1. Caddy version (caddy version
):
v2.4.3 h1:Y1FaV2N4WO3rBqxSYA8UZsZTQdN+PwcoOcAiZTM8C0I=
(Built with xcaddy + Redis.)
2. How I run Caddy:
caddy start
a. System environment:
Debian 10. 16 GB memory.
b. Command:
sudo ./caddy start
c. Service/unit/compose file:
n/a
d. My complete Caddyfile or JSON config:
I’ve redacted a couple bits of semi-sensitive info with “…”.
{
on_demand_tls {
ask https://micro.blog/pages/ssl/check
interval 2m
burst 100
}
acme_ca https://acme.zerossl.com/v2/DV90
email ...
storage redis {
host "..."
port 9000
password ""
db 1
}
log {
output file /var/log/caddy-main.log {
roll_keep_for 5d
}
format console
}
}
:443 {
tls {
on_demand
issuer zerossl ABCDEFGHIJK {
disable_tlsalpn_challenge
}
}
root * /home/web/sites/{host}
file_server
log {
output file /var/log/caddy-access.log {
roll_keep_for 5d
}
format console
}
handle_errors {
@502 {
expression {http.error.status_code} == 502
}
handle @502 {
rewrite * 502.html
file_server
}
handle {
# we do this to route 404s back to our web app for special handling
rewrite * /pages/migration/redirect{path}?domain={host}
reverse_proxy micro.blog {
header_up Host micro.blog
}
}
}
}
3. The problem I’m having:
Hi! I run Micro.blog, a blog hosting service, and we’ve been migrating from Nginx to Caddy. My approach has been to use a load balancer (on Linode) to direct all port 80 traffic and a small percentage of port 443 traffic to Caddy, to slowly ramp up the HTTPS certificates in Caddy.
For the most part, this has worked wonderfully, but there are some custom domains from our customers that aren’t successfully getting new HTTPS certificates. Most of the problem seems to be from domain names routed through Cloudflare. I’ve read all the forum posts about this and have continued to tweak my Caddyfile, but still don’t have a solution that works all the time. The domains that fail, repeatedly fail.
These errors show up in the Caddy log with “could not get certificate from issuer” and “context deadline exceeded”.
Note that we don’t have any control over Cloudflare for these domains. I thought that forcing port 80 authentication would solve this, but no luck. Thanks in advance for any suggestions!
4. Error messages and/or full log output:
I’ve redacted the domain name to “example.com” here because I don’t want to share our customers’ domain names. There’s nothing special about the domain name other than it is pointed to Cloudflare DNS.
1.629637776267173e+09 info tls.on_demand obtaining new certificate {"server_name": "example.com"}
1.6296377762703438e+09 info tls.obtain acquiring lock {"identifier": "example.com"}
1.6296377762708578e+09 info tls.obtain lock acquired {"identifier": "example.com"}
1.629637776272935e+09 info tls.issuance.acme waiting on internal rate limiter {"identifiers": ["example.com"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "admin@micro.blog"}
1.6296377762729974e+09 info tls.issuance.acme done waiting on internal rate limiter {"identifiers": ["example.com"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "admin@micro.blog"}
1.6296377767547162e+09 info tls.issuance.acme.acme_client trying to solve challenge {"identifier": "example.com", "challenge_type": "http-01", "ca": "https://acme.zerossl.com/v2/DV90"}
1.6296378662696438e+09 error tls.issuance.acme.acme_client deactivating authorization {"identifier": "example.com", "authz": "https://acme.zerossl.com/v2/DV90/authz/Bigx1fMATvYx9AnXWx5RYw", "error": "request to https://acme.zerossl.com/v2/DV90/authz/Bigx1fMATvYx9AnXWx5RYw failed after 1 attempts: context deadline exceeded"}
1.6296378662697086e+09 error tls.obtain could not get certificate from issuer {"identifier": "example.com", "issuer": "acme.zerossl.com-v2-DV90", "error": "[example.com] solving challenges: [example.com] context deadline exceeded (order=https://acme.zerossl.com/v2/DV90/order/vICNCQMlEyXQ8JSnFIUyuw) (ca=https://acme.zerossl.com/v2/DV90)"}
1.6296378662697346e+09 error tls.obtain will retry {"error": "[example.com] Obtain: [example.com] solving challenges: [example.com] context deadline exceeded (order=https://acme.zerossl.com/v2/DV90/order/vICNCQMlEyXQ8JSnFIUyuw) (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 1, "retrying_in": 60, "elapsed": 89.998822121, "max_duration": 2592000}
1.6296378662697573e+09 info tls.obtain releasing lock {"identifier": "example.com"}
5. What I already tried:
- Added
ask
in Caddyfile. - Changed config to only use ZeroSSL. We were getting rate-limited by Let’s Encrypt.
- Added a ZeroSSL API key.
- Routed all port 80 to Caddy.
- Tried 100% of port 443 to Caddy or 5%.
- Disabled TLS-ALPN.
6. Links to relevant resources:
n/a