Cannot connect to website https nor http

1. Caddy version (caddy version):

v2.3.0 h1:fnrqJLa3G5vfxcxmOH/+kJOcunPLhSBnjgIvjXV/QTA=

2. How I run Caddy:

I run Caddy with a basic Caddyfile on a Linux machine. I have ports 443 and 80 of my machine respectively on ports 443 and 8080 on my router. I use a domain from duckdns.

a. System environment:

Operating System: Ubuntu 20.10
Kernel: Linux 5.8.0-48-generic
Architecture: x86-64

b. Command:

sudo caddy start

c. Service/unit/compose file:

# caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddyfile or JSON config:

palmiotto.duckdns.org

respond "Hello, world!"

3. The problem I’m having:

I started Caddy with a simple handler on a duckdns domain. Looking at the logs, it seemed like Caddy kept trying to obtain SSL certificates and continuously failed.
When I try to reach my website over https, the page times out.

4. Error messages and/or full log output:

2021/03/25 11:03:53.014 INFO    using adjacent Caddyfile
2021/03/25 11:03:53.016 INFO    admin   admin endpoint started  {"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["localhost:2019", "[::1]:2019", "127.0.0.1:2019"]}
2021/03/25 11:03:53.016 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc000313420"}
2021/03/25 11:03:53.016 INFO    http    server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2021/03/25 11:03:53.016 INFO    http    enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2021/03/25 11:03:53.017 INFO    http    enabling automatic TLS certificate management   {"domains": ["palmiotto.duckdns.org"]}
2021/03/25 11:03:53.017 INFO    autosaved config        {"file": "/root/.config/caddy/autosave.json"}
2021/03/25 11:03:53.017 INFO    serving initial configuration
2021/03/25 11:03:53.018 INFO    tls.obtain      acquiring lock  {"identifier": "palmiotto.duckdns.org"}
2021/03/25 11:03:53.018 INFO    tls     cleaned up storage units
Successfully started Caddy (pid=82196) - Caddy is running in the background
2021/03/25 11:03:53.018 INFO    tls.obtain      lock acquired   {"identifier": "palmiotto.duckdns.org"}
server@palmiottos-server:~$ 2021/03/25 11:03:53.039     INFO    tls.issuance.acme       waiting on internal rate limite{"identifiers": ["palmiotto.duckdns.org"]}
2021/03/25 11:03:53.039 INFO    tls.issuance.acme       done waiting on internal rate limiter   {"identifiers": ["palmiotto.duckdns.org"]}
2021/03/25 11:03:54.689 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "palmiotto.duckdns.org", "challenge_type": "tls-alpn-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2021/03/25 11:04:05.257 ERROR   tls.issuance.acme.acme_client   challenge failed        {"identifier": "palmiotto.duckdns.org", "challenge_type": "tls-alpn-01", "status_code": 400, "problem_type": "urn:ietf:params:acme:error:connection", "error": "Timeout during connect (likely firewall problem)"}
2021/03/25 11:04:05.257 ERROR   tls.issuance.acme.acme_client   validating authorization        {"identifier": "palmiotto.duckdns.org", "error": "authorization failed: HTTP 400 urn:ietf:params:acme:error:connection - Timeout during connect (likely firewall problem)", "order": "https://acme-v02.api.letsencrypt.org/acme/order/116832725/8659066234", "attempt": 1, "max_attempts": 3}
2021/03/25 11:04:06.782 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "palmiotto.duckdns.org", "challenge_type": "http-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2021/03/25 11:04:07.457 ERROR   tls.issuance.acme.acme_client   challenge failed        {"identifier": "palmiotto.duckdns.org", "challenge_type": "http-01", "status_code": 403, "problem_type": "urn:ietf:params:acme:error:unauthorized", "error": "Invalid response from http://palmiotto.duckdns.org/.well-known/acme-challenge/H7n51SKHC04rTFXzi968VzIRRNf_2vjbrJT3pwsKLL4 [83.174.147.135]: 403"}
2021/03/25 11:04:07.457 ERROR   tls.issuance.acme.acme_client   validating authorization        {"identifier": "palmiotto.duckdns.org", "error": "authorization failed: HTTP 403 urn:ietf:params:acme:error:unauthorized - Invalid response from http://palmiotto.duckdns.org/.well-known/acme-challenge/H7n51SKHC04rTFXzi968VzIRRNf_2vjbrJT3pwsKLL4 [83.174.147.135]: 403", "order": "https://acme-v02.api.letsencrypt.org/acme/order/116832725/8659069541", "attempt": 2, "max_attempts": 3}
2021/03/25 11:04:09.210 INFO    tls.issuance.acme       waiting on internal rate limiter        {"identifiers": ["palmiotto.duckdns.org"]}
2021/03/25 11:04:09.210 INFO    tls.issuance.acme       done waiting on internal rate limiter   {"identifiers": ["palmiotto.duckdns.org"]}
2021/03/25 11:04:11.187 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "palmiotto.duckdns.org", "challenge_type": "http-01", "ca": "https://acme.zerossl.com/v2/DV90"}
2021/03/25 11:09:17.267     ERROR   tls.obtain      will retry      {"error": "[palmiotto.duckdns.org] Obtain: [palmiotto.duckdns.org] solving challenges: [palmiotto.duckdns.org] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/tTf-kr1QquMRMFDUep6jJg) (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 1, "retrying_in": 60, "elapsed": 324.248714153, "max_duration": 2592000}
2021/03/25 11:10:18.629 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "palmiotto.duckdns.org", "challenge_type": "http-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"}
2021/03/25 11:10:20.467 ERROR   tls.issuance.acme.acme_client   challenge failed        {"identifier": "palmiotto.duckdns.org", "challenge_type": "http-01", "status_code": 403, "problem_type": "urn:ietf:params:acme:error:unauthorized", "error": "Invalid response from http://palmiotto.duckdns.org/.well-known/acme-challenge/Nq-Mi1m09am9R4kX5UbGOWdLwgfZ95-ulWfmasVZ67o [83.174.147.135]: 403"}
2021/03/25 11:10:20.467 ERROR   tls.issuance.acme.acme_client   validating authorization        {"identifier": "palmiotto.duckdns.org", "error": "authorization failed: HTTP 403 urn:ietf:params:acme:error:unauthorized - Invalid response from http://palmiotto.duckdns.org/.well-known/acme-challenge/Nq-Mi1m09am9R4kX5UbGOWdLwgfZ95-ulWfmasVZ67o [83.174.147.135]: 403", "order": "https://acme-staging-v02.api.letsencrypt.org/acme/order/18747809/17663152", "attempt": 1, "max_attempts": 3}
2021/03/25 11:10:21.999 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "palmiotto.duckdns.org", "challenge_type": "tls-alpn-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"}
2021/03/25 11:10:32.407 ERROR   tls.issuance.acme.acme_client   challenge failed        {"identifier": "palmiotto.duckdns.org", "challenge_type": "tls-alpn-01", "status_code": 400, "problem_type": "urn:ietf:params:acme:error:connection", "error": "Timeout during connect (likely firewall problem)"}
2021/03/25 11:10:32.407 ERROR   tls.issuance.acme.acme_client   validating authorization        {"identifier": "palmiotto.duckdns.org", "error": "authorization failed: HTTP 400 urn:ietf:params:acme:error:connection - Timeout during connect (likely firewall problem)", "order": "https://acme-staging-v02.api.letsencrypt.org/acme/order/18747809/17663180", "attempt": 2, "max_attempts": 3}
2021/03/25 11:10:35.904 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "palmiotto.duckdns.org", "challenge_type": "http-01", "ca": "https://acme.zerossl.com/v2/DV90"}
2021/03/25 11:15:36.954 ERROR   tls.obtain      will retry      {"error": "[palmiotto.duckdns.org] Obtain: [palmiotto.duckdns.org] solving challenges: [palmiotto.duckdns.org] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/_TBNrtol9H4d1CozA6NEhQ) (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 2, "retrying_in": 120, "elapsed": 703.936102239, "max_duration": 2592000}

5. What I already tried:

Originally I forwarded on my router just port 443 and thought the error was something like, in the most profane words I’m capable of, the ssl api was trying to send the certificate back to port 80 and found nothing because it was not forwarded. I then talked to my ISP since my router is externally managed and they said I could not forward port 80 because they need it and they forwarded port 80 on my machine running caddy to port 8080 on the router. Will I be able to run caddy with automatic https also with my configuration? Is the error caused by something else? How can I solve this situation?

6. Links to relevant resources:

If you can’t use port 80 but you can use port 443, that’s fine, because you can use the ACME TLS-ALPN challenge which happens over port 443, rather than the ACME HTTP challenge (port 80).

But looking at your logs, there’s clearly still a problem with Let’s Encrypt trying to reach your server on port 443. Are you sure your ISP allows that port to be used?

To turn off the HTTP challenge since you now know it won’t work, you can add this to your Caddyfile:

tls {
	issuer acme {
		disable_http_challenge
	}
	issuer zerossl {
		disable_http_challenge
	}
}

It’s a bit wordy, but this will keep both ACME issuers enabled but turn off the HTTP challenge.

Alternatively, you can use the ACME DNS challenge, which in your case should be quite easy to do since you use duckdns. I actually wrote the duckdns plugin for Caddy to make this work!

This will let you get around any restrictions on ports 80 and 443 for the purposes of ACME, but you’ll still need to find a port that your ISP doesn’t block that you can use for HTTPS (in your config you could use https://palmiotto.duckdns.org:8443 for example, as your site address).

Thanks for your reply. I changed my Caddyfile to this

palmiotto.duckdns.org
tls {
        issuer acme {
                disable_http_challenge
        }
        issuer zerossl {
                disable_http_challenge
        }
}
respond "Hello world!"

But the site still does not work. I checked with the ISP and it confirmed that port 443 is correctly open. While a scan on the port returns closed, I think this was because at the time I checked Caddy was not running, so no service was handling port 443. These are my logs:

2021/03/25 19:38:15.544 INFO    using adjacent Caddyfile
2021/03/25 19:38:15.547 INFO    admin   admin endpoint started  {"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["localhost:2019", "[::1]:2019", "127.0.0.1:2019"]}
2021/03/25 19:38:15.547 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc0003483f0"}
2021/03/25 19:38:15.547 INFO    http    server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2021/03/25 19:38:15.547 INFO    http    enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2021/03/25 19:38:15.548 INFO    http    enabling automatic TLS certificate management   {"domains": ["palmiotto.duckdns.org"]}
2021/03/25 19:38:15.548 INFO    tls     cleaned up storage units
2021/03/25 19:38:15.548 INFO    autosaved config        {"file": "/home/server/.config/caddy/autosave.json"}
2021/03/25 19:38:15.548 INFO    serving initial configuration
Successfully started Caddy (pid=4661) - Caddy is running in the background
2021/03/25 19:38:15.549 INFO    tls.obtain      acquiring lock  {"identifier": "palmiotto.duckdns.org"}
2021/03/25 19:38:15.549 INFO    tls.obtain      lock acquired   {"identifier": "palmiotto.duckdns.org"}
server@palmiottos-server:~$ 2021/03/25 19:38:15.568     INFO    tls.issuance.acme       waiting on internal rate limite{"identifiers": ["palmiotto.duckdns.org"]}
2021/03/25 19:38:15.568 INFO    tls.issuance.acme       done waiting on internal rate limiter   {"identifiers": ["palmiotto.duckdns.org"]}
2021/03/25 19:38:17.030 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "palmiotto.duckdns.org", "challenge_type": "tls-alpn-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2021/03/25 19:38:27.552 ERROR   tls.issuance.acme.acme_client   challenge failed        {"identifier": "palmiotto.duckdns.org", "challenge_type": "tls-alpn-01", "status_code": 400, "problem_type": "urn:ietf:params:acme:error:connection", "error": "Timeout during connect (likely firewall problem)"}
2021/03/25 19:38:27.552 ERROR   tls.issuance.acme.acme_client   validating authorization        {"identifier": "palmiotto.duckdns.org", "error": "authorization failed: HTTP 400 urn:ietf:params:acme:error:connection - Timeout during connect (likely firewall problem)", "order": "https://acme-v02.api.letsencrypt.org/acme/order/116832424/8666075088", "attempt": 1, "max_attempts": 3}
2021/03/25 19:38:29.320 INFO    tls.issuance.acme       waiting on internal rate limiter        {"identifiers": ["palmiotto.duckdns.org"]}
2021/03/25 19:38:29.320 INFO    tls.issuance.acme       done waiting on internal rate limiter   {"identifiers": ["palmiotto.duckdns.org"]}
2021/03/25 19:38:31.534 ERROR   tls.obtain      will retry      {"error": "[palmiotto.duckdns.org] Obtain: [palmiotto.duckdns.org] solving challenges: palmiotto.duckdns.org: no solvers available for remaining challenges (configured=[tls-alpn-01] offered=[http-01 dns-01] remaining=[http-01 dns-01]) (order=https://acme.zerossl.com/v2/DV90/order/9oKVPxVo9n_p_Al-VFwZHw) (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 1, "retrying_in": 60, "elapsed": 15.98499125, "max_duration": 2592000}
2021/03/25 19:39:33.286 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "palmiotto.duckdns.org", "challenge_type": "tls-alpn-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"}
2021/03/25 19:39:44.061 ERROR   tls.issuance.acme.acme_client   challenge failed        {"identifier": "palmiotto.duckdns.org", "challenge_type": "tls-alpn-01", "status_code": 400, "problem_type": "urn:ietf:params:acme:error:connection", "error": "Timeout during connect (likely firewall problem)"}
2021/03/25 19:39:44.061 ERROR   tls.issuance.acme.acme_client   validating authorization        {"identifier": "palmiotto.duckdns.org", "error": "authorization failed: HTTP 400 urn:ietf:params:acme:error:connection - Timeout during connect (likely firewall problem)", "order": "https://acme-staging-v02.api.letsencrypt.org/acme/order/18749544/17920166", "attempt": 1, "max_attempts": 3}
2021/03/25 19:39:48.126 ERROR   tls.obtain      will retry      {"error": "[palmiotto.duckdns.org] Obtain: [palmiotto.duckdns.org] solving challenges: palmiotto.duckdns.org: no solvers available for remaining challenges (configured=[tls-alpn-01] offered=[http-01 dns-01] remaining=[http-01 dns-01]) (order=https://acme.zerossl.com/v2/DV90/order/MK6Tu1MxsWMjyEELPla2qA) (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 2, "retrying_in": 120, "elapsed": 92.576696971, "max_duration": 2592000}
2021/03/25 19:41:49.780 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "palmiotto.duckdns.org", "challenge_type": "tls-alpn-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"}
2021/03/25 19:42:00.630 ERROR   tls.issuance.acme.acme_client   challenge failed        {"identifier": "palmiotto.duckdns.org", "challenge_type": "tls-alpn-01", "status_code": 400, "problem_type": "urn:ietf:params:acme:error:connection", "error": "Timeout during connect (likely firewall problem)"}
2021/03/25 19:42:00.630 ERROR   tls.issuance.acme.acme_client   validating authorization        {"identifier": "palmiotto.duckdns.org", "error": "authorization failed: HTTP 400 urn:ietf:params:acme:error:connection - Timeout during connect (likely firewall problem)", "order": "https://acme-staging-v02.api.letsencrypt.org/acme/order/18749544/17921523", "attempt": 1, "max_attempts": 3}
2021/03/25 19:42:04.540 ERROR   tls.obtain      will retry      {"error": "[palmiotto.duckdns.org] Obtain: [palmiotto.duckdns.org] solving challenges: palmiotto.duckdns.org: no solvers available for remaining challenges (configured=[tls-alpn-01] offered=[http-01 dns-01] remaining=[http-01 dns-01]) (order=https://acme.zerossl.com/v2/DV90/order/r0NuL46NB5Cfvph4u0HxMA) (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 3, "retrying_in": 120, "elapsed": 228.990886258, "max_duration": 2592000}
2021/03/25 19:44:06.532 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "palmiotto.duckdns.org", "challenge_type": "tls-alpn-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"}
2021/03/25 19:44:17.124 ERROR   tls.issuance.acme.acme_client   challenge failed        {"identifier": "palmiotto.duckdns.org", "challenge_type": "tls-alpn-01", "status_code": 400, "problem_type": "urn:ietf:params:acme:error:connection", "error": "Timeout during connect (likely firewall problem)"}
2021/03/25 19:44:17.124 ERROR   tls.issuance.acme.acme_client   validating authorization        {"identifier": "palmiotto.duckdns.org", "error": "authorization failed: HTTP 400 urn:ietf:params:acme:error:connection - Timeout during connect (likely firewall problem)", "order": "https://acme-staging-v02.api.letsencrypt.org/acme/order/18749544/17922866", "attempt": 1, "max_attempts": 3}
2021/03/25 19:44:20.629 ERROR   tls.obtain      will retry      {"error": "[palmiotto.duckdns.org] Obtain: [palmiotto.duckdns.org] solving challenges: palmiotto.duckdns.org: no solvers available for remaining challenges (configured=[tls-alpn-01] offered=[http-01 dns-01] remaining=[http-01 dns-01]) (order=https://acme.zerossl.com/v2/DV90/order/BZ4EMFWb8eKqT-mahKOcxw) (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 4, "retrying_in": 300, "elapsed": 365.080336174, "max_duration": 2592000}
2021/03/25 19:49:21.831 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "palmiotto.duckdns.org", "challenge_type": "tls-alpn-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"}
2021/03/25 19:49:32.295 ERROR   tls.issuance.acme.acme_client   challenge failed        {"identifier": "palmiotto.duckdns.org", "challenge_type": "tls-alpn-01", "status_code": 400, "problem_type": "urn:ietf:params:acme:error:connection", "error": "Timeout during connect (likely firewall problem)"}
2021/03/25 19:49:32.295 ERROR   tls.issuance.acme.acme_client   validating authorization        {"identifier": "palmiotto.duckdns.org", "error": "authorization failed: HTTP 400 urn:ietf:params:acme:error:connection - Timeout during connect (likely firewall problem)", "order": "https://acme-staging-v02.api.letsencrypt.org/acme/order/18749544/17925333", "attempt": 1, "max_attempts": 3}
2021/03/25 19:49:35.775 ERROR   tls.obtain      will retry      {"error": "[palmiotto.duckdns.org] Obtain: [palmiotto.duckdns.org] solving challenges: palmiotto.duckdns.org: no solvers available for remaining challenges (configured=[tls-alpn-01] offered=[http-01 dns-01] remaining=[http-01 dns-01]) (order=https://acme.zerossl.com/v2/DV90/order/vWR7Yy0-vNI4pxx2KRFzPg) (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 5, "retrying_in": 600, "elapsed": 680.22566445, "max_duration": 2592000}
2021/03/25 19:59:37.446 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "palmiotto.duckdns.org", "challenge_type": "tls-alpn-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"}
2021/03/25 19:59:47.971 ERROR   tls.issuance.acme.acme_client   challenge failed        {"identifier": "palmiotto.duckdns.org", "challenge_type": "tls-alpn-01", "status_code": 400, "problem_type": "urn:ietf:params:acme:error:connection", "error": "Timeout during connect (likely firewall problem)"}
2021/03/25 19:59:47.971 ERROR   tls.issuance.acme.acme_client   validating authorization        {"identifier": "palmiotto.duckdns.org", "error": "authorization failed: HTTP 400 urn:ietf:params:acme:error:connection - Timeout during connect (likely firewall problem)", "order": "https://acme-staging-v02.api.letsencrypt.org/acme/order/18749544/17929305", "attempt": 1, "max_attempts": 3}
2021/03/25 19:59:51.449 ERROR   tls.obtain      will retry      {"error": "[palmiotto.duckdns.org] Obtain: [palmiotto.duckdns.org] solving challenges: palmiotto.duckdns.org: no solvers available for remaining challenges (configured=[tls-alpn-01] offered=[http-01 dns-01] remaining=[http-01 dns-01]) (order=https://acme.zerossl.com/v2/DV90/order/hmL8M4YOC5bOr9OWDunPHw) (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 6, "retrying_in": 1200, "elapsed": 1295.899483435, "max_duration": 2592000}
2021/03/25 20:19:52.736 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "palmiotto.duckdns.org", "challenge_type": "tls-alpn-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"}
2021/03/25 20:20:03.346 ERROR   tls.issuance.acme.acme_client   challenge failed        {"identifier": "palmiotto.duckdns.org", "challenge_type": "tls-alpn-01", "status_code": 400, "problem_type": "urn:ietf:params:acme:error:connection", "error": "Timeout during connect (likely firewall problem)"}
2021/03/25 20:20:03.347 ERROR   tls.issuance.acme.acme_client   validating authorization        {"identifier": "palmiotto.duckdns.org", "error": "authorization failed: HTTP 400 urn:ietf:params:acme:error:connection - Timeout during connect (likely firewall problem)", "order": "https://acme-staging-v02.api.letsencrypt.org/acme/order/18749544/17937772", "attempt": 1, "max_attempts": 3}
2021/03/25 20:20:07.044 ERROR   tls.obtain      will retry      {"error": "[palmiotto.duckdns.org] Obtain: [palmiotto.duckdns.org] solving challenges: palmiotto.duckdns.org: no solvers available for remaining challenges (configured=[tls-alpn-01] offered=[http-01 dns-01] remaining=[http-01 dns-01]) (order=https://acme.zerossl.com/v2/DV90/order/tgivE5aB-pVGUdW4cSjf1A) (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 7, "retrying_in": 1200, "elapsed": 2511.494589818, "max_duration": 2592000}

On a side note, I tried installing Caddy with the duckdns module but I could not find my way around. I tried installing Go and then xcaddy but the command was not found. I also downloaded Caddy from the downloads page but I could not run it even after I moved it into a PATH directory. What should I do?

The errors are still pretty clear about it though – the ACME issuers can’t reach your server. Are you sure you properly port forwarded to your server? Are you sure there’s no other firewall software involved? Are you sure your router isn’t taking port 443 for itself (some of them do)?
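The failure lines in the two logs above can be sorted by cause mechanically. The following is an added example, not part of the thread or of Caddy itself: it parses Caddy's console log format, pairs each "challenge failed" with the preceding attempt to recover the CA, and maps each challenge type to the port the CA must reach. The sample lines are constructed after the thread's logs, with a placeholder domain, IP, token and order ID, and the cause labels are this example's own.

```python
import json
import re

# Caddy console log line: timestamp, level, logger, message, JSON fields.
LINE_RE = re.compile(
    r"(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(\w+)\s+(\S+)\s+(.*?)\s*(\{.*\})\s*$")
SOLVERS_RE = re.compile(r"configured=\[([^\]]*)\] offered=\[([^\]]*)\]")
CA_RE = re.compile(r"\(ca=([^)]+)\)")
# Port the CA connects to for each challenge type (dns-01 needs no inbound port).
CHALLENGE_PORT = {"http-01": 80, "tls-alpn-01": 443, "dns-01": None}

# Constructed sample modelled on the logs in this thread (placeholder values).
SAMPLE_LOG = r'''Successfully started Caddy (pid=1234) - Caddy is running in the background
server@host:~$ 2021/03/25 19:38:17.030 INFO tls.issuance.acme.acme_client trying to solve challenge {"identifier": "example.duckdns.org", "challenge_type": "tls-alpn-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2021/03/25 19:38:27.552 ERROR tls.issuance.acme.acme_client challenge failed {"identifier": "example.duckdns.org", "challenge_type": "tls-alpn-01", "status_code": 400, "problem_type": "urn:ietf:params:acme:error:connection", "error": "Timeout during connect (likely firewall problem)"}
2021/03/25 19:38:29.000 INFO tls.issuance.acme.acme_client trying to solve challenge {"identifier": "example.duckdns.org", "challenge_type": "http-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2021/03/25 19:38:30.000 ERROR tls.issuance.acme.acme_client challenge failed {"identifier": "example.duckdns.org", "challenge_type": "http-01", "status_code": 403, "problem_type": "urn:ietf:params:acme:error:unauthorized", "error": "Invalid response from http://example.duckdns.org/.well-known/acme-challenge/PLACEHOLDER_TOKEN [203.0.113.10]: 403"}
2021/03/25 19:38:31.534 ERROR tls.obtain will retry {"error": "[example.duckdns.org] Obtain: [example.duckdns.org] solving challenges: example.duckdns.org: no solvers available for remaining challenges (configured=[tls-alpn-01] offered=[http-01 dns-01] remaining=[http-01 dns-01]) (order=https://acme.zerossl.com/v2/DV90/order/PLACEHOLDER) (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 1, "retrying_in": 60}
'''


def parse_line(line):
    """Return (message, fields) for a structured log line, else None."""
    m = LINE_RE.search(line)  # search, not match: tolerates a shell prompt prefix
    if not m:
        return None
    try:
        return m.group(4), json.loads(m.group(5))
    except json.JSONDecodeError:
        return None


def triage(log_text):
    """Correlate attempts with failures; return one finding per failure."""
    attempt = {}  # identifier -> CA of the latest "trying to solve challenge"
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        msg, f = parsed
        if msg == "trying to solve challenge":
            attempt[f["identifier"]] = f["ca"]
        elif msg == "challenge failed":
            kind = f["problem_type"].rsplit(":", 1)[-1]
            # connection: the CA could not open the port at all.
            # unauthorized: something answered, but not with the challenge response.
            cause = {"connection": "port-unreachable",
                     "unauthorized": "wrong-responder"}.get(kind, kind)
            findings.append({"ca": attempt.get(f["identifier"], "unknown"),
                             "challenge": f["challenge_type"],
                             "port": CHALLENGE_PORT.get(f["challenge_type"]),
                             "cause": cause})
        elif msg == "will retry":
            err = f.get("error", "")
            ca = CA_RE.search(err)
            solvers = SOLVERS_RE.search(err)
            if solvers:
                configured, offered = (set(g.split()) for g in solvers.groups())
                if not configured & offered:  # CA offers nothing we left enabled
                    findings.append({"ca": ca.group(1) if ca else "unknown",
                                     "challenge": sorted(configured), "port": None,
                                     "cause": "no-shared-challenge"})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A `port-unreachable` finding on port 443 is the case discussed here: the CA's connection timed out before it reached Caddy. `no-shared-challenge` is the ZeroSSL line from the second log, where only tls-alpn-01 was left enabled while that CA offered http-01 and dns-01.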

The ISP says that 443 is correctly forwarded. I added these rules to my iptables

-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT

but I still get

2021/03/26 08:13:49.330 ERROR   tls.issuance.acme.acme_client   validating authorization        {"identifier": "palmiotto.duckdns.org", "error": "authorization failed: HTTP 400 urn:ietf:params:acme:error:connection - Timeout during connect (likely firewall problem)", "order": "https://acme-v02.api.letsencrypt.org/acme/order/117011139/8676812119", "attempt": 1, "max_attempts": 3}

What should I check? At this point I don’t know what to do. Thanks for your replies

Let’s try this to ensure we have all of our bases right. Generate a self-signed cert and use it to serve something dummy on port 443, then try to browse it. If you can see something, then port 443 is being routed correctly and we need to look into the interaction of ACME and Caddy; otherwise port 443 isn’t being routed properly and the port forwarding needs to be configured right.

I looked online in the documentation but I did not find how to use self-signed certificates. What do I have to put in my Caddyconfig?

Change your Caddyfile to this:

{
	local_certs
}
palmiotto.duckdns.org
respond "Hello world!"

Then try to navigate to palmiotto.duckdns.org
