Error 525 ssl handshake failed

Error 525 comes from Cloudflare, not from Caddy.

Looks like Cloudflare is trying to connect to www.lowarya.net, not lowarya.net. Those are different domains. You only told Caddy to manage a certificate for lowarya.net.

I added a new entry below the other but still the same problem. I think there are things missing in my configuration but I don’t know what.

www.lowarya.net {
  tls myEmail@example.fr {
    dns cloudflare {env.CLOUDFLARE_API_TOKEN}
  }
}

Try to connect directly to your origin server and see if it’s producing the expected certificates.

You can do this either by finding out your IP address and overriding the DNS checks with a cURL command (e.g. curl -kIL www.lowarya.net --resolve www.lowarya.net:80:[ORIGIN IP] --resolve www.lowarya.net:443:[ORIGIN IP], replacing both instances of [ORIGIN IP] with your own external IP address), or by turning off the orange cloud in your Cloudflare dashboard and waiting for DNS propagation.

There is nothing inherently missing from your configuration that I can see which would be required for a simple setup to function. The web server isn’t really doing much (you have no directives that actually produce content) but it should still be functioning and accessible (producing Status 200 OK with blank pages).


Here is the result:

Alright, so far the most likely cause is that Caddy simply never successfully requisitioned a certificate for that domain.

To find out if that’s the case and why, it’s time to go to your Caddy logs. Your points of interest are:

  • Most recently whenever HTTPS requests are attempted, what does Caddy report?
  • Originally when setting up DNS validation, what output did Caddy give regarding the challenge attempts?

Check out the logs of my Caddy container. Or Pastebin.

{"level":"info","ts":1614185807.673957,"msg":"shutting down apps then terminating","signal":"SIGTERM"}
{"level":"info","ts":1614185808.6750298,"logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0xc00042afc0"}
{"level":"info","ts":1614185808.6752598,"logger":"tls.obtain","msg":"releasing lock","identifier":"lowarya.net"}
{"level":"info","ts":1614185808.6752853,"logger":"tls.obtain","msg":"releasing lock","identifier":"www.lowarya.net"}
{"level":"error","ts":1614185808.6757424,"logger":"tls","msg":"job failed","error":"lowarya.net: obtaining certificate: context canceled"}
{"level":"error","ts":1614185808.6757555,"logger":"tls","msg":"job failed","error":"www.lowarya.net: obtaining certificate: context canceled"}
{"level":"info","ts":1614185809.1758463,"logger":"admin","msg":"stopped previous server"}
{"level":"info","ts":1614185809.1760871,"msg":"shutdown done","signal":"SIGTERM"}
{"level":"info","ts":1614282351.1134455,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"info","ts":1614282351.120586,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
{"level":"info","ts":1614282351.1215386,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0003e5490"}
{"level":"info","ts":1614282351.1220176,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1614282351.122057,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1614282351.122928,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["www.lowarya.net","lowarya.net"]}
{"level":"info","ts":1614282351.123872,"msg":"autosaved config","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1614282351.124019,"msg":"serving initial configuration"}
{"level":"info","ts":1614282351.1247184,"logger":"tls.obtain","msg":"acquiring lock","identifier":"www.lowarya.net"}
{"level":"info","ts":1614282351.1262805,"logger":"tls.obtain","msg":"lock acquired","identifier":"www.lowarya.net"}
{"level":"info","ts":1614282351.1250682,"logger":"tls.obtain","msg":"acquiring lock","identifier":"lowarya.net"}
{"level":"info","ts":1614282351.126771,"logger":"tls.obtain","msg":"lock acquired","identifier":"lowarya.net"}
{"level":"info","ts":1614282351.1271727,"logger":"tls","msg":"cleaned up storage units"}
{"level":"info","ts":1614282351.154174,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["www.lowarya.net"]}
{"level":"info","ts":1614282351.1542013,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["lowarya.net"]}
{"level":"info","ts":1614282351.1544158,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["www.lowarya.net"]}
{"level":"info","ts":1614282351.154606,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["lowarya.net"]}
{"level":"info","ts":1614282352.3780818,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"www.lowarya.net","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"info","ts":1614282352.7044818,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"lowarya.net","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1614282353.5047364,"logger":"tls.issuance.acme.acme_client","msg":"cleaning up solver","identifier":"www.lowarya.net","challenge_type":"dns-01","error":"no memory of presenting a DNS record for www.lowarya.net (probably OK if presenting failed)"}
{"level":"error","ts":1614282353.6525683,"logger":"tls.obtain","msg":"will retry","error":"[www.lowarya.net] Obtain: [www.lowarya.net] solving challenges: presenting for challenge: adding temporary record for zone lowarya.net.: got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme-v02.api.letsencrypt.org/acme/order/113609671/8121643786) (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":2.526122497,"max_duration":2592000}
{"level":"error","ts":1614282354.299245,"logger":"tls.issuance.acme.acme_client","msg":"cleaning up solver","identifier":"lowarya.net","challenge_type":"dns-01","error":"no memory of presenting a DNS record for lowarya.net (probably OK if presenting failed)"}
{"level":"error","ts":1614282354.4408627,"logger":"tls.obtain","msg":"will retry","error":"[lowarya.net] Obtain: [lowarya.net] solving challenges: presenting for challenge: adding temporary record for zone lowarya.net.: got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme-v02.api.letsencrypt.org/acme/order/113609671/8121643849) (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":3.314070923,"max_duration":2592000}
{"level":"info","ts":1614282414.6645567,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"www.lowarya.net","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1614282415.4613917,"logger":"tls.issuance.acme.acme_client","msg":"cleaning up solver","identifier":"www.lowarya.net","challenge_type":"dns-01","error":"no memory of presenting a DNS record for www.lowarya.net (probably OK if presenting failed)"}
{"level":"info","ts":1614282415.7531357,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"lowarya.net","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1614282416.0117018,"logger":"tls.obtain","msg":"will retry","error":"[www.lowarya.net] Obtain: [www.lowarya.net] solving challenges: presenting for challenge: adding temporary record for zone lowarya.net.: got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/18231387/247243714) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":2,"retrying_in":120,"elapsed":64.885255503,"max_duration":2592000}
{"level":"error","ts":1614282416.5793214,"logger":"tls.issuance.acme.acme_client","msg":"cleaning up solver","identifier":"lowarya.net","challenge_type":"dns-01","error":"no memory of presenting a DNS record for lowarya.net (probably OK if presenting failed)"}
{"level":"error","ts":1614282416.7273855,"logger":"tls.obtain","msg":"will retry","error":"[lowarya.net] Obtain: [lowarya.net] solving challenges: presenting for challenge: adding temporary record for zone lowarya.net.: got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/18231387/247243727) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":2,"retrying_in":120,"elapsed":65.600592996,"max_duration":2592000}
{"level":"info","ts":1614282537.4083526,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"www.lowarya.net","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"info","ts":1614282537.8909068,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"lowarya.net","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1614282538.1968732,"logger":"tls.issuance.acme.acme_client","msg":"cleaning up solver","identifier":"www.lowarya.net","challenge_type":"dns-01","error":"no memory of presenting a DNS record for www.lowarya.net (probably OK if presenting failed)"}
{"level":"error","ts":1614282538.3424087,"logger":"tls.obtain","msg":"will retry","error":"[www.lowarya.net] Obtain: [www.lowarya.net] solving challenges: presenting for challenge: adding temporary record for zone lowarya.net.: got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/18231387/247244545) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":3,"retrying_in":120,"elapsed":187.215962597,"max_duration":2592000}
{"level":"error","ts":1614282538.9540389,"logger":"tls.issuance.acme.acme_client","msg":"cleaning up solver","identifier":"lowarya.net","challenge_type":"dns-01","error":"no memory of presenting a DNS record for lowarya.net (probably OK if presenting failed)"}
{"level":"error","ts":1614282539.0988069,"logger":"tls.obtain","msg":"will retry","error":"[lowarya.net] Obtain: [lowarya.net] solving challenges: presenting for challenge: adding temporary record for zone lowarya.net.: got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/18231387/247244550) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":3,"retrying_in":120,"elapsed":187.972014776,"max_duration":2592000}
{"level":"info","ts":1614282659.2607992,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"www.lowarya.net","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"info","ts":1614282659.9691448,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"lowarya.net","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1614282660.0919404,"logger":"tls.issuance.acme.acme_client","msg":"cleaning up solver","identifier":"www.lowarya.net","challenge_type":"dns-01","error":"no memory of presenting a DNS record for www.lowarya.net (probably OK if presenting failed)"}
{"level":"error","ts":1614282660.311493,"logger":"tls.obtain","msg":"will retry","error":"[www.lowarya.net] Obtain: [www.lowarya.net] solving challenges: presenting for challenge: adding temporary record for zone lowarya.net.: got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/18231387/247245516) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":4,"retrying_in":300,"elapsed":309.185046944,"max_duration":2592000}
{"level":"error","ts":1614282660.824008,"logger":"tls.issuance.acme.acme_client","msg":"cleaning up solver","identifier":"lowarya.net","challenge_type":"dns-01","error":"no memory of presenting a DNS record for lowarya.net (probably OK if presenting failed)"}
{"level":"error","ts":1614282661.472535,"logger":"tls.obtain","msg":"will retry","error":"[lowarya.net] Obtain: [lowarya.net] solving challenges: presenting for challenge: adding temporary record for zone lowarya.net.: got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/18231387/247245526) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":4,"retrying_in":300,"elapsed":310.345742472,"max_duration":2592000}
{"level":"info","ts":1614282961.214291,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"www.lowarya.net","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1614282962.0535383,"logger":"tls.issuance.acme.acme_client","msg":"cleaning up solver","identifier":"www.lowarya.net","challenge_type":"dns-01","error":"no memory of presenting a DNS record for www.lowarya.net (probably OK if presenting failed)"}
{"level":"error","ts":1614282962.1968896,"logger":"tls.obtain","msg":"will retry","error":"[www.lowarya.net] Obtain: [www.lowarya.net] solving challenges: presenting for challenge: adding temporary record for zone lowarya.net.: got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/18231387/247247952) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":5,"retrying_in":600,"elapsed":611.07044295,"max_duration":2592000}
{"level":"info","ts":1614282962.3521876,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"lowarya.net","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1614282963.4611344,"logger":"tls.issuance.acme.acme_client","msg":"cleaning up solver","identifier":"lowarya.net","challenge_type":"dns-01","error":"no memory of presenting a DNS record for lowarya.net (probably OK if presenting failed)"}
{"level":"error","ts":1614282963.6067624,"logger":"tls.obtain","msg":"will retry","error":"[lowarya.net] Obtain: [lowarya.net] solving challenges: presenting for challenge: adding temporary record for zone lowarya.net.: got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/18231387/247247962) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":5,"retrying_in":600,"elapsed":612.479969616,"max_duration":2592000}
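As an added example (not from the thread or from the Caddy project), a small Python script that triages Caddy's JSON logs for the two points of interest listed earlier: per hostname, how many obtain attempts failed, what the DNS provider's API returned, which CAs were tried, and whether a DNS record was ever presented. The log lines, hostnames and order URLs are constructed to mirror the thread's log.

```python
import json
import re
from collections import defaultdict

# Constructed sample in Caddy's JSON log format, modelled on the thread's log (host and order URLs made up).
SAMPLE_LOG = """\
{"level":"info","ts":1614282352.3,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"www.example.net","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1614282353.5,"logger":"tls.issuance.acme.acme_client","msg":"cleaning up solver","identifier":"www.example.net","challenge_type":"dns-01","error":"no memory of presenting a DNS record for www.example.net (probably OK if presenting failed)"}
{"level":"error","ts":1614282353.6,"logger":"tls.obtain","msg":"will retry","error":"[www.example.net] Obtain: [www.example.net] solving challenges: presenting for challenge: adding temporary record for zone example.net.: got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme-v02.api.letsencrypt.org/acme/order/1/2) (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":2.5,"max_duration":2592000}
docker: a non-JSON line from the container runtime, skipped by the parser
{"level":"error","ts":1614282416.0,"logger":"tls.obtain","msg":"will retry","error":"[www.example.net] Obtain: [www.example.net] solving challenges: presenting for challenge: adding temporary record for zone example.net.: got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/3/4) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":2,"retrying_in":120,"elapsed":64.9,"max_duration":2592000}
{"level":"info","ts":1614282700.0,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"example.net"}
"""
IDENT_RE = re.compile(r"^\[([^\]]+)\]")  # "[host] Obtain: ..." at the start of the error text
API_RE = re.compile(r"HTTP (\d{3}): \[\{Code:(\d+) Message:([^}]*)\}\]")  # provider API error as Caddy quotes it
CA_RE = re.compile(r"\(ca=([^)]+)\)")
NO_RECORD = "no memory of presenting a DNS record"  # solver cleanup: nothing was ever written to DNS

def parse_caddy_log(text):
    """Decode JSON log lines; lines that are not JSON objects (runtime noise) are skipped."""
    events = []
    for line in text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            pass
    return [e for e in events if isinstance(e, dict)]

def summarize_obtain(events):
    """Per identifier: highest attempt, last API error, CAs tried, whether a DNS record was ever presented."""
    summary = defaultdict(lambda: {"attempts": 0, "http": None, "code": None, "message": None,
                                   "cas": [], "record_presented": True, "obtained": False})
    for ev in events:
        logger, err = ev.get("logger", ""), ev.get("error", "")
        if logger == "tls.obtain" and ev.get("msg") == "will retry" and (m := IDENT_RE.match(err)):
            s = summary[m.group(1)]
            s["attempts"] = max(s["attempts"], ev.get("attempt", 0))
            if a := API_RE.search(err):
                s["http"], s["code"], s["message"] = int(a.group(1)), int(a.group(2)), a.group(3)
            if (c := CA_RE.search(err)) and c.group(1) not in s["cas"]:
                s["cas"].append(c.group(1))  # the thread's log switches to the staging CA after attempt 1
        elif logger == "tls.obtain" and ev.get("msg") == "certificate obtained successfully":
            summary[ev["identifier"]]["obtained"] = True
        elif logger.endswith("acme_client") and NO_RECORD in err:
            summary[ev["identifier"]]["record_presented"] = False
    return dict(summary)

def diagnose(entry):
    """Answer the question the replies above ask: did the DNS provider accept the request at all?"""
    if entry["obtained"]:
        return "certificate obtained"
    if entry["http"] is not None and not entry["record_presented"]:
        return (f"DNS provider API rejected the request (HTTP {entry['http']}, code {entry['code']}: "
                f"{entry['message']}) before any record was created: check the API token, not DNS")
    return "record presented but challenge failed: check DNS propagation" if entry["attempts"] else "no attempts logged"

if __name__ == "__main__":
    for host, entry in summarize_obtain(parse_caddy_log(SAMPLE_LOG)).items():
        print(f"{host}: {diagnose(entry)}")
```

Run it against a real container log with docker logs piped into parse_caddy_log; an HTTP 400 from the provider paired with a "no memory of presenting a DNS record" cleanup line means the request was refused before any record existed, which is the credential problem this thread ends up finding.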

I’m going to guess you didn’t use the right API token. Make sure to follow these instructions:


It works perfectly, just a blank page, but nothing serious. Thank you.

Great!

The empty page is because you haven’t told Caddy to actually serve any content. You’re probably looking for the file_server or reverse_proxy directives to help you do that.

You don’t need this; this was something in Caddy v1. In v2, the agreement is implicit by simply using Caddy.

I added a root to tell it to use the path /var/www/html, but it doesn’t work; I think I made a mistake. Otherwise, can I directly use the volume /usr/share/caddy/index.html?

lowarya.net {
  tls myEmail@example.fr {
    dns cloudflare {env.CLOUDFLARE_API_TOKEN}
  }
  root * /var/www/html
  file_server
}
www.lowarya.net {
  tls myEmail@example.fr {
    dns cloudflare {env.CLOUDFLARE_API_TOKEN}
  }
  root * /var/www/html
  file_server
}

What do you have in /var/www/html? Are you mounting that as a volume in your Docker container?

No, I do not mount it as a volume in my container; this path refers to my physical machine. That’s why I wondered if I shouldn’t create a volume for it.

You’ll definitely need to. Programs in Docker containers are completely isolated from the host machine; they have access to nothing by default, so you need to map network ports or mount filesystem directories.


Yes thank you again.

Sorry to come back unexpectedly, but I added a bind to add my HTML, CSS and JS files; the only problem is that the CSS and the JS do not seem to load.

Caddyfile:

lowarya.net {
  tls myEmail@example.fr {
    dns cloudflare {env.CLOUDFLARE_API_TOKEN}
  }
  root * /usr/share/caddy
  file_server
}
www.lowarya.net {
  tls myEmail@example.fr {
    dns cloudflare {env.CLOUDFLARE_API_TOKEN}
  }
  root * /usr/share/caddy
  file_server
}

You didn’t give enough detail for us to have a clue what might be the problem.

What does your docker volume mount look like? What files are in that directory? What’s in your index.html? What asset paths is your HTML trying to load? What’s in your Caddy logs?

Caddy logs:

{"level":"info","ts":1614365841.8464136,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1614365841.8495314,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["www.lowarya.net","lowarya.net"]}
{"level":"info","ts":1614365841.8619227,"logger":"tls","msg":"cleaned up storage units"}
{"level":"info","ts":1614365841.8795667,"msg":"autosaved config","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1614365841.8796155,"msg":"serving initial configuration"}
{"level":"info","ts":1614366613.6955974,"msg":"shutting down apps then terminating","signal":"SIGTERM"}
{"level":"info","ts":1614366614.2081206,"logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0xc0003c8770"}
{"level":"info","ts":1614366614.7094934,"logger":"admin","msg":"stopped previous server"}
{"level":"info","ts":1614366614.7097385,"msg":"shutdown done","signal":"SIGTERM"}
{"level":"info","ts":1614366616.038488,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"info","ts":1614366616.0472524,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
{"level":"info","ts":1614366616.0483153,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000386000"}
{"level":"info","ts":1614366616.0486872,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1614366616.0487351,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1614366616.0502687,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["lowarya.net","www.lowarya.net"]}
{"level":"info","ts":1614366616.0597205,"logger":"tls","msg":"cleaned up storage units"}
{"level":"info","ts":1614366616.0772102,"msg":"autosaved config","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1614366616.0772448,"msg":"serving initial configuration"}

Here are the volumes that I have mounted:

-v caddy_data:/data -v caddy_config:/config -v $PWD/Caddyfile:/etc/caddy/Caddyfile -v $PWD/website/index.html:/usr/share/caddy/index.html

My index.html only loads CSS and JS.

You’ve only mounted your index.html but not the rest of your site. You should mount like this: -v $PWD/website:/usr/share/caddy

I would recommend using /srv instead of /usr/share/caddy though; it’s easier to remember, and it’s the default working directory in the docker container. So something like -v $PWD/website:/srv and, in your Caddyfile, root * /srv.


It works perfectly thanks again.
