DNS Challenge with IONOS not working

1. Caddy version (caddy version):

v2.4.6 h1:HGkGICFGvyrodcqOOclHKfvJC0qTU7vny/7FhYp9hNw=

2. How I run Caddy:

installed on a new vm

start caddy in etc/caddy (location of caddyfile)

Installed caddy with ubuntu apt get → like in the documentation
Installed go
installed xcaddy
Built Caddy with:

xcaddy build --with github.com/caddy-dns/ionos

Copied the built version to /usr/bin and replaced the version from apt get.

a. System environment:

Ubuntu 20.04 on esxi 7

b. Command:

caddy run

c. Service/unit/compose file:


d. My complete Caddyfile or JSON config:

{
	email admin@tld.biz
	http_port 80
	https_port 443
	admin localhost:2019
	log
	debug
	acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
	storage file_system {
		root etc/caddy
	}
}

(default) {
	}

(acl) {
	@acl {
		remote_ip 192.168.76.0/24
		remote_ip 192.168.77.0/24
	}
}
*tld.biz {
	tls {
		dns ionos prefix.secret
	}
	@archiv host archiv.tld.biz
	handle @archiv {
		import default
		reverse_proxy http://192.168.76.204:8462
	}

	@iss host iis.tld.biz
	handle @iss {
		import default
		reverse_proxy 192.168.76.200
	}

	@pf host pf.tld.biz
	handle @pf {
		import default
		reverse_proxy 192.168.76.201
	}

	@post host post.tld.biz
	handle @post {
		import default
		reverse_proxy 192.168.76.204
	}

	@cloud host cloud.tld.biz
	handle @cloud {
		reverse_proxy https://192.168.76.207:8080 {
			transport http {
				tls
				tls_insecure_skip_verify
			}
		}
	}
}

3. The problem I’m having:

I am trying to set up Caddy as a reverse proxy, mostly for internal services. Maybe, if everything is up and running, I’ll forward 443 to Caddy to serve as a reverse proxy for the mail server and access to Nextcloud.

It seems the certificates aren’t created.
Requests give SSL_ERROR_INTERNAL_ERROR_ALERT

4. Error messages and/or full log output:

root@reverseproxy:/etc/caddy# caddy run
2021/11/24 14:51:11.518 INFO    using adjacent Caddyfile
2021/11/24 14:51:11.521 INFO    admin   admin endpoint started  {"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["localhost:2019", "[::1]:2019", "127.0.0.1:2019"]}
2021/11/24 14:51:11.521 INFO    http    server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2021/11/24 14:51:11.522 INFO    http    enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2021/11/24 14:51:11.522 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc000304070"}
2021/11/24 14:51:11.523 DEBUG   http    starting server loop    {"address": "[::]:443", "http3": false, "tls": true}
2021/11/24 14:51:11.523 DEBUG   http    starting server loop    {"address": "[::]:80", "http3": false, "tls": false}
2021/11/24 14:51:11.523 INFO    tls     cleaning storage unit   {"description": "FileStorage:etc/caddy"}
2021/11/24 14:51:11.523 INFO    tls     finished cleaning storage units
2021/11/24 14:51:11.523 INFO    autosaved config (load with --resume flag)      {"file": "/root/.config/caddy/autosave.json"}
2021/11/24 14:51:11.524 INFO    serving initial configuration
2021/11/24 14:53:06.384 DEBUG   tls.handshake   no matching certificates and no custom selection logic  {"identifier": "archiv.tld.biz"}
2021/11/24 14:53:06.384 DEBUG   tls.handshake   no matching certificates and no custom selection logic  {"identifier": "*.tld.biz"}
2021/11/24 14:53:06.384 DEBUG   tls.handshake   no matching certificates and no custom selection logic  {"identifier": "*.*.biz"}
2021/11/24 14:53:06.384 DEBUG   tls.handshake   no matching certificates and no custom selection logic  {"identifier": "*.*.*"}
2021/11/24 14:53:06.384 DEBUG   tls.handshake   no certificate matching TLS ClientHello {"server_name": "archiv.tld.biz", "remote": "192.168.76.2:2466", "identifier": "archiv.tld.biz", "cipher_suites": [4865, 4867, 4866, 49195, 49199, 52393, 52392, 49196, 49200, 49162, 49161, 49171, 49172, 156, 157, 47, 53, 10], "cert_cache_fill": 0, "load_if_necessary": true, "obtain_if_necessary": true, "on_demand": false}
2021/11/24 14:53:06.384 DEBUG   http.stdlib     http: TLS handshake error from 192.168.76.2:2466: no certificate available for 'archiv.tld.biz'

That’s it. If I reload the site in the browser, it gives the same debug output again.

5. What I already tried:

As it’s my first attempt with Caddy, I only tried a fresh install in a newly created VM, and tried to get a log of the certification process working, with not much success.

Let it sit over night and hoped it was a time issue…

6. Links to relevant resources:

Hmm. You should run Caddy using the built-in systemd service instead. See the docs about that here:

This doesn’t look right. The * for a wildcard should be its own label, like *.example.com (note the . in between).

I disabled it for testing purposes; once it runs smoothly it will start as a service.

This! Forgot the dot. Need to hide now. Thanks for pointing me to it.

Changing it starts the DNS challenge. Success.

However it prompts an error:

root@reverseproxy:/# cd etc/caddy
root@reverseproxy:/etc/caddy# caddy fmt --overwrite
root@reverseproxy:/etc/caddy# caddy run
2021/11/25 08:14:12.801 INFO    using adjacent Caddyfile
2021/11/25 08:14:12.804 INFO    admin   admin endpoint started  {"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["localhost:2019", "[::1]:2019", "127.0.0.1:2019"]}
2021/11/25 08:14:12.806 INFO    http    server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2021/11/25 08:14:12.806 INFO    http    enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2021/11/25 08:14:12.806 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc0002b1650"}
2021/11/25 08:14:12.808 DEBUG   http    starting server loop    {"address": "[::]:443", "http3": false, "tls": true}
2021/11/25 08:14:12.808 DEBUG   http    starting server loop    {"address": "[::]:80", "http3": false, "tls": false}
2021/11/25 08:14:12.809 INFO    http    enabling automatic TLS certificate management   {"domains": ["*.tld.biz"]}
2021/11/25 08:14:12.809 INFO    autosaved config (load with --resume flag)      {"file": "/root/.config/caddy/autosave.json"}
2021/11/25 08:14:12.809 INFO    serving initial configuration
2021/11/25 08:14:12.810 INFO    tls.obtain      acquiring lock  {"identifier": "*.tld.biz"}
2021/11/25 08:14:12.809 INFO    tls     cleaning storage unit   {"description": "FileStorage:/etc/caddy"}
2021/11/25 08:14:12.813 INFO    tls     finished cleaning storage units
2021/11/25 08:14:12.813 INFO    tls.obtain      lock acquired   {"identifier": "*.tld.biz"}
2021/11/25 08:14:12.813 DEBUG   tls.obtain      trying issuer 1/2       {"issuer": "acme-staging-v02.api.letsencrypt.org-directory"}
2021/11/25 08:14:13.506 DEBUG   tls.issuance.acme.acme_client   http request    {"method": "GET", "url": "https://acme-staging-v02.api.letsencrypt.org/directory", "headers": {"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["822"],"Content-Type":["application/json"],"Date":["Thu, 25 Nov 2021 08:14:13 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2021/11/25 08:14:13.675 DEBUG   tls.issuance.acme.acme_client   http request    {"method": "HEAD", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce", "headers": {"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Date":["Thu, 25 Nov 2021 08:14:13 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0002s_w785HOPF0r1YwqgA9mzLF0dpfaWa18YLH3J10NWyw"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2021/11/25 08:14:13.854 DEBUG   tls.issuance.acme.acme_client   http request    {"method": "POST", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["34869978"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["321"],"Content-Type":["application/json"],"Date":["Thu, 25 Nov 2021 08:14:13 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf>;rel=\"terms-of-service\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/acct/34869978"],"Replay-Nonce":["0002nibhCBw5FF5eYNP6sjT1oItqPtE_8L17GRFbgeD4F8E"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 201}
2021/11/25 08:14:13.855 INFO    tls.issuance.acme       waiting on internal rate limiter        {"identifiers": ["*.tld.biz"], "ca": "https://acme-staging-v02.api.letsencrypt.org/directory", "account": "admin@tld.biz"}
2021/11/25 08:14:13.855 INFO    tls.issuance.acme       done waiting on internal rate limiter   {"identifiers": ["*.tld.biz"], "ca": "https://acme-staging-v02.api.letsencrypt.org/directory", "account": "admin@tld.biz"}
2021/11/25 08:14:14.044 DEBUG   tls.issuance.acme.acme_client   http request    {"method": "POST", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["34869978"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["350"],"Content-Type":["application/json"],"Date":["Thu, 25 Nov 2021 08:14:13 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/order/34869978/1109818838"],"Replay-Nonce":["00029vK5S1QhZ_Ik8P5mtLPsV5lxRi6zCgFWyIr7izaKadQ"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 201}
2021/11/25 08:14:14.218 DEBUG   tls.issuance.acme.acme_client   http request    {"method": "POST", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/1023718478", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["34869978"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["392"],"Content-Type":["application/json"],"Date":["Thu, 25 Nov 2021 08:14:14 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0001P8SL0nA82U7qrkn2LLPCc4Qin7baAx7TcEI0NhxJApU"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2021/11/25 08:14:14.218 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "*.tld.biz", "challenge_type": "dns-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"}
2021/11/25 08:16:18.672 DEBUG   tls.issuance.acme.acme_client   http request    {"method": "POST", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/1023718478", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["34869978"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["396"],"Content-Type":["application/json"],"Date":["Thu, 25 Nov 2021 08:16:18 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0001kAN8KFJEEFJscoJW1qzCZupBlgkHBcTbDA5w5S57tzg"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2021/11/25 08:16:18.672 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "*.tld.biz", "issuer": "acme-staging-v02.api.letsencrypt.org-directory", "error": "[*.tld.biz] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/34869978/1109818838) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
2021/11/25 08:16:18.672 DEBUG   tls.obtain      trying issuer 2/2       {"issuer": "acme-staging-v02.api.letsencrypt.org-directory"}
2021/11/25 08:16:18.673 INFO    tls.issuance.acme       waiting on internal rate limiter        {"identifiers": ["*.tld.biz"], "ca": "https://acme-staging-v02.api.letsencrypt.org/directory", "account": "admin@tld.biz"}
2021/11/25 08:16:18.673 INFO    tls.issuance.acme       done waiting on internal rate limiter   {"identifiers": ["*.tld.biz"], "ca": "https://acme-staging-v02.api.letsencrypt.org/directory", "account": "admin@tld.biz"}
2021/11/25 08:16:19.186 DEBUG   tls.issuance.acme.acme_client   http request    {"method": "HEAD", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce", "headers": {"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Date":["Thu, 25 Nov 2021 08:16:19 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0002qCMGgOluCt7TsMbY9d60k6NJJdg115eFwBCH81OD6hM"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2021/11/25 08:16:19.375 DEBUG   tls.issuance.acme.acme_client   http request    {"method": "POST", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["34869978"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["350"],"Content-Type":["application/json"],"Date":["Thu, 25 Nov 2021 08:16:19 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/order/34869978/1109831828"],"Replay-Nonce":["00024fGMgbfCkyihFfb_wn38sGEiqWRhe0GKnHrrjaW4fHk"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 201}
2021/11/25 08:16:19.548 DEBUG   tls.issuance.acme.acme_client   http request    {"method": "POST", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/1023730208", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["34869978"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["392"],"Content-Type":["application/json"],"Date":["Thu, 25 Nov 2021 08:16:19 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0002QfODborn9Q3_EWxIHK-ec8XOMJMtlxSptIzD6lLe8l4"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2021/11/25 08:16:19.549 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "*.tld.biz", "challenge_type": "dns-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"}
2021/11/25 08:18:23.533 DEBUG   tls.issuance.acme.acme_client   http request    {"method": "POST", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/1023730208", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["34869978"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["396"],"Content-Type":["application/json"],"Date":["Thu, 25 Nov 2021 08:18:23 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0001kk0aOq3JwHZAit_bsHXhIeHsE-Da9Ww4Cv37OMAajJM"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2021/11/25 08:18:23.533 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "*.tld.biz", "issuer": "acme-staging-v02.api.letsencrypt.org-directory", "error": "[*.tld.biz] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/34869978/1109831828) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
2021/11/25 08:18:23.534 ERROR   tls.obtain      will retry      {"error": "[*.tld.biz] Obtain: [*.tld.biz] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/34869978/1109831828) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)", "attempt": 1, "retrying_in": 60, "elapsed": 250.720904489, "max_duration": 2592000}
2021/11/25 08:19:23.535 DEBUG   tls.obtain      trying issuer 1/2       {"issuer": "acme-staging-v02.api.letsencrypt.org-directory"}
2021/11/25 08:19:24.131 DEBUG   tls.issuance.acme.acme_client   http request    {"method": "HEAD", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce", "headers": {"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Date":["Thu, 25 Nov 2021 08:19:24 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0002dDNNIj2I8Eu88VpS1Vix231pEJDCXtsIZTctNFpWg6s"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2021/11/25 08:19:24.318 DEBUG   tls.issuance.acme.acme_client   http request    {"method": "POST", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["34869978"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["350"],"Content-Type":["application/json"],"Date":["Thu, 25 Nov 2021 08:19:24 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/order/34869978/1109850518"],"Replay-Nonce":["000265GCNaYqHrPuCr91kBe71_psAMAxpX6nSs8QiSqRTjI"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 201}
2021/11/25 08:19:24.490 DEBUG   tls.issuance.acme.acme_client   http request    {"method": "POST", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/1023745808", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["34869978"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["392"],"Content-Type":["application/json"],"Date":["Thu, 25 Nov 2021 08:19:24 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0001iHZSjZypM-5stYltGHP-vp1LT4-T0rliKpDeM78geoc"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2021/11/25 08:19:24.490 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "*.tld.biz", "challenge_type": "dns-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"}
2021/11/25 08:21:28.353 DEBUG   tls.issuance.acme.acme_client   http request    {"method": "POST", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/1023745808", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["34869978"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["396"],"Content-Type":["application/json"],"Date":["Thu, 25 Nov 2021 08:21:28 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["00029fQgezkxIOaPEiBHEWXTYv9KXPmthZa0DBkuomG8swg"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2021/11/25 08:21:28.353 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "*.tld.biz", "issuer": "acme-staging-v02.api.letsencrypt.org-directory", "error": "[*.tld.biz] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/34869978/1109850518) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
2021/11/25 08:21:28.354 DEBUG   tls.obtain      trying issuer 2/2       {"issuer": "acme-staging-v02.api.letsencrypt.org-directory"}
2021/11/25 08:21:28.868 DEBUG   tls.issuance.acme.acme_client   http request    {"method": "HEAD", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce", "headers": {"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Date":["Thu, 25 Nov 2021 08:21:28 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0002qKx6R82kgMyzttoxGUYgGY6tXhRxy50JXB8u0nX2KsU"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2021/11/25 08:21:29.056 DEBUG   tls.issuance.acme.acme_client   http request    {"method": "POST", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["34869978"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["350"],"Content-Type":["application/json"],"Date":["Thu, 25 Nov 2021 08:21:28 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/order/34869978/1109861918"],"Replay-Nonce":["0002TxX8MoG0l1S1uX2p1bfCFsQf6JeddqikWpPMvrk9a0c"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 201}
2021/11/25 08:21:29.229 DEBUG   tls.issuance.acme.acme_client   http request    {"method": "POST", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/1023756648", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["34869978"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["392"],"Content-Type":["application/json"],"Date":["Thu, 25 Nov 2021 08:21:29 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0002mUy-wHQ5wfCwR8HMlb3vuhlEMvAMee3dXnH31Xg6pDc"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2021/11/25 08:21:29.229 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "*.tld.biz", "challenge_type": "dns-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"}
2021/11/25 08:23:33.023 DEBUG   tls.issuance.acme.acme_client   http request    {"method": "POST", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/1023756648", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["34869978"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["396"],"Content-Type":["application/json"],"Date":["Thu, 25 Nov 2021 08:23:32 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["000114xAFrUGCAuU2STeoGXOVQbcca1KLuiwd3NKe7bLeXE"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2021/11/25 08:23:33.023 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "*.tld.biz", "issuer": "acme-staging-v02.api.letsencrypt.org-directory", "error": "[*.tld.biz] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/34869978/1109861918) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
2021/11/25 08:23:33.023 ERROR   tls.obtain      will retry      {"error": "[*.tld.biz] Obtain: [*.tld.biz] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/34869978/1109861918) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)", "attempt": 2, "retrying_in": 120, "elapsed": 560.210200757, "max_duration": 2592000}
^C2021/11/25 08:24:02.955       INFO    shutting down   {"signal": "SIGINT"}
2021/11/25 08:24:02.955 WARN    exiting; byeee!! 👋     {"signal": "SIGINT"}
2021/11/25 08:24:02.957 INFO    tls.cache.maintenance   stopped background certificate maintenance      {"cache": "0xc0002b1650"}
2021/11/25 08:24:02.957 INFO    tls.obtain      releasing lock  {"identifier": "*.tld.biz"}
2021/11/25 08:24:02.958 ERROR   tls     job failed      {"error": "*.tld.biz: obtaining certificate: context canceled"}
2021/11/25 08:24:02.959 INFO    admin   stopped previous server {"address": "tcp/localhost:2019"}
2021/11/25 08:24:02.959 INFO    shutdown complete       {"signal": "SIGINT", "exit_code": 0}
root@reverseproxy:/etc/caddy#

The script successfully generates the TXT record at IONOS under the tld.biz:

It also deletes the records after the script fails.

I am not sure how to tackle this error.

Do I need to have the tld.biz in the Caddyfile, like *.tld.biz, tld.biz{ …?
Can it be the staging node from Let’s Encrypt?

Any pointer where to start is much appreciated.

This usually means that Caddy wasn’t able to make a DNS query to check that it was able to set the TXT record for itself. You could try changing the resolvers config in the tls directive to something like 8.8.8.8 or 1.1.1.1 to use Google or CloudFlare’s DNS servers instead.

Thanks a lot that worked!

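Added example, not part of the original thread and not Caddy's own code: a small Python triage script that recognises the two failure signatures seen in the logs above and maps each to the fix given in the replies. The sample log lines are abridged from the thread's output (fields trimmed); the function names and finding codes are illustrative assumptions.

```python
import json
import re

# Caddy console log line: "<date> <time>  LEVEL  [logger]  message  {json fields}"
LINE_RE = re.compile(r"^\S+ \S+\s+(DEBUG|INFO|WARN|ERROR)\s+(.*)$")

# Remedies as given in the thread's replies.
HINTS = {
    "no_managed_certificate": "Site address did not yield a managed name; "
                              "a wildcard must be its own label (*.example.com).",
    "propagation_timeout": "TXT record was set but Caddy's own lookup never saw it; "
                           "set 'resolvers' in the tls directive (e.g. 1.1.1.1).",
}


def parse_line(line):
    """Return (level, text, fields) for one log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    level, rest = m.groups()
    fields = {}
    start = rest.find("{")
    if start != -1:
        try:
            fields = json.loads(rest[start:])
            rest = rest[:start]
        except json.JSONDecodeError:
            pass  # the brace belonged to the message, not to a field object
    return level, rest.strip(), fields


def wildcard_label_ok(site_address):
    """A '*' must stand in for exactly one whole hostname label."""
    host = site_address.split("://")[-1].split("/")[0].split(":")[0]
    return all("*" not in label or label == "*" for label in host.split("."))


def diagnose(lines):
    """Return sorted finding codes (keys of HINTS) for a run of log lines."""
    findings = set()
    managed = unmatched = False
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        level, text, fields = parsed
        if "enabling automatic TLS certificate management" in text:
            managed = True
        if "no certificate matching TLS ClientHello" in text:
            unmatched = True
        error = str(fields.get("error", ""))
        if level == "ERROR" and "timed out waiting for record to fully propagate" in error:
            findings.add("propagation_timeout")
    # Handshakes fail and Caddy never announced a managed domain for the site.
    if unmatched and not managed:
        findings.add("no_managed_certificate")
    return sorted(findings)


# Abridged from the first run in the thread (site address "*tld.biz").
FIRST_RUN = [
    '2021/11/24 14:51:11.524 INFO    serving initial configuration',
    '2021/11/24 14:53:06.384 DEBUG   tls.handshake   no certificate matching TLS ClientHello '
    '{"server_name": "archiv.tld.biz", "cert_cache_fill": 0, "on_demand": false}',
    "2021/11/24 14:53:06.384 DEBUG   http.stdlib     http: TLS handshake error from "
    "192.168.76.2:2466: no certificate available for 'archiv.tld.biz'",
]

# Abridged from the second run in the thread (site address "*.tld.biz").
SECOND_RUN = [
    '2021/11/25 08:14:12.809 INFO    http    enabling automatic TLS certificate management   '
    '{"domains": ["*.tld.biz"]}',
    '2021/11/25 08:16:18.672 ERROR   tls.obtain      could not get certificate from issuer   '
    '{"identifier": "*.tld.biz", "error": "[*.tld.biz] solving challenges: waiting for solver '
    'certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; '
    'verify DNS provider configuration is correct - last error: <nil>"}',
]

if __name__ == "__main__":
    for name, run in (("first run", FIRST_RUN), ("second run", SECOND_RUN)):
        for code in diagnose(run):
            print(f"{name}: {code}: {HINTS[code]}")
    print("*tld.biz valid wildcard:", wildcard_label_ok("*tld.biz"))
    print("*.tld.biz valid wildcard:", wildcard_label_ok("*.tld.biz"))
```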