Error adding certificate on my local server's domain name

1. The problem I’m having:

I am trying to proxy my local website, but when launching Caddy I have errors in the logs telling me that Let's Encrypt cannot certify my domain name, so my website isn't certified.

2. Error messages and/or full log output:

août 10 15:14:01 example.lan caddy[80761]: {"level":"error","ts":1691673241.56095,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"sub.example.lan","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Error creating new order :: Cannot issue for \"sub.example.lan\": Domain name does not end with a valid public suffix (TLD)"}
août 10 15:14:01 example.lan caddy[80761]: {"level":"debug","ts":1691673241.5611944,"logger":"tls.obtain","msg":"trying issuer 2/2","issuer":"acme.zerossl.com-v2-DV90"}
août 10 15:14:01 example.lan caddy[80761]: {"level":"info","ts":1691673241.5622146,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["sub.example.lan"],"ca":"https://acme.zerossl.com/v2/DV90","account":"admin@example.fr"}
août 10 15:14:01 example.lan caddy[80761]: {"level":"info","ts":1691673241.5624,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["sub.example.lan"],"ca":"https://acme.zerossl.com/v2/DV90","account":"admin@example.fr"}
août 10 15:14:01 example.lan caddy[80761]: {"level":"debug","ts":1691673241.8369036,"logger":"http.acme_client","msg":"http request","method":"GET","url":"https://acme.zerossl.com/v2/DV90","headers":{"User-Agent":["Caddy/2.7.3 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Content-Length":["645"],"Content-Type":["application/json"],"Date":["Thu, 10 Aug 2023 13:14:01 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
août 10 15:14:02 example.lan caddy[80761]: {"level":"debug","ts":1691673242.4072201,"logger":"http.acme_client","msg":"http request","method":"HEAD","url":"https://acme.zerossl.com/v2/DV90/newNonce","headers":{"User-Agent":["Caddy/2.7.3 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Type":["application/octet-stream"],"Date":["Thu, 10 Aug 2023 13:14:02 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["LoJxynE1ySrBjq5UVAqBMJriJmxnhd3h8OhQbjKCdbI"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
août 10 15:14:02 example.lan caddy[80761]: {"level":"debug","ts":1691673242.6205025,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/newOrder","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.3 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["123"],"Content-Type":["application/problem+json"],"Date":["Thu, 10 Aug 2023 13:14:02 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["gRCsHOxVnMRHw9f0zuGpj1KUrCPLw_UzQ30YvZaJUOE"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":400}
août 10 15:14:02 example.lan caddy[80761]: {"level":"error","ts":1691673242.6214533,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"example.lan","issuer":"acme.zerossl.com-v2-DV90","error":"HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [sub.example.lan]"}
août 10 15:14:02 example.lan caddy[80761]: {"level":"debug","ts":1691673242.6219587,"logger":"events","msg":"event","name":"cert_failed","id":"c5ba3a15-d491-4d65-9e8f-c7b783345383","origin":"tls","data":{"error":{},"identifier":"sub.example.lan","issuers":["acme-v02.api.letsencrypt.org-directory","acme.zerossl.com-v2-DV90"],"renewal":false}}
août 10 15:14:02 example.lan caddy[80761]: {"level":"error","ts":1691673242.6223698,"logger":"tls.obtain","msg":"will retry","error":"[sub.example.lan] Obtain: [sub.example.lan] creating new order: attempt 1: https://acme.zerossl.com/v2/DV90/newOrder: HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [sub.example.lan] (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":1.905036892,"max_duration":2592000}

3. Caddy version:

v2.7.3

4. How I installed and ran Caddy:

sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy
systemctl start caddy.service
systemctl enable caddy.service

a. System environment:

debian 11

b. Command:

vi /etc/caddy/Caddyfile
systemctl restart caddy
journalctl --no-pager -u caddy

c. Service/unit/compose file:

systemd

d. My complete Caddy config:

{
        debug true
}

sub.example.lan {
    reverse_proxy sub.example.lan:80
}

This doesn’t look like a public domain, so you can’t get a publicly trusted certificate.

You’ll need to add tls internal to have Caddy issue a cert using its own CA, then run sudo caddy trust to install the root CA cert in your system’s trust store.


Yes, it’s impossible to get a publicly trusted certificate for a TLD like .lan because it’s not a registered TLD.

You’ll need to use a real domain name (one you purchased, or a free one from DuckDNS or something, and not one you invented). Then you’ll either have to have your server publicly accessible to use the ACME HTTP or ACME TLS-ALPN challenges, OR you’ll need to compile Caddy with a DNS plugin for the DNS provider you chose to solve the ACME DNS challenge, to prove you control the domain.
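As an added illustration of the two answers above (this is example code, not from the thread or from the Caddy project): it parses journalctl lines in the format quoted in the question, collects every identifier the ACME issuers answered with rejectedIdentifier, and sorts each hostname into "public" (a public CA could issue), "internal" (a reserved or invented suffix such as .lan, where tls internal is the only option) or "unknown". The log lines and the list of delegated TLDs are constructed for the example.

```python
import json
import re

# Constructed sample in the shape of the journalctl output quoted in the
# question: a syslog prefix, then Caddy's JSON log record.
SAMPLE_JOURNAL = r"""
août 10 15:14:01 example.lan caddy[80761]: {"level":"error","ts":1691673241.56095,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"sub.example.lan","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Error creating new order :: Cannot issue for \"sub.example.lan\": Domain name does not end with a valid public suffix (TLD)"}
août 10 15:14:01 example.lan caddy[80761]: {"level":"debug","ts":1691673241.5611944,"logger":"tls.obtain","msg":"trying issuer 2/2","issuer":"acme.zerossl.com-v2-DV90"}
août 10 15:14:02 example.lan caddy[80761]: {"level":"error","ts":1691673242.6214533,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"sub.example.lan","issuer":"acme.zerossl.com-v2-DV90","error":"HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [sub.example.lan]"}
"""

# Everything after "caddy[<pid>]: " is the JSON record.
JOURNAL_LINE = re.compile(r"^.*?caddy\[\d+\]: (?P<json>\{.*\})$")

# Constructed subset of delegated TLDs; a real check would load the IANA
# root zone list (https://data.iana.org/TLD/tlds-alpha-by-domain.txt).
PUBLIC_TLDS = {"com", "net", "org", "fr", "io", "dev"}

# Suffixes reserved for local use (RFC 6761, RFC 6762, RFC 8375) plus the
# invented .lan from the question: no public CA will ever issue for these.
PRIVATE_SUFFIXES = {"local", "localhost", "test", "example", "invalid", "home.arpa", "lan"}

def parse_journal(text):
    """Yield Caddy's JSON records from journalctl output, skipping other lines."""
    for line in text.splitlines():
        match = JOURNAL_LINE.match(line)
        if match:
            yield json.loads(match.group("json"))

def rejected_identifiers(text):
    """Map each identifier to the issuers that answered with ACME rejectedIdentifier."""
    rejected = {}
    for rec in parse_journal(text):
        if rec.get("logger") == "tls.obtain" and "rejectedIdentifier" in rec.get("error", ""):
            rejected.setdefault(rec["identifier"], []).append(rec["issuer"])
    return rejected

def issuance_advice(hostname):
    """'internal' -> use tls internal; 'public' -> ACME can work; 'unknown' -> TLD not in our list."""
    name = hostname.lower().rstrip(".")
    if any(name == s or name.endswith("." + s) for s in PRIVATE_SUFFIXES):
        return "internal"
    return "public" if name.rsplit(".", 1)[-1] in PUBLIC_TLDS else "unknown"

if __name__ == "__main__":
    for ident, issuers in rejected_identifiers(SAMPLE_JOURNAL).items():
        print(ident, "rejected by", issuers, "->", issuance_advice(ident))
```

Feeding it real output from journalctl --no-pager -u caddy tells you at a glance which site blocks need tls internal instead of retrying public issuance every minute.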

So if I understand correctly, I have no possible solution for certifying my web pages on my local network?

Like I said:

And you’ll need to install the root CA cert to any devices on your network that you want to trust the server.

There’s no way to automate installation of root CA certs onto other devices, it has to be done manually, but you only need to do it once.

You need to install Caddy’s root CA cert on any devices that want to connect to your server. This establishes trust.

Please, is it possible to delete the post? There are some credentials like the FQDN that I don’t want to leave in public…
