DNS-01 Challenge failing with Netcup DNS-Plugin

1. Caddy version (caddy version):

v2.5.2 h1:eCJdLyEyAGzuQTa5Mh3gETnYWDClo1LjtQm2q9RNZrs=

2. How I run Caddy:

Virtual Machine in Proxmox PVE

a. System environment:

Operating System:
Description: Ubuntu 22.04 LTS
Release: 22.04
Codename: jammy

Caddy is not containerized.

b. Command:

sudo service caddy start

c. Service/unit/compose file:

none

d. My complete Caddyfile:

{
	acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
	email <mail>

	log {
		level DEBUG
		output file /var/log/caddy/acme3.log {
			roll_size 10MB
			roll_keep 10
		}
	}
}

bw.exampledomain:61060 {
	import /etc/caddy/caddy_security.conf

	tls {
		dns netcup {
			customer_number {env.NETCUP_CUSTOMER_NUMBER}
			api_key {env.NETCUP_API_KEY}
			api_password {env.NETCUP_API_PASSWORD}
		}
	}

	reverse_proxy * {
		to 172.30.0.199:443
		transport http {
			tls
			tls_insecure_skip_verify
			read_buffer 8192
		}
	}
}

nas1.exampledomain:61068 {
	import /etc/caddy/caddy_security.conf

	tls {
		dns netcup {
			customer_number {env.NETCUP_CUSTOMER_NUMBER}
			api_key {env.NETCUP_API_KEY}
			api_password {env.NETCUP_API_PASSWORD}
		}
	}

	log {
		level DEBUG
		output file /var/log/caddy/nas1.log {
			roll_size 10MB
			roll_keep 10
		}
	}

	reverse_proxy * {
		to 172.30.20.2:51328
		transport http {
			tls
			tls_insecure_skip_verify
			read_buffer 8192
		}
	}
}
#Below is Caddyserver's local IPv4 Address
172.30.22.2:UnusedPort {
	...
	reverse_proxy <toAnotherLocalIP>:<Port>
	...
}

#Below is Caddyserver's local IPv4 Address
172.30.22.2:UnusedPort {
	...
	reverse_proxy <toAnotherLocalIP>:<Port>
	...
}

3. The problem I’m having:

I'm trying to get my first certificate for nas1.exampledomain, which is mentioned in my Caddyfile.
The certificate should be retrieved by solving the dns-01 Challenge (LetsEncrypt).
I already installed my Domain-Provider’s DNS-Plugin. My Domain-Provider is Netcup.
I already put my Netcup-API credentials in /etc/environment and these were applied correctly to the system, since “caddy environ” does list them.

I haven't used Caddy a lot. It's been a week since I installed it on this VM. The initial certificates for “bw.exampledomain” were done through HTTP-Challenge (opening and forwarding Port 443). I don't want to use HTTP-01 in the long run though.

The process of receiving a new certificate through dns01-Challenge fails according to the above mentioned Debug-Log /var/log/caddy/acme3.log

When I remove the global option “acme_ca” and keep the “tls” and “dns” options in each site (“nas1.exampledomain” and “bw.exampledomain”) nothing happens in their Debug-Log (for example in /var/log/nas1.log). It doesn't even get created. This makes me think that the per-site dns-options don't do anything (?). The first time I got to see a Logfile regarding the dns-01 challenge was when I enabled the global option “acme_ca”. But this failed, as you can see in the posted Logfile /var/log/caddy/acme3.log.

4. Error messages and/or full log output:

This is the output of the Debug-Log /var/log/caddy/acme3.log:

cat /var/log/caddy/acme3.log
{"level":"info","ts":1658678461.45326,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1658678461.453756,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0004e68c0"}
{"level":"info","ts":1658678461.4538345,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv7"}
{"level":"info","ts":1658678461.453848,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv8"}
{"level":"info","ts":1658678461.4538574,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv2"}
{"level":"info","ts":1658678461.4538658,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv1"}
{"level":"info","ts":1658678461.4538767,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv3"}
{"level":"info","ts":1658678461.453891,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv4"}
{"level":"info","ts":1658678461.4539042,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv5"}
{"level":"info","ts":1658678461.4539123,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv6"}
{"level":"info","ts":1658678461.4539227,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"debug","ts":1658678461.455401,"logger":"http","msg":"starting server loop","address":"[::]:61062","http3":false,"tls":true}
{"level":"debug","ts":1658678461.455439,"logger":"http","msg":"starting server loop","address":"[::]:61067","http3":false,"tls":true}
{"level":"debug","ts":1658678461.455456,"logger":"http","msg":"starting server loop","address":"[::]:61068","http3":false,"tls":true}
{"level":"debug","ts":1658678461.4554677,"logger":"http","msg":"starting server loop","address":"[::]:80","http3":false,"tls":false}
{"level":"debug","ts":1658678461.455542,"logger":"http","msg":"starting server loop","address":"[::]:61066","http3":false,"tls":true}
{"level":"debug","ts":1658678461.4555583,"logger":"http","msg":"starting server loop","address":"[::]:61060","http3":false,"tls":true}
{"level":"debug","ts":1658678461.455572,"logger":"http","msg":"starting server loop","address":"[::]:61061","http3":false,"tls":true}
{"level":"debug","ts":1658678461.455619,"logger":"http","msg":"starting server loop","address":"[::]:61063","http3":false,"tls":true}
{"level":"debug","ts":1658678461.4556334,"logger":"http","msg":"starting server loop","address":"[::]:61064","http3":false,"tls":true}
{"level":"debug","ts":1658678461.455645,"logger":"http","msg":"starting server loop","address":"[::]:61065","http3":false,"tls":true}
{"level":"info","ts":1658678461.4556496,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["172.30.22.2","nas1.exampledomain","bw.exampledomain"]}
{"level":"warn","ts":1658678461.4559293,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [172.30.22.2]: no OCSP server specified in certificate","identifiers":["172.30.22.2"]}
{"level":"debug","ts":1658678461.4559445,"logger":"tls.cache","msg":"added certificate to cache","subjects":["172.30.22.2"],"expiration":1658721000,"managed":true,"issuer_key":"local","hash":"43ee708ccf3d4c8a40e970bf2c6f6b5ce07562f836feab3ea5c42056e812e628","cache_size":1,"cache_capacity":10000}
{"level":"info","ts":1658678461.456218,"logger":"tls.obtain","msg":"acquiring lock","identifier":"nas1.exampledomain"}
{"level":"info","ts":1658678461.4567537,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/home/caddy/.local/share/caddy"}
{"level":"info","ts":1658678461.456875,"logger":"tls.obtain","msg":"acquiring lock","identifier":"bw.exampledomain"}
{"level":"info","ts":1658678461.4574347,"logger":"tls.obtain","msg":"lock acquired","identifier":"nas1.exampledomain"}
{"level":"info","ts":1658678461.460538,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"debug","ts":1658678461.4608033,"logger":"tls.obtain","msg":"trying issuer 1/2","issuer":"acme-staging-v02.api.letsencrypt.org-directory"}
{"level":"info","ts":1658678461.460979,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["nas1.exampledomain"],"ca":"https://acme-staging-v02.api.letsencrypt.org/directory","account":"mail@proton.me"}
{"level":"info","ts":1658678461.4609885,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["nas1.exampledomain"],"ca":"https://acme-staging-v02.api.letsencrypt.org/directory","account":"mail@proton.me"}
{"level":"info","ts":1658678461.4611585,"logger":"tls.obtain","msg":"lock acquired","identifier":"bw.exampledomain"}
{"level":"debug","ts":1658678461.4613795,"logger":"tls.obtain","msg":"trying issuer 1/2","issuer":"acme-staging-v02.api.letsencrypt.org-directory"}
{"level":"info","ts":1658678461.4614732,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["bw.exampledomain"],"ca":"https://acme-staging-v02.api.letsencrypt.org/directory","account":"mail@proton.me"}
{"level":"info","ts":1658678461.4615788,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["bw.exampledomain"],"ca":"https://acme-staging-v02.api.letsencrypt.org/directory","account":"mail@proton.me"}
{"level":"warn","ts":1658678461.4683542,"logger":"pki.ca.local","msg":"installing root certificate (you might be prompted for password)","path":"storage:pki/authorities/local/root.crt"}
{"level":"error","ts":1658678461.472704,"logger":"pki.ca.local","msg":"failed to install root certificate","error":"failed to execute sudo: exit status 1","certificate_file":"storage:pki/authorities/local/root.crt"}
{"level":"info","ts":1658678461.4728737,"msg":"autosaved config (load with --resume flag)","file":"/home/caddy/.config/caddy/autosave.json"}
{"level":"info","ts":1658678461.472949,"msg":"serving initial configuration"}
{"level":"debug","ts":1658678461.801857,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"bw.exampledomain"}
{"level":"debug","ts":1658678461.8018842,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.exampledomain"}
{"level":"debug","ts":1658678461.8018875,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.de"}
{"level":"debug","ts":1658678461.80189,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*"}
{"level":"debug","ts":1658678461.8018935,"logger":"tls.handshake","msg":"all external certificate managers yielded no certificates and no errors","sni":"bw.exampledomain"}
{"level":"debug","ts":1658678461.801898,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","server_name":"bw.exampledomain","remote":"PublicIPv4Address:39660","identifier":"bw.exampledomain","cipher_suites":[4865,4867,4866,49195,49199,52393,52392,49196,49200,49162,49161,49171,49172,156,157,47,53],"cert_cache_fill":0.0001,"load_if_necessary":true,"obtain_if_necessary":true,"on_demand":false}
{"level":"debug","ts":1658678461.8019404,"logger":"http.stdlib","msg":"http: TLS handshake error from PublicIPv4Address:39660: no certificate available for 'bw.exampledomain'"}
{"level":"debug","ts":1658678461.979279,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"GET","url":"https://acme-staging-v02.api.letsencrypt.org/directory","headers":{"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["822"],"Content-Type":["application/json"],"Date":["Sun, 24 Jul 2022 16:01:01 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1658678462.1332712,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"HEAD","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Sun, 24 Jul 2022 16:01:02 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0002Ds407rmvqENqWM0TRK1XFXiT9hyWH6kTNw3yqM6ClZc"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1658678462.1806855,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"HEAD","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Sun, 24 Jul 2022 16:01:02 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0001eP76rZstWKXKPmeCWWFzwPMqEIXw_CfXBRz764dhAX4"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1658678462.3138912,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["61940324"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["349"],"Content-Type":["application/json"],"Date":["Sun, 24 Jul 2022 16:01:02 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/order/61940324/3340291894"],"Replay-Nonce":["0001lq_63eVhq0N-NRbWJnTmHRvO5PBv_9L7Zj0q5lkrm0I"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}
{"level":"debug","ts":1658678462.3628232,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["61940324"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["347"],"Content-Type":["application/json"],"Date":["Sun, 24 Jul 2022 16:01:02 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/order/61940324/3340291904"],"Replay-Nonce":["0002IRgv8kUeEjZniwEYelCjY-0dpjKlDCk9boP4zSkq-U0"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}
{"level":"debug","ts":1658678462.4706204,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3115867734","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["61940324"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["815"],"Content-Type":["application/json"],"Date":["Sun, 24 Jul 2022 16:01:02 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0002k6wEnBXGaNiI90rL_80zxRbJDBcer9gsmWIketZ3C38"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1658678462.4708097,"logger":"tls.issuance.acme.acme_client","msg":"no solver configured","challenge_type":"tls-alpn-01"}
{"level":"info","ts":1658678462.4708211,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"nas1.exampledomain","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"debug","ts":1658678462.5219474,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3115867744","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["61940324"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["813"],"Content-Type":["application/json"],"Date":["Sun, 24 Jul 2022 16:01:02 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0002_fvG4Kwr7CuT0cLl4Zwp5vZj-j6_FEDFQcG_K3QLkQM"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1658678462.52207,"logger":"tls.issuance.acme.acme_client","msg":"no solver configured","challenge_type":"tls-alpn-01"}
{"level":"info","ts":1658678462.5220778,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"bw.exampledomain","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1658678462.6699035,"logger":"tls.issuance.acme.acme_client","msg":"cleaning up solver","identifier":"nas1.exampledomain","challenge_type":"dns-01","error":"no memory of presenting a DNS record for nas1.exampledomain (probably OK if presenting failed)"}
{"level":"error","ts":1658678462.7197459,"logger":"tls.issuance.acme.acme_client","msg":"cleaning up solver","identifier":"bw.exampledomain","challenge_type":"dns-01","error":"no memory of presenting a DNS record for bw.exampledomain (probably OK if presenting failed)"}
{"level":"debug","ts":1658678462.83004,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3115867734","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["61940324"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["819"],"Content-Type":["application/json"],"Date":["Sun, 24 Jul 2022 16:01:02 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0002Ayr1l_zm1QR3SvSwtYIG8taeCbTjEL5NsWgGk8KXj7U"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"error","ts":1658678462.830171,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"nas1.exampledomain","issuer":"acme-staging-v02.api.letsencrypt.org-directory","error":"[nas1.exampledomain] solving challenges: presenting for challenge: adding temporary record for zone exampledomain.: [netcup] Validation Error.: Invalid entry for field apikey (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/61940324/3340291894) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
{"level":"debug","ts":1658678462.830184,"logger":"tls.obtain","msg":"trying issuer 2/2","issuer":"acme-staging-v02.api.letsencrypt.org-directory"}
{"level":"info","ts":1658678462.8303726,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["nas1.exampledomain"],"ca":"https://acme-staging-v02.api.letsencrypt.org/directory","account":"mail@proton.me"}
{"level":"info","ts":1658678462.8303964,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["nas1.exampledomain"],"ca":"https://acme-staging-v02.api.letsencrypt.org/directory","account":"mail@proton.me"}
{"level":"debug","ts":1658678462.8829553,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3115867744","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["61940324"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["817"],"Content-Type":["application/json"],"Date":["Sun, 24 Jul 2022 16:01:02 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0002b2GwpqkQ1H7o4-lWq7r5xjabfKV9Abko6uGs8R0rYW8"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"error","ts":1658678462.8830817,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"bw.exampledomain","issuer":"acme-staging-v02.api.letsencrypt.org-directory","error":"[bw.exampledomain] solving challenges: presenting for challenge: adding temporary record for zone exampledomain.: [netcup] Validation Error.: Invalid entry for field apikey (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/61940324/3340291904) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
{"level":"debug","ts":1658678462.8830943,"logger":"tls.obtain","msg":"trying issuer 2/2","issuer":"acme-staging-v02.api.letsencrypt.org-directory"}
{"level":"info","ts":1658678462.8832483,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["bw.exampledomain"],"ca":"https://acme-staging-v02.api.letsencrypt.org/directory","account":"mail@proton.me"}
{"level":"info","ts":1658678462.8832614,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["bw.exampledomain"],"ca":"https://acme-staging-v02.api.letsencrypt.org/directory","account":"mail@proton.me"}
{"level":"debug","ts":1658678463.2991533,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"HEAD","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Sun, 24 Jul 2022 16:01:03 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["00020p-UcQwtPQgrHU-9HfCA2mMc0ExSaQ6a3237MvoPLyg"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1658678463.3478408,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"HEAD","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Sun, 24 Jul 2022 16:01:03 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0001c3GlVu4LoecJb35bnoIMqYW_aq7hfvhzSwaKx1bZaxw"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1658678463.4742422,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["61940324"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["347"],"Content-Type":["application/json"],"Date":["Sun, 24 Jul 2022 16:01:03 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/order/61940324/3340292154"],"Replay-Nonce":["0001178PtRBbXcnBVc62legvUCL1w4OA7Jicz5ENI6w3gOM"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}
{"level":"debug","ts":1658678463.52441,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["61940324"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["349"],"Content-Type":["application/json"],"Date":["Sun, 24 Jul 2022 16:01:03 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/order/61940324/3340292184"],"Replay-Nonce":["00027qhHb6cBKAu258IDU1rIXqR8sgxHlA_O9otTaFfSd6I"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}
{"level":"debug","ts":1658678463.630143,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3115867894","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["61940324"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["813"],"Content-Type":["application/json"],"Date":["Sun, 24 Jul 2022 16:01:03 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["00012sHfVt3GA87eYM5BbUEBUwIttCfs0mhnIUfrkPOwkE0"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1658678463.6302366,"logger":"tls.issuance.acme.acme_client","msg":"no solver configured","challenge_type":"tls-alpn-01"}
{"level":"info","ts":1658678463.6302428,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"bw.exampledomain","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1658678463.6619968,"logger":"tls.issuance.acme.acme_client","msg":"cleaning up solver","identifier":"bw.exampledomain","challenge_type":"dns-01","error":"no memory of presenting a DNS record for bw.exampledomain (probably OK if presenting failed)"}
{"level":"debug","ts":1658678463.6817498,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3115867904","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["61940324"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["815"],"Content-Type":["application/json"],"Date":["Sun, 24 Jul 2022 16:01:03 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0001R1bsVVrBFslMMJ9se3mVLKQJ4bMRxjPitouosqK4Q7U"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1658678463.6818578,"logger":"tls.issuance.acme.acme_client","msg":"no solver configured","challenge_type":"tls-alpn-01"}
{"level":"info","ts":1658678463.6818793,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"nas1.exampledomain","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1658678463.7106369,"logger":"tls.issuance.acme.acme_client","msg":"cleaning up solver","identifier":"nas1.exampledomain","challenge_type":"dns-01","error":"no memory of presenting a DNS record for nas1.exampledomain (probably OK if presenting failed)"}
{"level":"debug","ts":1658678463.8219008,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3115867894","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["61940324"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["817"],"Content-Type":["application/json"],"Date":["Sun, 24 Jul 2022 16:01:03 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0002qjuQRye-dsEMKVE3gJwzZei_bRC7UFmFi7ArExiHVPk"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"error","ts":1658678463.8220704,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"bw.exampledomain","issuer":"acme-staging-v02.api.letsencrypt.org-directory","error":"[bw.exampledomain] solving challenges: presenting for challenge: adding temporary record for zone exampledomain.: [netcup] Validation Error.: Invalid entry for field apikey (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/61940324/3340292154) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
{"level":"error","ts":1658678463.8220935,"logger":"tls.obtain","msg":"will retry","error":"[bw.exampledomain] Obtain: [bw.exampledomain] solving challenges: presenting for challenge: adding temporary record for zone exampledomain.: [netcup] Validation Error.: Invalid entry for field apikey (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/61940324/3340292154) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":2.360927729,"max_duration":2592000}
{"level":"debug","ts":1658678463.874204,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3115867904","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["61940324"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["819"],"Content-Type":["application/json"],"Date":["Sun, 24 Jul 2022 16:01:03 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["00014uslDSZBL97jBU2p1H1e_vc1A3-sS3NqK9A-o41QyIY"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"error","ts":1658678463.874369,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"nas1.exampledomain","issuer":"acme-staging-v02.api.letsencrypt.org-directory","error":"[nas1.exampledomain] solving challenges: presenting for challenge: adding temporary record for zone exampledomain.: [netcup] Validation Error.: Invalid entry for field apikey (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/61940324/3340292184) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
{"level":"error","ts":1658678463.8743868,"logger":"tls.obtain","msg":"will retry","error":"[nas1.exampledomain] Obtain: [nas1.exampledomain] solving challenges: presenting for challenge: adding temporary record for zone exampledomain.: [netcup] Validation Error.: Invalid entry for field apikey (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/61940324/3340292184) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":2.416823071,"max_duration":2592000}

5. What I already tried:

I recreated my Netcup-API credentials (API Key and API Password) and reapplied them to “/etc/environment”. It didn't fix the issue though.

How Netcup’s DNS-Plugin retrieves the API credentials through caddyfile:

customer_number {env.NETCUP_CUSTOMER_NUMBER}
api_key {env.NETCUP_API_KEY}
api_password {env.NETCUP_API_PASSWORD}

And this is what I put into /etc/environment:

cat /etc/environment
NETCUP_CUSTOMER_NUMBER=customernumber
NETCUP_API_KEY=apiKey
NETCUP_API_PASSWORD=apiPassword

Maybe I misconfigured the API credentials?

6. Links to relevant resources:

Followed this guide to install Netcup’s DNS-Plugin for Caddy
Installed this Netcup DNS-Plugin with xcaddy

Thanks for your help and have a nice sunday :blush:

Seems like it’s either a bug with the plugin, or a misconfiguration. Please ask for help on the plugin’s GitHub repo.

Are you certain that the environment variables are properly set and that Caddy is picking them up? I don’t know how Proxmox works, and whether /etc/environment will be used by the service.

You could try setting the environment variables as systemd service overrides:
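Added example, not part of the reply above and not code from Caddy or the Netcup plugin: `/etc/environment` is applied to login sessions through PAM, so `caddy environ` typed into a shell can list variables that the systemd-started service never received. The script below inspects the environment of the running process itself and reports each credential variable's state without printing its value. The function names, the script name `check_env.sh` and the sample data are assumptions made for this example; the service name `caddy` and the variable names are taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: report whether a process received the
# credential variables, without ever printing the secret values.

# env_var_status ENVIRON_FILE NAME
#   ENVIRON_FILE holds NUL-separated KEY=VALUE pairs (the /proc/<pid>/environ
#   format). Prints one word:
#     MISSING  the variable is not in the environment at all
#     EMPTY    the variable is present but has no value
#     SUSPECT  the value starts or ends with whitespace or a quote character
#              (a heuristic chosen for this example: such characters usually
#              come from a quoting mistake in the file that set the variable)
#     OK       none of the above
env_var_status() {
    tr '\0' '\n' < "$1" | awk -v name="$2" -v sq="'" '
        index($0, name "=") == 1 {
            value = substr($0, length(name) + 2)
            found = 1
            exit    # first match wins; the END block still runs
        }
        END {
            edge  = " \t\"" sq
            first = substr(value, 1, 1)
            last  = substr(value, length(value), 1)
            if (!found) { print "MISSING" }
            else if (value == "") { print "EMPTY" }
            else if (index(edge, first) || index(edge, last)) { print "SUSPECT" }
            else { print "OK" }
        }'
}

# check_service_env ENVIRON_FILE NAME...
#   Prints "NAME: STATUS" per variable; returns 0 only if every status is OK.
check_service_env() {
    file=$1
    shift
    rc=0
    for name in "$@"; do
        st=$(env_var_status "$file" "$name")
        printf '%s: %s\n' "$name" "$st"
        [ "$st" = OK ] || rc=1
    done
    return "$rc"
}

if [ "$#" -ge 1 ]; then
    # Real use, as root, with the service's main PID as the argument:
    #   sh check_env.sh "$(systemctl show -p MainPID --value caddy)"
    check_service_env "/proc/$1/environ" \
        NETCUP_CUSTOMER_NUMBER NETCUP_API_KEY NETCUP_API_PASSWORD ||
        echo "at least one variable is not usable by the service"
else
    # No argument: run against a constructed sample (not real credentials).
    sample=$(mktemp)
    printf 'PATH=/usr/bin\0NETCUP_CUSTOMER_NUMBER=12345\0NETCUP_API_KEY="constructed"\0' > "$sample"
    check_service_env "$sample" \
        NETCUP_CUSTOMER_NUMBER NETCUP_API_KEY NETCUP_API_PASSWORD ||
        echo "at least one variable is not usable by the service"
    rm -f "$sample"
fi
```

On the constructed sample the three variables come out as OK, SUSPECT and MISSING, in that order.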

Hi @francislavoie

We got a step further since I removed the variables regarding netcup-API from /etc/environment and put them into the Systemd Service Overrides! :slight_smile:

sudo systemctl edit caddy now looks like this:

### Editing /etc/systemd/system/caddy.service.d/override.conf
### Anything between here and the comment below will become the new contents of the file

[Service]
Environment="NETCUP_CUSTOMER_NUMBER=<customerNumber>"
Environment="NETCUP_API_KEY=<apiKey>"
Environment="NETCUP_API_PASSWORD=<apiPassword>"
Environment="env.NETCUP_CUSTOMER_NUMBER=<customerNumber>"
Environment="env.NETCUP_API_KEY=<apiKey>"
Environment="env.NETCUP_API_PASSWORD=<apiPassword>"
Environment="{env.NETCUP_CUSTOMER_NUMBER}=<customerNumber>"
Environment="{env.NETCUP_API_KEY}=<apiKey>"
Environment="{env.NETCUP_API_PASSWORD}=<apiPassword>"

### Lines below this comment will be discarded

After setting these variables into Systemd-Service-Overrides, I restarted the OS of the Caddy-Server.

When I now activate the global setting acme_ca in /etc/caddy/Caddyfile I get different errors. They seem to be not the same as in my original post. I guess the API authentication works now?

These are the new logs from /var/log/caddy/acme5.log

{"level":"debug","ts":1658761749.119843,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3125605534","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["61940324"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["815"],"Content-Type":["application/json"],"Date":["Mon, 25 Jul 2022 15:09:09 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0002hXNVJEYKY-kKIO3cFib69Zn1b6tSDi9WjqLrsOIuDxo"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1658761749.1199405,"logger":"tls.issuance.acme.acme_client","msg":"no solver configured","challenge_type":"tls-alpn-01"}
{"level":"info","ts":1658761749.1199465,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"nas1.exampledomain","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"debug","ts":1658761771.735557,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3125605464","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["61940324"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["817"],"Content-Type":["application/json"],"Date":["Mon, 25 Jul 2022 15:09:31 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0002Ltbi5zOwwwJxyRhUXfQxfbl816g38duElBFRYncswTQ"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"error","ts":1658761771.7356741,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"bw.exampledomain","issuer":"acme-staging-v02.api.letsencrypt.org-directory","error":"[bw.exampledomain] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of _acme-challenge.bw.exampledomain: dial tcp 37.221.199.199:53: i/o timeout (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/61940324/3353950134) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
{"level":"error","ts":1658761771.735685,"logger":"tls.obtain","msg":"will retry","error":"[bw.exampledomain] Obtain: [bw.exampledomain] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of _acme-challenge.bw.exampledomain: dial tcp 37.221.199.199:53: i/o timeout (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/61940324/3353950134) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":3,"retrying_in":120,"elapsed":321.558952442,"max_duration":2592000}
{"level":"debug","ts":1658761772.0792131,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3125605534","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["61940324"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["819"],"Content-Type":["application/json"],"Date":["Mon, 25 Jul 2022 15:09:32 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0002TqhO4wLdx-tahEpFbWpVm8XjxMIN_yL4wJi4qrZDmcE"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"error","ts":1658761772.0793118,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"nas1.exampledomain","issuer":"acme-staging-v02.api.letsencrypt.org-directory","error":"[nas1.exampledomain] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of _acme-challenge.nas1.exampledomain: dial tcp 188.68.63.68:53: i/o timeout (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/61940324/3353950234) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
{"level":"error","ts":1658761772.0793235,"logger":"tls.obtain","msg":"will retry","error":"[nas1.exampledomain] Obtain: [nas1.exampledomain] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of _acme-challenge.nas1.exampledomain: dial tcp 188.68.63.68:53: i/o timeout (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/61940324/3353950234) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":3,"retrying_in":120,"elapsed":321.899773509,"max_duration":2592000}
{"level":"debug","ts":1658761823.0361888,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"bw.exampledomain"}
{"level":"debug","ts":1658761823.0362213,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.exampledomain"}
{"level":"debug","ts":1658761823.0362246,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.de"}
{"level":"debug","ts":1658761823.036227,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*"}
{"level":"debug","ts":1658761823.0362394,"logger":"tls.handshake","msg":"all external certificate managers yielded no certificates and no errors","sni":"bw.exampledomain"}
{"level":"debug","ts":1658761823.036245,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","server_name":"bw.exampledomain","remote":"SomePublicIPv4:48980","identifier":"bw.exampledomain","cipher_suites":[4865,4867,4866,49195,49199,52393,52392,49196,49200,49162,49161,49171,49172,156,157,47,53],"cert_cache_fill":0.0001,"load_if_necessary":true,"obtain_if_necessary":true,"on_demand":false}
{"level":"debug","ts":1658761823.0362818,"logger":"http.stdlib","msg":"http: TLS handshake error from SomePublicIPv4:48980: no certificate available for 'bw.exampledomain'"}
{"level":"debug","ts":1658761830.496595,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"nas1.exampledomain"}
{"level":"debug","ts":1658761830.4966285,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.exampledomain"}
{"level":"debug","ts":1658761830.4966319,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.de"}
{"level":"debug","ts":1658761830.4966345,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*"}
{"level":"debug","ts":1658761830.4966376,"logger":"tls.handshake","msg":"all external certificate managers yielded no certificates and no errors","sni":"nas1.exampledomain"}
{"level":"debug","ts":1658761830.4966428,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","server_name":"nas1.exampledomain","remote":"SomePublicIPv4:38258","identifier":"nas1.exampledomain","cipher_suites":[4865,4867,4866,49195,49199,52393,52392,49196,49200,49162,49161,49171,49172,156,157,47,53],"cert_cache_fill":0.0001,"load_if_necessary":true,"obtain_if_necessary":true,"on_demand":false}
{"level":"debug","ts":1658761830.496682,"logger":"http.stdlib","msg":"http: TLS handshake error from SomePublicIPv4:38258: no certificate available for 'nas1.exampledomain'"}
{"level":"debug","ts":1658761891.736303,"logger":"tls.obtain","msg":"trying issuer 1/2","issuer":"acme-staging-v02.api.letsencrypt.org-directory"}
{"level":"debug","ts":1658761891.8907108,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"HEAD","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Mon, 25 Jul 2022 15:11:31 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0002fF5BYlxAT4Xl31lfIitzMkxTR-myKCkhH56t435QaoE"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1658761892.0680144,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["61940324"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["347"],"Content-Type":["application/json"],"Date":["Mon, 25 Jul 2022 15:11:31 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/order/61940324/3353977084"],"Replay-Nonce":["0001IBE9PRCCcR7WsSZPGFZsFp2CCSJ-_jUyepF43Vmb1jc"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}
{"level":"debug","ts":1658761892.0804489,"logger":"tls.obtain","msg":"trying issuer 1/2","issuer":"acme-staging-v02.api.letsencrypt.org-directory"}
{"level":"debug","ts":1658761892.2239544,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3125624054","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["61940324"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["813"],"Content-Type":["application/json"],"Date":["Mon, 25 Jul 2022 15:11:32 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0002iBOlB6rv_XFJbEzum0JApZ0rCdFmxn2iVSAhYwT5mB4"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1658761892.2240703,"logger":"tls.issuance.acme.acme_client","msg":"no solver configured","challenge_type":"tls-alpn-01"}
{"level":"info","ts":1658761892.2240775,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"bw.exampledomain","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"debug","ts":1658761892.274493,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"HEAD","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Mon, 25 Jul 2022 15:11:32 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0002578mCTfPxUn1BWpaAH1CJGuyC_N80QLO4deFOE1bOHc"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1658761892.4479754,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["61940324"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["349"],"Content-Type":["application/json"],"Date":["Mon, 25 Jul 2022 15:11:32 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/order/61940324/3353977164"],"Replay-Nonce":["0002u1CaFGzTZ-cEbbmjjcfE2EIIBmGMYYvV5ZrZ3f1AgBk"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}
{"level":"debug","ts":1658761892.6051419,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3125624114","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["61940324"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["815"],"Content-Type":["application/json"],"Date":["Mon, 25 Jul 2022 15:11:32 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0001AZu-CQGbLwTKEkTH1uGbH8JGN2K_BkpUmNnOWK4BUok"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1658761892.605244,"logger":"tls.issuance.acme.acme_client","msg":"no solver configured","challenge_type":"tls-alpn-01"}
{"level":"info","ts":1658761892.6052513,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"nas1.exampledomain","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"debug","ts":1658761915.232116,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3125624054","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["61940324"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["817"],"Content-Type":["application/json"],"Date":["Mon, 25 Jul 2022 15:11:55 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["000146vcXGTpPML3CtxphP6zAK9SF3KwZW4xb9n9ubelkVU"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"error","ts":1658761915.2322364,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"bw.exampledomain","issuer":"acme-staging-v02.api.letsencrypt.org-directory","error":"[bw.exampledomain] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of _acme-challenge.bw.exampledomain: dial tcp 188.68.63.68:53: i/o timeout (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/61940324/3353977084) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
{"level":"debug","ts":1658761915.2322478,"logger":"tls.obtain","msg":"trying issuer 2/2","issuer":"acme-staging-v02.api.letsencrypt.org-directory"}
{"level":"debug","ts":1658761915.3823495,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"HEAD","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Mon, 25 Jul 2022 15:11:55 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0002DqocvIKnT_JkaxBtOQbnrvDhtQsWYpwitZDeE5oy96s"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1658761915.5526395,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["61940324"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["347"],"Content-Type":["application/json"],"Date":["Mon, 25 Jul 2022 15:11:55 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/order/61940324/3353983394"],"Replay-Nonce":["0002zJQY4rwBryGDk9VufQ5xVpuNluqZOv0TI0swBhhq5oY"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}
{"level":"debug","ts":1658761915.6394248,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3125624114","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["61940324"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["819"],"Content-Type":["application/json"],"Date":["Mon, 25 Jul 2022 15:11:55 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0001HS5N3wky9goSNfbMI-mrUXOQLxyydmETxGnKd6FKSkk"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"error","ts":1658761915.639539,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"nas1.exampledomain","issuer":"acme-staging-v02.api.letsencrypt.org-directory","error":"[nas1.exampledomain] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of _acme-challenge.nas1.exampledomain: dial tcp 46.38.225.225:53: i/o timeout (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/61940324/3353977164) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
{"level":"debug","ts":1658761915.6395535,"logger":"tls.obtain","msg":"trying issuer 2/2","issuer":"acme-staging-v02.api.letsencrypt.org-directory"}
{"level":"debug","ts":1658761915.7061956,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3125629694","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["61940324"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["813"],"Content-Type":["application/json"],"Date":["Mon, 25 Jul 2022 15:11:55 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0002iVfvKK4sZlubj5azQeGPSrCY3Ew02-c2uvrB330_XZE"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1658761915.706307,"logger":"tls.issuance.acme.acme_client","msg":"no solver configured","challenge_type":"tls-alpn-01"}
{"level":"info","ts":1658761915.7063134,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"bw.exampledomain","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"debug","ts":1658761915.78921,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"HEAD","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Mon, 25 Jul 2022 15:11:55 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0002gtWDy2NTdvSs2MYQrleu1BAS9jL_OlqyVwQXgA9ZFAw"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1658761915.957634,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["61940324"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["349"],"Content-Type":["application/json"],"Date":["Mon, 25 Jul 2022 15:11:55 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/order/61940324/3353983524"],"Replay-Nonce":["0002Jn42xfdB8qc5GFox-F4wsoUHuRtEjMNSq4mUr8ZGqW4"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}
{"level":"debug","ts":1658761916.1103077,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3125629784","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["61940324"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["815"],"Content-Type":["application/json"],"Date":["Mon, 25 Jul 2022 15:11:56 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0002v6tSzcwJe3wXrJ_bhMizivGcExxUzTkallpPFuyIuxc"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1658761916.110404,"logger":"tls.issuance.acme.acme_client","msg":"no solver configured","challenge_type":"tls-alpn-01"}
{"level":"info","ts":1658761916.11041,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"nas1.exampledomain","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"debug","ts":1658761938.601568,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3125629694","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["61940324"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["817"],"Content-Type":["application/json"],"Date":["Mon, 25 Jul 2022 15:12:18 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0001eImDkNPFZULFXD9UeZyeRiD0eiATck0FXP9i69sh7Gg"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"error","ts":1658761938.601693,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"bw.exampledomain","issuer":"acme-staging-v02.api.letsencrypt.org-directory","error":"[bw.exampledomain] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of _acme-challenge.bw.exampledomain: dial tcp 188.68.63.68:53: i/o timeout (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/61940324/3353983394) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
{"level":"error","ts":1658761938.6017065,"logger":"tls.obtain","msg":"will retry","error":"[bw.exampledomain] Obtain: [bw.exampledomain] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of _acme-challenge.bw.exampledomain: dial tcp 188.68.63.68:53: i/o timeout (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/61940324/3353983394) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":4,"retrying_in":300,"elapsed":488.424974057,"max_duration":2592000}
{"level":"debug","ts":1658761938.9945204,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3125629784","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["61940324"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["819"],"Content-Type":["application/json"],"Date":["Mon, 25 Jul 2022 15:12:18 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["00015T_tg17m31ZQLMFnmR7P04HIK5R6gBdRjFtvEogebwA"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"error","ts":1658761938.9946785,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"nas1.exampledomain","issuer":"acme-staging-v02.api.letsencrypt.org-directory","error":"[nas1.exampledomain] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of _acme-challenge.nas1.exampledomain: dial tcp 46.38.225.225:53: i/o timeout (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/61940324/3353983524) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
{"level":"error","ts":1658761938.9946942,"logger":"tls.obtain","msg":"will retry","error":"[nas1.exampledomain] Obtain: [nas1.exampledomain] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of _acme-challenge.nas1.exampledomain: dial tcp 46.38.225.225:53: i/o timeout (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/61940324/3353983524) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":4,"retrying_in":300,"elapsed":488.815143976,"max_duration":2592000}
{"level":"debug","ts":1658762100.7499285,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"bw.exampledomain"}
{"level":"debug","ts":1658762100.7499647,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.exampledomain"}
{"level":"debug","ts":1658762100.749968,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.de"}
{"level":"debug","ts":1658762100.7499707,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*"}
{"level":"debug","ts":1658762100.749974,"logger":"tls.handshake","msg":"all external certificate managers yielded no certificates and no errors","sni":"bw.exampledomain"}
{"level":"debug","ts":1658762100.7499788,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","server_name":"bw.exampledomain","remote":"SomePublicIPv4:48982","identifier":"bw.exampledomain","cipher_suites":[4865,4867,4866,49195,49199,52393,52392,49196,49200,49162,49161,49171,49172,156,157,47,53],"cert_cache_fill":0.0001,"load_if_necessary":true,"obtain_if_necessary":true,"on_demand":false}
{"level":"debug","ts":1658762100.7500303,"logger":"http.stdlib","msg":"http: TLS handshake error from SomePublicIPv4:48982: no certificate available for 'bw.exampledomain'"}
{"level":"info","ts":1658762137.2338636,"msg":"shutting down apps, then terminating","signal":"SIGTERM"}
{"level":"warn","ts":1658762137.2339132,"msg":"exiting; byeee!! 👋","signal":"SIGTERM"}
{"level":"info","ts":1658762137.2452233,"logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0xc00039ab60"}
{"level":"info","ts":1658762137.245399,"logger":"tls.obtain","msg":"releasing lock","identifier":"nas1.exampledomain"}
{"level":"error","ts":1658762137.2454145,"logger":"tls.obtain","msg":"unable to unlock","identifier":"nas1.exampledomain","lock_key":"issue_cert_nas1.exampledomain","error":"remove /home/caddy/.local/share/caddy/locks/issue_cert_nas1.exampledomain.lock: no such file or directory"}
{"level":"error","ts":1658762137.2454302,"logger":"tls","msg":"job failed","error":"nas1.exampledomain: obtaining certificate: context canceled"}
{"level":"info","ts":1658762137.245436,"logger":"tls.obtain","msg":"releasing lock","identifier":"bw.exampledomain"}
{"level":"error","ts":1658762137.2454438,"logger":"tls.obtain","msg":"unable to unlock","identifier":"bw.exampledomain","lock_key":"issue_cert_bw.exampledomain","error":"remove /home/caddy/.local/share/caddy/locks/issue_cert_bw.exampledomain.lock: no such file or directory"}
{"level":"error","ts":1658762137.2454476,"logger":"tls","msg":"job failed","error":"bw.exampledomain: obtaining certificate: context canceled"}
{"level":"info","ts":1658762137.2465472,"logger":"admin","msg":"stopped previous server","address":"tcp/localhost:2019"}
{"level":"info","ts":1658762137.246563,"msg":"shutdown complete","signal":"SIGTERM","exit_code":0}

Thank you for taking the time to solve this issue with me :blush:

Edit:
At this point I have to mention that I'm using a network firewall which my Caddyserver is connected to.
This Firewall does not allow outbound connections to tcp/udp 53.
I set my Firewall to be the DNS-Resolver and other DNS-Servers are not reachable via tcp/udp 53 for my Caddyserver.

Is my Firewall-Setup related to those lines?

waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of _acme-challenge.bw.exampledomain: dial tcp 37.221.199.199:53: i/o timeout (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/61940324/3353950134)

Edit 2:
I just found that in my Netcup DNS Zone-Management a TXT-Record got created. This means that the Netcup-DNS-Plugin for Caddy now works for me.

The issue that nas1.exampledomain doesn't retrieve a valid certificate through dns-01 Challenge remains though. See previously posted output of /var/log/caddy/acme5.log

checking DNS propagation of _acme-challenge.bw.exampledomain: dial tcp 188.68.63.68:53: i/o timeout 

That means your DNS resolver isn’t properly configured on your network, or something like that. Make sure that your local network configuration is correct. :slight_smile:

You only need these, the other sets don’t make sense. {env.*} is Caddy placeholder syntax, where * is the environment variable name.

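The failures in this thread happen at different stages of the dns-01 flow (creating the TXT record through the provider API, reaching a nameserver on port 53, waiting for the record to become visible), and each points at a different fix. The following is an added example, not part of any post above and not Caddy or plugin code: a small triage script over Caddy's JSON log lines. The function names, stage labels and sample lines are assumptions made for illustration; the sample is constructed and uses documentation-range addresses.

```python
import json
import re
from collections import defaultdict

# Constructed sample, shortened from the shapes of the log entries in this thread.
# Nameserver addresses are documentation-range placeholders, not real servers.
SAMPLE_LOG = """\
{"level":"error","logger":"tls.obtain","msg":"will retry","error":"[nas1.exampledomain] Obtain: [nas1.exampledomain] solving challenges: presenting for challenge: adding temporary record for zone exampledomain.: [netcup] Validation Error.: Invalid entry for field apikey (order=https://ca.example/order/1)","attempt":1}
{"level":"error","logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"bw.exampledomain","error":"[bw.exampledomain] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of _acme-challenge.bw.exampledomain: dial tcp 192.0.2.53:53: i/o timeout (order=https://ca.example/order/2)"}
{"level":"error","logger":"tls.obtain","msg":"will retry","error":"[bw.exampledomain] Obtain: [bw.exampledomain] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of _acme-challenge.bw.exampledomain: dial tcp 192.0.2.53:53: i/o timeout (order=https://ca.example/order/2)","attempt":3}
{"level":"error","logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"nas1.exampledomain","error":"[nas1.exampledomain] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of _acme-challenge.nas1.exampledomain: dial tcp 198.51.100.53:53: i/o timeout (order=https://ca.example/order/3)"}
{"level":"error","logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"nas1.exampledomain","error":"[nas1.exampledomain] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of _acme-challenge.nas1.exampledomain: dial tcp 203.0.113.53:53: i/o timeout (order=https://ca.example/order/4)"}
{"level":"error","logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"nas1.exampledomain","error":"[nas1.exampledomain] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://ca.example/order/5)"}
{"level":"debug","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"bw.exampledomain"}
caddy.service: a non-JSON line that must be skipped
"""

IDENT_RE = re.compile(r"^\[([^\]]+)\]")
PRESENT_RE = re.compile(r"presenting for challenge: (.+?)(?: \(order=|$)")
DIAL_RE = re.compile(
    r"checking DNS propagation of \S+: dial (?:tcp|udp) "
    r"(\[[0-9a-fA-F:]+\]|\d+(?:\.\d+){3}):53: i/o timeout"
)
PROPAGATION_TEXT = "timed out waiting for record to fully propagate"

# What to look at for each stage (labels are this example's own).
HINTS = {
    "present-failed": "the DNS provider API rejected the request; confirm the "
                      "Caddy service really receives the credentials it references",
    "nameserver-unreachable": "the logged address was not reachable on port 53; "
                              "review egress rules for DNS from the Caddy host",
    "propagation-timeout": "lookups worked but the TXT record was not seen in "
                           "time; verify the DNS provider configuration",
    "other": "not a recognised dns-01 failure; read the full error",
}


def classify(error):
    """Map one tls.obtain error string to (stage, detail)."""
    m = PRESENT_RE.search(error)
    if m:
        return "present-failed", m.group(1)
    m = DIAL_RE.search(error)
    if m:
        return "nameserver-unreachable", m.group(1)
    if PROPAGATION_TEXT in error:
        return "propagation-timeout", "record not seen before timeout"
    return "other", error


def triage(lines):
    """Return {identifier: {stage: sorted unique details}} for issuance errors."""
    findings = defaultdict(lambda: defaultdict(set))
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if entry.get("logger") != "tls.obtain":
            continue
        if entry.get("msg") not in ("could not get certificate from issuer", "will retry"):
            continue
        error = entry.get("error", "")
        m = IDENT_RE.match(error)
        # "will retry" entries carry no identifier field; take it from the error prefix.
        ident = entry.get("identifier") or (m.group(1) if m else "unknown")
        stage, detail = classify(error)
        findings[ident][stage].add(detail)
    return {i: {s: sorted(d) for s, d in st.items()} for i, st in findings.items()}


def report(findings):
    """Render the triage result as text, one hint per stage."""
    out = []
    for ident in sorted(findings):
        for stage, details in sorted(findings[ident].items()):
            out.append(f"{ident}: {stage}: {', '.join(details)}")
            out.append(f"  check: {HINTS[stage]}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG.splitlines())))
```
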

Hi Matt,

I played around with my DNS configuration for a bit.
I got a step further I think.

I've changed my Firewall Policies so that Caddy can reach ALL Public DNS Servers via Port 53.
Changed /etc/netplan/00-config(…) so that the DNS-Servers are now 8.8.8.8 and 8.8.4.4

I've also changed my Caddyfile to have a line “resolvers 8.8.8.8” for “bw.exampledomain” and “nas1.exampledomain” in it:

	tls {
		dns netcup {
			customer_number {env.NETCUP_CUSTOMER_NUMBER}
			api_key {env.NETCUP_API_KEY}
			api_password {env.NETCUP_API_PASSWORD}
		}
		resolvers 8.8.8.8
	}

Now I get the following errors from /var/log/caddy/acme-7.log

{"level":"debug","ts":1658820857.1749527,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3132776214","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["61940324"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["819"],"Content-Type":["application/json"],"Date":["Tue, 26 Jul 2022 07:34:17 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0002dUCWrpOMX7a5YP5elWxGwGMYFEpKgntfpHP7ZYQvW_Q"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"error","ts":1658820857.175076,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"nas1.exampledomain","issuer":"acme-staging-v02.api.letsencrypt.org-directory","error":"[nas1.exampledomain] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/61940324/3364236034) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
{"level":"debug","ts":1658820857.1750934,"logger":"tls.obtain","msg":"trying issuer 2/2","issuer":"acme-staging-v02.api.letsencrypt.org-directory"}
{"level":"debug","ts":1658820857.32894,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"HEAD","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Tue, 26 Jul 2022 07:34:17 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0001aPhx_-vzXAvFIQrTxMxf7afxCTiYPEnVFXGpbfTBfj0"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1658820857.4996245,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["61940324"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["349"],"Content-Type":["application/json"],"Date":["Tue, 26 Jul 2022 07:34:17 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/order/61940324/3364260604"],"Replay-Nonce":["0001ICppbfKLQo9Jwzlgr28ebPcj6WeRGELc9LZc3MRx5xU"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}
{"level":"debug","ts":1658820857.6555674,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3132794374","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["61940324"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["815"],"Content-Type":["application/json"],"Date":["Tue, 26 Jul 2022 07:34:17 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0002Jff7zCflLsJh5zVCDEzXWBk7iujnyXTl_Nbd0iownww"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"info","ts":1658820857.6556938,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"nas1.exampledomain","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"debug","ts":1658820895.0629697,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3132782224","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["61940324"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["817"],"Content-Type":["application/json"],"Date":["Tue, 26 Jul 2022 07:34:54 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0001--yRfMTWN8YKSCkgcUNTlAXK5d6OwaBIqdogwV3TrxM"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"error","ts":1658820895.06309,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"bw.exampledomain","issuer":"acme-staging-v02.api.letsencrypt.org-directory","error":"[bw.exampledomain] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/61940324/3364244104) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
{"level":"error","ts":1658820895.063111,"logger":"tls.obtain","msg":"will retry","error":"[bw.exampledomain] Obtain: [bw.exampledomain] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/61940324/3364244104) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":5,"retrying_in":600,"elapsed":928.404023264,"max_duration":2592000}
{"level":"debug","ts":1658820979.2628758,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3132794374","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["61940324"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["819"],"Content-Type":["application/json"],"Date":["Tue, 26 Jul 2022 07:36:19 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0001eIrBnJ8MRePr0Z8H8E8EQqie9E9xpcVr-RgqdEbeeK8"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"error","ts":1658820979.2630055,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"nas1.exampledomain","issuer":"acme-staging-v02.api.letsencrypt.org-directory","error":"[nas1.exampledomain] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/61940324/3364260604) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
{"level":"error","ts":1658820979.2630174,"logger":"tls.obtain","msg":"will retry","error":"[nas1.exampledomain] Obtain: [nas1.exampledomain] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/61940324/3364260604) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":5,"retrying_in":600,"elapsed":1012.603963752,"max_duration":2592000}
{"level":"debug","ts":1658821029.3843632,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"bw.exampledomain"}
{"level":"debug","ts":1658821029.384399,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.exampledomain"}
{"level":"debug","ts":1658821029.3844025,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.de"}
{"level":"debug","ts":1658821029.3844047,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*"}
{"level":"debug","ts":1658821029.384408,"logger":"tls.handshake","msg":"all external certificate managers yielded no certificates and no errors","sni":"bw.exampledomain"}
{"level":"debug","ts":1658821029.384413,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","server_name":"bw.exampledomain","remote":"PublicIPv4Address:55402","identifier":"bw.exampledomain","cipher_suites":[4865,4867,4866,49195,49199,52393,52392,49196,49200,49162,49161,49171,49172,156,157,47,53],"cert_cache_fill":0.0001,"load_if_necessary":true,"obtain_if_necessary":true,"on_demand":false}
{"level":"debug","ts":1658821029.3844528,"logger":"http.stdlib","msg":"http: TLS handshake error from PublicIPv4Address:55402: no certificate available for 'bw.exampledomain'"}
{"level":"debug","ts":1658821149.7976165,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"bw.exampledomain"}
{"level":"debug","ts":1658821149.7976522,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.exampledomain"}
{"level":"debug","ts":1658821149.7976558,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.de"}
{"level":"debug","ts":1658821149.7976584,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*"}
{"level":"debug","ts":1658821149.7976618,"logger":"tls.handshake","msg":"all external certificate managers yielded no certificates and no errors","sni":"bw.exampledomain"}
{"level":"debug","ts":1658821149.7976668,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","server_name":"bw.exampledomain","remote":"PublicIPv4Address:55408","identifier":"bw.exampledomain","cipher_suites":[4865,4867,4866,49195,49199,52393,52392,49196,49200,49162,49161,49171,49172,156,157,47,53],"cert_cache_fill":0.0001,"load_if_necessary":true,"obtain_if_necessary":true,"on_demand":false}
{"level":"debug","ts":1658821149.7977154,"logger":"http.stdlib","msg":"http: TLS handshake error from PublicIPv4Address:55408: no certificate available for 'bw.exampledomain'"}

The following line got my attention:

waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/

I don't know how to fix this, though.

@francislavoie I deleted the “env.” sets from the system service overrides as you've suggested 🙂

Fixed.

Will write down the solution here tomorrow.

Thanks for helping @matt @francislavoie

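An added example, not part of the thread and not Caddy's own tooling: a small triage script for DEBUG logs like the one posted above, which groups `tls.obtain` failures by hostname, labels the "timed out waiting for record to fully propagate" case, and counts the TLS handshakes that failed because no certificate was available. The field names come from the log lines in the post; the sample lines are constructed and shortened, and the cause labels are hypothetical names.

```python
import json
import re
from collections import defaultdict

# Constructed sample, shortened from the log format in the post (not real data).
SAMPLE_LOG = """\
{"level":"info","ts":1658820857.65,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"nas1.exampledomain","challenge_type":"dns-01"}
{"level":"error","ts":1658820895.06,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"bw.exampledomain","error":"[bw.exampledomain] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme.example/order/1/2)"}
{"level":"error","ts":1658820895.07,"logger":"tls.obtain","msg":"will retry","error":"[bw.exampledomain] Obtain: [bw.exampledomain] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme.example/order/1/2)","attempt":5,"retrying_in":600}
{"level":"debug","ts":1658821029.38,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","server_name":"bw.exampledomain"}
not json: truncated line
"""

# "will retry" entries carry no "identifier" field; the name is the first [..] in "error".
NAME_RE = re.compile(r"^\[([^\]]+)\]")
CAUSES = {"timed out waiting for record to fully propagate": "dns-propagation-timeout"}


def classify(error):
    """Map a tls.obtain error string to a short cause label (labels are hypothetical)."""
    for needle, label in CAUSES.items():
        if needle in error:
            return label
    return "other"


def triage(text):
    """Summarise issuance failures and their client-side impact per hostname."""
    report = defaultdict(lambda: {"causes": set(), "attempt": 0,
                                  "next_retry_ts": None, "handshake_failures": 0})
    for line in text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(entry, dict):
            continue
        logger, msg = entry.get("logger"), entry.get("msg")
        if logger == "tls.obtain" and entry.get("level") == "error":
            error = entry.get("error", "")
            match = NAME_RE.match(error)
            name = entry.get("identifier") or (match.group(1) if match else "unknown")
            rec = report[name]
            rec["causes"].add(classify(error))
            if msg == "will retry":
                rec["attempt"] = max(rec["attempt"], entry.get("attempt", 0))
                rec["next_retry_ts"] = entry.get("ts", 0) + entry.get("retrying_in", 0)
        elif logger == "tls.handshake" and msg == "no certificate matching TLS ClientHello":
            report[entry.get("server_name", "unknown")]["handshake_failures"] += 1
    return dict(report)


if __name__ == "__main__":
    for host, rec in triage(SAMPLE_LOG).items():
        print(host, rec)
```

A hostname that shows `dns-propagation-timeout` together with a rising `attempt` count means Caddy is still waiting to see the challenge TXT record through its configured resolvers, so the DNS plugin credentials and the `resolvers` setting are the first things to check.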