1. Caddy version (caddy version):
2.4.5
2. How I run Caddy:

```dockerfile
FROM caddy:builder AS builder
RUN xcaddy build --with github.com/caddy-dns/duckdns
FROM caddy
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
```
a. System environment:
Docker
b. Command:
docker-compose up -d
c. Service/unit/compose file:

```yaml
web:
  build: .
  container_name: caddy
  restart: always
  ports:
    - 4433:443
    - 8080:80
  depends_on:
    - app
  volumes:
    - ./Caddyfile:/etc/caddy/Caddyfile
    - ./data/caddy:/data
    - ./data/nextcloud:/var/www/html
```
d. My complete Caddyfile or JSON config:

```caddyfile
https://cnamed.example.com {
	root * /var/www/html
	file_server
	php_fastcgi app:9000
	header {
		# enable HSTS
		Strict-Transport-Security max-age=31536000;
	}
	tls {
		dns duckdns <token> {
			override_domain target.duckdns.org
		}
	}
}
```
3. The problem I’m having:
The DNS provider module duckdns simply ignores the override_domain directive value and always tries to resolve the DNS challenge for cnamed.example.com in order to obtain the certificate. You can even enter an invalid/nonexistent domain in override_domain.
4. Error messages and/or full log output:
{"level":"info","ts":1633315191.8570213,"logger":"tls.obtain","msg":"acquiring lock","identifier":"cnamed.example.com"}
{"level":"info","ts":1633315191.8588457,"logger":"tls.obtain","msg":"lock acquired","identifier":"cnamed.example.com"}
{"level":"info","ts":1633315191.8608518,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["cnamed.example.com"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
{"level":"info","ts":1633315191.8608882,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["cnamed.example.com"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
{"level":"info","ts":1633315193.3277087,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"cnamed.example.com","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1633315226.706257,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"cnamed.example.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[cnamed.example.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of _acme-challenge.cnamed.example.com: read tcp 172.30.0.6:36558->67.220.81.190:53: read: connection reset by peer (order=https://acme-v02.api.letsencrypt.org/acme/order/225224480/29273576080) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
{"level":"warn","ts":1633315226.7092607,"logger":"tls.issuance.zerossl","msg":"missing email address for ZeroSSL; it is strongly recommended to set one for next time"}
{"level":"info","ts":1633315227.5924022,"logger":"tls.issuance.zerossl","msg":"generated EAB credentials","key_id":"6bbiQELeoh_LlUMj-VuEqg"}
{"level":"info","ts":1633315228.7496998,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["cnamed.example.com"],"ca":"https://acme.zerossl.com/v2/DV90","account":""}
{"level":"info","ts":1633315228.7497928,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["cnamed.example.com"],"ca":"https://acme.zerossl.com/v2/DV90","account":""}
{"level":"info","ts":1633315229.1259007,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"cnamed.example.com","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"error","ts":1633315350.3283684,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"cnamed.example.com","issuer":"acme.zerossl.com-v2-DV90","error":"[cnamed.example.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme.zerossl.com/v2/DV90/order/fEzJ1uup98HzO5VsC__tWg) (ca=https://acme.zerossl.com/v2/DV90)"}
{"level":"error","ts":1633315350.328522,"logger":"tls.obtain","msg":"will retry","error":"[cnamed.example.com] Obtain: [cnamed.example.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme.zerossl.com/v2/DV90/order/fEzJ1uup98HzO5VsC__tWg) (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":158.469637984,"max_duration":2592000}
{"level":"info","ts":1633315411.927088,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"cnamed.example.com","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1633315533.0962706,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"cnamed.example.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[cnamed.example.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/28734698/683976318) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
5. What I already tried:
Don’t know what to do… It works with duckdns.org subdomains but not with CNAME domains.
6. Links to relevant resources:
caddy-dns/duckdns: Caddy module: dns.providers.duckdns - https://github.com/
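The propagation check in the log queries _acme-challenge.cnamed.example.com because that is the name the CA itself resolves for dns-01, independently of where the provider publishes the TXT record. The model below is an added example (not code from Caddy or caddy-dns/duckdns) of that lookup over constructed record sets; it assumes the TXT is published at the DuckDNS name itself.

```python
"""Model of the TXT lookup an ACME CA performs for a dns-01 challenge on a
CNAME'd name. Added example, not Caddy or caddy-dns/duckdns code; the record
sets are constructed, the host names are the post's own."""
from typing import Dict, List, Optional, Tuple

# name -> (CNAME target or None, TXT values held at that name)
Records = Dict[str, Tuple[Optional[str], List[str]]]


def follow_cnames(name: str, records: Records, max_hops: int = 8) -> str:
    """Return the terminal name a resolver reaches from `name` via CNAMEs."""
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        target, _ = records.get(name, (None, []))
        if target is None:
            return name
        name = target
    raise ValueError("CNAME chain too long")


def ca_sees_token(domain: str, token: str, records: Records) -> bool:
    """Does a CA querying TXT _acme-challenge.<domain> find `token`?
    Resolution follows CNAMEs, so the TXT must sit at the chain's end."""
    terminal = follow_cnames(f"_acme-challenge.{domain}", records)
    return token in records.get(terminal, (None, []))[1]


TOKEN = "constructed-challenge-token"

# Working delegation: the _acme-challenge label itself is CNAME'd to the
# DuckDNS name where the TXT is published (assumed publish point).
RECORDS_OK: Records = {
    "cnamed.example.com": ("target.duckdns.org", []),
    "_acme-challenge.cnamed.example.com": ("target.duckdns.org", []),
    "target.duckdns.org": (None, [TOKEN]),
}

# Only the host name is CNAME'd. A CNAME does not cover child labels, so the
# CA's query for _acme-challenge.cnamed.example.com finds no TXT no matter
# what is published under the DuckDNS name: the "timed out waiting for
# record to fully propagate" outcome.
RECORDS_APEX_ONLY: Records = {
    "cnamed.example.com": ("target.duckdns.org", []),
    "target.duckdns.org": (None, [TOKEN]),
}

if __name__ == "__main__":
    print("delegated:", ca_sees_token("cnamed.example.com", TOKEN, RECORDS_OK))
    print("apex-only:", ca_sees_token("cnamed.example.com", TOKEN, RECORDS_APEX_ONLY))
```

A real-world check is the same lookup with a resolver: query TXT for _acme-challenge.cnamed.example.com and confirm the answer chain ends at the name the provider writes to.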