Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge

1. The problem I’m having:

I am trying to renew my certificate with Caddy but getting an error

Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge

The current state is the following:

curl -vL alesprzedawca.pl
* processing: alesprzedawca.pl
*   Trying 51.83.132.248:80...
* Connected to alesprzedawca.pl (51.83.132.248) port 80
> GET / HTTP/1.1
> Host: alesprzedawca.pl
> User-Agent: curl/8.2.1
> Accept: */*
> 
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://alesprzedawca.pl/
< Server: Caddy
< Date: Tue, 13 Feb 2024 15:54:47 GMT
< Content-Length: 0
< 
* Closing connection
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://alesprzedawca.pl/'
*   Trying 51.83.132.248:443...
* Connected to alesprzedawca.pl (51.83.132.248) port 443
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, certificate expired (557):
* SSL certificate problem: certificate has expired
* Closing connection
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

2. Error messages and/or full log output:

I am using Caddy in Docker and see the following logs

caddy_1       | {"level":"info","ts":1707832343.6732237,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
caddy_1       | {"level":"info","ts":1707832343.680546,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
caddy_1       | {"level":"info","ts":1707832343.6812649,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0002cc400"}
caddy_1       | {"level":"info","ts":1707832343.6813195,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
caddy_1       | {"level":"info","ts":1707832343.6813648,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
caddy_1       | {"level":"info","ts":1707832343.6827374,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
caddy_1       | {"level":"info","ts":1707832343.6829636,"msg":"failed to sufficiently increase send buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
caddy_1       | {"level":"info","ts":1707832343.6834657,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
caddy_1       | {"level":"info","ts":1707832343.6835628,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
caddy_1       | {"level":"info","ts":1707832343.6835759,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["alesprzedawca.pl"]}
caddy_1       | {"level":"warn","ts":1707832343.6849577,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/data/caddy","instance":"404a8506-cef6-48fa-a527-186c769250e3","try_again":1707918743.6849554,"try_again_in":86399.999999381}
caddy_1       | {"level":"info","ts":1707832343.685039,"logger":"tls","msg":"finished cleaning storage units"}
caddy_1       | {"level":"warn","ts":1707832343.695352,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [alesprzedawca.pl]: parsing OCSP response: ocsp: error from server: unauthorized","identifiers":["alesprzedawca.pl"]}
caddy_1       | {"level":"info","ts":1707832343.695786,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
caddy_1       | {"level":"info","ts":1707832343.6958039,"msg":"serving initial configuration"}
caddy_1       | {"level":"info","ts":1707832343.6961095,"logger":"tls.renew","msg":"acquiring lock","identifier":"alesprzedawca.pl"}
caddy_1       | {"level":"info","ts":1707832343.697356,"logger":"tls.renew","msg":"lock acquired","identifier":"alesprzedawca.pl"}
caddy_1       | {"level":"info","ts":1707832343.6982775,"logger":"tls.renew","msg":"renewing certificate","identifier":"alesprzedawca.pl","remaining":-154695.698274998}
caddy_1       | {"level":"info","ts":1707832343.699505,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["alesprzedawca.pl"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"gustaw.daniel@gmail.com"}
caddy_1       | {"level":"info","ts":1707832343.69953,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["alesprzedawca.pl"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"gustaw.daniel@gmail.com"}
caddy_1       | {"level":"info","ts":1707832344.80966,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"alesprzedawca.pl","challenge_type":"tls-alpn-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
caddy_1       | {"level":"error","ts":1707832344.991494,"logger":"http.log.error","msg":"dial tcp 172.27.0.7:5000: connect: connection refused","request":{"remote_ip":"83.28.93.228","remote_port":"51317","client_ip":"83.28.93.228","proto":"HTTP/2.0","method":"GET","host":"alesprzedawca.pl","uri":"/api/GrupaL_spzoo/counts","headers":{"Sec-Fetch-Dest":["empty"],"Accept":["*/*"],"Sec-Fetch-Mode":["cors"],"Sec-Gpc":["1"],"Accept-Language":["pl-PL,pl;q=0.5"],"Sec-Fetch-Site":["same-origin"],"Referer":["https://alesprzedawca.pl/GrupaL_spzoo/zamowienia/?p=2"],"Sec-Ch-Ua":["\"Not A(Brand\";v=\"99\", \"Brave\";v=\"121\", \"Chromium\";v=\"121\""],"Sec-Ch-Ua-Mobile":["?0"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"],"Accept-Encoding":["gzip, deflate, br"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Cookie":[]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"alesprzedawca.pl"}},"duration":0.001092472,"status":502,"err_id":"768s40ty8","err_trace":"reverseproxy.statusError (reverseproxy.go:1267)"}
caddy_1       | {"level":"error","ts":1707832346.1967802,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"alesprzedawca.pl","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]}}
caddy_1       | {"level":"error","ts":1707832346.1968412,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"alesprzedawca.pl","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1568130007/244155501777","attempt":1,"max_attempts":3}
caddy_1       | {"level":"info","ts":1707832347.7487764,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"alesprzedawca.pl","challenge_type":"http-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}

3. Caddy version:

I installed the latest caddy by typing docker-compose pull.

4. How I installed and ran Caddy:

by docker-compose

a. System environment:

docker-compose --version
docker-compose version 1.29.2, build 5becea4c
docker --version
Docker version 20.10.12, build e91ed57

b. Command:

default command from caddy docker image

c. Service/unit/compose file:

  caddy:
    image: caddy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data
      - caddy_config:/config
    depends_on:
      - api
      - admin

d. My complete Caddy config:

My Caddyfile

{
    email gustaw.daniel@gmail.com
}

alesprzedawca.pl {
	handle /admin* {
		reverse_proxy admin:3000
	}

	handle {
		reverse_proxy api:5000
	}
}

5. Links to relevant resources:

Initially, I was thinking that it was related to Implemented the zerossl API to issue ssl certificates by armadi1809 · Pull Request #6068 · caddyserver/caddy · GitHub

I am using OVH to register a domain and maintain DNS.

Are you using a CDN or a proxy of some sort? Like Cloudflare? Anything that would terminate TLS from the outside?

No, I am using OVH DNS: DNS Checker - DNS Check Propagation Tool

ns14.ovh.net.
dns14.ovh.net.

And there is my DNS zone

$TTL 3600
@	IN SOA dns14.ovh.net. tech.ovh.net. (2024012903 86400 3600 3600000 300)
        IN NS     dns14.ovh.net.
        IN NS     ns14.ovh.net.
        IN MX     1 mx1.mail.ovh.net.
        IN MX     5 mx2.mail.ovh.net.
        IN MX     100 mx3.mail.ovh.net.
     60 IN A     51.83.132.248
        IN AAAA     2001:41d0:301:5::29
        IN TXT     "1|www.alesprzedawca.pl"
    600 IN TXT     "v=spf1 include:mx.ovh.com a mx ip4:51.38.135.165 ip4:51.83.132.248 include:mailgun.org ~all"
*.sm        IN A     152.67.75.201
_autodiscover._tcp        IN SRV     0 0 443 mailconfig.ovh.net.
_imaps._tcp        IN SRV     0 0 993 ssl0.ovh.net.
_submission._tcp        IN SRV     0 0 465 ssl0.ovh.net.
allegro-staging        IN A     152.67.78.166
api.sm        IN A     140.238.170.228
app        IN A     51.83.132.248
autoconfig        IN CNAME     mailconfig.ovh.net.
autodiscover        IN CNAME     mailconfig.ovh.net.
demo.allegro-staging        IN A     152.67.78.166
email.mg        IN CNAME     mailgun.org.
ftp        IN CNAME     alesprzedawca.pl.
imap        IN CNAME     ssl0.ovh.net.
k1._domainkey.mg        IN TXT     "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEit8i+P/uR/PaKMQKkfbjEExNwGJFeg2ubmx6b+XEspJ6RWc6sAnBfrniC362plcoLsFkrq0oVDP+FFADCN0XD5MDZgFa6XxmH/0Mf5kzADH6l6pSPS/Rc0ZTzKOuGAKIgnAdO+n3CxQO5fSMVLuZ4QGxe/7g9Hz3qNIvkUtXpwIDAQAB"
mail        IN CNAME     ssl0.ovh.net.
mg        IN TXT     "v=spf1 include:mailgun.org ~all"
pa     60 IN A     51.83.132.248
pop3        IN CNAME     ssl0.ovh.net.
sks        IN A     51.254.253.147
sm        IN A     152.67.75.201
smtp        IN CNAME     ssl0.ovh.net.
staging.sm        IN A     140.238.170.228
wm     60 IN A     51.38.135.165
www        IN MX     1 mx1.mail.ovh.net.
www        IN MX     100 mx3.mail.ovh.net.
www        IN MX     5 mx2.mail.ovh.net.
www        IN AAAA     2001:41d0:301:5::29
www        IN A     51.83.132.248
www        IN TXT     "3|welcome"
www        IN TXT     "l|pl"
www.sks        IN A     51.254.253.147

From my server, I can reach a website by

curl localhost:5000

From server, I see my IP

curl ipinfo.io
{
  "ip": "51.83.132.248",
  "hostname": "mail.sellmanager.org",
  "city": "Warsaw",
  "region": "Mazovia",
  "country": "PL",
  "loc": "52.2284,21.0522",
  "org": "AS16276 OVH SAS",
  "postal": "03-942",
  "timezone": "Europe/Warsaw",
  "readme": "https://ipinfo.io/missingauth"
}

I can reach this website from my computer by

curl 51.83.132.248:5000

I had ufw enabled. I disabled it now, but still see errors

docker-compose logs --tail 2000 caddy | grep error
caddy_1       | {"level":"warn","ts":1707898658.6809776,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [alesprzedawca.pl]: parsing OCSP response: ocsp: error from server: unauthorized","identifiers":["alesprzedawca.pl"]}
caddy_1       | {"level":"error","ts":1707898661.6185954,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"alesprzedawca.pl","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]}}
caddy_1       | {"level":"error","ts":1707898661.6190376,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"alesprzedawca.pl","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1568130007/244357802517","attempt":1,"max_attempts":3}
caddy_1       | {"level":"error","ts":1707898664.6672745,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"alesprzedawca.pl","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"The key authorization file from the server did not match this challenge. Expected \"XwN50huBfmtF6On72KWc9in4tjfOdquLTwbLn3o1q9I.aYI1j84_Hq7GUiQE1vfeKsHIXxqM8XF66T58cMrvTB4\" (got \"XwN50huBfmtF6On72KWc9in4tjfOdquLTwbLn3o1q9I.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8\")","instance":"","subproblems":[]}}
caddy_1       | {"level":"error","ts":1707898664.667343,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"alesprzedawca.pl","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"The key authorization file from the server did not match this challenge. Expected \"XwN50huBfmtF6On72KWc9in4tjfOdquLTwbLn3o1q9I.aYI1j84_Hq7GUiQE1vfeKsHIXxqM8XF66T58cMrvTB4\" (got \"XwN50huBfmtF6On72KWc9in4tjfOdquLTwbLn3o1q9I.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8\")","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1568130007/244357810197","attempt":2,"max_attempts":3}
caddy_1       | {"level":"error","ts":1707898664.667414,"logger":"tls.renew","msg":"could not get certificate from issuer","identifier":"alesprzedawca.pl","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:unauthorized - The key authorization file from the server did not match this challenge. Expected \"XwN50huBfmtF6On72KWc9in4tjfOdquLTwbLn3o1q9I.aYI1j84_Hq7GUiQE1vfeKsHIXxqM8XF66T58cMrvTB4\" (got \"XwN50huBfmtF6On72KWc9in4tjfOdquLTwbLn3o1q9I.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8\")"}
caddy_1       | {"level":"error","ts":1707898665.1557565,"logger":"tls.renew","msg":"could not get certificate from issuer","identifier":"alesprzedawca.pl","issuer":"acme.zerossl.com-v2-DV90","error":"[alesprzedawca.pl] solving challenges: authz https://acme.zerossl.com/v2/DV90/authz/Syjt797gagCfhEqIBRRy8A has unexpected status; order will fail: invalid (order=https://acme.zerossl.com/v2/DV90/order/JqZ3s6h82M8B_yOlWAuLig) (ca=https://acme.zerossl.com/v2/DV90)"}
caddy_1       | {"level":"error","ts":1707898665.1562176,"logger":"tls.renew","msg":"will retry","error":"[alesprzedawca.pl] Renew: [alesprzedawca.pl] solving challenges: authz https://acme.zerossl.com/v2/DV90/authz/Syjt797gagCfhEqIBRRy8A has unexpected status; order will fail: invalid (order=https://acme.zerossl.com/v2/DV90/order/JqZ3s6h82M8B_yOlWAuLig) (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":6.471892198,"max_duration":2592000}

alesprzedawca.pl doesn’t have a valid DNS A record.

Because of this time 60?

Wait no I’m a big dummy and misread the dig output :joy: sorry

1 Like

Okay, so this is saying that Caddy served the wrong challenge value.

That’s pretty weird. I think you should wipe out Caddy’s storage (i.e. /data volume) and restart it. I think it got into a bad state somehow.

I executed

docker-compose down
docker volume rm allemanager_caddy_config
docker volume rm allemanager_caddy_data 
docker-compose up -d

but

docker-compose logs --tail 2000 caddy

still shows errors

caddy_1       | {"level":"info","ts":1707900905.5982866,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
caddy_1       | {"level":"info","ts":1707900905.60303,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
caddy_1       | {"level":"info","ts":1707900905.6035597,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
caddy_1       | {"level":"info","ts":1707900905.603704,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
caddy_1       | {"level":"info","ts":1707900905.6056378,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00045e300"}
caddy_1       | {"level":"info","ts":1707900905.6113293,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
caddy_1       | {"level":"info","ts":1707900905.6119938,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
caddy_1       | {"level":"info","ts":1707900905.6144135,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
caddy_1       | {"level":"info","ts":1707900905.6144884,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["alesprzedawca.pl"]}
caddy_1       | {"level":"info","ts":1707900905.6181486,"logger":"tls","msg":"cleaning storage unit","storage":"FileStorage:/data/caddy"}
caddy_1       | {"level":"info","ts":1707900905.6186535,"logger":"tls","msg":"finished cleaning storage units"}
caddy_1       | {"level":"info","ts":1707900905.6191492,"logger":"tls.obtain","msg":"acquiring lock","identifier":"alesprzedawca.pl"}
caddy_1       | {"level":"info","ts":1707900905.6205142,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
caddy_1       | {"level":"info","ts":1707900905.6205435,"msg":"serving initial configuration"}
caddy_1       | {"level":"info","ts":1707900905.6215374,"logger":"tls.obtain","msg":"lock acquired","identifier":"alesprzedawca.pl"}
caddy_1       | {"level":"info","ts":1707900905.6217937,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"alesprzedawca.pl"}
caddy_1       | {"level":"info","ts":1707900906.5503664,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["alesprzedawca.pl"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"gustaw.daniel@gmail.com"}
caddy_1       | {"level":"info","ts":1707900906.5504532,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["alesprzedawca.pl"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"gustaw.daniel@gmail.com"}
caddy_1       | {"level":"info","ts":1707900906.9465854,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"alesprzedawca.pl","challenge_type":"tls-alpn-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
caddy_1       | {"level":"error","ts":1707900908.4152188,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"alesprzedawca.pl","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]}}
caddy_1       | {"level":"error","ts":1707900908.4152691,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"alesprzedawca.pl","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1569441547/244364638127","attempt":1,"max_attempts":3}
caddy_1       | {"level":"info","ts":1707900909.7799685,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"alesprzedawca.pl","challenge_type":"http-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
caddy_1       | {"level":"error","ts":1707900911.2340786,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"alesprzedawca.pl","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"The key authorization file from the server did not match this challenge. Expected \"QeSlxeWKhAiRf1bJxbvklVp1sv8TIsyw95LEZYFRQCI.vGw98nqtQAnc5U0inihm3FfOc73QRmY41hyJD-_v0QU\" (got \"QeSlxeWKhAiRf1bJxbvklVp1sv8TIsyw95LEZYFRQCI.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8\")","instance":"","subproblems":[]}}
caddy_1       | {"level":"error","ts":1707900911.2342362,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"alesprzedawca.pl","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"The key authorization file from the server did not match this challenge. Expected \"QeSlxeWKhAiRf1bJxbvklVp1sv8TIsyw95LEZYFRQCI.vGw98nqtQAnc5U0inihm3FfOc73QRmY41hyJD-_v0QU\" (got \"QeSlxeWKhAiRf1bJxbvklVp1sv8TIsyw95LEZYFRQCI.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8\")","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1569441547/244364648647","attempt":2,"max_attempts":3}
caddy_1       | {"level":"error","ts":1707900911.2343898,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"alesprzedawca.pl","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:unauthorized - The key authorization file from the server did not match this challenge. Expected \"QeSlxeWKhAiRf1bJxbvklVp1sv8TIsyw95LEZYFRQCI.vGw98nqtQAnc5U0inihm3FfOc73QRmY41hyJD-_v0QU\" (got \"QeSlxeWKhAiRf1bJxbvklVp1sv8TIsyw95LEZYFRQCI.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8\")"}
caddy_1       | {"level":"info","ts":1707900912.4102256,"logger":"tls.issuance.zerossl","msg":"generated EAB credentials","key_id":"axI3N8_jLQslgdKJcQk94A"}
caddy_1       | {"level":"info","ts":1707900913.1037202,"logger":"tls.issuance.zerossl","msg":"waiting on internal rate limiter","identifiers":["alesprzedawca.pl"],"ca":"https://acme.zerossl.com/v2/DV90","account":"gustaw.daniel@gmail.com"}
caddy_1       | {"level":"info","ts":1707900913.1037652,"logger":"tls.issuance.zerossl","msg":"done waiting on internal rate limiter","identifiers":["alesprzedawca.pl"],"ca":"https://acme.zerossl.com/v2/DV90","account":"gustaw.daniel@gmail.com"}
caddy_1       | {"level":"info","ts":1707900913.5158694,"logger":"tls.issuance.zerossl.acme_client","msg":"trying to solve challenge","identifier":"alesprzedawca.pl","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
caddy_1       | {"level":"error","ts":1707900919.1554646,"logger":"tls.issuance.zerossl.acme_client","msg":"challenge failed","identifier":"alesprzedawca.pl","challenge_type":"http-01","problem":{"type":"","title":"","detail":"","instance":"","subproblems":[]}}
caddy_1       | {"level":"error","ts":1707900919.1557024,"logger":"tls.issuance.zerossl.acme_client","msg":"validating authorization","identifier":"alesprzedawca.pl","problem":{"type":"","title":"","detail":"","instance":"","subproblems":[]},"order":"https://acme.zerossl.com/v2/DV90/order/YTt1M0uhsgavwYPxCQOFcw","attempt":1,"max_attempts":3}
caddy_1       | {"level":"error","ts":1707900919.1558998,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"alesprzedawca.pl","issuer":"acme.zerossl.com-v2-DV90","error":"HTTP 0  - "}
caddy_1       | {"level":"error","ts":1707900919.1562078,"logger":"tls.obtain","msg":"will retry","error":"[alesprzedawca.pl] Obtain: [alesprzedawca.pl] solving challenge: alesprzedawca.pl: [alesprzedawca.pl] authorization failed: HTTP 0  -  (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":13.534644577,"max_duration":2592000}
caddy_1       | {"level":"info","ts":1707900979.1604,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"alesprzedawca.pl"}
caddy_1       | {"level":"info","ts":1707900980.8122346,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"alesprzedawca.pl","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
caddy_1       | {"level":"error","ts":1707900982.945687,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"alesprzedawca.pl","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"The key authorization file from the server did not match this challenge. Expected \"6hisn6dn9I_iCFIezicxAFfllMsJ57Cs9qcaVFF7b6k.aJn8HiTMDnjBxeuIvY9sZ2GlOAB77DnGwFyNZ76VslU\" (got \"6hisn6dn9I_iCFIezicxAFfllMsJ57Cs9qcaVFF7b6k.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8\")","instance":"","subproblems":[]}}
caddy_1       | {"level":"error","ts":1707900982.9460316,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"alesprzedawca.pl","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"The key authorization file from the server did not match this challenge. Expected \"6hisn6dn9I_iCFIezicxAFfllMsJ57Cs9qcaVFF7b6k.aJn8HiTMDnjBxeuIvY9sZ2GlOAB77DnGwFyNZ76VslU\" (got \"6hisn6dn9I_iCFIezicxAFfllMsJ57Cs9qcaVFF7b6k.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8\")","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/136367193/14512599573","attempt":1,"max_attempts":3}
caddy_1       | {"level":"info","ts":1707900984.4328663,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"alesprzedawca.pl","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
caddy_1       | {"level":"error","ts":1707900985.6143582,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"alesprzedawca.pl","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]}}
caddy_1       | {"level":"error","ts":1707900985.6144466,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"alesprzedawca.pl","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/136367193/14512601053","attempt":2,"max_attempts":3}
caddy_1       | {"level":"error","ts":1707900985.6145368,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"alesprzedawca.pl","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:unauthorized - Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge"}
caddy_1       | {"level":"error","ts":1707900989.3370209,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"alesprzedawca.pl","issuer":"acme.zerossl.com-v2-DV90","error":"[alesprzedawca.pl] solving challenges: authz https://acme.zerossl.com/v2/DV90/authz/GBPePlX4kvHaunPmY_oPSw has unexpected status; order will fail: invalid (order=https://acme.zerossl.com/v2/DV90/order/YTt1M0uhsgavwYPxCQOFcw) (ca=https://acme.zerossl.com/v2/DV90)"}
caddy_1       | {"level":"error","ts":1707900989.337109,"logger":"tls.obtain","msg":"will retry","error":"[alesprzedawca.pl] Obtain: [alesprzedawca.pl] solving challenges: authz https://acme.zerossl.com/v2/DV90/authz/GBPePlX4kvHaunPmY_oPSw has unexpected status; order will fail: invalid (order=https://acme.zerossl.com/v2/DV90/order/YTt1M0uhsgavwYPxCQOFcw) (ca=https://acme.zerossl.com/v2/DV90)","attempt":2,"retrying_in":120,"elapsed":83.715546027,"max_duration":2592000}

If this is still happening, then you definitely have something in front of Caddy intercepting the traffic on port 443 (like a TCP proxy of some kind) which isn’t keeping the TLS handshake as-is.

2 Likes
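An added example, not from this thread or from Caddy, of how to confirm that diagnosis from the logs themselves. The tell in the posted logs is that every http-01 failure shows the same token on both sides but a different value after the dot, and that the foreign value is identical across orders; per RFC 8555 section 8.1 the part after the dot is the JWK thumbprint of the ACME account key, so a stable foreign thumbprint means some other ACME client is answering `/.well-known/acme-challenge/` for the name. The hostname, tokens and thumbprints in the sample lines are constructed stand-ins.

```python
import json
import re

# Constructed sample lines in the shape of the thread's `docker-compose logs caddy` output.
# Tokens and thumbprints are made-up stand-ins for the real base64url values.
SAMPLE_LOGS = r"""
caddy_1       | {"level":"info","ts":1.0,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["example.test"]}
caddy_1       | {"level":"error","ts":2.0,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"example.test","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge"}}
caddy_1       | {"level":"error","ts":3.0,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"example.test","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"The key authorization file from the server did not match this challenge. Expected \"tokenAAA.thumbOURS\" (got \"tokenAAA.thumbTHEIRS\")"}}
caddy_1       | {"level":"error","ts":4.0,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"example.test","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"The key authorization file from the server did not match this challenge. Expected \"tokenBBB.thumbOURS\" (got \"tokenBBB.thumbTHEIRS\")"}}
"""

# docker-compose prefixes every line with the service name and a pipe.
PREFIX_RE = re.compile(r"^\S+\s*\|\s*")
# Let's Encrypt reports the expected and observed key authorization in the problem detail.
KEYAUTH_RE = re.compile(r'Expected "([^"]+)" \(got "([^"]+)"\)')


def parse_caddy_log(text):
    """Return the JSON object carried by each docker-compose log line; skip non-JSON lines."""
    events = []
    for line in text.splitlines():
        body = PREFIX_RE.sub("", line.strip(), count=1)
        if not body.startswith("{"):
            continue
        try:
            events.append(json.loads(body))
        except json.JSONDecodeError:
            continue
    return events


def split_key_authorization(keyauth):
    """RFC 8555 section 8.1: keyAuthorization = token '.' base64url(JWK thumbprint of account key)."""
    token, _, thumbprint = keyauth.partition(".")
    return token, thumbprint


def analyze_challenges(text):
    """Classify ACME challenge failures and say whether another host is answering for this name."""
    alpn_failures = 0
    mismatches = []
    for ev in parse_caddy_log(text):
        if ev.get("msg") != "challenge failed":
            continue
        detail = ev.get("problem", {}).get("detail", "")
        ctype = ev.get("challenge_type")
        if ctype == "tls-alpn-01" and "acme-tls/1" in detail:
            alpn_failures += 1
        elif ctype == "http-01":
            m = KEYAUTH_RE.search(detail)
            if not m:
                continue
            exp_token, exp_thumb = split_key_authorization(m.group(1))
            got_token, got_thumb = split_key_authorization(m.group(2))
            mismatches.append({
                "identifier": ev.get("identifier"),
                "token_matches": exp_token == got_token,
                "expected_thumb": exp_thumb,
                "got_thumb": got_thumb,
            })
    # Same token, different thumbprint: the responder echoed the CA's token but completed it with
    # a different ACME account key, i.e. some other ACME client serves /.well-known/acme-challenge/.
    foreign = {m["got_thumb"] for m in mismatches
               if m["token_matches"] and m["got_thumb"] != m["expected_thumb"]}
    if foreign:
        verdict = ("another ACME client is answering http-01 for this name "
                   f"(account thumbprint(s) {sorted(foreign)}); CA validation traffic is not reaching this Caddy")
    elif alpn_failures:
        verdict = "port 443 completed a TLS handshake without acme-tls/1; something in front of Caddy terminates TLS"
    else:
        verdict = "no evidence of interception in these lines"
    return {
        "alpn_failures": alpn_failures,
        "http01_mismatches": mismatches,
        "foreign_thumbprints": foreign,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Run against real output with: docker-compose logs --tail 2000 caddy | python3 this_script.py
    import sys
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOGS
    print(json.dumps(analyze_challenges(source), indent=2, default=sorted))
```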

I am doing backup, and will reinstall everything from scratch.

In the meantime, I temporarily disabled

  • Protection against domain name transfer
  • Secured Delegation - DNSSEC

and uninstalled some packages from the host like:

  • nginx
  • certbot
  • ssl-cert

It will take 3-4 hours to finish the backup and investigate this server.

Will let you know how it will go.

1 Like

Hmm, I don’t think disabling domain lock is a good idea. (But DNSSEC, might as well. It’s controversial anyway.)

Removing nginx, if it was running on the host, might be your best bet. If it was catching the TLS connections then it’s almost certainly the problem.

Finally I connected app.alesprzedawca.pl instead of alesprzedawca.pl and will contact OVH to solve this problem.

I will update you about the progress before closing this topic.

It works now. Thanks for your support.

I bought hosting with SSL generated by OVH for the domain www.alesprzedawca.pl in the multisite settings. This topic was not connected with Caddy.

Steps to fix:

  • I disabled SSL in multisite settings.
  • I bought a new server and redirected A record of alesprzedawca.pl to a new IP
  • I set up service on this server, then disabled and removed this server
  • Finally, I redirected record A to the old server IP
  • Reloaded Caddy and it started working

For local debugging, it was useful to use:

sudo systemd-resolve --flush-caches
getent hosts alesprzedawca.pl
dig alesprzedawca.pl

and connect by VPN to skip DNS caches.

2 Likes