Cannot get SSL/HTTPS certificate for my homelab

1. The problem I’m having:

I’m trying to set up a reverse proxy for my RasPi homelab. I bought a domain name on Njalla, and I keep getting "too many requests" errors.

Here’s the cURL output:

* Could not resolve host: portainer.rubuslab.eu
* Closing connection 0
curl: (6) Could not resolve host: portainer.rubuslab.eu

2. Error messages and/or full log output:

Aug 25 21:18:49 DietPi caddy[54355]: {"level":"error","ts":1724617129.7772267,"logger":"http.acme_client","msg":"validating authorization","identifier":"pihole.rubuslab.eu","error":"authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: NXDOMAIN looking up A for pihole.rubuslab.eu - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for pihole.rubuslab.eu - check that a DNS record exists for this domain","order":"https://acme-v02.api.letsencrypt.org/acme/order/1910427286/299430815036","attempt":1,"max_attempts":3}
Aug 25 21:18:51 DietPi caddy[54355]: {"level":"debug","ts":1724617131.1499095,"logger":"http.acme_client","msg":"no solver configured","challenge_type":"dns-01"}
Aug 25 21:18:51 DietPi caddy[54355]: {"level":"info","ts":1724617131.149934,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"pihole.rubuslab.eu","challenge_type":"http-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
Aug 25 21:18:51 DietPi caddy[54355]: {"level":"debug","ts":1724617131.1621313,"logger":"http.acme_client","msg":"no solver configured","challenge_type":"dns-01"}
Aug 25 21:18:51 DietPi caddy[54355]: {"level":"info","ts":1724617131.1621513,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"portainer.rubuslab.eu","challenge_type":"http-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
Aug 25 21:18:51 DietPi caddy[54355]: {"level":"debug","ts":1724617131.3122153,"logger":"http.acme_client","msg":"challenge accepted","identifier":"pihole.rubuslab.eu","challenge_type":"http-01"}
Aug 25 21:18:51 DietPi caddy[54355]: {"level":"debug","ts":1724617131.321979,"logger":"http.acme_client","msg":"challenge accepted","identifier":"portainer.rubuslab.eu","challenge_type":"http-01"}
Aug 25 21:18:51 DietPi caddy[54355]: {"level":"error","ts":1724617131.7240512,"logger":"http.acme_client","msg":"challenge failed","identifier":"pihole.rubuslab.eu","challenge_type":"http-01","status_code":400,"problem_type":"urn:ietf:params:acme:error:dns","error":"DNS problem: NXDOMAIN looking up A for pihole.rubuslab.eu - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for pihole.rubuslab.eu - check that a DNS record exists for this domain"}
Aug 25 21:18:51 DietPi caddy[54355]: {"level":"error","ts":1724617131.7240858,"logger":"http.acme_client","msg":"validating authorization","identifier":"pihole.rubuslab.eu","error":"authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: NXDOMAIN looking up A for pihole.rubuslab.eu - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for pihole.rubuslab.eu - check that a DNS record exists for this domain","order":"https://acme-v02.api.letsencrypt.org/acme/order/1910427286/299430819976","attempt":2,"max_attempts":3}
Aug 25 21:18:51 DietPi caddy[54355]: {"level":"error","ts":1724617131.7297356,"logger":"http.acme_client","msg":"challenge failed","identifier":"portainer.rubuslab.eu","challenge_type":"http-01","status_code":400,"problem_type":"urn:ietf:params:acme:error:dns","error":"DNS problem: NXDOMAIN looking up A for portainer.rubuslab.eu - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for portainer.rubuslab.eu - check that a DNS record exists for this domain"}
Aug 25 21:18:51 DietPi caddy[54355]: {"level":"error","ts":1724617131.7297592,"logger":"http.acme_client","msg":"validating authorization","identifier":"portainer.rubuslab.eu","error":"authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: NXDOMAIN looking up A for portainer.rubuslab.eu - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for portainer.rubuslab.eu - check that a DNS record exists for this domain","order":"https://acme-v02.api.letsencrypt.org/acme/order/1910427286/299430820006","attempt":2,"max_attempts":3}

3. Caddy version:

Caddy version: 2.6.2

4. How I installed and ran Caddy:

Through apt and managed it with systemctl

a. System environment:

DietPi, ARM64, systemd.

b. Command:

N/A

c. Service/unit/compose file:

N/A

d. My complete Caddy config:

My Caddyfile:

{
	debug
	http_port 32768
	https_port 32769
	email redacted@mailbox.org
}

pihole.rubuslab.eu {
	reverse_proxy :80
}

portainer.rubuslab.eu {
	reverse_proxy portainer:9000
}

Hi @ThoriumTextile,

The domain name doesn’t appear to exist.
https://unboundtest.com/m/A/portainer.rubuslab.eu/L2IUHFJW

Query results for A portainer.rubuslab.eu

Response:
;; opcode: QUERY, status: NXDOMAIN, id: 33254
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 1232

;; QUESTION SECTION:
;portainer.rubuslab.eu.	IN	 A

;; AUTHORITY SECTION:
eu.	0	IN	SOA	si.dns.eu. tech.eurid.eu. 1104192726 3600 1800 3600000 600
eu.	0	IN	RRSIG	SOA 8 1 86400 20240901211047 20240825201047 24981 eu. RU/80YqnPTucZtvtfSPSCGDqP3GkKlzNyp4ymovsdxE2gyzxHPDKnbSdxDeYp9HIPnx+bHaMkMRO13ab+I4hfV90UQBuYUt24ZZC1IIKON2Nde6kzEDtc+fbAqbb/WdA6YR6TXL3QyLYe+XMuyx4vVIGBb8FieNfhls+sIfjCdg=
CS7NL1V9TGTKJ2D4IPJVDFM81OHCDD0C.eu.	0	IN	NSEC3	1 1 0 - CS7Q101TN2S4E5PLVNAG6ERMGTCM8MQF NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
CS7NL1V9TGTKJ2D4IPJVDFM81OHCDD0C.eu.	0	IN	RRSIG	NSEC3 8 2 600 20240828133041 20240821124958 24981 eu. GyFA21uAqmqOZPO7KAqTATBnWm8RVEpqA4DLx4NKCAnGrUo0fY5xd3eXz7FqOqsTja4Fc3nppSeQAlBRP5wW2XTsYP6XRPhNfAK2l6n3Zo5HXDfq9H4pMejEwdotze+B9oCjzmqVbBXuGDbXxtPsvMMufSOXhW3iIHQ4CHc7awo=
MSH5P9CHD6KMRTIORNJL47QD033HUG7N.eu.	0	IN	NSEC3	1 1 0 - MSHAAO1CJH30OSHT6S5TH19VD61RRFOR NS DS RRSIG
MSH5P9CHD6KMRTIORNJL47QD033HUG7N.eu.	0	IN	RRSIG	NSEC3 8 2 600 20240901182659 20240825172659 24981 eu. oDHaUWbfozHFVLt/3SrLfATK33HMBynW3lma+G9j44pHFahGwb6wNas1PpR28LdkIH9MBjirBy7Hu3m+BdpaHu6n0heDEEapD0xewQjkW6u0eSLYAv1Ke80KO7fE07vdNbGctN5SyzhNFk5fVIDNYO5ikiHH1OkHlH7xMZ4J6Dw=
MM2CCO24RNV426LLFLIVI1QT8GJDUFJ7.eu.	0	IN	NSEC3	1 1 0 - MM2FQ2UARTBM6LS2SKTOIMTEND0PPS0A NS DS RRSIG
MM2CCO24RNV426LLFLIVI1QT8GJDUFJ7.eu.	0	IN	RRSIG	NSEC3 8 2 600 20240829195353 20240822190747 24981 eu. oCKkKx0hQCf7CV4rrP/6HVDL1QGDXmva7YwdpozumBtmJfoo+Y1QM2n2JFyJnEalGE4W94bCszw7BfbD0YvJJpWRm1HVz5GorbT2eUfRIKu9Fo+/7YS2rzsI0N6XY44wTHp3OS7Kqc5HnlvP9ZlWIZvL28suH25jxBgyFFG03D0=


Hi @Bruce5051 and thanks for replying.
This is my current setup on Njalla’s side.


Am I missing something?

Hi @ThoriumTextile,

Is that the domain name’s Authoritative Name Servers from the perspective of the Internet?

Sorry, I don’t quite understand what you mean by “authoritative name server”.
Regardless, rubuslab.eu is the TLD I bought.

The Authoritative Name Servers for rubuslab.eu

Presently all 3 authoritative name servers are returning the same (valid) responses.

$ nslookup portainer.rubuslab.eu 1-you.njalla.no.
Server:         1-you.njalla.no.
Address:        185.193.124.2#53

Name:   portainer.rubuslab.eu
Address: 192.168.1.3
$ nslookup portainer.rubuslab.eu 3-get.njalla.fo.
Server:         3-get.njalla.fo.
Address:        95.215.19.5#53

Name:   portainer.rubuslab.eu
Address: 192.168.1.3
$ nslookup portainer.rubuslab.eu 2-can.njalla.in.
Server:         2-can.njalla.in.
Address:        185.193.124.34#53

Name:   portainer.rubuslab.eu
Address: 192.168.1.3

The IPv4 address you are using, 192.168.1.3,
is part of the IPv4 private address space (see “IPv4 Private Address Space and Filtering”, American Registry for Internet Numbers).
Also see “Reserved IP addresses” on Wikipedia,
and the IANA IPv4 Special-Purpose Address Registry.

With an IP address in the ranges listed above, only devices on that local network will be able to access the machine.

Thus, if you wanted to use Let’s Encrypt you would not be able to use the HTTP-01 challenge; the DNS-01 challenge would be your only choice to get a certificate issued.

Does the machine you are running curl on have its DNS resolver getting the same answers as I showed above?
Also, is the IPv4 address 192.168.1.3 the correct address?

Heck even try curl -k 192.168.1.3.

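The diagnosis above (NXDOMAIN from the Internet, and a record pointing at an RFC 1918 address that no CA can reach) can be turned into a small pre-flight check. This is an added example, not code from the thread or from Caddy; the hostname and address are taken from the thread, and the classification rule (no records, non-global address, or public address) is my own wording of the reasoning given above.

```python
"""Pre-flight check: can Let's Encrypt's HTTP-01 challenge possibly succeed?

HTTP-01 requires the CA to resolve the name and connect to the resulting
address on port 80. NXDOMAIN, or an address that is not globally routable
(RFC 1918, link-local, loopback, ULA), rules HTTP-01 out; DNS-01 is then the
only option, as described in the thread.
"""
import ipaddress
import socket


def resolve(hostname: str) -> list[str]:
    """Ask the local stub resolver; [] mirrors curl's 'Could not resolve host'."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    # Drop IPv6 scope ids such as '%eth0' so ipaddress can parse the value.
    return sorted({info[4][0].split("%")[0] for info in infos})


def http01_viability(addresses: list[str]) -> str:
    """Classify A/AAAA values as 'nxdomain', 'private' or 'public'."""
    if not addresses:
        return "nxdomain"
    for addr in addresses:
        # is_global is False for RFC 1918, 100.64/10, loopback, link-local, ULA.
        if not ipaddress.ip_address(addr).is_global:
            return "private"
    return "public"


def advise(hostname: str, addresses: list[str]) -> str:
    """Human-readable next step for the given resolution result."""
    verdict = http01_viability(addresses)
    if verdict == "nxdomain":
        return f"{hostname}: no A/AAAA record visible; publish one before trying any challenge"
    if verdict == "private":
        joined = ", ".join(addresses)
        return f"{hostname}: resolves to {joined}, unreachable from the Internet; use DNS-01"
    return f"{hostname}: public address; HTTP-01 is possible if port 80 is forwarded to the host"


if __name__ == "__main__":
    # Constructed sample matching the thread: the record points at an RFC 1918 address.
    print(advise("portainer.rubuslab.eu", ["192.168.1.3"]))
    # Live check against whatever the local resolver returns (needs network access).
    print(advise("portainer.rubuslab.eu", resolve("portainer.rubuslab.eu")))
```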

Please check the Status field

Right, so, I think I might see what you’re onto.
That’s the local IP, but if I use the RasPi’s public IP, which I got through curl icanhazip.com, and use that instead, it doesn’t work, and on Chromium I get a DNS_PROBE_POSSIBLE error.

So does that mean I should change the registrar?

That wouldn’t be my first step, I would research what that status means and why it has that status. Might need to communicate with the registrar about it.

Does the router port forward correctly from the public ip address to the local ip address for Port 80 and Port 443?

Unfortunately my router (the one my ISP gave me) is kind of crappy, and I’m considering getting a new one, because it locks all ports below 32768, so I can’t port forward anything below that value.


Ouch!
Then if you are using Let’s Encrypt your only choice with that router is


Please check the Status field

Another thing I found through ICANN’s WHOIS…
Weird.

Sorry, not to be spoonfed, but could you link me to a resource on how to setup this on Caddy?

Kindly wait for a more knowledgeable Caddy community member to assist you with that.
(I’m just trying to learn Caddy myself.)

No worries! We do have a handy link for this. (Just note that you’ll need to be using a compatible DNS provider.)


So this was a headache. I ended up asking ChatGPT, got myself a bit more technical, and through firewall and port forwarding hoops I ended up using NGINX Proxy Manager and bound the EXIT port on my router to Docker’s custom ones (remember, I don’t have access to 80 and 443).
Also I had to switch the DNS registrar to IONOS, because Njalla is terrible and so is their support; they simply replied with a ¯\_(ツ)_/¯ on the domain-on-hold thing.

Sorry for bothering! This wasn’t a Caddy issue, but thanks for your insights nonetheless.

I know you said you’re on IONOS now, but I’ve set up Caddy on Njalla just fine. I had to use the xcaddy module: xcaddy build --with github.com/caddy-dns/njalla

Building xcaddy, I think, could be through the repo manager or with Go, but it is better to get Go directly from the downloads page, because it’s more up to date than the repos.
I think the latest Go is from here: https://go.dev/dl/
git clone https://github.com/caddyserver/xcaddy.git
cd xcaddy
# the xcaddy binary lives in cmd/xcaddy; installing the repo root builds only the library
go install ./cmd/xcaddy

Then put this in the Caddyfile (I included your domain name, and I assume you replaced “portainer” with the Portainer server’s IP address?):

{
        # DNS-01 challenge via the caddy-dns/njalla module; the token is read from
        # the environment (set NJALLA_API_TOKEN in the systemd unit) so it stays out of the config file
        acme_dns njalla {env.NJALLA_API_TOKEN}
}

portainer.rubuslab.eu {
        reverse_proxy portainer:9000
        # any other directives this site needs
}

To find the Njalla token: click account (top right corner of the homepage) > Settings > under “API Access”, click Manage > click Add token > scroll ALL the way down, click Add > click Manage next to the new API token name > the API token is right there.

Make sure on Njalla that DNS points to the IP address of the server that is running Caddy.

Type    Name            Content                                  TTL
------------------------------------------------------------------
CNAME   *.rubuslab.eu   rubuslab.eu                              1m
A       rubuslab.eu     (your Caddy server's LOCAL IP address)   1m

I haven’t read through the conversation, but the DNS challenge shouldn’t need open ports at all.
