Ionos http tls challenges not working

1. Caddy version:

v2.6.2 h1:wKoFIxpmOJLGl3QXoo6PNbYvGW4xLEgo32GPBEjWL8o=

2. How I installed, and run Caddy:

ubuntu sudo apt recommended

a. System environment:

Ubuntu

b. Command:

caddy run

c. Service/unit/compose file:


d. My complete Caddy config:

pruiz.eu {
    respond "test"
}

3. The problem I’m having:

All challenges for getting the SSL certificate fail. I saw that I can install something for the DNS challenge:

I just wanted to know if it is mandatory to install the plugin and, in general, to know why the first two challenges fail and if there is anything I can do for them not to fail. I’m very new to using this tool and servers in general.

4. Error messages and/or full log output:

 ERROR   http.acme_client        challenge failed        {"identifier": "pruiz.eu", "challenge_type": "http-01", "problem": {"type": "", "title": "", "detail": "", "instance": "", "subproblems": []}}
2023/01/29 17:24:51.402 ERROR   http.acme_client        validating authorization        {"identifier": "pruiz.eu", "problem": {"type": "", "title": "", "detail": "", "instance": "", "subproblems": []}, "order": "https://acme.zerossl.com/v2/DV90/order/pOV_IBbdhlBxU0gFLQEu9w", "attempt": 1, "max_attempts": 3}
2023/01/29 17:24:51.402 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "pruiz.eu", "issuer": "acme.zerossl.com-v2-DV90", "error": "HTTP 0  - "}
2023/01/29 17:24:51.402 ERROR   tls.obtain      will retry      {"error": "[pruiz.eu] Obtain: [pruiz.eu] solving challenge: pruiz.eu: [pruiz.eu] authorization failed: HTTP 0  -  (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 10, "retrying_in": 3600, "elapsed": 7407.086602906, "max_duration": 2592000}

5. What I already tried:

I tried to configure the A record in Ionos to point to the IP and made sure the ports are open.

6. Links to relevant resources:

I guess these links may contain the solution for the DNS challenge. I just wanted to know why the first two challenges, “http” and “tls”, don’t work, and whether this is the normal/expected behavior.

Is that all you have in your logs? There’s not much information in those log lines. See if you have more logs which might have more details.

It should only be necessary if you’re using a wildcard domain, or if your server is not publicly accessible on ports 80 and 443.

From that screenshot, you configured the www subdomain, not your apex domain (i.e. @) so that might explain it. You asked Caddy to get a certificate for your apex domain (i.e. pruiz.eu) and not www.pruiz.eu.

Thanks for your detailed response, it was very helpful, though it is not yet working. I added the @pruiz.eu record at Ionos; let’s see if that changes something in the next hours.

(I think it may take some time to update the changes right?)

The full logs now look like this:

pablo@Pablo-hosting:~/caddy$ sudo caddy run
[sudo] password for pablo:
2023/01/30 09:31:13.811 INFO    using adjacent Caddyfile
2023/01/30 09:31:13.814 INFO    admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2023/01/30 09:31:13.815 INFO    http    server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2023/01/30 09:31:13.816 INFO    http    enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2023/01/30 09:31:13.815 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc00026f2d0"}
2023/01/30 09:31:13.828 INFO    tls     cleaning storage unit   {"description": "FileStorage:/root/.local/share/caddy"}
2023/01/30 09:31:13.828 INFO    tls     finished cleaning storage units
2023/01/30 09:31:13.851 WARN    pki.ca.local    installing root certificate (you might be prompted for password)        {"path": "storage:pki/authorities/local/root.crt"}
2023/01/30 09:31:13.853 INFO    Warning: "certutil" is not available, install "certutil" with "apt install libnss3-tools" or "yum install nss-tools" and try again
2023/01/30 09:31:13.854 INFO    define JAVA_HOME environment variable to use the Java trust
2023/01/30 09:31:14.871 INFO    certificate installed properly in linux trusts
2023/01/30 09:31:14.872 INFO    http    enabling HTTP/3 listener        {"addr": ":443"}
2023/01/30 09:31:14.873 INFO    failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details.
2023/01/30 09:31:14.873 INFO    http.log        server running  {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2023/01/30 09:31:14.874 INFO    http.log        server running  {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2023/01/30 09:31:14.874 INFO    http    enabling automatic TLS certificate management   {"domains": ["pruiz.eu", "localhost"]}
2023/01/30 09:31:14.874 INFO    autosaved config (load with --resume flag)      {"file": "/root/.config/caddy/autosave.json"}
2023/01/30 09:31:14.876 INFO    serving initial configuration
2023/01/30 09:31:14.875 INFO    tls.obtain      acquiring lock  {"identifier": "localhost"}
2023/01/30 09:31:14.875 INFO    tls.obtain      acquiring lock  {"identifier": "pruiz.eu"}
2023/01/30 09:31:14.879 INFO    tls.obtain      lock acquired   {"identifier": "pruiz.eu"}
2023/01/30 09:31:14.879 INFO    tls.obtain      obtaining certificate   {"identifier": "pruiz.eu"}
2023/01/30 09:31:14.880 INFO    tls.obtain      lock acquired   {"identifier": "localhost"}
2023/01/30 09:31:14.880 INFO    tls.obtain      obtaining certificate   {"identifier": "localhost"}
2023/01/30 09:31:14.886 INFO    tls.obtain      certificate obtained successfully       {"identifier": "localhost"}
2023/01/30 09:31:14.888 INFO    tls.obtain      releasing lock  {"identifier": "localhost"}
2023/01/30 09:31:14.889 WARN    tls     stapling OCSP   {"error": "no OCSP stapling for [localhost]: no OCSP server specified in certificate", "identifiers": ["localhost"]}
2023/01/30 09:31:15.655 INFO    http    waiting on internal rate limiter        {"identifiers": ["pruiz.eu"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2023/01/30 09:31:15.657 INFO    http    done waiting on internal rate limiter   {"identifiers": ["pruiz.eu"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2023/01/30 09:31:15.987 INFO    http.acme_client        trying to solve challenge       {"identifier": "pruiz.eu", "challenge_type": "http-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2023/01/30 09:31:27.012 ERROR   http.acme_client        challenge failed        {"identifier": "pruiz.eu", "challenge_type": "http-01", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "217.160.44.69: Fetching http://pruiz.eu/.well-known/acme-challenge/X6ilQfXBm3r92cT59dzhzvDs7xMnfIHPTQTIcCmBUs8: Timeout during connect (likely firewall problem)", "instance": "", "subproblems": []}}
2023/01/30 09:31:27.018 ERROR   http.acme_client        validating authorization        {"identifier": "pruiz.eu", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "217.160.44.69: Fetching http://pruiz.eu/.well-known/acme-challenge/X6ilQfXBm3r92cT59dzhzvDs7xMnfIHPTQTIcCmBUs8: Timeout during connect (likely firewall problem)", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/940206547/161846226527", "attempt": 1, "max_attempts": 3}
2023/01/30 09:31:28.380 INFO    http.acme_client        trying to solve challenge       {"identifier": "pruiz.eu", "challenge_type": "tls-alpn-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2023/01/30 09:31:39.387 ERROR   http.acme_client        challenge failed        {"identifier": "pruiz.eu", "challenge_type": "tls-alpn-01", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "217.160.44.69: Timeout during connect (likely firewall problem)", "instance": "", "subproblems": []}}
2023/01/30 09:31:39.388 ERROR   http.acme_client        validating authorization        {"identifier": "pruiz.eu", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "217.160.44.69: Timeout during connect (likely firewall problem)", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/940206547/161846250757", "attempt": 2, "max_attempts": 3}
2023/01/30 09:31:39.389 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "pruiz.eu", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 400 urn:ietf:params:acme:error:connection - 217.160.44.69: Timeout during connect (likely firewall problem)"}
2023/01/30 09:31:39.390 WARN    http    missing email address for ZeroSSL; it is strongly recommended to set one for next time
2023/01/30 09:31:50.331 INFO    http    generated EAB credentials       {"key_id": "pD6Yg57GqowZTxexLqrsgQ"}
2023/01/30 09:32:13.217 INFO    http    waiting on internal rate limiter        {"identifiers": ["pruiz.eu"], "ca": "https://acme.zerossl.com/v2/DV90", "account": ""}
2023/01/30 09:32:13.217 INFO    http    done waiting on internal rate limiter   {"identifiers": ["pruiz.eu"], "ca": "https://acme.zerossl.com/v2/DV90", "account": ""}
2023/01/30 09:32:33.900 INFO    http.acme_client        trying to solve challenge      {"identifier": "pruiz.eu", "challenge_type": "http-01", "ca": "https://acme.zerossl.com/v2/DV90"}
2023/01/30 09:33:02.126 ERROR   http.acme_client        challenge failed        {"identifier": "pruiz.eu", "challenge_type": "http-01", "problem": {"type": "", "title": "", "detail": "", "instance": "", "subproblems": []}}
2023/01/30 09:33:02.126 ERROR   http.acme_client        validating authorization        {"identifier": "pruiz.eu", "problem": {"type": "", "title": "", "detail": "", "instance": "", "subproblems": []}, "order": "https://acme.zerossl.com/v2/DV90/order/HzcWlkne_YwoMIGfrCkV2A", "attempt": 1, "max_attempts": 3}
2023/01/30 09:33:02.126 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "pruiz.eu", "issuer": "acme.zerossl.com-v2-DV90", "error": "HTTP 0  - "}
2023/01/30 09:33:02.126 ERROR   tls.obtain      will retry      {"error": "[pruiz.eu] Obtain: [pruiz.eu] solving challenge: pruiz.eu: [pruiz.eu] authorization failed: HTTP 0  -  (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 1, "retrying_in": 60, "elapsed": 107.247109963, "max_duration": 2592000}

I installed libnss3-tools as stated in the logs (no change)

Issue solved!

On top of having the IP badly configured in Ionos, I was unaware that my server had ufw active, so even though I ensured that the Ionos firewall was already off, the internal ufw firewall was there ruining everything. The logs were very clear about the issue, but as a total newbie I still didn’t get it.

Many thanks for support and guidance :)!
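The log lines posted above already name the cause (the CA reports a connect timeout against 217.160.44.69 for both the http-01 and tls-alpn-01 challenges, and ZeroSSL returns an empty problem document), and the replies point at reading those lines carefully. As an added example that is not Caddy's own code, the script below parses Caddy's console log layout (timestamp, level, logger, message, JSON fields, as shown in the posts) and turns each "challenge failed" entry into a short diagnosis: which challenge and port failed, which address the CA tried, and what to check. The hint texts and the `HINTS`/`CHALLENGE_PORT` tables are assumptions of this example; the sample lines are copied from the logs in this thread.

```python
"""Classify ACME challenge failures in Caddy's console log output.

Added example for this thread; it is not Caddy's own code. It assumes
Caddy's default console log layout (timestamp, LEVEL, logger, message,
JSON fields), which is what the posts above show.
"""
import json
import re
from typing import Optional

# timestamp  LEVEL  logger  message  {json}. Caddy separates the fields
# with tabs; once pasted into a forum post they become runs of spaces,
# so the pattern accepts any whitespace run.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<level>[A-Z]+)\s+(?P<logger>\S+)\s+"
    r"(?P<msg>.*?)\s+(?P<fields>\{.*\})$"
)

# RFC 8555 problem types and the question each one should prompt
# (hint wording is this example's own, not Caddy's).
HINTS = {
    "urn:ietf:params:acme:error:connection":
        "the CA could not reach the host: check every firewall in the path "
        "(host firewall such as ufw, provider firewall, NAT/port forwarding)",
    "urn:ietf:params:acme:error:dns":
        "the CA could not resolve the name: check the A/AAAA record for the "
        "exact name requested (apex '@' vs 'www')",
    "urn:ietf:params:acme:error:unauthorized":
        "the CA reached a server but got the wrong answer: something other "
        "than Caddy is answering on that port for this name",
}

# Port each challenge type is validated on.
CHALLENGE_PORT = {"http-01": 80, "tls-alpn-01": 443}


def parse_line(line: str) -> Optional[dict]:
    """Split one console log line into its parts; None if it has no JSON fields."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        fields = json.loads(m.group("fields"))
    except json.JSONDecodeError:
        return None
    return {"ts": m.group("ts"), "level": m.group("level"),
            "logger": m.group("logger"), "msg": m.group("msg"), "fields": fields}


def diagnose(entry: dict) -> Optional[dict]:
    """Turn a 'challenge failed' entry into a diagnosis; None for other entries."""
    if entry["logger"] != "http.acme_client" or entry["msg"] != "challenge failed":
        return None
    f = entry["fields"]
    problem = f.get("problem") or {}
    ptype, detail = problem.get("type", ""), problem.get("detail", "")
    challenge = f.get("challenge_type", "unknown")
    # The CA prefixes the detail with the address it tried ("217.160.44.69: ...").
    ip_match = re.match(r"^(\d{1,3}(?:\.\d{1,3}){3}):", detail)
    if ptype:
        cause = ptype.rsplit(":", 1)[-1]
        hint = HINTS.get(ptype, detail or ptype)
    else:
        # ZeroSSL in the thread returned an empty problem document ("HTTP 0").
        cause = "no_detail"
        hint = "the CA gave no problem detail; use another CA's log lines for the real cause"
    return {
        "identifier": f.get("identifier"),
        "challenge": challenge,
        "port": CHALLENGE_PORT.get(challenge),
        "validation_ip": ip_match.group(1) if ip_match else None,
        "cause": cause,
        "hint": hint,
    }


def diagnose_log(text: str) -> list:
    """Diagnoses for every challenge failure in a block of log text, in order."""
    results = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry:
            d = diagnose(entry)
            if d:
                results.append(d)
    return results


# Sample input: four lines copied from the logs posted in this thread; the
# WARN line has no JSON fields and shows that such lines are skipped.
SAMPLE_LOG = """\
2023/01/30 09:31:27.012 ERROR   http.acme_client        challenge failed        {"identifier": "pruiz.eu", "challenge_type": "http-01", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "217.160.44.69: Fetching http://pruiz.eu/.well-known/acme-challenge/X6ilQfXBm3r92cT59dzhzvDs7xMnfIHPTQTIcCmBUs8: Timeout during connect (likely firewall problem)", "instance": "", "subproblems": []}}
2023/01/30 09:31:39.387 ERROR   http.acme_client        challenge failed        {"identifier": "pruiz.eu", "challenge_type": "tls-alpn-01", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "217.160.44.69: Timeout during connect (likely firewall problem)", "instance": "", "subproblems": []}}
2023/01/30 09:31:39.390 WARN    http    missing email address for ZeroSSL; it is strongly recommended to set one for next time
2023/01/30 09:33:02.126 ERROR   http.acme_client        challenge failed        {"identifier": "pruiz.eu", "challenge_type": "http-01", "problem": {"type": "", "title": "", "detail": "", "instance": "", "subproblems": []}}
"""

if __name__ == "__main__":
    for d in diagnose_log(SAMPLE_LOG):
        print(f"{d['identifier']} {d['challenge']} (port {d['port']}, "
              f"validator {d['validation_ip']}): {d['cause']} -> {d['hint']}")
```

Run against the thread's logs it reports a `connection` cause on port 80 and on port 443 from the same validator address, which is the signature of a firewall in front of (or on) the host rather than a DNS or Caddyfile problem; the ZeroSSL entry is flagged as carrying no detail, so the Let's Encrypt lines are the ones to read.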

Don’t run Caddy with sudo caddy run if you installed it using the apt repo. You should instead let Caddy run as a systemd service.

Great! Glad to hear it :slight_smile:


Sure, thanks for the tip :slight_smile:
