Cannot get Certificate

1. The problem I’m having:

2. Error messages and/or full log output:

Jun 25 18:23:07 lain caddy[221430]: {"level":"debug","ts":1719339787.6444707,"logger":"events","msg":"event","name":"cert_obtaining","id":"6437245c-d77c-48e8-87d5-d92bdfabb3f3","origin":"tls","data":{"identifier":"folky.me"}}
Jun 25 18:23:07 lain caddy[221430]: {"level":"debug","ts":1719339787.6449792,"logger":"tls.obtain","msg":"trying issuer 1/1","issuer":"acme-v02.api.letsencrypt.org-directory"}
Jun 25 18:23:07 lain caddy[221430]: {"level":"info","ts":1719339787.6458468,"logger":"http","msg":"using ACME account","account_id":"https://acme-staging-v02.api.letsencrypt.org/acme/acct/153478463","account_contact":[]}
Jun 25 18:23:07 lain caddy[221430]: {"level":"debug","ts":1719339787.6458805,"logger":"http.acme_client","msg":"creating order","account":"https://acme-staging-v02.api.letsencrypt.org/acme/acct/153478463","identifiers":["folky.me"]}
Jun 25 18:23:07 lain caddy[221430]: {"level":"debug","ts":1719339787.7666464,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/12908577483","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["153478463"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["826"],"Content-Type":["application/json"],"Date":["Tue, 25 Jun 2024 18:23:07 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["TyHFzOMWHmL0DoRGzM23SJi-g9SYZf_HbnbxMOLH_qaonxgyjtk"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Jun 25 18:23:07 lain caddy[221430]: {"level":"debug","ts":1719339787.7668216,"logger":"http.acme_client","msg":"no solver configured","challenge_type":"dns-01"}
Jun 25 18:23:07 lain caddy[221430]: {"level":"info","ts":1719339787.7668467,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"cache.mapcomplete.org","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
Jun 25 18:23:07 lain caddy[221430]: {"level":"debug","ts":1719339787.767457,"logger":"http.acme_client","msg":"waiting for solver before continuing","identifier":"cache.mapcomplete.org","challenge_type":"http-01"}
Jun 25 18:23:07 lain caddy[221430]: {"level":"debug","ts":1719339787.7674873,"logger":"http.acme_client","msg":"done waiting for solver","identifier":"cache.mapcomplete.org","challenge_type":"http-01"}
Jun 25 18:23:07 lain caddy[221430]: {"level":"debug","ts":1719339787.8012164,"logger":"http.acme_client","msg":"http request","method":"HEAD","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.8.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Tue, 25 Jun 2024 18:23:07 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["TyHFzOMWUKDz_CuPRDQ5f9LL_Q58sLVMOvJnooDnsIHBjFOhUNA"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Jun 25 18:23:07 lain caddy[221430]: {"level":"debug","ts":1719339787.9346392,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12908577483/z8WYZw","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["153478463"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["194"],"Content-Type":["application/json"],"Date":["Tue, 25 Jun 2024 18:23:07 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/12908577483>;rel=\"up\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12908577483/z8WYZw"],"Replay-Nonce":["TyHFzOMWVH8YOUVsC2hLbelvipZzX_C_gIq7bTcLvHGTvgr-pdk"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Jun 25 18:23:07 lain caddy[221430]: {"level":"debug","ts":1719339787.9347405,"logger":"http.acme_client","msg":"challenge accepted","identifier":"cache.mapcomplete.org","challenge_type":"http-01"}
Jun 25 18:23:08 lain caddy[221430]: {"level":"debug","ts":1719339788.0153015,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["153478463"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["347"],"Content-Type":["application/json"],"Date":["Tue, 25 Jun 2024 18:23:07 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/order/153478463/17419052013"],"Replay-Nonce":["324AHNKgKPxTQi3DDgDbO3sgT3vD3J2DYHIe3UkXvK1TErtmHSs"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}
Jun 25 18:23:08 lain caddy[221430]: {"level":"debug","ts":1719339788.1781397,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/12908577583","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["153478463"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["813"],"Content-Type":["application/json"],"Date":["Tue, 25 Jun 2024 18:23:08 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["TyHFzOMWDtj3vO53BYOXyDGFckrs8TZ-51tdqPJIBP3EqUwkDG8"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}

3. Caddy version:

2.8.4

4. How I installed and ran Caddy:

installation via apt,

a. System environment:

Ubuntu 22.04 behind ISP-router

b. Command:

systemctl reload caddy

d. My complete Caddy config:

{
	debug
}

cache.mapcomplete.org {
	reverse_proxy /summary/* {
		to http://127.0.0.1:2345
	}

	reverse_proxy /* {
		to http://127.0.0.1:7800
	}
}

folky.me {
	reverse_proxy /* {
		to http://192.168.129.218
	}
}

social.nerdlab.be {
	reverse_proxy {
		to 192.168.129.218
	}
}

5. Links to relevant resources:

Hi @pietervdvn,

It looks to me like the HTTP-01 challenge is being used, and it states “The HTTP-01 challenge can only be done on port 80.”

Best Practice - Keep Port 80 Open

However, port 80 is being filtered (i.e. blocked), thus the ACME HTTP-01 challenge cannot succeed.

Also shown here by Let’s Debug: https://letsdebug.net/cache.mapcomplete.org/2060607

$ nmap -Pn -p80,443 cache.mapcomplete.org
Starting Nmap 7.80 ( https://nmap.org ) at 2024-06-25 21:23 UTC
Nmap scan report for cache.mapcomplete.org (109.128.57.178)
Host is up.
rDNS record for 109.128.57.178: 178.57-128-109.adsl-dyn.isp.belgacom.be

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.55 seconds

Also, there are significant issues with the domain’s authoritative name servers presently: Hardenize Report: mapcomplete.org

Yeah, something really weird is going on. I cannot reach this IP address using some networks, but I can using others.

And some applications work, but others don’t. I guess that is what ‘filtered’ means?

Now the question ofc is: how to remedy this…

Adjust your firewall (and / or router).

I don’t see any errors in your logs. You also didn’t explain what’s not working, specifically. Please elaborate.
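
As an added example (not part of any post in this thread and not Caddy's own tooling), the sketch below triages Caddy's JSON debug log for ACME challenge progress: it reports, per identifier, which challenge was started and how far it got, lists any warn/error entries, and counts lines whose JSON was cut by terminal wrapping. The function names are hypothetical and the sample lines are constructed, shortened from the log quoted in the first post.

```python
import json

# Constructed sample: shortened copies of the log lines quoted in the thread.
# The third line is cut off on purpose, like the hard-wrapped lines in the post.
SAMPLE = """\
Jun 25 18:23:07 lain caddy[221430]: {"level":"debug","ts":1719339787.7668216,"logger":"http.acme_client","msg":"no solver configured","challenge_type":"dns-01"}
Jun 25 18:23:07 lain caddy[221430]: {"level":"info","ts":1719339787.7668467,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"cache.mapcomplete.org","challenge_type":"http-01"}
Jun 25 18:23:07 lain caddy[221430]: {"level":"debug","ts":1719339787.767457,"logger":"http.acme_client","msg":"waiting for solver before continuing","identifier":"cache.mapc
Jun 25 18:23:07 lain caddy[221430]: {"level":"debug","ts":1719339787.9347405,"logger":"http.acme_client","msg":"challenge accepted","identifier":"cache.mapcomplete.org","challenge_type":"http-01"}
"""


def entries(text):
    """Yield (entry, None) per parsable line, (None, line) per broken one."""
    for line in text.splitlines():
        start = line.find("{")
        if start < 0:
            continue  # not a Caddy JSON log line
        try:
            yield json.loads(line[start:]), None
        except json.JSONDecodeError:
            yield None, line  # wrapped or truncated JSON


def summarize(text):
    """Report per-identifier challenge progress, problems and unparsable lines."""
    report = {"identifiers": {}, "problems": [], "unparsable": 0}
    for entry, broken in entries(text):
        if broken is not None:
            report["unparsable"] += 1
            continue
        if entry.get("level") in ("warn", "error"):
            report["problems"].append(entry.get("msg"))
        ident = entry.get("identifier")
        if entry.get("logger") != "http.acme_client" or ident is None:
            continue
        state = report["identifiers"].setdefault(
            ident, {"challenge": None, "stage": "seen", "last_ts": None})
        state["last_ts"] = entry.get("ts")
        if entry.get("msg") == "trying to solve challenge":
            state.update(challenge=entry.get("challenge_type"), stage="started")
        elif entry.get("msg") == "challenge accepted":
            # The CA acknowledged the request to validate; this is not the result.
            state["stage"] = "accepted"
    return report


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE), indent=2))
```

A stage of `accepted` with an empty `problems` list means the excerpt stops before the CA reported a validation result, so a longer capture is needed to see whether the HTTP-01 check on port 80 passed or failed.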