HTTP/400 Error received after changing from acme_dns global option to tls directive

1. The problem I’m having:

Hello all,

I’m trying to get Caddy up and running with a wildcard certificate through the DNS challenge to allow for it to be a reverse proxy internally on my network and make things a bit nicer when I’m on Tailscale remotely. Previously I was using the acme_dns global option (commented out in my Caddyfile); however, it was timing out while waiting for the record propagation, so I switched to using the tls directive instead and fed it Quad9 as a resolver, as I have Technitium operating as my DNS server on the network, and it’s pointing back at the Caddy server itself in anticipation of it working, with an A record for the domain itself and CNAME records set up for all the subdomains I have listed in the Caddyfile.

After the change from global option to directive, the logs appear to be showing that Caddy now cannot actually place the DNS challenge record with my registrar (Namesilo), with an HTTP/400 error. I just reissued a new API token this morning and replaced it in my .env file, so it’s up to date and should be working. Is there an issue with my tls directive, or some issue elsewhere with my setup? I’d like to avoid exposing/forwarding ports if I can; I want to keep this rather isolated if feasible.

2. Error messages and/or full log output:

{"level":"info","ts":1723471655.2210047,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
{"level":"info","ts":1723471655.2344685,"msg":"adapted config to JSON","adapter":"caddyfile"}
{"level":"warn","ts":1723471655.2347314,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":3}
{"level":"info","ts":1723471655.2388623,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1723471655.2392488,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0003e9d00"}
{"level":"info","ts":1723471655.239563,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1723471655.2461364,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1723471655.2546184,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"info","ts":1723471655.2547846,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 7168 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
{"level":"info","ts":1723471655.2820082,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"info","ts":1723471655.2935047,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1723471655.2935338,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["*.hermnet.org"]}
{"level":"info","ts":1723471655.2938173,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1723471655.2938337,"msg":"serving initial configuration"}
{"level":"info","ts":1723471655.2941442,"logger":"tls.obtain","msg":"acquiring lock","identifier":"*.hermnet.org"}
{"level":"info","ts":1723471655.2988243,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/data/caddy","instance":"f19ca2e2-900c-4592-b4ca-8d854e9ffae6","try_again":1723558055.298815,"try_again_in":86399.999999314}
{"level":"info","ts":1723471655.298946,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1723471655.40907,"logger":"tls.obtain","msg":"lock acquired","identifier":"*.hermnet.org"}
{"level":"info","ts":1723471655.409277,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"*.hermnet.org"}
{"level":"info","ts":1723471655.420125,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["*.hermnet.org"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"certificates@hermnet.org"}
{"level":"info","ts":1723471655.4201841,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["*.hermnet.org"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"certificates@hermnet.org"}
{"level":"info","ts":1723471655.4202483,"logger":"tls.issuance.acme","msg":"using ACME account","account_id":"https://acme-v02.api.letsencrypt.org/acme/acct/1887056136","account_contact":["mailto:certificates@hermnet.org"]}
{"level":"info","ts":1723471656.8095036,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"*.hermnet.org","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1723471668.344679,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"*.hermnet.org","challenge_type":"dns-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up TXT for _acme-challenge.hermnet.org - check that a DNS record exists for this domain","instance":"","subproblems":[]}}
{"level":"error","ts":1723471668.344839,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"*.hermnet.org","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up TXT for _acme-challenge.hermnet.org - check that a DNS record exists for this domain","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1887056136/295649641826","attempt":1,"max_attempts":3}
{"level":"error","ts":1723471668.3449442,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.hermnet.org","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: NXDOMAIN looking up TXT for _acme-challenge.hermnet.org - check that a DNS record exists for this domain"}
{"level":"error","ts":1723471668.345086,"logger":"tls.obtain","msg":"will retry","error":"[*.hermnet.org] Obtain: [*.hermnet.org] solving challenge: *.hermnet.org: [*.hermnet.org] authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: NXDOMAIN looking up TXT for _acme-challenge.hermnet.org - check that a DNS record exists for this domain (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":12.935936235,"max_duration":2592000}
{"level":"info","ts":1723471728.3474252,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"*.hermnet.org"}
{"level":"info","ts":1723471728.348348,"logger":"tls.issuance.acme","msg":"using ACME account","account_id":"https://acme-staging-v02.api.letsencrypt.org/acme/acct/159090673","account_contact":["mailto:certificates@hermnet.org"]}
{"level":"info","ts":1723471729.2994294,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"*.hermnet.org","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1723471740.2394154,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"*.hermnet.org","challenge_type":"dns-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up TXT for _acme-challenge.hermnet.org - check that a DNS record exists for this domain","instance":"","subproblems":[]}}
{"level":"error","ts":1723471740.2395508,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"*.hermnet.org","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up TXT for _acme-challenge.hermnet.org - check that a DNS record exists for this domain","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/159090673/18367562143","attempt":1,"max_attempts":3}
{"level":"error","ts":1723471740.239645,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.hermnet.org","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: NXDOMAIN looking up TXT for _acme-challenge.hermnet.org - check that a DNS record exists for this domain"}
{"level":"error","ts":1723471740.2398028,"logger":"tls.obtain","msg":"will retry","error":"[*.hermnet.org] Obtain: [*.hermnet.org] solving challenge: *.hermnet.org: [*.hermnet.org] authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: NXDOMAIN looking up TXT for _acme-challenge.hermnet.org - check that a DNS record exists for this domain (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":2,"retrying_in":120,"elapsed":84.830652777,"max_duration":2592000}
{"level":"info","ts":1723471860.242474,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"*.hermnet.org"}
{"level":"info","ts":1723471860.243069,"logger":"tls.issuance.acme","msg":"using ACME account","account_id":"https://acme-staging-v02.api.letsencrypt.org/acme/acct/159090673","account_contact":["mailto:certificates@hermnet.org"]}
{"level":"info","ts":1723471860.6415124,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"*.hermnet.org","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1723471871.6830816,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"*.hermnet.org","challenge_type":"dns-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up TXT for _acme-challenge.hermnet.org - check that a DNS record exists for this domain","instance":"","subproblems":[]}}
{"level":"error","ts":1723471871.6832235,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"*.hermnet.org","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up TXT for _acme-challenge.hermnet.org - check that a DNS record exists for this domain","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/159090673/18367597613","attempt":1,"max_attempts":3}
{"level":"error","ts":1723471871.683271,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.hermnet.org","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: NXDOMAIN looking up TXT for _acme-challenge.hermnet.org - check that a DNS record exists for this domain"}
{"level":"error","ts":1723471871.6833751,"logger":"tls.obtain","msg":"will retry","error":"[*.hermnet.org] Obtain: [*.hermnet.org] solving challenge: *.hermnet.org: [*.hermnet.org] authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: NXDOMAIN looking up TXT for _acme-challenge.hermnet.org - check that a DNS record exists for this domain (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":3,"retrying_in":120,"elapsed":216.274225456,"max_duration":2592000}
{"level":"info","ts":1723471991.6870887,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"*.hermnet.org"}
{"level":"info","ts":1723471991.6879714,"logger":"tls.issuance.acme","msg":"using ACME account","account_id":"https://acme-staging-v02.api.letsencrypt.org/acme/acct/159090673","account_contact":["mailto:certificates@hermnet.org"]}
{"level":"info","ts":1723471992.0073411,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"*.hermnet.org","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1723472003.087248,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"*.hermnet.org","challenge_type":"dns-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up TXT for _acme-challenge.hermnet.org - check that a DNS record exists for this domain","instance":"","subproblems":[]}}
{"level":"error","ts":1723472003.0873575,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"*.hermnet.org","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up TXT for _acme-challenge.hermnet.org - check that a DNS record exists for this domain","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/159090673/18367635023","attempt":1,"max_attempts":3}
{"level":"error","ts":1723472003.087397,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.hermnet.org","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: NXDOMAIN looking up TXT for _acme-challenge.hermnet.org - check that a DNS record exists for this domain"}
{"level":"error","ts":1723472003.087474,"logger":"tls.obtain","msg":"will retry","error":"[*.hermnet.org] Obtain: [*.hermnet.org] solving challenge: *.hermnet.org: [*.hermnet.org] authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: NXDOMAIN looking up TXT for _acme-challenge.hermnet.org - check that a DNS record exists for this domain (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":4,"retrying_in":300,"elapsed":347.6783249,"max_duration":2592000}
{"level":"info","ts":1723472303.0886636,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"*.hermnet.org"}
{"level":"info","ts":1723472303.0898333,"logger":"tls.issuance.acme","msg":"using ACME account","account_id":"https://acme-staging-v02.api.letsencrypt.org/acme/acct/159090673","account_contact":["mailto:certificates@hermnet.org"]}
{"level":"info","ts":1723472303.8862467,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"*.hermnet.org","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1723472314.9992726,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"*.hermnet.org","challenge_type":"dns-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up TXT for _acme-challenge.hermnet.org - check that a DNS record exists for this domain","instance":"","subproblems":[]}}
{"level":"error","ts":1723472314.9993832,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"*.hermnet.org","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up TXT for _acme-challenge.hermnet.org - check that a DNS record exists for this domain","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/159090673/18367711753","attempt":1,"max_attempts":3}
{"level":"error","ts":1723472314.9994605,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.hermnet.org","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: NXDOMAIN looking up TXT for _acme-challenge.hermnet.org - check that a DNS record exists for this domain"}
{"level":"error","ts":1723472314.9995546,"logger":"tls.obtain","msg":"will retry","error":"[*.hermnet.org] Obtain: [*.hermnet.org] solving challenge: *.hermnet.org: [*.hermnet.org] authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: NXDOMAIN looking up TXT for _acme-challenge.hermnet.org - check that a DNS record exists for this domain (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":5,"retrying_in":600,"elapsed":659.590403945,"max_duration":2592000}

3. Caddy version:

v2.8.4

4. How I installed and ran Caddy:

a. System environment:

Kubuntu 24.04 via Docker

b. Command:

docker compose up -d

c. Service/unit/compose file:

  caddy:
    build: ./dockerfile-caddy
    container_name: caddy
    hostname: caddy
    env_file: .env
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      #- ./site:/srv
      - ./caddy_data:/data
      - ./caddy_config:/config

Dockerfile used to build my Caddy image

FROM caddy:2.8.4-builder AS builder
RUN xcaddy build --with github.com/caddy-dns/namesilo

FROM caddy:2.8.4

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

d. My complete Caddy config:

My domain is within the .env file and so is hidden within the Caddyfile; it’s hermnet.org.

# Global options. Includes email, and ACME challenge details
{
    log log-main {
        format json
        output file /data/logs/caddy_access.log {
            roll_size 20mb
            roll_keep 10
            roll_keep_for 365d
        }
    }

    email certificates@hermnet.org
    #acme_dns namesilo {$NAMESILO_API_TOKEN}
}

# Site block. Used for, theoretically, grabbing a cert and controlling all things for the reverse proxy related to the subdomains.
*.hermnet.org {
    log {
        format json
        output file /data/logs/caddy_access.log {
            roll_size 20mb
            roll_keep 10
            roll_keep_for 365d
        }
    }

    tls {
        issuer acme {
            dns namesilo {$NAMESILO_API_TOKEN}
            propagation_delay 10s
            propagation_timeout -1
            resolvers 9.9.9.9
        }

        #issuer zerossl {
        #    dns namesilo {$NAMESILO_API_TOKEN}
        #    propagation_delay 10s
        #    propagation_timeout -1
        #    resolvers 9.9.9.9
        #}
    }

    # The next three upstreams present self-signed certificates, so
    # tls_insecure_skip_verify disables certificate verification for those hops.
    # That only holds up while the LAN between Caddy and the upstream is trusted.
    @pve host pve.{$MY_DOMAIN}
    handle @pve {
        reverse_proxy https://192.168.1.41:8006 {
            transport http {
                tls
                tls_insecure_skip_verify
            }
        }
    }

    @pbs host pbs.{$MY_DOMAIN}
    handle @pbs {
        reverse_proxy https://192.168.2.212:8007 {
            transport http {
                tls
                tls_insecure_skip_verify
            }
        }
    }

    @opnsense host opnsense.{$MY_DOMAIN}
    handle @opnsense {
        reverse_proxy https://192.168.1.47 {
            transport http {
                tls
                tls_insecure_skip_verify
            }
        }
    }

    @omv host omv.{$MY_DOMAIN}
    handle @omv {
        reverse_proxy 192.168.2.188:80
    }

    # Was {MY_DOMAIN}: without the $ the Caddyfile does not expand the .env value,
    # so the host matcher would never match.
    @technitium host technitium.{$MY_DOMAIN}
    handle @technitium {
        reverse_proxy 192.168.2.189:53443
    }

    # reverse_proxy upstream addresses cannot carry a path (was 192.168.1.77/admin);
    # prefix the request path with a rewrite instead. Assumes the app on this host
    # is served under /admin.
    @pi host pi.{$MY_DOMAIN}
    handle @pi {
        rewrite * /admin{uri}
        reverse_proxy 192.168.1.77
    }

    # Same fix as above (was 192.168.2.205:8080/openbooks/).
    @openbooks host openbooks.{$MY_DOMAIN}
    handle @openbooks {
        rewrite * /openbooks{uri}
        reverse_proxy 192.168.2.205:8080
    }

    handle {
        abort
    }
}

5. Links to relevant resources:

Howdy @RockBrackenshield, welcome to the Caddy community.

It looks like you’ve disabled propagation checks entirely:

  • propagation_timeout is a duration value that sets the maximum time to wait for the DNS TXT records to appear when using the DNS challenge. Set to -1 to disable propagation checks. Default 2 minutes.
  • propagation_delay is a duration value that sets how long to wait before starting DNS TXT records propagation checks when using the DNS challenge. Default 0 (no wait).

tls (Caddyfile directive) — Caddy Documentation

Based on the behaviour in the logs, it seems like this setup simply has Caddy wait 10 seconds and then trigger the LetsEncrypt challenge, without actually checking to ensure the TXT record has propagated yet at all.

Evidently, it seems like ten seconds is too short for an API call to NameSilo to produce a publicly observable TXT record, because LetsEncrypt is telling you:

HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: NXDOMAIN looking up TXT for _acme-challenge.hermnet.org - check that a DNS record exists for this domain

Indeed, if Caddy was previously waiting the full default 2 minutes and couldn’t see the record propagated, I’m not sure how waiting just 10 seconds would have a better result.

You probably would’ve needed to wait longer, rather than pulling the trigger much much much earlier, if NameSilo’s API is that slow.

1 Like

Ahh, okay, thank you! I had misinterpreted that; I for some reason had it in my head that setting the propagation_timeout to -1 would put no maximum timeout rather than disable it entirely. NameSilo’s mentioned they push every 15 minutes, but I had trouble with that before on different reverse proxies… I’ll set it to 20 minutes and give that a shot. Thank you!

1 Like

Well, it was certainly better, but it still appears to have failed. In the logs there was mention of it successfully downloading certificate chains, but ultimately it mentions it fails, again for timing out. I’ll expand the timeframe again, maybe a full hour, but is there anything else in here that may need attention?

Edit: Hey hey, looks like it worked! It was able to download the chains and obtain the certificate, and it looks like it worked out well with handling the reverse proxy. Thanks for your help!

{"level":"info","ts":1723545122.2529387,"msg":"adapted config to JSON","adapter":"caddyfile"}
{"level":"warn","ts":1723545122.2529583,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":3}
{"level":"info","ts":1723545122.254656,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1723545122.2549353,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1723545122.2550826,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1723545122.2550871,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00012ef80"}
{"level":"info","ts":1723545122.256372,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"info","ts":1723545122.2565098,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 7168 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
{"level":"info","ts":1723545122.2567747,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"info","ts":1723545122.2569067,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1723545122.2569647,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["*.hermnet.org"]}
{"level":"info","ts":1723545122.257248,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1723545122.2572613,"msg":"serving initial configuration"}
{"level":"info","ts":1723545122.2574723,"logger":"tls.obtain","msg":"acquiring lock","identifier":"*.hermnet.org"}
{"level":"info","ts":1723545122.2814474,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/data/caddy","instance":"f19ca2e2-900c-4592-b4ca-8d854e9ffae6","try_again":1723631522.2814412,"try_again_in":86399.999999393}
{"level":"info","ts":1723545122.2869508,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1723545122.2927725,"logger":"tls.obtain","msg":"lock acquired","identifier":"*.hermnet.org"}
{"level":"info","ts":1723545122.2930562,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"*.hermnet.org"}
{"level":"info","ts":1723545122.2937448,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["*.hermnet.org"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"certificates@hermnet.org"}
{"level":"info","ts":1723545122.293777,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["*.hermnet.org"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"certificates@hermnet.org"}
{"level":"info","ts":1723545122.2937975,"logger":"tls.issuance.acme","msg":"using ACME account","account_id":"https://acme-v02.api.letsencrypt.org/acme/acct/1887056136","account_contact":["mailto:certificates@hermnet.org"]}
{"level":"info","ts":1723545123.3864896,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"*.hermnet.org","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1723546325.3829002,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.hermnet.org","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[*.hermnet.org] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-v02.api.letsencrypt.org/acme/order/1887056136/295891549656) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
{"level":"error","ts":1723546325.3831117,"logger":"tls.obtain","msg":"will retry","error":"[*.hermnet.org] Obtain: [*.hermnet.org] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-v02.api.letsencrypt.org/acme/order/1887056136/295891549656) (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":1203.090293676,"max_duration":2592000}
{"level":"info","ts":1723546385.3858953,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"*.hermnet.org"}
{"level":"info","ts":1723546385.386794,"logger":"tls.issuance.acme","msg":"using ACME account","account_id":"https://acme-staging-v02.api.letsencrypt.org/acme/acct/159090673","account_contact":["mailto:certificates@hermnet.org"]}
{"level":"info","ts":1723546386.218982,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"*.hermnet.org","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"info","ts":1723547060.1048017,"logger":"tls.issuance.acme.acme_client","msg":"authorization finalized","identifier":"*.hermnet.org","authz_status":"valid"}
{"level":"info","ts":1723547060.1049411,"logger":"tls.issuance.acme.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/159090673/18385855063"}
{"level":"info","ts":1723547063.5180879,"logger":"tls.issuance.acme.acme_client","msg":"got renewal info","names":["*.hermnet.org"],"window_start":1728642319.3333333,"window_end":1728815119.3333333,"selected_time":1728793793,"recheck_after":1723568663.518076,"explanation_url":""}
{"level":"info","ts":1723547063.7251582,"logger":"tls.issuance.acme.acme_client","msg":"got renewal info","names":["*.hermnet.org"],"window_start":1728642319.3333333,"window_end":1728815119.3333333,"selected_time":1728761067,"recheck_after":1723568663.725152,"explanation_url":""}
{"level":"info","ts":1723547063.725369,"logger":"tls.issuance.acme.acme_client","msg":"successfully downloaded available certificate chains","count":2,"first_url":"https://acme-staging-v02.api.letsencrypt.org/acme/cert/2bd7d02ff79a8ace672d2a753487058aad42"}
{"level":"info","ts":1723547063.7259133,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["*.hermnet.org"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"certificates@hermnet.org"}
{"level":"info","ts":1723547063.7259977,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["*.hermnet.org"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"certificates@hermnet.org"}
{"level":"info","ts":1723547063.726037,"logger":"tls.issuance.acme","msg":"using ACME account","account_id":"https://acme-v02.api.letsencrypt.org/acme/acct/1887056136","account_contact":["mailto:certificates@hermnet.org"]}
{"level":"info","ts":1723547064.5207365,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"*.hermnet.org","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1723548266.9359763,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.hermnet.org","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[*.hermnet.org] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-v02.api.letsencrypt.org/acme/order/1887056136/295897619266) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
{"level":"info","ts":1723548266.9361584,"logger":"tls.obtain","msg":"releasing lock","identifier":"*.hermnet.org"}
{"level":"error","ts":1723548266.9363883,"logger":"tls","msg":"job failed","error":"*.hermnet.org: obtaining certificate: [*.hermnet.org] Obtain: [*.hermnet.org] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-v02.api.letsencrypt.org/acme/order/1887056136/295897619266) (ca=https://acme-v02.api.letsencrypt.org/directory)"}

The logs tell a bit of an unlucky story.

First attempt via production endpoint (acme-v02.api) failed. Timestamp differential of ~1202 seconds (20 minutes) waiting for propagation. Caddy will retry shortly.

Second attempt, this time via the staging endpoint (acme-staging-v02.api). This succeeded with a timestamp differential of ~674 seconds (~11m 14s). These certs aren’t valid, but since it worked, Caddy realises it’s good to try again for the production endpoint.

Attempt the third, back on the production endpoint. Another 20 minutes waiting and no propagation.

I feel like NameSilo might be letting you down, here.

1 Like

Wow. It really only updates records every 15 minutes? That’s awful. Yeah if I were you I’d look to switch DNS providers ASAP. Big yikes. There’s really no reason it shouldn’t be near-immediate.

2 Likes

Changing’s my plan, but the namesilo module getting updated was enough to keep me with them for now. I’m still looking through other providers; I’ve heard Porkbun is really good and I think it’s at the top of my list at the moment, but haven’t committed to any in particular yet.

Porkbun just uses Cloudflare for DNS: porkbun.com | Free DNS Powered by Cloudflare

You don’t really need to change registrar if you’re happy with current pricing, just changing the nameserver should be plenty. You might as well use Cloudflare directly; no need to use their orange cloud, you can just take advantage of their free DNS. I use it pretty extensively, and their API updates reflect pretty much instantly across their DNS clusters.

3 Likes

Ahh, okay, I thought I had to change the registrar to change things like that. Okay, great! I’ve got the nameserver change pending with Cloudflare and the records moved over.

To confirm, for the caddy certificates, I would need to rebuild caddy using Cloudflare instead of Namesilo, and rewrite the Caddyfile to reference Cloudflare instead of Namesilo with this change, correct? Since Cloudflare is handling the DNS records now (as I understand it?)

Yeah, that’s pretty much exactly right.

Have a look at GitHub - caddy-dns/cloudflare: Caddy module: dns.providers.cloudflare, there’s instructions on exactly how to spit out the right Cloudflare token to put in your Caddyfile.

3 Likes
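As an added example (not the thread’s own config), here is the issuer block with the propagation checks restored, covering both the propagation fix explained earlier in the thread and the provider change discussed just above. The NameSilo lines and the 20m timeout are the values the thread used; the Cloudflare variant assumes the image was rebuilt with `xcaddy build --with github.com/caddy-dns/cloudflare` and that the token is exported from .env as CLOUDFLARE_API_TOKEN (an assumed variable name). Only one tls block may be active at a time, so the Cloudflare one is commented out.

```caddyfile
*.hermnet.org {
    tls {
        issuer acme {
            dns namesilo {$NAMESILO_API_TOKEN}

            # Before (the thread's original): -1 disables the propagation check
            # entirely, so Caddy waits 10s and then asks Let's Encrypt to validate,
            # which answered NXDOMAIN for _acme-challenge.hermnet.org.
            #propagation_delay 10s
            #propagation_timeout -1

            # After: poll the resolver below for the TXT record and only hand the
            # challenge to the CA once it is visible there; give up after 20m, which
            # covers NameSilo's 15-minute push interval with some headroom.
            propagation_delay 10s
            propagation_timeout 20m
            resolvers 9.9.9.9
        }
    }

    # Once the zone is served by Cloudflare, the only change on the Caddy side is
    # the provider line (plus rebuilding the image with the cloudflare module).
    # CLOUDFLARE_API_TOKEN is an assumed name for a token limited to DNS edits on
    # this zone; Cloudflare's API reflects changes quickly, so the default 2m
    # timeout is enough.
    #tls {
    #    issuer acme {
    #        dns cloudflare {$CLOUDFLARE_API_TOKEN}
    #        propagation_delay 10s
    #        propagation_timeout 2m
    #        resolvers 9.9.9.9
    #    }
    #}

    # reverse_proxy handlers unchanged from the Caddyfile earlier in the thread
}
```

Keeping `resolvers` pointed at a public resolver matters here: the propagation check should ask the same kind of resolver the CA will, not the internal Technitium server that already points back at Caddy.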

Fantastic, thanks for that confirmation! It’ll be good to have records updating more quickly rather than fighting that timer for sure.

2 Likes
