Error 403 failed cert


(chris) #1

I am trying to set up a reverse proxy for access to my home server. I have a domain and believe I have A records set right.

I've searched Google and forums and cannot find how to fix this.

[MYDOMAIN.COM] failed to get certificate: acme: Error 403


(Matthew Fay) #2

Hi @ill6031, welcome to the Caddy community.

Is that the full error line you received from Caddy? It looks like it is missing additional information.

Looks like mydomain.com is running an Apache server at the moment. You will need to make sure that Caddy is accessible on standard HTTP(S) ports for that domain instead of Apache.


(Matthew Fay) #5

We’ve got conflicting results here.

The first part:

This means that LetsEncrypt tried to look up which server to issue the ACME challenge to, but there were no A or CNAME records available for the requested domain name. This is consistent with what I’m seeing on my end for the domain media603.com currently - no records being returned.

However, this part:

is a completely different response. It means that LetsEncrypt found a server to issue the challenge to, and did so, but the server didn’t answer correctly. It looks like the server returned an HTML document. The most likely cause of this error is that a server other than Caddy is listening at the IP address you’ve pointed the domain to.

Either way, you need to make sure that:

  1. The domain name’s DNS records point to your server’s IP address
  2. Caddy is listening on ports 80 and 443 on that server

P.S. If you post your links in preformatted blocks, they don’t count as links, and you won’t run into any issues with the link limit.

```
preformatted text
```

or

`preformatted text`

(Matthew Fay) #7

Now your authoritative nameserver is reporting those three addresses as A records.

```
whitestrake at cadmus in ~
❯ dig @ns1.dnsowl.com media603.com a

; <<>> DiG 9.10.3-P4-Debian <<>> @ns1.dnsowl.com media603.com a
; (4 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26625
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 9
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;media603.com.                  IN      A

;; ANSWER SECTION:
media603.com.           3603    IN      A       107.161.23.204
media603.com.           3603    IN      A       192.161.187.200
media603.com.           3603    IN      A       209.141.38.71
```

Is Caddy listening at all three IP addresses?


(chris) #8

No, none of those are my IP; the domain host auto-created those. When I deleted those three and entered my public IP, I got the other error (400). So should I delete those again and enter my public IP as just one A record and see if I get error 400, then go from there?


(chris) #9

This is my Caddyfile:

```
media603.com {
    # Email for the Let's Encrypt account (placeholder as posted)
    tls MY EMAIL
    timeouts none
    gzip

    # Reverse proxy for Ombi; transparent passes Host and X-Forwarded-* upstream
    proxy /ombi 192.168.1.10:5000 {
        websocket
        transparent
    }

    # Optional security headers (applied to every path under /)
    header / {
        -Server
        Strict-Transport-Security "max-age=31536000;"
        # Note: this marks every response, including the Ombi app, cacheable for a year
        Cache-Control "public, max-age=31536000"
        Referrer-Policy "strict-origin"
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
    }

    # Optional logging (relative path: created in the directory Caddy is run from)
    log domain.log
}
```


(Matthew Fay) #10

The Caddyfile looks valid (although you may wish to specify an absolute path to your domain.log, or that file will be created in whichever directory you run Caddy from).

Yes, those three should be removed and replaced with the singular IP address of the server running Caddy.

Once those changes have been made, try again and let us know exactly what error you get, if any.


(chris) #11

failed to get certificate: acme: Error 400 - urn:ietf:params:acme:error:connection - Fetching http://media603.com/.well-known/acme-challenge/Uc45pVOPivSDyZtHap1jlme5Hlvk9s5zuvczq6KdmOM: Timeout during connect (likely firewall problem)


(chris) #12

On my Windows firewall I have ports 80 and 443 set to allow incoming on private, public, and domain.

If I go to my router and go to port forwarding, it says those ports are being used by the router.


(Matthew Fay) #13

You’ll need to ensure that your router has opened the ports externally and is forwarding them properly to the server running Caddy.


(chris) #14

I got it running by adding http:// to the front of my domain, but with that Caddyfile I posted, shouldn't it go to my site by typing mydomain.com/ombi?


(Matthew Fay) #15

When you type that in the address bar, your browser is simply trying to connect to your server via the IP address.

Naturally, if the router at that IP address isn’t accepting connections, nobody will be able to view your site.


(chris) #16

When I go to the IP I have as proxy, or localhost:5000, I can connect. When I go to my public IP:5000 I can connect, but when I type in the base I have after proxy I get nothing. I must be doing something wrong.


(Matthew Fay) #17

When you browse to HTTP or HTTPS, you’re connecting on ports 80 and 443, respectively.

You might have port 5000 open and forwarded to your server, but you also need ports 80 and 443 to be forwarded. At a guess, 80 and 443 are probably the issue currently, especially if port 5000 works fine.
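The checks asked for across these replies (A records pointing at the Caddy host, ports 80/443 reachable, and the ACME challenge path answered by Caddy rather than another web server) can be scripted. The following is an added example written for this thread, not Caddy's own code or any tool the replies mention. The three registrar-created A records are taken from the dig output above; the "public IP" 203.0.113.10, the key-authorization string and the sample responses are constructed for the demo.

```python
"""Pre-flight checks for Let's Encrypt HTTP-01 issuance.

Mirrors the diagnosis in the thread:
  1. do the domain's A records point at the host running Caddy?
  2. are ports 80/443 reachable from outside?
  3. does a GET on /.well-known/acme-challenge/<token> reach Caddy, or
     does some other server (an HTML page), or nothing (timeout), answer?

Constants below are constructed for the demo, not real infrastructure.
"""
import socket
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    check: str
    ok: bool
    detail: str


def check_a_records(records: List[str], expected_ip: str) -> Finding:
    """Compare A records from the authoritative nameserver with the public IP
    of the Caddy host. Stray records matter: the CA may contact any of them,
    and a host that is not yours will never answer the challenge."""
    found = sorted(set(records))
    if not found:
        return Finding("dns", False,
                       "no A records: the CA cannot find a server to challenge")
    if found == [expected_ip]:
        return Finding("dns", True, f"A record points to {expected_ip}")
    stray = [ip for ip in found if ip != expected_ip]
    return Finding("dns", False,
                   f"A records not pointing at the Caddy host: {stray}")


def classify_challenge_response(expected_key_auth: str,
                                status: Optional[int] = None,
                                content_type: str = "",
                                body: str = "",
                                timed_out: bool = False) -> Finding:
    """Interpret what the validator sees at
    http://<domain>/.well-known/acme-challenge/<token>.
    A correct answer is HTTP 200 whose body is exactly the key authorization."""
    if timed_out:
        return Finding("http-01", False,
                       "connect timeout: port 80 is not forwarded to the "
                       "Caddy host or is blocked by a firewall")
    if status == 200 and body.strip() == expected_key_auth:
        return Finding("http-01", True,
                       "challenge answered with the expected key authorization")
    if "text/html" in content_type.lower() or body.lstrip().startswith("<"):
        return Finding("http-01", False,
                       "HTML document returned: a different web server is "
                       "answering on port 80 instead of Caddy")
    return Finding("http-01", False, f"unexpected response: HTTP {status}")


def resolve_a_records(domain: str) -> List[str]:
    """Live lookup via the system resolver. Note this is what your machine
    sees (possibly cached), not what `dig @ns1...` asks the authoritative
    server; compare both when records were just changed."""
    infos = socket.getaddrinfo(domain, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Live check: can a TCP connection to host:port be opened? Run it from
    outside your LAN; from inside, NAT hairpinning can give a false result."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed demo data (offline). Registrar records are from the thread.
    registrar_records = ["107.161.23.204", "192.161.187.200", "209.141.38.71"]
    my_public_ip = "203.0.113.10"          # hypothetical (TEST-NET-3)
    key_auth = "demoToken.demoThumbprint"  # made-up key authorization

    print(check_a_records(registrar_records, my_public_ip))
    print(check_a_records([my_public_ip], my_public_ip))
    # The 400 "Timeout during connect" case from the thread:
    print(classify_challenge_response(key_auth, timed_out=True))
    # Another server answering with a page instead of the token:
    print(classify_challenge_response(key_auth, 200, "text/html",
                                      "<html><body>It works!</body></html>"))
    # Caddy answering correctly:
    print(classify_challenge_response(key_auth, 200, "text/plain", key_auth + "\n"))
```

Run the live helpers (`resolve_a_records`, `tcp_reachable("media603.com", 80)`) from a network outside your own; a phone on mobile data is enough. A timeout on port 80 from outside with a working `localhost:5000` inside is exactly the router-forwarding problem the replies point to.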


(chris) #18

OK, so even though I got it running by putting http://mydomain.com at the beginning of my Caddyfile, I still need 80 and 443 open. Since my router says I can't, I will have to try to figure out how to do that.


(Matthew Fay) #19

With that change, Caddy will be serving on standard HTTP, which is port 80 by default.

You can forward a different port on your router - like 8080 - to port 80 on your Caddy host, and connect to http://media603.com:8080/ombi instead, but you’ll always need to specify the port in the browser’s URL bar that way because it’s not the HTTP standard.

You also won’t be able to use Automatic HTTPS without enabling the DNS challenge unless you can get those ports open.


(chris) #20

OK, thanks.
I was going to ask that next, whether I could add 8080 at the end of my domain at the top of the Caddyfile. I will have to try that when I get home today. Thank you for all your help.