Cannot get Certificate

1. The problem I’m having:

2. Error messages and/or full log output:

Jun 25 18:23:07 lain caddy[221430]: {"level":"debug","ts":1719339787.6444707,"logger":"events","msg":"event","name":"cert_obtaining","id":"6437245c-d77c-48e8-87d5-d92bdfabb3
f3","origin":"tls","data":{"identifier":"folky.me"}}
Jun 25 18:23:07 lain caddy[221430]: {"level":"debug","ts":1719339787.6449792,"logger":"tls.obtain","msg":"trying issuer 1/1","issuer":"acme-v02.api.letsencrypt.org-directory
"}
Jun 25 18:23:07 lain caddy[221430]: {"level":"info","ts":1719339787.6458468,"logger":"http","msg":"using ACME account","account_id":"https://acme-staging-v02.api.letsencrypt
.org/acme/acct/153478463","account_contact":[]}
Jun 25 18:23:07 lain caddy[221430]: {"level":"debug","ts":1719339787.6458805,"logger":"http.acme_client","msg":"creating order","account":"https://acme-staging-v02.api.letse
ncrypt.org/acme/acct/153478463","identifiers":["folky.me"]}
Jun 25 18:23:07 lain caddy[221430]: {"level":"debug","ts":1719339787.7666464,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02
.api.letsencrypt.org/acme/authz-v3/12908577483","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.4 CertMagic acmez (linux; amd64)"]},"response_he
aders":{"Boulder-Requester":["153478463"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["826"],"Content-Type":["application/json"],"Date":["Tue, 25 Jun 2
024 18:23:07 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["TyHFzOMWHmL0DoRGzM23SJi-g9SYZf_HbnbxMOLH_qaonxgyjtk"],"
Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Jun 25 18:23:07 lain caddy[221430]: {"level":"debug","ts":1719339787.7668216,"logger":"http.acme_client","msg":"no solver configured","challenge_type":"dns-01"}
Jun 25 18:23:07 lain caddy[221430]: {"level":"info","ts":1719339787.7668467,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"cache.mapcomplete.org
","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
Jun 25 18:23:07 lain caddy[221430]: {"level":"debug","ts":1719339787.767457,"logger":"http.acme_client","msg":"waiting for solver before continuing","identifier":"cache.mapc
omplete.org","challenge_type":"http-01"}
Jun 25 18:23:07 lain caddy[221430]: {"level":"debug","ts":1719339787.7674873,"logger":"http.acme_client","msg":"done waiting for solver","identifier":"cache.mapcomplete.org"
,"challenge_type":"http-01"}
Jun 25 18:23:07 lain caddy[221430]: {"level":"debug","ts":1719339787.8012164,"logger":"http.acme_client","msg":"http request","method":"HEAD","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.8.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Tue, 25 Jun 2024 18:23:07 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["TyHFzOMWUKDz_CuPRDQ5f9LL_Q58sLVMOvJnooDnsIHBjFOhUNA"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Jun 25 18:23:07 lain caddy[221430]: {"level":"debug","ts":1719339787.9346392,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12908577483/z8WYZw","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["153478463"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["194"],"Content-Type":["application/json"],"Date":["Tue, 25 Jun 2024 18:23:07 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/12908577483>;rel=\"up\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12908577483/z8WYZw"],"Replay-Nonce":["TyHFzOMWVH8YOUVsC2hLbelvipZzX_C_gIq7bTcLvHGTvgr-pdk"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Jun 25 18:23:07 lain caddy[221430]: {"level":"debug","ts":1719339787.9347405,"logger":"http.acme_client","msg":"challenge accepted","identifier":"cache.mapcomplete.org","challenge_type":"http-01"}
Jun 25 18:23:08 lain caddy[221430]: {"level":"debug","ts":1719339788.0153015,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["153478463"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["347"],"Content-Type":["application/json"],"Date":["Tue, 25 Jun 2024 18:23:07 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/order/153478463/17419052013"],"Replay-Nonce":["324AHNKgKPxTQi3DDgDbO3sgT3vD3J2DYHIe3UkXvK1TErtmHSs"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}
Jun 25 18:23:08 lain caddy[221430]: {"level":"debug","ts":1719339788.1781397,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/12908577583","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["153478463"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["813"],"Content-Type":["application/json"],"Date":["Tue, 25 Jun 2024 18:23:08 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["TyHFzOMWDtj3vO53BYOXyDGFckrs8TZ-51tdqPJIBP3EqUwkDG8"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}

3. Caddy version:

2.8.4

4. How I installed and ran Caddy:

installation via apt,

a. System environment:

Ubuntu 22.04 behind ISP-router

b. Command:

systemctl reload caddy

d. My complete Caddy config:

{
debug
}

cache.mapcomplete.org {
    reverse_proxy /summary/* {
        to http://127.0.0.1:2345
    }
    
    reverse_proxy /* {
        to http://127.0.0.1:7800
    }

}

folky.me {
	reverse_proxy /* {
		to http://192.168.129.218
	}
}

social.nerdlab.be {
	reverse_proxy {
		to 192.168.129.218
	}
}

5. Links to relevant resources:

Hi @pietervdvn,

It looks to me like the HTTP-01 challenge is being used, and it states “The HTTP-01 challenge can only be done on port 80.”

Best Practice - Keep Port 80 Open

However Port 80 is being filtered (i.e. blocked) thus the ACME HTTP-01 Challenge cannot succeed.

Also show here https://letsdebug.net/cache.mapcomplete.org/2060607
by Let’s Debug.

$ nmap -Pn -p80,443 cache.mapcomplete.org
Starting Nmap 7.80 ( https://nmap.org ) at 2024-06-25 21:23 UTC
Nmap scan report for cache.mapcomplete.org (109.128.57.178)
Host is up.
rDNS record for 109.128.57.178: 178.57-128-109.adsl-dyn.isp.belgacom.be

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.55 seconds

Also there are significant issue with the Domain’s Authoritative Name Servers presently Hardenize Report: mapcomplete.org

image1635×868 53.2 KB

Yeah, something really weird is going up. I cannot reach this IP-address using some networks, but I can using others.

And some applications work, but others don’t. I guess that is what ‘filtered’ means?

Now the question ofc is: how to remedy this…

Adjust your firewall (and / or router).

I don’t see any errors in your logs. You also didn’t explain what’s not working, specifically. Please elaborate.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.