unfortunately I’m in the same position where I can’t access my services at all not even on http.

These are my latest docker container logs after implementing the changes and restarting:

{"level":"info","ts":1740916854.4519994,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}

{"level":"warn","ts":1740916854.4616659,"logger":"caddyfile","msg":"Unnecessary header_up X-Forwarded-For: the reverse proxy's default behavior is to pass headers to the upstream"}

{"level":"warn","ts":1740916854.4617307,"logger":"caddyfile","msg":"Unnecessary header_up X-Forwarded-Proto: the reverse proxy's default behavior is to pass headers to the upstream"}

{"level":"info","ts":1740916854.465481,"msg":"adapted config to JSON","adapter":"caddyfile"}

{"level":"info","ts":1740916854.4759908,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//[::1]:2019","//127.0.0.1:2019","//localhost:2019"]}

{"level":"info","ts":1740916854.4766889,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x4000431d80"}

{"level":"info","ts":1740916854.476794,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}

{"level":"info","ts":1740916854.4768674,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}

{"level":"info","ts":1740916854.4769154,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv1"}

{"level":"info","ts":1740916854.489698,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}

{"level":"info","ts":1740916854.4902773,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 7168 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}

{"level":"info","ts":1740916854.4973814,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}

{"level":"info","ts":1740916854.4979267,"logger":"http","msg":"enabling HTTP/3 listener","addr":":8443"}

{"level":"info","ts":1740916854.4985044,"logger":"http.log","msg":"server running","name":"srv1","protocols":["h1","h2","h3"]}

{"level":"warn","ts":1740916854.4988914,"logger":"http","msg":"HTTP/2 skipped because it requires TLS","network":"tcp","addr":":80"}

{"level":"warn","ts":1740916854.4989178,"logger":"http","msg":"HTTP/3 skipped because it requires TLS","network":"tcp","addr":":80"}

{"level":"info","ts":1740916854.49893,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}

{"level":"info","ts":1740916854.498972,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["*.test111.duckdns.org","unifi.test111.duckdns.org"]}

{"level":"info","ts":1740916854.506353,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}

{"level":"info","ts":1740916854.5064018,"msg":"serving initial configuration"}

{"level":"info","ts":1740916854.5371943,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/data/caddy","instance":"a16163dc-5a65-4977-a1d2-99f3861efde9","try_again":1741003254.5371885,"try_again_in":86399.999998259}

{"level":"info","ts":1740916854.539077,"logger":"tls","msg":"finished cleaning storage units"}

{"level":"info","ts":1740916854.5394452,"logger":"tls.obtain","msg":"acquiring lock","identifier":"unifi.test111.duckdns.org"}

{"level":"info","ts":1740916854.563078,"logger":"tls.obtain","msg":"acquiring lock","identifier":"*.test111.duckdns.org"}

{"level":"info","ts":1740916854.5654814,"logger":"tls.obtain","msg":"lock acquired","identifier":"unifi.test111.duckdns.org"}

{"level":"info","ts":1740916854.5677834,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"unifi.test111.duckdns.org"}

{"level":"info","ts":1740916854.5915363,"logger":"tls.obtain","msg":"lock acquired","identifier":"*.test111.duckdns.org"}

{"level":"info","ts":1740916854.5918694,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"*.test111.duckdns.org"}

{"level":"info","ts":1740916854.6012855,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["unifi.test111.duckdns.org"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}

{"level":"info","ts":1740916854.601347,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["unifi.test111.duckdns.org"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}

{"level":"info","ts":1740916854.6014102,"logger":"tls.issuance.acme","msg":"using ACME account","account_id":"https://acme-v02.api.letsencrypt.org/acme/acct/1972895377","account_contact":[]}

{"level":"info","ts":1740916854.6017914,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["*.test111.duckdns.org"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}

{"level":"info","ts":1740916854.601884,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["*.test111.duckdns.org"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}

{"level":"info","ts":1740916854.6019523,"logger":"tls.issuance.acme","msg":"using ACME account","account_id":"https://acme-v02.api.letsencrypt.org/acme/acct/1972895377","account_contact":[]}

{"level":"info","ts":1740916855.7510505,"msg":"trying to solve challenge","identifier":"*.test111.duckdns.org","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}

{"level":"info","ts":1740916855.7510507,"msg":"trying to solve challenge","identifier":"unifi.test111.duckdns.org","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}

{"level":"error","ts":1740916856.7132623,"msg":"cleaning up solver","identifier":"*.test111.duckdns.org","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.test111.duckdns.org\" (usually OK if presenting also failed)","stacktrace":"github.com/mholt/acmez/v3.(*Client).solveChallenges.func1\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:318\ngithub.com/mholt/acmez/v3.(*Client).solveChallenges\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:363\ngithub.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:136\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:477\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:371\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.9.1/modules/caddytls/acmeissuer.go:249\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:626\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:700\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:505\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:415\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:73"}

{"level":"error","ts":1740916856.838566,"msg":"cleaning up solver","identifier":"unifi.test111.duckdns.org","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.unifi.test111.duckdns.org\" (usually OK if presenting also failed)","stacktrace":"github.com/mholt/acmez/v3.(*Client).solveChallenges.func1\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:318\ngithub.com/mholt/acmez/v3.(*Client).solveChallenges\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:363\ngithub.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:136\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:477\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:371\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.9.1/modules/caddytls/acmeissuer.go:249\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:626\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:700\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:505\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:415\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:73"}

{"level":"error","ts":1740916856.9326084,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.test111.duckdns.org","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[*.test111.duckdns.org] solving challenges: presenting for challenge: adding temporary record for zone \"duckdns.org.\": DuckDNS request failed, expected (OK) but got (KO), url: [https://www.duckdns.org/update?domains=test111.duckdns.org&token=%2Frun%2Fsecrets%2Fduckdns_token&txt=nW_8aMmWADbMY1lPcb6xB3BX6hr8JcUfG0CAf6eotgg&verbose=true], body: KO (order=https://acme-v02.api.letsencrypt.org/acme/order/1972895377/359477340555) (ca=https://acme-v02.api.letsencrypt.org/directory)"}

{"level":"error","ts":1740916856.9328873,"logger":"tls.obtain","msg":"will retry","error":"[*.test111.duckdns.org] Obtain: [*.test111.duckdns.org] solving challenges: presenting for challenge: adding temporary record for zone \"duckdns.org.\": DuckDNS request failed, expected (OK) but got (KO), url: [https://www.duckdns.org/update?domains=test111.duckdns.org&token=%2Frun%2Fsecrets%2Fduckdns_token&txt=nW_8aMmWADbMY1lPcb6xB3BX6hr8JcUfG0CAf6eotgg&verbose=true], body: KO (order=https://acme-v02.api.letsencrypt.org/acme/order/1972895377/359477340555) (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":2.3412822,"max_duration":2592000}

{"level":"error","ts":1740916857.0607114,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"unifi.test111.duckdns.org","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[unifi.test111.duckdns.org] solving challenges: presenting for challenge: adding temporary record for zone \"duckdns.org.\": DuckDNS request failed, expected (OK) but got (KO), url: [https://www.duckdns.org/update?domains=test111.duckdns.org&token=%2Frun%2Fsecrets%2Fduckdns_token&txt=r4owAwP-ADP6NTYCoTVMcXC8V7-nWUM1BNeSuNPoYTk&verbose=true], body: KO (order=https://acme-v02.api.letsencrypt.org/acme/order/1972895377/359477340415) (ca=https://acme-v02.api.letsencrypt.org/directory)"}

{"level":"error","ts":1740916857.0608733,"logger":"tls.obtain","msg":"will retry","error":"[unifi.test111.duckdns.org] Obtain: [unifi.test111.duckdns.org] solving challenges: presenting for challenge: adding temporary record for zone \"duckdns.org.\": DuckDNS request failed, expected (OK) but got (KO), url: [https://www.duckdns.org/update?domains=test111.duckdns.org&token=%2Frun%2Fsecrets%2Fduckdns_token&txt=r4owAwP-ADP6NTYCoTVMcXC8V7-nWUM1BNeSuNPoYTk&verbose=true], body: KO (order=https://acme-v02.api.letsencrypt.org/acme/order/1972895377/359477340415) (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":2.494280598,"max_duration":2592000}

{"level":"info","ts":1740916916.9356892,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"*.test111.duckdns.org"}

{"level":"info","ts":1740916916.9435673,"logger":"tls.issuance.acme","msg":"using ACME account","account_id":"https://acme-staging-v02.api.letsencrypt.org/acme/acct/165121373","account_contact":[]}

{"level":"info","ts":1740916917.0624135,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"unifi.test111.duckdns.org"}

{"level":"info","ts":1740916917.0661652,"logger":"tls.issuance.acme","msg":"using ACME account","account_id":"https://acme-staging-v02.api.letsencrypt.org/acme/acct/165121373","account_contact":[]}

{"level":"info","ts":1740916918.0338647,"msg":"trying to solve challenge","identifier":"*.test111.duckdns.org","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}

{"level":"info","ts":1740916918.082845,"msg":"trying to solve challenge","identifier":"unifi.test111.duckdns.org","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}

{"level":"error","ts":1740916918.1578994,"msg":"cleaning up solver","identifier":"*.test111.duckdns.org","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.test111.duckdns.org\" (usually OK if presenting also failed)","stacktrace":"github.com/mholt/acmez/v3.(*Client).solveChallenges.func1\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:318\ngithub.com/mholt/acmez/v3.(*Client).solveChallenges\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:363\ngithub.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:136\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:477\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:371\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.9.1/modules/caddytls/acmeissuer.go:249\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:626\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:700\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:505\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:415\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:73"}

{"level":"error","ts":1740916918.2807739,"msg":"cleaning up solver","identifier":"unifi.test111.duckdns.org","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.unifi.test111.duckdns.org\" (usually OK if presenting also failed)","stacktrace":"github.com/mholt/acmez/v3.(*Client).solveChallenges.func1\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:318\ngithub.com/mholt/acmez/v3.(*Client).solveChallenges\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:363\ngithub.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:136\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:477\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:371\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.9.1/modules/caddytls/acmeissuer.go:249\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:626\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:700\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:505\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:415\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:73"}

{"level":"error","ts":1740916918.3239589,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.test111.duckdns.org","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[*.test111.duckdns.org] solving challenges: presenting for challenge: adding temporary record for zone \"duckdns.org.\": DuckDNS request failed, expected (OK) but got (KO), url: [https://www.duckdns.org/update?domains=test111.duckdns.org&token=%2Frun%2Fsecrets%2Fduckdns_token&txt=NHGqtVQfedvjb7xFvPQYePUKGtryVM74Uuo59uQ9Tcs&verbose=true], body: KO (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/165121373/22977520574) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}

{"level":"error","ts":1740916918.3242044,"logger":"tls.obtain","msg":"will retry","error":"[*.test111.duckdns.org] Obtain: [*.test111.duckdns.org] solving challenges: presenting for challenge: adding temporary record for zone \"duckdns.org.\": DuckDNS request failed, expected (OK) but got (KO), url: [https://www.duckdns.org/update?domains=test111.duckdns.org&token=%2Frun%2Fsecrets%2Fduckdns_token&txt=NHGqtVQfedvjb7xFvPQYePUKGtryVM74Uuo59uQ9Tcs&verbose=true], body: KO (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/165121373/22977520574) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":2,"retrying_in":120,"elapsed":63.73259986,"max_duration":2592000}

{"level":"error","ts":1740916918.443265,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"unifi.test111.duckdns.org","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[unifi.test111.duckdns.org] solving challenges: presenting for challenge: adding temporary record for zone \"duckdns.org.\": DuckDNS request failed, expected (OK) but got (KO), url: [https://www.duckdns.org/update?domains=test111.duckdns.org&token=%2Frun%2Fsecrets%2Fduckdns_token&txt=rrH6fvVm4cXUM8XU1IB3GZIJaJaiCU1GbKHccSXWg-0&verbose=true], body: KO (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/165121373/22977520594) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}

{"level":"error","ts":1740916918.4435418,"logger":"tls.obtain","msg":"will retry","error":"[unifi.test111.duckdns.org] Obtain: [unifi.test111.duckdns.org] solving challenges: presenting for challenge: adding temporary record for zone \"duckdns.org.\": DuckDNS request failed, expected (OK) but got (KO), url: [https://www.duckdns.org/update?domains=test111.duckdns.org&token=%2Frun%2Fsecrets%2Fduckdns_token&txt=rrH6fvVm4cXUM8XU1IB3GZIJaJaiCU1GbKHccSXWg-0&verbose=true], body: KO (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/165121373/22977520594) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":2,"retrying_in":120,"elapsed":63.876947574,"max_duration":2592000}

Double check your duckdns token or account. The token is failing.


Verify the token like Mohammed said. Easiest way to ensure that it’s an incorrect token is to directly list the token instead of using an environmental variable. If that fixes it, then you need to see where Caddy is not parsing it as an environmental variable.
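In the failing requests logged above, the token query parameter is %2Frun%2Fsecrets%2Fduckdns_token, which percent-decodes to /run/secrets/duckdns_token. The following is an added example, not part of any post in this thread: it scans Caddy JSON log lines for DuckDNS update URLs, classifies the shape of the token value that was actually sent, and redacts it so the log can be shared. The sample lines are constructed, and the UUID shape for a DuckDNS token is an assumption.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Request URL that the DuckDNS DNS provider embeds in its error text.
UPDATE_URL = re.compile(r"url: \[(https://www\.duckdns\.org/update\?[^\]\s]+)\]")
# Assumption: a DuckDNS token is UUID-shaped.
UUID_SHAPE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def classify_token(token):
    """Describe what kind of value ended up in the token parameter."""
    if token == "":
        return "empty"
    if token.startswith(("{", "$")):
        return "unexpanded-placeholder"   # e.g. a literal {$DUCKDNS_TOKEN}
    if "/" in token or "\\" in token:
        return "file-path"                # path to a secret, not its contents
    if UUID_SHAPE.match(token):
        return "uuid-shaped"              # plausible token, rejected for another reason
    return "unknown-shape"


def redact_url(url):
    """Replace the token value so the URL is safe to paste into a forum post."""
    return re.sub(r"(?<=[?&]token=)[^&]*", "REDACTED", url)


def triage(lines):
    """Return one finding per (domains, verdict) pair seen in the log lines."""
    findings, seen = [], set()
    for raw in lines:
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue                      # skip non-JSON noise
        if not isinstance(entry, dict):
            continue
        match = UPDATE_URL.search(str(entry.get("error", "")))
        if not match:
            continue
        url = match.group(1)
        query = parse_qs(urlsplit(url).query, keep_blank_values=True)
        verdict = classify_token(query.get("token", [""])[0])
        domains = query.get("domains", [""])[0]
        if (domains, verdict) in seen:
            continue                      # "will retry" repeats the same URL
        seen.add((domains, verdict))
        findings.append({
            "domains": domains,
            "verdict": verdict,
            "redacted_url": redact_url(url),
        })
    return findings


def _line(msg, token_param):
    # Constructed log entry in the shape of the tls.obtain errors in the thread.
    err = ('adding temporary record for zone "duckdns.org.": DuckDNS request '
           "failed, expected (OK) but got (KO), url: [https://www.duckdns.org/"
           "update?domains=test111.duckdns.org&token=" + token_param +
           "&txt=CONSTRUCTED_TXT&verbose=true], body: KO")
    return json.dumps({"level": "error", "logger": "tls.obtain", "msg": msg,
                       "identifier": "*.test111.duckdns.org", "error": err})


# Constructed sample input: the path-shaped token from the thread, a repeat,
# unrelated lines, and a constructed UUID-shaped token for contrast.
SAMPLE_LINES = [
    _line("could not get certificate from issuer", "%2Frun%2Fsecrets%2Fduckdns_token"),
    _line("will retry", "%2Frun%2Fsecrets%2Fduckdns_token"),
    json.dumps({"level": "info", "logger": "tls.obtain",
                "msg": "obtaining certificate",
                "identifier": "*.test111.duckdns.org"}),
    "not a json line",
    _line("could not get certificate from issuer",
          "00000000-0000-4000-8000-000000000000"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding["domains"], finding["verdict"], finding["redacted_url"])
```

Because the provider writes the full request URL into the error message, a real token would appear in these logs in clear text, so redact before posting them.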

My token is correct; however, after looking at my compose file, it appears that this line:
- ADMIN_TOKEN=/run/secrets/vaultwarden_admin_token_hash is one space out of line. I don’t know if docker compose files need to have perfect formatting, but after moving this line into the right place everything now works perfectly, including https.

Thank you both for your help and time, it’s much appreciated.


Yes. Docker, and I presume any .yaml configuration, is picky about formatting. YAML uses indentation (spaces, not tabs) to define the hierarchy of elements. Incorrect indentation will lead to parsing errors.

