Fails to grab SSL Cert (Acme error 403)

1. Caddy version (caddy version):

v2.1.1 h1:X9k1+ehZPYYrSqBvf/ocUgdLSRIuiNiMo7CvyGUQKeA=

2. How I run Caddy:

I run caddy on macOS as a reverse proxy for my domain thesklab.ca.

a. System environment:

Running it on macOS High Sierra (10.13.6)

b. Command:

nano /etc/caddyfile to edit my caddy file

sudo caddy stop

sudo caddy start

NOTE: I start/stop because the reload command gives me an error (I’ll leave that to another post after completing my research to make sure that it’s no error on my end)

d. My complete Caddyfile or JSON config:


{
http_port 8080
https_port 8443
email myemail@provider.com
}

plex.thesklab.ca {
    reverse_proxy localhost:32400
}

portainer.thesklab.ca {
    reverse_proxy 192.168.1.9:9000
}


3. The problem I’m having:

I serve my website through CloudFlare. Each time I add a new reverse proxy, Caddy fails to get a new SSL cert and throws the error below.

The error is resolved when I pause CloudFlare on my domain.

4. Error messages and/or full log output:

2020/07/12 02:03:27 [ERROR] attempt 1: [portainer.thesklab.ca] Obtain: [portainer.thesklab.ca] error: one or more domains had a problem:
[portainer.thesklab.ca] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from https://portainer.thesklab.ca/.well-known/acme-challenge/LgrrBZ03m7WC5pwh8euygOjEKi-R2IqoiPxLXEV2yuw [2606:4700:3036::681f:4f35]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]>    <html class=\"no-js ", url: 
 - retrying in 1m0s (44.987895225s/720h0m0s elapsed)...
2020/07/12 02:04:28 [INFO] [portainer.thesklab.ca] acme: Obtaining bundled SAN certificate given a CSR
2020/07/12 02:04:28 [INFO] [portainer.thesklab.ca] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/76122849
2020/07/12 02:04:28 [INFO] [portainer.thesklab.ca] acme: use tls-alpn-01 solver
2020/07/12 02:04:28 [INFO] [portainer.thesklab.ca] acme: Trying to solve TLS-ALPN-01
2020/07/12 02:04:29 http: TLS handshake error from 127.0.0.1:53557: EOF
2020/07/12 02:04:34 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/76122849
2020/07/12 02:04:35 [INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/76122849
2020/07/12 02:04:35 [ERROR] error: one or more domains had a problem:
[portainer.thesklab.ca] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge, url: 
 (challenge=tls-alpn-01 remaining=[http-01])
2020/07/12 02:04:37 [INFO] [portainer.thesklab.ca] acme: Obtaining bundled SAN certificate given a CSR
2020/07/12 02:04:37 [INFO] [portainer.thesklab.ca] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/76122920
2020/07/12 02:04:37 [INFO] [portainer.thesklab.ca] acme: Could not find solver for: tls-alpn-01
2020/07/12 02:04:37 [INFO] [portainer.thesklab.ca] acme: use http-01 solver
2020/07/12 02:04:37 [INFO] [portainer.thesklab.ca] acme: Trying to solve HTTP-01
2020/07/12 02:05:24 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/76122920
2020/07/12 02:05:24 [INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/76122920
2020/07/12 02:05:24 [ERROR] error: one or more domains had a problem:
[portainer.thesklab.ca] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from https://portainer.thesklab.ca/.well-known/acme-challenge/sGwZfb2KHBPmZ8_l6GzxENqAJelBXberGS9nRJNxDxE [2606:4700:3035::ac43:d34f]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]>    <html class=\"no-js ", url: 
 (challenge=http-01 remaining=[])

The important part of this code is:

2020/07/12 02:04:37 [INFO] [portainer.thesklab.ca] acme: Could not find solver for: tls-alpn-01
2020/07/12 02:04:37 [INFO] [portainer.thesklab.ca] acme: use http-01 solver
2020/07/12 02:04:37 [INFO] [portainer.thesklab.ca] acme: Trying to solve HTTP-01
2020/07/12 02:05:24 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/76122920
2020/07/12 02:05:24 [INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/76122920
2020/07/12 02:05:24 [ERROR] error: one or more domains had a problem:
[portainer.thesklab.ca] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from https://portainer.thesklab.ca/.well-known/acme-challenge/sGwZfb2KHBPmZ8_l6GzxENqAJelBXberGS9nRJNxDxE [2606:4700:3035::ac43:d34f]: 

5. What I already tried:

I can resolve the issue by turning CloudFlare protection off to get the initial cert.

From this post, it looks like the issue was resolved where the user didn’t need to turn off CloudFlare protection.

I couldn’t find a known issue being tracked in GitHub for this, and I didn’t want to open a new one until I was sure that there’s no fault on my end.

Is this a known issue or is something missing in my caddy file? Please let me know.

6. Links to relevant resources:

Looks like Cloudflare is returning an HTML document for this URI, possibly instead of sending the request back to the origin server.

Neither. I’m more inclined to suspect some kind of caching or page rules, maybe. Caddy should never serve an HTML document for that path, especially if it’s the one that requested a certificate.

I’ve personally seen orange-cloud domains renew certs with HTTP challenges, so I know it is possible under normal circumstances.
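An added triage helper, not from this thread or from Caddy itself, that classifies the two 403 shapes in the log above: the tls-alpn-01 failure, which cannot succeed when something in front of Caddy terminates TLS, and the http-01 failure where the address the CA validated against returned an HTML page instead of the key authorization. The operator-supplied origin_ips set, the example.test line and the 203.0.113.10 address are constructed assumptions.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample: the two failure lines from the thread's log, plus one
# hypothetical line (example.test / 203.0.113.10) for the "origin answered" case.
SAMPLE_LOG = r"""2020/07/12 02:04:35 [ERROR] error: one or more domains had a problem:
[portainer.thesklab.ca] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge, url: 
2020/07/12 02:05:24 [ERROR] error: one or more domains had a problem:
[portainer.thesklab.ca] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from https://portainer.thesklab.ca/.well-known/acme-challenge/sGwZfb2KHBPmZ8_l6GzxENqAJelBXberGS9nRJNxDxE [2606:4700:3035::ac43:d34f]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->", url: 
[example.test] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://example.test/.well-known/acme-challenge/abc [203.0.113.10]: "404 page not found", url: 
"""

# Shapes of the two ACME 403 lines seen in the log (http-01 and tls-alpn-01).
_PREFIX = r'\[(?P<host>[^\]]+)\] acme: error: (?P<code>\d+) :: (?P<urn>\S+) :: '
_INVALID = re.compile(_PREFIX + r'Invalid response from (?P<url>\S+) \[(?P<ip>[^\]]+)\]: "(?P<body>.*?)", url:')
_ALPN = re.compile(_PREFIX + r'Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge')

def diagnose_line(line: str, origin_ips: Optional[Set[str]] = None) -> Optional[Dict[str, str]]:
    """Classify one log line; returns None unless it is an ACME validation failure.
    origin_ips: the public addresses Caddy itself is reachable on (operator-supplied assumption)."""
    m = _ALPN.search(line)
    if m:
        return {"host": m["host"], "challenge": "tls-alpn-01", "cause": "tls_terminated_upstream",
                "hint": "the CA's TLS handshake ended before reaching Caddy; tls-alpn-01 cannot work "
                        "through a proxy/CDN that terminates TLS"}
    m = _INVALID.search(line)
    if not m:
        return None
    body = m["body"].lstrip()
    result = {"host": m["host"], "challenge": "http-01", "validated_ip": m["ip"]}
    if origin_ips is not None and m["ip"] not in origin_ips:
        result["cause"] = "answered_by_intermediary"
        result["hint"] = f"the CA reached {m['ip']}, which is not an origin address; a proxy/CDN served the challenge path"
    elif body.lower().startswith(("<!doctype html", "<html")):
        result["cause"] = "html_instead_of_token"
        result["hint"] = "an HTML page was served for /.well-known/acme-challenge/; check caching or page rules in front of the origin"
    else:
        result["cause"] = "wrong_token_body"
        result["hint"] = "the origin answered but not with the expected key authorization"
    return result

def diagnose_log(log: str, origin_ips: Optional[Set[str]] = None) -> List[Dict[str, str]]:
    """Run diagnose_line over every line and keep only the failures, in log order."""
    return [d for d in (diagnose_line(l, origin_ips) for l in log.splitlines()) if d]

if __name__ == "__main__":
    for finding in diagnose_log(SAMPLE_LOG, origin_ips={"203.0.113.10"}):
        print(f"{finding['host']}: {finding['challenge']} -> {finding['cause']}: {finding['hint']}")
```

Without origin_ips the helper falls back to inspecting the response body, which is enough to flag the HTML page in the thread's log; with the real origin addresses it can tell directly that the validation never reached Caddy.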

Hey @S-Kay,

Just had another user on GitHub with what looks like an identical issue.

The advice I gave over there may be applicable to you, so you might want to check it out.

