Could not get certificate from both letsencrypt and zerossl

1. The problem I’m having:

Based on my previous post (Dockerize Caddy with existing SSL certificate), I’ve let Caddy handle all the necessary steps to issue the certificate for my staging environment. Now, I want to apply it to production as well (it has a different domain name).

Currently, we’re using a TLS configuration that uses an email for production. As you can see in the config, we use on_demand_tls with a specific endpoint there. The issuer of our wildcard subdomain is AWS, with auto-renewal enabled. So, the endpoint is working as expected even if I put https in on_demand_tls.

With the current configuration that I attached (not the currently working one), we got an issue when getting the certificate from both Let’s Encrypt and ZeroSSL. If both failed, what else can I do to make automatic HTTPS work as expected? Especially without breaking the current setup (the current one is running on a different server; the new one is being tested as an ECS service).

2. Error messages and/or full log output:

The log is in CloudWatch format.

{"level": "info","ts": 1707713402.5923235,"msg": "using provided configuration","config_file": "/etc/caddy/Caddyfile","config_adapter": ""}
{"level": "info","ts": 1707713402.612486,"logger": "admin","msg": "admin endpoint started","address": "0.0.0.0:2020","enforce_origin": false,"origins": ["//0.0.0.0:2020"]}
{"level": "warn","ts": 1707713402.6125135,"logger": "admin","msg": "admin endpoint on open interface; host checking disabled","address": "0.0.0.0:2020"}
{"level": "info","ts": 1707713402.6157515,"logger": "caddy.storage.redis","msg": "Provision Redis simple storage using address [127.0.0.1:6379]"}
{"level": "info","ts": 1707713402.6163588,"logger": "tls.cache.maintenance","msg": "started background certificate maintenance","cache": "0xc000240080"}
{"level": "info","ts": 1707713402.6166704,"logger": "http.auto_https","msg": "server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name": "srv0","https_port": 443}
{"level": "info","ts": 1707713402.6166928,"logger": "http.auto_https","msg": "enabling automatic HTTP->HTTPS redirects","server_name": "srv0"}
{"level": "info","ts": 1707713402.6190116,"logger": "http","msg": "enabling HTTP/3 listener","addr": ":443"}
{"level": "info","ts": 1707713402.6191123,"msg": "failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
{"level": "info","ts": 1707713402.6196246,"logger": "http.log","msg": "server running","name": "srv0","protocols": ["h1","h2","h3"]}
{"level": "info","ts": 1707713402.6196887,"logger": "http.log","msg": "server running","name": "remaining_auto_https_redirects","protocols": ["h1","h2","h3"]}
{"level": "info","ts": 1707713402.619697,"logger": "http","msg": "enabling automatic TLS certificate management","domains": ["*.company-domain.id","*.ordivo.id"]}
{"level": "info","ts": 1707713402.6308644,"msg": "autosaved config (load with --resume flag)","file": "/config/caddy/autosave.json"}
{"level": "info","ts": 1707713402.6308906,"msg": "serving initial configuration"}
{"level": "warn","ts": 1707713402.6321352,"logger": "tls","msg": "storage cleaning happened too recently; skipping for now","storage": "{\"client_type\":\"simple\",\"address\":[\"127.0.0.1:6379\"],\"host\":[],\"port\":[],\"db\":0,\"timeout\":\"5\",\"username\":\"\",\"password\":\"REDACTED\",\"master_name\":\"\",\"key_prefix\":\"caddy\",\"encryption_key\":\"\",\"compression\":false,\"tls_enabled\":false,\"tls_insecure\":true,\"tls_server_certs_pem\":\"\",\"tls_server_certs_path\":\"\",\"route_by_latency\":false,\"route_randomly\":false}","instance": "ef441035-bdfb-4312-8459-d29bffa0d529","try_again": 1707799802.6321328,"try_again_in": 86399.999999488}
{"level": "info","ts": 1707713402.6326098,"logger": "tls","msg": "finished cleaning storage units"}
{"level": "info","ts": 1707713402.6363957,"logger": "tls.obtain","msg": "acquiring lock","identifier": "*.company-domain.id"}
{"level": "info","ts": 1707713402.6370473,"logger": "tls.obtain","msg": "lock acquired","identifier": "*.company-domain.id"}
{"level": "info","ts": 1707713402.6381674,"logger": "tls.obtain","msg": "obtaining certificate","identifier": "*.company-domain.id"}
{"level": "info","ts": 1707713402.6422555,"logger": "tls","msg": "waiting on internal rate limiter","identifiers": ["*.company-domain.id"],"ca": "https://acme-v02.api.letsencrypt.org/directory","account": ""}
{"level": "info","ts": 1707713402.6422963,"logger": "tls","msg": "done waiting on internal rate limiter","identifiers": ["*.company-domain.id"],"ca": "https://acme-v02.api.letsencrypt.org/directory","account": ""}
{"level": "error","ts": 1707713404.3228283,"logger": "tls.obtain","msg": "could not get certificate from issuer","identifier": "*.company-domain.id","issuer": "acme-v02.api.letsencrypt.org-directory","error": "[*.company-domain.id] solving challenges: *.company-domain.id: no solvers available for remaining challenges (configured=[tls-alpn-01 http-01] offered=[dns-01] remaining=[dns-01]) (order=https://acme-v02.api.letsencrypt.org/acme/order/1561474067/243795882457) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
{"level": "info","ts": 1707713404.3278944,"logger": "tls","msg": "waiting on internal rate limiter","identifiers": ["*.company-domain.id"],"ca": "https://acme.zerossl.com/v2/DV90","account": "caddy@zerossl.com"}
{"level": "info","ts": 1707713404.3279233,"logger": "tls","msg": "done waiting on internal rate limiter","identifiers": ["*.company-domain.id"],"ca": "https://acme.zerossl.com/v2/DV90","account": "caddy@zerossl.com"}
{"level": "error","ts": 1707713433.9811187,"logger": "tls.obtain","msg": "could not get certificate from issuer","identifier": "*.company-domain.id","issuer": "acme.zerossl.com-v2-DV90","error": "[*.company-domain.id] solving challenges: *.company-domain.id: no solvers available for remaining challenges (configured=[http-01 tls-alpn-01] offered=[dns-01] remaining=[dns-01]) (order=https://acme.zerossl.com/v2/DV90/order/U3vw-dFMXAr0mddxjQP5VQ) (ca=https://acme.zerossl.com/v2/DV90)"}
{"level": "error","ts": 1707713433.9812117,"logger": "tls.obtain","msg": "will retry","error": "[*.company-domain.id] Obtain: [*.company-domain.id] solving challenges: *.company-domain.id: no solvers available for remaining challenges (configured=[http-01 tls-alpn-01] offered=[dns-01] remaining=[dns-01]) (order=https://acme.zerossl.com/v2/DV90/order/U3vw-dFMXAr0mddxjQP5VQ) (ca=https://acme.zerossl.com/v2/DV90)","attempt": 1,"retrying_in": 60,"elapsed": 31.344116349,"max_duration": 2592000}
{"level": "info","ts": 1707713493.982795,"logger": "tls.obtain","msg": "obtaining certificate","identifier": "*.company-domain.id"}
{"level": "error","ts": 1707713495.4197855,"logger": "tls.obtain","msg": "could not get certificate from issuer","identifier": "*.company-domain.id","issuer": "acme-v02.api.letsencrypt.org-directory","error": "[*.company-domain.id] solving challenges: *.company-domain.id: no solvers available for remaining challenges (configured=[http-01 tls-alpn-01] offered=[dns-01] remaining=[dns-01]) (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/135734103/14443443283) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
{"level": "error","ts": 1707713514.7285583,"logger": "tls.obtain","msg": "could not get certificate from issuer","identifier": "*.company-domain.id","issuer": "acme.zerossl.com-v2-DV90","error": "[*.company-domain.id] solving challenges: *.company-domain.id: no solvers available for remaining challenges (configured=[http-01 tls-alpn-01] offered=[dns-01] remaining=[dns-01]) (order=https://acme.zerossl.com/v2/DV90/order/sdyuYIPWhjCUR01SokucKw) (ca=https://acme.zerossl.com/v2/DV90)"}
{"level": "error","ts": 1707713514.7286437,"logger": "tls.obtain","msg": "will retry","error": "[*.company-domain.id] Obtain: [*.company-domain.id] solving challenges: *.company-domain.id: no solvers available for remaining challenges (configured=[http-01 tls-alpn-01] offered=[dns-01] remaining=[dns-01]) (order=https://acme.zerossl.com/v2/DV90/order/sdyuYIPWhjCUR01SokucKw) (ca=https://acme.zerossl.com/v2/DV90)","attempt": 2,"retrying_in": 120,"elapsed": 112.091548146,"max_duration": 2592000}

3. Caddy version:

Caddy 2.7.6

4. How I installed and ran Caddy:

a. System environment:

b. Command:

CMD ["/usr/bin/caddy", "run", "--config", "/etc/caddy/Caddyfile"]

c. Service/unit/compose file:


d. My complete Caddy config:

{
	admin 0.0.0.0:2020

	on_demand_tls {
		ask https://api.company-domain.id/domain-checker
	}

	storage redis {
		host 127.0.0.1
		port 6379
		# username
		password somerandompassword
		db 0
		timeout 5
		key_prefix "caddy"
		tls_enabled false
		tls_insecure true
	}
}

*.company-domain.id {
	encode gzip

	reverse_proxy /* {
		to 127.0.0.1:2015 # localhost is just a placeholder

		lb_policy least_conn
		fail_duration 30s

		header_up Host {host}
		header_up X-Real-IP {header.X-Forwarded-For}
		header_up Access-Control-Allow-Origin *
		header_up Access-Control-Allow-Methods "GET, POST, PUT, PATCH, OPTIONS, DELETE"
		header_down Access-Control-Allow-Origin *
		header_down Access-Control-Allow-Methods "GET, POST, PUT, PATCH, OPTIONS, DELETE"
	}

	@assets path /js* /css* /favicon.ico
	header @assets Cache-Control "public, max-age=31536000;"

	log {
		output file /var/log/caddy/access.log
		format console
	}
}

:443 {
	encode gzip

	tls company.email@gmail.com {
		on_demand
	}

	reverse_proxy /* {
		to 127.0.0.1:2015 # localhost is just a placeholder

		lb_policy least_conn
		fail_duration 30s

		header_up Host {host}
		header_up X-Real-IP {header.X-Forwarded-For}
	}

	@assets path /js* /css* /favicon.ico
	header @assets Cache-Control "public, max-age=31536000;"

	log {
		output file /var/log/caddy/access.log
		format console
	}
}

5. Links to relevant resources:

So, I found out that I hadn’t added the acme_dns section. After I added it:

acme_dns route53 {
  max_retries 10
  access_key_id some_random_access_key_id
  secret_access_key some_random_secret_access_key
}

This is what I got next:

2024/02/12 07:45:58.324 INFO    using provided configuration    {"config_file": "./Caddyfile", "config_adapter": ""}
2024/02/12 07:45:58.331 INFO    admin   admin endpoint started  {"address": "0.0.0.0:2020", "enforce_origin": false, "origins": ["//0.0.0.0:2020"]}
2024/02/12 07:45:58.331 WARN    admin   admin endpoint on open interface; host checking disabled    {"address": "0.0.0.0:2020"}
{"level":"info","ts":1707723958.332782,"caller":"caddy-tlsredis@v0.3.1/storageredis.go:277","msg":"TLS Storage are using Redis, on 127.0.0.1:6379"}
2024/02/12 07:45:58.626 INFO    tls.cache.maintenance   started background certificate maintenance  {"cache": "0x140004a8000"}
2024/02/12 07:45:58.627 INFO    http.auto_https server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2024/02/12 07:45:58.627 INFO    http.auto_https enabling automatic HTTP->HTTPS redirects    {"server_name": "srv0"}
2024/02/12 07:45:58.631 INFO    http    enabling HTTP/3 listener    {"addr": ":443"}
2024/02/12 07:45:58.633 INFO    http.log    server running  {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2024/02/12 07:45:58.633 INFO    http.log    server running  {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2024/02/12 07:45:58.633 INFO    http    enabling automatic TLS certificate management   {"domains": ["*.company-domain.id", "*.staging-company-domain.id"]}
2024/02/12 07:45:58.963 ERROR   tls could not clean default/global storage  {"error": "loading last clean timestamp: unable to decrypt data for last_clean.json: invalid data format"}
2024/02/12 07:45:58.963 INFO    tls finished cleaning storage units
2024/02/12 07:45:59.263 INFO    tls.cache.maintenance   stopped background certificate maintenance  {"cache": "0x140004a8000"}
Error: loading initial config: loading new config: http app module: start: finalizing automatic HTTPS: managing certificates for [*.company-domain.id *.staging-company-domain.id]: automate: manage [*.company-domain.id *.staging-company-domain.id]: *.staging-company-domain.id: caching certificate: unable to decrypt data for certificates/acme.zerossl.com-v2-dv90/wildcard_.staging-company-domain.id/wildcard_.staging-company-domain.id.key: invalid data format

That error is coming from the Redis storage plugin:

It seems like the data in storage is encrypted but can’t be decrypted. Are you using the same storage config as when the storage was written?

You might need to manually wipe out the keys from your Redis storage if you don’t have a way to recover it.

Or, I’d recommend using GitHub - pberkel/caddy-storage-redis instead, which is a newer library with a lot of improvements (storage efficiency etc.).

I do use GitHub - pberkel/caddy-storage-redis. Maybe I need to wipe Redis first to make sure it starts with a fresh environment.

I don’t think you are, because the error messages don’t match that library’s. It matches the older gamalan one.

For example, the uppercase U in the error message doesn’t appear in your logs:

Weird, maybe ECS is still using the old image from ECR. Let me check this again.

Anyway, I tried wiping Redis, but production is still having issues getting the certificate. These are the logs:

2024/02/12 10:04:07.402 INFO    using provided configuration    {"config_file": "./Caddyfile", "config_adapter": ""}
2024/02/12 10:04:07.407 INFO    admin   admin endpoint started  {"address": "0.0.0.0:2020", "enforce_origin": false, "origins": ["//0.0.0.0:2020"]}
2024/02/12 10:04:07.407 WARN    admin   admin endpoint on open interface; host checking disabled    {"address": "0.0.0.0:2020"}
{"level":"info","ts":1707732247.409871,"caller":"caddy-tlsredis@v0.3.1/storageredis.go:277","msg":"TLS Storage are using Redis, on 127.0.0.1:6379"}
2024/02/12 10:04:07.591 INFO    http.auto_https server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2024/02/12 10:04:07.591 INFO    http.auto_https enabling automatic HTTP->HTTPS redirects    {"server_name": "srv0"}
2024/02/12 10:04:07.591 INFO    tls.cache.maintenance   started background certificate maintenance  {"cache": "0x140001e2000"}
2024/02/12 10:04:07.594 INFO    http    enabling HTTP/3 listener    {"addr": ":443"}
2024/02/12 10:04:07.596 INFO    http.log    server running  {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2024/02/12 10:04:07.596 INFO    http.log    server running  {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2024/02/12 10:04:07.596 INFO    http    enabling automatic TLS certificate management   {"domains": ["*.company-domain.id", "*.staging-company-domain.id"]}
2024/02/12 10:04:07.853 INFO    tls cleaning storage unit   {"storage": "{\"address\":\"127.0.0.1:6379\",\"host\":\"127.0.0.1\",\"port\":\"6379\",\"db\":0,\"username\":\"\",\"password\":\"REDACTED\",\"timeout\":5,\"key_prefix\":\"caddy\",\"value_prefix\":\"caddy-storage-redis\",\"aes_key\":\"\",\"tls_enabled\":false,\"tls_insecure\":true}"}
2024/02/12 10:04:07.857 INFO    autosaved config (load with --resume flag)  {"file": "/Users/bosan/Library/Application Support/Caddy/autosave.json"}
2024/02/12 10:04:07.857 INFO    serving initial configuration
2024/02/12 10:04:08.271 INFO    tls finished cleaning storage units
2024/02/12 10:04:08.756 INFO    tls.obtain  acquiring lock  {"identifier": "*.staging-company-domain.id"}
2024/02/12 10:04:08.756 INFO    tls.obtain  acquiring lock  {"identifier": "*.company-domain.id"}
2024/02/12 10:04:08.838 INFO    tls.obtain  lock acquired   {"identifier": "*.company-domain.id"}
2024/02/12 10:04:08.838 INFO    tls.obtain  lock acquired   {"identifier": "*.staging-company-domain.id"}
2024/02/12 10:04:09.014 INFO    tls.obtain  obtaining certificate   {"identifier": "*.company-domain.id"}
2024/02/12 10:04:09.014 INFO    tls.obtain  obtaining certificate   {"identifier": "*.staging-company-domain.id"}
2024/02/12 10:04:10.826 INFO    tls waiting on internal rate limiter    {"identifiers": ["*.company-domain.id"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2024/02/12 10:04:10.826 INFO    tls done waiting on internal rate limiter   {"identifiers": ["*.company-domain.id"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2024/02/12 10:04:11.325 INFO    http    waiting on internal rate limiter    {"identifiers": ["*.staging-company-domain.id"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2024/02/12 10:04:11.325 INFO    http    done waiting on internal rate limiter   {"identifiers": ["*.staging-company-domain.id"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2024/02/12 10:04:11.646 ERROR   tls.obtain  could not get certificate from issuer   {"identifier": "*.staging-company-domain.id", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new order :: too many certificates already issued for \"staging-company-domain.id\". Retry after 2024-02-12T13:00:00Z: see https://letsencrypt.org/docs/rate-limits/"}
2024/02/12 10:04:11.674 ERROR   tls.obtain  could not get certificate from issuer   {"identifier": "*.company-domain.id", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[*.company-domain.id] solving challenges: *.company-domain.id: no solvers available for remaining challenges (configured=[http-01 tls-alpn-01] offered=[dns-01] remaining=[dns-01]) (order=https://acme-v02.api.letsencrypt.org/acme/order/1566114037/243852774697) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
2024/02/12 10:04:11.797 WARN    tls.issuance.zerossl    missing email address for ZeroSSL; it is strongly recommended to set one for next time
2024/02/12 10:04:11.802 WARN    tls missing email address for ZeroSSL; it is strongly recommended to set one for next time
2024/02/12 10:04:14.190 INFO    tls.issuance.zerossl    generated EAB credentials   {"key_id": "C8nncmwY41y5kUYE_UJ2aQ"}
2024/02/12 10:04:14.231 INFO    tls generated EAB credentials   {"key_id": "WUDKbC4BimH2jgmoed9NzA"}
2024/02/12 10:04:17.623 INFO    http    waiting on internal rate limiter    {"identifiers": ["*.staging-company-domain.id"], "ca": "https://acme.zerossl.com/v2/DV90", "account": ""}
2024/02/12 10:04:17.624 INFO    http    done waiting on internal rate limiter   {"identifiers": ["*.staging-company-domain.id"], "ca": "https://acme.zerossl.com/v2/DV90", "account": ""}
2024/02/12 10:04:18.570 INFO    tls waiting on internal rate limiter    {"identifiers": ["*.company-domain.id"], "ca": "https://acme.zerossl.com/v2/DV90", "account": ""}
2024/02/12 10:04:18.570 INFO    tls done waiting on internal rate limiter   {"identifiers": ["*.company-domain.id"], "ca": "https://acme.zerossl.com/v2/DV90", "account": ""}
2024/02/12 10:04:19.634 INFO    http.acme_client    trying to solve challenge   {"identifier": "*.staging-company-domain.id", "challenge_type": "dns-01", "ca": "https://acme.zerossl.com/v2/DV90"}
2024/02/12 10:04:21.675 ERROR   tls.obtain  could not get certificate from issuer   {"identifier": "*.company-domain.id", "issuer": "acme.zerossl.com-v2-DV90", "error": "[*.company-domain.id] solving challenges: *.company-domain.id: no solvers available for remaining challenges (configured=[http-01 tls-alpn-01] offered=[dns-01] remaining=[dns-01]) (order=https://acme.zerossl.com/v2/DV90/order/MCt8eUYTm1rPiOz8wIhCGQ) (ca=https://acme.zerossl.com/v2/DV90)"}
2024/02/12 10:04:21.675 ERROR   tls.obtain  will retry  {"error": "[*.company-domain.id] Obtain: [*.company-domain.id] solving challenges: *.company-domain.id: no solvers available for remaining challenges (configured=[http-01 tls-alpn-01] offered=[dns-01] remaining=[dns-01]) (order=https://acme.zerossl.com/v2/DV90/order/MCt8eUYTm1rPiOz8wIhCGQ) (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 1, "retrying_in": 60, "elapsed": 12.837266708, "max_duration": 2592000}
2024/02/12 10:04:46.209 INFO    http.acme_client    authorization finalized {"identifier": "*.staging-company-domain.id", "authz_status": "valid"}
2024/02/12 10:04:46.209 INFO    http.acme_client    validations succeeded; finalizing order {"order": "https://acme.zerossl.com/v2/DV90/order/fPSqI_2gDJDen1HsMShJqA"}
2024/02/12 10:05:06.953 INFO    http.acme_client    successfully downloaded available certificate chains    {"count": 1, "first_url": "https://acme.zerossl.com/v2/DV90/cert/PkdgNWPcCGaEmPWpvWi8xg"}
2024/02/12 10:05:07.254 INFO    tls.obtain  certificate obtained successfully   {"identifier": "*.staging-company-domain.id"}
2024/02/12 10:05:07.254 INFO    tls.obtain  releasing lock  {"identifier": "*.staging-company-domain.id"}
2024/02/12 10:05:21.827 INFO    tls.obtain  obtaining certificate   {"identifier": "*.company-domain.id"}
2024/02/12 10:05:24.682 ERROR   tls.obtain  could not get certificate from issuer   {"identifier": "*.company-domain.id", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[*.company-domain.id] solving challenges: *.company-domain.id: no solvers available for remaining challenges (configured=[http-01 tls-alpn-01] offered=[dns-01] remaining=[dns-01]) (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/136080183/14450542013) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
2024/02/12 10:05:35.587 ERROR   tls.obtain  could not get certificate from issuer   {"identifier": "*.company-domain.id", "issuer": "acme.zerossl.com-v2-DV90", "error": "[*.company-domain.id] solving challenges: *.company-domain.id: no solvers available for remaining challenges (configured=[tls-alpn-01 http-01] offered=[dns-01] remaining=[dns-01]) (order=https://acme.zerossl.com/v2/DV90/order/mPiidJn9_6evTRiFTuak1A) (ca=https://acme.zerossl.com/v2/DV90)"}
2024/02/12 10:05:35.587 ERROR   tls.obtain  will retry  {"error": "[*.company-domain.id] Obtain: [*.company-domain.id] solving challenges: *.company-domain.id: no solvers available for remaining challenges (configured=[tls-alpn-01 http-01] offered=[dns-01] remaining=[dns-01]) (order=https://acme.zerossl.com/v2/DV90/order/mPiidJn9_6evTRiFTuak1A) (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 2, "retrying_in": 120, "elapsed": 86.749228958, "max_duration": 2592000}

Is it possible it won’t work because the domain already has a valid certificate from AWS? I’m not sure how it works behind the scenes.

No, that’s unrelated.

This is basically saying “you didn’t configure the DNS challenge, so I can only try the HTTP and TLS-ALPN challenges, but those aren’t allowed for wildcard certs”.

You said in your previous post that you added acme_dns config. Did you remove it after? :thinking:

You should probably configure dns inside of tls for that one site, not use the acme_dns global option, because you only need the DNS challenge for your wildcard domain and not your https:// site with on-demand. It doesn’t make sense to use the DNS challenge for on-demand, because you probably don’t control your customers’ DNS, and therefore can’t write TXT records to their domains.
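The per-site layout that the reply above recommends, written out as an added example; this is not config from the original thread or from Caddy's own documentation. The wildcard site carries its own dns solver, the catch-all on-demand site has none, and there is no global acme_dns block. The {env.*} placeholders for the Redis password and the AWS keys are an assumption made here (the pasted Caddyfile had the secrets inline), and the admin endpoint is bound to localhost rather than 0.0.0.0 as a choice; everything else reuses the names and values from the pasted config.

```caddyfile
{
	# The pasted logs warn "admin endpoint on open interface; host checking
	# disabled": the admin API has no authentication, so bind it locally
	# (assumption: nothing on ECS needs it on 0.0.0.0).
	admin localhost:2020

	# Global: on-demand issuance is only allowed for names the ask endpoint
	# answers 2xx for. Caddy calls it with ?domain=<name> before ordering.
	on_demand_tls {
		ask https://api.company-domain.id/domain-checker
	}

	# Same storage settings as the pasted config; secret moved to an env var.
	storage redis {
		host 127.0.0.1
		port 6379
		password {env.REDIS_PASSWORD}
		db 0
		timeout 5
		key_prefix "caddy"
		tls_enabled false
		tls_insecure true
	}
}

# Wildcard site: the CA only offers dns-01 for *.names, so the DNS solver is
# scoped to this site instead of a global acme_dns block.
*.company-domain.id {
	tls company.email@gmail.com {
		dns route53 {
			max_retries 10
			access_key_id {env.AWS_ACCESS_KEY_ID}
			secret_access_key {env.AWS_SECRET_ACCESS_KEY}
		}
	}

	encode gzip
	reverse_proxy 127.0.0.1:2015
}

# Catch-all on-demand site: no dns solver here. Customer domains point at this
# server, so http-01 / tls-alpn-01 work for them, while Caddy could not write
# TXT records in zones it does not control anyway.
:443 {
	tls company.email@gmail.com {
		on_demand
	}

	encode gzip
	reverse_proxy 127.0.0.1:2015
}
```

Two caveats from the logs in this thread. First, the Route 53 key is a standing credential that can rewrite DNS for the zone, so keep it out of the image and scope the IAM policy to the record-change permissions the plugin needs for that one hosted zone. Second, the 429 rateLimited error on the staging wildcard is Let's Encrypt's issuance limit: wiping Redis storage discards certificates Caddy already obtained and forces a fresh order on every restart, so when iterating on solver config, test against the Let's Encrypt staging CA rather than burning production quota.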