1. The problem I’m having:
Unable to auto-retrieve TLS certificates and thus unable to serve content with TLS enabled. If I disable TLS explicitly (:80), the content is served just fine, so the router and dynu config themselves do not appear to be the problem. It might, however, be a problem with the ACME challenge / DNS provider plugin, maybe? I have a hard time understanding what exactly is going wrong from the error log alone.
This issue has persisted for several weeks now. I tried rebuilding Caddy and minimizing the config, but nothing changed or improved the issue.
2. Error messages and/or full log output:
Jan 31 19:49:51 Baikonur systemd[1]: Started Caddy web server.
░░ Subject: A start job for unit caddy.service has finished successfully
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ A start job for unit caddy.service has finished successfully.
░░
░░ The job identifier is 2591.
Jan 31 19:49:52 Baikonur caddy[96180]: {"level":"info","ts":1738349392.0109763,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/var/lib/caddy","instance":"dcbf530e-0bdf-4a2f-9f5a-966731344eb3","try_again":1738435792.010972,"try_again_in":86399.999999018}
Jan 31 19:49:52 Baikonur caddy[96180]: {"level":"info","ts":1738349392.0111396,"logger":"tls","msg":"finished cleaning storage units"}
Jan 31 19:49:52 Baikonur caddy[96180]: {"level":"info","ts":1738349392.025736,"logger":"tls.obtain","msg":"acquiring lock","identifier":"senshi.dynu.net"}
Jan 31 19:49:52 Baikonur caddy[96180]: {"level":"info","ts":1738349392.049646,"logger":"tls.obtain","msg":"lock acquired","identifier":"senshi.dynu.net"}
Jan 31 19:49:52 Baikonur caddy[96180]: {"level":"info","ts":1738349392.0497854,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"senshi.dynu.net"}
Jan 31 19:49:52 Baikonur caddy[96180]: {"level":"debug","ts":1738349392.0498283,"logger":"events","msg":"event","name":"cert_obtaining","id":"07d4bf4c-86db-458c-a76a-075d40577975","origin":"tls","data":{"identifier":"senshi.dynu.net"}}
Jan 31 19:49:52 Baikonur caddy[96180]: {"level":"debug","ts":1738349392.0500631,"logger":"tls","msg":"created CSR","identifiers":["senshi.dynu.net"],"san_dns_names":["senshi.dynu.net"],"san_emails":[],"common_name":"","extra_extensions":0}
Jan 31 19:49:52 Baikonur caddy[96180]: {"level":"debug","ts":1738349392.0508893,"logger":"tls.obtain","msg":"trying issuer 1/1","issuer":"acme-v02.api.letsencrypt.org-directory"}
Jan 31 19:49:52 Baikonur caddy[96180]: {"level":"debug","ts":1738349392.051555,"logger":"tls.issuance.acme","msg":"using existing ACME account because key found in storage associated with email","email":"caddy@zerossl.com","ca":"https://acme-v02.api.letsencrypt.org/directory"}
Jan 31 19:49:52 Baikonur caddy[96180]: {"level":"debug","ts":1738349392.051888,"logger":"tls.issuance.acme","msg":"using existing ACME account because key found in storage associated with email","email":"caddy@zerossl.com","ca":"https://acme-v02.api.letsencrypt.org/directory"}
Jan 31 19:49:52 Baikonur caddy[96180]: {"level":"info","ts":1738349392.0519385,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["senshi.dynu.net"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"caddy@zerossl.com"}
Jan 31 19:49:52 Baikonur caddy[96180]: {"level":"info","ts":1738349392.0519621,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["senshi.dynu.net"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"caddy@zerossl.com"}
Jan 31 19:49:52 Baikonur caddy[96180]: {"level":"info","ts":1738349392.051994,"logger":"tls.issuance.acme","msg":"using ACME account","account_id":"https://acme-v02.api.letsencrypt.org/acme/acct/729702067","account_contact":["mailto:caddy@zerossl.com"]}
Jan 31 19:49:52 Baikonur caddy[96180]: {"level":"debug","ts":1738349392.5568404,"msg":"http request","method":"GET","url":"https://acme-v02.api.letsencrypt.org/directory","headers":{"User-Agent":["Caddy/2.9.1 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["828"],"Content-Type":["application/json"],"Date":["Fri, 31 Jan 2025 18:49:52 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Jan 31 19:49:52 Baikonur caddy[96180]: {"level":"debug","ts":1738349392.5570908,"msg":"creating order","account":"https://acme-v02.api.letsencrypt.org/acme/acct/729702067","identifiers":["senshi.dynu.net"]}
Jan 31 19:49:52 Baikonur caddy[96180]: {"level":"debug","ts":1738349392.702651,"msg":"http request","method":"HEAD","url":"https://acme-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.9.1 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Fri, 31 Jan 2025 18:49:52 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["hXNDuA8iB_9t_EPbqHZsLqE07vRFcDc-NLRXKPjs_TTsqUBatIA"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Jan 31 19:49:52 Baikonur caddy[96180]: {"level":"debug","ts":1738349392.849179,"msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.9.1 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["729702067"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["107"],"Content-Type":["application/problem+json"],"Date":["Fri, 31 Jan 2025 18:49:52 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["hXNDuA8iO1nFgRtxeuRdtz0dYjS-A9cPgw4MkcgcJk03tldoNEM"],"Server":["nginx"]},"status_code":400}
Jan 31 19:49:52 Baikonur caddy[96180]: {"level":"error","ts":1738349392.8493168,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"senshi.dynu.net","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:malformed - JWS verification error"}
Jan 31 19:49:52 Baikonur caddy[96180]: {"level":"debug","ts":1738349392.8493607,"logger":"events","msg":"event","name":"cert_failed","id":"0189102a-de80-4366-8e42-313da2b6956f","origin":"tls","data":{"error":{},"identifier":"senshi.dynu.net","issuers":["acme-v02.api.letsencrypt.org-directory"],"renewal":false}}
Jan 31 19:49:52 Baikonur caddy[96180]: {"level":"error","ts":1738349392.8494127,"logger":"tls.obtain","msg":"will retry","error":"[senshi.dynu.net] Obtain: [senshi.dynu.net] creating new order: attempt 1: https://acme-v02.api.letsencrypt.org/acme/new-order: HTTP 400 urn:ietf:params:acme:error:malformed - JWS verification error (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":0.799747113,"max_duration":2592000}
Jan 31 19:50:52 Baikonur caddy[96180]: {"level":"info","ts":1738349452.8506606,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"senshi.dynu.net"}
Jan 31 19:50:52 Baikonur caddy[96180]: {"level":"debug","ts":1738349452.8507266,"logger":"events","msg":"event","name":"cert_obtaining","id":"26094dae-0879-46bd-b07f-a302f36bcc9d","origin":"tls","data":{"identifier":"senshi.dynu.net"}}
Jan 31 19:50:52 Baikonur caddy[96180]: {"level":"debug","ts":1738349452.8509262,"logger":"tls","msg":"created CSR","identifiers":["senshi.dynu.net"],"san_dns_names":["senshi.dynu.net"],"san_emails":[],"common_name":"","extra_extensions":0}
Jan 31 19:50:52 Baikonur caddy[96180]: {"level":"debug","ts":1738349452.8517165,"logger":"tls.obtain","msg":"trying issuer 1/1","issuer":"acme-v02.api.letsencrypt.org-directory"}
Jan 31 19:50:52 Baikonur caddy[96180]: {"level":"debug","ts":1738349452.8521183,"logger":"tls.issuance.acme","msg":"using existing ACME account because key found in storage associated with email","email":"caddy@zerossl.com","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
Jan 31 19:50:52 Baikonur caddy[96180]: {"level":"info","ts":1738349452.8521516,"logger":"tls.issuance.acme","msg":"using ACME account","account_id":"https://acme-staging-v02.api.letsencrypt.org/acme/acct/64387964","account_contact":["mailto:caddy@zerossl.com"]}
Jan 31 19:50:53 Baikonur caddy[96180]: {"level":"debug","ts":1738349453.517121,"msg":"http request","method":"GET","url":"https://acme-staging-v02.api.letsencrypt.org/directory","headers":{"User-Agent":["Caddy/2.9.1 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["974"],"Content-Type":["application/json"],"Date":["Fri, 31 Jan 2025 18:50:53 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Jan 31 19:50:53 Baikonur caddy[96180]: {"level":"debug","ts":1738349453.517288,"msg":"creating order","account":"https://acme-staging-v02.api.letsencrypt.org/acme/acct/64387964","identifiers":["senshi.dynu.net"]}
Jan 31 19:50:53 Baikonur caddy[96180]: {"level":"debug","ts":1738349453.6688187,"msg":"http request","method":"HEAD","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.9.1 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Fri, 31 Jan 2025 18:50:53 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["xMYr_xatcWGGVRDr_Cs9Xi2YFZoH_HYbGp9to0HJ6oZBkhRJxUo"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Jan 31 19:50:53 Baikonur caddy[96180]: {"level":"debug","ts":1738349453.8520005,"msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.9.1 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["64387964"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["357"],"Content-Type":["application/json"],"Date":["Fri, 31 Jan 2025 18:50:53 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/order/64387964/22331289564"],"Replay-Nonce":["xMYr_xatSKEWbHrfH_jUilkITVWgeIRteOZg48CD3VdyK0onJiw"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}
Jan 31 19:50:54 Baikonur caddy[96180]: {"level":"debug","ts":1738349454.0107203,"msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz/64387964/15681669274","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.9.1 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["64387964"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["666"],"Content-Type":["application/json"],"Date":["Fri, 31 Jan 2025 18:50:53 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["N9Ep_yiTZ_XvgJ-OzqwT6fsQid24NOjS7leT3k7XTzHSIJR0eT8"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Jan 31 19:50:54 Baikonur caddy[96180]: {"level":"debug","ts":1738349454.0110302,"msg":"skipping challenge initiation because authorization is not pending","identifier":"senshi.dynu.net","authz_status":"valid"}
Jan 31 19:50:54 Baikonur caddy[96180]: {"level":"info","ts":1738349454.0110567,"msg":"authorization finalized","identifier":"senshi.dynu.net","authz_status":"valid"}
Jan 31 19:50:54 Baikonur caddy[96180]: {"level":"info","ts":1738349454.0110786,"msg":"validations succeeded; finalizing order","order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/64387964/22331289564"}
Jan 31 19:50:54 Baikonur caddy[96180]: {"level":"debug","ts":1738349454.659099,"msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/finalize/64387964/22331289564","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.9.1 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["64387964"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["362"],"Content-Type":["application/json"],"Date":["Fri, 31 Jan 2025 18:50:54 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/order/64387964/22331289564"],"Replay-Nonce":["N9Ep_yiTeu9ixVmylQTJCH4tXnJkTkfrYlIkHVnvDMOSmgezRHY"],"Retry-After":["3"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Jan 31 19:50:57 Baikonur caddy[96180]: {"level":"debug","ts":1738349457.8207188,"msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/order/64387964/22331289564","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.9.1 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["469"],"Content-Type":["application/json"],"Date":["Fri, 31 Jan 2025 18:50:57 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["xMYr_xatubHzFbpPwniY8S9kAVfnwuWxS-5i7Fwhi5vCue9K2RU"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Jan 31 19:50:57 Baikonur caddy[96180]: {"level":"debug","ts":1738349457.9806201,"msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/cert/2b1fa79e5e5c0ecb26f07f51c6625a7399de","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.9.1 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["2978"],"Content-Type":["application/pem-certificate-chain"],"Date":["Fri, 31 Jan 2025 18:50:57 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://acme-staging-v02.api.letsencrypt.org/acme/cert/2b1fa79e5e5c0ecb26f07f51c6625a7399de/1>;rel=\"alternate\""],"Replay-Nonce":["N9Ep_yiT-jijGjywegQVEaFR_UmHwwHH7bguzppKAt25hUfmQZk"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Jan 31 19:50:57 Baikonur caddy[96180]: {"level":"debug","ts":1738349457.9808307,"msg":"getting renewal info","names":["senshi.dynu.net"]}
Jan 31 19:50:58 Baikonur caddy[96180]: {"level":"debug","ts":1738349458.138653,"msg":"http request","method":"GET","url":"https://acme-staging-v02.api.letsencrypt.org/draft-ietf-acme-ari-03/renewalInfo/oXQaBm1Qt4YtSizBfrSNiElszRY.Kx-nnl5cDssm8H9RxmJac5ne","headers":{"User-Agent":["Caddy/2.9.1 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["101"],"Content-Type":["application/json"],"Date":["Fri, 31 Jan 2025 18:50:58 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Retry-After":["21600"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Jan 31 19:50:58 Baikonur caddy[96180]: {"level":"info","ts":1738349458.1388505,"msg":"got renewal info","names":["senshi.dynu.net"],"window_start":1743444713,"window_end":1743617513,"selected_time":1743522089,"recheck_after":1738371058.138839,"explanation_url":""}
Jan 31 19:50:58 Baikonur caddy[96180]: {"level":"debug","ts":1738349458.298328,"msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/cert/2b1fa79e5e5c0ecb26f07f51c6625a7399de/1","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.9.1 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["2421"],"Content-Type":["application/pem-certificate-chain"],"Date":["Fri, 31 Jan 2025 18:50:58 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://acme-staging-v02.api.letsencrypt.org/acme/cert/2b1fa79e5e5c0ecb26f07f51c6625a7399de/0>;rel=\"alternate\""],"Replay-Nonce":["xMYr_xatUJNLuWqrLPqYqCLZq5oghQ13RiN0CsJfV8803bP5wt8"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Jan 31 19:50:58 Baikonur caddy[96180]: {"level":"debug","ts":1738349458.298471,"msg":"getting renewal info","names":["senshi.dynu.net"]}
Jan 31 19:50:58 Baikonur caddy[96180]: {"level":"debug","ts":1738349458.4535458,"msg":"http request","method":"GET","url":"https://acme-staging-v02.api.letsencrypt.org/draft-ietf-acme-ari-03/renewalInfo/oXQaBm1Qt4YtSizBfrSNiElszRY.Kx-nnl5cDssm8H9RxmJac5ne","headers":{"User-Agent":["Caddy/2.9.1 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["101"],"Content-Type":["application/json"],"Date":["Fri, 31 Jan 2025 18:50:58 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Retry-After":["21600"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Jan 31 19:50:58 Baikonur caddy[96180]: {"level":"info","ts":1738349458.4536326,"msg":"got renewal info","names":["senshi.dynu.net"],"window_start":1743444713,"window_end":1743617513,"selected_time":1743537363,"recheck_after":1738371058.4536235,"explanation_url":""}
Jan 31 19:50:58 Baikonur caddy[96180]: {"level":"info","ts":1738349458.4536903,"msg":"successfully downloaded available certificate chains","count":2,"first_url":"https://acme-staging-v02.api.letsencrypt.org/acme/cert/2b1fa79e5e5c0ecb26f07f51c6625a7399de"}
Jan 31 19:50:58 Baikonur caddy[96180]: {"level":"debug","ts":1738349458.4537091,"logger":"tls.issuance.acme","msg":"selected certificate chain","url":"https://acme-staging-v02.api.letsencrypt.org/acme/cert/2b1fa79e5e5c0ecb26f07f51c6625a7399de"}
Jan 31 19:50:58 Baikonur caddy[96180]: {"level":"debug","ts":1738349458.4541473,"logger":"tls.issuance.acme","msg":"using existing ACME account because key found in storage associated with email","email":"caddy@zerossl.com","ca":"https://acme-v02.api.letsencrypt.org/directory"}
Jan 31 19:50:58 Baikonur caddy[96180]: {"level":"info","ts":1738349458.4541707,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["senshi.dynu.net"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"caddy@zerossl.com"}
Jan 31 19:50:58 Baikonur caddy[96180]: {"level":"info","ts":1738349458.454194,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["senshi.dynu.net"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"caddy@zerossl.com"}
Jan 31 19:50:58 Baikonur caddy[96180]: {"level":"info","ts":1738349458.4542248,"logger":"tls.issuance.acme","msg":"using ACME account","account_id":"https://acme-v02.api.letsencrypt.org/acme/acct/729702067","account_contact":["mailto:caddy@zerossl.com"]}
Jan 31 19:50:58 Baikonur caddy[96180]: {"level":"debug","ts":1738349458.4542491,"msg":"creating order","account":"https://acme-v02.api.letsencrypt.org/acme/acct/729702067","identifiers":["senshi.dynu.net"]}
Jan 31 19:50:58 Baikonur caddy[96180]: {"level":"debug","ts":1738349458.601714,"msg":"http request","method":"HEAD","url":"https://acme-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.9.1 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Fri, 31 Jan 2025 18:50:58 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["aTttXYyy6hGDXqrD7nTwtwH4ObzlDgRxDFNrj_0X5rtzpc-HCtg"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Jan 31 19:50:58 Baikonur caddy[96180]: {"level":"debug","ts":1738349458.7497706,"msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.9.1 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["729702067"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["107"],"Content-Type":["application/problem+json"],"Date":["Fri, 31 Jan 2025 18:50:58 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["hXNDuA8i9eERESdZ6P6U9hRI5vFQsaNao79G-nYgMY2Q-uMd7oQ"],"Server":["nginx"]},"status_code":400}
Jan 31 19:50:58 Baikonur caddy[96180]: {"level":"error","ts":1738349458.749921,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"senshi.dynu.net","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:malformed - JWS verification error"}
Jan 31 19:50:58 Baikonur caddy[96180]: {"level":"debug","ts":1738349458.7499635,"logger":"events","msg":"event","name":"cert_failed","id":"5eb9a41e-0e12-4929-86cd-a937fbea510f","origin":"tls","data":{"error":{"Err":{}},"identifier":"senshi.dynu.net","issuers":["acme-v02.api.letsencrypt.org-directory"],"renewal":false}}
Jan 31 19:50:58 Baikonur caddy[96180]: {"level":"info","ts":1738349458.7500281,"logger":"tls.obtain","msg":"releasing lock","identifier":"senshi.dynu.net"}
Jan 31 19:50:58 Baikonur caddy[96180]: {"level":"error","ts":1738349458.7502027,"logger":"tls","msg":"job failed","error":"senshi.dynu.net: obtaining certificate: [senshi.dynu.net] Obtain: [senshi.dynu.net] creating new order: attempt 1: https://acme-v02.api.letsencrypt.org/acme/new-order: HTTP 400 urn:ietf:params:acme:error:malformed - JWS verification error (ca=https://acme-v02.api.letsencrypt.org/directory)"}
3. Caddy version:
v2.9.1 h1:OEYiZ7DbCzAWVb6TNEkjRcSCRGHVoZsJinoDR/n9oaY=
4. How I installed and ran Caddy:
Downloaded custom binary for linux-amd64 including the dynu dns provider plugin.
a. System environment:
Archlinux, bare metal homeserver
b. Command:
c. Service/unit/compose file:
Unchanged from default:
# caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.
[Unit]
Description=Caddy web server
Documentation=https://caddyserver.com/docs/
# Start only after the network is reported online; certificate issuance needs outbound access to the CA.
After=network-online.target
Wants=network-online.target
# Rate-limit start attempts: at most 10 starts within 14400 seconds.
StartLimitIntervalSec=14400
StartLimitBurst=10
[Service]
Type=notify
# Run as the unprivileged caddy account rather than root.
User=caddy
Group=caddy
# With XDG_DATA_HOME=/var/lib, Caddy's storage is /var/lib/caddy (the log shows
# "FileStorage:/var/lib/caddy"). The ACME account keys are loaded from this storage
# ("key found in storage" in the log), so it should be readable by the caddy user only.
Environment=XDG_DATA_HOME=/var/lib
Environment=XDG_CONFIG_HOME=/etc
# Refuse to start when the Caddyfile does not validate.
ExecStartPre=/usr/bin/caddy validate --config /etc/caddy/Caddyfile
# --environ prints the process environment at startup, so any secret supplied through
# an environment variable would be written to the journal.
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
# Remove the admin unix socket left behind after the service stops.
ExecStopPost=/usr/bin/rm -f /run/caddy/admin.socket
# Do not allow the process to be restarted in a tight loop. If the
# process fails to start, something critical needs to be fixed.
Restart=on-abnormal
# Use graceful shutdown with a reasonable timeout
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
# Hardening options
# CAP_NET_BIND_SERVICE is the only capability granted (and the only one in the bounding
# set); it lets the unprivileged caddy user bind ports below 1024 such as 80 and 443.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
DevicePolicy=closed
LockPersonality=true
MemoryAccounting=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
# strict mounts the file system hierarchy read-only for this service; only the
# ReadWritePaths entries below stay writable.
ProtectSystem=strict
RemoveIPC=true
ReadWritePaths=/var/lib/caddy /var/log/caddy /run/caddy
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
d. My complete Caddy config:
# Global options block; its settings apply to every site in this config.
{
# Serve the admin API on a unix socket instead of the default TCP listener.
# The unit file's ExecStopPost removes this same path when the service stops.
admin "unix//run/caddy/admin.socket"
# Use the dynu DNS provider module for ACME DNS challenges.
# NOTE(review): in the log above, the production new-order request is rejected with
# "JWS verification error" before any challenge is attempted, so this block does not
# appear to be exercised on the failing path.
acme_dns dynu {
# <token> is redacted by the poster. A literal token here is readable by anyone who can
# read the Caddyfile. Supplying it through an environment placeholder such as {env.VAR}
# keeps it out of the file, but ExecStart runs with --environ, which prints the
# environment at startup, so the value would then appear in the journal.
api_token <token>
own_domain senshi.dynu.net
}
}
# Import additional caddy config files in /etc/caddy/conf.d/
import /etc/caddy/conf.d/fileserver
conf.d/fileserver :
# Site block for senshi.dynu.net. A bare hostname as the site address makes Caddy try to
# obtain and manage a certificate for it (the "obtaining certificate" entries in the log).
senshi.dynu.net {
# Serve files from /srv/ftp.
root * /srv/ftp
# "browse" enables directory listings, so everything under the root can be enumerated
# by any client that passes authentication.
file_server browse
# Require HTTP Basic authentication on every request (matcher *).
# <name> <pwd> are redacted by the poster; Caddy expects <pwd> to be a password hash
# (as produced by `caddy hash-password`), not the plaintext password.
# Basic credentials are only protected by TLS: while testing with TLS disabled (:80),
# they cross the network base64-encoded but unencrypted.
basic_auth * {
<name> <pwd>
}
}