1. The problem I’m having:
Certificates are not renewing. DNS is correct and OPNsense port forwarding is working as it should. This is a separate server, not Caddy through the OPNsense plugin. This started sometime after December 1, 2025. I can’t find that I changed anything. None of the certificates handled by Caddy are working, though.
2. Error messages and/or full log output:
```
{"level":"error","ts":1772473992.7207577,"msg":"validating authorization","identifier":"sub.domain.com","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"During secondary validation: xxx.xxx.xxx.xxxx: Connection refused","instance":"","subproblems":null},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/127331964/33643712463","attempt":2,"max_attempts":3,"stacktrace":"github.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.1.2/client.go:152\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.24.0/acmeissuer.go:489\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.24.0/acmeissuer.go:382\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.10.2/modules/caddytls/acmeissuer.go:288\ngithub.com/caddyserver/certmagic.(*Config).renewCert.func2\n\tgithub.com/caddyserver/certmagic@v0.24.0/config.go:906\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.24.0/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).renewCert\n\tgithub.com/caddyserver/certmagic@v0.24.0/config.go:982\ngithub.com/caddyserver/certmagic.(*Config).RenewCertAsync\n\tgithub.com/caddyserver/certmagic@v0.24.0/config.go:768\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func2\n\tgithub.com/caddyserver/certmagic@v0.24.0/config.go:469\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.24.0/async.go:73"}
{"level":"error","ts":1772473992.7208936,"logger":"tls.renew","msg":"could not get certificate from issuer","identifier":"sub.domain.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:connection - During secondary validation: xxx.xxx.xxx.xxxx: Connection refused"}
{"level":"debug","ts":1772473992.720947,"logger":"events","msg":"event","name":"cert_failed","id":"cfe3c7bf-2bcc-494e-809b-2553c33d7d71","origin":"tls","data":{"error":{},"identifier":"sub.domain.com","issuers":["acme-v02.api.letsencrypt.org-directory"],"remaining":-102230125211555,"renewal":true}}
{"level":"error","ts":1772473992.7210386,"logger":"tls.renew","msg":"will retry","error":"[sub.domain.com] Renew: [sub.domain.com] solving challenge: sub.domain.com: [sub.domain.com] authorization failed: HTTP 400 urn:ietf:params:acme:error:connection - During secondary validation: xxx.xxx.xxx.xxxx: Connection refused (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":4,"retrying_in":300,"elapsed":313.304828025,"max_duration":2592000}
{"level":"debug","ts":1772474000.6247568,"logger":"events","msg":"event","name":"tls_get_certificate","id":"a19a97fd-c34d-49ec-bef8-b749cf344f2d","origin":"tls","data":{"client_hello":{"CipherSuites":[4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"sub.domain.com","SupportedCurves":[29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"RemoteAddr":{"IP":"50.4.40.70","Port":56874,"Zone":""},"LocalAddr":{"IP":"192.168.3.37","Port":443,"Zone":""}}}}
{"level":"debug","ts":1772474000.6249456,"logger":"tls.handshake","msg":"choosing certificate","identifier":"sub.domain.com","num_choices":1}
{"level":"debug","ts":1772474000.6249743,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"sub.domain.com","subjects":["sub.domain.com"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"caa92ad923190a93545e1bc42b7f36367b6fed706b67afb6af1ba7a323d1cc91"}
```
3. Caddy version:
v2.10.2 h1:g/gTYjGMD0dec+UgMw8SnfmJ3I9+M2TdvoRL/Ovu6U8=
4. How I installed and ran Caddy:
apt install caddy
a. System environment:
ubuntu 22.04 lts
b. Command:
systemd enabled
c. Service/unit/compose file:
d. My complete Caddy config:
```
{
	debug
	log {
		output file /var/log/caddy/caddy.log
	}
}

prox.domain.com {
	# Set this path to your site's directory.
	root * /usr/share/caddy

	# Enable the static file server.
	file_server

	# Another common task is to set up a reverse proxy:
	# reverse_proxy localhost:8080

	# Or serve a PHP site through php-fpm:
	# php_fastcgi localhost:9000
}

docs.domain.com {
	reverse_proxy localhost:8080
}

files.domain.com {
	header Strict-Transport-Security max-age=31536000
	redir /.well-known/carddav /remote.php/dav 301
	redir /.well-known/caldav /remote.php/dav 301
	reverse_proxy files.shafertech.site:8080
	log {
		output file /var/log/caddy/nextcloud.log
	}
}

:8801 {
	reverse_proxy localhost:8000
}

n8n.domain.com {
	reverse_proxy localhost:5678 {
		flush_interval -1
	}
}

server1.domain.com {
	reverse_proxy 192.168.3.29:8080
	log {
		output file /var/log/caddy/galyon.log
	}
}
```
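When a Caddy log fills up with `tls.renew` retries like the ones above, it helps to pull the ACME error type and the "secondary validation" marker out of each line rather than reading raw JSON. The script below is an added example written for this thread, not the poster's code and not part of Caddy; it parses Caddy-style JSON log lines (constructed sample lines with placeholder names and documentation IPs, modelled on the format shown in the post), groups renewal failures per identifier, notes whether the failure came from the CA's secondary vantage points, and records which ACME directory the retry was issued against. The `HINTS` text is the author's reading of the standard ACME error types, not output from Caddy or Let's Encrypt.

```python
import json
import re
from collections import defaultdict

# Constructed sample log, modelled on Caddy's JSON log format.  Not the
# poster's actual log: names, IPs and error strings are placeholders.
SAMPLE_LOG = r'''
{"level":"error","ts":1772473992.72,"logger":"tls.renew","msg":"could not get certificate from issuer","identifier":"sub.example.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:connection - During secondary validation: 203.0.113.10: Connection refused"}
{"level":"error","ts":1772473992.72,"logger":"tls.renew","msg":"will retry","error":"[sub.example.com] Renew: [sub.example.com] solving challenge: sub.example.com: [sub.example.com] authorization failed: HTTP 400 urn:ietf:params:acme:error:connection - During secondary validation: 203.0.113.10: Connection refused (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":4,"retrying_in":300,"elapsed":313.3,"max_duration":2592000}
{"level":"debug","ts":1772474000.62,"logger":"tls.handshake","msg":"choosing certificate","identifier":"sub.example.com","num_choices":1}
{"level":"error","ts":1772474300.0,"logger":"tls.renew","msg":"could not get certificate from issuer","identifier":"other.example.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:unauthorized - Invalid response from http://other.example.com/.well-known/acme-challenge/abc: 404"}
'''

# ACME error types are URNs of the form urn:ietf:params:acme:error:<type> (RFC 8555).
ACME_ERR_RE = re.compile(r"urn:ietf:params:acme:error:([a-zA-Z]+)")
# certmagic appends "(ca=<directory URL>)" to retry messages.
CA_RE = re.compile(r"\(ca=(https?://[^\s)]+)\)")
# certmagic retry messages carry the identifier in leading square brackets.
IDENT_RE = re.compile(r"^\[([^\]]+)\]")

# Author's explanations of the error types that matter for this kind of failure.
HINTS = {
    "connection": ("the CA's validator could not open a TCP connection to the IP named in "
                   "the message; the challenge port (80 for HTTP-01, 443 for TLS-ALPN-01) "
                   "must be reachable from the public internet, not only from the LAN"),
    "unauthorized": ("the CA reached the host but got the wrong answer; check that the "
                     "challenge request actually lands on this Caddy instance"),
}


def parse_caddy_log(text):
    """Parse Caddy JSON log lines; blank or non-JSON lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def acme_error_type(message):
    """Return the ACME error type ('connection', 'unauthorized', ...) or None."""
    m = ACME_ERR_RE.search(message or "")
    return m.group(1) if m else None


def identifier_of(rec):
    """Identifier from the record field, falling back to the bracketed name in 'error'."""
    if rec.get("identifier"):
        return rec["identifier"]
    m = IDENT_RE.match(rec.get("error", ""))
    return m.group(1) if m else None


def summarize_renewal_failures(records):
    """Group tls.renew error records per identifier."""
    summary = defaultdict(lambda: {"error_types": set(), "secondary_validation": False,
                                   "max_attempt": 0, "cas": set()})
    for rec in records:
        if rec.get("logger") != "tls.renew" or rec.get("level") != "error":
            continue
        ident = identifier_of(rec)
        if not ident:
            continue
        entry = summary[ident]
        err = rec.get("error", "")
        err_type = acme_error_type(err)
        if err_type:
            entry["error_types"].add(err_type)
        # Let's Encrypt validates from several vantage points; this marker means
        # a remote one failed, which points at reachability rather than config.
        if "During secondary validation" in err:
            entry["secondary_validation"] = True
        entry["max_attempt"] = max(entry["max_attempt"], rec.get("attempt", 0))
        ca = CA_RE.search(err)
        if ca:
            entry["cas"].add(ca.group(1))
    return dict(summary)


def diagnose(summary):
    """Turn the summary into one human-readable line per identifier."""
    lines = []
    for ident, entry in sorted(summary.items()):
        types = ", ".join(sorted(entry["error_types"])) or "unknown"
        where = "secondary validation" if entry["secondary_validation"] else "primary validation"
        hints = "; ".join(HINTS[t] for t in sorted(entry["error_types"]) if t in HINTS)
        lines.append(f"{ident}: {types} during {where}, attempts={entry['max_attempt']}, "
                     f"ca={sorted(entry['cas']) or ['n/a']} -> {hints or 'no hint'}")
    return lines


if __name__ == "__main__":
    for line in diagnose(summarize_renewal_failures(parse_caddy_log(SAMPLE_LOG))):
        print(line)
```

Point it at the real file with `parse_caddy_log(open("/var/log/caddy/caddy.log").read())`. A `connection` error flagged as secondary validation, as in the post, means at least one of the CA's remote validators never got a TCP connection: the check to run next is whether port 80 on the public IP answers from outside the network, not just from the LAN.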