Example Caddyfile for acme w INWX / dns challenge

1. The problem I’m having:

I have caddy working as a reverse proxy with the following Caddyfile (minimal working example):

:80 {
    reverse_proxy :8080
}

I’d like caddy to automatically get a cert from Let’s Encrypt using the dns challenge. My DNS provider is inwx and it’s supported (GitHub - caddy-dns/inwx: Caddy module: dns.providers.inwx).

2. Error messages and/or full log output:

2024/04/28 07:29:41.982 INFO    using adjacent Caddyfile
2024/04/28 07:29:41.984 INFO    admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2024/04/28 07:29:41.984 INFO    http.auto_https server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2024/04/28 07:29:41.984 INFO    http.auto_https enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2024/04/28 07:29:41.984 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc0000e3f80"}
2024/04/28 07:29:41.985 INFO    http.log        server running  {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2024/04/28 07:29:41.985 INFO    http    enabling HTTP/3 listener        {"addr": ":443"}
2024/04/28 07:29:41.985 INFO    failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details.
2024/04/28 07:29:41.985 INFO    http.log        server running  {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2024/04/28 07:29:41.985 INFO    http    enabling automatic TLS certificate management   {"domains": ["server.tld.com"]}
2024/04/28 07:29:41.986 WARN    tls     storage cleaning happened too recently; skipping for now        {"storage": "FileStorage:/root/.local/share/caddy", "instance": "0e3f6b23-d9a1-4785-b39f-baf3129f0670", "try_again": "2024/04/29 07:29:41.986", "try_again_in": 86399.999999144}
2024/04/28 07:29:41.986 INFO    autosaved config (load with --resume flag)      {"file": "/root/.config/caddy/autosave.json"}
2024/04/28 07:29:41.986 INFO    serving initial configuration
2024/04/28 07:29:41.986 INFO    tls     finished cleaning storage units
2024/04/28 07:29:41.987 INFO    tls.obtain      acquiring lock  {"identifier": "server.tld.com"}
2024/04/28 07:29:41.989 INFO    tls.obtain      lock acquired   {"identifier": "server.tld.com"}
2024/04/28 07:29:41.989 INFO    tls.obtain      obtaining certificate   {"identifier": "server.tld.com"}
2024/04/28 07:29:41.990 INFO    tls.issuance.acme       waiting on internal rate limiter        {"identifiers": ["server.tld.com"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "redacted"}
2024/04/28 07:29:41.990 INFO    tls.issuance.acme       done waiting on internal rate limiter   {"identifiers": ["server.tld.com"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "redacted"}
2024/04/28 07:29:43.124 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "server.tld.com", "challenge_type": "dns-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2024/04/28 07:29:46.340 ERROR   tls.issuance.acme.acme_client   cleaning up solver      {"identifier": "server.tld.com", "challenge_type": "dns-01", "error": "no memory of presenting a DNS record for \"_acme-challenge.server.tld.com\" (usually OK if presenting also failed)"}
2024/04/28 07:29:46.541 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "server.tld.com", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[server.tld.com] solving challenges: presenting for challenge: adding temporary record for zone \"tld.com.\": (2200) Authentication error (order=https://acme-v02.api.letsencrypt.org/acme/order/1694630127/264770597197) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
2024/04/28 07:29:46.542 INFO    tls.issuance.zerossl    waiting on internal rate limiter        {"identifiers": ["server.tld.com"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "redacted"}
2024/04/28 07:29:46.542 INFO    tls.issuance.zerossl    done waiting on internal rate limiter   {"identifiers": ["server.tld.com"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "redacted"}
2024/04/28 07:29:48.041 INFO    tls.issuance.zerossl.acme_client        trying to solve challenge       {"identifier": "server.tld.com", "challenge_type": "dns-01", "ca": "https://acme.zerossl.com/v2/DV90"}
2024/04/28 07:29:51.224 ERROR   tls.issuance.zerossl.acme_client        cleaning up solver      {"identifier": "server.tld.com", "challenge_type": "dns-01", "error": "no memory of presenting a DNS record for \"_acme-challenge.server.tld.com\" (usually OK if presenting also failed)"}
2024/04/28 07:29:51.640 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "server.tld.com", "issuer": "acme.zerossl.com-v2-DV90", "error": "[server.tld.com] solving challenges: presenting for challenge: adding temporary record for zone \"tld.com.\": (2200) Authentication error (order=https://acme.zerossl.com/v2/DV90/order/N920FbbgkATjbw2OBZAYvA) (ca=https://acme.zerossl.com/v2/DV90)"}
2024/04/28 07:29:51.640 ERROR   tls.obtain      will retry      {"error": "[server.tld.com] Obtain: [server.tld.com] solving challenges: presenting for challenge: adding temporary record for zone \"tld.com.\": (2200) Authentication error (order=https://acme.zerossl.com/v2/DV90/order/N920FbbgkATjbw2OBZAYvA) (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 1, "retrying_in": 60, "elapsed": 9.650821592, "max_duration": 2592000}
2024/04/28 07:30:51.645 INFO    tls.obtain      obtaining certificate   {"identifier": "server.tld.com"}
2024/04/28 07:30:52.976 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "server.tld.com", "challenge_type": "dns-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"}
2024/04/28 07:30:56.160 ERROR   tls.issuance.acme.acme_client   cleaning up solver      {"identifier": "server.tld.com", "challenge_type": "dns-01", "error": "no memory of presenting a DNS record for \"_acme-challenge.server.tld.com\" (usually OK if presenting also failed)"}
2024/04/28 07:30:56.341 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "server.tld.com", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[server.tld.com] solving challenges: presenting for challenge: adding temporary record for zone \"tld.com.\": (2200) Authentication error (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/146241294/16197127314) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
2024/04/28 07:30:57.450 INFO    tls.issuance.zerossl.acme_client        trying to solve challenge       {"identifier": "server.tld.com", "challenge_type": "dns-01", "ca": "https://acme.zerossl.com/v2/DV90"}
2024/04/28 07:31:00.633 ERROR   tls.issuance.zerossl.acme_client        cleaning up solver      {"identifier": "server.tld.com", "challenge_type": "dns-01", "error": "no memory of presenting a DNS record for \"_acme-challenge.server.tld.com\" (usually OK if presenting also failed)"}
2024/04/28 07:31:01.075 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "server.tld.com", "issuer": "acme.zerossl.com-v2-DV90", "error": "[server.tld.com] solving challenges: presenting for challenge: adding temporary record for zone \"tld.com.\": (2200) Authentication error (order=https://acme.zerossl.com/v2/DV90/order/CSTtvt4BtkewIcgIb_Gptg) (ca=https://acme.zerossl.com/v2/DV90)"}
2024/04/28 07:31:01.075 ERROR   tls.obtain      will retry      {"error": "[server.tld.com] Obtain: [server.tld.com] solving challenges: presenting for challenge: adding temporary record for zone \"tld.com.\": (2200) Authentication error (order=https://acme.zerossl.com/v2/DV90/order/CSTtvt4BtkewIcgIb_Gptg) (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 2, "retrying_in": 120, "elapsed": 79.086112409, "max_duration": 2592000}
^C2024/04/28 07:31:29.029       INFO    shutting down   {"signal": "SIGINT"}
2024/04/28 07:31:29.030 WARN    exiting; byeee!! 👋     {"signal": "SIGINT"}
2024/04/28 07:31:29.030 INFO    http    servers shutting down with eternal grace period
2024/04/28 07:31:29.030 INFO    tls.obtain      releasing lock  {"identifier": "server.tld.com"}
2024/04/28 07:31:29.030 ERROR   tls.obtain      unable to unlock        {"identifier": "server.tld.com", "lock_key": "issue_cert_server.tld.com", "error": "remove /root/.local/share/caddy/locks/issue_cert_server.tld.com.lock: no such file or directory"}
2024/04/28 07:31:29.030 ERROR   tls     job failed      {"error": "server.tld.com: obtaining certificate: context canceled"}
2024/04/28 07:31:29.030 INFO    admin   stopped previous server {"address": "localhost:2019"}
2024/04/28 07:31:29.031 INFO    shutdown complete       {"signal": "SIGINT", "exit_code": 0}

The problem is with my Caddyfile (pasted below), but even after reading lots I’m unable to find what exactly to put into it.

3. Caddy version:

v2.7.6

4. How I installed and ran Caddy:

I selected the inwx plugin and downloaded the caddy binary from Download Caddy.

a. System environment:

Debian 12.5, 64bit, no docker

b. Command:

caddy run

c. Service/unit/compose file:

Still evaluating caddy, no unit file.

d. My complete Caddy config:

I added the following Caddyfile.

{
    email myself@domain.com
    acme_dns inwx {
        username "redacted"
        password "redacted"
        shared_secret "redacted"
        endpoint_url "https://api.ote.domrobot.com/jsonrpc/"
    }
}

server.tld.com:443 {
    reverse_proxy :8080
}

5. Links to relevant resources:
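As an added example that is not part of this thread, the Caddy project or the inwx plugin: a small Python triage script for exactly this kind of log. It parses Caddy's console log lines (the format pasted above, with the tabs flattened to spaces), isolates the `tls.obtain` failures and pulls out, per attempt, the identifier, the CA, the DNS zone the solver tried to write to and the provider's authentication error code, so the distinction between "the CA rejected us", "the TXT record never appeared" and "the DNS provider refused our credentials" is visible at a glance. It also reads the `acme_dns` block of a Caddyfile and flags an `endpoint_url` on an OTE/test host, since INWX's OT&E API is a separate test environment with its own accounts. The sample lines are copied from this post; the function names and the `.ote.` heuristic are my own assumptions, not anything the plugin documents.

```python
"""Triage Caddy ACME/DNS-01 failures from console log lines (added example, not Caddy code)."""
import json
import re

# Caddy's console encoder writes: "<date> <time> <LEVEL>\t<logger>\t<message>\t<json fields>".
# Pasted into a forum the tabs become runs of spaces, so both separators are accepted.
_LEVELS = "DEBUG|INFO|WARN|ERROR|PANIC|FATAL"
_HEAD_RE = re.compile(
    r"^(?:\^C)?(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(" + _LEVELS + r")\s+(.*)$"
)
# Provider-side failure as surfaced in Caddy's "adding temporary record" error text.
_ZONE_RE = re.compile(r'adding temporary record for zone "([^"]+)"')
_AUTH_RE = re.compile(r"\((\d{4})\) Authentication error")
# Global-options block of a Caddyfile: acme_dns <provider> { key value ... }
_ACME_DNS_RE = re.compile(r"acme_dns\s+(\S+)\s*\{(.*?)\}", re.S)

# Constructed sample: five lines copied from the log in this post.
SAMPLE_LOG = r"""
2024/04/28 07:29:41.985 INFO    failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details.
2024/04/28 07:29:43.124 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "server.tld.com", "challenge_type": "dns-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2024/04/28 07:29:46.541 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "server.tld.com", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[server.tld.com] solving challenges: presenting for challenge: adding temporary record for zone \"tld.com.\": (2200) Authentication error (order=https://acme-v02.api.letsencrypt.org/acme/order/1694630127/264770597197) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
2024/04/28 07:29:51.640 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "server.tld.com", "issuer": "acme.zerossl.com-v2-DV90", "error": "[server.tld.com] solving challenges: presenting for challenge: adding temporary record for zone \"tld.com.\": (2200) Authentication error (order=https://acme.zerossl.com/v2/DV90/order/N920FbbgkATjbw2OBZAYvA) (ca=https://acme.zerossl.com/v2/DV90)"}
^C2024/04/28 07:31:29.029       INFO    shutting down   {"signal": "SIGINT"}
""".strip().splitlines()

# Constructed sample: the global block from the Caddyfile in this post.
SAMPLE_CADDYFILE = """
{
    email myself@domain.com
    acme_dns inwx {
        username "redacted"
        password "redacted"
        shared_secret "redacted"
        endpoint_url "https://api.ote.domrobot.com/jsonrpc/"
    }
}
"""


def parse_line(line):
    """Split one console log line into ts, level, logger, msg and the JSON fields."""
    m = _HEAD_RE.match(line.strip())
    if not m:
        return None
    ts, level, rest = m.groups()
    fields = {}
    j = rest.find('{"')
    if j != -1 and rest.rstrip().endswith("}"):
        try:
            fields = json.loads(rest[j:])
            rest = rest[:j]
        except json.JSONDecodeError:
            pass  # message merely contained a brace; keep it as text
    parts = [p for p in re.split(r"\t|\s{2,}", rest.strip()) if p]
    if len(parts) >= 2:
        logger, msg = parts[0], " ".join(parts[1:])
    else:  # lines without a logger name, e.g. "shutting down"
        logger, msg = "", (parts[0] if parts else "")
    return {"ts": ts, "level": level, "logger": logger, "msg": msg, "fields": fields}


def triage(lines):
    """Collect every failed issuance attempt with the facts needed to place the fault."""
    failures = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["level"] != "ERROR" or rec["logger"] != "tls.obtain":
            continue
        if rec["msg"] != "could not get certificate from issuer":
            continue
        err = rec["fields"].get("error", "")
        zone = _ZONE_RE.search(err)
        auth = _AUTH_RE.search(err)
        failures.append({
            "ts": rec["ts"],
            "identifier": rec["fields"].get("identifier"),
            "issuer": rec["fields"].get("issuer"),
            "zone": zone.group(1) if zone else None,               # zone the solver wrote to
            "provider_auth_error": auth.group(1) if auth else None,  # provider's numeric code
        })
    return failures


def classify(failures):
    """Coarse verdict: if every CA failed while creating the TXT record with a provider
    authentication error, the fault is the provider credentials/endpoint, not the CA,
    rate limiting or DNS propagation."""
    if not failures:
        return "no-failures"
    if all(f["provider_auth_error"] for f in failures):
        return "dns-provider-auth"
    if any(f["zone"] for f in failures):
        return "dns-provider-other"
    return "other"


def dns_provider_settings(caddyfile):
    """Return (provider, {option: value}) from the global acme_dns block, or (None, {})."""
    m = _ACME_DNS_RE.search(caddyfile)
    if not m:
        return None, {}
    opts = {}
    for raw in m.group(2).splitlines():
        raw = raw.strip()
        if raw:
            key, _, val = raw.partition(" ")
            opts[key] = val.strip().strip('"')
    return m.group(1), opts


def review_dns_settings(provider, opts):
    """Heuristic (my assumption): a host containing '.ote.' is a test environment."""
    findings = []
    url = opts.get("endpoint_url", "")
    if ".ote." in url:
        findings.append(f"{provider}: endpoint_url {url} is an OTE/test host; the username, "
                        "password and shared_secret must belong to that test account, not the live one")
    return findings


if __name__ == "__main__":
    fails = triage(SAMPLE_LOG)
    for f in fails:
        print(f"{f['ts']} {f['identifier']} via {f['issuer']}: zone={f['zone']} "
              f"provider_error={f['provider_auth_error']}")
    print("verdict:", classify(fails))
    for finding in review_dns_settings(*dns_provider_settings(SAMPLE_CADDYFILE)):
        print("caddyfile:", finding)
```

Run it against a full `caddy run` capture with `triage(open("caddy.log").read().splitlines())`; the useful signal here is that both CAs (Let's Encrypt and the ZeroSSL fallback) fail at the same step with the same provider error code, which rules out the CA side and the Caddyfile's site block and points at the credentials or the endpoint handed to the DNS module.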

This looks like your config for your DNS provider is wrong.

I know nothing about that DNS provider, probably best if you open an issue on GitHub to get help.

Oh, all right. I thought this line and the next one were about Let’s Encrypt rather than my DNS provider.

But I’m one step further now, as you didn’t say my Caddyfile was not OK 🙂