Challenge failed on reverse proxy

1. The problem I’m having:

I’m trying to use a reverse proxy quick start with a website that’s using TLS. It’s a squarespace domain.

curl -v 192.168.1.210:5000
VERBOSE: GET http://192.168.1.210:5000/ with 0-byte payload
VERBOSE: received 20753-byte response of content type text/html


StatusCode        : 200
StatusDescription : OK
Content           : <!DOCTYPE html><html lang="en"><head><link rel="preconnect" href="https://fonts.gstatic.com"
                    crossorigin="">
                        <script type='text/javascript'>window["baseHref"] = '/ombi';</script>
                        <base href=...
RawContent        : HTTP/1.1 200 OK
                    Accept-Ranges: bytes
                    Content-Length: 20753
                    Content-Type: text/html
                    Date: Sat, 02 Dec 2023 02:27:20 GMT
                    ETag: "1da24be183ee491"
                    Last-Modified: Sat, 02 Dec 2023 01:23:03 GMT
                    Serve...
Forms             : {}
Headers           : {[Accept-Ranges, bytes], [Content-Length, 20753], [Content-Type, text/html], [Date, Sat, 02 Dec 2023 02:27:20 GMT]...}
Images            : {}
InputFields       : {}
Links             : {}
ParsedHtml        : System.__ComObject
RawContentLength  : 20753

2. Error messages and/or full log output:

caddy run
2023/12/02 03:37:09.293 INFO   using adjacent Caddyfile
2023/12/02 03:37:09.325 INFO   admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2023/12/02 03:37:09.329 INFO   tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc00036bf80"}
2023/12/02 03:37:09.330 INFO   http.auto_https server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2023/12/02 03:37:09.332 INFO   http.auto_https enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2023/12/02 03:37:09.334 INFO   tls     cleaning storage unit   {"description": "FileStorage:C:\\Users\\Living Room PC\\AppData\\Roaming\\Caddy"}
2023/12/02 03:37:09.336 INFO   tls     finished cleaning storage units
2023/12/02 03:37:09.337 INFO   http.log        server running  {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2023/12/02 03:37:09.338 INFO   http    enabling HTTP/3 listener        {"addr": ":443"}
2023/12/02 03:37:09.341 INFO   http.log        server running  {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2023/12/02 03:37:09.341 INFO   http    enabling automatic TLS certificate management   {"domains": ["asgardrequest.net"]}
2023/12/02 03:37:09.343 INFO   autosaved config (load with --resume flag)      {"file": "C:\\Users\\Living Room PC\\AppData\\Roaming\\Caddy\\autosave.json"}
2023/12/02 03:37:09.343 INFO   serving initial configuration
2023/12/02 03:37:09.354 INFO   tls.obtain      acquiring lock  {"identifier": "asgardrequest.net"}
2023/12/02 03:37:09.355 INFO   [INFO][FileStorage:C:\Users\Living Room PC\AppData\Roaming\Caddy] Lock for 'issue_cert_asgardrequest.net' is stale (created: 2023-12-01 22:26:51.7554567 -0500 EST, last update: 2023-12-01 22:29:27.1304084 -0500 EST); removing then retrying: C:\Users\Living Room PC\AppData\Roaming\Caddy\locks\issue_cert_asgardrequest.net.lock
2023/12/02 03:37:09.362 INFO   tls.obtain      lock acquired   {"identifier": "asgardrequest.net"}
2023/12/02 03:37:09.362 INFO   tls.obtain      obtaining certificate   {"identifier": "asgardrequest.net"}
2023/12/02 03:37:09.371 INFO   http    waiting on internal rate limiter        {"identifiers": ["asgardrequest.net"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2023/12/02 03:37:09.371 INFO   http    done waiting on internal rate limiter   {"identifiers": ["asgardrequest.net"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2023/12/02 03:37:09.914 INFO   http.acme_client        trying to solve challenge       {"identifier": "asgardrequest.net", "challenge_type": "tls-alpn-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2023/12/02 03:37:10.318 ERROR  http.acme_client        challenge failed        {"identifier": "asgardrequest.net", "challenge_type": "tls-alpn-01", "problem": {"type": "urn:ietf:params:acme:error:unauthorized", "title": "", "detail": "Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge", "instance": "", "subproblems": []}}
2023/12/02 03:37:10.318 ERROR  http.acme_client        validating authorization        {"identifier": "asgardrequest.net", "problem": {"type": "urn:ietf:params:acme:error:unauthorized", "title": "", "detail": "Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/1444013296/226263692176", "attempt": 1, "max_attempts": 3}
2023/12/02 03:37:11.660 INFO   http.acme_client        trying to solve challenge       {"identifier": "asgardrequest.net", "challenge_type": "http-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2023/12/02 03:37:12.031 ERROR  http.acme_client        challenge failed        {"identifier": "asgardrequest.net", "challenge_type": "http-01", "problem": {"type": "urn:ietf:params:acme:error:unauthorized", "title": "", "detail": "2606:4700:3036::6815:316b: Invalid response from http://asgardrequest.net/.well-known/acme-challenge/LWbipj2bBLmRpV-94uifhD87ok7gnFkfkJeYWV0hwYc: 404", "instance": "", "subproblems": []}}
2023/12/02 03:37:12.031 ERROR  http.acme_client        validating authorization        {"identifier": "asgardrequest.net", "problem": {"type": "urn:ietf:params:acme:error:unauthorized", "title": "", "detail": "2606:4700:3036::6815:316b: Invalid response from http://asgardrequest.net/.well-known/acme-challenge/LWbipj2bBLmRpV-94uifhD87ok7gnFkfkJeYWV0hwYc: 404", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/1444013296/226263697716", "attempt": 2, "max_attempts": 3}
2023/12/02 03:37:12.040 ERROR  tls.obtain      could not get certificate from issuer   {"identifier": "asgardrequest.net", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 403 urn:ietf:params:acme:error:unauthorized - 2606:4700:3036::6815:316b: Invalid response from http://asgardrequest.net/.well-known/acme-challenge/LWbipj2bBLmRpV-94uifhD87ok7gnFkfkJeYWV0hwYc: 404"}
2023/12/02 03:37:12.040 WARN   http    missing email address for ZeroSSL; it is strongly recommended to set one for next time
2023/12/02 03:37:12.747 INFO   http    generated EAB credentials       {"key_id": "Fn3GQnfE_tVMyd0HjU9czg"}
2023/12/02 03:37:12.872 ERROR  tls.obtain      could not get certificate from issuer   {"identifier": "asgardrequest.net", "issuer": "acme.zerossl.com-v2-DV90", "error": "registering account [mailto:caddy@zerossl.com] with server: fetching new nonce from server: HTTP 504: "}
2023/12/02 03:37:12.899 ERROR  tls.obtain      will retry      {"error": "[asgardrequest.net] Obtain: registering account [mailto:caddy@zerossl.com] with server: fetching new nonce from server: HTTP 504: ", "attempt": 1, "retrying_in": 60, "elapsed": 3.5365005, "max_duration": 2592000}
2023/12/02 03:38:12.907 INFO   tls.obtain      obtaining certificate   {"identifier": "asgardrequest.net"}
2023/12/02 03:38:13.487 INFO   http.acme_client        trying to solve challenge       {"identifier": "asgardrequest.net", "challenge_type": "http-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"}
2023/12/02 03:38:13.912 ERROR  http.acme_client        challenge failed        {"identifier": "asgardrequest.net", "challenge_type": "http-01", "problem": {"type": "urn:ietf:params:acme:error:unauthorized", "title": "", "detail": "2606:4700:3031::ac43:bdc0: Invalid response from http://asgardrequest.net/.well-known/acme-challenge/kLHEZvxsliALEfPirGKhi3QVMb5ZyaMVi8Xi1uDkOPI: 404", "instance": "", "subproblems": []}}
2023/12/02 03:38:13.912 ERROR  http.acme_client        validating authorization        {"identifier": "asgardrequest.net", "problem": {"type": "urn:ietf:params:acme:error:unauthorized", "title": "", "detail": "2606:4700:3031::ac43:bdc0: Invalid response from http://asgardrequest.net/.well-known/acme-challenge/kLHEZvxsliALEfPirGKhi3QVMb5ZyaMVi8Xi1uDkOPI: 404", "instance": "", "subproblems": []}, "order": "https://acme-staging-v02.api.letsencrypt.org/acme/order/127495914/12686374444", "attempt": 1, "max_attempts": 3}
2023/12/02 03:38:15.125 INFO   http.acme_client        trying to solve challenge       {"identifier": "asgardrequest.net", "challenge_type": "tls-alpn-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"}
2023/12/02 03:38:15.553 ERROR  http.acme_client        challenge failed        {"identifier": "asgardrequest.net", "challenge_type": "tls-alpn-01", "problem": {"type": "urn:ietf:params:acme:error:unauthorized", "title": "", "detail": "Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge", "instance": "", "subproblems": []}}
2023/12/02 03:38:15.553 ERROR  http.acme_client        validating authorization        {"identifier": "asgardrequest.net", "problem": {"type": "urn:ietf:params:acme:error:unauthorized", "title": "", "detail": "Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge", "instance": "", "subproblems": []}, "order": "https://acme-staging-v02.api.letsencrypt.org/acme/order/127495914/12686375314", "attempt": 2, "max_attempts": 3}
2023/12/02 03:38:15.554 ERROR  tls.obtain      could not get certificate from issuer   {"identifier": "asgardrequest.net", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 403 urn:ietf:params:acme:error:unauthorized - Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge"}
2023/12/02 03:38:15.577 ERROR  tls.obtain      could not get certificate from issuer   {"identifier": "asgardrequest.net", "issuer": "acme.zerossl.com-v2-DV90", "error": "registering account [] with server: fetching new nonce from server: HTTP 504: "}
2023/12/02 03:38:15.578 ERROR  tls.obtain      will retry      {"error": "[asgardrequest.net] Obtain: registering account [] with server: fetching new nonce from server: HTTP 504: ", "attempt": 2, "retrying_in": 120, "elapsed": 66.2154689, "max_duration": 2592000}
2023/12/02 03:40:15.580 INFO   tls.obtain      obtaining certificate   {"identifier": "asgardrequest.net"}
2023/12/02 03:40:15.861 INFO   http.acme_client        trying to solve challenge       {"identifier": "asgardrequest.net", "challenge_type": "http-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"}
2023/12/02 03:40:16.295 ERROR  http.acme_client        challenge failed        {"identifier": "asgardrequest.net", "challenge_type": "http-01", "problem": {"type": "urn:ietf:params:acme:error:unauthorized", "title": "", "detail": "2606:4700:3036::6815:316b: Invalid response from http://asgardrequest.net/.well-known/acme-challenge/huSVWkT2bTOle1FNDBmIcXT22b7Qb_wCwd9KfynEwgw: \"<!DOCTYPE html><html lang=\\\"en\\\"><head><link rel=\\\"preconnect\\\" href=\\\"https://fonts.gstatic.com\\\" crossorigin=\\\"\\\">  \\n    <script type=\"", "instance": "", "subproblems": []}}
2023/12/02 03:40:16.295 ERROR  http.acme_client        validating authorization        {"identifier": "asgardrequest.net", "problem": {"type": "urn:ietf:params:acme:error:unauthorized", "title": "", "detail": "2606:4700:3036::6815:316b: Invalid response from http://asgardrequest.net/.well-known/acme-challenge/huSVWkT2bTOle1FNDBmIcXT22b7Qb_wCwd9KfynEwgw: \"<!DOCTYPE html><html lang=\\\"en\\\"><head><link rel=\\\"preconnect\\\" href=\\\"https://fonts.gstatic.com\\\" crossorigin=\\\"\\\">  \\n    <script type=\"", "instance": "", "subproblems": []}, "order": "https://acme-staging-v02.api.letsencrypt.org/acme/order/127495914/12686418704", "attempt": 1, "max_attempts": 3}
2023/12/02 03:40:17.491 INFO   http.acme_client        trying to solve challenge       {"identifier": "asgardrequest.net", "challenge_type": "tls-alpn-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"}
2023/12/02 03:40:17.918 ERROR  http.acme_client        challenge failed        {"identifier": "asgardrequest.net", "challenge_type": "tls-alpn-01", "problem": {"type": "urn:ietf:params:acme:error:unauthorized", "title": "", "detail": "Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge", "instance": "", "subproblems": []}}
2023/12/02 03:40:17.918 ERROR  http.acme_client        validating authorization        {"identifier": "asgardrequest.net", "problem": {"type": "urn:ietf:params:acme:error:unauthorized", "title": "", "detail": "Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge", "instance": "", "subproblems": []}, "order": "https://acme-staging-v02.api.letsencrypt.org/acme/order/127495914/12686419304", "attempt": 2, "max_attempts": 3}
2023/12/02 03:40:17.925 ERROR  tls.obtain      could not get certificate from issuer   {"identifier": "asgardrequest.net", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 403 urn:ietf:params:acme:error:unauthorized - Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge"}
2023/12/02 03:41:35.508 WARN   http.acme_client        HTTP request failed; retrying   {"url": "https://acme.zerossl.com/v2/DV90/newOrder", "error": "performing request: Post \"https://acme.zerossl.com/v2/DV90/newOrder\": context deadline exceeded (Client.Timeout exceeded while awaiting headers)"}

3. Caddy version: caddy.Version=v2.7.5 h1:HoysvZkLcN2xJExEepaFHK92Qgs7xAiCFydN5x5Hs6Q=

4. How I installed and ran Caddy: Installed it through Chocolatey: choco install caddy

a. System environment:

Windows 10 (I know, I’m sorry)

b. Command:

caddy run

c. Service/unit/compose file:

d. My complete Caddy config:

# The Caddyfile is an easy way to configure your Caddy web server.
#
# Unless the file starts with a global options block, the first
# uncommented line is always the address of your site.
#
# To use your own domain name (with automatic HTTPS), first make
# sure your domain's A/AAAA DNS records are properly pointed to
# this machine's public IP, then replace ":80" below with your
# domain name.

https://asgardrequest.net {
	reverse_proxy localhost:5000
}

# Refer to the Caddy docs for more information:
# https://caddyserver.com/docs/caddyfile

5. Links to relevant resources:

Are your domain’s DNS records pointing to your Caddy server? They must be if you want automatic TLS issuance, because ACME issuers will try to connect on ports 80 and 443 to validate that you control the domain.

Making a request to https://asgardrequest.net, I’m seeing Server: Squarespace in the response headers, which tells me the domain is pointing to Squarespace servers, and not to your Caddy server.
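The two checks this reply describes (where the domain's A/AAAA records actually send validators, and what the validator got back when it connected there) can be done offline against the log already posted. The script below is an added example, not code from the thread or from the Caddy project: it parses Caddy's console log lines, pulls out each failed ACME challenge with the address the validator reached, and compares the domain's DNS answers with the addresses Caddy is reachable on. The sample log lines are constructed from the output above (shortened), 203.0.113.10 is a placeholder for the Caddy host's public address, and all function names are this example's own.

```python
"""Offline diagnosis of a failed ACME challenge from Caddy's console log.

Added example, not from the thread or the Caddy project. Inputs are
constructed from the thread; function names are this example's own.
"""
import json
import re
from ipaddress import ip_address

# Windows consoles render ANSI colour escapes as "<-[34m"; strip either form.
_ANSI = re.compile(r"(?:\x1b|\u2190)\[[0-9;]*m")
# "<date> <time> <LEVEL> <logger> <message> <optional JSON fields>"
_LINE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<level>[A-Z]+)\s+(?P<logger>\S+)\s+"
    r"(?P<msg>.*?)\s*(?P<fields>\{.*\})?$"
)
# http-01 failure details begin with the address the validator connected to.
_ADDR_PREFIX = re.compile(r"^([0-9a-fA-F:.]+): ")


def parse_caddy_line(line):
    """Split one console log line into ts/level/logger/msg plus parsed fields."""
    m = _LINE.match(_ANSI.sub("", line).strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = json.loads(rec["fields"]) if rec["fields"] else {}
    return rec


def acme_failures(lines):
    """Return (challenge_type, validator_address_or_None, detail) per failure."""
    out = []
    for line in lines:
        rec = parse_caddy_line(line)
        if not rec or rec["msg"] != "challenge failed":
            continue
        f = rec["fields"]
        detail = f["problem"]["detail"]
        m = _ADDR_PREFIX.match(detail)
        out.append((f["challenge_type"], m.group(1) if m else None, detail))
    return out


def explain(challenge_type, detail):
    """Say what the validator's error implies about the host that answered."""
    if "acme-tls/1" in detail:
        return ("tls-alpn-01: whatever answered on :443 did not offer the "
                "acme-tls/1 ALPN, so it was not this Caddy")
    if detail.endswith(": 404") or "<!DOCTYPE" in detail:
        return ("http-01: whatever answered on :80 did not serve Caddy's token "
                "(a 404 or an HTML page came back instead)")
    return f"{challenge_type}: {detail}"


def diagnose(domain_addrs, caddy_public_addrs, server_header=None):
    """Compare where DNS sends validators with where Caddy is reachable."""
    dom = {ip_address(a) for a in domain_addrs}
    mine = {ip_address(a) for a in caddy_public_addrs}
    if dom and dom <= mine:
        return "ok: every A/AAAA record points at this Caddy host"
    elsewhere = ", ".join(sorted(str(a) for a in dom - mine))
    hint = f" (Server: {server_header})" if server_header else ""
    return (f"misdirected: DNS sends validators to {elsewhere}{hint}; "
            "Caddy never sees the challenge")


# Constructed from the thread's log: one tls-alpn-01 and one http-01 failure.
SAMPLE_LOG = r"""
2023/12/02 03:37:09.341 ←[34mINFO←[0m   http    enabling automatic TLS certificate management   {"domains": ["asgardrequest.net"]}
2023/12/02 03:37:10.318 ←[31mERROR←[0m  http.acme_client        challenge failed        {"identifier": "asgardrequest.net", "challenge_type": "tls-alpn-01", "problem": {"type": "urn:ietf:params:acme:error:unauthorized", "title": "", "detail": "Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge", "instance": "", "subproblems": []}}
2023/12/02 03:37:12.031 ←[31mERROR←[0m  http.acme_client        challenge failed        {"identifier": "asgardrequest.net", "challenge_type": "http-01", "problem": {"type": "urn:ietf:params:acme:error:unauthorized", "title": "", "detail": "2606:4700:3036::6815:316b: Invalid response from http://asgardrequest.net/.well-known/acme-challenge/LWbipj2bBLmRpV-94uifhD87ok7gnFkfkJeYWV0hwYc: 404", "instance": "", "subproblems": []}}
"""

if __name__ == "__main__":
    for ctype, addr, detail in acme_failures(SAMPLE_LOG.splitlines()):
        print(f"{ctype} via {addr}: {explain(ctype, detail)}")
    # 203.0.113.10 is a placeholder for the Caddy host's public address.
    print(diagnose(["2606:4700:3036::6815:316b"], ["203.0.113.10"], "Squarespace"))
```

The useful signal is the address at the front of the http-01 detail: it is where the validator went after resolving the name, so if it is not the Caddy host's public address, no Caddyfile change will help until the A/AAAA records are moved. The same goes for the tls-alpn-01 error: Caddy solves that challenge itself on :443, so a peer that cannot negotiate acme-tls/1 is not this Caddy.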
