I’ve been using Caddy for a while now (and love it) on my Raspberry Pi at home that’s exposed to the internet. I just added a new subdomain for which I want to host a static file, but I can’t get the SSL to work.
1. The problem I’m having:
I added the domain iban.rienheuver.nl (see Caddyfile below) but it doesn’t get a valid SSL cert. After some searching I found that adding my email address to the global config should help, so I’ve added that, but to no avail. It seems that it somehow fails to authenticate with Let’s Encrypt and then runs into the rate limiter of Let’s Encrypt. But I have no idea why it fails to authenticate.
2. Error messages and/or full log output:
Nov 07 09:57:17 raspberrypi systemd[1]: Starting caddy.service - Caddy...
Nov 07 09:57:17 raspberrypi caddy[1620166]: caddy.HomeDir=/var/lib/caddy
Nov 07 09:57:17 raspberrypi caddy[1620166]: caddy.AppDataDir=/var/lib/caddy/.local/share/caddy
Nov 07 09:57:17 raspberrypi caddy[1620166]: caddy.AppConfigDir=/var/lib/caddy/.config/caddy
Nov 07 09:57:17 raspberrypi caddy[1620166]: caddy.ConfigAutosavePath=/var/lib/caddy/.config/caddy/autosave.json
Nov 07 09:57:17 raspberrypi caddy[1620166]: caddy.Version=2.6.2
Nov 07 09:57:17 raspberrypi caddy[1620166]: runtime.GOOS=linux
Nov 07 09:57:17 raspberrypi caddy[1620166]: runtime.GOARCH=arm64
Nov 07 09:57:17 raspberrypi caddy[1620166]: runtime.Compiler=gc
Nov 07 09:57:17 raspberrypi caddy[1620166]: runtime.NumCPU=4
Nov 07 09:57:17 raspberrypi caddy[1620166]: runtime.GOMAXPROCS=4
Nov 07 09:57:17 raspberrypi caddy[1620166]: runtime.Version=go1.19.8
Nov 07 09:57:17 raspberrypi caddy[1620166]: os.Getwd=/
Nov 07 09:57:17 raspberrypi caddy[1620166]: LANG=en_GB.UTF-8
Nov 07 09:57:17 raspberrypi caddy[1620166]: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Nov 07 09:57:17 raspberrypi caddy[1620166]: NOTIFY_SOCKET=/run/systemd/notify
Nov 07 09:57:17 raspberrypi caddy[1620166]: HOME=/var/lib/caddy
Nov 07 09:57:17 raspberrypi caddy[1620166]: LOGNAME=caddy
Nov 07 09:57:17 raspberrypi caddy[1620166]: USER=caddy
Nov 07 09:57:17 raspberrypi caddy[1620166]: INVOCATION_ID=e0901c3fc0b043898334af5ec26d3e3c
Nov 07 09:57:17 raspberrypi caddy[1620166]: JOURNAL_STREAM=9:3876037
Nov 07 09:57:17 raspberrypi caddy[1620166]: SYSTEMD_EXEC_PID=1620166
Nov 07 09:57:17 raspberrypi caddy[1620166]: {"level":"info","ts":1762509437.2503142,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Nov 07 09:57:17 raspberrypi caddy[1620166]: {"level":"info","ts":1762509437.2588024,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
Nov 07 09:57:17 raspberrypi caddy[1620166]: {"level":"info","ts":1762509437.2595987,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x400040eb60"}
Nov 07 09:57:17 raspberrypi caddy[1620166]: {"level":"info","ts":1762509437.2596374,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
Nov 07 09:57:17 raspberrypi caddy[1620166]: {"level":"info","ts":1762509437.25968,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
Nov 07 09:57:17 raspberrypi caddy[1620166]: {"level":"warn","ts":1762509437.2597005,"logger":"http","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv1","http_port":80}
Nov 07 09:57:17 raspberrypi caddy[1620166]: {"level":"info","ts":1762509437.2610562,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/var/lib/caddy/.local/share/caddy"}
Nov 07 09:57:17 raspberrypi caddy[1620166]: {"level":"info","ts":1762509437.261136,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
Nov 07 09:57:17 raspberrypi caddy[1620166]: {"level":"info","ts":1762509437.2613058,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details."}
Nov 07 09:57:17 raspberrypi caddy[1620166]: {"level":"info","ts":1762509437.2614715,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
Nov 07 09:57:17 raspberrypi caddy[1620166]: {"level":"info","ts":1762509437.261601,"logger":"http.log","msg":"server running","name":"srv1","protocols":["h1","h2","h3"]}
Nov 07 09:57:17 raspberrypi caddy[1620166]: {"level":"info","ts":1762509437.2616239,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["nextcloud.rienheuver.nl","raspi.rienheuver.nl","iban.rienheuver.nl","vaultwarden.rienheuver.nl"]}
Nov 07 09:57:17 raspberrypi caddy[1620166]: {"level":"info","ts":1762509437.262679,"logger":"tls","msg":"finished cleaning storage units"}
Nov 07 09:57:17 raspberrypi caddy[1620166]: {"level":"warn","ts":1762509437.262988,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [nextcloud.rienheuver.nl]: no OCSP server specified in certificate","identifiers":["nextcloud.rienheuver.nl"]}
Nov 07 09:57:17 raspberrypi caddy[1620166]: {"level":"warn","ts":1762509437.264165,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [raspi.rienheuver.nl]: no OCSP server specified in certificate","identifiers":["raspi.rienheuver.nl"]}
Nov 07 09:57:17 raspberrypi caddy[1620166]: {"level":"info","ts":1762509437.2653694,"logger":"tls.obtain","msg":"acquiring lock","identifier":"iban.rienheuver.nl"}
Nov 07 09:57:17 raspberrypi caddy[1620166]: {"level":"warn","ts":1762509437.2656863,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [vaultwarden.rienheuver.nl]: no OCSP server specified in certificate","identifiers":["vaultwarden.rienheuver.nl"]}
Nov 07 09:57:17 raspberrypi caddy[1620166]: {"level":"info","ts":1762509437.2686052,"msg":"autosaved config (load with --resume flag)","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Nov 07 09:57:17 raspberrypi caddy[1620166]: {"level":"info","ts":1762509437.2687893,"msg":"serving initial configuration"}
Nov 07 09:57:17 raspberrypi systemd[1]: Started caddy.service - Caddy.
Nov 07 09:57:17 raspberrypi caddy[1620166]: {"level":"info","ts":1762509437.2754102,"logger":"tls.obtain","msg":"lock acquired","identifier":"iban.rienheuver.nl"}
Nov 07 09:57:17 raspberrypi caddy[1620166]: {"level":"info","ts":1762509437.2758105,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"iban.rienheuver.nl"}
Nov 07 09:57:17 raspberrypi caddy[1620166]: {"level":"info","ts":1762509437.2776299,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["iban.rienheuver.nl"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"ik@rienheuver.nl"}
Nov 07 09:57:17 raspberrypi caddy[1620166]: {"level":"info","ts":1762509437.277697,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["iban.rienheuver.nl"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"ik@rienheuver.nl"}
Nov 07 09:57:18 raspberrypi caddy[1620166]: {"level":"info","ts":1762509438.2323284,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"iban.rienheuver.nl","challenge_type":"tls-alpn-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
Nov 07 09:57:19 raspberrypi caddy[1620166]: {"level":"error","ts":1762509439.5690725,"logger":"http.acme_client","msg":"challenge failed","identifier":"iban.rienheuver.nl","challenge_type":"tls-alpn-01","status_code":400,"problem_type":"urn:ietf:params:acme:error:tls","error":"51.255.194.122: remote error: tls: internal error"}
Nov 07 09:57:19 raspberrypi caddy[1620166]: {"level":"error","ts":1762509439.569175,"logger":"http.acme_client","msg":"validating authorization","identifier":"iban.rienheuver.nl","error":"authorization failed: HTTP 400 urn:ietf:params:acme:error:tls - 51.255.194.122: remote error: tls: internal error","order":"https://acme-v02.api.letsencrypt.org/acme/order/2782384956/445962992456","attempt":1,"max_attempts":3}
Nov 07 09:57:20 raspberrypi caddy[1620166]: {"level":"error","ts":1762509440.7264135,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"iban.rienheuver.nl","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 429 urn:ietf:params:acme:error:rateLimited - too many failed authorizations (5) for \"iban.rienheuver.nl\" in the last 1h0m0s, retry after 2025-11-07 10:04:37 UTC: see https://letsencrypt.org/docs/rate-limits/#authorization-failures-per-hostname-per-account"}
Nov 07 09:57:20 raspberrypi caddy[1620166]: {"level":"info","ts":1762509440.7270281,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["iban.rienheuver.nl"],"ca":"https://acme.zerossl.com/v2/DV90","account":"ik@rienheuver.nl"}
Nov 07 09:57:20 raspberrypi caddy[1620166]: {"level":"info","ts":1762509440.7270691,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["iban.rienheuver.nl"],"ca":"https://acme.zerossl.com/v2/DV90","account":"ik@rienheuver.nl"}
Nov 07 09:57:21 raspberrypi caddy[1620166]: {"level":"info","ts":1762509441.8321414,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"iban.rienheuver.nl","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
3. Caddy version:
2.6.2
4. How I installed and ran Caddy:
It’s a while back, but I think I installed it through the debian apt repositories as outlined in the docs: Install — Caddy Documentation
a. System environment:
Debian 12
Raspberry Pi 4B
b. Command:
No specific command, just visiting iban.rienheuver.nl will show the cert is not working. The logs from before are from journalctl -u caddy.service --no-pager
d. My complete Caddy config:
{
	email ik@rienheuver.nl
}

:80, raspi.rienheuver.nl {
	root * /usr/share/caddy
	file_server
}

nextcloud.rienheuver.nl:443 {
	reverse_proxy localhost:11000
}

vaultwarden.rienheuver.nl {
	encode zstd gzip
	reverse_proxy localhost:8000 {
		header_up X-Real-IP {remote_host}
	}
}

iban.rienheuver.nl {
	root * /home/rien/iban
	file_server
}
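
An added example, not part of the original post and not Caddy's own code: a small triage script for `journalctl -u caddy.service` output like the log above. It reports, per hostname, which ACME challenge failed, the problem type, the address the CA reports having connected to, and the rate-limit retry time. The function name `triage` is hypothetical, and the sample lines are copied from the post.

```python
import json
import re
from collections import defaultdict

# Constructed sample: four lines copied from the journal output in the post above.
SAMPLE = r'''
Nov 07 09:57:17 raspberrypi caddy[1620166]: caddy.Version=2.6.2
Nov 07 09:57:18 raspberrypi caddy[1620166]: {"level":"info","ts":1762509438.2323284,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"iban.rienheuver.nl","challenge_type":"tls-alpn-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
Nov 07 09:57:19 raspberrypi caddy[1620166]: {"level":"error","ts":1762509439.5690725,"logger":"http.acme_client","msg":"challenge failed","identifier":"iban.rienheuver.nl","challenge_type":"tls-alpn-01","status_code":400,"problem_type":"urn:ietf:params:acme:error:tls","error":"51.255.194.122: remote error: tls: internal error"}
Nov 07 09:57:20 raspberrypi caddy[1620166]: {"level":"error","ts":1762509440.7264135,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"iban.rienheuver.nl","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 429 urn:ietf:params:acme:error:rateLimited - too many failed authorizations (5) for \"iban.rienheuver.nl\" in the last 1h0m0s, retry after 2025-11-07 10:04:37 UTC: see https://letsencrypt.org/docs/rate-limits/#authorization-failures-per-hostname-per-account"}
'''

# journald prefix followed by a JSON object; the startup environment dump does not match.
JOURNAL_PREFIX = re.compile(r"^.*? caddy\[\d+\]: (?=\{)")
# Leading "<address>: " in a challenge error (IPv4, or IPv6 with at least two colons).
VALIDATED_ADDR = re.compile(
    r"^((?:\d{1,3}\.){3}\d{1,3}|(?:[0-9a-fA-F]*:){2,}[0-9a-fA-F]*): ")
RETRY_AFTER = re.compile(r"retry after (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d UTC)")


def triage(journal_text):
    """Summarise ACME error entries per hostname from Caddy's journal output."""
    report = defaultdict(lambda: {"challenges": [], "retry_after": None})
    for line in journal_text.splitlines():
        prefix = JOURNAL_PREFIX.match(line)
        if not prefix:
            continue  # systemd lines and non-JSON startup lines
        try:
            entry = json.loads(line[prefix.end():])
        except json.JSONDecodeError:
            continue  # truncated or wrapped line
        if entry.get("level") != "error":
            continue
        host = entry.get("identifier", "?")
        err = entry.get("error", "")
        if entry.get("msg") == "challenge failed":
            addr = VALIDATED_ADDR.match(err)
            report[host]["challenges"].append({
                "type": entry.get("challenge_type"),
                "problem": entry.get("problem_type"),
                "ca_connected_to": addr.group(1) if addr else None,
            })
        retry = RETRY_AFTER.search(err)
        if retry:
            report[host]["retry_after"] = retry.group(1)
    return dict(report)
```

The `ca_connected_to` value is the address the CA reached during validation, so it is worth comparing with the address the hostname is expected to resolve to.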