1. The problem I’m having:
I am using the on_demand directive under the https:// block along with an ask URL. I am seeing ZeroSSL certificate issuance instead of Let's Encrypt.
If I use the acme_ca directive, then things work absolutely fine and it starts providing Let's Encrypt certificates. But the ones which were generated previously using ZeroSSL don't load, and new certificates via Let's Encrypt get issued again.
Here is the acme_ca directive:
acme_ca https://acme-v02.api.letsencrypt.org/directory
How can we fix the below error?
How can we test whether on_demand failover is working?
How can we ensure certificates issued by one CA don't get generated by another CA?
How can we force the on_demand directive to issue ZeroSSL first, then Let's Encrypt?
2. Error messages and/or full log output:
{"level":"error","ts":1690800598.3533516,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"test24.example.com","issuer":"-admin@example.com","error":"registering account [mailto:admin@example.com] with server: provisioning client: response Content-Type is text/html but target container is not io.Writer: *acme.Directory"}
Note: domain not disclosed due to an NDA.
3. Caddy version:
v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=
4. How I installed and ran Caddy:
apt install caddy -y
a. System environment:
Ubuntu 22.04 on ec2
b. Command:
systemctl start caddy
c. Service/unit/compose file:
NA
d. My complete Caddy config:
{
	debug
	cert_issuer acme example@example.com
	cert_issuer zerossl EXAMPLEKEY
	log {
		output file /var/log/caddy/caddy.log
	}
	email example@example.com
	storage redis {
		host "127.0.0.1"
		port 6379
		address "127.0.0.1:6379"
		username ""
		password "example"
		db 1
		key_prefix "caddytls"
		value_prefix "caddy-storage-redis"
		timeout 30
		tls_enabled "false"
		tls_insecure "true"
	}
	on_demand_tls {
		ask https://www.example.com/validator
		interval 2m
		burst 30
	}
}

https:// {
	tls {
		on_demand
	}
}
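Whatever CA ends up issuing, the `ask` endpoint referenced in the `on_demand_tls` block above is the control that stops a wildcard `https://` site with `on_demand` from obtaining certificates for any hostname someone points at the server. The following is an added example of such a validator, not code from the post or from the Caddy project: Caddy calls `GET <ask-url>?domain=<name>` and treats any 2xx response as permission to issue, anything else as a denial. The allowlist, the `/validator` path and the listen address `127.0.0.1:9000` are constructed assumptions; `AskStatus` runs one request through the handler in memory so the decision can be rehearsed before pointing Caddy at it.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// allowedDomains is a constructed allowlist standing in for whatever
// database or API a real validator would consult.
var allowedDomains = map[string]bool{
	"test24.example.com": true,
	"app.example.com":    true,
}

// DomainAllowed decides whether Caddy may obtain a certificate for name.
// It lower-cases the name, strips a trailing dot, and rejects empty names,
// wildcards and anything outside the allowlist, so an attacker who points
// DNS at this host cannot make Caddy issue certificates for arbitrary names.
func DomainAllowed(name string) bool {
	name = strings.ToLower(strings.TrimSuffix(strings.TrimSpace(name), "."))
	if name == "" || strings.Contains(name, "*") {
		return false
	}
	return allowedDomains[name]
}

// AskHandler implements the on_demand_tls `ask` endpoint: 200 permits
// issuance, 403 denies it. Denials are logged so unexpected hostnames
// hitting the server show up in the validator's log.
func AskHandler(w http.ResponseWriter, r *http.Request) {
	domain := r.URL.Query().Get("domain")
	if DomainAllowed(domain) {
		w.WriteHeader(http.StatusOK)
		return
	}
	log.Printf("denied on-demand certificate request for %q from %s", domain, r.RemoteAddr)
	w.WriteHeader(http.StatusForbidden)
}

// AskStatus sends one in-memory request through AskHandler and returns the
// HTTP status Caddy would receive for the given domain.
func AskStatus(domain string) int {
	target := "/validator?" + url.Values{"domain": {domain}}.Encode()
	req := httptest.NewRequest(http.MethodGet, target, nil)
	rec := httptest.NewRecorder()
	AskHandler(rec, req)
	return rec.Code
}

func main() {
	// Listen on loopback only; Caddy on the same host reaches it via the
	// constructed ask URL http://127.0.0.1:9000/validator.
	http.HandleFunc("/validator", AskHandler)
	log.Fatal(http.ListenAndServe("127.0.0.1:9000", nil))
}
```

Because the `ask` URL in the post is served over https://www.example.com, make sure that hostname is itself in the allowlist (or served by a separate, non-on-demand site block), otherwise Caddy cannot even reach the validator to approve the first certificate.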