You could test that quickly by running Caddy with the site on HTTP only and trying to connect. Change the site labels to http://X.duckdns.org and http://a.X.duckdns.org, then direct either your browser or cURL to that address.
The error in your log is Caddy trying to connect outwards to LetsEncrypt. It might even be a rogue hop on the way between your Caddy host and LetsEncrypt dropping your traffic.
Let's remove LetsEncrypt from the question to test that your ports are working as expected and try to rule out an issue with your network hardware.
Remove the http:// scheme from the site labels again, but add tls self_signed in each site definition. This will bring Caddy up with an invalid certificate, but you can test with curl -kIL X.duckdns.org and see if you get the expected redirection and then HTTPS response.
I can elaborate on this a little. In some setups where DNS can regularly change or has recently changed (common with DDNS services like Duck DNS), your local DNS resolver might have the updated IP address, but where LetsEncrypt’s servers are, the DNS records might not have updated yet. When this happens, LE challenges the old address and naturally fails. This might be the case with yours, but it should have resolved itself in time - not to mention LetsEncrypt don’t cache DNS and are usually pretty quick off the mark with DNS updates, and the outbound connection error to LetsEncrypt indicates other issues.
I was able to activate Caddy with tls self_signed and it indeed does bring up an invalid certificate. I had to enable port 2015 to access the page on HTTPS, but I saw your explanation elsewhere in this community on why self-signed cannot be hosted on 443.
curl: (7) Failed to connect to X.duckdns.org port 80: connection refused.
Oh ok, I tried even DDNS and No-IP… still the same. I think they all are the same when it comes to this issue… I tried running port 80 to the NVR and it looks like my port 80 is blocked from the ISP end, as I'm unable to connect to port 80 from any external network.
Ahh, my mistake. You can host self-signed on port 443, you just have to do it explicitly in the Caddyfile (and it won’t be valid of course).
Using http://X.duckdns.org, https://X.duckdns.org as your site label will do that, but you’ll have to set up HTTP->S redirection manually (Caddy usually handles it for you when Automatic HTTPS is enabled).
I think this one’s because curl infers HTTP from your request when it’s actually HTTPS. Try curl -kIL https://X.duckdns.org:2015 with this setup or just https://X.duckdns.org if you change your Caddyfile label to serve the site over 443.
That’s unfortunate. It would handily explain why you weren’t able to complete the ACME challenge.
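The two-site layout described above (an explicit HTTP site that redirects, and an explicit HTTPS site on 443 with a self-signed certificate), written out as a Caddyfile. This is an added example, not a Caddyfile from the thread; it uses the Caddy v1 directive syntax the thread already relies on (tls self_signed, redir), keeps X.duckdns.org as the placeholder hostname, and the /var/www/X document root is an assumption for illustration.

```caddyfile
# Added example (not from the thread). Caddy v1 syntax.
# Plain-HTTP site: Automatic HTTPS is off because a scheme is given explicitly,
# so the HTTP->HTTPS redirect has to be declared by hand.
http://X.duckdns.org, http://a.X.duckdns.org {
    redir https://{host}{uri}
}

# HTTPS site on 443 with a self-signed certificate, so no ACME challenge is
# attempted. Browsers and plain curl will (correctly) reject the certificate;
# use curl -kIL https://X.duckdns.org to test the port path only.
https://X.duckdns.org, https://a.X.duckdns.org {
    tls self_signed
    root /var/www/X   # assumed document root for the example
}
```

With this in place, curl -kIL http://X.duckdns.org should show a 3xx redirect followed by an HTTPS response; a "connection refused" on port 80 at that point is a network or ISP problem, not a LetsEncrypt one, which is what this configuration is meant to isolate.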
Hello Whitestrake, thank you for everything. After a long journey and many calls with the ISP, I found the ISP was blocking the ports. I got ports 80 and 443 released and it's all working now. I wanted to thank you for your help.