Can't get certificates & DNS challenge refuses to work

1. The problem I’m having:

I’m trying to set up Caddy with my domain name that I have with DuckDns, which is all set up the way it should be. Since my modem won’t allow for open ports on 80 or 443 (ISP limitation), getting a certificate through Let’s Encrypt or ZeroSSL is not going to work. So I’m trying to set up a DNS challenge instead, but for some reason, Caddy just ignores this and insists on trying to get a certificate (and failing).

I’m an absolute newbie at this, and I’m just completely stumped as to what I’m doing wrong. Any help would be much obliged.

2. Error messages and/or full log output:


D:\Caddy>caddy_windows_amd64 run --config Caddyfile
2023/12/27 01:04:00.290 ←[34mINFO←[0m   using provided configuration    {"config_file": "Caddyfile", "config_adapter": ""}
2023/12/27 01:04:00.294 ←[33mWARN←[0m   Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies    {"adapter": "caddyfile", "file": "Caddyfile", "line": 2}
2023/12/27 01:04:00.312 ←[34mINFO←[0m   admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2023/12/27 01:04:00.313 ←[34mINFO←[0m   tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc000517a00"}
2023/12/27 01:04:00.313 ←[34mINFO←[0m   http.auto_https server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2023/12/27 01:04:00.313 ←[34mINFO←[0m   http.auto_https enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2023/12/27 01:04:00.313 ←[35mDEBUG←[0m  http.auto_https adjusted config {"tls": {"automation":{"policies":[{"subjects":["wiroxmedia.duckdns.org"]},{}]}}, "http": {"servers":{"remaining_auto_https_redirects":{"listen":[":80"],"routes":[{},{}]},"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"localhost:9876"}]}]}]}],"terminal":true}],"tls_connection_policies":[{}],"automatic_https":{}}}}}
2023/12/27 01:04:00.314 ←[34mINFO←[0m   http    enabling HTTP/3 listener        {"addr": ":443"}
2023/12/27 01:04:00.315 ←[35mDEBUG←[0m  http    starting server loop    {"address": "[::]:443", "tls": true, "http3": true}
2023/12/27 01:04:00.318 ←[34mINFO←[0m   http.log        server running  {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2023/12/27 01:04:00.319 ←[35mDEBUG←[0m  http    starting server loop    {"address": "[::]:80", "tls": false, "http3": false}
2023/12/27 01:04:00.320 ←[34mINFO←[0m   http.log        server running  {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2023/12/27 01:04:00.320 ←[34mINFO←[0m   http    enabling automatic TLS certificate management   {"domains": ["wiroxmedia.duckdns.org"]}
2023/12/27 01:04:00.324 ←[34mINFO←[0m   autosaved config (load with --resume flag)      {"file": "C:\\Users\\ellen\\AppData\\Roaming\\Caddy\\autosave.json"}
2023/12/27 01:04:00.326 ←[34mINFO←[0m   serving initial configuration
2023/12/27 01:04:00.333 ←[33mWARN←[0m   tls     storage cleaning happened too recently; skipping for now        {"storage": "FileStorage:C:\\Users\\ellen\\AppData\\Roaming\\Caddy", "instance": "aecb92b6-8153-4c62-88ce-36ea2a6cdf79", "try_again": "2023/12/28 01:04:00.333", "try_again_in": 86400}
2023/12/27 01:04:00.354 ←[34mINFO←[0m   tls.obtain      acquiring lock  {"identifier": "wiroxmedia.duckdns.org"}
2023/12/27 01:04:00.356 ←[34mINFO←[0m   [INFO][FileStorage:C:\Users\ellen\AppData\Roaming\Caddy] Lock for 'issue_cert_wiroxmedia.duckdns.org' is stale (created: 2023-12-27 02:01:38.6957431 +0100 CET, last update: 2023-12-27 02:03:44.1510076 +0100 CET); removing then retrying: C:\Users\ellen\AppData\Roaming\Caddy\locks\issue_cert_wiroxmedia.duckdns.org.lock
2023/12/27 01:04:00.369 ←[34mINFO←[0m   tls.obtain      lock acquired   {"identifier": "wiroxmedia.duckdns.org"}
2023/12/27 01:04:00.370 ←[34mINFO←[0m   tls.obtain      obtaining certificate   {"identifier": "wiroxmedia.duckdns.org"}
2023/12/27 01:04:00.370 ←[35mDEBUG←[0m  events  event   {"name": "cert_obtaining", "id": "691c8b08-7bb7-4a46-86ea-0b8e6e5ad6b4", "origin": "tls", "data": {"identifier":"wiroxmedia.duckdns.org"}}
2023/12/27 01:04:00.372 ←[35mDEBUG←[0m  tls.obtain      trying issuer 1/2       {"issuer": "acme-v02.api.letsencrypt.org-directory"}
2023/12/27 01:04:00.374 ←[34mINFO←[0m   tls.issuance.acme       waiting on internal rate limiter        {"identifiers": ["wiroxmedia.duckdns.org"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2023/12/27 01:04:00.375 ←[34mINFO←[0m   tls.issuance.acme       done waiting on internal rate limiter   {"identifiers": ["wiroxmedia.duckdns.org"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2023/12/27 01:04:00.386 ←[34mINFO←[0m   tls     finished cleaning storage units
2023/12/27 01:04:00.866 ←[35mDEBUG←[0m  tls.issuance.acme.acme_client   http request    {"method": "GET", "url": "https://acme-v02.api.letsencrypt.org/directory", "headers": {"User-Agent":["Caddy/2.7.6 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["752"],"Content-Type":["application/json"],"Date":["Wed, 27 Dec 2023 01:04:00 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2023/12/27 01:04:01.010 ←[35mDEBUG←[0m  tls.issuance.acme.acme_client   http request    {"method": "HEAD", "url": "https://acme-v02.api.letsencrypt.org/acme/new-nonce", "headers": {"User-Agent":["Caddy/2.7.6 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Date":["Wed, 27 Dec 2023 01:04:00 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["T8gQgmcoE0t2_mS-3wEyFIDHLgqNHDYuaGaUdZleOG86hzeOo8U"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2023/12/27 01:04:01.347 ←[35mDEBUG←[0m  tls.issuance.acme.acme_client   http request    {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/new-order", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Boulder-Requester":["1485556586"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["348"],"Content-Type":["application/json"],"Date":["Wed, 27 Dec 2023 01:04:01 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/order/1485556586/232132844686"],"Replay-Nonce":["xavOoKHvgQXFSEJEy69WBHhqLlZhSUmZkalrkKra7mubqnkzmD8"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 201}
2023/12/27 01:04:01.489 ←[35mDEBUG←[0m  tls.issuance.acme.acme_client   http request    {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/authz-v3/297768303956", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Boulder-Requester":["1485556586"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["806"],"Content-Type":["application/json"],"Date":["Wed, 27 Dec 2023 01:04:01 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["xavOoKHvc2GoKu9wEZl4q0JilnYMOlq0Qpvh0USQFKamFzw-ql0"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2023/12/27 01:04:01.491 ←[35mDEBUG←[0m  tls.issuance.acme.acme_client   no solver configured    {"challenge_type": "tls-alpn-01"}
2023/12/27 01:04:01.497 ←[35mDEBUG←[0m  tls.issuance.acme.acme_client   no solver configured    {"challenge_type": "http-01"}
2023/12/27 01:04:01.497 ←[34mINFO←[0m   tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "wiroxmedia.duckdns.org", "challenge_type": "dns-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2023/12/27 01:04:02.483 ←[35mDEBUG←[0m  tls.issuance.acme.acme_client   waiting for solver before continuing    {"identifier": "wiroxmedia.duckdns.org", "challenge_type": "dns-01"}
2023/12/27 01:04:25.033 ←[35mDEBUG←[0m  tls.issuance.acme.acme_client   done waiting for solver {"identifier": "wiroxmedia.duckdns.org", "challenge_type": "dns-01"}
2023/12/27 01:04:25.339 ←[35mDEBUG←[0m  tls.issuance.acme.acme_client   http request    {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/authz-v3/297768303956", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Boulder-Requester":["1485556586"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["810"],"Content-Type":["application/json"],"Date":["Wed, 27 Dec 2023 01:04:25 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["T8gQgmcolOaxjHEpsv7PzdkO_i2RVjvBZ6sXvrg0ob2lQo_8ArU"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2023/12/27 01:04:25.339 ←[31mERROR←[0m  tls.obtain      could not get certificate from issuer   {"identifier": "wiroxmedia.duckdns.org", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[wiroxmedia.duckdns.org] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of \"_acme-challenge.wiroxmedia.duckdns.org\": dial tcp 99.79.16.64:53: i/o timeout (order=https://acme-v02.api.letsencrypt.org/acme/order/1485556586/232132844686) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
2023/12/27 01:04:25.341 ←[35mDEBUG←[0m  tls.obtain      trying issuer 2/2       {"issuer": "acme.zerossl.com-v2-DV90"}
2023/12/27 01:04:25.344 ←[34mINFO←[0m   tls.issuance.zerossl    waiting on internal rate limiter        {"identifiers": ["wiroxmedia.duckdns.org"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "caddy@zerossl.com"}
2023/12/27 01:04:25.344 ←[34mINFO←[0m   tls.issuance.zerossl    done waiting on internal rate limiter   {"identifiers": ["wiroxmedia.duckdns.org"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "caddy@zerossl.com"}
2023/12/27 01:04:25.838 ←[35mDEBUG←[0m  tls.issuance.zerossl.acme_client        http request    {"method": "GET", "url": "https://acme.zerossl.com/v2/DV90", "headers": {"User-Agent":["Caddy/2.7.6 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Access-Control-Allow-Origin":["*"],"Content-Length":["645"],"Content-Type":["application/json"],"Date":["Wed, 27 Dec 2023 01:04:25 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]}, "status_code": 200}
2023/12/27 01:04:26.643 ←[35mDEBUG←[0m  tls.issuance.zerossl.acme_client        http request    {"method": "HEAD", "url": "https://acme.zerossl.com/v2/DV90/newNonce", "headers": {"User-Agent":["Caddy/2.7.6 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Type":["application/octet-stream"],"Date":["Wed, 27 Dec 2023 01:04:26 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["BNuXGnK0xqPJMHpIldnU10xfJBCpnBIe9kfqvDQh5NA"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]}, "status_code": 200}
2023/12/27 01:04:27.558 ←[35mDEBUG←[0m  tls.issuance.zerossl.acme_client        http request    {"method": "POST", "url": "https://acme.zerossl.com/v2/DV90/newOrder", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["284"],"Content-Type":["application/json"],"Date":["Wed, 27 Dec 2023 01:04:27 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/zGmbi4HkaEhpMQuljFfNZQ"],"Replay-Nonce":["LpWYZ3SlQqpgvvoMB53LZOzj8PnQljbQpyGbMg1vmOc"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]}, "status_code": 201}
2023/12/27 01:04:28.475 ←[35mDEBUG←[0m  tls.issuance.zerossl.acme_client        http request    {"method": "POST", "url": "https://acme.zerossl.com/v2/DV90/authz/w4V8NXynSGozRYlYyNvRww", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["452"],"Content-Type":["application/json"],"Date":["Wed, 27 Dec 2023 01:04:28 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["fHDMOrpauc_o593e6xUaXObUIyIc98NB3bmA7aX9jXc"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]}, "status_code": 200}
2023/12/27 01:04:28.475 ←[35mDEBUG←[0m  tls.issuance.zerossl.acme_client        no solver configured    {"challenge_type": "http-01"}
2023/12/27 01:04:28.479 ←[34mINFO←[0m   tls.issuance.zerossl.acme_client        trying to solve challenge       {"identifier": "wiroxmedia.duckdns.org", "challenge_type": "dns-01", "ca": "https://acme.zerossl.com/v2/DV90"}
2023/12/27 01:04:28.620 ←[35mDEBUG←[0m  tls.issuance.zerossl.acme_client        waiting for solver before continuing    {"identifier": "wiroxmedia.duckdns.org", "challenge_type": "dns-01"}
2023/12/27 01:04:51.849 ←[35mDEBUG←[0m  tls.issuance.zerossl.acme_client        done waiting for solver {"identifier": "wiroxmedia.duckdns.org", "challenge_type": "dns-01"}
2023/12/27 01:04:53.076 ←[35mDEBUG←[0m  tls.issuance.zerossl.acme_client        http request    {"method": "POST", "url": "https://acme.zerossl.com/v2/DV90/authz/w4V8NXynSGozRYlYyNvRww", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["134"],"Content-Type":["application/json"],"Date":["Wed, 27 Dec 2023 01:04:53 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["9f7WWB0WKD_11JZEe3m93PIi4-HFcrHZGO1NnynxZLg"],"Retry-After":["86400"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]}, "status_code": 200}
2023/12/27 01:04:53.077 ←[31mERROR←[0m  tls.obtain      could not get certificate from issuer   {"identifier": "wiroxmedia.duckdns.org", "issuer": "acme.zerossl.com-v2-DV90", "error": "[wiroxmedia.duckdns.org] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of \"_acme-challenge.wiroxmedia.duckdns.org\": dial tcp 99.79.16.64:53: i/o timeout (order=https://acme.zerossl.com/v2/DV90/order/zGmbi4HkaEhpMQuljFfNZQ) (ca=https://acme.zerossl.com/v2/DV90)"}
2023/12/27 01:04:53.082 ←[35mDEBUG←[0m  events  event   {"name": "cert_failed", "id": "15ab889d-34bf-446d-9e53-d0ce8f1dff6c", "origin": "tls", "data": {"error":{},"identifier":"wiroxmedia.duckdns.org","issuers":["acme-v02.api.letsencrypt.org-directory","acme.zerossl.com-v2-DV90"],"renewal":false}}
2023/12/27 01:04:53.083 ←[31mERROR←[0m  tls.obtain      will retry      {"error": "[wiroxmedia.duckdns.org] Obtain: [wiroxmedia.duckdns.org] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of \"_acme-challenge.wiroxmedia.duckdns.org\": dial tcp 99.79.16.64:53: i/o timeout (order=https://acme.zerossl.com/v2/DV90/order/zGmbi4HkaEhpMQuljFfNZQ) (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 1, "retrying_in": 60, "elapsed": 52.7138924, "max_duration": 2592000}
2023/12/27 01:05:53.099 ←[34mINFO←[0m   tls.obtain      obtaining certificate   {"identifier": "wiroxmedia.duckdns.org"}
2023/12/27 01:05:53.099 ←[35mDEBUG←[0m  events  event   {"name": "cert_obtaining", "id": "16624ba9-cb73-4a62-a0da-48629c7c84bc", "origin": "tls", "data": {"identifier":"wiroxmedia.duckdns.org"}}
2023/12/27 01:05:53.105 ←[35mDEBUG←[0m  tls.obtain      trying issuer 1/2       {"issuer": "acme-v02.api.letsencrypt.org-directory"}
2023/12/27 01:05:53.961 ←[35mDEBUG←[0m  tls.issuance.acme.acme_client   http request    {"method": "GET", "url": "https://acme-staging-v02.api.letsencrypt.org/directory", "headers": {"User-Agent":["Caddy/2.7.6 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["826"],"Content-Type":["application/json"],"Date":["Wed, 27 Dec 2023 01:05:53 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2023/12/27 01:05:54.135 ←[35mDEBUG←[0m  tls.issuance.acme.acme_client   http request    {"method": "HEAD", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce", "headers": {"User-Agent":["Caddy/2.7.6 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Date":["Wed, 27 Dec 2023 01:05:54 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["rk02RH96-h4P26gkODw5fZkSpNAhkzemCcOpeQltdHZxAHlLdiY"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2023/12/27 01:05:54.352 ←[35mDEBUG←[0m  tls.issuance.acme.acme_client   http request    {"method": "POST", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Boulder-Requester":["130266264"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["361"],"Content-Type":["application/json"],"Date":["Wed, 27 Dec 2023 01:05:54 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/order/130266264/13232569554"],"Replay-Nonce":["rk02RH96euBX8Ys-cC3oQl2_1ER-hdRvlYKhcJAlq9WynR_qLvs"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 201}
2023/12/27 01:05:54.525 ←[35mDEBUG←[0m  tls.issuance.acme.acme_client   http request    {"method": "POST", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/10270392784", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Boulder-Requester":["130266264"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["827"],"Content-Type":["application/json"],"Date":["Wed, 27 Dec 2023 01:05:54 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["mMpbWOlL7nPK-pVV1n5GzRtQ8GGV_Gu8Ny82UvYLWskxr5ZX9AQ"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2023/12/27 01:05:54.526 ←[35mDEBUG←[0m  tls.issuance.acme.acme_client   no solver configured    {"challenge_type": "tls-alpn-01"}
2023/12/27 01:05:54.531 ←[35mDEBUG←[0m  tls.issuance.acme.acme_client   no solver configured    {"challenge_type": "http-01"}
2023/12/27 01:05:54.532 ←[34mINFO←[0m   tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "wiroxmedia.duckdns.org", "challenge_type": "dns-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"}
2023/12/27 01:05:54.661 ←[35mDEBUG←[0m  tls.issuance.acme.acme_client   waiting for solver before continuing    {"identifier": "wiroxmedia.duckdns.org", "challenge_type": "dns-01"}
2023/12/27 01:06:18.307 ←[35mDEBUG←[0m  tls.issuance.acme.acme_client   done waiting for solver {"identifier": "wiroxmedia.duckdns.org", "challenge_type": "dns-01"}
2023/12/27 01:06:18.622 ←[35mDEBUG←[0m  tls.issuance.acme.acme_client   http request    {"method": "POST", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/10270392784", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Boulder-Requester":["130266264"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["831"],"Content-Type":["application/json"],"Date":["Wed, 27 Dec 2023 01:06:18 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["mMpbWOlLH3J74pdnuiFMIJ8c6v82Q-t8E4nZgLICPiYGLiE9lwA"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2023/12/27 01:06:18.623 ←[31mERROR←[0m  tls.obtain      could not get certificate from issuer   {"identifier": "wiroxmedia.duckdns.org", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[wiroxmedia.duckdns.org] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of \"_acme-challenge.wiroxmedia.duckdns.org\": dial tcp 99.79.16.64:53: i/o timeout (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/130266264/13232569554) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
2023/12/27 01:06:18.628 ←[35mDEBUG←[0m  tls.obtain      trying issuer 2/2       {"issuer": "acme.zerossl.com-v2-DV90"}
2023/12/27 01:06:19.451 ←[35mDEBUG←[0m  tls.issuance.zerossl.acme_client        http request    {"method": "HEAD", "url": "https://acme.zerossl.com/v2/DV90/newNonce", "headers": {"User-Agent":["Caddy/2.7.6 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Type":["application/octet-stream"],"Date":["Wed, 27 Dec 2023 01:06:19 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["klx2-REOEopcLj_PSMteYKxv-mF22e6bvdfEFvrJKmo"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]}, "status_code": 200}
2023/12/27 01:06:19.937 ←[35mDEBUG←[0m  tls.issuance.zerossl.acme_client        http request    {"method": "POST", "url": "https://acme.zerossl.com/v2/DV90/newOrder", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["284"],"Content-Type":["application/json"],"Date":["Wed, 27 Dec 2023 01:06:19 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/N9gThVP0t8BhD7g6PdjSSQ"],"Replay-Nonce":["4Wva_Br2AxYK0Rj-NDJyPR7ifseQSWsYbG1YtFXQp1M"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]}, "status_code": 201}
2023/12/27 01:06:20.291 ←[35mDEBUG←[0m  tls.issuance.zerossl.acme_client        http request    {"method": "POST", "url": "https://acme.zerossl.com/v2/DV90/authz/qSOoC8Ec-dxASTaAWZhw9w", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["452"],"Content-Type":["application/json"],"Date":["Wed, 27 Dec 2023 01:06:20 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["9yV3FLby78zA-ZoCcMxBwlglYR3OfFpjuAhz80vcF2o"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]}, "status_code": 200}
2023/12/27 01:06:20.291 ←[35mDEBUG←[0m  tls.issuance.zerossl.acme_client        no solver configured    {"challenge_type": "http-01"}
2023/12/27 01:06:20.294 ←[34mINFO←[0m   tls.issuance.zerossl.acme_client        trying to solve challenge       {"identifier": "wiroxmedia.duckdns.org", "challenge_type": "dns-01", "ca": "https://acme.zerossl.com/v2/DV90"}
2023/12/27 01:06:20.423 ←[35mDEBUG←[0m  tls.issuance.zerossl.acme_client        waiting for solver before continuing    {"identifier": "wiroxmedia.duckdns.org", "challenge_type": "dns-01"}

3. Caddy version:

v2.7.6

4. How I installed and ran Caddy:

a. System environment:

Windows 10, installer from Caddy website with duckdns package added, running through a command prompt with a caddyfile. Caddy installed as a service.

b. Command:

caddy_windows_amd64 run --config Caddyfile

c. Service/unit/compose file:

d. My complete Caddy config:

wiroxmedia.duckdns.org {
	tls {
		dns duckdns REDACTED
	}
	reverse_proxy localhost:9876
}

5. Links to relevant resources:

This tells me the DNS on your system is misconfigured. It says Caddy isn’t able to contact the DNS server to validate the DNS record of the challenge.

There’s a workaround, which I don’t like much because it just hides the issue of your system instead of fixing it. The workaround is to use the propagation_timeout and propagation_delay to skip Caddy’s own DNS checks and delay the confirmation to the CA to initiate their own checks.

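Added example (not part of the original thread and not Caddy's own code): a small triage script for the failure diagnosed in the reply above. It reads Caddy console log lines, abridged here from the log posted in the question, and reports whether issuance stopped in Caddy's own DNS propagation check, before the CA was asked to validate, and which nameserver could not be reached. The function names are illustrative.

```python
import json
import re

# Colour codes appear as a real ESC byte or as the "←" a Windows console pastes.
ANSI = re.compile(r"(?:\x1b|←)\[\d+m")
LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+)\s+([A-Z]+)\s+(.*)$")
PROPAGATION = re.compile(
    r'checking DNS propagation of "([^"]+)": dial (\w+) (\S+?):(\d+): (.+?) \(order='
)

# Sample input: abridged from the log posted in the question above.
SAMPLE = r"""
2023/12/27 01:04:01.491 ←[35mDEBUG←[0m  tls.issuance.acme.acme_client   no solver configured    {"challenge_type": "tls-alpn-01"}
2023/12/27 01:04:01.497 ←[35mDEBUG←[0m  tls.issuance.acme.acme_client   no solver configured    {"challenge_type": "http-01"}
2023/12/27 01:04:01.497 ←[34mINFO←[0m   tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "wiroxmedia.duckdns.org", "challenge_type": "dns-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2023/12/27 01:04:25.339 ←[31mERROR←[0m  tls.obtain      could not get certificate from issuer   {"identifier": "wiroxmedia.duckdns.org", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[wiroxmedia.duckdns.org] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of \"_acme-challenge.wiroxmedia.duckdns.org\": dial tcp 99.79.16.64:53: i/o timeout (order=https://acme-v02.api.letsencrypt.org/acme/order/1485556586/232132844686) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
2023/12/27 01:04:28.475 ←[35mDEBUG←[0m  tls.issuance.zerossl.acme_client        no solver configured    {"challenge_type": "http-01"}
2023/12/27 01:04:28.479 ←[34mINFO←[0m   tls.issuance.zerossl.acme_client        trying to solve challenge       {"identifier": "wiroxmedia.duckdns.org", "challenge_type": "dns-01", "ca": "https://acme.zerossl.com/v2/DV90"}
2023/12/27 01:04:53.077 ←[31mERROR←[0m  tls.obtain      could not get certificate from issuer   {"identifier": "wiroxmedia.duckdns.org", "issuer": "acme.zerossl.com-v2-DV90", "error": "[wiroxmedia.duckdns.org] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of \"_acme-challenge.wiroxmedia.duckdns.org\": dial tcp 99.79.16.64:53: i/o timeout (order=https://acme.zerossl.com/v2/DV90/order/zGmbi4HkaEhpMQuljFfNZQ) (ca=https://acme.zerossl.com/v2/DV90)"}
"""


def parse_line(raw):
    """Return (level, text, fields) for one Caddy console log line, or None."""
    m = LINE.match(ANSI.sub("", raw.strip()))
    if not m:
        return None
    level, rest = m.group(2), m.group(3)
    fields = {}
    brace = rest.find("{")
    if brace != -1:
        try:
            fields = json.loads(rest[brace:])
            rest = rest[:brace]
        except json.JSONDecodeError:
            pass  # the line has no JSON tail; keep it as plain text
    return level, rest.strip(), fields


def triage(log_text):
    """One finding per failed issuer: where issuance stopped and why."""
    findings, no_solver, attempted = [], set(), set()
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        level, text, fields = parsed
        if text.endswith("no solver configured"):
            no_solver.add(fields.get("challenge_type"))
        elif text.endswith("trying to solve challenge"):
            attempted.add(fields.get("challenge_type"))
        elif level == "ERROR" and text.endswith("could not get certificate from issuer"):
            error = fields.get("error", "")
            finding = {
                "issuer": fields.get("issuer"),
                "identifier": fields.get("identifier"),
                "attempted": sorted(attempted),
                "no_solver": sorted(no_solver),
            }
            m = PROPAGATION.search(error)
            if m:
                # The host running Caddy could not query the nameserver itself,
                # so the CA was never told the challenge was ready.
                finding.update(stage="local propagation check", record=m.group(1),
                               transport=m.group(2), nameserver=m.group(3),
                               port=int(m.group(4)), reason=m.group(5))
            else:
                finding.update(stage="other", reason=error)
            findings.append(finding)
            no_solver, attempted = set(), set()  # next issuer starts fresh
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["issuer"], "->", f["stage"])
        if f["stage"] == "local propagation check":
            print("  could not reach %s:%d over %s (%s) while checking %s"
                  % (f["nameserver"], f["port"], f["transport"], f["reason"], f["record"]))
        print("  attempted:", f["attempted"], "| no solver:", f["no_solver"])
```
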

So I managed to make it get a certificate through a DNS challenge, and this is what it throws up now:

2023/12/28 18:51:00.066 ←[34mINFO←[0m   using provided configuration    {"config_file": "Caddyfile", "config_adapter": ""}
2023/12/28 18:51:00.068 ←[33mWARN←[0m   Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies    {"adapter": "caddyfile", "file": "Caddyfile", "line": 2}
2023/12/28 18:51:00.084 ←[34mINFO←[0m   admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2023/12/28 18:51:00.084 ←[34mINFO←[0m   tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc00009bc00"}
2023/12/28 18:51:00.084 ←[34mINFO←[0m   http.auto_https server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2023/12/28 18:51:00.085 ←[34mINFO←[0m   http.auto_https enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2023/12/28 18:51:00.085 ←[35mDEBUG←[0m  http.auto_https adjusted config {"tls": {"automation":{"policies":[{"subjects":["wiroxmedia.duckdns.org"]},{}]}}, "http": {"servers":{"remaining_auto_https_redirects":{"listen":[":80"],"routes":[{},{}]},"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"127.0.0.1:9876"}]}]}]}],"terminal":true}],"tls_connection_policies":[{}],"automatic_https":{}}}}}
2023/12/28 18:51:00.086 ←[34mINFO←[0m   http    enabling HTTP/3 listener        {"addr": ":443"}
2023/12/28 18:51:00.087 ←[35mDEBUG←[0m  http    starting server loop    {"address": "[::]:443", "tls": true, "http3": true}
2023/12/28 18:51:00.088 ←[34mINFO←[0m   http.log        server running  {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2023/12/28 18:51:00.088 ←[35mDEBUG←[0m  http    starting server loop    {"address": "[::]:80", "tls": false, "http3": false}
2023/12/28 18:51:00.092 ←[34mINFO←[0m   http.log        server running  {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2023/12/28 18:51:00.093 ←[34mINFO←[0m   http    enabling automatic TLS certificate management   {"domains": ["wiroxmedia.duckdns.org"]}
2023/12/28 18:51:00.098 ←[35mDEBUG←[0m  tls     loading managed certificate     {"domain": "wiroxmedia.duckdns.org", "expiration": "2024/03/27 17:26:24.000", "issuer_key": "acme-v02.api.letsencrypt.org-directory", "storage": "FileStorage:C:\\Users\\ellen\\AppData\\Roaming\\Caddy"}
2023/12/28 18:51:00.098 ←[33mWARN←[0m   tls     storage cleaning happened too recently; skipping for now        {"storage": "FileStorage:C:\\Users\\ellen\\AppData\\Roaming\\Caddy", "instance": "aecb92b6-8153-4c62-88ce-36ea2a6cdf79", "try_again": "2023/12/29 18:51:00.098", "try_again_in": 86400}
2023/12/28 18:51:00.101 ←[34mINFO←[0m   tls     finished cleaning storage units
2023/12/28 18:51:00.100 ←[35mDEBUG←[0m  tls.cache       added certificate to cache      {"subjects": ["wiroxmedia.duckdns.org"], "expiration": "2024/03/27 17:26:24.000", "managed": true, "issuer_key": "acme-v02.api.letsencrypt.org-directory", "hash": "2a6d0e473053ea1e790d1d7a54190ff82fa9adae7532329e4361b7f92dbbce76", "cache_size": 1, "cache_capacity": 10000}
2023/12/28 18:51:00.110 ←[35mDEBUG←[0m  events  event   {"name": "cached_managed_cert", "id": "080b2c42-5979-4354-bf64-1af14b0f5b75", "origin": "tls", "data": {"sans":["wiroxmedia.duckdns.org"]}}
2023/12/28 18:51:00.112 ←[34mINFO←[0m   autosaved config (load with --resume flag)      {"file": "C:\\Users\\ellen\\AppData\\Roaming\\Caddy\\autosave.json"}
2023/12/28 18:51:00.112 ←[34mINFO←[0m   serving initial configuration

The caddyfile I used is mostly the same:

wiroxmedia.duckdns.org {
	tls {
		dns duckdns REDACTED
		propagation_timeout -1
	}
	reverse_proxy localhost:9876
}

But if I navigate to wiroxmedia.duckdns.org in my browser, nothing happens. The interface I’m trying to get to, DOES open when I add the port number 9876 at the back of the domain, albeit as an insecure connection. I’m not sure if caddy is supposed to be doing anything else in the log I posted above.

Can you be more specific? Enable debug logs by adding this at the top

{
    debug
}

And enable access logs by adding log in the website definition body, then share the logs. Also, ensure your DNS configuration on DuckDNS is correct.

The log I posted above is with the debug mode already enabled. I removed it from the caddyfile I posted here because it only served to create the troubleshooting and nothing else. That is literally everything caddy does for me now.

By “nothing happens”, I mean I navigate in Chrome to wiroxmedia.duckdns.org and my browser just throws back this after a while:

This site can’t be reached
wiroxmedia.duckdns.org took too long to respond.
Try:

Checking the connection
Checking the proxy and the firewall
Running Windows Network Diagnostics
ERR_CONNECTION_TIMED_OUT

Caddy doesn’t output any extra information after I try to navigate to this domain, what I posted in my previous reply is all it does.

I’ll try the other things you said (and I really should read your entire post before replying :sweat_smile: )

I’m assuming my DNS configuration on DuckDNS is correct, because I can reach my server just fine if I specify the port number after the domain name in my browser.

As for the log… yeah, I might be a total idiot at this, but I can’t get it to work either. To the best of my knowledge, I’m using the correct syntax, but caddy apparently doesn’t even know it’s there.

D:\Caddy>caddy_windows_amd64 run --config Caddyfile
2023/12/28 19:41:46.264 ←[34mINFO←[0m   using provided configuration    {"config_file": "Caddyfile", "config_adapter": ""}
2023/12/28 19:41:46.266 ←[33mWARN←[0m   Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies    {"adapter": "caddyfile", "file": "Caddyfile", "line": 2}
2023/12/28 19:41:46.280 ←[34mINFO←[0m   admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2023/12/28 19:41:46.281 ←[34mINFO←[0m   tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc000371c00"}
2023/12/28 19:41:46.281 ←[34mINFO←[0m   http.auto_https server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2023/12/28 19:41:46.281 ←[34mINFO←[0m   http.auto_https enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2023/12/28 19:41:46.282 ←[35mDEBUG←[0m  http.auto_https adjusted config {"tls": {"automation":{"policies":[{"subjects":["wiroxmedia.duckdns.org"]},{}]}}, "http": {"servers":{"remaining_auto_https_redirects":{"listen":[":80"],"routes":[{},{}],"logs":{"logger_names":{"wiroxmedia.duckdns.org":"log0"}}},"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"127.0.0.1:9876"}]}]}]}],"terminal":true}],"tls_connection_policies":[{}],"automatic_https":{},"logs":{"logger_names":{"wiroxmedia.duckdns.org":"log0"}}}}}}
2023/12/28 19:41:46.282 ←[34mINFO←[0m   http    enabling HTTP/3 listener        {"addr": ":443"}
2023/12/28 19:41:46.288 ←[35mDEBUG←[0m  http    starting server loop    {"address": "[::]:443", "tls": true, "http3": true}
2023/12/28 19:41:46.289 ←[34mINFO←[0m   http.log        server running  {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2023/12/28 19:41:46.290 ←[35mDEBUG←[0m  http    starting server loop    {"address": "[::]:80", "tls": false, "http3": false}
2023/12/28 19:41:46.290 ←[34mINFO←[0m   http.log        server running  {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2023/12/28 19:41:46.290 ←[34mINFO←[0m   http    enabling automatic TLS certificate management   {"domains": ["wiroxmedia.duckdns.org"]}
2023/12/28 19:41:46.293 ←[33mWARN←[0m   tls     storage cleaning happened too recently; skipping for now        {"storage": "FileStorage:C:\\Users\\ellen\\AppData\\Roaming\\Caddy", "instance": "aecb92b6-8153-4c62-88ce-36ea2a6cdf79", "try_again": "2023/12/29 19:41:46.293", "try_again_in": 86400}
2023/12/28 19:41:46.293 ←[35mDEBUG←[0m  tls     loading managed certificate     {"domain": "wiroxmedia.duckdns.org", "expiration": "2024/03/27 17:26:24.000", "issuer_key": "acme-v02.api.letsencrypt.org-directory", "storage": "FileStorage:C:\\Users\\ellen\\AppData\\Roaming\\Caddy"}
2023/12/28 19:41:46.293 ←[34mINFO←[0m   tls     finished cleaning storage units
2023/12/28 19:41:46.298 ←[35mDEBUG←[0m  tls.cache       added certificate to cache      {"subjects": ["wiroxmedia.duckdns.org"], "expiration": "2024/03/27 17:26:24.000", "managed": true, "issuer_key": "acme-v02.api.letsencrypt.org-directory", "hash": "2a6d0e473053ea1e790d1d7a54190ff82fa9adae7532329e4361b7f92dbbce76", "cache_size": 1, "cache_capacity": 10000}
2023/12/28 19:41:46.302 ←[35mDEBUG←[0m  events  event   {"name": "cached_managed_cert", "id": "f046a449-9bf4-4307-ac95-5d5fc0773885", "origin": "tls", "data": {"sans":["wiroxmedia.duckdns.org"]}}
2023/12/28 19:41:46.303 ←[34mINFO←[0m   autosaved config (load with --resume flag)      {"file": "C:\\Users\\ellen\\AppData\\Roaming\\Caddy\\autosave.json"}
2023/12/28 19:41:46.304 ←[34mINFO←[0m   serving initial configuration

The caddyfile (full version this time)

{
debug
}
wiroxmedia.duckdns.org {
	tls {
		dns duckdns REDACTED
        propagation_timeout -1
	}
        log {
                output file D:/Caddy/wiroxmedia.log
        }
	reverse_proxy http://127.0.0.1:9876
}

I tried all possible variations on the file path for the log I could think of (/ or \, with or without quotation marks, …)

Did you try to view the website in the browser after running Caddy? Then check both the debug logs on the console and at D:/Caddy/wiroxmedia.log.

Caddy outputs the exact same thing I’ve already posted, whether I include the log command in the caddyfile or not. It also creates no log file at the specified location to check.

Whether I try visiting my domain with or without caddy running, the end result’s the same, which is the timed out error I posted before. Only if I specify the port (wiroxmedia.duckdns.org:9876) will it load correctly. Also with or without caddy.

This means the request is not reaching Caddy at all. There must be a network issue (e.g. firewall) blocking the request. You mentioned that your modem does not allow the ports 80/443. This limitation might be contributing to what you’re experiencing.

Yeah, I’m thinking that might be it. It’s not that my modem doesn’t allow it, but I have to use my ISP’s customer portal to change its settings. And that hasn’t worked for any of their customers since they changed the interface, which was in January. I actually called them again today to get an update, but it’s still not fixed.

So I guess I’m stuck until I either switch providers or until they get their act together. Good times.

Thank you for your help, though!
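One way to read the startup log posted above and check the diagnosis in the last reply, as an added example (not part of the thread or of Caddy itself): it strips the console colour codes, parses each line's JSON fields, and reports the listeners and the remaining lifetime of the certificate Caddy loaded from storage. The function names and the trimmed sample lines are assumptions made for this example.

```python
import json
import re
from datetime import datetime

# The Windows console prints the ESC byte of ANSI colour codes as "←".
ANSI = re.compile(r"(?:\x1b|←)\[[0-9;]*m")
LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+)\s+([A-Z]+)\s+(.*)$")
STAMP = "%Y/%m/%d %H:%M:%S.%f"

# Lines taken from the log in the thread above, with the storage field trimmed.
SAMPLE = """D:\\Caddy>caddy_windows_amd64 run --config Caddyfile
2023/12/28 19:41:46.288 ←[35mDEBUG←[0m  http    starting server loop    {"address": "[::]:443", "tls": true, "http3": true}
2023/12/28 19:41:46.290 ←[35mDEBUG←[0m  http    starting server loop    {"address": "[::]:80", "tls": false, "http3": false}
2023/12/28 19:41:46.293 ←[35mDEBUG←[0m  tls     loading managed certificate     {"domain": "wiroxmedia.duckdns.org", "expiration": "2024/03/27 17:26:24.000", "issuer_key": "acme-v02.api.letsencrypt.org-directory"}
"""

def parse_line(raw):
    """Return (timestamp, level, text, fields), or None for non-log lines."""
    m = LINE.match(ANSI.sub("", raw.strip()))
    if not m:
        return None
    stamp, level, rest = m.groups()
    text, fields = rest.strip(), {}
    brace = rest.find("{")
    if brace != -1:
        try:
            text, fields = rest[:brace].strip(), json.loads(rest[brace:])
        except json.JSONDecodeError:
            pass  # a brace in the message, but no JSON payload after it
    return datetime.strptime(stamp, STAMP), level, text, fields

def summarize(log_text):
    """Collect listeners, error count and days left on each loaded certificate."""
    out = {"listeners": [], "cert_days_left": {}, "errors": 0}
    for when, level, text, fields in filter(None, map(parse_line, log_text.splitlines())):
        out["errors"] += level == "ERROR"
        if text.endswith("starting server loop"):
            out["listeners"].append(fields["address"])
        elif text.endswith("loading managed certificate"):
            expires = datetime.strptime(fields["expiration"], STAMP)
            out["cert_days_left"][fields["domain"]] = (expires - when).days
    return out

def caddy_side_ok(summary, domain):
    """True when Caddy listens on 443 with an unexpired certificate and no errors."""
    return (summary["errors"] == 0 and "[::]:443" in summary["listeners"]
            and summary["cert_days_left"].get(domain, 0) > 0)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

When `caddy_side_ok` is true and the site still times out, the failure is between the client and the listener (port forwarding or a firewall), not in certificate issuance.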
