[Gandi] Unable to obtain HTTPS certificates

1. Caddy version (caddy version):

CADDY_VERSION=v2.2.0 xcaddy build --with github.com/caddy-dns/gandi

2. How I run Caddy:

# caddy.service
[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --envfile /etc/caddy/Caddyfile.env --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

a. System environment:

  • Running on a Scaleway instance
  • Ubuntu bionic
  • Go 1.15.2

d. My complete Caddyfile or JSON config:

# /etc/caddy/Caddyfile
{
	# Enable Debug mode
	debug

	# Disable admin console.
	# Note: `caddy reload` (used by ExecReload in the unit above) talks to the
	# admin endpoint, so with this option a config change needs a restart.
	admin off

	# Default email for tls
	email contact@skynewz.dev

	acme_ca https://acme-v02.api.letsencrypt.org/directory
}

:80 {
	header -Server
}

cloud.skynewz.dev, *.cloud.skynewz.dev {
	# https://caddyserver.com/docs/caddyfile/directives/push
	push

	# https://caddyserver.com/docs/caddyfile/directives/encode
	encode zstd gzip

	# https://caddyserver.com/docs/caddyfile/directives/metrics
	metrics /metrics

	# https://caddyserver.com/docs/caddyfile/directives/tls
	tls {
		dns gandi {env.GANDI_API_TOKEN}
	}

	# https://caddyserver.com/docs/caddyfile/directives/header
	header {
		# Hide "Server: Caddy"
		-Server

		# Caddyfile tokens are whitespace-separated: a header value containing
		# spaces or semicolons must be double-quoted, otherwise the extra tokens
		# are read as a find/replace pair. CSP source lists are space-separated
		# (no commas), and single quotes are literal in a Caddyfile.
		# prevent attacks such as Cross Site Scripting (XSS)
		Content-Security-Policy "default-src 'self' cloud.skynewz.dev *.cloud.skynewz.dev"

		# enable the cross-site scripting (XSS) filter built into modern web browsers
		X-XSS-Protection "1; mode=block"

		# ensures the connection cannot be established through an insecure HTTP connection
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

		# clickjacking protection: disallow framing entirely
		# (a header may only be set once; DENY is the stricter of DENY/SAMEORIGIN)
		X-Frame-Options DENY

		# disable clients from sniffing the media type
		X-Content-Type-Options nosniff

		# keep referrer data off of HTTP connections
		Referrer-Policy no-referrer-when-downgrade
	}

	# https://caddyserver.com/docs/caddyfile/directives/respond
	# Replace backends health checks and provide one for this LB
	# respond /health 200
	
	# https://caddyserver.com/docs/caddyfile/directives/log
	log {
		output stdout
		format console
	}
	
	# https://caddyserver.com/docs/caddyfile/directives/reverse_proxy
	reverse_proxy * {
		# Specify backend here
		to 10.70.12.85:30438
		to 10.69.102.65:30438
	
		lb_policy round_robin
		lb_try_duration 1s
		lb_try_interval 250ms

		# health_path     /health # Backend health check path
		# health_port     80 # Default same as backend port
		# health_interval 10s
		# health_timeout  2s
		# health_status   200
		# health_body "OK"

		fail_duration 2s
		max_fails 2
		unhealthy_status 5xx
		unhealthy_latency 10s
		unhealthy_request_count 10
	}
}

# /etc/caddy/Caddyfile.env
GANDI_API_TOKEN=[redacted]

3. The problem I’m having:

My ACME TXT records are properly set in the related Gandi DNS zones, but obtaining the certificate always times out.

4. Error messages and/or full log output:

@ 10800 IN SOA ns1.gandi.net. hostmaster.gandi.net. 1602253807 10800 3600 604800 10800
*.cloud 300 IN CNAME cloud.skynewz.dev.
@ 300 IN A 185.199.108.153
@ 300 IN A 185.199.109.153
@ 300 IN A 185.199.110.153
@ 300 IN A 185.199.111.153
@ 10800 IN MX 10 spool.mail.gandi.net.
@ 10800 IN MX 50 fb.mail.gandi.net.
@ 300 IN TXT "v=spf1 include:_mailcust.gandi.net ?all"
_acme-challenge.cloud.skynewz.dev 10800 IN TXT "1MXf_ZXP2fsqcL5aoHRp7lEKlFKKfF80nRrqQ_U9KXI"
_acme-challenge.cloud.skynewz.dev 10800 IN TXT "41fqxzBfjOf60IdI8IwIEX_3re4aEYpJj_1lGBCuu6s"
_acme-challenge.cloud.skynewz.dev 10800 IN TXT "41fqxzBfjOf60IdI8IwIEX_3re4aEYpJj_1lGBCuu6s"
_acme-challenge.cloud.skynewz.dev 10800 IN TXT "CazgFDn_IrmDw0KXVqs4Kl5-Vv8MKvUwKT_YQzBoz0o"
_acme-challenge.cloud.skynewz.dev 10800 IN TXT "KYCFYVONLOBSUoDgM6KZp55POKlZxouvu7WqxR-EfSo"
_acme-challenge.cloud.skynewz.dev 10800 IN TXT "VtcQKWe7NBIqe2aBvR5Wy6NBrgP3Q8yIS5yRCmIZ1TI"
_acme-challenge.cloud.skynewz.dev 10800 IN TXT "VtcQKWe7NBIqe2aBvR5Wy6NBrgP3Q8yIS5yRCmIZ1TI"
_acme-challenge.cloud.skynewz.dev 10800 IN TXT "VtcQKWe7NBIqe2aBvR5Wy6NBrgP3Q8yIS5yRCmIZ1TI"
_acme-challenge.cloud.skynewz.dev 10800 IN TXT "VtcQKWe7NBIqe2aBvR5Wy6NBrgP3Q8yIS5yRCmIZ1TI"
_acme-challenge.cloud.skynewz.dev 10800 IN TXT "fafuT42wKuL1AjHUOtDuuH0jABkwmdRk1lFl_O9qKmc"
_acme-challenge.cloud.skynewz.dev 10800 IN TXT "gswLJvKEqFcuyDgUriNoE_hlgf71USFm4AePzj-NHJ4"
_acme-challenge.cloud.skynewz.dev 10800 IN TXT "hVzS2nnXTErK6Xv8D4xGO15q96V2OO5uJT41d4i2Tro"
_acme-challenge.cloud.skynewz.dev 10800 IN TXT "slAdKF1G9qWnPknE9Tua1aVg9yux9JWB-ObtBGfx4Uc"
_acme-challenge.cloud.skynewz.dev 10800 IN TXT "tTmFZ_um62V4jNCnirwWB533pq-esRsOCxfDmWvi1As"
cloud 300 IN A 51.15.212.58
Oct 09 14:42:05 caddy systemd[1]: Started Caddy.
Oct 09 14:42:05 caddy caddy[5517]: {"level":"info","ts":1602254525.1453805,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Oct 09 14:42:05 caddy caddy[5517]: {"level":"info","ts":1602254525.1503983,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
Oct 09 14:42:05 caddy caddy[5517]: {"level":"info","ts":1602254525.151538,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000338690"}
Oct 09 14:42:05 caddy caddy[5517]: {"level":"info","ts":1602254525.1533282,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":4
Oct 09 14:42:05 caddy caddy[5517]: {"level":"info","ts":1602254525.1533804,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
Oct 09 14:42:05 caddy caddy[5517]: {"level":"info","ts":1602254525.153854,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["cloud.skynewz.dev"]}
Oct 09 14:42:05 caddy caddy[5517]: {"level":"info","ts":1602254525.1541166,"msg":"autosaved config","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Oct 09 14:42:05 caddy caddy[5517]: {"level":"info","ts":1602254525.154134,"msg":"serving initial configuration"}
Oct 09 14:42:05 caddy caddy[5517]: {"level":"info","ts":1602254525.1555028,"logger":"tls","msg":"cleaned up storage units"}
Oct 09 14:42:05 caddy caddy[5517]: {"level":"info","ts":1602254525.1563451,"logger":"tls.obtain","msg":"acquiring lock","identifier":"cloud.skynewz.dev"}
Oct 09 14:42:05 caddy caddy[5517]: {"level":"info","ts":1602254525.1569538,"logger":"tls.obtain","msg":"lock acquired","identifier":"cloud.skynewz.dev"}
Oct 09 14:42:05 caddy caddy[5517]: {"level":"info","ts":1602254525.1688776,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["cloud.skynewz.dev"]}
Oct 09 14:42:05 caddy caddy[5517]: {"level":"info","ts":1602254525.169309,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["cloud.skynewz.dev"]}
Oct 09 14:42:06 caddy caddy[5517]: {"level":"info","ts":1602254526.2846875,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"cloud.skynewz.dev","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
Oct 09 14:44:08 caddy caddy[5517]: {"level":"error","ts":1602254648.374959,"logger":"tls.obtain","msg":"will retry","error":"[cloud.skynewz.dev] Obtain: [cloud.skynewz.dev] solving challenges: waiting for solver *certmagic.DNS01Solver to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-v02.api.letsencrypt.org/acme/order/98841065/5602236743) (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":123.217807825,"max_duration":2592000}
Oct 09 14:45:11 caddy caddy[5517]: {"level":"info","ts":1602254711.0881233,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"cloud.skynewz.dev","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
…
Looping on this 😞

5. What I already tried:

  • Same issue with basic Caddyfile
cloud.skynewz.dev
tls contact@skynewz.dev {
	dns gandi {env.GANDI_API_TOKEN}
}
respond "Hello, world!"
  • Set resolv.conf to 1.1.1.1/1.0.0.1 and ran dig
root@caddy:~# dig cloud.skynewz.dev

; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> cloud.skynewz.dev
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35385
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;cloud.skynewz.dev.		IN	A

;; ANSWER SECTION:
cloud.skynewz.dev.	189	IN	A	51.15.139.15

;; Query time: 3 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Fri Oct 09 20:59:03 UTC 2020
;; MSG SIZE  rcvd: 62

root@caddy:~# dig foo.cloud.skynewz.dev

; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> foo.cloud.skynewz.dev
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39890
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;foo.cloud.skynewz.dev.		IN	A

;; ANSWER SECTION:
foo.cloud.skynewz.dev.	300	IN	CNAME	cloud.skynewz.dev.
cloud.skynewz.dev.	300	IN	A	51.15.139.15

;; Query time: 88 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Fri Oct 09 21:01:33 UTC 2020
;; MSG SIZE  rcvd: 80
  • Tried on my laptop, which also has this issue
2020/10/10 14:50:51.407	INFO	using adjacent Caddyfile
2020/10/10 14:50:51.412	INFO	admin	admin endpoint started	{"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["localhost:2019", "[::1]:2019", "127.0.0.1:2019"]}
2020/10/10 14:50:51.413	INFO	tls.cache.maintenance	started background certificate maintenance	{"cache": "0xc0003b5c00"}
2020/10/10 14:50:51.414	INFO	http	server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS	{"server_name": "srv0", "https_port": 443}
2020/10/10 14:50:51.414	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
2020/10/10 14:50:51.415	INFO	http	enabling automatic TLS certificate management	{"domains": ["cloud.skynewz.dev", "*.cloud.skynewz.dev"]}
2020/10/10 14:50:51.416	INFO	autosaved config	{"file": "/Users/quentin/Library/Application Support/Caddy/autosave.json"}
2020/10/10 14:50:51.416	INFO	serving initial configuration
2020/10/10 14:50:51.416	INFO	tls.obtain	acquiring lock	{"identifier": "*.cloud.skynewz.dev"}
2020/10/10 14:50:51.416	INFO	tls.obtain	acquiring lock	{"identifier": "cloud.skynewz.dev"}
2020/10/10 14:50:51.418	INFO	tls.obtain	lock acquired	{"identifier": "*.cloud.skynewz.dev"}
2020/10/10 14:50:51.418	INFO	tls.obtain	lock acquired	{"identifier": "cloud.skynewz.dev"}
2020/10/10 14:50:51.420	INFO	tls	cleaned up storage units
2020/10/10 14:50:57.504	INFO	tls.issuance.acme	waiting on internal rate limiter	{"identifiers": ["*.cloud.skynewz.dev"]}
2020/10/10 14:50:57.504	INFO	tls.issuance.acme	done waiting on internal rate limiter	{"identifiers": ["*.cloud.skynewz.dev"]}
2020/10/10 14:50:57.838	INFO	tls.issuance.acme.acme_client	trying to solve challenge	{"identifier": "*.cloud.skynewz.dev", "challenge_type": "dns-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2020/10/10 14:51:02.967	INFO	tls.issuance.acme	waiting on internal rate limiter	{"identifiers": ["cloud.skynewz.dev"]}
2020/10/10 14:51:02.967	INFO	tls.issuance.acme	done waiting on internal rate limiter	{"identifiers": ["cloud.skynewz.dev"]}
2020/10/10 14:51:05.479	INFO	tls.issuance.acme.acme_client	trying to solve challenge	{"identifier": "cloud.skynewz.dev", "challenge_type": "dns-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2020/10/10 14:53:00.456	ERROR	tls.obtain	will retry	{"error": "[*.cloud.skynewz.dev] Obtain: [*.cloud.skynewz.dev] solving challenges: waiting for solver *certmagic.DNS01Solver to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-v02.api.letsencrypt.org/acme/order/98930981/5619072497) (ca=https://acme-v02.api.letsencrypt.org/directory)", "attempt": 1, "retrying_in": 60, "elapsed": 129.039618791, "max_duration": 2592000}
  • Tried on my laptop with another root domain, hello.lemairepro.fr; same issue…

6. Links to relevant resources:

GitHub issue: [Gandi] Unable to obtain certificates HTTPS certificates · Issue #3787 · caddyserver/caddy · GitHub

EDIT: I don’t have this issue with Caddy v2.1.0

root@055e6da050ce:/code# ./caddy version
v2.1.1 h1:X9k1+ehZPYYrSqBvf/ocUgdLSRIuiNiMo7CvyGUQKeA=
root@055e6da050ce:/code# ./caddy run
2020/10/10 15:38:55.726	INFO	using adjacent Caddyfile
2020/10/10 15:38:55.731	INFO	admin	admin endpoint started	{"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["localhost:2019", "[::1]:2019", "127.0.0.1:2019"]}
2020/10/10 15:38:55 [INFO][cache:0xc00013bd40] Started certificate maintenance routine
2020/10/10 15:38:55.731	INFO	http	server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS	{"server_name": "srv0", "https_port": 443}
2020/10/10 15:38:55.743	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
2020/10/10 15:38:55.745	INFO	http	enabling automatic TLS certificate management	{"domains": ["*.cloud.skynewz.dev", "cloud.skynewz.dev"]}
2020/10/10 15:38:55.748	INFO	tls	cleaned up storage units
2020/10/10 15:38:55.748	INFO	autosaved config	{"file": "/root/.config/caddy/autosave.json"}
2020/10/10 15:38:55.748	INFO	serving initial configuration
2020/10/10 15:38:55 [INFO][cloud.skynewz.dev] Obtain certificate; acquiring lock...
2020/10/10 15:38:55 [INFO][*.cloud.skynewz.dev] Obtain certificate; acquiring lock...
2020/10/10 15:38:55 [INFO][cloud.skynewz.dev] Obtain: Lock acquired; proceeding...
2020/10/10 15:38:55 [INFO][*.cloud.skynewz.dev] Obtain: Lock acquired; proceeding...
2020/10/10 15:38:56 [INFO] acme: Registering account for contact@skynewz.dev
2020/10/10 15:38:56 [INFO][cloud.skynewz.dev] Waiting on rate limiter...
2020/10/10 15:38:56 [INFO][cloud.skynewz.dev] Done waiting
2020/10/10 15:38:56 [INFO] [cloud.skynewz.dev] acme: Obtaining bundled SAN certificate given a CSR
2020/10/10 15:38:56 [INFO][*.cloud.skynewz.dev] Waiting on rate limiter...
2020/10/10 15:38:56 [INFO][*.cloud.skynewz.dev] Done waiting
2020/10/10 15:38:56 [INFO] [*.cloud.skynewz.dev] acme: Obtaining bundled SAN certificate given a CSR
2020/10/10 15:38:57 [INFO] [cloud.skynewz.dev] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/7797770761
2020/10/10 15:38:57 [INFO] [cloud.skynewz.dev] acme: Could not find solver for: tls-alpn-01
2020/10/10 15:38:57 [INFO] [cloud.skynewz.dev] acme: Could not find solver for: http-01
2020/10/10 15:38:57 [INFO] [cloud.skynewz.dev] acme: use dns-01 solver
2020/10/10 15:38:57 [INFO] [cloud.skynewz.dev] acme: Preparing to solve DNS-01
2020/10/10 15:38:57 [INFO] [*.cloud.skynewz.dev] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/7797770792
2020/10/10 15:38:57 [INFO] [*.cloud.skynewz.dev] acme: use dns-01 solver
2020/10/10 15:38:57 [INFO] [*.cloud.skynewz.dev] acme: Preparing to solve DNS-01
2020/10/10 15:38:58 [INFO] [cloud.skynewz.dev] acme: Trying to solve DNS-01
2020/10/10 15:38:58 [INFO] [cloud.skynewz.dev] acme: Checking DNS record propagation using [192.168.65.1:53]
2020/10/10 15:38:58 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2020/10/10 15:38:58 [INFO] [cloud.skynewz.dev] acme: Waiting for DNS record propagation.
2020/10/10 15:38:58 [INFO] [*.cloud.skynewz.dev] acme: Trying to solve DNS-01
2020/10/10 15:38:58 [INFO] [*.cloud.skynewz.dev] acme: Checking DNS record propagation using [192.168.65.1:53]
2020/10/10 15:38:58 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2020/10/10 15:38:58 [INFO] [*.cloud.skynewz.dev] acme: Waiting for DNS record propagation.
2020/10/10 15:39:00 [INFO] [cloud.skynewz.dev] acme: Waiting for DNS record propagation.
2020/10/10 15:39:00 [INFO] [*.cloud.skynewz.dev] acme: Waiting for DNS record propagation.
2020/10/10 15:39:03 [INFO] [*.cloud.skynewz.dev] acme: Waiting for DNS record propagation.
2020/10/10 15:39:05 [INFO] [*.cloud.skynewz.dev] acme: Waiting for DNS record propagation.
2020/10/10 15:39:06 [INFO] [cloud.skynewz.dev] The server validated our request
2020/10/10 15:39:06 [INFO] [cloud.skynewz.dev] acme: Cleaning DNS-01 challenge
2020/10/10 15:39:07 [INFO] [*.cloud.skynewz.dev] acme: Waiting for DNS record propagation.
2020/10/10 15:39:07 [INFO] [cloud.skynewz.dev] acme: Validations succeeded; requesting certificates
2020/10/10 15:39:07 [INFO] [cloud.skynewz.dev] Server responded with a certificate.
2020/10/10 15:39:07 [INFO][cloud.skynewz.dev] Certificate obtained successfully
2020/10/10 15:39:07 [INFO][cloud.skynewz.dev] Obtain: Releasing lock
2020/10/10 15:39:12 [INFO] [*.cloud.skynewz.dev] The server validated our request
2020/10/10 15:39:12 [INFO] [*.cloud.skynewz.dev] acme: Cleaning DNS-01 challenge
2020/10/10 15:39:13 [INFO] [*.cloud.skynewz.dev] acme: Validations succeeded; requesting certificates
2020/10/10 15:39:14 [INFO] [*.cloud.skynewz.dev] Server responded with a certificate.
2020/10/10 15:39:14 [INFO][*.cloud.skynewz.dev] Certificate obtained successfully
2020/10/10 15:39:14 [INFO][*.cloud.skynewz.dev] Obtain: Releasing lock
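The error in section 4 ends with "verify DNS provider configuration is correct", and the zone listing there is worth a second look: the `_acme-challenge` TXT records are printed with a full name and no trailing dot, while every other owner in the same listing is relative to the origin (`@`, `*.cloud`, `cloud`). Under the RFC 1035 master-file convention a name without a trailing dot is relative to the origin, so whether those TXT records sit at the name the CA actually queries depends on which convention the listing follows. The script below, an added example and not code from Caddy, CertMagic or the libdns Gandi provider, parses an excerpt of that listing under both readings and reports, for a given site name, where the DNS-01 token is expected, which `_acme-challenge` records are at some other owner, and which token values are left over more than once (stale records from earlier attempts, which the listing also shows). The origin `skynewz.dev` and the `relative_names` switch are assumptions made for the example; which convention Gandi's export uses is not established by the thread.

```python
"""Sanity-check _acme-challenge TXT records in a DNS zone listing.

Added example for this thread; not Caddy, CertMagic or libdns code.
The listing below is an excerpt of the one posted in section 4 and is
used here as sample input. Whether that listing follows the RFC 1035
master-file convention (bare names relative to the origin) is an
assumption, hence the relative_names switch.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

ZONE_LISTING = """\
@ 10800 IN SOA ns1.gandi.net. hostmaster.gandi.net. 1602253807 10800 3600 604800 10800
*.cloud 300 IN CNAME cloud.skynewz.dev.
@ 300 IN A 185.199.108.153
_acme-challenge.cloud.skynewz.dev 10800 IN TXT "1MXf_ZXP2fsqcL5aoHRp7lEKlFKKfF80nRrqQ_U9KXI"
_acme-challenge.cloud.skynewz.dev 10800 IN TXT "41fqxzBfjOf60IdI8IwIEX_3re4aEYpJj_1lGBCuu6s"
_acme-challenge.cloud.skynewz.dev 10800 IN TXT "41fqxzBfjOf60IdI8IwIEX_3re4aEYpJj_1lGBCuu6s"
cloud 300 IN A 51.15.212.58
"""


@dataclass(frozen=True)
class Record:
    owner: str  # fully qualified, with trailing dot
    ttl: int
    rtype: str
    rdata: str


def qualify(name: str, origin: str, relative_names: bool = True) -> str:
    """Turn an owner name from a zone listing into an FQDN with a trailing dot.

    relative_names=True follows the master-file convention: '@' is the origin
    and a name without a trailing dot is relative to it. relative_names=False
    is for listings that print every name fully qualified without the dot.
    """
    origin = origin.rstrip(".") + "."
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}" if relative_names else f"{name}."


def parse_zone(listing: str, origin: str, relative_names: bool = True) -> list[Record]:
    """Parse 'owner ttl class type rdata' lines; blank lines and ';' comments are skipped."""
    records: list[Record] = []
    for line in listing.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, ttl, _cls, rtype, rdata = line.split(None, 4)
        records.append(Record(qualify(owner, origin, relative_names), int(ttl), rtype, rdata.strip('"')))
    return records


def challenge_report(records: list[Record], hostname: str) -> dict:
    """Compare where the CA queries the DNS-01 token with where TXT records actually are.

    For a wildcard the challenge lives at the base name: '*.cloud.example' is
    validated via _acme-challenge.cloud.example, the same owner as 'cloud.example'.
    """
    base = hostname[2:] if hostname.startswith("*.") else hostname
    expected = f"_acme-challenge.{base.rstrip('.')}."
    txt = [r for r in records if r.rtype == "TXT" and r.owner.startswith("_acme-challenge.")]
    at_expected = [r.rdata for r in txt if r.owner == expected]
    misplaced: dict[str, list[str]] = {}
    for r in txt:
        if r.owner != expected:
            misplaced.setdefault(r.owner, []).append(r.rdata)
    # Tokens present more than once are leftovers from earlier attempts that were
    # never cleaned up; they never make validation fail, but they clutter the zone.
    duplicates = {v: n for v, n in Counter(r.rdata for r in txt).items() if n > 1}
    return {"expected_owner": expected, "at_expected": at_expected,
            "misplaced": misplaced, "duplicates": duplicates}


if __name__ == "__main__":
    for relative in (True, False):
        recs = parse_zone(ZONE_LISTING, "skynewz.dev", relative_names=relative)
        print(f"relative_names={relative}:", challenge_report(recs, "*.cloud.skynewz.dev"))
```

Read with `relative_names=True`, the TXT owners in the excerpt resolve to `_acme-challenge.cloud.skynewz.dev.skynewz.dev.` and nothing is found at `_acme-challenge.cloud.skynewz.dev.`, which would match a propagation check that never sees the record; read with `relative_names=False`, all three tokens are at the expected owner and only the duplicate is reported. A `dig +norecurse @ns1.gandi.net _acme-challenge.cloud.skynewz.dev TXT` against the authoritative server settles which reading is right for a live zone.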
