Cannot get certificate for sub domain

1. Caddy version (caddy version): 2.3.0

2. How I run Caddy: Docker

a. System environment:

Debian 10.9

b. Command:

paste command here

c. Service/unit/compose file:

paste full file contents here

d. My complete Caddyfile or JSON config:

{
        email myemail@email.com
}

(common) {
        tls {
                dns lego_deprecated namecheap
                on_demand
        }
        header {
                Strict-Transport-Security "max-age=31536000; includeSubdomains"
                X-XSS-Protection "1; mode=block"
                X-Content-Type-Options "nosniff"
                Referrer-Policy "same-origin"
                Permissions-Policy "geolocation=(self) , microphone=()"
                Content-Security-Policy "frame-ancestors mydomain.com:xxxxx *.mydomain.com:xxxxx"
                -Server
        }
}

mydomain.com:xxxxx {
        import common
        reverse_proxy localhost:8123 {
        }
}

cockpit.mydomain.com:xxxxx {
        import common
        reverse_proxy localhost:19090 {
        }
}

glances.mydomain.com:xxxxx {
        import common
        reverse_proxy localhost:61208 {
        }
}

logviewer.mydomain.com:xxxxx {
        import common
        reverse_proxy localhost:4277 {
        }
}

portainer.mydomain.com:xxxxx {
        import common
        reverse_proxy localhost:9000 {
        }
}

3. The problem I’m having:

Only one of these domains refuses to renew the SSL certificate. All the others went right through at 30 days. I even tried changing the portainer one to port 8123, which I use for Home Assistant itself and which has a valid certificate, as I could just change the port back to 9000 later after I get a certificate.
I have also checked at Namecheap, and so far as I can tell it's not even trying to create a TXT record. I just don't understand, as with Caddy 1, and even the last couple of times with Caddy 2, it has worked OK.

So I was considering maybe trying to use a wildcard certificate instead for everything. What would my Caddyfile look like to do this with those sub-domains?

4. Error messages and/or full log output:

INFO: Starting Caddy...
INFO: Setting NAMECHEAP_API_USER to xxxx
INFO: Setting NAMECHEAP_API_KEY to xxxx
INFO: Found custom Caddy at /share/caddy2/caddy
v2.3.0 h1:fnrqJLa3G5vfxcxmOH/+kJOcunPLhSBnjgIvjXV/QTA=
INFO: Caddyfile found at /share/caddy2/Caddyfile
{"level":"info","ts":1619495035.0704322,"msg":"using provided configuration","config_file":"/share/caddy2/Caddyfile","config_adapter":""}
{"level":"info","ts":1619495035.080027,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["127.0.0.1:2019","localhost:2019","[::1]:2019"]}
{"level":"info","ts":1619495035.080746,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0008a62a0"}
{"level":"info","ts":1619495036.0828834,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1619495036.0886748,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["cockpit.mydomain.com","glances.mydomain.com","mydomain.com","tasmoadmin.mydomain.com","logviewer.mydomain.com","portainer.mydomain.com"]}
{"level":"info","ts":1619495036.0916805,"msg":"autosaved config","file":"/data/caddy/autosave.json"}
{"level":"info","ts":1619495036.0916984,"msg":"serving initial configuration"}
{"level":"info","ts":1619495036.09174,"logger":"watcher","msg":"watching config file for changes","config_file":"/share/caddy2/Caddyfile"}
{"level":"info","ts":1619495036.0947998,"logger":"tls","msg":"cleaned up storage units"}
{"level":"warn","ts":1619495360.8924415,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [portainer.mydomain.com]: parsing OCSP response: ocsp: error from server: unauthorized"}
{"level":"info","ts":1619495360.8925588,"logger":"tls.on_demand","msg":"attempting certificate renewal","server_name":"portainer.mydomain.com","identifiers":["portainer.mydomain.com"],"expiration":1618967179,"remaining":-528181.892548556}
{"level":"info","ts":1619495360.8932967,"logger":"tls.renew","msg":"acquiring lock","identifier":"portainer.mydomain.com"}
2021/04/27 13:49:20 [INFO][FileStorage:/ssl/caddy] Lock for 'issue_cert_portainer.mydomain.com' is stale (created: 2021-04-22 10:50:38.114351762 +1000 AEST, last update: 2021-04-27 13:43:47.922144899 +1000 AEST); removing then retrying: /ssl/caddy/locks/issue_cert_portainer.mydomain.com.lock
{"level":"info","ts":1619495360.8943853,"logger":"tls.renew","msg":"lock acquired","identifier":"portainer.mydomain.com"}
{"level":"info","ts":1619495360.8951108,"logger":"tls.renew","msg":"renewing certificate","identifier":"portainer.mydomain.com","remaining":-528181.895108491}
{"level":"info","ts":1619495360.904245,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["portainer.mydomain.com"]}
{"level":"info","ts":1619495360.90428,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["portainer.mydomain.com"]}
{"level":"warn","ts":1619495360.9056418,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [portainer.mydomain.com]: parsing OCSP response: ocsp: error from server: unauthorized"}
{"level":"info","ts":1619495362.5483077,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"portainer.mydomain.com","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1619495371.231541,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"portainer.mydomain.com","challenge_type":"dns-01","status_code":403,"problem_type":"urn:ietf:params:acme:error:unauthorized","error":"No TXT record found at _acme-challenge.portainer.mydomain.com"}
{"level":"error","ts":1619495371.2315905,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"portainer.mydomain.com","error":"authorization failed: HTTP 403 urn:ietf:params:acme:error:unauthorized - No TXT record found at _acme-challenge.portainer.mydomain.com","order":"https://acme-v02.api.letsencrypt.org/acme/order/92664539/9320088893","attempt":1,"max_attempts":3}
{"level":"error","ts":1619495373.1257763,"logger":"tls.renew","msg":"will retry","error":"[portainer.mydomain.com] Renew: [portainer.mydomain.com] solving challenges: portainer.mydomain.com: no solvers available for remaining challenges (configured=[dns-01] offered=[http-01 dns-01 tls-alpn-01] remaining=[http-01 tls-alpn-01]) (order=https://acme-v02.api.letsencrypt.org/acme/order/92664539/9320090899) (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":12.231379116,"max_duration":2592000}

5. What I already tried:

6. Links to relevant resources:

And just now it renewed and is working once I hit the URL and triggered the on_demand again, but I had been trying this for the last 30 days before it expired, so I just don't get it…

I still feel that using a wildcard for this might prevent the issue?
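One way the wildcard layout asked about above could look, written here as an added example rather than the poster's or the Caddy project's own config: a single site block for the apex and `*.mydomain.com`, with Caddy's `host` matcher and `handle` blocks routing each hostname to the backend port from the original Caddyfile. The `(common_wildcard)` snippet name, the matcher names and the shortened header list are my choices; `on_demand` is dropped because the wildcard certificate is requested at startup rather than on first request.

```caddyfile
{
        email myemail@email.com
}

# Assumed replacement for the original (common) snippet: headers shortened
# here, and no on_demand, since the wildcard cert is obtained at startup.
(common_wildcard) {
        tls {
                dns lego_deprecated namecheap
        }
        header {
                Strict-Transport-Security "max-age=31536000; includeSubdomains"
                -Server
        }
}

# One site block for the apex and all subdomains. With the DNS challenge
# configured, Caddy obtains a wildcard certificate for *.mydomain.com
# (plus one for the apex) instead of one certificate per subdomain.
mydomain.com:xxxxx, *.mydomain.com:xxxxx {
        import common_wildcard

        # Route by Host header; each backend keeps its original port.
        @home host mydomain.com
        handle @home {
                reverse_proxy localhost:8123
        }
        @cockpit host cockpit.mydomain.com
        handle @cockpit {
                reverse_proxy localhost:19090
        }
        @glances host glances.mydomain.com
        handle @glances {
                reverse_proxy localhost:61208
        }
        @logviewer host logviewer.mydomain.com
        handle @logviewer {
                reverse_proxy localhost:4277
        }
        @portainer host portainer.mydomain.com
        handle @portainer {
                reverse_proxy localhost:9000
        }

        # Any other name under the wildcard also reaches this block; answer
        # with 404 rather than proxying it to a backend.
        handle {
                respond 404
        }
}
```

A wildcard certificate does not by itself fix a failing DNS challenge: the log above shows Let's Encrypt found no TXT record at `_acme-challenge.portainer.mydomain.com`, and the wildcard order needs the same Namecheap credentials to publish one at `_acme-challenge.mydomain.com`.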
