Failed to get certificate: acme: Error 400


(Chuck Connors) #1

Very new to Caddy but excited that it might be exactly what I need. I’ve got Caddy running on my openmediavault server which is:

Linux omv 4.17.0-0.bpo.3-amd64 #1 SMP Debian 4.17.17-1~bpo9+1 (2018-08-27) x86_64 GNU/Linux

I was getting errors trying to run on port 80 saying that the port was already in use so I’m running caddy like this:

root@omv:/sharedfolders/appdata/Caddy/direct# caddy -http-port 82 -host mycoolsubdomain.duckdns.org

I enter my email for the duckdns account and I get this error:

Activating privacy features... 2018/09/10 07:43:54 [mycoolsubdomain.duckdns.org] failed to get certificate: acme: Error 400 - urn:ietf:params:acme:error:connection - Fetching http://mycoolsubdomain.duckdns.org/.well-known/acme-challenge/PJ3F1jq1KL3rxuB9Maxc4AD6xuBOi5J88wOsPLcq-pI: Timeout during connect (likely firewall problem)

I have both ports 82 and 443 forwarded to the machine that Caddy is running on. To the best of my knowledge, there is no firewall running on this machine. Also, my ISP blocks port 80 for home use so that’s another reason I am using port 82.

Can someone give me some suggestions on what to try so that I can get this running? Many many thanks!


(Chuck Connors) #2

Figured out what was running on port 80 and was able to stop it. Forwarded 80 from my router to the caddy machine and ran it without -http-port 82 but am getting the same error.

Is there a way to challenge on 443 instead of 80 or 82? Perhaps the ISP blocking of port 80 is the problem?


(Chuck Connors) #3

Also, before coming to Caddy, I was trying to set up a reverse proxy with NGINX. I have set up a Let’s Encrypt docker container and it successfully pulls certs for my subdomain at duckdns.org. Can I somehow use those certs with Caddy? Would that eliminate the problem that I am having?


(Chuck Connors) #4

So I can load certs by changing my Caddyfile to include:

mycoolsubdomain.duckdns.org:443
tls  cert.pem privkey.pem
proxy /  192.168.0.25:8080

and when launched from command line I see:

Activating privacy features... done.
https://mycoolsubdomain.duckdns.org
WARNING: File descriptor limit 1024 is too low for production servers. At least 8192 is recommended. Fix with "ulimit -n 8192".

netstat -ltnp shows

tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      2533/python
tcp6       0      0 :::443                  :::*                    LISTEN      30293/caddy

The first entry at 8080 is the web page I’m wanting to forward to. This is a Docker container running sabnzbd. I can access it on my network at 192.168.0.25 (IP of the server), but Docker shows it running as IP 0.0.0.0… Also you can see Caddy running at 443 but it is at tcp6… what does this mean?


(Chuck Connors) #5

So it turns out that my router (Google Wifi) needed to be rebooted as the port forwarding confused it somehow.


(Matthew Fay) #6

Interesting.

If port 80 is blocked by your ISP, it should be impossible for Let’s Encrypt to do HTTP validation. Let’s Encrypt doesn’t care what port Caddy is running on - HTTP validation must always take place on the standard port 80.
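A small pre-flight check for the point made in that reply, as an added example that is not part of this thread and not Caddy's own code: it fetches the challenge URL the way the CA would (always on port 80, whatever port the server was started with) and classifies the outcome, so a connect timeout from outside the LAN points at the ISP block, NAT or firewall before any certificate is requested. The domain, the token and the key-authorization string are constructed for the demo; the local stand-in server only exists so the script can exercise itself offline.

```python
"""Pre-flight check for Let's Encrypt HTTP-01 validation (added example).

The CA fetches http://<domain>/.well-known/acme-challenge/<token> on
port 80, regardless of the -http-port the web server listens on, so the
real probe always targets VALIDATION_PORT.
"""
import socket
import sys
import threading
import http.client
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

ACME_PREFIX = "/.well-known/acme-challenge/"
VALIDATION_PORT = 80  # HTTP-01 is fetched on port 80, never on 82 or 443


def challenge_url(domain, token):
    """URL the CA will fetch; the port is fixed at 80, so none is written."""
    return f"http://{domain}{ACME_PREFIX}{token}"


def probe(host, port, token, timeout=5.0):
    """Fetch the challenge the way the CA would and classify the result.

    Returns (status, detail):
      ("ok", body)          challenge served; body is the key authorization
      ("refused", msg)      nothing listening on that port at that host
      ("timeout", msg)      SYN never answered: ISP block, NAT or firewall
      ("http-<code>", body) something answered, but not with the challenge
      ("error", msg)        any other socket-level failure (DNS, unreachable)
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", ACME_PREFIX + token)
        resp = conn.getresponse()
        body = resp.read().decode("ascii", "replace")
        if resp.status == 200:
            return "ok", body
        return f"http-{resp.status}", body
    except socket.timeout:  # must precede OSError: it is a subclass of it
        return "timeout", "Timeout during connect (likely firewall problem)"
    except ConnectionRefusedError as e:
        return "refused", str(e)
    except OSError as e:
        return "error", str(e)
    finally:
        conn.close()


def serve_challenge(token, key_authorization, port=0):
    """Local stand-in for Caddy's challenge responder (demo only).

    Answers only ACME_PREFIX + token; port 0 lets the OS pick a free port.
    Returns (server, bound_port); call server.shutdown() when done.
    """
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path == ACME_PREFIX + token:
                payload = key_authorization.encode("ascii")
                self.send_response(200)
                self.send_header("Content-Type", "application/octet-stream")
                self.send_header("Content-Length", str(len(payload)))
                self.end_headers()
                self.wfile.write(payload)
            else:
                self.send_error(404)

        def log_message(self, *args):  # keep the demo output quiet
            pass

    srv = ThreadingHTTPServer(("127.0.0.1", port), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def unused_port():
    """Pick a port nothing listens on, to demonstrate the 'refused' case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Constructed demo values; the token format mirrors the one in the thread.
    token = "PJ3F1jq1KL3rxuB9Maxc4AD6xuBOi5J88wOsPLcq-pI"
    if len(sys.argv) > 1:  # real check: python3 acme_preflight.py your.domain
        print("CA would fetch:", challenge_url(sys.argv[1], token))
        print(probe(sys.argv[1], VALIDATION_PORT, token))
    else:  # offline self-demonstration against the local stand-in server
        srv, port = serve_challenge(token, token + ".constructed-thumbprint")
        print("served:", probe("127.0.0.1", port, token))
        print("wrong token:", probe("127.0.0.1", port, "nope"))
        srv.shutdown()
        print("closed port:", probe("127.0.0.1", unused_port(), token))
```

Run the real check from a host outside your own network (a phone on mobile data, a cheap VPS): many home routers do not hairpin a forwarded port back to the LAN, so a probe from inside can fail or succeed for reasons unrelated to what the CA sees. A "timeout" on port 80 with "ok" on 443 is exactly the symptom of an ISP or router block on 80.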