Getting error about authorization took too long

Shoaib_Sharif · May 27, 2021, 5:02am

1. Caddy version (`caddy version`): v2.4.1 h1:kAJ0JB5Xk5gPdTH/27S5cyoMGqD5lBAe9yZ8zTjVJa0=

2. How I run Caddy:

I have a droplet on docker where I am trying to run this laravel repo.
When I am trying to run on :80, it works fine

:80 {
    root * /srv/public

    log
    encode gzip

    php_fastcgi 127.0.0.1:9000

    file_server
}

But when I am trying to run with domain name I can go to the website because browser cannot establish a secure connection. You can visit this website

a. System environment:

Docker version : 20.10.6
OS: Ubuntu hirsute (21.04)

b. Command:

I am using docker so this doesn’t apply;

c. Service/unit/compose file:

version: "3"
services:
  caddy:
    image: caddy
    restart: unless-stopped
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - .:/srv
      - ./caddy_data:/data
      - ./caddy_config:/config
    ports:
      - 80:80
      - 443:443

  php:
    build: ./docker
    restart: unless-stopped
    working_dir: /srv
    volumes:
      - .:/srv
  postgres:
    image: postgres:12-alpine
    volumes: 
      - ./database:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: app
      POSTGRES_USER: app
      POSTGRES_PASSWORD: app
      PGDATA: /var/lib/postgresql/data/pgdata
    ports:
      - 54321:5432

d. My complete Caddyfile or JSON config:

snippet.dokan.app {
    root * /srv/public

    log
    encode gzip

    php_fastcgi 127.0.0.1:9000

    file_server
}

3. The problem I’m having:

root@snippet:~/snippet_api# curl -L snippet.dokan.app
curl: (7) Failed to connect to snippet.dokan.app port 80: Connection refused

4. Error messages and/or full log output:

2021/05/27 04:43:53.191	INFO	using adjacent Caddyfile
2021/05/27 04:43:53.194	INFO	admin	admin endpoint started	{"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["localhost:2019", "[::1]:2019", "127.0.0.1:2019"]}
2021/05/27 04:43:53.194	INFO	http	server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS	{"server_name": "srv0", "https_port": 443}
2021/05/27 04:43:53.194	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
2021/05/27 04:43:53.195	INFO	http	enabling automatic TLS certificate management	{"domains": ["snippet.dokan.app"]}
2021/05/27 04:43:53.196	INFO	autosaved config (load with --resume flag)	{"file": "/root/.config/caddy/autosave.json"}
2021/05/27 04:43:53.196	INFO	serving initial configuration
2021/05/27 04:43:53.196	INFO	tls.obtain	acquiring lock	{"identifier": "snippet.dokan.app"}
2021/05/27 04:43:53.199	INFO	tls.obtain	lock acquired	{"identifier": "snippet.dokan.app"}
2021/05/27 04:43:53.208	INFO	tls.cache.maintenance	started background certificate maintenance	{"cache": "0xc0002552d0"}
2021/05/27 04:43:53.208	INFO	tls	cleaning storage unit	{"description": "FileStorage:/root/.local/share/caddy"}
2021/05/27 04:43:53.208	INFO	tls	finished cleaning storage units
2021/05/27 04:43:53.211	INFO	tls.issuance.acme	waiting on internal rate limiter	{"identifiers": ["snippet.dokan.app"]}
2021/05/27 04:43:53.211	INFO	tls.issuance.acme	done waiting on internal rate limiter	{"identifiers": ["snippet.dokan.app"]}
2021/05/27 04:43:53.561	WARN	tls.issuance.zerossl	missing email address for ZeroSSL; it is strongly recommended to set one for next time
2021/05/27 04:43:53.777	INFO	tls.issuance.zerossl	generated EAB credentials	{"key_id": "uD-5yWLSdq4pcTzMlBo5hw"}
2021/05/27 04:43:54.330	INFO	tls.issuance.acme	waiting on internal rate limiter	{"identifiers": ["snippet.dokan.app"]}
2021/05/27 04:43:54.330	INFO	tls.issuance.acme	done waiting on internal rate limiter	{"identifiers": ["snippet.dokan.app"]}
2021/05/27 04:43:54.622	INFO	tls.issuance.acme.acme_client	trying to solve challenge	{"identifier": "snippet.dokan.app", "challenge_type": "http-01", "ca": "https://acme.zerossl.com/v2/DV90"}
2021/05/27 04:43:55.248	INFO	tls.issuance.acme	served key authentication	{"identifier": "snippet.dokan.app", "challenge": "http-01", "remote": "91.199.212.132:57406", "distributed": false}
2021/05/27 04:44:00.037	INFO	tls.issuance.acme.acme_client	validations succeeded; finalizing order	{"order": "https://acme.zerossl.com/v2/DV90/order/4UDYKHDpDYZtPgBeoP7srA"}
2021/05/27 04:49:02.451	ERROR	tls.obtain	will retry	{"error": "[snippet.dokan.app] Obtain: [snippet.dokan.app] finalizing order https://acme.zerossl.com/v2/DV90/order/4UDYKHDpDYZtPgBeoP7srA: order took too long (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 1, "retrying_in": 60, "elapsed": 309.251859771, "max_duration": 2592000}
2021/05/27 04:50:03.924	INFO	tls.issuance.acme.acme_client	trying to solve challenge	{"identifier": "snippet.dokan.app", "challenge_type": "http-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"}

5. What I already tried:

It worked on my first try. I have checked and it was Let’s Encrypt SSL. I had to shut down the application multiple times and that’s when I wasn’t able to get into the website.

6. Links to relevant resources:

matt · May 27, 2021, 2:41pm

Could be a hiccup with ZeroSSL. They might have been doing some maintenance or something.

Shoaib_Sharif · May 27, 2021, 4:38pm

I think so. I was quite frustrated why it was not working. Is there anyway I can force to use Let’s Encrypt instead of using ZeroSSL?

francislavoie · May 27, 2021, 6:23pm

Caddy automatically cycles between the two. If one doesn’t work, it tries the other. It tries Let’s Encrypt first. You shouldn’t need to do anything.

matt · May 27, 2021, 7:23pm

To expand on this correct answer, Caddy will retry with the same CA as any previous certificate that has a private key for that name.

Shoaib_Sharif · May 27, 2021, 8:49pm

But for some reason, it didn’t work that way. I never see the log trying to SSL with Let’s Encrypt. It tried the very first time when I boot my application. After that, everytime I start the docker it tries with ZeroSSL. I deleted the docker image and tried again, it didn’t try to SSL with Let’s Encrypt. Then, I deleted docker image and manually installed command line but it didn’t work either. Last, I deleted my digitalocean droplet and tried with a fresh digitalocean droplet with docker image, and didn’t help either. Am I missing something?

Shoaib_Sharif · May 28, 2021, 2:02am

Can you move them to use Let’s Encrypt instead. Is there anyway to do that?

matt · May 28, 2021, 5:11pm

I have this bookmarked to return to it soon, I just need to get a few other things taken care of first.

Levi_Durfee · June 2, 2021, 3:13pm

I’m having a similar issue and I think my problem is with Cloudflare.

balloon · June 4, 2021, 10:10am

ZeroSSL had a problem for a few days, but the cause and details have been clarified.
I report separately. Be careful if you are using ZeroSSL with Caddy.

github.com/caddyserver/caddy

ZeroSSL certificate must be forcibly reissued

opened 09:28AM - 04 Jun 21 UTC

closed 04:27PM - 04 Jun 21 UTC

fu-sen

bug

https://help.zerossl.com/hc/en-us/articles/900006733066 ZeroSSL has announced… that certificates issued by ACME may be revoked by Sectigo. Caddy-issued certificates clearly fall into this category. Certificates prior to May 21, 2021 must be prompted to reship the certificate. Can this be handled at the Caddy level? If necessary, we also need to provide a means for the user to handle it manually.

balloon · June 4, 2021, 10:16am

This is a different issue. Occurs when going through Cloudflare.
Recently we have touched on this issue:

system · June 26, 2021, 5:02am

This topic was automatically closed after 30 days. New replies are no longer allowed.