HTTPS/TLS Certificate Authorization Fails when Port 80 is Not Open

1. Caddy version (caddy version):

v2.1.1 h1:X9k1+ehZPYYrSqBvf/ocUgdLSRIuiNiMo7CvyGUQKeA=

2. How I run Caddy:

a. System environment:

Raspberry Pi OS May 27th
systemd

b. Command:

sudo systemctl start caddy

c. Service/unit/compose file:

caddy.service

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target

[Service]
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddyfile or JSON config:

192.168.1.7, 100.36.30.171:1996, nizar.cf:1996 {
  encode gzip

  redir /cloud /cloud/
  redir /cloud/.well-known/caldav /cloud/remote.php/dav 301
  redir /cloud/.well-known/carddav /cloud/remote.php/dav 301
#  rewrite /cloud/index.php/* /cloud/index.php?{query}
  route /cloud/* {
    root * /var/www
    php_fastcgi unix//run/php/php7.3-fpm.sock
    file_server
  }

  redir /bitw /bitwarden/
  redir /bitw/ /bitwarden/
  redir /bitwarden /bitwarden/
  reverse_proxy /bitwarden/* localhost:3401

  redir /rss /miniflux/
  redir /rss/ /miniflux/
  redir /miniflux /miniflux/
  reverse_proxy /miniflux/* unix//run/miniflux/miniflux.sock
}

I also tried changing nizar.cf:1996 to just nizar.cf

3. The problem I’m having:

I cannot access my server using the domain name. From the logs, it looks like the issue is coming from TLS certificate authorization, but I cannot understand exactly what happened. It looks like I somehow reached the limit of Let’s Encrypt too. Does this mean I cannot try this again for a week? :cold_sweat:

4. Error messages and/or full log output:

Jul 25 20:29:11 raspberrypi systemd[1]: Started Caddy.
Jul 25 20:29:11 raspberrypi caddy[26273]: caddy.HomeDir=/var/lib/caddy
Jul 25 20:29:11 raspberrypi caddy[26273]: caddy.AppDataDir=/var/lib/caddy/.local/share/caddy
Jul 25 20:29:11 raspberrypi caddy[26273]: caddy.AppConfigDir=/var/lib/caddy/.config/caddy
Jul 25 20:29:11 raspberrypi caddy[26273]: caddy.ConfigAutosavePath=/var/lib/caddy/.config/caddy/autosave.json
Jul 25 20:29:11 raspberrypi caddy[26273]: runtime.GOOS=linux
Jul 25 20:29:11 raspberrypi caddy[26273]: runtime.GOARCH=arm
Jul 25 20:29:11 raspberrypi caddy[26273]: runtime.Compiler=gc
Jul 25 20:29:11 raspberrypi caddy[26273]: runtime.NumCPU=4
Jul 25 20:29:11 raspberrypi caddy[26273]: runtime.GOMAXPROCS=4
Jul 25 20:29:11 raspberrypi caddy[26273]: runtime.Version=go1.14.4
Jul 25 20:29:11 raspberrypi caddy[26273]: os.Getwd=/
Jul 25 20:29:11 raspberrypi caddy[26273]: LANG=en_GB.UTF-8
Jul 25 20:29:11 raspberrypi caddy[26273]: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Jul 25 20:29:11 raspberrypi caddy[26273]: HOME=/var/lib/caddy
Jul 25 20:29:11 raspberrypi caddy[26273]: LOGNAME=caddy
Jul 25 20:29:11 raspberrypi caddy[26273]: USER=caddy
Jul 25 20:29:11 raspberrypi caddy[26273]: INVOCATION_ID=0b9a6dff2b724e6f8f2d368265ff34b4
Jul 25 20:29:11 raspberrypi caddy[26273]: JOURNAL_STREAM=8:180697
Jul 25 20:29:11 raspberrypi caddy[26273]: {"level":"info","ts":1595705351.3250854,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Jul 25 20:29:11 raspberrypi caddy[26273]: {"level":"info","ts":1595705351.3331683,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
Jul 25 20:29:11 raspberrypi caddy[26273]: {"level":"info","ts":1595705351.3338196,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
Jul 25 20:29:11 raspberrypi caddy[26273]: {"level":"info","ts":1595705351.3338912,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
Jul 25 20:29:11 raspberrypi caddy[26273]: 2020/07/25 20:29:11 [INFO][cache:0x3a052c0] Started certificate maintenance routine
Jul 25 20:29:11 raspberrypi caddy[26273]: {"level":"info","ts":1595705351.3369493,"logger":"tls","msg":"setting internal issuer for automation policy that has only internal subjects but no issuer configured","subjects":["192.168.1.7","100.36.30.171"]}
Jul 25 20:29:11 raspberrypi caddy[26273]: {"level":"info","ts":1595705351.3434038,"logger":"tls","msg":"cleaned up storage units"}
Jul 25 20:29:11 raspberrypi caddy[26273]: {"level":"warn","ts":1595705351.4740827,"logger":"pki.ca.local","msg":"installing root certificate (you might be prompted for password)","path":"storage:pki/authorities/local/root.crt"}
Jul 25 20:29:11 raspberrypi caddy[26273]: 2020/07/25 20:29:11 Warning: "certutil" is not available, install "certutil" with "apt install libnss3-tools" or "yum install nss-tools" and try again
Jul 25 20:29:11 raspberrypi caddy[26273]: 2020/07/25 20:29:11 define JAVA_HOME environment variable to use the Java trust
Jul 25 20:29:11 raspberrypi sudo[26285]: pam_unix(sudo:auth): conversation failed
Jul 25 20:29:11 raspberrypi sudo[26285]: pam_unix(sudo:auth): auth could not identify password for [caddy]
Jul 25 20:29:11 raspberrypi sudo[26285]:    caddy : user NOT in sudoers ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/tee /usr/local/share/ca-certificates/Caddy_Local_Authority_-_2020_ECC_Root_319666144580785802039522281007369208486.crt
Jul 25 20:29:11 raspberrypi caddy[26273]: {"level":"error","ts":1595705351.504455,"logger":"pki.ca.local","msg":"failed to install root certificate","error":"failed to execute sudo: exit status 1","certificate_file":"storage:pki/authorities/local/root.crt"}
Jul 25 20:29:11 raspberrypi caddy[26273]: {"level":"info","ts":1595705351.5050778,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["192.168.1.7","100.36.30.171","nizar.cf"]}
Jul 25 20:29:11 raspberrypi caddy[26273]: 2020/07/25 20:29:11 [WARNING] Stapling OCSP: no OCSP stapling for [192.168.1.7]: no OCSP server specified in certificate
Jul 25 20:29:11 raspberrypi caddy[26273]: 2020/07/25 20:29:11 [WARNING] Stapling OCSP: no OCSP stapling for [100.36.30.171]: no OCSP server specified in certificate
Jul 25 20:29:11 raspberrypi caddy[26273]: {"level":"info","ts":1595705351.5107906,"msg":"autosaved config","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Jul 25 20:29:11 raspberrypi caddy[26273]: {"level":"info","ts":1595705351.5108519,"msg":"serving initial configuration"}
Jul 25 20:29:11 raspberrypi caddy[26273]: 2020/07/25 20:29:11 [INFO][nizar.cf] Obtain certificate; acquiring lock...
Jul 25 20:29:11 raspberrypi caddy[26273]: 2020/07/25 20:29:11 [INFO][nizar.cf] Obtain: Lock acquired; proceeding...
Jul 25 20:29:12 raspberrypi caddy[26273]: 2020/07/25 20:29:12 [INFO][nizar.cf] Waiting on rate limiter...
Jul 25 20:29:12 raspberrypi caddy[26273]: 2020/07/25 20:29:12 [INFO][nizar.cf] Done waiting
Jul 25 20:29:12 raspberrypi caddy[26273]: 2020/07/25 20:29:12 [INFO] [nizar.cf] acme: Obtaining bundled SAN certificate given a CSR
Jul 25 20:29:12 raspberrypi caddy[26273]: 2020/07/25 20:29:12 [ERROR] acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/, url:  (challenge=http-01 remaining=[tls-alpn-01])
Jul 25 20:29:14 raspberrypi caddy[26273]: 2020/07/25 20:29:14 [INFO] [nizar.cf] acme: Obtaining bundled SAN certificate given a CSR
Jul 25 20:29:15 raspberrypi caddy[26273]: 2020/07/25 20:29:15 [ERROR] acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/, url:  (challenge=tls-alpn-01 remaining=[])
Jul 25 20:29:17 raspberrypi caddy[26273]: 2020/07/25 20:29:17 [ERROR] attempt 1: [nizar.cf] Obtain: [nizar.cf] acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/, url:  - retrying in 1m0s (5.448503698s/720h0m0s elapsed)...
Jul 25 20:30:17 raspberrypi caddy[26273]: 2020/07/25 20:30:17 [INFO] [nizar.cf] acme: Obtaining bundled SAN certificate given a CSR
Jul 25 20:30:18 raspberrypi caddy[26273]: 2020/07/25 20:30:18 [INFO] [nizar.cf] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82614936
Jul 25 20:30:18 raspberrypi caddy[26273]: 2020/07/25 20:30:18 [INFO] [nizar.cf] acme: use tls-alpn-01 solver
Jul 25 20:30:18 raspberrypi caddy[26273]: 2020/07/25 20:30:18 [INFO] [nizar.cf] acme: Trying to solve TLS-ALPN-01
Jul 25 20:30:20 raspberrypi caddy[26273]: 2020/07/25 20:30:20 http: TLS handshake error from 127.0.0.1:33804: EOF
Jul 25 20:30:20 raspberrypi caddy[26273]: 2020/07/25 20:30:20 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82614936
Jul 25 20:30:21 raspberrypi caddy[26273]: 2020/07/25 20:30:21 [INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82614936
Jul 25 20:30:21 raspberrypi caddy[26273]: 2020/07/25 20:30:21 [ERROR] error: one or more domains had a problem:
Jul 25 20:30:21 raspberrypi caddy[26273]: [nizar.cf] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge, url:
Jul 25 20:30:21 raspberrypi caddy[26273]:  (challenge=tls-alpn-01 remaining=[http-01])
Jul 25 20:30:23 raspberrypi caddy[26273]: 2020/07/25 20:30:23 [INFO] [nizar.cf] acme: Obtaining bundled SAN certificate given a CSR
Jul 25 20:30:23 raspberrypi caddy[26273]: 2020/07/25 20:30:23 [INFO] [nizar.cf] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82614955
Jul 25 20:30:23 raspberrypi caddy[26273]: 2020/07/25 20:30:23 [INFO] [nizar.cf] acme: Could not find solver for: tls-alpn-01
Jul 25 20:30:23 raspberrypi caddy[26273]: 2020/07/25 20:30:23 [INFO] [nizar.cf] acme: use http-01 solver
Jul 25 20:30:23 raspberrypi caddy[26273]: 2020/07/25 20:30:23 [INFO] [nizar.cf] acme: Trying to solve HTTP-01
Jul 25 20:30:24 raspberrypi caddy[26273]: 2020/07/25 20:30:24 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82614955
Jul 25 20:30:24 raspberrypi caddy[26273]: 2020/07/25 20:30:24 [INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82614955
Jul 25 20:30:24 raspberrypi caddy[26273]: 2020/07/25 20:30:24 [ERROR] error: one or more domains had a problem:
Jul 25 20:30:24 raspberrypi caddy[26273]: [nizar.cf] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://nizar.cf/.well-known/acme-challenge/cryPJ52nhXHTjdPbxot1mFXHJFBF9PuYol9Wj1G6oS0 [2606:4700:3033::6812:23fe]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]>    <html class=\"no-js ", url:
Jul 25 20:30:24 raspberrypi caddy[26273]:  (challenge=http-01 remaining=[])
Jul 25 20:30:26 raspberrypi caddy[26273]: 2020/07/25 20:30:26 [ERROR] attempt 2: [nizar.cf] Obtain: [nizar.cf] error: one or more domains had a problem:
Jul 25 20:30:26 raspberrypi caddy[26273]: [nizar.cf] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://nizar.cf/.well-known/acme-challenge/cryPJ52nhXHTjdPbxot1mFXHJFBF9PuYol9Wj1G6oS0 [2606:4700:3033::6812:23fe]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]>    <html class=\"no-js ", url:
Jul 25 20:30:26 raspberrypi caddy[26273]:  - retrying in 2m0s (1m14.972943739s/720h0m0s elapsed)...
Jul 25 20:31:11 raspberrypi systemd[1]: Reloading Caddy.
Jul 25 20:31:11 raspberrypi caddy[26323]: {"level":"info","ts":1595705471.1045518,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Jul 25 20:31:11 raspberrypi caddy[26273]: {"level":"info","ts":1595705471.1183035,"logger":"admin.api","msg":"received request","method":"POST","host":"localhost:2019","uri":"/load","remote_addr":"127.0.0.1:38696","headers":{"Accept-Encoding":["gzip"],"Content-Length":["4962"],"Content-Type":["application/json"],"Origin":["localhost:2019"],"User-Agent":["Go-http-client/1.1"]}}
Jul 25 20:31:11 raspberrypi caddy[26273]: {"level":"info","ts":1595705471.1225312,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["127.0.0.1:2019","localhost:2019","[::1]:2019"]}
Jul 25 20:31:11 raspberrypi caddy[26273]: 2020/07/25 20:31:11 [INFO][cache:0x3839c00] Started certificate maintenance routine
Jul 25 20:31:11 raspberrypi caddy[26273]: {"level":"info","ts":1595705471.123557,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
Jul 25 20:31:11 raspberrypi caddy[26273]: {"level":"info","ts":1595705471.123613,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
Jul 25 20:31:11 raspberrypi caddy[26273]: {"level":"info","ts":1595705471.123701,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv1"}
Jul 25 20:31:11 raspberrypi caddy[26273]: {"level":"info","ts":1595705471.1266718,"logger":"tls","msg":"setting internal issuer for automation policy that has only internal subjects but no issuer configured","subjects":["100.36.30.171","192.168.1.7"]}
Jul 25 20:31:11 raspberrypi caddy[26273]: {"level":"warn","ts":1595705471.136581,"logger":"pki.ca.local","msg":"installing root certificate (you might be prompted for password)","path":"storage:pki/authorities/local/root.crt"}
Jul 25 20:31:11 raspberrypi caddy[26273]: 2020/07/25 20:31:11 Warning: "certutil" is not available, install "certutil" with "apt install libnss3-tools" or "yum install nss-tools" and try again
Jul 25 20:31:11 raspberrypi caddy[26273]: 2020/07/25 20:31:11 define JAVA_HOME environment variable to use the Java trust
Jul 25 20:31:11 raspberrypi sudo[26330]: pam_unix(sudo:auth): conversation failed
Jul 25 20:31:11 raspberrypi sudo[26330]: pam_unix(sudo:auth): auth could not identify password for [caddy]
Jul 25 20:31:11 raspberrypi sudo[26330]:    caddy : user NOT in sudoers ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/tee /usr/local/share/ca-certificates/Caddy_Local_Authority_-_2020_ECC_Root_319666144580785802039522281007369208486.crt
Jul 25 20:31:11 raspberrypi caddy[26273]: {"level":"error","ts":1595705471.1673262,"logger":"pki.ca.local","msg":"failed to install root certificate","error":"failed to execute sudo: exit status 1","certificate_file":"storage:pki/authorities/local/root.crt"}
Jul 25 20:31:11 raspberrypi caddy[26273]: {"level":"info","ts":1595705471.1677632,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["100.36.30.171","192.168.1.7"]}
Jul 25 20:31:11 raspberrypi caddy[26273]: 2020/07/25 20:31:11 [WARNING] Stapling OCSP: no OCSP stapling for [100.36.30.171]: no OCSP server specified in certificate
Jul 25 20:31:11 raspberrypi caddy[26273]: 2020/07/25 20:31:11 [WARNING] Stapling OCSP: no OCSP stapling for [192.168.1.7]: no OCSP server specified in certificate
Jul 25 20:31:11 raspberrypi caddy[26273]: 2020/07/25 20:31:11 [INFO][cache:0x3a052c0] Stopped certificate maintenance routine
Jul 25 20:31:11 raspberrypi caddy[26273]: 2020/07/25 20:31:11 [INFO][nizar.cf] Obtain: Releasing lock
Jul 25 20:31:11 raspberrypi caddy[26273]: {"level":"info","ts":1595705471.1739233,"msg":"autosaved config","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Jul 25 20:31:11 raspberrypi caddy[26273]: {"level":"info","ts":1595705471.1739645,"logger":"admin.api","msg":"load complete"}
Jul 25 20:31:11 raspberrypi caddy[26273]: 2020/07/25 20:31:11 [ERROR] nizar.cf: obtaining certificate: context canceled
Jul 25 20:31:11 raspberrypi systemd[1]: Reloaded Caddy.
Jul 25 20:31:11 raspberrypi caddy[26273]: {"level":"info","ts":1595705471.6232014,"logger":"admin","msg":"stopped previous server"}

This seems to be the key error:

[nizar.cf] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://nizar.cf/.well-known/acme-challenge/cryPJ52nhXHTjdPbxot1mFXHJFBF9PuYol9Wj1G6oS0 [2606:4700:3033::6812:23fe]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]>    <html class=\"no-js ", url:
Jul 25 20:30:24 raspberrypi caddy[26273]:  (challenge=http-01 remaining=[])

5. What I already tried:

I somewhat documented it above, but I tried playing around with the Caddyfile, I checked DNS and made sure all is correct, and I made sure that accessing everything from the local network and by IP works.

I also made sure all my permissions are correct. I keep getting the one error about not being in sudoers and being able to access the local CA, but my permissions are configured correctly there. But also, that should not matter because it is only for local access, right?

I would appreciate any help I can get, please! Thank you :slightly_smiling_face:

6. Links to relevant resources:

I tried again at a later time. It is weird that the errors are not all the same.

Jul 25 20:55:08 raspberrypi caddy[26699]: INVOCATION_ID=0aa27e3543bf482ba2bbef75f619b3ba
Jul 25 20:55:08 raspberrypi caddy[26699]: JOURNAL_STREAM=8:182920
Jul 25 20:55:08 raspberrypi caddy[26699]: {"level":"info","ts":1595706908.871657,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Jul 25 20:55:08 raspberrypi caddy[26699]: {"level":"info","ts":1595706908.8829105,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["[::1]:2019","127.0.0.1:2019","localhost:2019"]}
Jul 25 20:55:08 raspberrypi caddy[26699]: 2020/07/25 20:55:08 [INFO][cache:0x2952100] Started certificate maintenance routine
Jul 25 20:55:08 raspberrypi caddy[26699]: {"level":"info","ts":1595706908.8846006,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
Jul 25 20:55:08 raspberrypi caddy[26699]: {"level":"info","ts":1595706908.8846645,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
Jul 25 20:55:08 raspberrypi caddy[26699]: {"level":"info","ts":1595706908.8847263,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv1"}
Jul 25 20:55:08 raspberrypi caddy[26699]: {"level":"info","ts":1595706908.8879383,"logger":"tls","msg":"setting internal issuer for automation policy that has only internal subjects but no issuer configured","subjects":["192.168.1.7","100.36.30.171"]}
Jul 25 20:55:08 raspberrypi caddy[26699]: {"level":"info","ts":1595706908.8962243,"logger":"tls","msg":"cleaned up storage units"}
Jul 25 20:55:09 raspberrypi caddy[26699]: {"level":"warn","ts":1595706909.030126,"logger":"pki.ca.local","msg":"installing root certificate (you might be prompted for password)","path":"storage:pki/authorities/local/root.crt"}
Jul 25 20:55:09 raspberrypi caddy[26699]: 2020/07/25 20:55:09 Warning: "certutil" is not available, install "certutil" with "apt install libnss3-tools" or "yum install nss-tools" and try again
Jul 25 20:55:09 raspberrypi caddy[26699]: 2020/07/25 20:55:09 define JAVA_HOME environment variable to use the Java trust
Jul 25 20:55:09 raspberrypi sudo[26711]: pam_unix(sudo:auth): conversation failed
Jul 25 20:55:09 raspberrypi sudo[26711]: pam_unix(sudo:auth): auth could not identify password for [caddy]
Jul 25 20:55:09 raspberrypi sudo[26711]:    caddy : user NOT in sudoers ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/tee /usr/local/share/ca-certificates/Caddy_Local_Authority_-_2020_ECC_Root_319666144580785802039522281007369208486.crt
Jul 25 20:55:09 raspberrypi caddy[26699]: {"level":"error","ts":1595706909.0611112,"logger":"pki.ca.local","msg":"failed to install root certificate","error":"failed to execute sudo: exit status 1","certificate_file":"storage:pki/authorities/local/root.crt"}
Jul 25 20:55:09 raspberrypi caddy[26699]: {"level":"info","ts":1595706909.0618622,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["192.168.1.7","100.36.30.171","nizar.cf"]}
Jul 25 20:55:09 raspberrypi caddy[26699]: 2020/07/25 20:55:09 [WARNING] Stapling OCSP: no OCSP stapling for [192.168.1.7]: no OCSP server specified in certificate
Jul 25 20:55:09 raspberrypi caddy[26699]: 2020/07/25 20:55:09 [WARNING] Stapling OCSP: no OCSP stapling for [100.36.30.171]: no OCSP server specified in certificate
Jul 25 20:55:09 raspberrypi caddy[26699]: {"level":"info","ts":1595706909.0682638,"msg":"autosaved config","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Jul 25 20:55:09 raspberrypi caddy[26699]: {"level":"info","ts":1595706909.0683098,"msg":"serving initial configuration"}
Jul 25 20:55:09 raspberrypi caddy[26699]: 2020/07/25 20:55:09 [INFO][nizar.cf] Obtain certificate; acquiring lock...
Jul 25 20:55:09 raspberrypi caddy[26699]: 2020/07/25 20:55:09 [INFO][nizar.cf] Obtain: Lock acquired; proceeding...
Jul 25 20:55:09 raspberrypi caddy[26699]: 2020/07/25 20:55:09 [INFO][nizar.cf] Waiting on rate limiter...
Jul 25 20:55:09 raspberrypi caddy[26699]: 2020/07/25 20:55:09 [INFO][nizar.cf] Done waiting
Jul 25 20:55:09 raspberrypi caddy[26699]: 2020/07/25 20:55:09 [INFO] [nizar.cf] acme: Obtaining bundled SAN certificate given a CSR
Jul 25 20:55:11 raspberrypi caddy[26699]: 2020/07/25 20:55:11 [ERROR] acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/, url:  (challenge=tls-alpn-01 remaining=[http-01])
Jul 25 20:55:13 raspberrypi caddy[26699]: 2020/07/25 20:55:13 [INFO] [nizar.cf] acme: Obtaining bundled SAN certificate given a CSR
Jul 25 20:55:14 raspberrypi caddy[26699]: 2020/07/25 20:55:14 [ERROR] acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/, url:  (challenge=http-01 remaining=[])
Jul 25 20:55:16 raspberrypi caddy[26699]: 2020/07/25 20:55:16 [ERROR] attempt 1: [nizar.cf] Obtain: [nizar.cf] acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/, url:  - retrying in 1m0s (6.88053952s/720h0m0s elapsed)...
Jul 25 20:56:16 raspberrypi caddy[26699]: 2020/07/25 20:56:16 [INFO] [nizar.cf] acme: Obtaining bundled SAN certificate given a CSR
Jul 25 20:56:17 raspberrypi caddy[26699]: 2020/07/25 20:56:17 [INFO] [nizar.cf] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82624052
Jul 25 20:56:17 raspberrypi caddy[26699]: 2020/07/25 20:56:17 [INFO] [nizar.cf] acme: Could not find solver for: tls-alpn-01
Jul 25 20:56:17 raspberrypi caddy[26699]: 2020/07/25 20:56:17 [INFO] [nizar.cf] acme: use http-01 solver
Jul 25 20:56:17 raspberrypi caddy[26699]: 2020/07/25 20:56:17 [INFO] [nizar.cf] acme: Trying to solve HTTP-01
Jul 25 20:56:17 raspberrypi caddy[26699]: 2020/07/25 20:56:17 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82624052
Jul 25 20:56:18 raspberrypi caddy[26699]: 2020/07/25 20:56:18 [INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82624052
Jul 25 20:56:18 raspberrypi caddy[26699]: 2020/07/25 20:56:18 [ERROR] error: one or more domains had a problem:
Jul 25 20:56:18 raspberrypi caddy[26699]: [nizar.cf] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://nizar.cf/.well-known/acme-challenge/_cGQfMttoDiTRgX_HRVQ7wRUYNtwE0cBfj581hqVNS8 [2606:4700:3037::ac43:9d9d]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]>    <html class=\"no-js ", url:
Jul 25 20:56:18 raspberrypi caddy[26699]:  (challenge=http-01 remaining=[tls-alpn-01])
Jul 25 20:56:20 raspberrypi caddy[26699]: 2020/07/25 20:56:20 [INFO] [nizar.cf] acme: Obtaining bundled SAN certificate given a CSR
Jul 25 20:56:20 raspberrypi caddy[26699]: 2020/07/25 20:56:20 [INFO] [nizar.cf] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82624093
Jul 25 20:56:20 raspberrypi caddy[26699]: 2020/07/25 20:56:20 [INFO] [nizar.cf] acme: use tls-alpn-01 solver
Jul 25 20:56:20 raspberrypi caddy[26699]: 2020/07/25 20:56:20 [INFO] [nizar.cf] acme: Trying to solve TLS-ALPN-01
Jul 25 20:56:24 raspberrypi caddy[26699]: 2020/07/25 20:56:24 http: TLS handshake error from 127.0.0.1:33858: EOF
Jul 25 20:56:25 raspberrypi caddy[26699]: 2020/07/25 20:56:25 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82624093
Jul 25 20:56:25 raspberrypi caddy[26699]: 2020/07/25 20:56:25 [INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82624093
Jul 25 20:56:25 raspberrypi caddy[26699]: 2020/07/25 20:56:25 [ERROR] error: one or more domains had a problem:
Jul 25 20:56:25 raspberrypi caddy[26699]: [nizar.cf] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge, url:
Jul 25 20:56:25 raspberrypi caddy[26699]:  (challenge=tls-alpn-01 remaining=[])
Jul 25 20:56:27 raspberrypi caddy[26699]: 2020/07/25 20:56:27 [ERROR] attempt 2: [nizar.cf] Obtain: [nizar.cf] error: one or more domains had a problem:
Jul 25 20:56:27 raspberrypi caddy[26699]: [nizar.cf] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge, url:
Jul 25 20:56:27 raspberrypi caddy[26699]:  - retrying in 2m0s (1m18.390410199s/720h0m0s elapsed)...
Jul 25 20:58:27 raspberrypi caddy[26699]: 2020/07/25 20:58:27 [INFO] [nizar.cf] acme: Obtaining bundled SAN certificate given a CSR
Jul 25 20:58:28 raspberrypi caddy[26699]: 2020/07/25 20:58:28 [INFO] [nizar.cf] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82624956
Jul 25 20:58:28 raspberrypi caddy[26699]: 2020/07/25 20:58:28 [INFO] [nizar.cf] acme: use tls-alpn-01 solver
Jul 25 20:58:28 raspberrypi caddy[26699]: 2020/07/25 20:58:28 [INFO] [nizar.cf] acme: Trying to solve TLS-ALPN-01
Jul 25 20:58:33 raspberrypi caddy[26699]: 2020/07/25 20:58:33 http: TLS handshake error from 127.0.0.1:33864: EOF
Jul 25 20:58:33 raspberrypi caddy[26699]: 2020/07/25 20:58:33 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82624956
Jul 25 20:58:34 raspberrypi caddy[26699]: 2020/07/25 20:58:34 [INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82624956
Jul 25 20:58:34 raspberrypi caddy[26699]: 2020/07/25 20:58:34 [ERROR] error: one or more domains had a problem:
Jul 25 20:58:34 raspberrypi caddy[26699]: [nizar.cf] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge, url:
Jul 25 20:58:34 raspberrypi caddy[26699]:  (challenge=tls-alpn-01 remaining=[http-01])
Jul 25 20:58:36 raspberrypi caddy[26699]: 2020/07/25 20:58:36 [INFO] [nizar.cf] acme: Obtaining bundled SAN certificate given a CSR
Jul 25 20:58:36 raspberrypi caddy[26699]: 2020/07/25 20:58:36 [INFO] [nizar.cf] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82625011
Jul 25 20:58:36 raspberrypi caddy[26699]: 2020/07/25 20:58:36 [INFO] [nizar.cf] acme: Could not find solver for: tls-alpn-01
Jul 25 20:58:36 raspberrypi caddy[26699]: 2020/07/25 20:58:36 [INFO] [nizar.cf] acme: use http-01 solver
Jul 25 20:58:36 raspberrypi caddy[26699]: 2020/07/25 20:58:36 [INFO] [nizar.cf] acme: Trying to solve HTTP-01
Jul 25 20:58:37 raspberrypi caddy[26699]: 2020/07/25 20:58:37 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82625011
Jul 25 20:58:37 raspberrypi caddy[26699]: 2020/07/25 20:58:37 [INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82625011
Jul 25 20:58:37 raspberrypi caddy[26699]: 2020/07/25 20:58:37 [ERROR] error: one or more domains had a problem:
Jul 25 20:58:37 raspberrypi caddy[26699]: [nizar.cf] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://nizar.cf/.well-known/acme-challenge/ILLrGAs1VUhnaJgHFNO85hUNMR0lrZe0BHwrrX2yC2Y [2606:4700:3034::6812:22fe]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]>    <html class=\"no-js ", url:
Jul 25 20:58:37 raspberrypi caddy[26699]:  (challenge=http-01 remaining=[])
Jul 25 20:58:39 raspberrypi caddy[26699]: 2020/07/25 20:58:39 [ERROR] attempt 3: [nizar.cf] Obtain: [nizar.cf] error: one or more domains had a problem:
Jul 25 20:58:39 raspberrypi caddy[26699]: [nizar.cf] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://nizar.cf/.well-known/acme-challenge/ILLrGAs1VUhnaJgHFNO85hUNMR0lrZe0BHwrrX2yC2Y [2606:4700:3034::6812:22fe]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]>    <html class=\"no-js ", url:
Jul 25 20:58:39 raspberrypi caddy[26699]:  - retrying in 2m0s (3m30.295514725s/720h0m0s elapsed)...
Jul 25 21:00:39 raspberrypi caddy[26699]: 2020/07/25 21:00:39 [INFO] [nizar.cf] acme: Obtaining bundled SAN certificate given a CSR
Jul 25 21:00:40 raspberrypi caddy[26699]: 2020/07/25 21:00:40 [INFO] [nizar.cf] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82625996
Jul 25 21:00:40 raspberrypi caddy[26699]: 2020/07/25 21:00:40 [INFO] [nizar.cf] acme: Could not find solver for: tls-alpn-01
Jul 25 21:00:40 raspberrypi caddy[26699]: 2020/07/25 21:00:40 [INFO] [nizar.cf] acme: use http-01 solver
Jul 25 21:00:40 raspberrypi caddy[26699]: 2020/07/25 21:00:40 [INFO] [nizar.cf] acme: Trying to solve HTTP-01
Jul 25 21:00:40 raspberrypi caddy[26699]: 2020/07/25 21:00:40 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82625996
Jul 25 21:00:41 raspberrypi caddy[26699]: 2020/07/25 21:00:41 [INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82625996
Jul 25 21:00:41 raspberrypi caddy[26699]: 2020/07/25 21:00:41 [ERROR] error: one or more domains had a problem:
Jul 25 21:00:41 raspberrypi caddy[26699]: [nizar.cf] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://nizar.cf/.well-known/acme-challenge/QltpQGLzh83Wd4OEs1bEEtkxjiedgM1sLGoEyVCq3uU [2606:4700:3037::ac43:9d9d]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]>    <html class=\"no-js ", url:
Jul 25 21:00:41 raspberrypi caddy[26699]:  (challenge=http-01 remaining=[tls-alpn-01])
Jul 25 21:00:43 raspberrypi caddy[26699]: 2020/07/25 21:00:43 [INFO] [nizar.cf] acme: Obtaining bundled SAN certificate given a CSR
Jul 25 21:00:43 raspberrypi caddy[26699]: 2020/07/25 21:00:43 [INFO] [nizar.cf] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82626016
Jul 25 21:00:43 raspberrypi caddy[26699]: 2020/07/25 21:00:43 [INFO] [nizar.cf] acme: use tls-alpn-01 solver
Jul 25 21:00:43 raspberrypi caddy[26699]: 2020/07/25 21:00:43 [INFO] [nizar.cf] acme: Trying to solve TLS-ALPN-01
Jul 25 21:00:45 raspberrypi caddy[26699]: 2020/07/25 21:00:45 http: TLS handshake error from 127.0.0.1:33886: EOF
Jul 25 21:00:46 raspberrypi caddy[26699]: 2020/07/25 21:00:46 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82626016
Jul 25 21:00:46 raspberrypi caddy[26699]: 2020/07/25 21:00:46 [INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82626016
Jul 25 21:00:46 raspberrypi caddy[26699]: 2020/07/25 21:00:46 [ERROR] error: one or more domains had a problem:
Jul 25 21:00:46 raspberrypi caddy[26699]: [nizar.cf] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge, url:
Jul 25 21:00:46 raspberrypi caddy[26699]:  (challenge=tls-alpn-01 remaining=[])
Jul 25 21:00:48 raspberrypi caddy[26699]: 2020/07/25 21:00:48 [ERROR] attempt 4: [nizar.cf] Obtain: [nizar.cf] error: one or more domains had a problem:
Jul 25 21:00:48 raspberrypi caddy[26699]: [nizar.cf] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge, url:
Jul 25 21:00:48 raspberrypi caddy[26699]:  - retrying in 5m0s (5m39.437081071s/720h0m0s elapsed)...

Looks like my issue is in Let’s Encrypt and my setup specifically.

For my ISP-provided IP address, I can only use port 1996. It looks like Let’s Encrypt requires me to have port 80 too, but I am unable to do that. The reason is that someone else on my network already has it occupied and I cannot use it.

I guess a side question is: Is it possible to use my own SSL certificate with Caddy? How would I go about doing that? I found this link below in the documentation, but it looks like it is incomplete currently.


Yep, the error you’re seeing is because LE is trying to contact your server on port 80, but it’s hitting the other server instead.

You could use the DNS challenge, which doesn’t require your server to be publicly accessible by LE:

You can also specify your own cert and key with the tls directive:


Thank you @francislavoie! I thought I was at a dead end here, but it looks like there is hope! I tried the DNS challenge route like you suggested. However, I still have some errors, albeit different ones:

Jul 26 03:55:20 raspberrypi caddy[30881]: 2020/07/26 03:55:20 [INFO] [nizar.cf] acme: Preparing to solve DNS-01
Jul 26 03:55:21 raspberrypi caddy[30881]: 2020/07/26 03:55:21 [INFO] [nizar.cf] acme: Cleaning DNS-01 challenge
Jul 26 03:55:21 raspberrypi caddy[30881]: 2020/07/26 03:55:21 [WARN] [nizar.cf] acme: cleaning up failed: no memory of presenting a DNS record for nizar.cf
Jul 26 03:55:21 raspberrypi caddy[30881]: 2020/07/26 03:55:21 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82793320
Jul 26 03:55:21 raspberrypi caddy[30881]: 2020/07/26 03:55:21 [ERROR] error: one or more domains had a problem:
Jul 26 03:55:21 raspberrypi caddy[30881]: [nizar.cf] [nizar.cf] acme: error presenting token: got error status: HTTP 401: []
Jul 26 03:55:21 raspberrypi caddy[30881]:  (challenge=dns-01 remaining=[])
Jul 26 03:55:23 raspberrypi caddy[30881]: 2020/07/26 03:55:23 [ERROR] attempt 5: [nizar.cf] Obtain: [nizar.cf] error: one or more domains had a problem:
Jul 26 03:55:23 raspberrypi caddy[30881]: [nizar.cf] [nizar.cf] acme: error presenting token: got error status: HTTP 401: []
Jul 26 03:55:23 raspberrypi caddy[30881]:  - retrying in 10m0s (10m21.77428467s/720h0m0s elapsed)...

It looks like others have had a similar issue, and their issue was that they were using API Keys instead of tokens. I made sure that I was using the tokens, so unfortunately that is not the issue. I also double checked my permissions. They are indeed: Zone.Zone.READ and Zone.DNS.EDIT.

Any ideas what could be the issue?

Thanks again for the help!

My updated Caddyfile, for reference:

nizar.cf:1996 {
  encode gzip

  tls {
    dns cloudflare API_TOKEN_PLAINTEXT_REDACTED
  }

  redir /cloud /cloud/
  redir /cloud/.well-known/caldav /cloud/remote.php/dav 301
  redir /cloud/.well-known/carddav /cloud/remote.php/dav 301
  route /cloud/* {
    root * /var/www
    php_fastcgi unix//run/php/php7.3-fpm.sock
    file_server
  }

  redir /bitw /bitwarden/
  redir /bitw/ /bitwarden/
  redir /bitwarden /bitwarden/
  reverse_proxy /bitwarden/* localhost:3401

  redir /rss /miniflux/
  redir /rss/ /miniflux/
  redir /miniflux /miniflux/
  reverse_proxy /miniflux/* unix//run/miniflux/miniflux.sock
}

Since this is a separate issue from what was in the OP, I opened up a new thread linked below, and marked francislavoie’s answer as the solution. Thanks again!

Link to new thread:

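As an added triage example (not from this thread, and not part of Caddy): a small Python parser that reads the ACME error lines Caddy logged above, pairs each "acme: error" line with the "(challenge=... remaining=[...])" line that follows it, and maps the three failures seen in this thread (HTTP-01 answered by another host on port 80, TLS-ALPN-01 with no acme-tls/1 listener, DNS-01 rejected with HTTP 401) to their likely causes. The sample log is a trimmed copy of the lines quoted above; the explanations in explain() are assumptions drawn from the answers in this thread.

```python
import re
from dataclasses import dataclass
# Constructed sample: trimmed copies of the Caddy/ACME log lines quoted in this thread.
SAMPLE_LOG = """\
Jul 25 21:00:41 raspberrypi caddy[26699]: [nizar.cf] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://nizar.cf/.well-known/acme-challenge/QltpQGLzh83Wd4OEs1bEEtkxjiedgM1sLGoEyVCq3uU [2606:4700:3037::ac43:9d9d]: "<!DOCTYPE html>", url:
Jul 25 21:00:41 raspberrypi caddy[26699]:  (challenge=http-01 remaining=[tls-alpn-01])
Jul 25 21:00:46 raspberrypi caddy[26699]: [nizar.cf] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge, url:
Jul 25 21:00:46 raspberrypi caddy[26699]:  (challenge=tls-alpn-01 remaining=[])
Jul 26 03:55:21 raspberrypi caddy[30881]: [nizar.cf] [nizar.cf] acme: error presenting token: got error status: HTTP 401: []
Jul 26 03:55:21 raspberrypi caddy[30881]:  (challenge=dns-01 remaining=[])
"""

# "[domain] acme: error ..." (domain may be repeated, as in the DNS-01 lines); the
# follow-up "(challenge=... remaining=[...])" line; and the "[addr]:" the CA reached.
ERROR_RE = re.compile(r"\[(?P<domain>[^\]]+)\] (?:\[[^\]]+\] )?acme: error[: ](?P<detail>.*)$")
CHALLENGE_RE = re.compile(r"\(challenge=(?P<challenge>[\w-]+) remaining=\[(?P<remaining>[^\]]*)\]\)")
RESPONDER_RE = re.compile(r"\[(?P<addr>[0-9a-fA-F:.]+)\]:")

@dataclass
class Failure:
    domain: str
    challenge: str
    detail: str
    remaining: list      # challenge types the client had not yet tried
    responder: str       # address that answered an HTTP-01 probe, or None

def parse_failures(log: str) -> list:
    # Pair each "acme: error" line with the "(challenge=...)" line that follows it.
    failures, pending = [], None
    for line in log.splitlines():
        err = ERROR_RE.search(line)
        if err:
            resp = RESPONDER_RE.search(err["detail"])
            pending = (err["domain"], err["detail"].strip(), resp["addr"] if resp else None)
            continue
        ch = CHALLENGE_RE.search(line)
        if ch and pending:
            remaining = [r for r in ch["remaining"].split(",") if r]
            failures.append(Failure(pending[0], ch["challenge"], pending[1], remaining, pending[2]))
            pending = None
    return failures

def explain(f: Failure) -> str:
    # Assumed hints, phrased in the terms this thread uses for each failure mode.
    if f.challenge == "http-01" and "Invalid response from" in f.detail:
        return f"port 80 for {f.domain} was answered by {f.responder or 'another host'}, not by Caddy"
    if f.challenge == "tls-alpn-01" and "Cannot negotiate ALPN" in f.detail:
        return f"port 443 for {f.domain} did not reach a Caddy listener offering acme-tls/1"
    if f.challenge == "dns-01" and "HTTP 401" in f.detail:
        return f"the DNS provider rejected the API credentials for {f.domain}; no TXT record was published"
    return f"{f.challenge} failed for {f.domain}: {f.detail}"
```

Feed it journalctl output for the caddy unit to get one line per failed challenge attempt instead of reading the raw log.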
