Figuring out why certs are not being renewed, ocsp: error from server: unauthorized


(Greggman) #1

I noticed the certs are expired on my site (almost exactly 3 months since I started using caddy :wink:). It’s been great so far.

Restarting caddy and looking in /var/log/syslog I see

Nov 29 10:28:32 greggman systemd[1]: Started Caddy HTTP/2 web server.
Nov 29 10:28:33 greggman caddy[2533]: Activating privacy features...2017/11/29 10:28:33 [WARNING] Stapling OCSP: no OCSP stapling for [www.greggman.com]: ocsp: error from server: unauthorized

which is the only error message I noticed.

Any idea what I need to do to get it to work again? I can post my Caddyfile and service.caddy if it would help but I don’t think there is anything weird in either.

caddy 0.10.10

Should I just rm /etc/ssl/caddy/* and restart?
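The "ocsp: error from server: unauthorized" text in the warning above is Go's rendering of the OCSP responseStatus enumeration (RFC 6960 section 4.2.1); a responder sends that bare status, with no signed responseBytes, when it will not answer for the certificate, which is what commonly happens once a certificate has expired or was never issued by that CA. The decoder below is an added example, not Caddy's code: it parses the outer OCSPResponse DER by hand, names the status, and models the stapler decision Caddy made here (log a warning and serve without a staple rather than staple an unsigned error). The byte strings are constructed; the "successful" one carries a placeholder responseBytes body, not a real signed BasicOCSPResponse, and a real stapler would go on to verify that signature.

```python
# RFC 6960 section 4.2.1, OCSPResponseStatus values (4 is unused).
OCSP_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
               3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

# Constructed samples. An error status is the whole response: SEQUENCE { ENUMERATED n }.
UNAUTHORIZED_RESPONSE = bytes.fromhex("30030a0106")
TRY_LATER_RESPONSE = bytes.fromhex("30030a0103")
# Placeholder "successful" response: status 0 followed by an empty [0] EXPLICIT responseBytes.
SUCCESSFUL_RESPONSE = bytes.fromhex("30070a0100a0023000")


def _read_length(buf, i):
    """Decode a DER length starting at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0 or n > 4 or i + 1 + n > len(buf):
        raise ValueError("bad DER length encoding")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def decode_ocsp_response(der):
    """Return (status_name, has_response_bytes) for a DER-encoded OCSPResponse."""
    if len(der) < 5 or der[0] != 0x30:
        raise ValueError("not an OCSPResponse SEQUENCE")
    seq_len, i = _read_length(der, 1)
    if i + seq_len != len(der):
        raise ValueError("SEQUENCE length does not match input length")
    if der[i] != 0x0A:
        raise ValueError("expected ENUMERATED responseStatus")
    enum_len, j = _read_length(der, i + 1)
    if enum_len != 1:
        raise ValueError("responseStatus must be a single byte")
    code = der[j]
    j += 1
    # responseBytes is [0] EXPLICIT, tag 0xA0; it is only present on success.
    has_response_bytes = j < len(der) and der[j] == 0xA0
    return OCSP_STATUS.get(code, f"unknown({code})"), has_response_bytes


def staple_decision(der):
    """Model a stapler's choice: only a successful response with a signed body can be
    stapled; any bare status is unsigned, so it must be treated as 'no staple', which is
    the fail-open behaviour the warning in the thread reports."""
    status, has_response_bytes = decode_ocsp_response(der)
    if status == "successful" and has_response_bytes:
        return "staple (after verifying the responder signature)"
    return f"no staple: ocsp: error from server: {status}"


if __name__ == "__main__":
    for name, der in [("unauthorized", UNAUTHORIZED_RESPONSE),
                      ("tryLater", TRY_LATER_RESPONSE),
                      ("successful", SUCCESSFUL_RESPONSE)]:
        print(name, der.hex(), "->", staple_decision(der))
```

Serving without a staple is the right fallback for a plain certificate; it only becomes an outage if the certificate carries the OCSP Must-Staple extension, in which case clients that honour it will refuse the connection until the responder answers again.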


(Matt Holt) #2

If you could post the full logs from those three months, that would be needed to know what is going on.


(Greggman) #3

Checking, I only see logs since Nov 22. Either that or I don’t know what happens to older logs. (I assume they get deleted). Do you really need to see something from 3 months ago?

Here’s the log from the 22nd to the 29th if you don’t mind taking a look

I see stuff about trying to get certs and getting rate limited. No idea why caddy would be asking for too many certs. Also I see where it apparently gets new certs (says cert written to disk) but then messages about ignoring the new certs because there are already certs. Hmmm

My Caddyfile is a little convoluted but not that bad. Note SCHEME and PORT_URI_PART are not set (they’re only set when I’m running on my notebook to test; that way I don’t need a separate Caddyfile just for running locally without https).

From my caddy.service file

Environment=ROOT=/var/www/public_html
Environment=LOGDIR=/var/www/


{$SCHEME}blog.greggman.com{$PORT_URI_PART} {
  import Caddy.shared

  rewrite {
    if {path} starts_with /game/
    to /redir-blog-to-games/
  }
  redir /redir-blog-to-games/ //games.greggman.com{$PORT_URI_PART}{uri}

  redir {
    if {>User-Agent} not_has FeedBurner
    if {>User-Agent} not_has FeedValidator
    /blog/feed/atom.xml http://feeds.feedburner.com/Greggmancom
  }

  rewrite {
    if {path} starts_with /blog/feed/
    to /blog/feed/atom.xml
  }

  redir {
    if_op or
    if {path} starts_with /downloads
    if {path} starts_with /images
    / //greggman.com{$PORT_URI_PART}{uri}
  }

  rewrite {
    if {path} is /
    to /redir-to-blog-home/
  }
  redir /redir-to-blog-home/ /blog/

  # TODO: use redir
  rewrite {
    if {path} starts_with /blog/tag/
    r ^/blog/tag/(.*)
    to /blog/categories/{1}
  }
  rewrite {
    if {path} starts_with /blog/category/
    r ^/blog/category/(.*)
    to /blog/categories/{1}
  }

  import Caddy.oldgmanredir
}

{$SCHEME}games.greggman.com{$PORT_URI_PART} {
  import Caddy.shared

  rewrite {
    if {path} starts_with /blog/
    to /redir-games-to-blog/
  }
  redir /redir-games-to-blog/ //blog.greggman.com{$PORT_URI_PART}{uri}

  redir {
    if {>User-Agent} not_has FeedBurner
    if {>User-Agent} not_has FeedValidator
    #if {path} starts_with /game/feed/
    /blog/feed/atom.xml http://feeds.feedburner.com/Gamesgreggmancom
  }

  rewrite {
    if {path} starts_with /game/feed/
    to /game/feed/atom.xml
  }

  redir {
    if_op or
    if {path} starts_with /downloads
    if {path} starts_with /images
    / //greggman.com{$PORT_URI_PART}{uri}
  }

  rewrite {
    if {path} is /
    to /redir-to-game-home/
  }
  redir /redir-to-game-home/ /game/

  # TODO: use redir
  rewrite {
    if {path} starts_with /game/tag/
    r ^/game/tag/(.*)
    to /game/categories/{1}
  }
  rewrite {
    if {path} starts_with /game/category/
    r ^/game/category/(.*)
    to /game/categories/{1}
  }


  import Caddy.oldgmanredir
}

{$SCHEME}greggman.com{$PORT_URI_PART}, {$SCHEME}www.greggman.com{$PORT_URI_PART} {
  import Caddy.shared

  rewrite {
    if {path} starts_with /game/
    to /redir-greggman-to-games/
  }
  redir /redir-greggman-to-games/ //games.greggman.com{$PORT_URI_PART}{uri}

  rewrite {
    if {path} starts_with /blog/
    to /redir-greggman-to-blog/
  }
  redir /redir-greggman-to-blog/ //blog.greggman.com{$PORT_URI_PART}{uri}

  browse /downloads
  browse /images

  cgi /api/rebuild ../manage/start-rebuild.sh

  cors /downloads/examples

  import Caddy.oldgmanredir
}

Caddy.shared is

# shared caddy settings

root {$ROOT}
tls letsencrpyt@greggman.com

errors {$LOGDIR}logs/errors.log {
  404 r/errors/404.html
  rotate_size 10 # Rotate a log when it reaches 10 MB
  rotate_age  14 # Keep rotated log files for 14 days
  rotate_keep 5  # Keep at most 5 rotated log files
}

log / {$LOGDIR}logs/requests.log "{combined}" {
   rotate_size 10  # Rotate after 10 MB
   rotate_age  30  # Keep rotated files for 30 days
   rotate_keep 5   # Keep at most 5 log files
}

The Caddy.oldgmanredir is just a bunch (~1700) of old redirects like

...
redir "/pages/jmail.htm" "//games.greggman.com{$PORT_URI_PART}/game/sending_japanese_email_from_perl/" 301
redir "/pages/old-movies/old-movies.html" "//blog.greggman.com{$PORT_URI_PART}/blog/old_movies/" 301
redir "/pages/cutsprites/cutsprites.htm" "//games.greggman.com{$PORT_URI_PART}/game/automatically_cutting_out_images_in_photoshop/" 301
redir "/pages/phishing/phishing.htm" "//blog.greggman.com{$PORT_URI_PART}/blog/how_to_detect_e_mail_scams__phishing_/" 301
...
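The two symptoms in the log the poster describes (OCSP stapling warnings and ACME rate-limit errors) are worth pulling out of syslog mechanically, because the stapling warning is the visible one while the rate limit is the cause. The script below is an added example, not Caddy's code or anything from the thread: it walks syslog lines in the format shown above, collects which hostnames failed OCSP stapling and why, records when rate-limit errors occurred, and computes when Let's Encrypt's rolling 7-day duplicate-certificate window would clear (the "give it a week" in the reply further down). The sample lines are constructed except the last, which is copied from the thread; the exact wording of the ACME rate-limit error is an assumption, which is why the match keys on the error URN as well.

```python
import re
from datetime import datetime, timedelta

# Let's Encrypt's duplicate-certificate limit is counted over a rolling 7-day window.
RATE_LIMIT_WINDOW = timedelta(days=7)

# syslog prefix as in the thread: "Nov 29 10:28:33 host caddy[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ caddy\[\d+\]: (?P<msg>.*)$")
# The stapling warning exactly as Caddy 0.10.x printed it in the thread.
OCSP_RE = re.compile(
    r"no OCSP stapling for \[(?P<names>[^\]]*)\]: ocsp: error from server: (?P<why>\S+)")
# Assumed shape of an ACME v1 rate-limit error; the URN is the stable part.
RATE_RE = re.compile(r"urn:acme:error:rateLimited|too many certificates already issued", re.I)

# Constructed sample log; only the last line is copied from the thread.
SAMPLE_LOG = """\
Nov 22 03:14:09 greggman caddy[1987]: 2017/11/22 03:14:09 [ERROR] renewing [www.greggman.com]: acme: Error 429 - urn:acme:error:rateLimited - Error creating new cert :: too many certificates already issued for exact set of domains: greggman.com,www.greggman.com
Nov 22 03:14:10 greggman caddy[1987]: 2017/11/22 03:14:10 [INFO] Serving HTTPS
Nov 29 10:28:33 greggman caddy[2533]: Activating privacy features...2017/11/29 10:28:33 [WARNING] Stapling OCSP: no OCSP stapling for [www.greggman.com]: ocsp: error from server: unauthorized
"""


def parse_timestamp(ts, year):
    """syslog timestamps carry no year, so the caller supplies it."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def triage(log_text, year):
    """Summarise OCSP stapling failures and ACME rate-limit hits in a syslog extract."""
    ocsp_failures = {}      # hostname -> list of responder status words seen
    rate_limited_at = []    # timestamps of rate-limit errors, in log order
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        when, msg = parse_timestamp(m["ts"], year), m["msg"]
        o = OCSP_RE.search(msg)
        if o:
            # Caddy prints the SAN list Go-style, space separated inside brackets.
            for name in o["names"].split():
                ocsp_failures.setdefault(name, []).append(o["why"])
        if RATE_RE.search(msg):
            rate_limited_at.append(when)
    # The window is rolling, so it clears 7 days after the most recent hit,
    # provided no further orders are placed in the meantime.
    retry_after = max(rate_limited_at) + RATE_LIMIT_WINDOW if rate_limited_at else None
    return {"ocsp_failures": ocsp_failures,
            "rate_limited_at": rate_limited_at,
            "retry_after": retry_after}


def explain(result):
    """Turn the triage dict into the sentences an operator needs to read."""
    lines = []
    for name, statuses in sorted(result["ocsp_failures"].items()):
        lines.append(
            f"{name}: OCSP responder answered {', '.join(sorted(set(statuses)))}. "
            "A bare 'unauthorized' usually means the responder has no record of this "
            "certificate (expired or not issued by this CA); check renewal, not stapling.")
    if result["retry_after"] is not None:
        lines.append(
            f"ACME rate limit hit {len(result['rate_limited_at'])} time(s); the rolling window "
            f"clears around {result['retry_after']:%Y-%m-%d %H:%M} (log-local time) if no more "
            "orders are placed before then.")
    return lines


if __name__ == "__main__":
    for sentence in explain(triage(SAMPLE_LOG, year=2017)):
        print(sentence)
```

Run it against the real extract with `triage(open("/var/log/syslog").read(), year=2017)`; the year argument matters because syslog lines do not carry one, and a December-to-January extract would need splitting.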

(Matt Holt) #4

Thanks. Were you always using Caddy 0.10.10? (And yes, the full log would have been helpful.)


(Greggman) #5

I was using 0.10.7 until yesterday. I tried upgrading in the hope that would fix things.


(Matt Holt) #6

It did. :wink: But the rate limit effects will have to wear off naturally with time. Give it a week from the time of upgrade. For good measure you can clear out your ~/.caddy/ocsp folder, which is a cache of OCSP staples.


(Greggman) #7

Thank you Matt. The site is already back up. I guess upgrading did the trick it just took until it tried to renew certs again.


(system) #8

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.