now I’m mixed up entirely. So, I decided to run the caddy command from the terminal in userspace with sudo just to see what I’d get. I added the -disable-tls-alpn-challenge flag that you suggested to another user with this error on this thread, @Whitestrake – TLS handshake errors out of nowhere - #3 by Whitestrake
That got me somewhere entirely different. STDOUT had this to say:
Activating privacy features...
2019/06/24 19:30:00 [INFO] [example.com] acme: Obtaining bundled SAN certificate
2019/06/24 19:30:00 [INFO] [example.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/giE8r629uZA8TQjpG_EXAMPLE
2019/06/24 19:30:00 [INFO] [example.com] acme: Could not find solver for: tls-alpn-01
2019/06/24 19:30:00 [INFO] [example.com] acme: use http-01 solver
2019/06/24 19:30:00 [INFO] [example.com] acme: Trying to solve HTTP-01
2019/06/24 19:38:40 [example.com] failed to obtain certificate: acme: Error -> One or more domains had a problem: [example.com] the server didn't respond to our request
I went to the URL and saw the challenges:
{
  "identifier": { "type": "dns", "value": "example.com" },
  "status": "pending",
  "expires": "2019-07-02T00:30:00Z",
  "challenges": [
    { "type": "http-01", "status": "pending",
Then, I tried again, and I got this as the last output:
failed to obtain certificate: acme: Error -> One or more domains had a problem: [example.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from https://example.com/.well-known/acme-challenge/EzX3lfYwbVlRlBi2mJd-EXAMPLE [199.195.144.46]: "<!DOCTYPE html>\r\n<html lang=\"en-US\">\r\n<head>\r\n\t\t<!--[if lt IE 9]>\r\n\t<script src=\"https://example.com/wp-content/themes/wp-theme-0319/j", url:
That tells me that the backup apache is serving up the wordpress, and wordpress is giving a 404 – it’s the wordpress theme on example.com’s html document coming up as a 404 - but I think it is actually denying the filetype (no extension) under the htaccess rules/wordpress security rewrite rules.
So, I guess I need to either figure out how to get htaccess to pass this request, or to figure out what is blocking TLS discussions between caddy and acme. It’s just the weirdest thing to me that caddy never had trouble before for two years. Update to 11.5 on homebrew, and this. Now, running 1.0 in a clean HOME for caddy and TLS won’t work here either – but it does for homebrew certbot.
I was not able to find any ACL entries on the caddy executable, and the binary has the following permissions (which should easily enable it to bind to a privileged port):
-rwsr-sr-x@ 1 root staff 20903376 Jun 7 14:44 caddy
I’m totally stumped.
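As an added example that is not part of the post or of Caddy itself: a small Python triage script that reads ACME client log lines of the shape quoted above, records which challenge solvers were skipped or used, and flags the two things the 403 output reveals (the challenge URL was answered with an HTML page rather than a token, and the CA reports an https URL, so the port-80 request was redirected). The sample log is constructed to mirror the quoted output; the token and IP address are placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the lines quoted in the post; the token and
# the IP address are placeholders, not values from the thread.
SAMPLE_LOG = """\
2019/06/24 19:30:00 [INFO] [example.com] acme: Obtaining bundled SAN certificate
2019/06/24 19:30:00 [INFO] [example.com] acme: Could not find solver for: tls-alpn-01
2019/06/24 19:30:00 [INFO] [example.com] acme: use http-01 solver
2019/06/24 19:30:00 [INFO] [example.com] acme: Trying to solve HTTP-01
2019/06/24 19:38:40 [example.com] failed to obtain certificate: acme: Error -> One or more domains had a problem: [example.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from https://example.com/.well-known/acme-challenge/TOKEN-PLACEHOLDER [203.0.113.10]: "<!DOCTYPE html>\\r\\n<html lang=\\"en-US\\">\\r\\n<head>"
"""

SKIPPED_RE = re.compile(r"\[(?P<domain>[^\]]+)\] acme: Could not find solver for: (?P<solver>\S+)")
USED_RE = re.compile(r"acme: use (?P<solver>\S+) solver")
FAIL_RE = re.compile(r"acme: error: (?P<status>\d+) :: (?P<urn>\S+) :: Invalid response from "
                     r"(?P<url>\S+) \[(?P<ip>[^\]]+)\]: \"(?P<body>.*)\"")


def triage(log_text):
    """Summarise one ACME attempt: which solvers were skipped or used, and why it failed."""
    result = {"domain": None, "skipped": [], "used": None, "failure": None, "diagnosis": []}
    for line in log_text.splitlines():
        if m := SKIPPED_RE.search(line):
            result["domain"] = m.group("domain")
            result["skipped"].append(m.group("solver"))
        elif m := USED_RE.search(line):
            result["used"] = m.group("solver")
        elif m := FAIL_RE.search(line):
            result["failure"] = m.groupdict()  # status, urn, url, ip, body prefix
    fail = result["failure"]
    if fail is None:
        return result
    body = fail["body"].lstrip().lower()
    url = urlparse(fail["url"])
    if "/.well-known/acme-challenge/" in url.path and body.startswith(("<!doctype", "<html")):
        result["diagnosis"].append(
            "challenge URL returned an HTML page instead of the token: a web server other "
            "than the ACME client answered the request")
    if url.scheme == "https":
        result["diagnosis"].append(
            "CA reports an https URL, so the port-80 request was redirected; the redirect "
            "target, not port 80 itself, produced the response")
    if result["used"] == "http-01" and result["skipped"]:
        result["diagnosis"].append(
            "tls-alpn-01 was disabled, so only http-01 remains: port 80 for this host must be "
            "answered by the ACME client, and any rewrite/deny rules must pass the path through")
    return result
```

Run `triage(SAMPLE_LOG)` (or feed it a real log captured from the terminal) and read the `diagnosis` list; an empty list with a `failure` set means the failure is of a kind the script does not classify.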