Let's Encrypt issuance doesn't work with the on_demand directive unless I mention acme_ca

1. The problem I’m having:

I am using the on_demand directive under the https:// block along with an ask URL. I am seeing ZeroSSL certificate issuance instead of Let's Encrypt.
If I use the acme_ca directive, then things work absolutely fine and it starts providing Let's Encrypt certificates. But the ones which were generated previously using ZeroSSL don't load, and new certificates via Let's Encrypt get issued again.

Here is the acme_ca directive:

acme_ca  https://acme-v02.api.letsencrypt.org/directory

How can we fix the error below?
How can we test whether on_demand failover is working?
How can we ensure certificates issued by one CA don't get generated by another CA?
How can we force the on_demand directive to issue ZeroSSL first, then Let's Encrypt?

2. Error messages and/or full log output:

{"level":"error","ts":1690800598.3533516,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"test24.example.com","issuer":"-admin@example.com","error":"registering account [mailto:admin@example.com] with server: provisioning client: response Content-Type is text/html but target container is not io.Writer: *acme.Directory"}

Note: Domain not disclosed due to an NDA

3. Caddy version:

v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=

4. How I installed and ran Caddy:

apt install caddy -y

a. System environment:

Ubuntu 22.04 on ec2

b. Command:

systemctl start caddy

c. Service/unit/compose file:

NA

d. My complete Caddy config:

{
	debug

	# "acme" takes an ACME directory URL as its argument; an email address is given here
	cert_issuer acme example@example.com
	cert_issuer zerossl EXAMPLEKEY

	log {
		output file /var/log/caddy/caddy.log
	}

	email example@example.com

	storage redis {
		host          "127.0.0.1"
		port          6379
		address       "127.0.0.1:6379"
		username      ""
		password      "example"
		db            1
		key_prefix    "caddytls"
		value_prefix  "caddy-storage-redis"
		timeout       30
		tls_enabled   "false"
		tls_insecure  "true"
	}

	on_demand_tls {
		ask https://www.example.com/validator
		interval 2m
		burst 30
	}
}

https:// {
	tls {
		on_demand
	}
}

5. Links to relevant resources:

Your problem is that you specified an email address in place of where the ACME URL should go. See the docs: tls (Caddyfile directive) — Caddy Documentation


Thanks Francis for your help. The issue is resolved. I would also like to know how I can change the on_demand priority so that ZeroSSL comes first and Let's Encrypt comes second.

Just reorder your cert_issuer lines so zerossl is first.
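Putting the two replies together, here is an added example of the corrected global options (not a config posted in this thread): the `acme` issuer is given the Let's Encrypt directory URL instead of an email address, and the `cert_issuer` lines are ordered so ZeroSSL is tried first and Let's Encrypt second. The API key, email and hostnames are the placeholders from the original post, and the Redis storage and log blocks are left out since they are unrelated to issuer selection.

```caddyfile
{
	# Issuers are tried in the order listed: ZeroSSL first, then Let's Encrypt.
	cert_issuer zerossl EXAMPLEKEY
	# The argument to "acme" is the ACME directory URL, not an account email.
	cert_issuer acme https://acme-v02.api.letsencrypt.org/directory

	# Account email used for ACME registration with either CA.
	email example@example.com

	# On-demand issuance is gated by the "ask" endpoint, which must answer 200
	# only for hostnames this server is allowed to obtain certificates for.
	on_demand_tls {
		ask https://www.example.com/validator
		interval 2m
		burst 30
	}
}

https:// {
	tls {
		on_demand
	}
}
```

Because the issuer is part of the certificate's storage key, certificates already obtained from one CA are reused as long as that issuer remains configured; removing an issuer from the list is what causes its existing certificates to be ignored and re-issued by the remaining one.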

