1. The problem I’m having:
I have caddy working as a reverse proxy with the following Caddyfile (minimal working example):
:80 {
    reverse_proxy :8080
}
I’d like caddy to automatically get a cert from Let’s Encrypt using the dns challenge. My DNS provider is inwx and it’s supported (GitHub - caddy-dns/inwx: Caddy module: dns.providers.inwx).
2. Error messages and/or full log output:
2024/04/28 07:29:41.982 INFO using adjacent Caddyfile
2024/04/28 07:29:41.984 INFO admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2024/04/28 07:29:41.984 INFO http.auto_https server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2024/04/28 07:29:41.984 INFO http.auto_https enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
2024/04/28 07:29:41.984 INFO tls.cache.maintenance started background certificate maintenance {"cache": "0xc0000f3a71"}
2024/04/28 07:29:41.985 INFO http.log server running {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2024/04/28 07:29:41.985 INFO http enabling HTTP/3 listener {"addr": ":443"}
2024/04/28 07:29:41.985 INFO failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details.
2024/04/28 07:29:41.985 INFO http.log server running {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2024/04/28 07:29:41.985 INFO http enabling automatic TLS certificate management {"domains": ["server.tld.com"]}
2024/04/28 07:29:41.986 WARN tls storage cleaning happened too recently; skipping for now {"storage": "FileStorage:/root/.local/share/caddy", "instance": "0e2f7f23-d9a1-4785-b21a-baf3129f0652", "try_again": "2024/04/29 07:29:41.986", "try_again_in": 86399.999999144}
2024/04/28 07:29:41.986 INFO autosaved config (load with --resume flag) {"file": "/root/.config/caddy/autosave.json"}
2024/04/28 07:29:41.986 INFO serving initial configuration
2024/04/28 07:29:41.986 INFO tls finished cleaning storage units
2024/04/28 07:29:41.987 INFO tls.obtain acquiring lock {"identifier": "server.tld.com"}
2024/04/28 07:29:41.989 INFO tls.obtain lock acquired {"identifier": "server.tld.com"}
2024/04/28 07:29:41.989 INFO tls.obtain obtaining certificate {"identifier": "server.tld.com"}
2024/04/28 07:29:41.990 INFO tls.issuance.acme waiting on internal rate limiter {"identifiers": ["server.tld.com"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "redacted"}
2024/04/28 07:29:41.990 INFO tls.issuance.acme done waiting on internal rate limiter {"identifiers": ["server.tld.com"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "redacted"}
2024/04/28 07:29:43.124 INFO tls.issuance.acme.acme_client trying to solve challenge {"identifier": "server.tld.com", "challenge_type": "dns-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2024/04/28 07:29:46.340 ERROR tls.issuance.acme.acme_client cleaning up solver {"identifier": "server.tld.com", "challenge_type": "dns-01", "error": "no memory of presenting a DNS record for \"_acme-challenge.server.tld.com\" (usually OK if presenting also failed)"}
2024/04/28 07:29:46.541 ERROR tls.obtain could not get certificate from issuer {"identifier": "server.tld.com", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[server.tld.com] solving challenges: presenting for challenge: adding temporary record for zone \"tld.com.\": (2200) Authentication error (order=https://acme-v02.api.letsencrypt.org/acme/order/1694630215/264750527187) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
2024/04/28 07:29:46.542 INFO tls.issuance.zerossl waiting on internal rate limiter {"identifiers": ["server.tld.com"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "redacted"}
2024/04/28 07:29:46.542 INFO tls.issuance.zerossl done waiting on internal rate limiter {"identifiers": ["server.tld.com"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "redacted"}
2024/04/28 07:29:48.041 INFO tls.issuance.zerossl.acme_client trying to solve challenge {"identifier": "server.tld.com", "challenge_type": "dns-01", "ca": "https://acme.zerossl.com/v2/DV90"}
2024/04/28 07:29:51.224 ERROR tls.issuance.zerossl.acme_client cleaning up solver {"identifier": "server.tld.com", "challenge_type": "dns-01", "error": "no memory of presenting a DNS record for \"_acme-challenge.server.tld.com\" (usually OK if presenting also failed)"}
2024/04/28 07:29:51.640 ERROR tls.obtain could not get certificate from issuer {"identifier": "server.tld.com", "issuer": "acme.zerossl.com-v2-DV90", "error": "[server.tld.com] solving challenges: presenting for challenge: adding temporary record for zone \"tld.com.\": (2200) Authentication error (order=https://acme.zerossl.com/v2/DV90/order/N920FcbgtATjow2OBBAYvA) (ca=https://acme.zerossl.com/v2/DV90)"}
2024/04/28 07:29:51.640 ERROR tls.obtain will retry {"error": "[server.tld.com] Obtain: [server.tld.com] solving challenges: presenting for challenge: adding temporary record for zone \"tld.com.\": (2200) Authentication error (order=https://acme.zerossl.com/v2/DV90/order/N920FcbgtATjow2OBBAYvA) (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 1, "retrying_in": 60, "elapsed": 9.650821592, "max_duration": 2592000}
2024/04/28 07:30:51.645 INFO tls.obtain obtaining certificate {"identifier": "server.tld.com"}
2024/04/28 07:30:52.976 INFO tls.issuance.acme.acme_client trying to solve challenge {"identifier": "server.tld.com", "challenge_type": "dns-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"}
2024/04/28 07:30:56.160 ERROR tls.issuance.acme.acme_client cleaning up solver {"identifier": "server.tld.com", "challenge_type": "dns-01", "error": "no memory of presenting a DNS record for \"_acme-challenge.server.tld.com\" (usually OK if presenting also failed)"}
2024/04/28 07:30:56.341 ERROR tls.obtain could not get certificate from issuer {"identifier": "server.tld.com", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[server.tld.com] solving challenges: presenting for challenge: adding temporary record for zone \"tld.com.\": (2200) Authentication error (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/146341284/12196123319) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
2024/04/28 07:30:57.450 INFO tls.issuance.zerossl.acme_client trying to solve challenge {"identifier": "server.tld.com", "challenge_type": "dns-01", "ca": "https://acme.zerossl.com/v2/DV90"}
2024/04/28 07:31:00.633 ERROR tls.issuance.zerossl.acme_client cleaning up solver {"identifier": "server.tld.com", "challenge_type": "dns-01", "error": "no memory of presenting a DNS record for \"_acme-challenge.server.tld.com\" (usually OK if presenting also failed)"}
2024/04/28 07:31:01.075 ERROR tls.obtain could not get certificate from issuer {"identifier": "server.tld.com", "issuer": "acme.zerossl.com-v2-DV90", "error": "[server.tld.com] solving challenges: presenting for challenge: adding temporary record for zone \"tld.com.\": (2200) Authentication error (order=https://acme.zerossl.com/v2/DV90/order/CSTtrt4ItkmlIcpigIb_Gptg) (ca=https://acme.zerossl.com/v2/DV90)"}
2024/04/28 07:31:01.075 ERROR tls.obtain will retry {"error": "[server.tld.com] Obtain: [server.tld.com] solving challenges: presenting for challenge: adding temporary record for zone \"tld.com.\": (2200) Authentication error (order=https://acme.zerossl.com/v2/DV90/order/CSTtrt4ItkmlIcpigIb_Gptg) (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 2, "retrying_in": 120, "elapsed": 79.086112409, "max_duration": 2592000}
^C2024/04/28 07:31:29.029 INFO shutting down {"signal": "SIGINT"}
2024/04/28 07:31:29.030 WARN exiting; byeee!! 👋 {"signal": "SIGINT"}
2024/04/28 07:31:29.030 INFO http servers shutting down with eternal grace period
2024/04/28 07:31:29.030 INFO tls.obtain releasing lock {"identifier": "server.tld.com"}
2024/04/28 07:31:29.030 ERROR tls.obtain unable to unlock {"identifier": "server.tld.com", "lock_key": "issue_cert_server.tld.com", "error": "remove /root/.local/share/caddy/locks/issue_cert_server.tld.com.lock: no such file or directory"}
2024/04/28 07:31:29.030 ERROR tls job failed {"error": "server.tld.com: obtaining certificate: context canceled"}
2024/04/28 07:31:29.030 INFO admin stopped previous server {"address": "localhost:2019"}
2024/04/28 07:31:29.031 INFO shutdown complete {"signal": "SIGINT", "exit_code": 0}
The problem is with my Caddyfile (pasted below), but even after reading lots I’m unable to find what exactly to put into it.
3. Caddy version:
v2.7.6
4. How I installed and ran Caddy:
I selected the inwx plugin and downloaded the caddy binary from Download Caddy.
a. System environment:
Debian 12.5, 64bit, no docker
b. Command:
caddy run
c. Service/unit/compose file:
Still evaluating caddy, no unit file.
d. My complete Caddy config:
I added the following Caddyfile.
{
    email myself@domain.com
    acme_dns inwx {
        username "redacted"
        password "redacted"
        shared_secret "redacted"
        endpoint_url "https://api.ote.domrobot.com/jsonrpc/"
    }
}
server.tld.com:443 {
    reverse_proxy :8080
}
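An added example (not code from the post or from Caddy): a small Python parser for Caddy's console-format log lines, quoted from the output above, that separates issuance failures raised while presenting the DNS record (the provider rejecting the request, here INWX code 2200) from failures at any later stage, so an operator watching certificate automation knows whether to look at DNS-provider credentials or at the CA. It assumes Caddy's console layout of "timestamp level logger message {json fields}".

```python
import json
import re
from collections import Counter

# Caddy "console" log line: timestamp, level, logger, message, then optional JSON fields (assumed layout).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \S+)\s+(?P<level>[A-Z]+)\s+(?P<logger>\S+)\s+"
    r"(?P<msg>.*?)(?:\s+(?P<fields>\{.*\}))?$"
)
# DNS-provider error embedded in the issuer error string, e.g. 'zone "tld.com.": (2200) Authentication error (order='.
PROVIDER_RE = re.compile(r'zone "(?P<zone>[^"]+)": \((?P<code>\d+)\) (?P<text>.+?) \(order=')

# Four lines copied from the log excerpt in the post (raw string keeps the \" escapes inside the JSON).
SAMPLE_LOG = r"""
2024/04/28 07:29:43.124 INFO tls.issuance.acme.acme_client trying to solve challenge {"identifier": "server.tld.com", "challenge_type": "dns-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2024/04/28 07:29:46.340 ERROR tls.issuance.acme.acme_client cleaning up solver {"identifier": "server.tld.com", "challenge_type": "dns-01", "error": "no memory of presenting a DNS record for \"_acme-challenge.server.tld.com\" (usually OK if presenting also failed)"}
2024/04/28 07:29:46.541 ERROR tls.obtain could not get certificate from issuer {"identifier": "server.tld.com", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[server.tld.com] solving challenges: presenting for challenge: adding temporary record for zone \"tld.com.\": (2200) Authentication error (order=https://acme-v02.api.letsencrypt.org/acme/order/1694630215/264750527187) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
2024/04/28 07:29:51.640 ERROR tls.obtain could not get certificate from issuer {"identifier": "server.tld.com", "issuer": "acme.zerossl.com-v2-DV90", "error": "[server.tld.com] solving challenges: presenting for challenge: adding temporary record for zone \"tld.com.\": (2200) Authentication error (order=https://acme.zerossl.com/v2/DV90/order/N920FcbgtATjow2OBBAYvA) (ca=https://acme.zerossl.com/v2/DV90)"}
"""

def parse_line(line):
    """Return a dict with ts/level/logger/msg/fields, or None if this is not a Caddy log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = json.loads(rec["fields"]) if rec["fields"] else {}
    return rec

def classify_failure(rec):
    """For a 'tls.obtain could not get certificate from issuer' record, say where issuance broke."""
    if rec is None or rec["logger"] != "tls.obtain" or rec["msg"] != "could not get certificate from issuer":
        return None
    err = rec["fields"].get("error", "")
    out = {"identifier": rec["fields"].get("identifier"), "issuer": rec["fields"].get("issuer")}
    # "presenting for challenge" means the DNS module could not create the _acme-challenge record;
    # the CA never got as far as validating anything, so the fix is on the provider/credential side.
    out["stage"] = "dns-provider-present" if "presenting for challenge" in err else "other"
    pm = PROVIDER_RE.search(err)
    if pm:
        out.update(zone=pm["zone"], provider_code=pm["code"], provider_text=pm["text"])
    return out

def summarize(lines):
    """Return the list of issuance failures and a count keyed by (stage, provider error code)."""
    failures = [f for f in (classify_failure(parse_line(l)) for l in lines) if f]
    return failures, Counter((f["stage"], f.get("provider_code")) for f in failures)

if __name__ == "__main__":
    for f in summarize(SAMPLE_LOG.splitlines())[0]:
        print(f)
```

Run over a full `caddy run` log the same way; a run where every failure sits at the `dns-provider-present` stage with one provider code points at the DNS module configuration rather than at ACME rate limits or the CA.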