Issues on existing certificate


(loweel@gmx.de) #1

Hi everybody,

I’m experiencing a strange issue with my caddy server: caddy was able to get a certificate from letsencrypt, but now seems not able to answer back to challenges. The version is 0.10.10.

First, the schema:

INTERNET -> HAPROXY -> Caddy

Using this configuration, Caddy was able to obtain a certificate. Now the certificate is there, but looking at the logs I see that several times I have

192.168.X.X - - [24/Dec/2017:18:25:06 +0000] "GET /.well-known/acme-challenge/lalalalalalalala HTTP/1.1" 404 8662 "http://www.lalalla.lala/.well-known/acme-challenge/lalalala" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

Now, I can’t see why Caddy was able to get a certificate while it seems unable to respond properly to challenges. Is there a way to get debug output, or some way to understand what is going on?

What I am afraid of is that someone is trying to hijack my certificate by running another Caddy pretending to be my domain, so that Let’s Encrypt is requesting non-existent challenges. If so, what happens when my server answers back with 404? Or is there a way HAProxy can interfere with Caddy?

regards, and Merry Xmas

L.


(Matt Holt) #2

What’s in your Caddy logs? And not just the access logs, but the process log (caddy -log).

And Merry Christmas to you too!


(loweel@gmx.de) #3

Hi Matt

Thanks for your answer. Actually, I understood what it was: HAProxy had a setup to probe the backend, which was probing the certificate. During the TLS-SNI challenge the probe was failing because of an invalid certificate or something (HAProxy is very choosy on that). So HAProxy was putting the backend offline just when Caddy needed it.

So the lesson learnt is not to verify the TLS certificate when probing Caddy as a backend.

Now the setup works, and the certificate is being renewed… the funny thing is that it is being renewed every day… is there a reason for that?

L.
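The health-check problem described in post #3, shown as an added HAProxy fragment (constructed for illustration, not the poster's real configuration). It assumes HAProxy forwards TLS to Caddy unterminated in tcp mode; the backend address, section names and CA file path are placeholders.

```haproxy
# Constructed example; 192.168.0.10, the section names and the ca-file
# path are placeholders. TLS is passed through untouched, so Caddy still
# terminates it and answers the ACME challenges itself.

frontend https_in
    bind *:443
    mode tcp
    option tcplog
    default_backend caddy_tls

# PROBLEM: the health check opens a TLS connection to Caddy and requires a
# certificate that validates against the configured CA bundle. While Caddy
# is answering a TLS-SNI challenge the probe sees a certificate it rejects,
# the check fails, HAProxy marks the server DOWN, and traffic stops being
# forwarded exactly when Caddy needs to answer the validation.
backend caddy_tls_verified
    mode tcp
    server caddy 192.168.0.10:443 check inter 5s check-ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt

# FIX (the lesson from the thread): keep a TLS-level probe so a dead TLS
# listener is still detected, but do not validate the certificate the
# backend presents during the probe. Because TLS is passed through,
# "verify none" here affects only the health check, not clients'
# connections to Caddy.
backend caddy_tls
    mode tcp
    server caddy 192.168.0.10:443 check inter 5s check-ssl verify none
    # Simplest alternative: drop "check-ssl verify none" and keep just
    # "check", a plain TCP connect probe that never looks at the certificate.
```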


(Matt Holt) #4

What’s in your caddy process logs (caddy -log)?