1. The problem I’m having:
I am trying to renew my certificate with Caddy but am getting an error:
Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge
The current state is the following:
curl -vL alesprzedawca.pl
* processing: alesprzedawca.pl
* Trying 51.83.132.248:80...
* Connected to alesprzedawca.pl (51.83.132.248) port 80
> GET / HTTP/1.1
> Host: alesprzedawca.pl
> User-Agent: curl/8.2.1
> Accept: */*
>
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://alesprzedawca.pl/
< Server: Caddy
< Date: Tue, 13 Feb 2024 15:54:47 GMT
< Content-Length: 0
<
* Closing connection
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://alesprzedawca.pl/'
* Trying 51.83.132.248:443...
* Connected to alesprzedawca.pl (51.83.132.248) port 443
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, certificate expired (557):
* SSL certificate problem: certificate has expired
* Closing connection
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
2. Error messages and/or full log output:
I am using Caddy in Docker and see the following logs:
caddy_1 | {"level":"info","ts":1707832343.6732237,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
caddy_1 | {"level":"info","ts":1707832343.680546,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
caddy_1 | {"level":"info","ts":1707832343.6812649,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0002cc400"}
caddy_1 | {"level":"info","ts":1707832343.6813195,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
caddy_1 | {"level":"info","ts":1707832343.6813648,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
caddy_1 | {"level":"info","ts":1707832343.6827374,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
caddy_1 | {"level":"info","ts":1707832343.6829636,"msg":"failed to sufficiently increase send buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
caddy_1 | {"level":"info","ts":1707832343.6834657,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
caddy_1 | {"level":"info","ts":1707832343.6835628,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
caddy_1 | {"level":"info","ts":1707832343.6835759,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["alesprzedawca.pl"]}
caddy_1 | {"level":"warn","ts":1707832343.6849577,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/data/caddy","instance":"404a8506-cef6-48fa-a527-186c769250e3","try_again":1707918743.6849554,"try_again_in":86399.999999381}
caddy_1 | {"level":"info","ts":1707832343.685039,"logger":"tls","msg":"finished cleaning storage units"}
caddy_1 | {"level":"warn","ts":1707832343.695352,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [alesprzedawca.pl]: parsing OCSP response: ocsp: error from server: unauthorized","identifiers":["alesprzedawca.pl"]}
caddy_1 | {"level":"info","ts":1707832343.695786,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
caddy_1 | {"level":"info","ts":1707832343.6958039,"msg":"serving initial configuration"}
caddy_1 | {"level":"info","ts":1707832343.6961095,"logger":"tls.renew","msg":"acquiring lock","identifier":"alesprzedawca.pl"}
caddy_1 | {"level":"info","ts":1707832343.697356,"logger":"tls.renew","msg":"lock acquired","identifier":"alesprzedawca.pl"}
caddy_1 | {"level":"info","ts":1707832343.6982775,"logger":"tls.renew","msg":"renewing certificate","identifier":"alesprzedawca.pl","remaining":-154695.698274998}
caddy_1 | {"level":"info","ts":1707832343.699505,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["alesprzedawca.pl"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"gustaw.daniel@gmail.com"}
caddy_1 | {"level":"info","ts":1707832343.69953,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["alesprzedawca.pl"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"gustaw.daniel@gmail.com"}
caddy_1 | {"level":"info","ts":1707832344.80966,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"alesprzedawca.pl","challenge_type":"tls-alpn-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
caddy_1 | {"level":"error","ts":1707832344.991494,"logger":"http.log.error","msg":"dial tcp 172.27.0.7:5000: connect: connection refused","request":{"remote_ip":"83.28.93.228","remote_port":"51317","client_ip":"83.28.93.228","proto":"HTTP/2.0","method":"GET","host":"alesprzedawca.pl","uri":"/api/GrupaL_spzoo/counts","headers":{"Sec-Fetch-Dest":["empty"],"Accept":["*/*"],"Sec-Fetch-Mode":["cors"],"Sec-Gpc":["1"],"Accept-Language":["pl-PL,pl;q=0.5"],"Sec-Fetch-Site":["same-origin"],"Referer":["https://alesprzedawca.pl/GrupaL_spzoo/zamowienia/?p=2"],"Sec-Ch-Ua":["\"Not A(Brand\";v=\"99\", \"Brave\";v=\"121\", \"Chromium\";v=\"121\""],"Sec-Ch-Ua-Mobile":["?0"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"],"Accept-Encoding":["gzip, deflate, br"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Cookie":[]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"alesprzedawca.pl"}},"duration":0.001092472,"status":502,"err_id":"768s40ty8","err_trace":"reverseproxy.statusError (reverseproxy.go:1267)"}
caddy_1 | {"level":"error","ts":1707832346.1967802,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"alesprzedawca.pl","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]}}
caddy_1 | {"level":"error","ts":1707832346.1968412,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"alesprzedawca.pl","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1568130007/244155501777","attempt":1,"max_attempts":3}
caddy_1 | {"level":"info","ts":1707832347.7487764,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"alesprzedawca.pl","challenge_type":"http-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
3. Caddy version:
I installed the latest Caddy by typing docker-compose pull.
4. How I installed and ran Caddy:
by docker-compose
a. System environment:
docker-compose --version
docker-compose version 1.29.2, build 5becea4c
docker --version
Docker version 20.10.12, build e91ed57
b. Command:
default command from the caddy docker image
c. Service/unit/compose file:
caddy:
  image: caddy
  restart: unless-stopped
  ports:
    - "80:80"
    - "443:443"
    - "443:443/udp"
  volumes:
    - ./Caddyfile:/etc/caddy/Caddyfile
    - caddy_data:/data
    - caddy_config:/config
  depends_on:
    - api
    - admin
d. My complete Caddy config:
My Caddyfile:
{
    email gustaw.daniel@gmail.com
}

alesprzedawca.pl {
    handle /admin* {
        reverse_proxy admin:3000
    }
    handle {
        reverse_proxy api:5000
    }
}
5. Links to relevant resources:
Initially, I thought it was related to "Implemented the zerossl API to issue ssl certificates by armadi1809 · Pull Request #6068 · caddyserver/caddy · GitHub".
I am using OVH to register a domain and maintain DNS.
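Two checks a reader of this thread might run against a renewal that fails the way the post describes, written here as an added example (not code from the original post and not part of Caddy). The first part triages Caddy's JSON log for the ACME challenge sequence, using abridged copies of the log lines quoted above as sample input; the second connects to port 443 the way a tls-alpn-01 validator does (SNI set to the domain, ALPN offering only acme-tls/1, no certificate verification) and reports what the server negotiated. The hostname passed on the command line is the reader's own domain; the probe only checks ALPN negotiation, which is the condition the CA's problem document reports, and does not inspect the challenge certificate itself.

```python
"""Two checks for a failing tls-alpn-01 renewal: triage Caddy's JSON log for
the ACME challenge sequence, and probe port 443 the way an ACME validator does."""
import json
import socket
import ssl
import sys

# Abridged copies of the docker-compose log lines quoted in the post (sample input).
SAMPLE_LOG = r'''
caddy_1 | {"level":"info","ts":1707832343.6961095,"logger":"tls.renew","msg":"acquiring lock","identifier":"alesprzedawca.pl"}
caddy_1 | {"level":"info","ts":1707832344.80966,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"alesprzedawca.pl","challenge_type":"tls-alpn-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
caddy_1 | {"level":"error","ts":1707832346.1967802,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"alesprzedawca.pl","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]}}
caddy_1 | {"level":"info","ts":1707832347.7487764,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"alesprzedawca.pl","challenge_type":"http-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
'''


def parse_caddy_log(lines):
    """Strip the 'container | ' prefix docker-compose adds and decode each JSON record."""
    entries = []
    for line in lines:
        start = line.find("{")
        if start < 0:
            continue  # not a JSON record (blank line, banner, etc.)
        try:
            entries.append(json.loads(line[start:]))
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line; skip rather than abort triage
    return entries


def acme_challenge_timeline(entries):
    """Return (challenge_type, outcome, detail) for every ACME challenge event.

    Caddy logs each attempt under logger 'tls.issuance.acme.acme_client'; a
    failure carries the CA's problem document, whose 'detail' is the reason."""
    events = []
    for e in entries:
        if e.get("logger") != "tls.issuance.acme.acme_client":
            continue
        if e.get("msg") == "trying to solve challenge":
            events.append((e.get("challenge_type"), "attempt", None))
        elif e.get("msg") == "challenge failed":
            detail = e.get("problem", {}).get("detail")
            events.append((e.get("challenge_type"), "failed", detail))
    return events


def probe_acme_alpn(host, port=443, timeout=5.0):
    """Handshake like a tls-alpn-01 validator (RFC 8737): SNI = host, ALPN offers
    only 'acme-tls/1', no certificate verification (the challenge certificate is
    self-signed by design). Returns the negotiated ALPN protocol, or None when the
    server declines it, which is the condition the CA reported in the post.
    This checks negotiation only; a real validator additionally inspects the
    certificate's acmeIdentifier extension, which this probe does not."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_alpn_protocols(["acme-tls/1"])
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.selected_alpn_protocol()
    except (ssl.SSLError, OSError):
        # e.g. a no_application_protocol alert or a refused connection
        return None


if __name__ == "__main__":
    for ctype, outcome, detail in acme_challenge_timeline(
            parse_caddy_log(SAMPLE_LOG.strip().splitlines())):
        print(f"{ctype:12} {outcome:8} {detail or ''}")
    if len(sys.argv) > 1:  # e.g. python3 acme_alpn_check.py your-domain.example
        print("negotiated ALPN:", probe_acme_alpn(sys.argv[1]))
```

Run without arguments to print the challenge timeline from the embedded sample (the tls-alpn-01 attempt, its failure with the CA's detail string, then the fall-back to http-01). With a hostname argument it also performs the live probe; a result of None means the listener on 443 did not accept acme-tls/1 during the handshake, which is worth checking when the port is published from a container or fronted by another proxy.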