1. The problem I’m having:
I created a new domain which is supposed to forward everything to another server: proxy0.mapcomplete.org
I restarted caddy, but it couldn’t get a certificate. Trying to connect to the domain gives an internal SSL error:
2. Error messages and/or full log output:
Jun 24 12:35:22 ubuntu-4gb-hel1-1 caddy[768400]: {"level":"info","ts":1719232522.9088569,"logger":"http","msg":"servers shutting down with eternal grace period"}
Jun 24 12:35:22 ubuntu-4gb-hel1-1 caddy[768400]: {"level":"info","ts":1719232522.909319,"logger":"tls.obtain","msg":"acquiring lock","identifier":"proxy0.mapcomplete.org"}
Jun 24 12:35:22 ubuntu-4gb-hel1-1 caddy[768400]: {"level":"info","ts":1719232522.909684,"msg":"autosaved config (load with --resume flag)","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Jun 24 12:35:22 ubuntu-4gb-hel1-1 caddy[768400]: {"level":"info","ts":1719232522.9104006,"logger":"admin.api","msg":"load complete"}
Jun 24 12:35:22 ubuntu-4gb-hel1-1 caddy[768400]: {"level":"info","ts":1719232522.911202,"logger":"tls.obtain","msg":"lock acquired","identifier":"proxy0.mapcomplete.org"}
Jun 24 12:35:22 ubuntu-4gb-hel1-1 caddy[768400]: {"level":"info","ts":1719232522.9113288,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"proxy0.mapcomplete.org"}
Jun 24 12:35:22 ubuntu-4gb-hel1-1 caddy[768400]: {"level":"debug","ts":1719232522.9113903,"logger":"events","msg":"event","name":"cert_obtaining","id":"38e06a97-56d1-4711-addf-2edc3df736d1","origin":"tls","data":{"identifier":"proxy0.mapcomplete.org"}}
Jun 24 12:35:22 ubuntu-4gb-hel1-1 caddy[768400]: {"level":"debug","ts":1719232522.9117339,"logger":"tls.obtain","msg":"trying issuer 1/1","issuer":"acme-v02.api.letsencrypt.org-directory"}
Jun 24 12:35:22 ubuntu-4gb-hel1-1 caddy[768400]: {"level":"info","ts":1719232522.9122386,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["proxy0.mapcomplete.org"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
Jun 24 12:35:22 ubuntu-4gb-hel1-1 caddy[768400]: {"level":"info","ts":1719232522.9122853,"logger":"admin","msg":"stopped previous server","address":"localhost:2019"}
Jun 24 12:35:22 ubuntu-4gb-hel1-1 caddy[768400]: {"level":"info","ts":1719232522.912306,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["proxy0.mapcomplete.org"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
Jun 24 12:35:22 ubuntu-4gb-hel1-1 caddy[768400]: {"level":"info","ts":1719232522.9123235,"logger":"http","msg":"using ACME account","account_id":"https://acme-v02.api.letsencrypt.org/acme/acct/1792725067","account_contact":[]}
Jun 24 12:35:22 ubuntu-4gb-hel1-1 systemd[1]: Reloaded Caddy.
Jun 24 12:35:23 ubuntu-4gb-hel1-1 caddy[768400]: {"level":"debug","ts":1719232523.3126297,"logger":"http.acme_client","msg":"http request","method":"GET","url":"https://acme-v02.api.letsencrypt.org/directory","headers":{"User-Agent":["Caddy/2.8.4 CertMagic acmez (linux; arm64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["746"],"Content-Type":["application/json"],"Date":["Mon, 24 Jun 2024 12:35:23 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Jun 24 12:35:23 ubuntu-4gb-hel1-1 caddy[768400]: {"level":"debug","ts":1719232523.3131073,"logger":"http.acme_client","msg":"creating order","account":"https://acme-v02.api.letsencrypt.org/acme/acct/1792725067","identifiers":["proxy0.mapcomplete.org"]}
Jun 24 12:35:23 ubuntu-4gb-hel1-1 caddy[768400]: {"level":"debug","ts":1719232523.4444542,"logger":"http.acme_client","msg":"http request","method":"HEAD","url":"https://acme-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.8.4 CertMagic acmez (linux; arm64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Mon, 24 Jun 2024 12:35:23 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["1VRjeNN9xRfzs-TQE5Jn2p2mOLOjqPtfZbcwQqahyCE7JnAR5NU"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Jun 24 12:35:23 ubuntu-4gb-hel1-1 caddy[768400]: {"level":"debug","ts":1719232523.589652,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.4 CertMagic acmez (linux; arm64)"]},"response_headers":{"Boulder-Requester":["1792725067"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["107"],"Content-Type":["application/problem+json"],"Date":["Mon, 24 Jun 2024 12:35:23 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["1VRjeNN94ba0RU4x14LLEEFv7pV2OJ8QVa1xedNULN6fpUggPoc"],"Server":["nginx"]},"status_code":400}
Jun 24 12:35:23 ubuntu-4gb-hel1-1 caddy[768400]: {"level":"error","ts":1719232523.5898173,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"proxy0.mapcomplete.org","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:malformed - JWS verification error"}
Jun 24 12:35:23 ubuntu-4gb-hel1-1 caddy[768400]: {"level":"debug","ts":1719232523.5900552,"logger":"events","msg":"event","name":"cert_failed","id":"104b5187-1971-4cd5-913d-4673d579f224","origin":"tls","data":{"error":{},"identifier":"proxy0.mapcomplete.org","issuers":["acme-v02.api.letsencrypt.org-directory"],"renewal":false}}
Jun 24 12:35:23 ubuntu-4gb-hel1-1 caddy[768400]: {"level":"error","ts":1719232523.5902164,"logger":"tls.obtain","msg":"will retry","error":"[proxy0.mapcomplete.org] Obtain: [proxy0.mapcomplete.org] creating new order: attempt 1: https://acme-v02.api.letsencrypt.org/acme/new-order: HTTP 400 urn:ietf:params:acme:error:malformed - JWS verification error (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":0.67898804,"max_duration":2592000}
3. Caddy version:
2.8.4
4. How I installed and ran Caddy:
a. System environment:
Ubuntu server 22.04.4 LTS, OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
b. Command:
systemctl reload caddy
d. My complete Caddy config:
{
	debug
}

hosted.mapcomplete.org {
	root * public/
	file_server
	header {
		+Permissions-Policy "interest-cohort=()"
	}
}

countrycoder.mapcomplete.org {
	root * tiles/
	file_server
	header {
		+Permissions-Policy "interest-cohort=()"
		+Access-Control-Allow-Origin https://hosted.mapcomplete.org https://dev.mapcomplete.org https://mapcomplete.org
	}
}

report.mapcomplete.org {
	reverse_proxy {
		to http://127.0.0.1:2348
	}
}

studio.mapcomplete.org {
	reverse_proxy {
		to http://127.0.0.1:1235
	}
}

lod.mapcomplete.org {
	reverse_proxy /extractgraph {
		to http://127.0.0.1:2346
	}
}

ipinfo.mapcomplete.org {
	reverse_proxy {
		to 127.0.0.1:2347
	}
}

proxy0.mapcomplete.org {
	reverse_proxy {
		to 109.128.57.178:2345
	}
}
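As an added example (not part of the original post and not Caddy project code), a small Python parser that walks journald-wrapped Caddy JSON log lines like the ones in section 2 and summarizes, per certificate identifier, which issuer was tried, the ACME error type and HTTP status it returned, and the retry schedule, plus every ACME API request that came back with a 4xx/5xx. The sample lines are abbreviated copies constructed from the log above; a defender can point the same function at `journalctl -u caddy` output to watch for stuck issuance.

```python
import json
import re

# Constructed sample: abbreviated copies of the journald-wrapped Caddy JSON lines from the post.
SAMPLE_LOG = r'''
Jun 24 12:35:22 ubuntu-4gb-hel1-1 caddy[768400]: {"level":"info","ts":1719232522.9113288,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"proxy0.mapcomplete.org"}
Jun 24 12:35:22 ubuntu-4gb-hel1-1 caddy[768400]: {"level":"debug","ts":1719232522.9117339,"logger":"tls.obtain","msg":"trying issuer 1/1","issuer":"acme-v02.api.letsencrypt.org-directory"}
Jun 24 12:35:22 ubuntu-4gb-hel1-1 systemd[1]: Reloaded Caddy.
Jun 24 12:35:23 ubuntu-4gb-hel1-1 caddy[768400]: {"level":"debug","ts":1719232523.589652,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/new-order","status_code":400}
Jun 24 12:35:23 ubuntu-4gb-hel1-1 caddy[768400]: {"level":"error","ts":1719232523.5898173,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"proxy0.mapcomplete.org","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:malformed - JWS verification error"}
Jun 24 12:35:23 ubuntu-4gb-hel1-1 caddy[768400]: {"level":"error","ts":1719232523.5902164,"logger":"tls.obtain","msg":"will retry","error":"[proxy0.mapcomplete.org] Obtain: creating new order: attempt 1: HTTP 400 urn:ietf:params:acme:error:malformed - JWS verification error","attempt":1,"retrying_in":60,"elapsed":0.67898804,"max_duration":2592000}
'''

# journald prefix: "<Mon> <day> <hh:mm:ss> <host> <unit>[<pid>]: <message>"
JOURNAL_RE = re.compile(r'^\S+\s+\d+ \d\d:\d\d:\d\d \S+ (?P<unit>[\w.-]+)\[\d+\]: (?P<rest>.*)$')
# ACME problem documents surface in Caddy errors as "HTTP <status> urn:ietf:params:acme:error:<type> - <detail>"
ACME_ERR_RE = re.compile(r'HTTP (?P<status>\d{3}) (?P<type>urn:ietf:params:acme:error:[\w-]+)')

def parse_journal_line(line):
    """Return the Caddy JSON event for one journald line, or None for non-Caddy or non-JSON lines."""
    m = JOURNAL_RE.match(line.strip())
    if not m or m.group('unit') != 'caddy':
        return None
    try:
        return json.loads(m.group('rest'))
    except json.JSONDecodeError:
        return None

def summarize_acme_failures(text):
    """Group tls.obtain events per identifier and collect failed ACME API requests."""
    records, failed_requests = {}, []
    for line in text.splitlines():
        ev = parse_journal_line(line)
        if not ev:
            continue
        if ev.get('logger') == 'http.acme_client' and ev.get('msg') == 'http request' and ev.get('status_code', 0) >= 400:
            failed_requests.append((ev['method'], ev['url'], ev['status_code']))
        if ev.get('logger') != 'tls.obtain':
            continue
        # "will retry" events carry the identifier only inside the error string: "[name] Obtain: ..."
        ident = ev.get('identifier') or (re.match(r'\[([^\]]+)\]', ev.get('error', '')) or [None, None])[1]
        if ident is None:
            continue  # e.g. "trying issuer 1/1" has no identifier of its own
        rec = records.setdefault(ident, {'issuer': None, 'acme_error': None, 'http_status': None, 'attempt': None, 'retry_in': None})
        if ev.get('issuer'):
            rec['issuer'] = ev['issuer']
        m = ACME_ERR_RE.search(ev.get('error', ''))
        if m:
            rec['acme_error'], rec['http_status'] = m.group('type'), int(m.group('status'))
        if ev.get('msg') == 'will retry':
            rec['attempt'], rec['retry_in'] = ev.get('attempt'), ev.get('retrying_in')
    return records, failed_requests
```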