1. The problem I’m having:
I’ve set up Caddy, and it looks like I am unable to get an SSL certificate; when checking the logs, it looks like it’s stuck on trying to solve the challenge.
2. Error messages and/or full log output:
ubuntu@nimbus2000:~$ sudo caddy run
2024/05/09 19:03:34.691 INFO using adjacent Caddyfile
2024/05/09 19:03:34.696 INFO admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2024/05/09 19:03:34.696 INFO http.auto_https server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2024/05/09 19:03:34.696 INFO http.auto_https enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
2024/05/09 19:03:34.696 INFO tls.cache.maintenance started background certificate maintenance {"cache": "0x400038bc00"}
2024/05/09 19:03:34.697 INFO http enabling HTTP/3 listener {"addr": ":443"}
2024/05/09 19:03:34.697 INFO http.log server running {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2024/05/09 19:03:34.697 INFO http.log server running {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2024/05/09 19:03:34.697 INFO http enabling automatic TLS certificate management {"domains": ["cloud.mydomain.com"]}
2024/05/09 19:03:34.698 INFO autosaved config (load with --resume flag) {"file": "/root/.config/caddy/autosave.json"}
2024/05/09 19:03:34.698 INFO serving initial configuration
2024/05/09 19:03:34.700 INFO tls.obtain acquiring lock {"identifier": "cloud.mydomain.com"}
2024/05/09 19:03:34.700 WARN tls storage cleaning happened too recently; skipping for now {"storage": "FileStorage:/root/.local/share/caddy", "instance": "db5da8d1-67d4-42b2-b8d7-55355c297bb1", "try_again": "2024/05/10 19:03:34.700", "try_again_in": 86399.99999972}
2024/05/09 19:03:34.700 INFO tls finished cleaning storage units
2024/05/09 19:03:34.704 INFO tls.obtain lock acquired {"identifier": "cloud.mydomain.com"}
2024/05/09 19:03:34.704 INFO tls.obtain obtaining certificate {"identifier": "cloud.mydomain.com"}
2024/05/09 19:03:36.093 INFO tls.issuance.acme waiting on internal rate limiter {"identifiers": ["cloud.mydomain.com"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "mail@mydomain.com"}
2024/05/09 19:03:36.093 INFO tls.issuance.acme done waiting on internal rate limiter {"identifiers": ["cloud.mydomain.com"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "cloud.mydomain.com"}
2024/05/09 19:03:36.905 INFO tls.issuance.acme.acme_client trying to solve challenge {"identifier": "cloud.mydomain.com", "challenge_type": "tls-alpn-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2024/05/09 19:03:37.778 ERROR tls.issuance.acme.acme_client challenge failed {"identifier": "cloud.mydomain.com", "challenge_type": "tls-alpn-01", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "myip: Error getting validation data", "instance": "", "subproblems": []}}
2024/05/09 19:03:37.778 ERROR tls.issuance.acme.acme_client validating authorization {"identifier": "cloud.mydomain.com", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "myip: Error getting validation data", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/1717921447/267992625867", "attempt": 1, "max_attempts": 3}
2024/05/09 19:03:39.503 INFO tls.issuance.acme.acme_client trying to solve challenge {"identifier": "cloud.mydomain.com", "challenge_type": "http-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2024/05/09 19:03:40.324 ERROR tls.issuance.acme.acme_client challenge failed {"identifier": "cloud.mydomain.com", "challenge_type": "http-01", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "myip: Fetching http://cloud.mydomain.com/.well-known/acme-challenge/nGVdRQx2rZ1Y6CLc9OE5QIkBUX0iZLxtXGxwdae_OdI: Error getting validation data", "instance": "", "subproblems": []}}
2024/05/09 19:03:40.324 ERROR tls.issuance.acme.acme_client validating authorization {"identifier": "cloud.mydomain.com", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "myip: Fetching http://cloud.mydomain.com/.well-known/acme-challenge/nGVdRQx2rZ1Y6CLc9OE5QIkBUX0iZLxtXGxwdae_OdI: Error getting validation data", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/1717921447/267992634357", "attempt": 2, "max_attempts": 3}
2024/05/09 19:03:40.324 ERROR tls.obtain could not get certificate from issuer {"identifier": "cloud.mydomain.com", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 400 urn:ietf:params:acme:error:connection - myip: Fetching http://cloud.mydomain.com/.well-known/acme-challenge/nGVdRQx2rZ1Y6CLc9OE5QIkBUX0iZLxtXGxwdae_OdI: Error getting validation data"}
2024/05/09 19:03:41.726 INFO tls.issuance.zerossl generated EAB credentials {"key_id": "xjRJW2knHfJz_xs0Aq29Vg"}
2024/05/09 19:03:43.430 INFO tls.issuance.zerossl waiting on internal rate limiter {"identifiers": ["cloud.mydomain.com"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "mail@mydomain.com,"}
2024/05/09 19:03:43.430 INFO tls.issuance.zerossl done waiting on internal rate limiter {"identifiers": ["cloud.mydomain.com"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "mail@mydomain.com"}
2024/05/09 19:03:44.754 INFO tls.issuance.zerossl.acme_client trying to solve challenge {"identifier": "cloud.mydomain.com", "challenge_type": "http-01", "ca": "https://acme.zerossl.com/v2/DV90"}
3. Caddy version:
v2.7.6
4. How I installed and ran Caddy:
a. System environment:
Ubuntu 22.04, ARM, Docker installed with pi-hole and nextcloud running.
b. Command:
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy
d. My complete Caddy config:
{
    email myemail
}

cloud.domain.com {
    reverse_proxy localhost:11000
}
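
A small parser for the console log format shown in the post above, as an added example (not part of the original post and not Caddy's own code): it extracts every `challenge failed` entry and reports the challenge type, the ACME error and the inbound port the CA connects to for that challenge type. The sample lines are abridged from the post's log, and the function names are hypothetical.

```python
import json
import re

# Port the CA connects to per challenge type (http-01: RFC 8555, tls-alpn-01: RFC 8737).
CHALLENGE_PORT = {"http-01": 80, "tls-alpn-01": 443}

# Console format: "<date> <time> <LEVEL> <logger> <message> {json fields}"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<level>[A-Z]+)\s+(?P<logger>\S+)\s+"
    r"(?P<msg>[^{]*?)\s*(?P<fields>\{.*\})?\s*$"
)

# Constructed sample: three lines abridged from the log in the post above.
SAMPLE_LOG = r'''
2024/05/09 19:03:36.905 INFO tls.issuance.acme.acme_client trying to solve challenge {"identifier": "cloud.mydomain.com", "challenge_type": "tls-alpn-01"}
2024/05/09 19:03:37.778 ERROR tls.issuance.acme.acme_client challenge failed {"identifier": "cloud.mydomain.com", "challenge_type": "tls-alpn-01", "problem": {"type": "urn:ietf:params:acme:error:connection", "detail": "myip: Error getting validation data"}}
2024/05/09 19:03:40.324 ERROR tls.issuance.acme.acme_client challenge failed {"identifier": "cloud.mydomain.com", "challenge_type": "http-01", "problem": {"type": "urn:ietf:params:acme:error:connection", "detail": "myip: Fetching http://cloud.mydomain.com/.well-known/acme-challenge/nGVdRQx2rZ1Y6CLc9OE5QIkBUX0iZLxtXGxwdae_OdI: Error getting validation data"}}
'''

def parse_line(line):
    """Split one console log line into level, logger, message and JSON fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["fields"] = json.loads(rec["fields"]) if rec["fields"] else {}
    except json.JSONDecodeError:
        rec["fields"] = {}  # truncated or wrapped line: keep the header part only
    return rec

def failed_challenges(log_text):
    """Return one summary dict per 'challenge failed' entry in the log text."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["level"] != "ERROR" or rec["msg"] != "challenge failed":
            continue
        f, ctype = rec["fields"], rec["fields"].get("challenge_type", "")
        problem = f.get("problem", {})
        out.append({"identifier": f.get("identifier"), "challenge_type": ctype,
                    "acme_error": problem.get("type", "").rsplit(":", 1)[-1],
                    "detail": problem.get("detail", ""),
                    "inbound_port": CHALLENGE_PORT.get(ctype)})
    return out

if __name__ == "__main__":
    for c in failed_challenges(SAMPLE_LOG):
        print(f'{c["identifier"]}: {c["challenge_type"]} failed ({c["acme_error"]}); '
              f'CA must reach TCP {c["inbound_port"]}')
```

The ACME `connection` error type means the CA could not connect to the validation target, so a `connection` failure on both challenge types points at inbound reachability of ports 80 and 443 rather than at the certificate request itself.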