I can't access to my server with my domain

tetratheta · October 24, 2022, 2:12pm

1. Output of `caddy version`:

v2.6.2 h1:wKoFIxpmOJLGl3QXoo6PNbYvGW4xLEgo32GPBEjWL8o=

2. How I run Caddy:

I want to run https://git.haipa.xyz which redirects client to Gitea on port 3000.
Since Caddy can automatically configure HTTPS, I didn’t installed any certbot or any other related packages. Caddy will act as ‘TLS termination proxy’, so HTTPS will be only available until Caddy, not Gitea.

Client <–(HTTPS)–> Caddy <–(HTTP)–> Gitea

a. System environment:

Result of lsb_release -a:

No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.1 LTS
Release:        22.04
Codename:       jammy

Caddy is directly installed to system. No Docker presents.

Caddy is running as systemd service.

● caddy.service - Caddy
     Loaded: loaded (/lib/systemd/system/caddy.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2022-10-23 20:46:06 KST; 1 day 2h ago
       Docs: https://caddyserver.com/docs/
   Main PID: 759 (caddy)
      Tasks: 9 (limit: 1076)
     Memory: 35.7M
        CPU: 6.720s
     CGroup: /system.slice/caddy.service
             └─759 /usr/bin/caddy run --environ --config /etc/caddy/Caddyfile

Oct 24 22:39:02 oracle2 caddy[759]: {"level":"info","ts":1666618742.7293391,"logger":"http.log","msg":"server running","name":"sr>
Oct 24 22:39:02 oracle2 caddy[759]: {"level":"info","ts":1666618742.7296584,"logger":"http.log","msg":"server running","name":"re>
Oct 24 22:39:02 oracle2 caddy[759]: {"level":"info","ts":1666618742.7298453,"logger":"http","msg":"enabling automatic TLS certifi>
Oct 24 22:39:02 oracle2 caddy[759]: {"level":"info","ts":1666618742.7335446,"logger":"tls.cache.maintenance","msg":"stopped backg>
Oct 24 22:39:02 oracle2 caddy[759]: {"level":"info","ts":1666618742.733737,"msg":"autosaved config (load with --resume flag)","fi>
Oct 24 22:39:02 oracle2 caddy[759]: {"level":"info","ts":1666618742.7340877,"logger":"admin.api","msg":"load complete"}
Oct 24 22:39:02 oracle2 caddy[759]: {"level":"info","ts":1666618742.7408834,"logger":"admin","msg":"stopped previous server","add>
Oct 24 22:41:15 oracle2 caddy[759]: {"level":"info","ts":1666618875.6785727,"logger":"admin.api","msg":"received request","method>
Oct 24 22:41:15 oracle2 caddy[759]: {"level":"info","ts":1666618875.6788871,"msg":"config is unchanged"}
Oct 24 22:41:15 oracle2 caddy[759]: {"level":"info","ts":1666618875.6789656,"logger":"admin.api","msg":"load complete"}

b. Command:

Caddy is automatically starts when system start, and I didn’t called any Caddy command except for caddy reload --config /etc/caddy/Caddyfile.

d. My complete Caddy config:

https://git.haipa.xyz {
	reverse_proxy :3000
}

3. The problem I’m having:

When I try to connect to https://git.haipa.xyz, I get ERR_NAME_NOT_RESOLVED error code from my Chrome.

Here is a result of attemting to connect to https://git.haipa.xyz:

$ curl -v https://git.haipa.xyz
* Could not resolve host: git.haipa.xyz
* Closing connection 0
curl: (6) Could not resolve host: git.haipa.xyz

I should be able to see Gitea configuration screen, but since I can’t access to my site, I can’t configure it neither.

4. Error messages and/or full log output:

Result of journalctl -u caddy --no-pager | less +G:

Oct 24 22:39:02 oracle2 caddy[759]: {"level":"info","ts":1666618742.692325,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//127.0.0.1:2019","//localhost:2019","//[::1]:2019"]}
Oct 24 22:39:02 oracle2 caddy[759]: {"level":"info","ts":1666618742.7276363,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000524e00"}
Oct 24 22:39:02 oracle2 caddy[759]: {"level":"info","ts":1666618742.72839,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
Oct 24 22:39:02 oracle2 caddy[759]: {"level":"info","ts":1666618742.7285645,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
Oct 24 22:39:02 oracle2 caddy[759]: {"level":"info","ts":1666618742.7290304,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
Oct 24 22:39:02 oracle2 caddy[759]: {"level":"info","ts":1666618742.7293391,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
Oct 24 22:39:02 oracle2 caddy[759]: {"level":"info","ts":1666618742.7296584,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
Oct 24 22:39:02 oracle2 caddy[759]: {"level":"info","ts":1666618742.7298453,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["git.haipa.xyz"]}
Oct 24 22:39:02 oracle2 caddy[759]: {"level":"info","ts":1666618742.7335446,"logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0xc0005bb2d0"}
Oct 24 22:39:02 oracle2 caddy[759]: {"level":"info","ts":1666618742.733737,"msg":"autosaved config (load with --resume flag)","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Oct 24 22:39:02 oracle2 caddy[759]: {"level":"info","ts":1666618742.7340877,"logger":"admin.api","msg":"load complete"}
Oct 24 22:39:02 oracle2 caddy[759]: {"level":"info","ts":1666618742.7408834,"logger":"admin","msg":"stopped previous server","address":"localhost:2019"}
Oct 24 22:41:15 oracle2 caddy[759]: {"level":"info","ts":1666618875.6785727,"logger":"admin.api","msg":"received request","method":"POST","host":"localhost:2019","uri":"/load","remote_ip":"127.0.0.1","remote_port":"44058","headers":{"Accept-Encoding":["gzip"],"Content-Length":["241"],"Content-Type":["application/json"],"Origin":["http://localhost:2019"],"User-Agent":["Go-http-client/1.1"]}}
Oct 24 22:41:15 oracle2 caddy[759]: {"level":"info","ts":1666618875.6788871,"msg":"config is unchanged"}
Oct 24 22:41:15 oracle2 caddy[759]: {"level":"info","ts":1666618875.6789656,"logger":"admin.api","msg":"load complete"}

5. What I already tried:

I tried to follow this CloudFlare’s article since I use CloudFlare as ‘DNS server’.

Mistyped domain or subdomain: No, I typed url(https://git.haipa.xyz) correctly.
Missing DNS records: No, I double-checked that git entry is pointing to IP of my instance.
DNSSEC wasn't disabled before the domain was added to Cloudflare: I can’t check because scan result is saying ‘Invalid domain name’. But if I remember correctly, there wasn’t any DNSSEC records before moving to CF, and after CF.
Nameservers no longer point to Cloudflare: I’m using CF’s nameserver.
Unresolved IP address: Both my main PC’s router and instance uses 1.1.1.1 as DNS resolver.

DNS propagation check result seems to be nice, because it is pointing to CF because I enabled proxy in CF dashboard.
It was pointing to actual IP address of my instance before I enabled proxy, so DNS propagation shouldn’t be the reason of this problem.

6. Links to relevant resources:

I don’t know what should I do next about this problem, so this section is empty.

francislavoie · October 24, 2022, 4:40pm

You mean proxy, not redirect. A redirect is a different HTTP concept, i.e. a special kind of response which contains the Location header, instructing the client to try again at a different URL.

Strange. I can resolve that domain name from my machine:

$ dig git.haipa.xyz

; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>> git.haipa.xyz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29443
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;git.haipa.xyz.			IN	A

;; ANSWER SECTION:
git.haipa.xyz.		282	IN	A	172.64.80.1

;; Query time: 92 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Mon Oct 24 12:38:24 EDT 2022
;; MSG SIZE  rcvd: 58

But when trying to use 1.1.1.1, it fails:

$ dig @1.1.1.1 git.haipa.xyz

; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>> @1.1.1.1 git.haipa.xyz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64554
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 9 (DNSKEY Missing): (no SEP matching the DS found for haipa.xyz.)
;; QUESTION SECTION:
;git.haipa.xyz.			IN	A

;; Query time: 72 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Mon Oct 24 12:39:30 EDT 2022
;; MSG SIZE  rcvd: 91

tetratheta · October 24, 2022, 5:28pm

Does ‘who manages domain’ affects this? I transferred my domain to ‘Gabia’(South Korea) 60 days ago, and after that, I couldn’t access my domain and subdomain. Since the transfer, my domain were in ‘transfer lock’.

I even contacted Gabia for inaccessibility of my domain and they reset my domain’s nameserver to theirs. Well, that didn’t work neither. I still couldn’t access my domain. Changing nameserver to CF’s doesn’t work neither.

Maybe I should find another company like CF, but this always requires me to pay ~$10 for ‘transferring & extending’ domain for each domains I have.
I hope there is a way to transfer domain without extending it. I’m currently out of my budget.

Yes, you are right.

francislavoie · October 24, 2022, 5:40pm

Honestly, I’m not sure I can answer that. Maybe someone else can though

But yeah it seems clear this is a DNS issue, not a problem with Caddy in particular.

tetratheta · October 25, 2022, 8:17am

Found a reason why I can’t access my server with my domain.

I contacted Gabia, where I transferred my domain to find out what caused this problem.

It turned out that beefore I transfer my domain, I enabled DNSSEC and completely forgot about it. Since DNSSEC information doesn’t match, my domain couldn’t be reached, even though DNS information is set.

After the contact, Gabia cleared DNSSEC information, and now I can ping(Windows) my server and it prints CF server’s IP address.

Thank you for help so much!

And now, here is another problem:

$ curl -v https://git.haipa.xyz
*   Trying 104.21.63.172:443...
* Connected to git.haipa.xyz (104.21.63.172) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS header, Unknown (21):
* TLSv1.3 (IN), TLS alert, handshake failure (552):
* error:0A000410:SSL routines::sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:0A000410:SSL routines::sslv3 alert handshake failure

I thought that setting Caddyfile like this would automatically set HTTPS for my domain…

https://git.haipa.xyz {
	reverse_proxy :3000
}

So I removed everything under /var/lib/caddy/.local/share hoping it will remove all certs about git.haipa.xyz and Caddy will re-create it. Now I get these error and I don’t think Caddy get certs about my domain.

$ journalctl -u caddy --no-pager | less +G
Oct 25 17:13:09 oracle2 caddy[784]: {"level":"error","ts":1666685589.5747356,"logger":"tls.obtain","msg":"will retry","error":"[git.haipa.xyz] Obtain: account pre-registration callback: performing EAB credentials request: Post \"https://api.zerossl.com/acme/eab-credentials-email\": x509: certificate signed by unknown authority","attempt":1,"retrying_in":60,"elapsed":2.50185584,"max_duration":2592000}
Oct 25 17:14:09 oracle2 caddy[784]: {"level":"info","ts":1666685649.5750475,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"git.haipa.xyz"}
Oct 25 17:14:09 oracle2 caddy[784]: {"level":"warn","ts":1666685649.9767888,"logger":"http.acme_client","msg":"HTTP request failed; retrying","url":"https://acme-staging-v02.api.letsencrypt.org/directory","error":"performing request: Get \"https://acme-staging-v02.api.letsencrypt.org/directory\": x509: certificate signed by unknown authority"}
Oct 25 17:14:10 oracle2 caddy[784]: {"level":"warn","ts":1666685650.5666149,"logger":"http.acme_client","msg":"HTTP request failed; retrying","url":"https://acme-staging-v02.api.letsencrypt.org/directory","error":"performing request: Get \"https://acme-staging-v02.api.letsencrypt.org/directory\": x509: certificate signed by unknown authority"}
Oct 25 17:14:11 oracle2 caddy[784]: {"level":"warn","ts":1666685651.1647358,"logger":"http.acme_client","msg":"HTTP request failed; retrying","url":"https://acme-staging-v02.api.letsencrypt.org/directory","error":"performing request: Get \"https://acme-staging-v02.api.letsencrypt.org/directory\": x509: certificate signed by unknown authority"}
Oct 25 17:14:11 oracle2 caddy[784]: {"level":"error","ts":1666685651.1647918,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"git.haipa.xyz","issuer":"acme-v02.api.letsencrypt.org-directory","error":"registering account [] with server: provisioning client: performing request: Get \"https://acme-staging-v02.api.letsencrypt.org/directory\": x509: certificate signed by unknown authority"}
Oct 25 17:14:11 oracle2 caddy[784]: {"level":"warn","ts":1666685651.1649406,"logger":"http","msg":"missing email address for ZeroSSL; it is strongly recommended to set one for next time"}
Oct 25 17:14:11 oracle2 caddy[784]: {"level":"error","ts":1666685651.556948,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"git.haipa.xyz","issuer":"acme.zerossl.com-v2-DV90","error":"account pre-registration callback: performing EAB credentials request: Post \"https://api.zerossl.com/acme/eab-credentials-email\": x509: certificate signed by unknown authority"}
Oct 25 17:14:11 oracle2 caddy[784]: {"level":"error","ts":1666685651.5570192,"logger":"tls.obtain","msg":"will retry","error":"[git.haipa.xyz] Obtain: account pre-registration callback: performing EAB credentials request: Post \"https://api.zerossl.com/acme/eab-credentials-email\": x509: certificate signed by unknown authority","attempt":2,"retrying_in":120,"elapsed":64.48413916,"max_duration":2592000}

francislavoie · October 25, 2022, 9:45am

Hmm, that’s strange. I’m thinking your machine might not have the root CA certs for ACME issuers installed. You might need to install the ca-certificates package. I’m surprised you might not already have it installed though

tetratheta · October 25, 2022, 9:59am

Hmm, ca-certificates package is already installed and its version is latest (20211016).
Is there any way to ‘complete reset’ Caddy and its config/data to its fresh installation state? I think I should re-do the whole configuration.

francislavoie · October 25, 2022, 10:11am

Yeah, Caddy’s default storage location when installed as an apt package is /var/lib/caddy/.local/share/caddy. You can wipe that out and restart the caddy service and it should give you a clean slate.

tetratheta · October 25, 2022, 10:41am

I stopped & restarted Caddy service with these command and printed Caddy’s log. I removed logs before Caddy stop because they are useless (I remove Caddy’s storage).

# systemctl stop caddy
# rm -rf /var/lib/caddy/.local/share/caddy/
# systemctl start caddy
# journalctl -u caddy --no-pager
Oct 25 19:27:25 oracle2 systemd[1]: caddy.service: Deactivated successfully.
Oct 25 19:27:25 oracle2 systemd[1]: Stopped Caddy.
Oct 25 19:27:25 oracle2 systemd[1]: caddy.service: Consumed 3.443s CPU time.
Oct 25 19:27:44 oracle2 systemd[1]: Starting Caddy...
Oct 25 19:27:44 oracle2 caddy[2009]: caddy.HomeDir=/var/lib/caddy
Oct 25 19:27:44 oracle2 caddy[2009]: caddy.AppDataDir=/var/lib/caddy/.local/share/caddy
Oct 25 19:27:44 oracle2 caddy[2009]: caddy.AppConfigDir=/var/lib/caddy/.config/caddy
Oct 25 19:27:44 oracle2 caddy[2009]: caddy.ConfigAutosavePath=/var/lib/caddy/.config/caddy/autosave.json
Oct 25 19:27:44 oracle2 caddy[2009]: caddy.Version=v2.6.2 h1:wKoFIxpmOJLGl3QXoo6PNbYvGW4xLEgo32GPBEjWL8o=
Oct 25 19:27:44 oracle2 caddy[2009]: runtime.GOOS=linux
Oct 25 19:27:44 oracle2 caddy[2009]: runtime.GOARCH=amd64
Oct 25 19:27:44 oracle2 caddy[2009]: runtime.Compiler=gc
Oct 25 19:27:44 oracle2 caddy[2009]: runtime.NumCPU=2
Oct 25 19:27:44 oracle2 caddy[2009]: runtime.GOMAXPROCS=2
Oct 25 19:27:44 oracle2 caddy[2009]: runtime.Version=go1.19.2
Oct 25 19:27:44 oracle2 caddy[2009]: os.Getwd=/
Oct 25 19:27:44 oracle2 caddy[2009]: LANG=C.UTF-8
Oct 25 19:27:44 oracle2 caddy[2009]: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
Oct 25 19:27:44 oracle2 caddy[2009]: NOTIFY_SOCKET=/run/systemd/notify
Oct 25 19:27:44 oracle2 caddy[2009]: HOME=/var/lib/caddy
Oct 25 19:27:44 oracle2 caddy[2009]: LOGNAME=caddy
Oct 25 19:27:44 oracle2 caddy[2009]: USER=caddy
Oct 25 19:27:44 oracle2 caddy[2009]: INVOCATION_ID=5bc22cb4a1fc42848e561df429d991cf
Oct 25 19:27:44 oracle2 caddy[2009]: JOURNAL_STREAM=8:27182
Oct 25 19:27:44 oracle2 caddy[2009]: SYSTEMD_EXEC_PID=2009
Oct 25 19:27:44 oracle2 caddy[2009]: {"level":"info","ts":1666693664.8368983,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Oct 25 19:27:44 oracle2 caddy[2009]: {"level":"info","ts":1666693664.8419542,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
Oct 25 19:27:44 oracle2 caddy[2009]: {"level":"info","ts":1666693664.8424625,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
Oct 25 19:27:44 oracle2 caddy[2009]: {"level":"info","ts":1666693664.8424797,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
Oct 25 19:27:44 oracle2 caddy[2009]: {"level":"info","ts":1666693664.8427632,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
Oct 25 19:27:44 oracle2 caddy[2009]: {"level":"info","ts":1666693664.8428235,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details."}
Oct 25 19:27:44 oracle2 caddy[2009]: {"level":"info","ts":1666693664.842884,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
Oct 25 19:27:44 oracle2 caddy[2009]: {"level":"info","ts":1666693664.8429127,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
Oct 25 19:27:44 oracle2 caddy[2009]: {"level":"info","ts":1666693664.842918,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["git.haipa.xyz"]}
Oct 25 19:27:44 oracle2 caddy[2009]: {"level":"info","ts":1666693664.8432703,"msg":"autosaved config (load with --resume flag)","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Oct 25 19:27:44 oracle2 caddy[2009]: {"level":"info","ts":1666693664.843395,"msg":"serving initial configuration"}
Oct 25 19:27:44 oracle2 caddy[2009]: {"level":"info","ts":1666693664.8434246,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/var/lib/caddy/.local/share/caddy"}
Oct 25 19:27:44 oracle2 caddy[2009]: {"level":"info","ts":1666693664.8434372,"logger":"tls","msg":"finished cleaning storage units"}
Oct 25 19:27:44 oracle2 caddy[2009]: {"level":"info","ts":1666693664.8435004,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000350e00"}
Oct 25 19:27:44 oracle2 caddy[2009]: {"level":"info","ts":1666693664.8440943,"logger":"tls.obtain","msg":"acquiring lock","identifier":"git.haipa.xyz"}
Oct 25 19:27:44 oracle2 systemd[1]: Started Caddy.
Oct 25 19:27:44 oracle2 caddy[2009]: {"level":"info","ts":1666693664.8568292,"logger":"tls.obtain","msg":"lock acquired","identifier":"git.haipa.xyz"}
Oct 25 19:27:44 oracle2 caddy[2009]: {"level":"info","ts":1666693664.857371,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"git.haipa.xyz"}
Oct 25 19:27:45 oracle2 caddy[2009]: {"level":"warn","ts":1666693665.2171874,"logger":"http.acme_client","msg":"HTTP request failed; retrying","url":"https://acme-v02.api.letsencrypt.org/directory","error":"performing request: Get \"https://acme-v02.api.letsencrypt.org/directory\": x509: certificate signed by unknown authority"}
Oct 25 19:27:45 oracle2 caddy[2009]: {"level":"warn","ts":1666693665.832946,"logger":"http.acme_client","msg":"HTTP request failed; retrying","url":"https://acme-v02.api.letsencrypt.org/directory","error":"performing request: Get \"https://acme-v02.api.letsencrypt.org/directory\": x509: certificate signed by unknown authority"}
Oct 25 19:27:46 oracle2 caddy[2009]: {"level":"warn","ts":1666693666.4698102,"logger":"http.acme_client","msg":"HTTP request failed; retrying","url":"https://acme-v02.api.letsencrypt.org/directory","error":"performing request: Get \"https://acme-v02.api.letsencrypt.org/directory\": x509: certificate signed by unknown authority"}
Oct 25 19:27:46 oracle2 caddy[2009]: {"level":"error","ts":1666693666.469878,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"git.haipa.xyz","issuer":"acme-v02.api.letsencrypt.org-directory","error":"registering account [] with server: provisioning client: performing request: Get \"https://acme-v02.api.letsencrypt.org/directory\": x509: certificate signed by unknown authority"}
Oct 25 19:27:46 oracle2 caddy[2009]: {"level":"warn","ts":1666693666.470055,"logger":"http","msg":"missing email address for ZeroSSL; it is strongly recommended to set one for next time"}
Oct 25 19:27:46 oracle2 caddy[2009]: {"level":"error","ts":1666693666.8967595,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"git.haipa.xyz","issuer":"acme.zerossl.com-v2-DV90","error":"account pre-registration callback: performing EAB credentials request: Post \"https://api.zerossl.com/acme/eab-credentials-email\": x509: certificate signed by unknown authority"}
Oct 25 19:27:46 oracle2 caddy[2009]: {"level":"error","ts":1666693666.8971872,"logger":"tls.obtain","msg":"will retry","error":"[git.haipa.xyz] Obtain: account pre-registration callback: performing EAB credentials request: Post \"https://api.zerossl.com/acme/eab-credentials-email\": x509: certificate signed by unknown authority","attempt":1,"retrying_in":60,"elapsed":2.040012082,"max_duration":2592000}
Oct 25 19:28:46 oracle2 caddy[2009]: {"level":"info","ts":1666693726.89918,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"git.haipa.xyz"}
Oct 25 19:28:47 oracle2 caddy[2009]: {"level":"warn","ts":1666693727.2797995,"logger":"http.acme_client","msg":"HTTP request failed; retrying","url":"https://acme-staging-v02.api.letsencrypt.org/directory","error":"performing request: Get \"https://acme-staging-v02.api.letsencrypt.org/directory\": x509: certificate signed by unknown authority"}
Oct 25 19:28:47 oracle2 caddy[2009]: {"level":"warn","ts":1666693727.8695114,"logger":"http.acme_client","msg":"HTTP request failed; retrying","url":"https://acme-staging-v02.api.letsencrypt.org/directory","error":"performing request: Get \"https://acme-staging-v02.api.letsencrypt.org/directory\": x509: certificate signed by unknown authority"}
Oct 25 19:28:48 oracle2 caddy[2009]: {"level":"warn","ts":1666693728.4594836,"logger":"http.acme_client","msg":"HTTP request failed; retrying","url":"https://acme-staging-v02.api.letsencrypt.org/directory","error":"performing request: Get \"https://acme-staging-v02.api.letsencrypt.org/directory\": x509: certificate signed by unknown authority"}
Oct 25 19:28:48 oracle2 caddy[2009]: {"level":"error","ts":1666693728.4595308,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"git.haipa.xyz","issuer":"acme-v02.api.letsencrypt.org-directory","error":"registering account [] with server: provisioning client: performing request: Get \"https://acme-staging-v02.api.letsencrypt.org/directory\": x509: certificate signed by unknown authority"}
Oct 25 19:28:48 oracle2 caddy[2009]: {"level":"warn","ts":1666693728.4596572,"logger":"http","msg":"missing email address for ZeroSSL; it is strongly recommended to set one for next time"}
Oct 25 19:28:48 oracle2 caddy[2009]: {"level":"error","ts":1666693728.8526764,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"git.haipa.xyz","issuer":"acme.zerossl.com-v2-DV90","error":"account pre-registration callback: performing EAB credentials request: Post \"https://api.zerossl.com/acme/eab-credentials-email\": x509: certificate signed by unknown authority"}
Oct 25 19:28:48 oracle2 caddy[2009]: {"level":"error","ts":1666693728.852737,"logger":"tls.obtain","msg":"will retry","error":"[git.haipa.xyz] Obtain: account pre-registration callback: performing EAB credentials request: Post \"https://api.zerossl.com/acme/eab-credentials-email\": x509: certificate signed by unknown authority","attempt":2,"retrying_in":120,"elapsed":63.995562624,"max_duration":2592000}

I see some error message related to certificate signed by unknown authority. Is this a reason of this problem?

francislavoie · October 25, 2022, 10:57am

Yeah, that’s why I asked that you make sure ca-certificates is installed. “unknown authority” suggests that the root CA certificates for Let’s Encrypt and ZeroSSL are not known by your system.

Try running update-ca-certificates and also try rebooting your server.

tetratheta · October 25, 2022, 11:13am

The reason why it failed was there was no /etc/ssl/certs/ directory present. So I created it and ran update-ca-certificates command. It created a lot of symlinks.

After the reboot, I think Caddy successfully got certificate of my domain. But, I can’t still connect to my domain.

$ journalctl -u caddy --no-pager
-- Boot 4ee522f5a68340a19fdcd75f38080a3e --
Oct 25 20:03:14 oracle2 systemd[1]: Starting Caddy...
Oct 25 20:03:17 oracle2 caddy[781]: caddy.HomeDir=/var/lib/caddy
Oct 25 20:03:17 oracle2 caddy[781]: caddy.AppDataDir=/var/lib/caddy/.local/share/caddy
Oct 25 20:03:17 oracle2 caddy[781]: caddy.AppConfigDir=/var/lib/caddy/.config/caddy
Oct 25 20:03:17 oracle2 caddy[781]: caddy.ConfigAutosavePath=/var/lib/caddy/.config/caddy/autosave.json
Oct 25 20:03:17 oracle2 caddy[781]: caddy.Version=v2.6.2 h1:wKoFIxpmOJLGl3QXoo6PNbYvGW4xLEgo32GPBEjWL8o=
Oct 25 20:03:17 oracle2 caddy[781]: runtime.GOOS=linux
Oct 25 20:03:17 oracle2 caddy[781]: runtime.GOARCH=amd64
Oct 25 20:03:17 oracle2 caddy[781]: runtime.Compiler=gc
Oct 25 20:03:17 oracle2 caddy[781]: runtime.NumCPU=2
Oct 25 20:03:17 oracle2 caddy[781]: runtime.GOMAXPROCS=2
Oct 25 20:03:17 oracle2 caddy[781]: runtime.Version=go1.19.2
Oct 25 20:03:17 oracle2 caddy[781]: os.Getwd=/
Oct 25 20:03:17 oracle2 caddy[781]: LANG=C.UTF-8
Oct 25 20:03:17 oracle2 caddy[781]: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
Oct 25 20:03:17 oracle2 caddy[781]: NOTIFY_SOCKET=/run/systemd/notify
Oct 25 20:03:17 oracle2 caddy[781]: HOME=/var/lib/caddy
Oct 25 20:03:17 oracle2 caddy[781]: LOGNAME=caddy
Oct 25 20:03:17 oracle2 caddy[781]: USER=caddy
Oct 25 20:03:17 oracle2 caddy[781]: INVOCATION_ID=22171b870fec4ba5ab6edf5435ad1107
Oct 25 20:03:17 oracle2 caddy[781]: JOURNAL_STREAM=8:21641
Oct 25 20:03:17 oracle2 caddy[781]: SYSTEMD_EXEC_PID=781
Oct 25 20:03:17 oracle2 caddy[781]: {"level":"info","ts":1666695797.7964902,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Oct 25 20:03:17 oracle2 caddy[781]: {"level":"info","ts":1666695797.8824391,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//[::1]:2019","//127.0.0.1:2019","//localhost:2019"]}
Oct 25 20:03:17 oracle2 caddy[781]: {"level":"info","ts":1666695797.8825622,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
Oct 25 20:03:17 oracle2 caddy[781]: {"level":"info","ts":1666695797.8825753,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
Oct 25 20:03:17 oracle2 caddy[781]: {"level":"info","ts":1666695797.8827896,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
Oct 25 20:03:17 oracle2 caddy[781]: {"level":"info","ts":1666695797.882846,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details."}
Oct 25 20:03:17 oracle2 caddy[781]: {"level":"info","ts":1666695797.8828967,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
Oct 25 20:03:17 oracle2 caddy[781]: {"level":"info","ts":1666695797.8829257,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
Oct 25 20:03:17 oracle2 caddy[781]: {"level":"info","ts":1666695797.8829315,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["git.haipa.xyz"]}
Oct 25 20:03:17 oracle2 caddy[781]: {"level":"info","ts":1666695797.8856232,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000288d90"}
Oct 25 20:03:17 oracle2 caddy[781]: {"level":"info","ts":1666695797.8857229,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/var/lib/caddy/.local/share/caddy"}
Oct 25 20:03:17 oracle2 caddy[781]: {"level":"info","ts":1666695797.8880637,"logger":"tls","msg":"finished cleaning storage units"}
Oct 25 20:03:17 oracle2 caddy[781]: {"level":"info","ts":1666695797.8884702,"logger":"tls.obtain","msg":"acquiring lock","identifier":"git.haipa.xyz"}
Oct 25 20:03:17 oracle2 caddy[781]: {"level":"info","ts":1666695797.8939672,"msg":"autosaved config (load with --resume flag)","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Oct 25 20:03:17 oracle2 systemd[1]: Started Caddy.
Oct 25 20:03:17 oracle2 caddy[781]: {"level":"info","ts":1666695797.897457,"logger":"tls.obtain","msg":"lock acquired","identifier":"git.haipa.xyz"}
Oct 25 20:03:17 oracle2 caddy[781]: {"level":"info","ts":1666695797.8976166,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"git.haipa.xyz"}
Oct 25 20:03:17 oracle2 caddy[781]: {"level":"info","ts":1666695797.89848,"msg":"serving initial configuration"}
Oct 25 20:03:21 oracle2 caddy[781]: {"level":"info","ts":1666695801.9894607,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["git.haipa.xyz"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
Oct 25 20:03:21 oracle2 caddy[781]: {"level":"info","ts":1666695801.9895027,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["git.haipa.xyz"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
Oct 25 20:03:22 oracle2 caddy[781]: {"level":"info","ts":1666695802.3817394,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"git.haipa.xyz","challenge_type":"http-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
Oct 25 20:03:22 oracle2 caddy[781]: {"level":"info","ts":1666695802.8861287,"logger":"http","msg":"served key authentication","identifier":"git.haipa.xyz","challenge":"http-01","remote":"172.70.131.88:54902","distributed":false}
Oct 25 20:03:22 oracle2 caddy[781]: {"level":"info","ts":1666695802.8862755,"logger":"http","msg":"served key authentication","identifier":"git.haipa.xyz","challenge":"http-01","remote":"172.71.150.167:42838","distributed":false}
Oct 25 20:03:22 oracle2 caddy[781]: {"level":"info","ts":1666695802.9858973,"logger":"http","msg":"served key authentication","identifier":"git.haipa.xyz","challenge":"http-01","remote":"172.70.210.43:28098","distributed":false}
Oct 25 20:03:23 oracle2 caddy[781]: {"level":"info","ts":1666695803.0813582,"logger":"http","msg":"served key authentication","identifier":"git.haipa.xyz","challenge":"http-01","remote":"172.70.251.194:40270","distributed":false}
Oct 25 20:03:23 oracle2 caddy[781]: {"level":"info","ts":1666695803.592211,"logger":"http.acme_client","msg":"authorization finalized","identifier":"git.haipa.xyz","authz_status":"valid"}
Oct 25 20:03:23 oracle2 caddy[781]: {"level":"info","ts":1666695803.592237,"logger":"http.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme-v02.api.letsencrypt.org/acme/order/793515257/137798193587"}
Oct 25 20:03:24 oracle2 caddy[781]: {"level":"info","ts":1666695804.4813645,"logger":"http.acme_client","msg":"successfully downloaded available certificate chains","count":2,"first_url":"https://acme-v02.api.letsencrypt.org/acme/cert/0345b57b97d8bc4e294e7fbba1157b16ca87"}
Oct 25 20:03:24 oracle2 caddy[781]: {"level":"info","ts":1666695804.4817753,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"git.haipa.xyz"}
Oct 25 20:03:24 oracle2 caddy[781]: {"level":"info","ts":1666695804.48181,"logger":"tls.obtain","msg":"releasing lock","identifier":"git.haipa.xyz"}

certificate obtained successfully so I think Caddy got the cert.

But when I try to connect to my domain, handshake fails.

$ curl -v https://git.haipa.xyz
*   Trying 104.21.63.172:443...
* Connected to git.haipa.xyz (104.21.63.172) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS header, Unknown (21):
* TLSv1.3 (IN), TLS alert, handshake failure (552):
* error:0A000410:SSL routines::sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:0A000410:SSL routines::sslv3 alert handshake failure

This is my current Caddyfile configuration.

https://git.haipa.xyz {
	reverse_proxy localhost:3000
}

francislavoie · October 26, 2022, 1:59am

When I try to connect to that domain, I’m actually reaching Cloudflare, not your server directly. And it’s causing a redirect loop:

$ curl -v https://git.haipa.xyz
*   Trying 172.64.80.1:443...
* Connected to git.haipa.xyz (172.64.80.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.haipa.xyz
*  start date: Oct 25 18:11:10 2022 GMT
*  expire date: Jan 23 18:11:09 2023 GMT
*  subjectAltName: host "git.haipa.xyz" matched cert's "*.haipa.xyz"
*  issuer: C=US; O=Let's Encrypt; CN=E1
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x55bd4cf44e80)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/2
> Host: git.haipa.xyz
> user-agent: curl/7.81.0
> accept: */*
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 308 
< date: Wed, 26 Oct 2022 01:58:14 GMT
< content-length: 0
< location: https://git.haipa.xyz/
< cf-cache-status: DYNAMIC
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=rBQNQzk3nMv%2FZwGb6Y4vIjHRAc4cYdwYWs0zxs4tDSyaKOa5hZmNJOZwijHB2UPI7oyPH5%2FasB%2FuOOIvNaExlOGBClugLrDOQbEhWPSfEUObNhmuD2%2BiQrGyp%2FgjfNOQ"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< server: cloudflare
< cf-ray: 75ff95f308071845-EWR
< alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
< 
* Connection #0 to host git.haipa.xyz left intact

Notice the Location header near the end, this is causing a redirect loop.

tetratheta · October 26, 2022, 5:43am

I configured CF like this.

(Those 3 above is for another subdomains pointing to same instance for another use)

I thought that ‘Proxied’ is how CF secure my domain, right? Well, I will try without CF proxy then. I think turning that off will expose my instance’s IP to public.

EDIT: Turning off CF Proxy seems to be working. But is it safe? Am I ok to expose my instance’s IP address to public like this?

Whitestrake · October 26, 2022, 6:05am

What encryption mode do you have your site set to in Cloudflare? (Dashboard → your site → SSL/TLS → Overview)

tetratheta · October 26, 2022, 6:12am

It is set to ‘Flexible’. Should I change it to ‘Full’ or ‘Full (strict)’?

Whitestrake · October 26, 2022, 6:23am

The Flexible SSL encryption mode in the Cloudflare SSL/TLS app Overview tab encrypts traffic between the browser and the Cloudflare network over HTTPS. However, when the Flexible SSL option is enabled, Cloudflare sends requests to your origin web server unencrypted over HTTP. Redirect loops occur if your origin web server is configured to redirect all HTTP requests to HTTPS when using the Flexible SSL option.

—https://support.cloudflare.com/hc/en-us/articles/115000219871-Troubleshooting-redirect-loop-errors

Note that Caddy’s secure-by-default configuration is to upgrade HTTP requests to HTTPS. This includes requests from Cloudflare.

tetratheta · October 26, 2022, 6:33am

I changed CF SSL setting to ‘Full’ and I can now connect to my domain and see website without any visible problem.

Thank both of you for helping me. You are the best!

I want to mark multiple replies as answer because all of them helped me, but since I can’t, I will mark last reply as answer. I really appreciate all of your message!

system · November 23, 2022, 2:13pm

This topic was automatically closed after 30 days. New replies are no longer allowed.