1. The problem I’m having:
I am trying to issue a wildcard certificate using porkbun's DNS ACME plugin for the domain *.in.rschanz.org, but I am having issues getting Let's Encrypt to actually verify my TXT record (sorry if this is more of a Let's Encrypt forum issue rather than here). Everything seems to be working like I would expect, but Caddy times out every time it tries to issue the certificate. I am attempting to do it with dns_challenge_override_domain, since using *.in.rschanz.org causes the porkbun plugin to fail because that domain specifically "doesn't exist".
Something else to note: in the logs it points out the staging URL for Let's Encrypt. I don't exactly know why that is, since a grep -R "staging" within /etc/caddy shows no results, and neither does grepping the output of caddy adapt /etc/caddy/Caddyfile.
I believe my setup is correct, but please let me know if I messed something basic up. I have also been messing around with the propagation_timeout to no avail, especially since I see most nameservers (1.1.1.1, 8.8.8.8, etc.) update within 30s.
_acme-challenge.in.rschanz.org -> CNAME pointing to _acme-challenge.rschanz.org
_acme-challenge.rschanz.org -> Created by caddy with proper token during attempts, as verified by dig, 3rd-party sites, etc. Does not exist otherwise.
2. Error messages and/or full log output:
{"level":"info","ts":1743339359.576337,"msg":"trying to solve challenge","identifier":"*.in.rschanz.org","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1743339484.5553412,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.in.rschanz.org","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[*.in.rschanz.org] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/186748404/23572711644) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
{"level":"error","ts":1743339484.5560472,"logger":"tls.obtain","msg":"will retry","error":"[*.in.rschanz.org] Obtain: [*.in.rschanz.org] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/186748404/23572711644) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":27,"retrying_in":21600,"elapsed":111346.29866896,"max_duration":2592000}
3. Caddy version:
v2.9.1 h1:OEYiZ7DbCzAWVb6TNEkjRcSCRGHVoZsJinoDR/n9oaY=
4. How I installed and ran Caddy:
Alpine APK package manager from edge
a. System environment:
x86_64 Alpine edge running on Hetzner VM
b. Command:
caddy run --config /etc/caddy/Caddyfile
d. My complete Caddy config:
(Note: this is not my complete Caddy config, just the relevant parts (the domain with the issue and the global settings), as my complete config is tens of files with unrelated domains that work fine. I am attempting to do this wildcard cert to get rid of the on_demand_tls hack I've had set up prior, which you can see.)
{
	email *****
	log {
		output file /var/log/caddy/log
	}
	# on-demand TLS workaround that the wildcard certificate is meant to replace
	on_demand_tls {
		ask http://127.0.0.1:8080
	}
}

*.in.rschanz.org {
	tls {
		# the TXT record is created at this name instead of _acme-challenge.in.rschanz.org
		dns_challenge_override_domain _acme-challenge.rschanz.org.
		propagation_timeout 120s
		dns porkbun {
			api_key *****
			api_secret_key *****
		}
	}
	root * /srv/in_rschanz_landing/
	rewrite * index.html
	file_server
}
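The check a practitioner would want before touching propagation_timeout is to reproduce the lookups Caddy's propagation check actually performs: it does not ask 1.1.1.1 or 8.8.8.8, it finds the authoritative nameservers for the TXT record's zone and queries each of them directly, so a public resolver answering correctly says nothing about whether every authoritative server has the record yet. The script below is an added example and is not part of the original post or of Caddy; it assumes dig is installed (bind-tools on Alpine), uses the hostnames from the post, and takes the token from the current attempt as an argument. The resolve wrapper exists so the lookup backend can be stubbed for offline testing.

```shell
#!/bin/sh
# Added example, not from the original post: follow the CNAME at
# _acme-challenge.<zone>, find the authoritative nameservers for the CNAME
# target, and ask each of them directly for the TXT token.
# Assumptions: `dig` is installed; the token is the value read from Caddy's
# log or from the porkbun DNS panel during an attempt.
set -eu

# Resolver wrapper so the lookup backend can be swapped (e.g. stubbed offline).
# Usage: resolve TYPE NAME [SERVER]
resolve() {
    if [ "$#" -ge 3 ] && [ -n "$3" ]; then
        dig +short "$1" "$2" "@$3"
    else
        dig +short "$1" "$2"
    fi
}

strip_dot() { sed 's/\.$//'; }

# Print the CNAME target of NAME, or nothing if NAME is not a CNAME.
cname_target() {
    resolve CNAME "$1" | strip_dot | head -n 1
}

# Print the authoritative nameservers for NAME by walking up the labels until
# one has an NS set (_acme-challenge.rschanz.org -> rschanz.org).
authoritative_ns() {
    name=$1
    while [ -n "$name" ]; do
        ns=$(resolve NS "$name" | strip_dot)
        if [ -n "$ns" ]; then
            printf '%s\n' "$ns"
            return 0
        fi
        case $name in
            *.*) name=${name#*.} ;;
            *)   break ;;
        esac
    done
    return 1
}

# Return 0 only if every authoritative server for NAME serves a TXT record
# whose value is exactly TOKEN; print one status line per server.
txt_on_all_authoritative() {
    name=$1
    token=$2
    missing=0
    servers=$(authoritative_ns "$name") || { echo "no NS records found above $name"; return 1; }
    for ns in $servers; do
        if resolve TXT "$name" "$ns" | tr -d '"' | grep -qxF -- "$token"; then
            echo "ok      $ns serves TXT $name"
        else
            echo "MISSING $ns does not serve TXT $name = $token"
            missing=1
        fi
    done
    return "$missing"
}

# Check a wildcard zone: expect _acme-challenge.<zone> to be a CNAME and verify
# the token at the CNAME target (or at the record itself if there is no CNAME).
check_delegation() {
    zone=$1
    token=$2
    record="_acme-challenge.$zone"
    target=$(cname_target "$record")
    if [ -n "$target" ]; then
        echo "$record -> CNAME $target"
    else
        echo "no CNAME at $record; the TXT record must live there directly"
        target=$record
    fi
    txt_on_all_authoritative "$target" "$token"
}

# Usage: sh check_dns01.sh in.rschanz.org '<token from the current attempt>'
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    check_delegation "$1" "$2"
fi
```

Run it while Caddy is in the middle of an attempt, with the token it just published. Any MISSING line means an authoritative server is still serving a stale or empty answer, which is exactly the condition that makes Caddy report "timed out waiting for record to fully propagate" even though public resolvers already show the record. Two related facts worth knowing when reading the config and log above: Caddy uses the dns_challenge_override_domain value as the literal name of the TXT record it creates (so the record to check is _acme-challenge.rschanz.org, matching what dig showed the poster), and the staging directory in the log is not from the Caddyfile; after a failed attempt Caddy retries against Let's Encrypt's staging CA to avoid burning production rate limits, and switches back to production once an attempt succeeds.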