Is it possible to get certs for custom TLD?

1. The problem I’m having:

I’m trying to get certs for a custom TLD which I use locally. Caddy is unable to generate certs for it.

2. Error messages and/or full log output:

Oct 11 22:42:21 dungeon-of-data systemd[1]: Started Caddy web server.
Oct 11 22:42:21 dungeon-of-data caddy[3674231]: {"level":"info","ts":1728666741.2529066,"logger":"tls.obtain","msg":"acquiring lock","identifier":"khazad.dum"}
Oct 11 22:42:21 dungeon-of-data caddy[3674231]: {"level":"info","ts":1728666741.255158,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/var/lib/caddy","instance":"d16f0c46-f3d3-4132-9ab5-b859582884f1","try_again":1728753141.2551558,"try_again_in":86399.99999968}
Oct 11 22:42:21 dungeon-of-data caddy[3674231]: {"level":"info","ts":1728666741.2751532,"logger":"tls","msg":"finished cleaning storage units"}
Oct 11 22:42:21 dungeon-of-data caddy[3674231]: {"level":"info","ts":1728666741.2767837,"logger":"tls.obtain","msg":"lock acquired","identifier":"khazad.dum"}
Oct 11 22:42:21 dungeon-of-data caddy[3674231]: {"level":"info","ts":1728666741.276879,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"khazad.dum"}
Oct 11 22:42:21 dungeon-of-data caddy[3674231]: {"level":"info","ts":1728666741.2783911,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["khazad.dum"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
Oct 11 22:42:21 dungeon-of-data caddy[3674231]: {"level":"info","ts":1728666741.2784066,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["khazad.dum"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
Oct 11 22:42:21 dungeon-of-data caddy[3674231]: {"level":"info","ts":1728666741.278432,"logger":"http","msg":"using ACME account","account_id":"https://acme-v02.api.letsencrypt.org/acme/acct/715329607","account_contact":[]}
Oct 11 22:42:22 dungeon-of-data caddy[3674231]: {"level":"error","ts":1728666742.6861641,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"khazad.dum","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid identifiers requested :: Cannot issue for \"khazad.dum\": Domain name does not end with a valid public suffix (TLD)"}
Oct 11 22:42:22 dungeon-of-data caddy[3674231]: {"level":"error","ts":1728666742.686231,"logger":"tls.obtain","msg":"will retry","error":"[khazad.dum] Obtain: [khazad.dum] creating new order: attempt 1: https://acme-v02.api.letsencrypt.org/acme/new-order: HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid identifiers requested :: Cannot issue for \"khazad.dum\": Domain name does not end with a valid public suffix (TLD) (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":1.409430959,"max_duration":2592000}
Oct 11 22:43:22 dungeon-of-data caddy[3674231]: {"level":"info","ts":1728666802.6873968,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"khazad.dum"}
Oct 11 22:43:24 dungeon-of-data caddy[3674231]: {"level":"info","ts":1728666804.1177218,"logger":"http","msg":"using ACME account","account_id":"https://acme-staging-v02.api.letsencrypt.org/acme/acct/166797983","account_contact":[]}
Oct 11 22:43:24 dungeon-of-data caddy[3674231]: {"level":"error","ts":1728666804.3911793,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"khazad.dum","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid identifiers requested :: Cannot issue for \"khazad.dum\": Domain name does not end with a valid public suffix (TLD)"}
Oct 11 22:43:24 dungeon-of-data caddy[3674231]: {"level":"error","ts":1728666804.3912413,"logger":"tls.obtain","msg":"will retry","error":"[khazad.dum] Obtain: [khazad.dum] creating new order: attempt 1: https://acme-staging-v02.api.letsencrypt.org/acme/new-order: HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid identifiers requested :: Cannot issue for \"khazad.dum\": Domain name does not end with a valid public suffix (TLD) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":2,"retrying_in":120,"elapsed":63.114441238,"max_duration":2592000}

3. Caddy version:

v2.8.4

4. How I installed and ran Caddy:

Installed from official Arch repos and ran via systemctl enable --now caddy.

a. System environment:

OS: Arch

b. Command:

systemctl start caddy

c. Service/unit/compose file:

d. My complete Caddy config:

{
	admin "unix//run/caddy/admin.socket"
}

http:// {
	# Set this path to your site's directory.
	root * /usr/share/caddy

	# Enable the static file server.
	file_server
}

khazad.dum {
	root * /srv/http
	file_server
}

5. Links to relevant resources:

Hi @txtsd,

Not from Let’s Encrypt as the certificate issuer.


I don’t mind whatever the alternative is, as long as I don’t have to manually generate the certs. What are my options?

Managed to get it done with tls internal!

Yes, but no publicly-trusted CA will issue certs for non-public domains. So those certs will not be trusted unless the root is installed into each client's trust store.


Got it. Thanks!

