Issue obtaining certificate?

1. The problem I’m having:

I have been attempting to set up a variety of services in docker, using Caddy as a reverse proxy, but I’ve stalled out on my initial set-up test: I have a single other container that I created because it was very simple to set up and has a webpage to show, just so that I could confirm that my Caddy container was working as it should. Visiting the webpage yields “Error code: SSL_ERROR_INTERNAL_ERROR_ALERT”, and Caddy logs point to an issue obtaining a certificate. I’ve double checked the port forwarding on my router, and nmap lists 80/tcp as open and unfiltered, so I don’t think that it’s a firewall problem, but I’m also super new to all of this, so maybe I’m missing an obvious potential problem.

2. Error messages and/or full log output:

{"level":"info","ts":1740760539.5780056,"logger":"tls.obtain","msg":"lock acquired","identifier":"whoami.burtons.us"}
{"level":"info","ts":1740760539.5782576,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"whoami.burtons.us"}
{"level":"info","ts":1740760539.5804467,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["whoami.burtons.us"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
{"level":"info","ts":1740760539.5804806,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["whoami.burtons.us"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
{"level":"info","ts":1740760539.5805092,"logger":"http","msg":"using ACME account","account_id":"https://acme-v02.api.letsencrypt.org/acme/acct/2255345955","account_contact":[]}
{"level":"info","ts":1740760540.2196825,"msg":"trying to solve challenge","identifier":"whoami.burtons.us","challenge_type":"tls-alpn-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1740760550.8493817,"msg":"challenge failed","identifier":"whoami.burtons.us","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:malformed","title":"","detail":"Unable to contact \"whoami.burtons.us\" at \"2601:152:5081:4030::5\", no IPv4 addresses to try as fallback","instance":"","subproblems":null},"stacktrace":"github.com/mholt/acmez/v3.(*Client).pollAuthorization\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:557\ngithub.com/mholt/acmez/v3.(*Client).solveChallenges\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:378\ngithub.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:136\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:477\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:371\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.9.1/modules/caddytls/acmeissuer.go:249\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:626\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:700\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:505\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:415\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:73"}
{"level":"error","ts":1740760550.8494518,"msg":"validating authorization","identifier":"whoami.burtons.us","problem":{"type":"urn:ietf:params:acme:error:malformed","title":"","detail":"Unable to contact \"whoami.burtons.us\" at \"2601:152:5081:4030::5\", no IPv4 addresses to try as fallback","instance":"","subproblems":null},"order":"https://acme-v02.api.letsencrypt.org/acme/order/2255345955/358889889995","attempt":1,"max_attempts":3,"stacktrace":"github.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:152\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:477\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:371\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.9.1/modules/caddytls/acmeissuer.go:249\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:626\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:700\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:505\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:415\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:73"}
{"level":"error","ts":1740760550.8495,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"whoami.burtons.us","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:malformed - Unable to contact \"whoami.burtons.us\" at \"2601:152:5081:4030::5\", no IPv4 addresses to try as fallback"}
{"level":"error","ts":1740760550.8495255,"logger":"tls.obtain","msg":"will retry","error":"[whoami.burtons.us] Obtain: [whoami.burtons.us] solving challenge: whoami.burtons.us: [whoami.burtons.us] authorization failed: HTTP 400 urn:ietf:params:acme:error:malformed - Unable to contact \"whoami.burtons.us\" at \"2601:152:5081:4030::5\", no IPv4 addresses to try as fallback (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":11.271463133,"max_duration":2592000}
{"level":"info","ts":1740760610.8500183,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"whoami.burtons.us"}
{"level":"info","ts":1740760610.8505337,"logger":"http","msg":"using ACME account","account_id":"https://acme-staging-v02.api.letsencrypt.org/acme/acct/187246464","account_contact":[]}
{"level":"info","ts":1740760611.445376,"msg":"trying to solve challenge","identifier":"whoami.burtons.us","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1740760622.1442065,"msg":"challenge failed","identifier":"whoami.burtons.us","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"2601:152:5081:4030::5: Fetching http://whoami.burtons.us/.well-known/acme-challenge/yYwgEQZ5yKTwt0qdq9gEVVECQ7hk50e51TfJ6bo659A: Timeout during connect (likely firewall problem)","instance":"","subproblems":null},"stacktrace":"github.com/mholt/acmez/v3.(*Client).pollAuthorization\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:557\ngithub.com/mholt/acmez/v3.(*Client).solveChallenges\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:378\ngithub.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:136\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:477\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:371\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.9.1/modules/caddytls/acmeissuer.go:249\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:626\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:700\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:505\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:415\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:73"}
{"level":"error","ts":1740760622.144317,"msg":"validating authorization","identifier":"whoami.burtons.us","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"2601:152:5081:4030::5: Fetching http://whoami.burtons.us/.well-known/acme-challenge/yYwgEQZ5yKTwt0qdq9gEVVECQ7hk50e51TfJ6bo659A: Timeout during connect (likely firewall problem)","instance":"","subproblems":null},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/187246464/22936546804","attempt":1,"max_attempts":3,"stacktrace":"github.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:152\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:477\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:371\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.9.1/modules/caddytls/acmeissuer.go:249\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:626\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:700\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:505\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:415\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:73"}

3. Caddy version:

v2.9.1 h1:OEYiZ7DbCzAWVb6TNEkjRcSCRGHVoZsJinoDR/n9oaY=

4. How I installed and ran Caddy:

I used Docker Compose.

a. System environment:

My OS is Debian Bookworm, and I am running Caddy in Docker.

b. Command:

sudo docker compose up -d

c. Service/unit/compose file:

services:

  caddy:
    image: caddy
    container_name: caddy
    hostname: caddy
    restart: unless-stopped
    env_file: .env
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - ./caddy_config:/config
      - ./caddy_data:/data

networks:
  default:
    name: $DOCKER_MY_NETWORK
    external: true

d. My complete Caddy config:

whoami.{$MY_DOMAIN} {
	reverse_proxy whoami:80
}

5. Links to relevant resources:

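The log in the original post shows the CA contacting only an IPv6 address and reporting no IPv4 fallback, then a connect timeout on the http-01 retry. The following triage script is an added example, not part of the thread or of Caddy: it parses Caddy's JSON log lines (a constructed sample with placeholder names and addresses) and turns each failed challenge into a finding an operator can act on.

```python
import ipaddress
import json
import re

# Constructed sample in the shape of Caddy's JSON log; names and addresses are placeholders.
SAMPLE_LOG = r'''
{"level":"info","ts":1740760540.2,"msg":"trying to solve challenge","identifier":"whoami.example.invalid","challenge_type":"tls-alpn-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1740760550.8,"msg":"challenge failed","identifier":"whoami.example.invalid","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:malformed","detail":"Unable to contact \"whoami.example.invalid\" at \"2001:db8::5\", no IPv4 addresses to try as fallback"}}
{"level":"error","ts":1740760622.1,"msg":"challenge failed","identifier":"whoami.example.invalid","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:connection","detail":"2001:db8::5: Fetching http://whoami.example.invalid/.well-known/acme-challenge/abc: Timeout during connect (likely firewall problem)"}}
'''

def _ip_addresses(text):
    """Pull the IP addresses the CA says it tried out of a free-text problem detail."""
    found = []
    for tok in re.findall(r'[0-9A-Fa-f:.]{3,}', text):
        for cand in (tok, tok.rstrip(':.')):  # the detail may glue a ':' onto the address
            try:
                addr = str(ipaddress.ip_address(cand))
            except ValueError:
                continue
            if addr not in found:
                found.append(addr)
            break
    return found

def classify(detail):
    """Map the CA's problem detail to the operator-facing cause seen in this thread."""
    if "no IPv4 addresses to try as fallback" in detail:
        return "ipv6-only: AAAA record present but no A record, and the AAAA address was unreachable"
    if "Timeout during connect" in detail:
        return "connect-timeout: listener not reachable from the Internet (host firewall or NAT)"
    return "other"

def triage(log_text):
    """Return one finding per failed ACME challenge found in Caddy's JSON log output."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if entry.get("level") != "error" or entry.get("msg") != "challenge failed":
            continue
        detail = entry.get("problem", {}).get("detail", "")
        findings.append({
            "identifier": entry.get("identifier"),
            "challenge": entry.get("challenge_type"),
            "addresses_tried": _ip_addresses(detail),
            "diagnosis": classify(detail),
        })
    return findings
```
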
Port forwarding is not the same as opening firewall ports. It’s timing out when trying to get the cert. It looks like Debian Bookworm is using nftables as the firewall, so you’d do the following:

sudo nft add rule ip filter input tcp dport 80 accept && sudo nft add rule ip filter input tcp dport 443 accept && sudo nft add rule ip filter input udp dport 443 accept && sudo nft list ruleset > /etc/nftables.conf

Thank you for your help! I had completely misunderstood the firewall instruction - I had confirmed that the firewall on my router had those ports open, but not the one on my computer.

I followed your advice, with a few modifications, and ran:

sudo nft add rule inet filter input tcp dport 80 accept && sudo nft add rule inet filter input tcp dport 443 accept && sudo nft add rule inet filter input udp dport 443 accept && sudo sh -c "nft list ruleset > /etc/nftables.conf"

I got the following warning:

Warning: table ip nat is managed by iptables-nft, do not touch!
Warning: table ip filter is managed by iptables-nft, do not touch!
Warning: table ip6 nat is managed by iptables-nft, do not touch!

But when I took a look at the config file, the rules did appear to be there, along with a ton of Docker-specific stuff which I won’t pretend to even begin to understand.

The relevant part of the config file looks like this:

table inet filter {
	chain input {
		type filter hook input priority filter; policy accept;
		tcp dport 80 accept
		tcp dport 443 accept
		udp dport 443 accept
		tcp dport 80 accept
		tcp dport 443 accept
		udp dport 443 accept
		tcp dport 80 accept
		tcp dport 443 accept
		udp dport 443 accept
		tcp dport 80 accept
		tcp dport 443 accept
		udp dport 443 accept
	}
}

I can post more of it if it seems relevant.

I restarted Caddy with high hopes, but unfortunately I am still having the same problem I was having before.

Just in case it would help, I also stopped Caddy and my test container, restarted Docker, and then started both of them back up again, but got the same result.
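
The ruleset quoted above has the three accept rules Caddy needs, repeated several times. The checker below is an added example, not from the thread or from nftables: it reads an nftables ruleset dump (a constructed sample shaped like the one quoted), confirms the input chain of table inet filter accepts tcp/80, tcp/443 and udp/443, and reports rules that appear more than once.

```python
from collections import Counter

# Constructed ruleset dump shaped like the one quoted in this thread, duplicates included.
SAMPLE_RULESET = """
table inet filter {
	chain input {
		type filter hook input priority filter; policy accept;
		tcp dport 80 accept
		tcp dport 443 accept
		udp dport 443 accept
		tcp dport 80 accept
		tcp dport 443 accept
	}
}
"""

# Accept rules Caddy needs: ACME http-01 on tcp/80, HTTPS on tcp/443, HTTP/3 on udp/443.
REQUIRED_RULES = ("tcp dport 80 accept", "tcp dport 443 accept", "udp dport 443 accept")

def input_chain_rules(ruleset, table="inet filter"):
    """Return the rule lines of 'chain input' inside the given table, chain header excluded."""
    rules, in_table, in_chain = [], False, False
    for raw in ruleset.splitlines():
        line = raw.strip()
        if line == f"table {table} {{":
            in_table = True
        elif in_table and line == "chain input {":
            in_chain = True
        elif in_chain and line == "}":
            break
        elif in_chain and line and not line.startswith("type "):
            rules.append(line)
    return rules

def check_caddy_ports(ruleset):
    """Report required accept rules that are missing and rules that occur more than once."""
    counts = Counter(input_chain_rules(ruleset))
    return {
        "missing": [r for r in REQUIRED_RULES if counts[r] == 0],
        "duplicates": {r: n for r, n in counts.items() if n > 1},
    }

def deduplicated_rules(ruleset):
    """The same chain with repeated rules collapsed, original order preserved."""
    return list(dict.fromkeys(input_chain_rules(ruleset)))
```

Note that the quoted chain ends its header with `policy accept`, so these rules only change behaviour if some later rule in the chain, or another table hooked on input, would otherwise drop the traffic.
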

That’s… interesting.

There are numerous duplicates in that file as you can see. Make sure you remove them. Otherwise, I’m not sure. I don’t know if IPv6 is any different than IPv4, but I saw there was no IPv4 fallback. Is it possible for you to configure that?

Based on what I’m seeing with dig, it looks like maybe your IPv6 address isn’t configured correctly.
