Cloudflare Wildcard Subdomain issue (Docker)

1. Caddy version (caddy version):

v2.4.0-beta.1 h1:Ed/tIaN3p6z8M3pEiXWJL/T8JmCqV62FrSJCHKquW/I=

2. How I run Caddy:

a. System environment:

  • OS: Raspbian GNU/Linux 10 (buster)

  • Caddy running inside a docker container.

c. Service/unit/compose file:

Dockerfile:

FROM caddy:2.3.0-builder AS builder

RUN xcaddy build \
    --with github.com/caddy-dns/cloudflare

FROM caddy:2.3.0

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

Docker Compose file:

version: "3"
services:
  caddy:
    # The name and tag I provided my built image.
    image: caddy:cloudflare
    container_name: caddy
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./caddy_data:/data
      # Mount Caddyfile
      - ./Caddyfile:/etc/caddy/Caddyfile
    environment:
      CLOUDFLARE_API_TOKEN: "API token here."
      ACME_EMAIL: "Email here."
    restart: unless-stopped

d. My complete Caddyfile or JSON config:

{
    debug
    admin off
    email {env.ACME_EMAIL}
    acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}
# Wildcard: https://github.com/caddyserver/caddy/issues/3200#issuecomment-638608401
*.net.dbren.uk, net.dbren.uk {
    tls {
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    }
    @sub {
        host app.net.dbren.uk
    }
    handle @sub {
        reverse_proxy localhost:1080
    }
}

3. The problem I’m having:

I’m trying to use Caddy in a docker container to obtain a certificate for a wildcard subdomain (ie. *.net.dbren.uk) using the DNS-01 challenge type.

The domain is managed using Cloudflare.

Running the command caddy list modules inside the container shows that the Cloudflare module is installed:

dns.providers.cloudflare

  Non-standard modules: 1

I’m providing my email address and Cloudflare API token using environment variables. Furthermore, I’m trying to get this working using the Let’s Encrypt staging environment before using the production endpoint.

I have checked and I’m definitely using a Cloudflare API token as instructed here with the permissions:

  • Zone / Zone / Read

  • Zone / DNS / Edit

With Zone Resources set to include the specific zone for my domain.

4. Error messages and/or full log output:

{"level":"info","ts":1615117765.0986633,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
[WARNING][caddyfile] /etc/caddy/Caddyfile:1: input is not formatted with 'caddy fmt'
{"level":"warn","ts":1615117765.1082976,"logger":"admin","msg":"admin endpoint disabled"}
{"level":"info","ts":1615117765.109268,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x309aa00"}
{"level":"info","ts":1615117765.1100245,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1615117765.1101475,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1615117765.1119108,"logger":"tls","msg":"cleaned up storage units"}
{"level":"debug","ts":1615117765.1127994,"logger":"http","msg":"starting server loop","address":"[::]:443","http3":false,"tls":true}
{"level":"debug","ts":1615117765.113149,"logger":"http","msg":"starting server loop","address":"[::]:80","http3":false,"tls":false}
{"level":"info","ts":1615117765.1132264,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["*.net.dbren.uk","net.dbren.uk"]}
{"level":"info","ts":1615117765.1167908,"logger":"tls.obtain","msg":"acquiring lock","identifier":"net.dbren.uk"}
{"level":"info","ts":1615117765.1167905,"logger":"tls.obtain","msg":"acquiring lock","identifier":"*.net.dbren.uk"}
{"level":"info","ts":1615117765.118571,"msg":"autosaved config","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1615117765.1186473,"msg":"serving initial configuration"}
{"level":"info","ts":1615117765.191888,"logger":"tls.obtain","msg":"lock acquired","identifier":"net.dbren.uk"}
{"level":"info","ts":1615117765.2382996,"logger":"tls.obtain","msg":"lock acquired","identifier":"*.net.dbren.uk"}
{"level":"debug","ts":1615117766.057885,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"GET","url":"https://acme-staging-v02.api.letsencrypt.org/directory","headers":{"User-Agent":["Caddy/2.4.0-beta.1 CertMagic acmez (linux; arm)"]},"status_code":200,"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["724"],"Content-Type":["application/json"],"Date":["Sun, 07 Mar 2021 11:49:25 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}}
{"level":"debug","ts":1615117766.2023299,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"HEAD","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.4.0-beta.1 CertMagic acmez (linux; arm)"]},"status_code":200,"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Sun, 07 Mar 2021 11:49:26 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0004vib9oEd8eH22ooo-LcmjLgZrXFmpz55_ilrHp3vT8yQ"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}}
{"level":"debug","ts":1615117766.354741,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-acct","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.0-beta.1 CertMagic acmez (linux; arm)"]},"status_code":201,"response_headers":{"Boulder-Requester":["18439568"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["323"],"Content-Type":["application/json"],"Date":["Sun, 07 Mar 2021 11:49:26 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf>;rel=\"terms-of-service\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/acct/18439568"],"Replay-Nonce":["0003cHX9YWsLpgzaSSn1mdDlh39qA5xPC9CLTeuW7X1VzlY"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}}
{"level":"debug","ts":1615117766.657894,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"HEAD","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.4.0-beta.1 CertMagic acmez (linux; arm)"]},"status_code":200,"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Sun, 07 Mar 2021 11:49:26 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0004gxDEPIixfxjFMm7Yasf2sHvuK9iubYaJ78JYy2Mbz-A"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}}
{"level":"debug","ts":1615117766.811533,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-acct","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.0-beta.1 CertMagic acmez (linux; arm)"]},"status_code":201,"response_headers":{"Boulder-Requester":["18439569"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["323"],"Content-Type":["application/json"],"Date":["Sun, 07 Mar 2021 11:49:26 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf>;rel=\"terms-of-service\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/acct/18439569"],"Replay-Nonce":["00040plzHUe-6x4C_ocoCoQ3-HYOqUNhHu-kjFvY9T5nl_Y"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}}
{"level":"info","ts":1615117766.8466969,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["net.dbren.uk"]}
{"level":"info","ts":1615117766.8469384,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["net.dbren.uk"]}
{"level":"debug","ts":1615117767.024617,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.0-beta.1 CertMagic acmez (linux; arm)"]},"status_code":201,"response_headers":{"Boulder-Requester":["18439568"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["342"],"Content-Type":["application/json"],"Date":["Sun, 07 Mar 2021 11:49:26 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/order/18439568/3847307"],"Replay-Nonce":["0004Xu0Mcm3nA9R6HxKLj3vY5ZDJfRidXldNcMyj9YKE4s0"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}}
{"level":"debug","ts":1615117767.173732,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3192508","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.0-beta.1 CertMagic acmez (linux; arm)"]},"status_code":200,"response_headers":{"Boulder-Requester":["18439568"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["805"],"Content-Type":["application/json"],"Date":["Sun, 07 Mar 2021 11:49:27 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["00044oHEQHwYrwvZO7V1fu7zXjVjizdN5eONeM4AuwYH1MI"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}}
{"level":"debug","ts":1615117767.1755733,"logger":"tls.issuance.acme.acme_client","msg":"no solver configured","challenge_type":"tls-alpn-01"}
{"level":"debug","ts":1615117767.1756752,"logger":"tls.issuance.acme.acme_client","msg":"no solver configured","challenge_type":"http-01"}
{"level":"info","ts":1615117767.1757185,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"net.dbren.uk","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"info","ts":1615117767.43741,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["*.net.dbren.uk"]}
{"level":"info","ts":1615117767.4375975,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["*.net.dbren.uk"]}
{"level":"debug","ts":1615117767.5982428,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.0-beta.1 CertMagic acmez (linux; arm)"]},"status_code":201,"response_headers":{"Boulder-Requester":["18439569"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["344"],"Content-Type":["application/json"],"Date":["Sun, 07 Mar 2021 11:49:27 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/order/18439569/3847310"],"Replay-Nonce":["0003LxG0XCJ_Rr1hKDSdP-_6J9Y7B8Hwqwa9R9oIr-suens"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}}
{"level":"debug","ts":1615117767.7458289,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3192511","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.0-beta.1 CertMagic acmez (linux; arm)"]},"status_code":200,"response_headers":{"Boulder-Requester":["18439569"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["389"],"Content-Type":["application/json"],"Date":["Sun, 07 Mar 2021 11:49:27 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0004NfyLDPLQ7KQ2g4pEtEtb9TAgtuWpzY3neBfu0ZN-_vk"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}}
{"level":"info","ts":1615117767.7466753,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"*.net.dbren.uk","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"debug","ts":1615117769.6054442,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3192508/YpvLVw","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.0-beta.1 CertMagic acmez (linux; arm)"]},"status_code":200,"response_headers":{"Boulder-Requester":["18439568"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["189"],"Content-Type":["application/json"],"Date":["Sun, 07 Mar 2021 11:49:29 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3192508>;rel=\"up\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3192508/YpvLVw"],"Replay-Nonce":["0004ehpjgF3odZBatagvV59_lAvBbwrh1sbmsiidlLPcj6I"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}}
{"level":"debug","ts":1615117769.6059616,"logger":"tls.issuance.acme.acme_client","msg":"challenge accepted","identifier":"net.dbren.uk","challenge_type":"dns-01"}
{"level":"debug","ts":1615117770.0064352,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3192508","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.0-beta.1 CertMagic acmez (linux; arm)"]},"status_code":200,"response_headers":{"Boulder-Requester":["18439568"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["549"],"Content-Type":["application/json"],"Date":["Sun, 07 Mar 2021 11:49:29 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0004Muq2xlRsDSk1IGbVdnFNLvj7htHVppNBSkS3hfHLcZE"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}}
{"level":"error","ts":1615117771.6162183,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"net.dbren.uk","challenge_type":"dns-01","status_code":403,"problem_type":"urn:ietf:params:acme:error:unauthorized","error":"No TXT record found at _acme-challenge.net.dbren.uk"}
{"level":"error","ts":1615117771.6163986,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"net.dbren.uk","error":"authorization failed: HTTP 403 urn:ietf:params:acme:error:unauthorized - No TXT record found at _acme-challenge.net.dbren.uk","order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/18439568/3847307","attempt":1,"max_attempts":3}
{"level":"debug","ts":1615117772.7376325,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3192511/xdUB7Q","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.0-beta.1 CertMagic acmez (linux; arm)"]},"status_code":200,"response_headers":{"Boulder-Requester":["18439569"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["189"],"Content-Type":["application/json"],"Date":["Sun, 07 Mar 2021 11:49:32 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3192511>;rel=\"up\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3192511/xdUB7Q"],"Replay-Nonce":["0004SpWrMNcYd2_TBK-u5i5dhwZP9xtm2pzY5gDAqkRdc1M"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}}
{"level":"debug","ts":1615117772.738071,"logger":"tls.issuance.acme.acme_client","msg":"challenge accepted","identifier":"*.net.dbren.uk","challenge_type":"dns-01"}
{"level":"debug","ts":1615117772.7844148,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.0-beta.1 CertMagic acmez (linux; arm)"]},"status_code":201,"response_headers":{"Boulder-Requester":["18439568"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["342"],"Content-Type":["application/json"],"Date":["Sun, 07 Mar 2021 11:49:32 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/order/18439568/3847376"],"Replay-Nonce":["0004i0yY-8OFzWvhQD-D5si3uGM5QCyMrB_jmdBJH5arrYI"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}}
{"level":"debug","ts":1615117772.9355478,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3192572","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.0-beta.1 CertMagic acmez (linux; arm)"]},"status_code":200,"response_headers":{"Boulder-Requester":["18439568"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["805"],"Content-Type":["application/json"],"Date":["Sun, 07 Mar 2021 11:49:32 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0003EWDnt_SVORi44Dw_XF8eFd0YZ90f_6mmaOgoUn9qSZE"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}}
{"level":"debug","ts":1615117772.9363232,"logger":"tls.issuance.acme.acme_client","msg":"no solver configured","challenge_type":"tls-alpn-01"}
{"level":"debug","ts":1615117772.9363937,"logger":"tls.issuance.acme.acme_client","msg":"no solver configured","challenge_type":"http-01"}
{"level":"debug","ts":1615117773.0875306,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3192572","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.0-beta.1 CertMagic acmez (linux; arm)"]},"status_code":200,"response_headers":{"Boulder-Requester":["18439568"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["809"],"Content-Type":["application/json"],"Date":["Sun, 07 Mar 2021 11:49:33 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0003So9ZJlgXBUL02e8MjkQ8NFpmCSGDCbqPGcjbG2EKat0"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}}
{"level":"info","ts":1615117773.0954053,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["net.dbren.uk"]}
{"level":"info","ts":1615117773.095549,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["net.dbren.uk"]}
{"level":"debug","ts":1615117773.1351142,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3192511","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.0-beta.1 CertMagic acmez (linux; arm)"]},"status_code":200,"response_headers":{"Boulder-Requester":["18439569"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["569"],"Content-Type":["application/json"],"Date":["Sun, 07 Mar 2021 11:49:33 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0003a9p8FDVJVLD5WnYX3H6EVhdpo5nkSIH9_GpzpsVhKOw"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}}
{"level":"debug","ts":1615117773.6784244,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"HEAD","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.4.0-beta.1 CertMagic acmez (linux; arm)"]},"status_code":200,"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Sun, 07 Mar 2021 11:49:33 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0004UUJH3esoYg-ldc5KtraYVYGtrI4mSmNN83lXZbMQEf8"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}}
{"level":"debug","ts":1615117773.8356457,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.0-beta.1 CertMagic acmez (linux; arm)"]},"status_code":201,"response_headers":{"Boulder-Requester":["18439569"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["342"],"Content-Type":["application/json"],"Date":["Sun, 07 Mar 2021 11:49:33 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/order/18439569/3847390"],"Replay-Nonce":["00041fbUE0vlmN-mmNCOeF2iSXBIw5YoegS7f3J-SlCKHc4"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}}
{"level":"debug","ts":1615117773.9695787,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3192583","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.0-beta.1 CertMagic acmez (linux; arm)"]},"status_code":200,"response_headers":{"Boulder-Requester":["18439569"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["805"],"Content-Type":["application/json"],"Date":["Sun, 07 Mar 2021 11:49:33 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0004pGmzChySCCQDUQj_lnIRIVJUmS-CrOEbTeLm6E6gvIk"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}}
{"level":"debug","ts":1615117773.9701407,"logger":"tls.issuance.acme.acme_client","msg":"no solver configured","challenge_type":"tls-alpn-01"}
{"level":"debug","ts":1615117773.9701996,"logger":"tls.issuance.acme.acme_client","msg":"no solver configured","challenge_type":"http-01"}
{"level":"info","ts":1615117773.9702225,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"net.dbren.uk","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1615117774.1021292,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"*.net.dbren.uk","challenge_type":"dns-01","status_code":403,"problem_type":"urn:ietf:params:acme:error:unauthorized","error":"No TXT record found at _acme-challenge.net.dbren.uk"}
{"level":"error","ts":1615117774.1023877,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"*.net.dbren.uk","error":"authorization failed: HTTP 403 urn:ietf:params:acme:error:unauthorized - No TXT record found at _acme-challenge.net.dbren.uk","order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/18439569/3847310","attempt":1,"max_attempts":3}

Cloudflare does say that the API token was used when placing my cursor over the status of the API token.

5. What I already tried:

  • Providing the Cloudflare API token and email without environment variables (placing directly into the Caddyfile). This also did not work.

  • Using the Let’s Encrypt production endpoint once. Same errors occurred. Not surprising but thought it was worth a try :frowning:

  • Increasing ACME timeout using:

tls {
    issuer acme {
        dns cloudflare token
        timeout 600s
    }
}

Is there something I have misconfigured here that somebody can spot?

One thing I did find interesting was even though I built the container image with 2.3.0 tags, the version is v2.4.0-beta.1 :thinking:

Something to do with using xcaddy?

Please let me know if any other information is needed.

Any help is greatly appreciated.

Unfortunately that’s because the latest version of the cloudflare plugin specifies v2.4.0-beta.1 as its minimum version. It was reported here:

https://github.com/caddyserver/xcaddy/issues/54#issuecomment-792057251

So, for now, please try either of these solutions:

  1. Use v2.4.0-beta.1, it should be pretty stable so you shouldn’t have any trouble - I think your build ends up having a mix of both versions so some things don’t behave correctly, I think. It might just work to properly bump up the version.
  2. Specify the older commit for the cloudflare plugin, by adding @eda8e5aa22232e9c279b0df7531f20c331b331c6 to the end of the module path.
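A build guard for the version drift discussed in this thread, as an added example that is not part of the original posts or of the Caddy project: it flags `--with` plugins that carry no `@` pin and compares the version the built binary reports with the image tag. The function names are hypothetical, and the two sample Dockerfiles are constructed from the Dockerfile in the question and the commit hash given in the reply.

```shell
#!/bin/sh
# Added example (not from the thread): guard an xcaddy image build against
# unpinned plugins and against a binary whose version differs from the tag.

# Read a Dockerfile on stdin; print each `--with` module that has no "@" pin.
# An unpinned module resolves to its latest release, whose go.mod may require
# a newer Caddy than the builder image tag suggests.
unpinned_plugins() {
    awk '
        function scan(cmd,    tok, n, i) {
            n = split(cmd, tok)
            for (i = 1; i < n; i++)
                if (tok[i] == "--with" && tok[i + 1] !~ /@/)
                    print tok[i + 1]
        }
        {
            line = $0
            more = sub(/\\[ \t]*$/, "", line)   # strip a trailing line continuation
            cmd = cmd " " line
            if (!more) { scan(cmd); cmd = "" }
        }
        END { scan(cmd) }
    '
}

# $1 = version promised by the image tag (e.g. 2.3.0)
# $2 = first line printed by `caddy version` inside the built image
version_matches_tag() {
    _ver=${2%% *}      # drop the trailing " h1:..." checksum
    _ver=${_ver#v}     # drop the leading "v"
    [ "$_ver" = "$1" ]
}

# Constructed sample: the Dockerfile as posted in the question.
dockerfile_from_post() {
cat <<'EOF'
FROM caddy:2.3.0-builder AS builder

RUN xcaddy build \
    --with github.com/caddy-dns/cloudflare

FROM caddy:2.3.0

COPY --from=builder /usr/bin/caddy /usr/bin/caddy
EOF
}

# Constructed sample: the same file with the commit pin suggested in the reply.
dockerfile_pinned() {
cat <<'EOF'
FROM caddy:2.3.0-builder AS builder

RUN xcaddy build \
    --with github.com/caddy-dns/cloudflare@eda8e5aa22232e9c279b0df7531f20c331b331c6

FROM caddy:2.3.0

COPY --from=builder /usr/bin/caddy /usr/bin/caddy
EOF
}

for sample in dockerfile_from_post dockerfile_pinned; do
    loose=$($sample | unpinned_plugins)
    echo "$sample: unpinned plugins: ${loose:-none}"
done

# Version line as reported in the question.
version_line="v2.4.0-beta.1 h1:Ed/tIaN3p6z8M3pEiXWJL/T8JmCqV62FrSJCHKquW/I="
if version_matches_tag 2.3.0 "$version_line"; then
    echo "binary matches image tag 2.3.0"
else
    echo "version drift: tag 2.3.0, binary reports ${version_line%% *}"
fi
```

In a real pipeline the second argument would come from running `caddy version` in the freshly built image, and a mismatch would fail the build before the image is deployed.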

Hi @francislavoie

Providing the old commit hash when building with the Cloudflare plugin worked!

Thanks so much! :grinning:

EDIT: Worth the 3 days of pain. Caddy is still awesome. :slightly_smiling_face:

