HTTP-01 challenge via redirect

1. The problem I’m having:

Hi, I’m currently working for a hosting provider and building a centralised certificate management system using caddy for certs issuance.

Basically, caddy has only minimal configuration to manage certificates for a set of domains.
Validation should be possible with DNS-01 and HTTP-01 challenges.
These domains are not served, directly or indirectly, through this caddy instance.

DNS-01 challenges are working fine.

For some domains however, we don’t have access to the DNS zone and rely on HTTP-01.
The problem I’m facing is trying to validate certificates for a domain following a redirection for the HTTP-01 challenge. The imagined flow would be the following.

  1. Configure caddy to manage a certificate for eva-euvaluersalliance.com
  2. Let’s Encrypt servers try to fetch the challenge file at /.well-known/acme-challenge/…
  3. The request goes to http://eva-euvaluersalliance.com/.well-known/acme-challenge/
  4. The server for eva-euvaluersalliance.com (haproxy in this case), responds with a 302 to http://acme.cms-france.net/.well-known/acme-challenge/
  5. acme.cms-france.net resolves to the caddy server that should validate the challenge

However, in this configuration, caddy doesn’t seem to respond to the challenge.

Is this use case supported or is caddy only using the hostname that is used for the challenge request to map the correct response?
Said differently, can caddy validate a challenge for domain-a.tld if the challenge request is sent to domain-b.tld, when both domain-a.tld and domain-b.tld are declared in caddy’s config?

I know that we could probably proxy the request to caddy instead of a 302 but that involves a bit more configuration for each customer web server and opening additional http traffic between our subnets which is not ideal.

2. Error messages and/or full log output:

The 302 redirect is working correctly:

❯ curl --head --location http://eva-euvaluersalliance.com/.well-known/acme-challenge/1234
HTTP/1.1 302 Found
content-length: 0
location: http://acme.cms-france.net/.well-known/acme-challenge/1234
cache-control: no-cache

HTTP/1.1 308 Permanent Redirect
Connection: close
Location: https://acme.cms-france.net/.well-known/acme-challenge/1234
Server: Caddy
Date: Thu, 12 Oct 2023 17:28:27 GMT

HTTP/2 200
alt-svc: h3=":443"; ma=2592000
server: Caddy
date: Thu, 12 Oct 2023 17:28:27 GMT

Here is caddy’s log:

{"level":"info","ts":1697124064.5307875,"msg":"serving initial configuration"}
{"level":"info","ts":1697124064.5350225,"logger":"tls.obtain","msg":"lock acquired","identifier":"eva-euvaluersalliance.com"}
{"level":"info","ts":1697124064.5351093,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"eva-euvaluersalliance.com"}
{"level":"debug","ts":1697124064.5351233,"logger":"events","msg":"event","name":"cert_obtaining","id":"8879f571-494b-4f45-8c5e-562ba74d0355","origin":"tls","data":{"identifier":"eva-euvaluersalliance.com"}}
{"level":"debug","ts":1697124064.5353405,"logger":"tls.obtain","msg":"trying issuer 1/1","issuer":"acme-staging-v02.api.letsencrypt.org-directory"}
{"level":"info","ts":1697124064.5355384,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["eva-euvaluersalliance.com"],"ca":"https://acme-staging-v02.api.letsencrypt.org/directory","account":"__REDACTED__"}
{"level":"info","ts":1697124064.5355492,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["eva-euvaluersalliance.com"],"ca":"https://acme-staging-v02.api.letsencrypt.org/directory","account":"__REDACTED__"}
{"level":"debug","ts":1697124065.0054219,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"GET","url":"https://acme-staging-v02.api.letsencrypt.org/directory","headers":{"User-Agent":["Caddy/2.7.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["826"],"Content-Type":["application/json"],"Date":["Thu, 12 Oct 2023 15:21:04 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1697124065.1552908,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"HEAD","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.7.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Thu, 12 Oct 2023 15:21:05 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["Oaj3whhZ8srl4YnIShcH1v_F6pSfTY9yB3UbKpZapCgrbF1EKwo"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1697124065.3457706,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["110325894"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["363"],"Content-Type":["application/json"],"Date":["Thu, 12 Oct 2023 15:21:05 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/order/110325894/11534852484"],"Replay-Nonce":["Oaj3whhZhKBvdmCeryinZ_6eQa0Siyik65JKlcOWGV9DapxaKSQ"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}
{"level":"debug","ts":1697124065.5032196,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/8820316224","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["110325894"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["827"],"Content-Type":["application/json"],"Date":["Thu, 12 Oct 2023 15:21:05 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["HzmSNKzxrURB_ILfJPvoVKv6WyG_Z4ByHSK7AyEzXdi2D2eu63M"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1697124065.5043633,"logger":"http.stdlib","msg":"http: TLS handshake error from 127.0.0.1:50210: EOF"}
{"level":"debug","ts":1697124065.6638887,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/8820316224/HGXOiA","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["110325894"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["197"],"Content-Type":["application/json"],"Date":["Thu, 12 Oct 2023 15:21:05 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/8820316224>;rel=\"up\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/8820316224/HGXOiA"],"Replay-Nonce":["HzmSNKzxBJw-W2JhFKDDyZ517xAarD7WN1isE4TU_OEV1s5YJmI"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1697124066.0694933,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/8820316224","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["110325894"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["827"],"Content-Type":["application/json"],"Date":["Thu, 12 Oct 2023 15:21:05 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["HzmSNKzx-6N-H-WLPmzCFU4SMnh6gbfy9Shg8RiOKqkqHLlg4YM"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1697124066.4871533,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/8820316224","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["110325894"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["883"],"Content-Type":["application/json"],"Date":["Thu, 12 Oct 2023 15:21:06 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["HzmSNKzxHqwxxbXApJpbip1X8uTkIrV33FbS9PErQyCy8X4QkHk"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1697124067.6797035,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["110325894"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["363"],"Content-Type":["application/json"],"Date":["Thu, 12 Oct 2023 15:21:07 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/order/110325894/11534853554"],"Replay-Nonce":["HzmSNKzxIfHtGVpe6jJFcXvgr_1f23XGtIjKQrksU2O0JYl5KL4"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}
{"level":"debug","ts":1697124067.8349,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/8820317354","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["110325894"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["827"],"Content-Type":["application/json"],"Date":["Thu, 12 Oct 2023 15:21:07 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["HzmSNKzxxutbgogutszoDExE91RIRtyOXzgf8XvnsVRs_Vadpmw"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1697124067.8350677,"logger":"tls.issuance.acme.acme_client","msg":"no solver configured","challenge_type":"dns-01"}
{"level":"info","ts":1697124067.8350763,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"eva-euvaluersalliance.com","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"debug","ts":1697124067.8354185,"logger":"tls.issuance.acme.acme_client","msg":"waiting for solver before continuing","identifier":"eva-euvaluersalliance.com","challenge_type":"http-01"}
{"level":"debug","ts":1697124067.8354323,"logger":"tls.issuance.acme.acme_client","msg":"done waiting for solver","identifier":"eva-euvaluersalliance.com","challenge_type":"http-01"}
{"level":"debug","ts":1697124067.9925983,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/8820317354/mQ9Ewg","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["110325894"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["193"],"Content-Type":["application/json"],"Date":["Thu, 12 Oct 2023 15:21:07 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/8820317354>;rel=\"up\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/8820317354/mQ9Ewg"],"Replay-Nonce":["HzmSNKzxweP4Yp56msUSpa7P0w-3aykp3ArcfI2XSnk_LJfziTA"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1697124067.992844,"logger":"tls.issuance.acme.acme_client","msg":"challenge accepted","identifier":"eva-euvaluersalliance.com","challenge_type":"http-01"}
{"level":"debug","ts":1697124068.3950732,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/8820317354","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["110325894"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["827"],"Content-Type":["application/json"],"Date":["Thu, 12 Oct 2023 15:21:08 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["HzmSNKzx0EkIcPKzEXKLhoGYNpeGvrksyMX2Y65SF9eUn30BTo0"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"error","ts":1697124068.4716346,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"acme.cms-france.net","remote_addr":"13.59.103.246:47712","user_agent":"Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)","error":"no information found to solve challenge for identifier: acme.cms-france.net"}
{"level":"debug","ts":1697124068.6654506,"logger":"events","msg":"event","name":"tls_get_certificate","id":"f53f234f-aeec-4e27-94f6-b3f1580ff85a","origin":"tls","data":{"client_hello":{"CipherSuites":[49195,49199,49196,49200,52393,52392,49161,49171,49162,49172,156,157,47,53,49170,10,4865,4866,4867],"ServerName":"acme.cms-france.net","SupportedCurves":[29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[2052,1027,2055,2053,2054,1025,1281,1537,1283,1539,513,515],"SupportedProtos":null,"SupportedVersions":[772,771],"Conn":{}}}}
{"level":"debug","ts":1697124068.665935,"logger":"tls.handshake","msg":"choosing certificate","identifier":"acme.cms-france.net","num_choices":1}
{"level":"debug","ts":1697124068.6660805,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"acme.cms-france.net","subjects":["acme.cms-france.net"],"managed":true,"issuer_key":"acme-staging-v02.api.letsencrypt.org-directory","hash":"a6e3457c5513441718d33fed7377bcafd7d4799ca5914c5c4adabb03f3d23d58"}
{"level":"debug","ts":1697124068.6662,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"13.59.103.246","remote_port":"26502","subjects":["acme.cms-france.net"],"managed":true,"expiration":1704806443,"hash":"a6e3457c5513441718d33fed7377bcafd7d4799ca5914c5c4adabb03f3d23d58"}
{"level":"error","ts":1697124068.764812,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"acme.cms-france.net","remote_addr":"13.59.103.246:26502","user_agent":"Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)","error":"no information found to solve challenge for identifier: acme.cms-france.net"}
{"level":"debug","ts":1697124068.8011904,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/8820317354","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["110325894"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["827"],"Content-Type":["application/json"],"Date":["Thu, 12 Oct 2023 15:21:08 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["Oaj3whhZdbLiwBNS36O3ICCp__hFS9rIIwqDV-cPZfLLVnuax7A"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"error","ts":1697124068.8212357,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"acme.cms-france.net","remote_addr":"34.221.96.183:13362","user_agent":"Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)","error":"no information found to solve challenge for identifier: acme.cms-france.net"}
{"level":"debug","ts":1697124069.1668713,"logger":"events","msg":"event","name":"tls_get_certificate","id":"c2ccbdfb-1b8e-43bd-a649-019afbf87a48","origin":"tls","data":{"client_hello":{"CipherSuites":[49195,49199,49196,49200,52393,52392,49161,49171,49162,49172,156,157,47,53,49170,10,4865,4866,4867],"ServerName":"acme.cms-france.net","SupportedCurves":[29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[2052,1027,2055,2053,2054,1025,1281,1537,1283,1539,513,515],"SupportedProtos":null,"SupportedVersions":[772,771],"Conn":{}}}}
{"level":"debug","ts":1697124069.1671698,"logger":"tls.handshake","msg":"choosing certificate","identifier":"acme.cms-france.net","num_choices":1}
{"level":"debug","ts":1697124069.1672926,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"acme.cms-france.net","subjects":["acme.cms-france.net"],"managed":true,"issuer_key":"acme-staging-v02.api.letsencrypt.org-directory","hash":"a6e3457c5513441718d33fed7377bcafd7d4799ca5914c5c4adabb03f3d23d58"}
{"level":"debug","ts":1697124069.1673977,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"34.221.96.183","remote_port":"55936","subjects":["acme.cms-france.net"],"managed":true,"expiration":1704806443,"hash":"a6e3457c5513441718d33fed7377bcafd7d4799ca5914c5c4adabb03f3d23d58"}
{"level":"debug","ts":1697124069.2101216,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/8820317354","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["110325894"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["827"],"Content-Type":["application/json"],"Date":["Thu, 12 Oct 2023 15:21:09 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["HzmSNKzxeZLXSBpy_yQgevRuh3ZQoPKnr1A4CSj5zaThrsiqLo4"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"error","ts":1697124069.2279575,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"acme.cms-france.net","remote_addr":"66.133.109.36:52625","user_agent":"Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)","error":"no information found to solve challenge for identifier: acme.cms-france.net"}
{"level":"error","ts":1697124069.342291,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"acme.cms-france.net","remote_addr":"34.221.96.183:55936","user_agent":"Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)","error":"no information found to solve challenge for identifier: acme.cms-france.net"}
{"level":"debug","ts":1697124069.6131046,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/8820317354","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["110325894"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["827"],"Content-Type":["application/json"],"Date":["Thu, 12 Oct 2023 15:21:09 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["Oaj3whhZgNLaqx2t5WCn8e_SmEMmhrK3822fMOuOLnvW1Qb5wDc"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1697124069.7885487,"logger":"events","msg":"event","name":"tls_get_certificate","id":"0103890d-ada2-48b7-a84e-c337c15b7c76","origin":"tls","data":{"client_hello":{"CipherSuites":[49195,49199,49196,49200,52393,52392,49161,49171,49162,49172,156,157,47,53,49170,10,4865,4866,4867],"ServerName":"acme.cms-france.net","SupportedCurves":[29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[2052,1027,2055,2053,2054,1025,1281,1537,1283,1539,513,515],"SupportedProtos":null,"SupportedVersions":[772,771],"Conn":{}}}}
{"level":"debug","ts":1697124069.7889822,"logger":"tls.handshake","msg":"choosing certificate","identifier":"acme.cms-france.net","num_choices":1}
{"level":"debug","ts":1697124069.7891147,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"acme.cms-france.net","subjects":["acme.cms-france.net"],"managed":true,"issuer_key":"acme-staging-v02.api.letsencrypt.org-directory","hash":"a6e3457c5513441718d33fed7377bcafd7d4799ca5914c5c4adabb03f3d23d58"}
{"level":"debug","ts":1697124069.789225,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"66.133.109.36","remote_port":"32385","subjects":["acme.cms-france.net"],"managed":true,"expiration":1704806443,"hash":"a6e3457c5513441718d33fed7377bcafd7d4799ca5914c5c4adabb03f3d23d58"}
{"level":"error","ts":1697124069.9341,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"acme.cms-france.net","remote_addr":"66.133.109.36:32385","user_agent":"Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)","error":"no information found to solve challenge for identifier: acme.cms-france.net"}
{"level":"debug","ts":1697124070.0180728,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/8820317354","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["110325894"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["827"],"Content-Type":["application/json"],"Date":["Thu, 12 Oct 2023 15:21:09 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["Oaj3whhZarLce3GjCcfxRedCZLDw4r4Z_2oRM97BbQEwWr0vkR4"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1697124070.4227135,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/8820317354","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["110325894"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["1767"],"Content-Type":["application/json"],"Date":["Thu, 12 Oct 2023 15:21:10 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["Oaj3whhZOzX-KsLFeU4obFEWXDFuhcqxxtltNz-6d0ZUoQsTsCw"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"error","ts":1697124070.4228754,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"eva-euvaluersalliance.com","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"The key authorization file from the server did not match this challenge. Expected \"YrGC9yz22v4L-lNBTtdgH1XrURF3gVDvSKqY_deKv7c.NshTIV4HCv2BtJuwr1GAFMXjdQcCzuBmvVCiKwGS10o\" (got \"\")","instance":"","subproblems":[]}}
{"level":"error","ts":1697124070.4229007,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"eva-euvaluersalliance.com","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"The key authorization file from the server did not match this challenge. Expected \"YrGC9yz22v4L-lNBTtdgH1XrURF3gVDvSKqY_deKv7c.NshTIV4HCv2BtJuwr1GAFMXjdQcCzuBmvVCiKwGS10o\" (got \"\")","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/110325894/11534853554","attempt":2,"max_attempts":3}
{"level":"error","ts":1697124070.422922,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"eva-euvaluersalliance.com","issuer":"acme-staging-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:unauthorized - The key authorization file from the server did not match this challenge. Expected \"YrGC9yz22v4L-lNBTtdgH1XrURF3gVDvSKqY_deKv7c.NshTIV4HCv2BtJuwr1GAFMXjdQcCzuBmvVCiKwGS10o\" (got \"\")"}
{"level":"debug","ts":1697124070.4229422,"logger":"events","msg":"event","name":"cert_failed","id":"abfacda2-94ee-4d4d-a166-46af2ddad18a","origin":"tls","data":{"error":{},"identifier":"eva-euvaluersalliance.com","issuers":["acme-staging-v02.api.letsencrypt.org-directory"],"renewal":false}}
{"level":"error","ts":1697124070.422979,"logger":"tls.obtain","msg":"will retry","error":"[eva-euvaluersalliance.com] Obtain: [eva-euvaluersalliance.com] solving challenge: eva-euvaluersalliance.com: [eva-euvaluersalliance.com] authorization failed: HTTP 403 urn:ietf:params:acme:error:unauthorized - The key authorization file from the server did not match this challenge. Expected \"YrGC9yz22v4L-lNBTtdgH1XrURF3gVDvSKqY_deKv7c.NshTIV4HCv2BtJuwr1GAFMXjdQcCzuBmvVCiKwGS10o\" (got \"\") (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":5.887934498,"max_duration":2592000}

3. Caddy version:

v2.7.4 h1:J8nisjdOxnYHXlorUKXY75Gr6iBfudfoGhrJ8t7/flI=

4. How I installed and ran Caddy:

Caddy has been compiled with plugins using xcaddy following the official documentation.

XCaddy is installed from the official repositories:

# Source: Caddy
# Site: https://github.com/caddyserver/xcaddy
# Repository: Caddy / xcaddy
# Description: Build Caddy with plugins (requires Go installed)


deb [signed-by=/usr/share/keyrings/caddy-xcaddy-archive-keyring.gpg] https://dl.cloudsmith.io/public/caddy/xcaddy/deb/debian any-version main

deb-src [signed-by=/usr/share/keyrings/caddy-xcaddy-archive-keyring.gpg] https://dl.cloudsmith.io/public/caddy/xcaddy/deb/debian any-version main

xcaddy build --with github.com/caddy-dns/powerdns --with github.com/mholt/caddy-events-exec

a. System environment:

Ubuntu 22.04, using systemd 249 (249.11-0ubuntu3.10).

b. Command:

systemctl start caddy.service

c. Service/unit/compose file:

Default package provided systemd service file with additional envvars.

[Service]
Environment="CMS_PDNS_API_URL=__REDACTED__"
Environment="CMS_PDNS_API_TOKEN=__REDACTED__"
Environment="VAULT_ADDR=__REDACTED__"

d. My complete Caddy config:

In Caddyfile:

# Global options
# We set default acme_ca to the staging URL as a safeguard
{
        debug

        email infogerance@cms-france.net
        acme_ca https://acme-staging-v02.api.letsencrypt.org/directory

        events {
                on cert_obtained exec /usr/local/bin/caddy-event-push-vault --certificate-path {event.data.certificate_path} --private-key-path {event.data.private_key_path}
        }
}

# Snippets
(acme) {
        tls {
                ca https://acme-v02.api.letsencrypt.org/directory
                dns powerdns {env.CMS_PDNS_API_URL} {env.CMS_PDNS_API_TOKEN}
                resolvers 1.1.1.1 8.8.8.8
        }
}

(acme-staging) {
        tls {
                ca https://acme-staging-v02.api.letsencrypt.org/directory
                dns powerdns {env.CMS_PDNS_API_URL} {env.CMS_PDNS_API_TOKEN}
                resolvers 1.1.1.1 8.8.8.8
        }
}

# Hosts config

import conf.d/*

In conf.d files:

acme.cms-france.net {
        import acme
}

eva-euvaluersalliance.com {
}

5. Links to relevant resources:

Validation via redirection should be possible:

The server SHOULD follow redirects when dereferencing the URL.
Clients might use redirects, for example, so that the response can be
provided by a centralized certificate management server. See
Section 10.2 for security considerations related to redirects.

Welcome @afk

First, I want to suggest that your company get a sponsorship – this will help ensure ongoing development of the server, as well as granting your company access to more private support. We have good relations with clients in France!

A CA’s redirect logic is CA-dependent (i.e. it is not specified in the standard).

Caddy validates the Host header to prevent DNS rebinding attacks. If the Host header sent by the client does not match the domain of the challenge identifier, Caddy will ignore the request.

If we disable this, Caddy would be vulnerable to DNS rebinding attacks.

I’d recommend that CAs preserve the Host header properly (even if they use the redirect to change the resolved host they connect to).

With a sponsorship, this is something we could help pursue for you.

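To make the Host-header check concrete, here is an added example (my own sketch, not Caddy's or CertMagic's code) of a minimal HTTP-01 solver: it computes the key authorization the CA expects (token plus the RFC 7638 thumbprint of the account key) and only answers a validation request whose Host header names an identifier it holds a pending challenge for. The `Http01Solver` class, the `SAMPLE_JWK` values and the `demo` function are constructed for illustration; the token string is the one visible in the log above, and the refusal message mirrors the wording of the error lines in that log.

```python
import base64
import hashlib
import json

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required JWK members only, in
    lexicographic order, with no whitespace. Optional members such as
    'alg' or 'kid' must not influence the result."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(Thumbprint(accountKey)).
    This is the exact body the CA compares against its expected value."""
    return f"{token}.{jwk_thumbprint(jwk)}"


class Http01Solver:
    """Hypothetical solver keyed by identifier, modelled on the behaviour
    described in the reply above (not Caddy's implementation)."""

    def __init__(self):
        self._pending = {}  # identifier -> {token: key authorization}

    def present(self, identifier: str, token: str, account_jwk: dict) -> None:
        self._pending.setdefault(identifier.lower(), {})[token] = \
            key_authorization(token, account_jwk)

    def cleanup(self, identifier: str, token: str) -> None:
        self._pending.get(identifier.lower(), {}).pop(token, None)

    def handle(self, host_header: str, path: str) -> tuple:
        """Answer a validation request. The Host header must name an
        identifier with a pending challenge: this is the check that stops a
        DNS-rebinding client, or a request redirected to another hostname,
        from being served a key authorization issued for a different name."""
        # Assumes a hostname (not an IPv6 literal); drop any :port suffix.
        host = host_header.split(":", 1)[0].lower()
        if not path.startswith(CHALLENGE_PREFIX):
            return 404, ""
        token = path[len(CHALLENGE_PREFIX):]
        pending = self._pending.get(host)
        if pending is None:
            # Same situation as the "looking up info for HTTP challenge" errors in the log.
            return 404, f"no information found to solve challenge for identifier: {host}"
        keyauth = pending.get(token)
        if keyauth is None:
            return 404, "unknown token"
        return 200, keyauth


# Constructed account key: not a real key, only JWK-shaped input for the
# thumbprint, which hashes the member strings and never parses the curve point.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y",
              "alg": "ES256", "kid": "demo"}
SAMPLE_TOKEN = "YrGC9yz22v4L-lNBTtdgH1XrURF3gVDvSKqY_deKv7c"  # token part from the log above


def demo() -> dict:
    """Replay the flow from the original post against the solver."""
    solver = Http01Solver()
    solver.present("eva-euvaluersalliance.com", SAMPLE_TOKEN, SAMPLE_JWK)
    path = CHALLENGE_PREFIX + SAMPLE_TOKEN
    return {
        # Request carrying the challenge's own hostname: answered.
        "direct": solver.handle("eva-euvaluersalliance.com", path),
        # Same token, but arriving with the central host's name after the 302: refused.
        "redirected": solver.handle("acme.cms-france.net", path),
        # Case and port differences in Host are tolerated.
        "with_port": solver.handle("EVA-euvaluersalliance.com:80", path),
    }


if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print(f"{name:10} -> {status} {body}")
```

Running it shows the "direct" request returning 200 with the key authorization and the "redirected" one returning 404, which is the same outcome the log records: the validator reached acme.cms-france.net with a Host header of acme.cms-france.net, so the solver had nothing to serve and the CA saw an empty body. The check is deliberately on the Host header rather than on the connection's destination address, because under DNS rebinding the address is exactly the thing the attacker controls.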

Hi Matt, thanks for answering so quickly!

I’ll definitely pass on the message to the people concerned with providers/sponsorships. Unfortunately, I’m just a technical engineer there and don’t have any say in this matter. As of now, Caddy is only used for this small project which started a few weeks ago.

I’ll surely consider a personal donation though. I’m using caddy on my private server and I’m really happy with it!

Ok, thanks for the explanation. This is understandable.

I’ll find another way to do validation, either proxy the challenge request or ask the client for a DNS CNAME to a domain we control.

Thank you for all your open-source work and congratulations on becoming a dad!


Thank you!

One other thought that could simplify things – have you considered replacing HAProxy with Caddy? That way you won’t have to deal with the redirects or proxying at all.

Yes, technically we could in this case.

However, we manage lots of different systems, including legacy servers, appliances, etc. And we also need to deploy traditional certificates provided by our clients for some domains, mixed with Let’s Encrypt certs for others.

It is a lot easier for us to manage the complexity by centralising certificate management and deployment rather than letting each proxy / web server manage its own certs and script edge cases locally.

I’d gladly replace apache/nginx where possible though even without the automatic cert management.


Oh, Caddy is good at both of those :smiley:

Just wanted to let you know.

And to clarify, Caddy is precisely how you can simplify your infrastructure and centralize your cert management.

Maybe we should set up a call sometime to talk about what’s possible for your business. I feel like our current website/docs understate what is possible with Caddy.

