Can't obtain certificate on custom port http-01

1. Caddy version (caddy version):

2.2

2. How I run Caddy:

a. System environment:

Docker

c. Service/unit/compose file:

services:
  caddy:
    deploy:
      resources:
        limits:
          cpus: "1.5"
          memory: "2G"
      placement:
        constraints:
        - node.hostname == stag-manager-1
    image: caddy:2.2.0
    ports:
      - 9080:9080
      - 9443:9443
    volumes:
      - ./monitor/caddy/data:/data
      - ./monitor/caddy/Caddyfile:/etc/caddy/Caddyfile

d. My complete Caddyfile or JSON config:

{
  http_port   9080
  https_port  9443
}

stage-prom.rentu.ru {
  log {
    level WARN
  }

  reverse_proxy /metrics/* prometheus:9090 {
    header_up Connection {http.request.header.Connection}
    header_up Upgrade {http.request.header.Upgrade}
    header_up X-Forwarded-Proto {http.request.scheme}
  }
}

3. The problem I’m having:

Certificates aren’t obtained.

4. Error messages and/or full log output:

{"level":"error","ts":1601444161.4897149,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"stage-prom.rentu.ru","challenge_type":"http-01","status_code":400,"problem_type":"urn:ietf:params:acme:error:tls","error":"Fetching https://stage-prom.rentu.ru/.well-known/acme-challenge/IDJ9kbAhr42l4q59cgSKsTS0wlOwgcFM3cqrxmtVoMs: remote error: tls: internal error"}

Let’s Encrypt will only attempt to connect to your server on port 80 for the HTTP challenge, and port 443 for the ALPN challenge.

If you can’t make your server accessible on either of these ports, you’ll need to use the DNS challenge, which requires adding a plugin for your DNS provider (you can do this with the builder Docker image variant, see the docs on Docker Hub) and configuring Caddy to use that DNS plugin. There are more instructions here:

This is all explained in the docs here:

FYI, all of these lines are redundant and unnecessary. Caddy already passes through the headers on its own.

    header_up Connection {http.request.header.Connection}
    header_up Upgrade {http.request.header.Upgrade}
    header_up X-Forwarded-Proto {http.request.scheme}
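As an added example (not from the thread), here is the compose `ports:` mapping that keeps Caddy listening on 9080/9443 inside the container while still letting Let’s Encrypt reach it on 80 and 443; the `http_port`/`https_port` global options in the Caddyfile stay exactly as posted. It assumes nothing else on the host already binds ports 80 and 443.

```yaml
# Added example: compose port mapping for a Caddy container that uses
# http_port 9080 / https_port 9443 internally (Caddyfile unchanged).
#
# Mapping from the original post. Only host ports 9080 and 9443 are
# published, so the ACME server, which always connects to port 80 for
# HTTP-01 and port 443 for TLS-ALPN-01, never reaches Caddy:
#
#    ports:
#      - 9080:9080
#      - 9443:9443
#
# Corrected mapping. Host ports 80 and 443 are published and forwarded to
# the container's 9080 and 9443. Quoted on purpose: unquoted host:container
# pairs can be parsed as base-60 numbers by some YAML loaders.
services:
  caddy:
    image: caddy:2.2.0
    ports:
      - "80:9080"    # HTTP-01 challenge, plus Caddy's HTTP->HTTPS redirect
      - "443:9443"   # TLS-ALPN-01 challenge and normal HTTPS traffic
    volumes:
      - ./monitor/caddy/data:/data
      - ./monitor/caddy/Caddyfile:/etc/caddy/Caddyfile
```

If the host cannot give up 80/443 (another service owns them), the equivalent is a host-level forward of 80 to 9080 and 443 to 9443 in the firewall or NAT in front of the node, which is the forwarding the reply above refers to.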

Thanks for your answer. Previously I’ve successfully received a certificate by HTTP challenge on port 8080 :face_with_monocle: That works on Caddy 2.1.
But never mind… if these are new rules it’s ok))

That works on Caddy 2.1.
But never mind… if these are new rules it’s ok))

The rules aren’t new. The ACME spec has always required port 80. Make sure you’re forwarding it to 9080 properly.
