1. Caddy version (caddy version): 2.3.0
2. How I run Caddy: Docker
a. System environment: Debian 10.9
b. Command:
paste command here
c. Service/unit/compose file:
paste full file contents here
d. My complete Caddyfile or JSON config:
{
	email myemail@email.com
}

(common) {
	tls {
		dns lego_deprecated namecheap
		on_demand
	}
	header {
		Strict-Transport-Security "max-age=31536000; includeSubdomains"
		X-XSS-Protection "1; mode=block"
		X-Content-Type-Options "nosniff"
		Referrer-Policy "same-origin"
		Permissions-Policy "geolocation=(self) , microphone=()"
		Content-Security-Policy "frame-ancestors mydomain.com:xxxxx *.mydomain.com:xxxxx"
		-Server
	}
}

mydomain.com:xxxxx {
	import common
	reverse_proxy localhost:8123
}

cockpit.mydomain.com:xxxxx {
	import common
	reverse_proxy localhost:19090
}

glances.mydomain.com:xxxxx {
	import common
	reverse_proxy localhost:61208
}

logviewer.mydomain.com:xxxxx {
	import common
	reverse_proxy localhost:4277
}

portainer.mydomain.com:xxxxx {
	import common
	reverse_proxy localhost:9000
}
3. The problem I’m having:
Only one of these domains refuses to renew the SSL certificate. All the others went right through at 30 days. I even tried changing the portainer one to a port I use for Home Assistant itself, 8123, which has a valid certificate, as I could just change the port back to 9000 later after I get a certificate.
I have also checked at Namecheap and, so far as I can tell, it’s not even trying to create a TXT record. I just don’t understand, as with Caddy 1, and even the last couple of times with Caddy 2, it has worked OK.
So I was considering maybe trying to use a wildcard certificate instead for everything. What would my Caddyfile look like to do this with those sub-domains?
4. Error messages and/or full log output:
INFO: Starting Caddy...
INFO: Setting NAMECHEAP_API_USER to xxxx
INFO: Setting NAMECHEAP_API_KEY to xxxx
INFO: Found custom Caddy at /share/caddy2/caddy
v2.3.0 h1:fnrqJLa3G5vfxcxmOH/+kJOcunPLhSBnjgIvjXV/QTA=
INFO: Caddyfile found at /share/caddy2/Caddyfile
{"level":"info","ts":1619495035.0704322,"msg":"using provided configuration","config_file":"/share/caddy2/Caddyfile","config_adapter":""}
{"level":"info","ts":1619495035.080027,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["127.0.0.1:2019","localhost:2019","[::1]:2019"]}
{"level":"info","ts":1619495035.080746,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0008a62a0"}
{"level":"info","ts":1619495036.0828834,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1619495036.0886748,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["cockpit.mydomain.com","glances.mydomain.com","mydomain.com","tasmoadmin.mydomain.com","logviewer.mydomain.com","portainer.mydomain.com"]}
{"level":"info","ts":1619495036.0916805,"msg":"autosaved config","file":"/data/caddy/autosave.json"}
{"level":"info","ts":1619495036.0916984,"msg":"serving initial configuration"}
{"level":"info","ts":1619495036.09174,"logger":"watcher","msg":"watching config file for changes","config_file":"/share/caddy2/Caddyfile"}
{"level":"info","ts":1619495036.0947998,"logger":"tls","msg":"cleaned up storage units"}
{"level":"warn","ts":1619495360.8924415,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [portainer.mydomain.com]: parsing OCSP response: ocsp: error from server: unauthorized"}
{"level":"info","ts":1619495360.8925588,"logger":"tls.on_demand","msg":"attempting certificate renewal","server_name":"portainer.mydomain.com","identifiers":["portainer.mydomain.com"],"expiration":1618967179,"remaining":-528181.892548556}
{"level":"info","ts":1619495360.8932967,"logger":"tls.renew","msg":"acquiring lock","identifier":"portainer.mydomain.com"}
2021/04/27 13:49:20 [INFO][FileStorage:/ssl/caddy] Lock for 'issue_cert_portainer.mydomain.com' is stale (created: 2021-04-22 10:50:38.114351762 +1000 AEST, last update: 2021-04-27 13:43:47.922144899 +1000 AEST); removing then retrying: /ssl/caddy/locks/issue_cert_portainer.mydomain.com.lock
{"level":"info","ts":1619495360.8943853,"logger":"tls.renew","msg":"lock acquired","identifier":"portainer.mydomain.com"}
{"level":"info","ts":1619495360.8951108,"logger":"tls.renew","msg":"renewing certificate","identifier":"portainer.mydomain.com","remaining":-528181.895108491}
{"level":"info","ts":1619495360.904245,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["portainer.mydomain.com"]}
{"level":"info","ts":1619495360.90428,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["portainer.mydomain.com"]}
{"level":"warn","ts":1619495360.9056418,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [portainer.mydomain.com]: parsing OCSP response: ocsp: error from server: unauthorized"}
{"level":"info","ts":1619495362.5483077,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"portainer.mydomain.com","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1619495371.231541,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"portainer.mydomain.com","challenge_type":"dns-01","status_code":403,"problem_type":"urn:ietf:params:acme:error:unauthorized","error":"No TXT record found at _acme-challenge.portainer.mydomain.com"}
{"level":"error","ts":1619495371.2315905,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"portainer.mydomain.com","error":"authorization failed: HTTP 403 urn:ietf:params:acme:error:unauthorized - No TXT record found at _acme-challenge.portainer.mydomain.com","order":"https://acme-v02.api.letsencrypt.org/acme/order/92664539/9320088893","attempt":1,"max_attempts":3}
{"level":"error","ts":1619495373.1257763,"logger":"tls.renew","msg":"will retry","error":"[portainer.mydomain.com] Renew: [portainer.mydomain.com] solving challenges: portainer.mydomain.com: no solvers available for remaining challenges (configured=[dns-01] offered=[http-01 dns-01 tls-alpn-01] remaining=[http-01 tls-alpn-01]) (order=https://acme-v02.api.letsencrypt.org/acme/order/92664539/9320090899) (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":12.231379116,"max_duration":2592000}
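Added example (editor's illustration, not a reply from the thread and not code from the Caddy project): one way to write the wildcard Caddyfile asked for in item 3, keeping the post's five backends, its `lego_deprecated namecheap` DNS module and its `xxxxx` port placeholder. Let's Encrypt issues wildcard certificates only through the DNS-01 challenge, so the `dns` directive stays; `on_demand` is dropped because every hostname is known in advance and on-demand TLS exists for names that are not. Requests are routed to backends with `host` matchers inside one site block, which is the pattern the Caddy documentation uses for wildcard sites.

```caddyfile
{
	email myemail@email.com
}

# Security headers carried over from the post's (common) snippet. The tls
# settings move into the wildcard site block, since that is where the
# certificate is now requested.
(common_headers) {
	header {
		Strict-Transport-Security "max-age=31536000; includeSubdomains"
		X-XSS-Protection "1; mode=block"
		X-Content-Type-Options "nosniff"
		Referrer-Policy "same-origin"
		Permissions-Policy "geolocation=(self), microphone=()"
		Content-Security-Policy "frame-ancestors mydomain.com:xxxxx *.mydomain.com:xxxxx"
		-Server
	}
}

# One site block for the apex and every subdomain (xxxxx is the post's port
# placeholder). Caddy manages one certificate per name, so this yields a
# wildcard certificate for *.mydomain.com and a separate one for the apex.
*.mydomain.com:xxxxx, mydomain.com:xxxxx {
	tls {
		dns lego_deprecated namecheap
	}
	import common_headers

	# Route by Host header (Caddy's host matcher ignores the port), so each
	# backend is reachable only under its own name.
	@home host mydomain.com
	handle @home {
		reverse_proxy localhost:8123
	}

	@cockpit host cockpit.mydomain.com
	handle @cockpit {
		reverse_proxy localhost:19090
	}

	@glances host glances.mydomain.com
	handle @glances {
		reverse_proxy localhost:61208
	}

	@logviewer host logviewer.mydomain.com
	handle @logviewer {
		reverse_proxy localhost:4277
	}

	@portainer host portainer.mydomain.com
	handle @portainer {
		reverse_proxy localhost:9000
	}

	# Any other name covered by the wildcard matches none of the above and
	# gets a 404 rather than falling through to an internal service.
	handle {
		respond 404
	}
}
```

Two checks worth making once this is in place: both the wildcard and the apex validate through TXT records at `_acme-challenge.mydomain.com` (not under each subdomain), so that is the record to watch for at Namecheap while Caddy is issuing; and because the wildcard private key now protects every subdomain, it should exist only in Caddy's storage on the proxy host, as the post's `/ssl/caddy` setup already does.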
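Added example (editor's code, not from the original post or from Caddy): a small checker that reads Caddy 2's JSON log and flags the two conditions visible in item 4, a renewal attempted on a certificate whose `remaining` lifetime is already negative, and an ACME `challenge failed` event with the CA's error text, which names the DNS record the CA looked for. The sample input is constructed from lines in the post and includes the plain-text certmagic lock message, which the parser must skip rather than choke on.

```python
"""Surface ACME renewal problems from Caddy 2 JSON logs (added example)."""
import json

# Constructed sample: three JSON lines and one plain-text lock line taken from
# the post. Real Caddy logs mix both shapes, so the parser tolerates either.
SAMPLE_LOG = r'''
{"level":"info","ts":1619495360.8925588,"logger":"tls.on_demand","msg":"attempting certificate renewal","server_name":"portainer.mydomain.com","identifiers":["portainer.mydomain.com"],"expiration":1618967179,"remaining":-528181.892548556}
2021/04/27 13:49:20 [INFO][FileStorage:/ssl/caddy] Lock for 'issue_cert_portainer.mydomain.com' is stale (created: 2021-04-22 10:50:38.114351762 +1000 AEST, last update: 2021-04-27 13:43:47.922144899 +1000 AEST); removing then retrying: /ssl/caddy/locks/issue_cert_portainer.mydomain.com.lock
{"level":"error","ts":1619495371.231541,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"portainer.mydomain.com","challenge_type":"dns-01","status_code":403,"problem_type":"urn:ietf:params:acme:error:unauthorized","error":"No TXT record found at _acme-challenge.portainer.mydomain.com"}
'''


def parse_events(log_text):
    """Yield one dict per JSON log line; non-JSON lines are skipped, not fatal."""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line.startswith("{"):
            continue  # e.g. the certmagic FileStorage lock message
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def find_renewal_problems(log_text):
    """Return the problems worth alerting on, in log order.

    Flags (1) a renewal attempt where 'remaining' is negative, meaning the
    site is already serving an expired certificate, and (2) an ACME challenge
    failure, keeping the CA's error text so the operator can see which DNS
    name the CA queried.
    """
    problems = []
    for ev in parse_events(log_text):
        msg = ev.get("msg")
        if msg == "attempting certificate renewal" and ev.get("remaining", 0.0) < 0:
            problems.append({
                "kind": "expired",
                "name": ev["server_name"],
                # 'remaining' is in seconds; report how long ago it hit zero
                "expired_days_ago": round(-ev["remaining"] / 86400, 1),
            })
        elif msg == "challenge failed" and ev.get("logger", "").endswith("acme_client"):
            problems.append({
                "kind": "challenge_failed",
                "name": ev["identifier"],
                "challenge": ev["challenge_type"],
                "detail": ev["error"],
            })
    return problems


if __name__ == "__main__":
    for problem in find_renewal_problems(SAMPLE_LOG):
        print(problem)
```

Run against the post's log, this reports portainer.mydomain.com as about six days past expiry and a dns-01 failure on `_acme-challenge.portainer.mydomain.com`, which matches the observation in item 3 that no TXT record is appearing at Namecheap. Feeding a container's log stream into `find_renewal_problems` is enough to alert before a certificate lapses instead of after.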