Could not get certificate from issuer: http.acme_client HTTP request failed

1. Caddy version:

2.6.2

2. How I installed, and run Caddy:

a. System environment:

Ubuntu Server 22.04
Docker version 20.10.12, build 20.10.12-0ubuntu4

b. Command:

sudo docker run -d -p 80:80 -p 443:443 --name caddy -v /containers/caddy/config:/config -v /containers/caddy/etc:/etc -v /containers/caddy/data:/data -v /containers/caddy/var:/var caddy:2.6.2

c. Service/unit/compose file:

No docker compose, just running things manually via commands

d. My complete Caddy config:

{
    "apps": {
        "http": {
            "servers": {
                "srv0": {
                    "listen": [":443"],
                    "routes": [{
                        "handle": [{
                            "handler": "subroute",
                            "routes": [{
                                "handle": [{
                                    "body": "Hello, World!",
                                    "handler": "static_response"
                                }]
                            }]
                        }],
                        "match": [{
                            "host": ["teaguemillette.com"]
                        }],
                        "terminal": true
                    }]
                }
            }
        }
    }
}

3. The problem I’m having:

Certificates are not being automatically created.

4. Error messages and/or full log output:

{"level":"info","ts":1674683042.8103337,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"info","ts":1674683042.8127081,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1674683042.8131962,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1674683042.813281,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1674683042.81367,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00046d260"}
{"level":"info","ts":1674683042.8138368,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"info","ts":1674683042.8139107,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1674683042.814018,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"info","ts":1674683042.8142104,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details."}
{"level":"info","ts":1674683042.8144138,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"info","ts":1674683042.8145175,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1674683042.8145523,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["teaguemillette.com"]}
{"level":"info","ts":1674683042.8148646,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1674683042.814902,"msg":"serving initial configuration"}
{"level":"info","ts":1674683042.815238,"logger":"tls.obtain","msg":"acquiring lock","identifier":"teaguemillette.com"}
{"level":"info","ts":1674683042.8191254,"logger":"tls.obtain","msg":"lock acquired","identifier":"teaguemillette.com"}
{"level":"info","ts":1674683042.819423,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"teaguemillette.com"}
{"level":"warn","ts":1674683042.9019394,"logger":"http.acme_client","msg":"HTTP request failed; retrying","url":"https://acme-v02.api.letsencrypt.org/directory","error":"performing request: Get \"https://acme-v02.api.letsencrypt.org/directory\": x509: certificate signed by unknown authority"}
{"level":"warn","ts":1674683043.234751,"logger":"http.acme_client","msg":"HTTP request failed; retrying","url":"https://acme-v02.api.letsencrypt.org/directory","error":"performing request: Get \"https://acme-v02.api.letsencrypt.org/directory\": x509: certificate signed by unknown authority"}
{"level":"warn","ts":1674683043.5652618,"logger":"http.acme_client","msg":"HTTP request failed; retrying","url":"https://acme-v02.api.letsencrypt.org/directory","error":"performing request: Get \"https://acme-v02.api.letsencrypt.org/directory\": x509: certificate signed by unknown authority"}
{"level":"error","ts":1674683043.5653849,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"teaguemillette.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"registering account [] with server: provisioning client: performing request: Get \"https://acme-v02.api.letsencrypt.org/directory\": x509: certificate signed by unknown authority"}
{"level":"warn","ts":1674683043.565789,"logger":"http","msg":"missing email address for ZeroSSL; it is strongly recommended to set one for next time"}
{"level":"error","ts":1674683043.6511488,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"teaguemillette.com","issuer":"acme.zerossl.com-v2-DV90","error":"account pre-registration callback: performing EAB credentials request: Post \"https://api.zerossl.com/acme/eab-credentials-email\": x509: certificate signed by unknown authority"}
{"level":"error","ts":1674683043.6512434,"logger":"tls.obtain","msg":"will retry","error":"[teaguemillette.com] Obtain: account pre-registration callback: performing EAB credentials request: Post \"https://api.zerossl.com/acme/eab-credentials-email\": x509: certificate signed by unknown authority","attempt":1,"retrying_in":60,"elapsed":0.832078596,"max_duration":2592000}

5. What I already tried:

  • Rebooting server
  • DNS is pointed to proper IP
  • Setup worked fine with HTTPS disabled
  • curl https://acme-v02.api.letsencrypt.org/directory from server console did not have certificate issues

6. Links to relevant resources:

N/A

You are overwriting (or rather over-mounting?) the whole /etc/ directory inside the container.
This includes directories like /etc/ssl/, which contains a list of all trusted CAs.

If you run

from inside the container using docker exec -it caddy ash, you will encounter an error.
Though, in case of the caddy:2.6.2 docker image, you would have to install curl using apk add curl first. Which you can’t, because that would require /etc/ssl/ as well :eyes:

So instead, use a different docker run command, mounting /etc/caddy, not the whole /etc/ directory.
And while you are at it, also add -p 443:443/udp for http/3, as recommended in the official Caddy docker image docs.

docker run -d -p 80:80 -p 443:443 -p 443:443/udp --name caddy -v /containers/caddy/config:/config -v /containers/caddy/etc-caddy:/etc/caddy -v /containers/caddy/data:/data -v /containers/caddy/var:/var caddy:2.6.2

Or even better, use docker compose.

You should probably make -v /containers/caddy/var:/var something more specific like -v /containers/caddy/var-www:/var-www as well.

And finally, why are you using a JSON config, instead of the Caddyfile?
JSON configs are only really intended for really advanced users.

3 Likes
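The root cause in the answer above (a `-v` bind mount over `/etc` hiding the image's CA bundle in `/etc/ssl`, hence the `x509: certificate signed by unknown authority` errors) can be caught before the container starts. The following lint is an added example, not code from the Caddy project or this thread; the narrower replacement targets it suggests (`/etc/caddy`, `/var/www`) are assumptions, and the two `docker run` lines are constructed from the commands in the thread.

```python
"""Hypothetical lint for `docker run` bind mounts (added example, not Caddy project
code). Flags -v mounts whose container-side target replaces a directory the image
ships, e.g. mounting an empty host dir over /etc hides /etc/ssl and the CA bundle."""
import shlex

# Container directories an image needs intact; a bind mount on top of them
# replaces the image's files with whatever is on the host (often nothing).
SYSTEM_DIRS = {"/", "/etc", "/usr", "/lib", "/bin", "/sbin", "/var"}
# Anything under these paths is the TLS trust store itself.
CA_STORE_PREFIXES = ("/etc/ssl", "/usr/share/ca-certificates")
# Narrower targets that keep system files visible (assumed suggestions).
SUGGESTED = {"/etc": "/etc/caddy", "/var": "/var/www"}

# Constructed sample input, based on the commands posted in the thread.
ORIGINAL_CMD = ("sudo docker run -d -p 80:80 -p 443:443 --name caddy "
                "-v /containers/caddy/config:/config -v /containers/caddy/etc:/etc "
                "-v /containers/caddy/data:/data -v /containers/caddy/var:/var caddy:2.6.2")
FIXED_CMD = ("docker run -d -p 80:80 -p 443:443 -p 443:443/udp --name caddy "
             "-v /containers/caddy/config:/config -v /containers/caddy/etc-caddy:/etc/caddy "
             "-v /containers/caddy/data:/data -v /containers/caddy/var:/var/www caddy:2.6.2")


def bind_mounts(cmd):
    """Return [(host, container, opts)] for every -v/--volume on a docker run line."""
    args, mounts, i = shlex.split(cmd), [], 0
    while i < len(args):
        a = args[i]
        if a in ("-v", "--volume") and i + 1 < len(args):
            spec, i = args[i + 1], i + 2
        elif a.startswith(("-v=", "--volume=")):
            spec, i = a.split("=", 1)[1], i + 1
        else:
            i += 1
            continue
        parts = spec.split(":")
        if len(parts) >= 2:  # "host:container[:opts]"; a bare path is an anonymous volume
            mounts.append((parts[0], parts[1], parts[2] if len(parts) > 2 else ""))
    return mounts


def shadowing_mounts(cmd):
    """Mounts that hide a system directory or the CA store: [(host, target, suggestion)]."""
    bad = []
    for host, target, _opts in bind_mounts(cmd):
        t = target.rstrip("/") or "/"
        if t in SYSTEM_DIRS or t.startswith(CA_STORE_PREFIXES):
            bad.append((host, t, SUGGESTED.get(t)))
    return bad


if __name__ == "__main__":
    for host, target, hint in shadowing_mounts(ORIGINAL_CMD):
        print(f"WARN: {host} mounted over {target}" + (f"; consider {hint}" if hint else ""))
```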

Looks like I completely misunderstood how -v works, that was the issue.

Thanks for the tip.

I am just using Docker to spin up my own personal instance that isn’t going to be shared anywhere. My understanding of compose is that it is for public projects or spinning up en masse, is that not true?

I am, just wasn’t sure which to include so I went with the generated JSON.