How to disable all ACME challenges

Thank you for Caddy!

1. The problem I’m having:

As a Caddy user I would like to use a private internal ACME CA that only requires valid external account bindings (EAB). No further challenges are done due to firewall restrictions in this DMZ. They officially support acme.sh and cert-manager, but of course I would like to use Caddy.

Using Caddy, however, results in the error:

“HTTP 403 urn:ietf:params:acme:error:orderNotReady - Certificate order is failed”

I am not sure of the cause, but my initial thoughts were that this was related to the challenges. After configuring disable_http_challenge and disable_tlsalpn_challenge, I got the error “no solvers available for remaining challenges”.

My question would be if Caddy supports this ACME setup.

2. Error messages and/or full log output:

aug 14 15:28:07 server01 caddy[40708]: {"level":"debug","ts":1755178087.0411003,"msg":"http request","method":"POST","url":"https://ca.company.org/acme/v2/my-order/EyOVjRtQKNMXWiOXOr7ihSzNB5NPWV-eHOH5BSbPjSU","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.10.1-0.20250616201409-2f0fc62b34b9 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["https://confluence.company.org"],"Cache-Control":["no-store, max-age=0"],"Content-Length":["326"],"Content-Security-Policy":["script-src 'nonce-ZkzU2bsEEUkpuHHH8qyyuxiIOlL5zc0jlctmB-Pk6gs'"],"Content-Type":["application/json"],"Date":["Thu, 14 Aug 2025 13:28:07 GMT"],"Referrer-Policy":["same-origin"],"Replay-Nonce":["ZkzU2bsEEUkpuHHH8qyyuxiIOlL5zc0jlctmB-Pk6gs"],"Retry-After":["2"],"Strict-Transport-Security":["max-age=31536000; includeSubDomains"],"Vary":["Origin"],"X-Content-Type-Options":["nosniff"],"X-Frame-Options":["deny"],"X-Xss-Protection":["1; mode=block"]},"status_code":200}
aug 14 15:28:09 server01 caddy[40708]: {"level":"debug","ts":1755178089.0785868,"msg":"http request","method":"POST","url":"https://ca.company.org/acme/v2/my-order/EyOVjRtQKNMXWiOXOr7ihSzNB5NPWV-eHOH5BSbPjSU","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.10.1-0.20250616201409-2f0fc62b34b9 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["https://confluence.company.org"],"Cache-Control":["no-store, max-age=0"],"Content-Length":["326"],"Content-Security-Policy":["script-src 'nonce-m8OgjzPwQCfGibKw7NxwyWQf3jb8wKadC4joqONjBgc'"],"Content-Type":["application/json"],"Date":["Thu, 14 Aug 2025 13:28:09 GMT"],"Referrer-Policy":["same-origin"],"Replay-Nonce":["m8OgjzPwQCfGibKw7NxwyWQf3jb8wKadC4joqONjBgc"],"Retry-After":["Thu, 14 Aug 2025 13:28:11 GMT"],"Strict-Transport-Security":["max-age=31536000; includeSubDomains"],"Vary":["Origin"],"X-Content-Type-Options":["nosniff"],"X-Frame-Options":["deny"],"X-Xss-Protection":["1; mode=block"]},"status_code":200}
aug 14 15:28:11 server01 caddy[40708]: {"level":"debug","ts":1755178091.0392897,"msg":"http request","method":"POST","url":"https://ca.company.org/acme/v2/my-order/EyOVjRtQKNMXWiOXOr7ihSzNB5NPWV-eHOH5BSbPjSU","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.10.1-0.20250616201409-2f0fc62b34b9 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["https://confluence.company.org"],"Cache-Control":["no-store, max-age=0"],"Content-Length":["104"],"Content-Security-Policy":["script-src 'nonce-bkhFoYyEzVLxG-4mhEcV0Gjd2fwpkDkXp26APK7XVOM'"],"Content-Type":["application/problem+json; charset=utf-8"],"Date":["Thu, 14 Aug 2025 13:28:11 GMT"],"Referrer-Policy":["same-origin"],"Replay-Nonce":["bkhFoYyEzVLxG-4mhEcV0Gjd2fwpkDkXp26APK7XVOM"],"Strict-Transport-Security":["max-age=31536000; includeSubDomains"],"Vary":["Origin"],"X-Content-Type-Options":["nosniff"],"X-Frame-Options":["deny"],"X-Xss-Protection":["1; mode=block"]},"status_code":403}
aug 14 15:28:11 server01 caddy[40708]: {"level":"error","ts":1755178091.0394351,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"test.prd.internal.company.org","issuer":"ca.company.org-acme-v2-directory","error":"HTTP 403 urn:ietf:params:acme:error:orderNotReady - Certificate order is failed"}
aug 14 15:28:11 server01 caddy[40708]: {"level":"debug","ts":1755178091.039464,"logger":"events","msg":"event","name":"cert_failed","id":"e6a758c6-0577-44f6-912a-a11febf3b66a","origin":"tls","data":{"error":{},"identifier":"test.prd.internal.company.org","issuers":["ca.company.org-acme-v2-directory"],"renewal":false}}
aug 14 15:28:11 server01 caddy[40708]: {"level":"error","ts":1755178091.0394921,"logger":"tls.obtain","msg":"will retry","error":"[test.prd.internal.company.org] Obtain: [test.prd.internal.company.org test.prd.internal.company.org] finalizing order https://ca.company.org/acme/v2/my-order/EyOVjRtQKNMXWiOXOr7ihSzNB5NPWV-eHOH5BSbPjSU: polling order status: attempt 1: https://ca.company.org/acme/v2/my-order/EyOVjRtQKNMXWiOXOr7ihSzNB5NPWV-eHOH5BSbPjSU: HTTP 403 urn:ietf:params:acme:error:orderNotReady - Certificate order is failed (ca=https://ca.company.org/acme/v2/directory)","attempt":2,"retrying_in":120,"elapsed":72.542136451,"max_duration":2592000}

3. Caddy version:

2.10.0

4. My Caddy config

# Site address taken from the "identifier" field in the log above;
# the tls directive has to sit inside a site block to be loadable.
test.prd.internal.company.org {
	tls {
		issuer acme {
			# Directory URL of the internal ACME CA
			dir https://ca.company.org/acme/v2/directory

			# External account binding; key_id and MAC_KEY are placeholders
			# for the key ID and MAC key issued by the CA
			eab key_id MAC_KEY
		}
		# Key type for the certificate's private key
		key_type rsa4096
	}
}

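The log lines quoted above are Caddy's structured JSON log wrapped in a journald prefix. The following Python script is an added example, not part of the original post and not Caddy or CertMagic code: it strips the journald prefix, reconstructs the sequence of order-status polls (status code, content type, and the Retry-After the CA asked for, which the CA sent once as delta-seconds and once as an HTTP-date), and pulls the ACME problem type and detail plus CertMagic's retry state out of the error lines. SAMPLE_LOG is a trimmed, constructed copy of the lines in the post (most response headers dropped); the function names are mine.

```python
"""Reconstruct an ACME order's polling history from Caddy's JSON debug log."""
import json
import re
from email.utils import parsedate_to_datetime

# Constructed sample: a trimmed copy of the journald-wrapped JSON lines quoted
# in the post above (most response headers dropped to keep it short).
SAMPLE_LOG = """\
aug 14 15:28:07 server01 caddy[40708]: {"level":"debug","ts":1755178087.0411003,"msg":"http request","method":"POST","url":"https://ca.company.org/acme/v2/my-order/EyOVjRtQKNMXWiOXOr7ihSzNB5NPWV-eHOH5BSbPjSU","response_headers":{"Content-Type":["application/json"],"Date":["Thu, 14 Aug 2025 13:28:07 GMT"],"Retry-After":["2"]},"status_code":200}
aug 14 15:28:09 server01 caddy[40708]: {"level":"debug","ts":1755178089.0785868,"msg":"http request","method":"POST","url":"https://ca.company.org/acme/v2/my-order/EyOVjRtQKNMXWiOXOr7ihSzNB5NPWV-eHOH5BSbPjSU","response_headers":{"Content-Type":["application/json"],"Date":["Thu, 14 Aug 2025 13:28:09 GMT"],"Retry-After":["Thu, 14 Aug 2025 13:28:11 GMT"]},"status_code":200}
aug 14 15:28:11 server01 caddy[40708]: {"level":"debug","ts":1755178091.0392897,"msg":"http request","method":"POST","url":"https://ca.company.org/acme/v2/my-order/EyOVjRtQKNMXWiOXOr7ihSzNB5NPWV-eHOH5BSbPjSU","response_headers":{"Content-Type":["application/problem+json; charset=utf-8"],"Date":["Thu, 14 Aug 2025 13:28:11 GMT"]},"status_code":403}
aug 14 15:28:11 server01 caddy[40708]: {"level":"error","ts":1755178091.0394351,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"test.prd.internal.company.org","issuer":"ca.company.org-acme-v2-directory","error":"HTTP 403 urn:ietf:params:acme:error:orderNotReady - Certificate order is failed"}
aug 14 15:28:11 server01 caddy[40708]: {"level":"error","ts":1755178091.0394921,"logger":"tls.obtain","msg":"will retry","error":"[test.prd.internal.company.org] Obtain: [test.prd.internal.company.org test.prd.internal.company.org] finalizing order https://ca.company.org/acme/v2/my-order/EyOVjRtQKNMXWiOXOr7ihSzNB5NPWV-eHOH5BSbPjSU: polling order status: attempt 1: https://ca.company.org/acme/v2/my-order/EyOVjRtQKNMXWiOXOr7ihSzNB5NPWV-eHOH5BSbPjSU: HTTP 403 urn:ietf:params:acme:error:orderNotReady - Certificate order is failed (ca=https://ca.company.org/acme/v2/directory)","attempt":2,"retrying_in":120,"elapsed":72.542136451,"max_duration":2592000}
"""

# The ACME problem document as acmez folds it into Caddy's error strings:
# "HTTP <status> urn:ietf:params:acme:error:<type> - <detail> (ca=<url>)"
ACME_PROBLEM = re.compile(
    r"HTTP (?P<status>\d{3}) (?P<type>urn:ietf:params:acme:error:\w+)"
    r"(?: - (?P<detail>.+?))?(?= \(ca=|$)"
)


def parse_log(text):
    """Return one dict per JSON log line, dropping the journald prefix."""
    events = []
    for raw in text.splitlines():
        start = raw.find("{")
        if start < 0:
            continue  # not a JSON line (e.g. a bare journald message)
        events.append(json.loads(raw[start:]))
    return events


def retry_after_seconds(value, sent_at):
    """Normalise Retry-After (delta-seconds or HTTP-date) to seconds after sent_at."""
    if value is None:
        return None
    value = value.strip()
    if value.isdigit():
        return float(value)
    return parsedate_to_datetime(value).timestamp() - sent_at


def order_timeline(events):
    """One entry per request Caddy made to the CA, in log order."""
    polls = []
    for ev in events:
        if ev.get("msg") != "http request" or "/acme/" not in ev.get("url", ""):
            continue
        hdrs = ev.get("response_headers", {})

        def first(name):
            values = hdrs.get(name) or []  # Caddy logs header values as lists
            return values[0] if values else None

        polls.append({
            "ts": ev["ts"],
            "url": ev["url"],
            "status": ev["status_code"],
            "content_type": first("Content-Type"),
            "retry_after_s": retry_after_seconds(first("Retry-After"), ev["ts"]),
        })
    return polls


def classify_failure(events):
    """Extract the ACME problem type/detail and CertMagic's retry state from error lines."""
    result = {}
    for ev in events:
        if ev.get("level") != "error":
            continue
        m = ACME_PROBLEM.search(ev.get("error", ""))
        if not m:
            continue
        result.setdefault("status", int(m["status"]))
        result.setdefault("type", m["type"])
        result.setdefault("detail", m["detail"])
        if ev.get("identifier"):
            result.setdefault("identifier", ev["identifier"])
        if ev.get("msg") == "will retry":
            result["attempt"] = ev.get("attempt")
            result["retrying_in"] = ev.get("retrying_in")
            ca = re.search(r"\(ca=([^)]+)\)", ev["error"])
            result["ca"] = ca.group(1) if ca else None
    return result


def summarize(text):
    """Polls plus failure classification for a chunk of Caddy log output."""
    events = parse_log(text)
    return {"polls": order_timeline(events), "failure": classify_failure(events)}


if __name__ == "__main__":
    import pprint
    pprint.pprint(summarize(SAMPLE_LOG))
```

Fed the real output of journalctl -u caddy instead of SAMPLE_LOG, the same functions show how long the CA kept the order in a non-final state before returning the 403 problem document, and which problem type and detail the CA actually sent, which is the part worth quoting when asking the CA operator why the order was marked failed.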