1. Caddy version (caddy version):
v2.1.1 h1:X9k1+ehZPYYrSqBvf/ocUgdLSRIuiNiMo7CvyGUQKeA=
2. How I run Caddy:
a. System environment:
Raspberry Pi OS May 27th
systemd
b. Command:
sudo systemctl start caddy
c. Service/unit/compose file:
caddy.service
[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target
[Service]
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
d. My complete Caddyfile or JSON config:
192.168.1.7, 100.36.30.171:1996, nizar.cf:1996 {
    encode gzip
    redir /cloud /cloud/
    redir /cloud/.well-known/caldav /cloud/remote.php/dav 301
    redir /cloud/.well-known/carddav /cloud/remote.php/dav 301
    # rewrite /cloud/index.php/* /cloud/index.php?{query}
    route /cloud/* {
        root * /var/www
        php_fastcgi unix//run/php/php7.3-fpm.sock
        file_server
    }
    redir /bitw /bitwarden/
    redir /bitw/ /bitwarden/
    redir /bitwarden /bitwarden/
    reverse_proxy /bitwarden/* localhost:3401
    redir /rss /miniflux/
    redir /rss/ /miniflux/
    redir /miniflux /miniflux/
    reverse_proxy /miniflux/* unix//run/miniflux/miniflux.sock
}
I also tried changing nizar.cf:1996 to just nizar.cf
3. The problem I’m having:
I cannot access my server using the domain name. From the logs, it looks like the issue is coming from TLS certificate authorization, but I cannot understand exactly what happened. It looks like I somehow reached the limit of Let’s Encrypt too. Does this mean I cannot try this again for a week?
4. Error messages and/or full log output:
Jul 25 20:29:11 raspberrypi systemd[1]: Started Caddy.
Jul 25 20:29:11 raspberrypi caddy[26273]: caddy.HomeDir=/var/lib/caddy
Jul 25 20:29:11 raspberrypi caddy[26273]: caddy.AppDataDir=/var/lib/caddy/.local/share/caddy
Jul 25 20:29:11 raspberrypi caddy[26273]: caddy.AppConfigDir=/var/lib/caddy/.config/caddy
Jul 25 20:29:11 raspberrypi caddy[26273]: caddy.ConfigAutosavePath=/var/lib/caddy/.config/caddy/autosave.json
Jul 25 20:29:11 raspberrypi caddy[26273]: runtime.GOOS=linux
Jul 25 20:29:11 raspberrypi caddy[26273]: runtime.GOARCH=arm
Jul 25 20:29:11 raspberrypi caddy[26273]: runtime.Compiler=gc
Jul 25 20:29:11 raspberrypi caddy[26273]: runtime.NumCPU=4
Jul 25 20:29:11 raspberrypi caddy[26273]: runtime.GOMAXPROCS=4
Jul 25 20:29:11 raspberrypi caddy[26273]: runtime.Version=go1.14.4
Jul 25 20:29:11 raspberrypi caddy[26273]: os.Getwd=/
Jul 25 20:29:11 raspberrypi caddy[26273]: LANG=en_GB.UTF-8
Jul 25 20:29:11 raspberrypi caddy[26273]: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Jul 25 20:29:11 raspberrypi caddy[26273]: HOME=/var/lib/caddy
Jul 25 20:29:11 raspberrypi caddy[26273]: LOGNAME=caddy
Jul 25 20:29:11 raspberrypi caddy[26273]: USER=caddy
Jul 25 20:29:11 raspberrypi caddy[26273]: INVOCATION_ID=0b9a6dff2b724e6f8f2d368265ff34b4
Jul 25 20:29:11 raspberrypi caddy[26273]: JOURNAL_STREAM=8:180697
Jul 25 20:29:11 raspberrypi caddy[26273]: {"level":"info","ts":1595705351.3250854,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Jul 25 20:29:11 raspberrypi caddy[26273]: {"level":"info","ts":1595705351.3331683,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
Jul 25 20:29:11 raspberrypi caddy[26273]: {"level":"info","ts":1595705351.3338196,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
Jul 25 20:29:11 raspberrypi caddy[26273]: {"level":"info","ts":1595705351.3338912,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
Jul 25 20:29:11 raspberrypi caddy[26273]: 2020/07/25 20:29:11 [INFO][cache:0x3a052c0] Started certificate maintenance routine
Jul 25 20:29:11 raspberrypi caddy[26273]: {"level":"info","ts":1595705351.3369493,"logger":"tls","msg":"setting internal issuer for automation policy that has only internal subjects but no issuer configured","subjects":["192.168.1.7","100.36.30.171"]}
Jul 25 20:29:11 raspberrypi caddy[26273]: {"level":"info","ts":1595705351.3434038,"logger":"tls","msg":"cleaned up storage units"}
Jul 25 20:29:11 raspberrypi caddy[26273]: {"level":"warn","ts":1595705351.4740827,"logger":"pki.ca.local","msg":"installing root certificate (you might be prompted for password)","path":"storage:pki/authorities/local/root.crt"}
Jul 25 20:29:11 raspberrypi caddy[26273]: 2020/07/25 20:29:11 Warning: "certutil" is not available, install "certutil" with "apt install libnss3-tools" or "yum install nss-tools" and try again
Jul 25 20:29:11 raspberrypi caddy[26273]: 2020/07/25 20:29:11 define JAVA_HOME environment variable to use the Java trust
Jul 25 20:29:11 raspberrypi sudo[26285]: pam_unix(sudo:auth): conversation failed
Jul 25 20:29:11 raspberrypi sudo[26285]: pam_unix(sudo:auth): auth could not identify password for [caddy]
Jul 25 20:29:11 raspberrypi sudo[26285]: caddy : user NOT in sudoers ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/tee /usr/local/share/ca-certificates/Caddy_Local_Authority_-_2020_ECC_Root_319666144580785802039522281007369208486.crt
Jul 25 20:29:11 raspberrypi caddy[26273]: {"level":"error","ts":1595705351.504455,"logger":"pki.ca.local","msg":"failed to install root certificate","error":"failed to execute sudo: exit status 1","certificate_file":"storage:pki/authorities/local/root.crt"}
Jul 25 20:29:11 raspberrypi caddy[26273]: {"level":"info","ts":1595705351.5050778,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["192.168.1.7","100.36.30.171","nizar.cf"]}
Jul 25 20:29:11 raspberrypi caddy[26273]: 2020/07/25 20:29:11 [WARNING] Stapling OCSP: no OCSP stapling for [192.168.1.7]: no OCSP server specified in certificate
Jul 25 20:29:11 raspberrypi caddy[26273]: 2020/07/25 20:29:11 [WARNING] Stapling OCSP: no OCSP stapling for [100.36.30.171]: no OCSP server specified in certificate
Jul 25 20:29:11 raspberrypi caddy[26273]: {"level":"info","ts":1595705351.5107906,"msg":"autosaved config","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Jul 25 20:29:11 raspberrypi caddy[26273]: {"level":"info","ts":1595705351.5108519,"msg":"serving initial configuration"}
Jul 25 20:29:11 raspberrypi caddy[26273]: 2020/07/25 20:29:11 [INFO][nizar.cf] Obtain certificate; acquiring lock...
Jul 25 20:29:11 raspberrypi caddy[26273]: 2020/07/25 20:29:11 [INFO][nizar.cf] Obtain: Lock acquired; proceeding...
Jul 25 20:29:12 raspberrypi caddy[26273]: 2020/07/25 20:29:12 [INFO][nizar.cf] Waiting on rate limiter...
Jul 25 20:29:12 raspberrypi caddy[26273]: 2020/07/25 20:29:12 [INFO][nizar.cf] Done waiting
Jul 25 20:29:12 raspberrypi caddy[26273]: 2020/07/25 20:29:12 [INFO] [nizar.cf] acme: Obtaining bundled SAN certificate given a CSR
Jul 25 20:29:12 raspberrypi caddy[26273]: 2020/07/25 20:29:12 [ERROR] acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/, url: (challenge=http-01 remaining=[tls-alpn-01])
Jul 25 20:29:14 raspberrypi caddy[26273]: 2020/07/25 20:29:14 [INFO] [nizar.cf] acme: Obtaining bundled SAN certificate given a CSR
Jul 25 20:29:15 raspberrypi caddy[26273]: 2020/07/25 20:29:15 [ERROR] acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/, url: (challenge=tls-alpn-01 remaining=[])
Jul 25 20:29:17 raspberrypi caddy[26273]: 2020/07/25 20:29:17 [ERROR] attempt 1: [nizar.cf] Obtain: [nizar.cf] acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/, url: - retrying in 1m0s (5.448503698s/720h0m0s elapsed)...
Jul 25 20:30:17 raspberrypi caddy[26273]: 2020/07/25 20:30:17 [INFO] [nizar.cf] acme: Obtaining bundled SAN certificate given a CSR
Jul 25 20:30:18 raspberrypi caddy[26273]: 2020/07/25 20:30:18 [INFO] [nizar.cf] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82614936
Jul 25 20:30:18 raspberrypi caddy[26273]: 2020/07/25 20:30:18 [INFO] [nizar.cf] acme: use tls-alpn-01 solver
Jul 25 20:30:18 raspberrypi caddy[26273]: 2020/07/25 20:30:18 [INFO] [nizar.cf] acme: Trying to solve TLS-ALPN-01
Jul 25 20:30:20 raspberrypi caddy[26273]: 2020/07/25 20:30:20 http: TLS handshake error from 127.0.0.1:33804: EOF
Jul 25 20:30:20 raspberrypi caddy[26273]: 2020/07/25 20:30:20 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82614936
Jul 25 20:30:21 raspberrypi caddy[26273]: 2020/07/25 20:30:21 [INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82614936
Jul 25 20:30:21 raspberrypi caddy[26273]: 2020/07/25 20:30:21 [ERROR] error: one or more domains had a problem:
Jul 25 20:30:21 raspberrypi caddy[26273]: [nizar.cf] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge, url:
Jul 25 20:30:21 raspberrypi caddy[26273]: (challenge=tls-alpn-01 remaining=[http-01])
Jul 25 20:30:23 raspberrypi caddy[26273]: 2020/07/25 20:30:23 [INFO] [nizar.cf] acme: Obtaining bundled SAN certificate given a CSR
Jul 25 20:30:23 raspberrypi caddy[26273]: 2020/07/25 20:30:23 [INFO] [nizar.cf] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82614955
Jul 25 20:30:23 raspberrypi caddy[26273]: 2020/07/25 20:30:23 [INFO] [nizar.cf] acme: Could not find solver for: tls-alpn-01
Jul 25 20:30:23 raspberrypi caddy[26273]: 2020/07/25 20:30:23 [INFO] [nizar.cf] acme: use http-01 solver
Jul 25 20:30:23 raspberrypi caddy[26273]: 2020/07/25 20:30:23 [INFO] [nizar.cf] acme: Trying to solve HTTP-01
Jul 25 20:30:24 raspberrypi caddy[26273]: 2020/07/25 20:30:24 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82614955
Jul 25 20:30:24 raspberrypi caddy[26273]: 2020/07/25 20:30:24 [INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82614955
Jul 25 20:30:24 raspberrypi caddy[26273]: 2020/07/25 20:30:24 [ERROR] error: one or more domains had a problem:
Jul 25 20:30:24 raspberrypi caddy[26273]: [nizar.cf] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://nizar.cf/.well-known/acme-challenge/cryPJ52nhXHTjdPbxot1mFXHJFBF9PuYol9Wj1G6oS0 [2606:4700:3033::6812:23fe]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]> <html class=\"no-js ", url:
Jul 25 20:30:24 raspberrypi caddy[26273]: (challenge=http-01 remaining=[])
Jul 25 20:30:26 raspberrypi caddy[26273]: 2020/07/25 20:30:26 [ERROR] attempt 2: [nizar.cf] Obtain: [nizar.cf] error: one or more domains had a problem:
Jul 25 20:30:26 raspberrypi caddy[26273]: [nizar.cf] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://nizar.cf/.well-known/acme-challenge/cryPJ52nhXHTjdPbxot1mFXHJFBF9PuYol9Wj1G6oS0 [2606:4700:3033::6812:23fe]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]> <html class=\"no-js ", url:
Jul 25 20:30:26 raspberrypi caddy[26273]: - retrying in 2m0s (1m14.972943739s/720h0m0s elapsed)...
Jul 25 20:31:11 raspberrypi systemd[1]: Reloading Caddy.
Jul 25 20:31:11 raspberrypi caddy[26323]: {"level":"info","ts":1595705471.1045518,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Jul 25 20:31:11 raspberrypi caddy[26273]: {"level":"info","ts":1595705471.1183035,"logger":"admin.api","msg":"received request","method":"POST","host":"localhost:2019","uri":"/load","remote_addr":"127.0.0.1:38696","headers":{"Accept-Encoding":["gzip"],"Content-Length":["4962"],"Content-Type":["application/json"],"Origin":["localhost:2019"],"User-Agent":["Go-http-client/1.1"]}}
Jul 25 20:31:11 raspberrypi caddy[26273]: {"level":"info","ts":1595705471.1225312,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["127.0.0.1:2019","localhost:2019","[::1]:2019"]}
Jul 25 20:31:11 raspberrypi caddy[26273]: 2020/07/25 20:31:11 [INFO][cache:0x3839c00] Started certificate maintenance routine
Jul 25 20:31:11 raspberrypi caddy[26273]: {"level":"info","ts":1595705471.123557,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
Jul 25 20:31:11 raspberrypi caddy[26273]: {"level":"info","ts":1595705471.123613,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
Jul 25 20:31:11 raspberrypi caddy[26273]: {"level":"info","ts":1595705471.123701,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv1"}
Jul 25 20:31:11 raspberrypi caddy[26273]: {"level":"info","ts":1595705471.1266718,"logger":"tls","msg":"setting internal issuer for automation policy that has only internal subjects but no issuer configured","subjects":["100.36.30.171","192.168.1.7"]}
Jul 25 20:31:11 raspberrypi caddy[26273]: {"level":"warn","ts":1595705471.136581,"logger":"pki.ca.local","msg":"installing root certificate (you might be prompted for password)","path":"storage:pki/authorities/local/root.crt"}
Jul 25 20:31:11 raspberrypi caddy[26273]: 2020/07/25 20:31:11 Warning: "certutil" is not available, install "certutil" with "apt install libnss3-tools" or "yum install nss-tools" and try again
Jul 25 20:31:11 raspberrypi caddy[26273]: 2020/07/25 20:31:11 define JAVA_HOME environment variable to use the Java trust
Jul 25 20:31:11 raspberrypi sudo[26330]: pam_unix(sudo:auth): conversation failed
Jul 25 20:31:11 raspberrypi sudo[26330]: pam_unix(sudo:auth): auth could not identify password for [caddy]
Jul 25 20:31:11 raspberrypi sudo[26330]: caddy : user NOT in sudoers ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/tee /usr/local/share/ca-certificates/Caddy_Local_Authority_-_2020_ECC_Root_319666144580785802039522281007369208486.crt
Jul 25 20:31:11 raspberrypi caddy[26273]: {"level":"error","ts":1595705471.1673262,"logger":"pki.ca.local","msg":"failed to install root certificate","error":"failed to execute sudo: exit status 1","certificate_file":"storage:pki/authorities/local/root.crt"}
Jul 25 20:31:11 raspberrypi caddy[26273]: {"level":"info","ts":1595705471.1677632,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["100.36.30.171","192.168.1.7"]}
Jul 25 20:31:11 raspberrypi caddy[26273]: 2020/07/25 20:31:11 [WARNING] Stapling OCSP: no OCSP stapling for [100.36.30.171]: no OCSP server specified in certificate
Jul 25 20:31:11 raspberrypi caddy[26273]: 2020/07/25 20:31:11 [WARNING] Stapling OCSP: no OCSP stapling for [192.168.1.7]: no OCSP server specified in certificate
Jul 25 20:31:11 raspberrypi caddy[26273]: 2020/07/25 20:31:11 [INFO][cache:0x3a052c0] Stopped certificate maintenance routine
Jul 25 20:31:11 raspberrypi caddy[26273]: 2020/07/25 20:31:11 [INFO][nizar.cf] Obtain: Releasing lock
Jul 25 20:31:11 raspberrypi caddy[26273]: {"level":"info","ts":1595705471.1739233,"msg":"autosaved config","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Jul 25 20:31:11 raspberrypi caddy[26273]: {"level":"info","ts":1595705471.1739645,"logger":"admin.api","msg":"load complete"}
Jul 25 20:31:11 raspberrypi caddy[26273]: 2020/07/25 20:31:11 [ERROR] nizar.cf: obtaining certificate: context canceled
Jul 25 20:31:11 raspberrypi systemd[1]: Reloaded Caddy.
Jul 25 20:31:11 raspberrypi caddy[26273]: {"level":"info","ts":1595705471.6232014,"logger":"admin","msg":"stopped previous server"}
This seems to be the key error:
[nizar.cf] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://nizar.cf/.well-known/acme-challenge/cryPJ52nhXHTjdPbxot1mFXHJFBF9PuYol9Wj1G6oS0 [2606:4700:3033::6812:23fe]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]> <html class=\"no-js ", url:
Jul 25 20:30:24 raspberrypi caddy[26273]: (challenge=http-01 remaining=[])
5. What I already tried:
I somewhat documented it above, but I tried playing around with Caddyfile, I checked DNS and made sure all is correct, I made sure that accessing everything from local network and IP works.
I also made sure all my permissions are correct. I keep getting the one error about not being in sudoers and being able to access the local CA, but my permissions are configured correctly there. But also, that should not matter because it is only for local access, right?
I would appreciate any help I can get, please! Thank you
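The log above shows three distinct ACME failures in sequence (a 429 rate limit on the http-01 attempt, a 403 on tls-alpn-01 because acme-tls/1 could not be negotiated, then a 403 on http-01 because an HTML page came back instead of the token). As an added example, not part of the original post or of Caddy, the following parser pairs each ACME error line with its `(challenge=... remaining=[...])` trailer (which may sit on the next line) and maps each one to the check a defender would make next. The sample log is constructed and abbreviated from the post's lines; `TOKEN` stands in for the challenge token.

```python
import re

# Constructed sample, abbreviated from the lines quoted in the post above.
SAMPLE_LOG = """\
2020/07/25 20:29:12 [ERROR] acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/, url: (challenge=http-01 remaining=[tls-alpn-01])
[nizar.cf] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge, url:
(challenge=tls-alpn-01 remaining=[http-01])
[nizar.cf] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://nizar.cf/.well-known/acme-challenge/TOKEN [2606:4700:3033::6812:23fe]: "<!DOCTYPE html>", url:
(challenge=http-01 remaining=[])
"""

ERR_RE = re.compile(r"urn:ietf:params:acme:error:(\w+) :: (.*?)(?:, url:|$)")
CHAL_RE = re.compile(r"\(challenge=(\S+) remaining=\[([^\]]*)\]\)")
ADDR_RE = re.compile(r"Invalid response from \S+ \[([^\]]+)\]: \"(.*?)\"")


def explain(err_type, detail):
    """Map an ACME error to the check a defender should make next."""
    if err_type == "rateLimited":
        return "CA refused a new order: failed-validation limit hit; fix the challenge path before retrying"
    m = ADDR_RE.search(detail)
    if m and m.group(2).lstrip().startswith("<!DOCTYPE"):
        # The CA names the address it actually reached; if that is not this host, something else answered.
        return f"CA got an HTML page from {m.group(1)} instead of the token: verify that address is this host and that port 80 reaches Caddy"
    if "ALPN" in detail:
        return "CA's TLS connection was not answered by Caddy's acme-tls/1 listener: verify port 443 reaches Caddy directly"
    return "unclassified ACME error"


def parse_acme_failures(log_text):
    """Pair each ACME error with its challenge trailer, which may be on the same or the next line."""
    events, pending = [], None
    for line in log_text.splitlines():
        m = ERR_RE.search(line)
        if m:
            pending = {"error": m.group(1), "detail": m.group(2)}
        c = CHAL_RE.search(line)
        if c and pending:
            pending["challenge"] = c.group(1)
            pending["remaining"] = [r for r in c.group(2).split(",") if r]  # [] means no challenge types left
            pending["hint"] = explain(pending["error"], pending["detail"])
            events.append(pending)
            pending = None
    return events


if __name__ == "__main__":
    for e in parse_acme_failures(SAMPLE_LOG):
        print(f"{e['challenge']:<11} {e['error']:<13} remaining={e['remaining']}  -> {e['hint']}")
```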