Can't get certification renewal

1. The problem I’m having:

On Friday I had a high CPU overload due to my own failure on my webserver.
Now I'm trying to restore it, but Caddy cannot renew the certificates via Let's Encrypt.

2. Error messages and/or full log output:


xcaddy   | {"level":"error","ts":1725197497.6123316,"logger":"http.acme_client","msg":"challenge failed","identifier":"naseweis.io","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"217.160.224.25: Error getting validation data","instance":"","subproblems":[]}}
xcaddy   | {"level":"error","ts":1725197497.612376,"logger":"http.acme_client","msg":"validating authorization","identifier":"naseweis.io","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"217.160.224.25: Error getting validation data","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/161610513/18796206673","attempt":2,"max_attempts":3}

3. Caddy version: 2.8.4

4. How I installed and ran Caddy:

with docker-compose

a. System environment:

Alma Linux 9.4 docker

b. Command:

docker-compose up 

c. Service/unit/compose file:

version: "3.8"

services:
  caddy:
    image: xcaddy:latest
    container_name: xcaddy
    restart: unless-stopped
    volumes:
      - /opt/caddy/Caddyfile:/etc/caddy/Caddyfile
      - /opt/caddy/certs:/certs
      - /opt/caddy/config:/config
      - /opt/caddy/data:/data
      - /opt/caddy/sites:/srv

d. My complete Caddy config:

https://nextcloud.naseweis.io:443 {
    header Strict-Transport-Security max-age=31536000;
    reverse_proxy localhost:11000

    log {
        output file /data/access.log {
            roll_size 1gb
            roll_keep 5
            roll_keep_for 720h
        }
        format transform "{common_log}"
    }
}

https://naseweis.io:443 {
    header Strict-Transport-Security max-age=31536000;
    reverse_proxy localhost:8000

    log {
        output file /data/access.log {
            roll_size 1gb
            roll_keep 5
            roll_keep_for 720h
        }
        format transform "{common_log}"
    }
}

https://www.naseweis.io:443 {
    header Strict-Transport-Security max-age=31536000;
    reverse_proxy localhost:8000

    log {
        output file /data/access.log {
            roll_size 1gb
            roll_keep 5
            roll_keep_for 720h
        }
        format transform "{common_log}"
    }
}

https://checkmk.naseweis.io:443 {
    header Strict-Transport-Security max-age=31536000;
    reverse_proxy localhost:8888

    log {
        output file /data/access.log {
            roll_size 1gb
            roll_keep 5
            roll_keep_for 720h
        }
        format transform "{common_log}"
    }
}

So all services are down now and I don't know how to fix it. Any ideas would be nice!

Hmm, kinda looks like something might be in front of Caddy. I can’t say I’ve seen an ALPN challenge fail with this error when Caddy was listening directly at the resolved IP address. Is there a firewall or proxy at that IP address, perhaps?


That looks like the Staging Environment; no production certificates are issued from there.

Try Let’s Debug to assist in debugging.
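To make the two observations above concrete (a `urn:ietf:params:acme:error:connection` problem on a tls-alpn-01 challenge means the CA could not reach port 443 at the resolved IP, and an order URL under `acme-staging-v02` means the attempt was against the staging CA), here is an added example, not code from the thread or from the Caddy project, that triages Caddy's JSON log lines and optionally reproduces the CA's connection attempt from your own machine. The sample log is built from the two lines quoted in the first post; `probe_tls_alpn` is a hypothetical helper that opens a TLS connection offering the `acme-tls/1` ALPN protocol the way a validator would, and it needs network access, so it is not exercised by the parsing code.

```python
import ipaddress
import json
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional

STAGING_MARKER = "acme-staging-v02.api.letsencrypt.org"

# Constructed sample: the two docker-compose log lines quoted in this thread.
SAMPLE_LOG = r'''
xcaddy   | {"level":"error","ts":1725197497.6123316,"logger":"http.acme_client","msg":"challenge failed","identifier":"naseweis.io","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"217.160.224.25: Error getting validation data","instance":"","subproblems":[]}}
xcaddy   | {"level":"error","ts":1725197497.612376,"logger":"http.acme_client","msg":"validating authorization","identifier":"naseweis.io","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"217.160.224.25: Error getting validation data","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/161610513/18796206673","attempt":2,"max_attempts":3}
'''


@dataclass
class AcmeFailure:
    identifier: str
    challenge_type: Optional[str]
    error_type: str
    detail: str
    validation_ip: Optional[str]   # the address the CA tried to reach, if the detail names one
    staging: Optional[bool]        # None when the line carries no order URL


def parse_caddy_line(line: str) -> dict:
    """Drop the docker-compose service prefix ('xcaddy   | ') and decode the JSON object."""
    return json.loads(line[line.index("{"):])


def leading_ip(detail: str) -> Optional[str]:
    """Return the IP at the start of a problem detail such as '1.2.3.4: Error ...', else None."""
    candidate = detail.split(": ", 1)[0]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def extract_failures(text: str) -> List[AcmeFailure]:
    """Collect every http.acme_client entry that carries an ACME problem document."""
    failures = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or "{" not in raw:
            continue
        entry = parse_caddy_line(raw)
        if entry.get("logger") != "http.acme_client" or "problem" not in entry:
            continue
        problem = entry["problem"]
        order = entry.get("order")
        failures.append(AcmeFailure(
            identifier=entry.get("identifier", "?"),
            challenge_type=entry.get("challenge_type"),
            error_type=problem.get("type", ""),
            detail=problem.get("detail", ""),
            validation_ip=leading_ip(problem.get("detail", "")),
            staging=None if order is None else STAGING_MARKER in order,
        ))
    return failures


def triage(failures: List[AcmeFailure]) -> List[str]:
    """Turn parsed failures into the checks a defender should run next."""
    notes = []
    for f in failures:
        if f.error_type.endswith(":connection"):
            notes.append(f"{f.identifier}: CA could not connect to {f.validation_ip}; "
                         "verify routing, firewall and any proxy in front of port 443")
        if f.staging:
            notes.append(f"{f.identifier}: order was placed with the staging CA; "
                         "no production certificate results from it")
    return notes


def probe_tls_alpn(host: str, ip: str, port: int = 443, timeout: float = 5.0) -> Optional[str]:
    """Hypothetical live check (requires network): connect to ip:port and start a TLS
    handshake offering ALPN 'acme-tls/1' with SNI=host, as an ACME validator does.
    Returns the negotiated protocol ('acme-tls/1' only while a challenge is pending),
    None if the server declined ALPN, and raises OSError if the address is unreachable,
    which is the client-side view of 'Error getting validation data'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # the challenge certificate is self-signed by design
    ctx.set_alpn_protocols(["acme-tls/1"])
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.selected_alpn_protocol()


if __name__ == "__main__":
    for note in triage(extract_failures(SAMPLE_LOG)):
        print(note)
```

Running it on the quoted log prints a connection-failure note for 217.160.224.25 and a note that the second entry belongs to a staging order, which is the same conclusion the replies reach: look at what sits between the Internet and port 443 at that IP first, and confirm the retry is made against the production directory.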

Hey, sorry, I was out of office for a couple of days.

Yeah, I tried to debug, but this is what I got:

Any ideas?

Hi @naseweis,

It seems there is a routing issue to the IPv4 address of nextcloud.naseweis.io,
as shown here too: Permanent link to this check report

I would check the local router's routing and contact the ISP as to what the routing is and whether they can fix it or make suggestions.


Supplemental information: the Let's Encrypt community thread is here:
