1. Caddy version (caddy version):
v2.1.1 h1:X9k1+ehZPYYrSqBvf/ocUgdLSRIuiNiMo7CvyGUQKeA=
2. How I run Caddy:
I run caddy on macOS as a reverse proxy for my domain thesklab.ca.
a. System environment:
Running it on macOS High Sierra (10.13.6)
b. Command:
nano /etc/caddyfile
to edit my caddy file
sudo caddy stop
sudo caddy start
NOTE: I start/stop because the reload command gives me an error (I’ll leave that for another post after completing my research to make sure that it’s not an error on my end).
d. My complete Caddyfile or JSON config:
{
    http_port 8080
    https_port 8443
    email myemail@provider.com
}

plex.thesklab.ca {
    reverse_proxy localhost:32400
}

portainer.thesklab.ca {
    reverse_proxy 192.168.1.9:9000
}
3. The problem I’m having:
I serve my website through CloudFlare. Each time I add a new reverse proxy, Caddy fails to get a new SSL cert and throws the error below.
The error is resolved when I pause CloudFlare on my domain.
4. Error messages and/or full log output:
2020/07/12 02:03:27 [ERROR] attempt 1: [portainer.thesklab.ca] Obtain: [portainer.thesklab.ca] error: one or more domains had a problem:
[portainer.thesklab.ca] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from https://portainer.thesklab.ca/.well-known/acme-challenge/LgrrBZ03m7WC5pwh8euygOjEKi-R2IqoiPxLXEV2yuw [2606:4700:3036::681f:4f35]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]> <html class=\"no-js ", url:
- retrying in 1m0s (44.987895225s/720h0m0s elapsed)...
2020/07/12 02:04:28 [INFO] [portainer.thesklab.ca] acme: Obtaining bundled SAN certificate given a CSR
2020/07/12 02:04:28 [INFO] [portainer.thesklab.ca] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/76122849
2020/07/12 02:04:28 [INFO] [portainer.thesklab.ca] acme: use tls-alpn-01 solver
2020/07/12 02:04:28 [INFO] [portainer.thesklab.ca] acme: Trying to solve TLS-ALPN-01
2020/07/12 02:04:29 http: TLS handshake error from 127.0.0.1:53557: EOF
2020/07/12 02:04:34 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/76122849
2020/07/12 02:04:35 [INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/76122849
2020/07/12 02:04:35 [ERROR] error: one or more domains had a problem:
[portainer.thesklab.ca] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge, url:
(challenge=tls-alpn-01 remaining=[http-01])
2020/07/12 02:04:37 [INFO] [portainer.thesklab.ca] acme: Obtaining bundled SAN certificate given a CSR
2020/07/12 02:04:37 [INFO] [portainer.thesklab.ca] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/76122920
2020/07/12 02:04:37 [INFO] [portainer.thesklab.ca] acme: Could not find solver for: tls-alpn-01
2020/07/12 02:04:37 [INFO] [portainer.thesklab.ca] acme: use http-01 solver
2020/07/12 02:04:37 [INFO] [portainer.thesklab.ca] acme: Trying to solve HTTP-01
2020/07/12 02:05:24 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/76122920
2020/07/12 02:05:24 [INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/76122920
2020/07/12 02:05:24 [ERROR] error: one or more domains had a problem:
[portainer.thesklab.ca] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from https://portainer.thesklab.ca/.well-known/acme-challenge/sGwZfb2KHBPmZ8_l6GzxENqAJelBXberGS9nRJNxDxE [2606:4700:3035::ac43:d34f]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]> <html class=\"no-js ", url:
(challenge=http-01 remaining=[])
The important part of this log is:
2020/07/12 02:04:37 [INFO] [portainer.thesklab.ca] acme: Could not find solver for: tls-alpn-01
2020/07/12 02:04:37 [INFO] [portainer.thesklab.ca] acme: use http-01 solver
2020/07/12 02:04:37 [INFO] [portainer.thesklab.ca] acme: Trying to solve HTTP-01
2020/07/12 02:05:24 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/76122920
2020/07/12 02:05:24 [INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/76122920
2020/07/12 02:05:24 [ERROR] error: one or more domains had a problem:
[portainer.thesklab.ca] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from https://portainer.thesklab.ca/.well-known/acme-challenge/sGwZfb2KHBPmZ8_l6GzxENqAJelBXberGS9nRJNxDxE [2606:4700:3035::ac43:d34f]:
5. What I already tried:
I can resolve the issue by turning CloudFlare protection off to get the initial cert.
From this post, it looks like the issue was resolved where the user didn’t need to turn off CloudFlare protection.
I couldn’t find a known issue being tracked in GitHub for this, and I didn’t want to open a new one until I was sure that there’s no fault on my end.
Is this a known issue or is something missing in my caddy file? Please let me know.
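As an added diagnostic (not part of the original post, and not Caddy's own code), the script below reads ACME failure lines in the format shown above and checks two things a practitioner would want confirmed from the log: whether the address the CA connected to (the one in square brackets) belongs to a Cloudflare edge prefix rather than the origin, and whether the body the CA got back is HTML rather than the key authorization that an HTTP-01 responder must serve. It also recognises the TLS-ALPN-01 failure, which cannot succeed behind a proxy that terminates TLS because the acme-tls/1 ALPN value never reaches the origin. The prefix list is a partial, hand-copied snapshot of Cloudflare's published ranges (https://www.cloudflare.com/ips/) and must be refreshed before relying on it; the first two sample lines are copied from the post, the third is constructed and uses a documentation address.

```python
import ipaddress
import re
from typing import Optional

# Partial, hand-copied snapshot of Cloudflare's published edge prefixes
# (https://www.cloudflare.com/ips/). Assumption: refresh this before relying on it.
CLOUDFLARE_PREFIXES = [ipaddress.ip_network(p) for p in (
    "2606:4700::/32", "2400:cb00::/32", "2a06:98c0::/29",
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "173.245.48.0/20",
)]

# HTTP-01 failure as logged above: the URL the CA fetched, the address it
# connected to, and a truncated, backslash-escaped copy of the response body.
HTTP01_RE = re.compile(
    r'\[(?P<host>[^\]]+)\] acme: error: (?P<status>\d+) :: (?P<type>\S+) :: '
    r'Invalid response from (?P<url>\S+) \[(?P<ip>[^\]]+)\]: '
    r'"(?P<body>(?:[^"\\]|\\.)*)"'
)
# TLS-ALPN-01 failure: the CA's handshake never reached a server offering acme-tls/1.
ALPN_RE = re.compile(
    r'\[(?P<host>[^\]]+)\] acme: error: (?P<status>\d+) :: (?P<type>\S+) :: '
    r'Cannot negotiate ALPN protocol "acme-tls/1"'
)


def is_cloudflare_edge(ip: str) -> bool:
    """True if ip falls inside one of the snapshot Cloudflare prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_PREFIXES)


def diagnose(line: str) -> Optional[dict]:
    """Classify one log line; None if it is not an ACME challenge failure."""
    m = HTTP01_RE.search(line)
    if m:
        body = m.group("body")
        via_cf = is_cloudflare_edge(m.group("ip"))
        html = body.lstrip().startswith("<")  # key authorization is plain text, never markup
        if via_cf and html:
            verdict = ("validator reached a Cloudflare edge address and got HTML back; "
                       "the origin never saw the challenge request")
        elif html:
            verdict = "a non-Cloudflare address answered with HTML instead of the key authorization"
        else:
            verdict = "a non-Cloudflare address answered; check the token the origin serves"
        return {
            "host": m.group("host"),
            "challenge": "http-01" if "/.well-known/acme-challenge/" in m.group("url") else "unknown",
            "validator_ip": m.group("ip"),
            "via_cloudflare": via_cf,
            "body_is_html": html,
            "verdict": verdict,
        }
    m = ALPN_RE.search(line)
    if m:
        return {
            "host": m.group("host"),
            "challenge": "tls-alpn-01",
            "validator_ip": None,
            "via_cloudflare": None,
            "body_is_html": False,
            "verdict": ("TLS was terminated before the origin, so acme-tls/1 could not be "
                        "negotiated; TLS-ALPN-01 cannot pass through a terminating proxy"),
        }
    return None


def diagnose_all(lines) -> list:
    """Return the diagnoses for every challenge-failure line in an iterable of log lines."""
    return [d for d in (diagnose(l) for l in lines) if d is not None]


# Constructed sample: the two failure lines from the post, plus a hypothetical origin
# failure (203.0.113.10 is a documentation address, not a real server).
SAMPLE_LOG = [
    r'[portainer.thesklab.ca] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from https://portainer.thesklab.ca/.well-known/acme-challenge/LgrrBZ03m7WC5pwh8euygOjEKi-R2IqoiPxLXEV2yuw [2606:4700:3036::681f:4f35]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]> <html class=\"no-js ", url:',
    r'[portainer.thesklab.ca] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge, url:',
    r'[example.invalid] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://example.invalid/.well-known/acme-challenge/abc [203.0.113.10]: "404 page not found", url:',
]

if __name__ == "__main__":
    for d in diagnose_all(SAMPLE_LOG):
        print(f'{d["host"]}: {d["challenge"]} via {d["validator_ip"]} -> {d["verdict"]}')
```

Run it against a saved copy of the Caddy log (`diagnose_all(open("caddy.log"))`). A hit on both checks for the HTTP-01 line, as with the post's own lines, means the CA validated against the CDN edge, which is consistent with the observation that pausing Cloudflare makes the error go away.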