1. The problem I’m having:
I’m testing the ACME implementation in Caddy against Digicert’s ACME service and it’s causing an error - I think in the register phase - and is unable to continue.
2. Error messages and/or full log output:
2024/12/12 16:31:28.247 INFO tls.obtain acquiring lock {"identifier": "test-20241211c.example.ac.uk"}
2024/12/12 16:31:28.247 INFO tls finished cleaning storage units
2024/12/12 16:31:28.247 INFO tls.obtain lock acquired {"identifier": "test-20241211c.example.ac.uk"}
2024/12/12 16:31:28.247 INFO tls.obtain obtaining certificate {"identifier": "test-20241211c.example.ac.uk"}
2024/12/12 16:31:28.247 DEBUG events event {"name": "cert_obtaining", "id": "65246b26-6da2-483c-9fa6-3dd005169815", "origin": "tls", "data": {"identifier":"test-20241211c.example.ac.uk"}}
2024/12/12 16:31:28.248 INFO autosaved config (load with --resume flag) {"file": "/root/.config/caddy/autosave.json"}
2024/12/12 16:31:28.248 INFO serving initial configuration
2024/12/12 16:31:28.249 DEBUG tls.obtain trying issuer 1/1 {"issuer": "one.digicert.com-mpki-api-v1-acme-v2-directory"}
2024/12/12 16:31:28.555 DEBUG tls.issuance.acme.acme_client http request {"method": "GET", "url": "https://one.digicert.com/mpki/api/v1/acme/v2/directory", "headers": {"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; arm64)"]}, "response_headers": {"Cache-Control":["no-cache, no-store, max-age=0, must-revalidate"],"Connection":["keep-alive"],"Content-Type":["application/json"],"Date":["Thu, 12 Dec 2024 16:31:28 GMT"],"Expires":["0"],"Pragma":["no-cache"],"Referrer-Policy":["no-referrer"],"Set-Cookie":["visid_incap_2533550=tgHEZfeRTAmMz1OFX8G4hOAPW2cAAAAAQUIPAAAAAABEZIMX4wJqeKYcv7UuAppS; expires=Thu, 11 Dec 2025 23:07:08 GMT; HttpOnly; path=/; Domain=.digicert.com; Secure; SameSite=None","incap_ses_1364_2533550=uBmAAGm1uBmZOKXi4ebtEuAPW2cAAAAAW1W0RnJd0gEdg6kPAx8X/A==; path=/; Domain=.digicert.com; Secure; SameSite=None"],"Strict-Transport-Security":["max-age=15724800"],"Vary":["Accept-Encoding"],"X-Cdn":["Imperva"],"X-Content-Type-Options":["nosniff"],"X-Envoy-Upstream-Service-Time":["3"],"X-Frame-Options":["SAMEORIGIN"],"X-Iinfo":["9-2379172-2379187 NNNY CT(120 124 0) RT(1734021088060 66) q(0 0 0 -1) r(1 1) U2"],"X-Xss-Protection":["0"]}, "status_code": 200}
2024/12/12 16:31:28.717 DEBUG tls.issuance.acme.acme_client http request {"method": "HEAD", "url": "https://one.digicert.com/mpki/api/v1/acme/v2/new-nonce", "headers": {"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; arm64)"]}, "response_headers": {"Cache-Control":["no-store"],"Connection":["keep-alive"],"Date":["Thu, 12 Dec 2024 16:31:28 GMT"],"Referrer-Policy":["no-referrer"],"Replay-Nonce":["cMNdvyqkg4LdMyygI51oJejwxNiewoSNTYIEDRzcyAsOFXjPmtgRKZpBQndxVV4J"],"Set-Cookie":["visid_incap_2533550=OPxHOksGSVCLquAcYPGD1OAPW2cAAAAAQUIPAAAAAAAkhbbRTI8CY1E/twzY/0EC; expires=Thu, 11 Dec 2025 23:07:08 GMT; HttpOnly; path=/; Domain=.digicert.com; Secure; SameSite=None","incap_ses_1364_2533550=EiG4K4fF5zq8OKXi4ebtEuAPW2cAAAAA5SkNYvNff0irtrzQdYdJ3A==; path=/; Domain=.digicert.com; Secure; SameSite=None"],"Strict-Transport-Security":["max-age=15724800"],"X-Cdn":["Imperva"],"X-Content-Type-Options":["nosniff"],"X-Envoy-Upstream-Service-Time":["6"],"X-Frame-Options":["SAMEORIGIN"],"X-Iinfo":["9-2379172-2379187 SNNy RT(1734021088060 223) q(0 0 0 -1) r(2 2) U6"],"X-Xss-Protection":["0"]}, "status_code": 204}
2024/12/12 16:31:28.921 DEBUG tls.issuance.acme.acme_client http request {"method": "POST", "url": "https://one.digicert.com/mpki/api/v1/acme/v2/new-account", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; arm64)"]}, "response_headers": {"Cache-Control":["no-store"],"Connection":["keep-alive"],"Content-Type":["application/problem+json"],"Date":["Thu, 12 Dec 2024 16:31:28 GMT"],"Referrer-Policy":["no-referrer"],"Replay-Nonce":["UKiBkULiLWRPv8ibszuG8mWjeUuCg8VBC-uQCvaaQkP-1K5CbPgtylpQsFVkzIHe"],"Set-Cookie":["visid_incap_2533550=gbE1rgdPQYK3e3e/sMJbZuAPW2cAAAAAQUIPAAAAAAAFr5C9v4+jONYNOzSRJJVO; expires=Thu, 11 Dec 2025 23:07:08 GMT; HttpOnly; path=/; Domain=.digicert.com; Secure; SameSite=None","incap_ses_1364_2533550=1R6mRXrPgHTwOKXi4ebtEuAPW2cAAAAAks7jNlHTVz3YQIIRojT4Cw==; path=/; Domain=.digicert.com; Secure; SameSite=None"],"Strict-Transport-Security":["max-age=15724800"],"X-Cdn":["Imperva"],"X-Content-Type-Options":["nosniff"],"X-Envoy-Upstream-Service-Time":["49"],"X-Frame-Options":["SAMEORIGIN"],"X-Iinfo":["9-2379172-2379187 SNYy RT(1734021088060 383) q(0 0 0 -1) r(2 2) U6"],"X-Xss-Protection":["0"]}, "status_code": 400}
2024/12/12 16:31:28.921 ERROR tls.obtain could not get certificate from issuer {"identifier": "test-20241211c.example.ac.uk", "issuer": "one.digicert.com-mpki-api-v1-acme-v2-directory", "error": "HTTP 0 urn:ietf:params:acme:error:accountrequestError - Unable to process the request., problem \"urn:ietf:params:acme:error:issuance:UnrecognizedPropertyException\": "}
2024/12/12 16:31:28.921 DEBUG events event {"name": "cert_failed", "id": "438165d8-1642-4f8e-ac72-892ab8562ef6", "origin": "tls", "data": {"error":{},"identifier":"test-20241211c.example.ac.uk","issuers":["one.digicert.com-mpki-api-v1-acme-v2-directory"],"renewal":false}}
2024/12/12 16:31:28.921 ERROR tls.obtain will retry {"error": "[test-20241211c.example.ac.uk] Obtain: registering account [mailto:matthew.slowe@jisc.ac.uk] with server: attempt 1: https://one.digicert.com/mpki/api/v1/acme/v2/new-account: HTTP 0 urn:ietf:params:acme:error:accountrequestError - Unable to process the request., problem \"urn:ietf:params:acme:error:issuance:UnrecognizedPropertyException\": ", "attempt": 1, "retrying_in": 60, "elapsed": 0.674111701, "max_duration": 2592000}
3. Caddy version:
v2.8.4
4. How I installed and ran Caddy:
Running Caddy inside Alpine 3.21 OCI container installed from package using apk add caddy
a. System environment:
Docker running Alpine 3.21 using Caddy package.
Also tested using the official caddy:alpine and caddy images (which report as v2.8.4 h1:q3pe0wpBj1OcHFZ3n/1nl4V4bxBrYoSoab7rL9BMYNk=).
b. Command:
caddy run
c. Service/unit/compose file:
N/A
d. My complete Caddy config:
{
    log default {
        level debug
    }
}
test-20241211c.example.ac.uk {
    reverse_proxy http://192.168.37.22:23080 {
        trusted_proxies 0.0.0.0/0 ::/0
    }
    tls {
        issuer acme {
            dir https://one.digicert.com/mpki/api/v1/acme/v2/directory
            eab "x" "y"
            email test@example.ac.uk
            disable_http_challenge
            disable_tlsalpn_challenge
        }
        protocols tls1.2 tls1.3
        ciphers TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    }
}
5. Links to relevant resources:
Unknown
Thanks!
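The failure above happens at the ACME newAccount step of an EAB-gated CA, and the exception name in the problem document (UnrecognizedPropertyException) suggests the CA's JSON parser rejected a property it did not recognise. When debugging that, it helps to know exactly what a conformant newAccount body with an externalAccountBinding looks like. The following is an added example (not code from the post, and not Caddy's, CertMagic's or acmez's own implementation) that builds and verifies the binding as RFC 8555 section 7.3.4 specifies it: an inner JWS whose protected header carries alg HS256, the EAB key identifier as kid, and the newAccount URL, whose payload is the account public key JWK, and whose signature is HMAC-SHA256 under the EAB MAC key. The account JWK, the EAB key id and MAC key, and the email are constructed placeholders; the URL is the one from the log. The outer signed request (ES256/RS256 with the account key) is not shown, as it needs an asymmetric key library.

```python
import base64
import hmac
import json

# Constructed sample inputs (not real credentials). The JWK coordinates are
# placeholders, not a valid P-256 point; they only serve as JWS payload here.
NEW_ACCOUNT_URL = "https://one.digicert.com/mpki/api/v1/acme/v2/new-account"
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
EAB_KID = "eab-key-id-example"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 8555 requires for all JWS fields."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; tolerates the missing padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed 32-byte MAC key, encoded the way a CA hands it out (base64url).
EAB_HMAC_KEY = b64url(bytes(range(32)))


def _compact_json(obj) -> bytes:
    # No whitespace, stable key order, so signer and verifier hash identical bytes.
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def build_eab(account_jwk: dict, eab_kid: str, eab_hmac_key_b64: str, url: str) -> dict:
    """Client side: the externalAccountBinding JWS (RFC 8555 section 7.3.4).

    Note the protected header has no nonce and no jwk; it binds the account
    key (payload) to the CA-issued key id (kid) for this newAccount URL.
    """
    protected = b64url(_compact_json({"alg": "HS256", "kid": eab_kid, "url": url}))
    payload = b64url(_compact_json(account_jwk))
    signing_input = f"{protected}.{payload}".encode("ascii")
    mac = hmac.new(b64url_decode(eab_hmac_key_b64), signing_input, "sha256").digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}


def decode_eab_header(eab: dict) -> dict:
    """Return the protected header of a binding as a dict."""
    return json.loads(b64url_decode(eab["protected"]))


def verify_eab(eab: dict, eab_hmac_key_b64: str, account_jwk: dict, url: str) -> bool:
    """CA side: recompute the MAC in constant time and check what it binds.

    The payload must equal the JWK the outer request is signed with, the url
    must be this endpoint, and the alg must be the HMAC alg the key was issued for.
    """
    header = decode_eab_header(eab)
    if header.get("alg") != "HS256" or header.get("url") != url:
        return False
    if json.loads(b64url_decode(eab["payload"])) != account_jwk:
        return False
    signing_input = f'{eab["protected"]}.{eab["payload"]}'.encode("ascii")
    expected = hmac.new(b64url_decode(eab_hmac_key_b64), signing_input, "sha256").digest()
    return hmac.compare_digest(expected, b64url_decode(eab["signature"]))


def build_new_account_payload(contact_email: str, eab: dict) -> dict:
    """The newAccount payload with only the members RFC 8555 section 7.3 defines.

    A CA with a strict parser may reject any member not in the spec, so keep
    the payload to termsOfServiceAgreed, contact and externalAccountBinding.
    """
    return {
        "termsOfServiceAgreed": True,
        "contact": [f"mailto:{contact_email}"],
        "externalAccountBinding": eab,
    }


if __name__ == "__main__":
    binding = build_eab(ACCOUNT_JWK, EAB_KID, EAB_HMAC_KEY, NEW_ACCOUNT_URL)
    print(json.dumps(build_new_account_payload("test@example.ac.uk", binding), indent=2))
    print("binding verifies:", verify_eab(binding, EAB_HMAC_KEY, ACCOUNT_JWK, NEW_ACCOUNT_URL))
```

Run it to print the exact JSON that gets wrapped in the outer signed request; comparing that against what the client actually sends (the debug log above shows only headers and status, so a capturing proxy or a client-side dump is needed) is the quickest way to see which property a strict CA is objecting to.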