Log error for unable to issue certificate to a domain that already has one

1. The problem I’m having:

I am facing an issue where Caddy tries to request a certificate for a domain, even though I am explicitly directing it to use the certificate I’ve provided (by specifying the directory path). I want to prevent the unnecessary request for the domain while allowing another domain within the Caddyfile to have a Let’s Encrypt certificate.

It’s not a critical error, as the domains function properly, but it’s an error in the log that shouldn’t appear.

Note: The domain names are real. I am using the machine’s hostname as a domain to internally consume the information of node exporter. I have not modified my log file or Caddyfile for this post, but they come from a test server.

Another point to clarify: The reason for auto_https ignore_loaded_certs is that without setting it this way, Caddy uses the self-signed certificate for the domain helloworld.0xanto.dev (which indeed needs a Let’s Encrypt domain).

2. Error messages and/or full log output:

caddy | {"level":"error","ts":1691503068.6744905,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"caddy-test","issuer":"acme.zerossl.com-v2-DV90","error":"HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [caddy-test]"}
caddy | {"level":"error","ts":1691503068.6754205,"logger":"tls.obtain","msg":"will retry","error":"[caddy-test] Obtain: [caddy-test] creating new order: attempt 1: https://acme.zerossl.com/v2/DV90/newOrder: HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [caddy-test] (ca=https://acme.zerossl.com/v2/DV90)","attempt":5,"retrying_in":600,"elapsed":611.188483961,"max_duration":2592000}
caddy | {"level":"info","ts":1691503668.6767552,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"caddy-test"}
caddy | {"level":"error","ts":1691503669.27204,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"caddy-test","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Error creating new order :: Cannot issue for \"caddy-test\": Domain name needs at least one dot"}

3. Caddy version:

caddy 2.6.4

4. How I installed and ran Caddy:

a. System environment:

  • OS: Ubuntu 22.04.2 LTS
  • Using Docker 24.0.5

b. Command:

docker compose up -d

c. Service/unit/compose file:

version: '3.3'

services:
  caddy:
    image: caddy:2.6.4@sha256:5acae6b87b26a591d6d14ec2704b7f2cd94b888ad62af16a02356d3124198ede
    restart: always
    container_name: caddy
    volumes:
      - ./caddy/Caddyfile:/etc/caddy/Caddyfile
      - ./caddy/site:/srv
      - ./caddy/caddy_data:/data
      - ./caddy/caddy_config:/config
      - /etc/ssl/certs/selfsigned_certificate.pem:/etc/ssl/certs/selfsigned_certificate.pem
      - /etc/ssl/private/selfsigned_certificate.pem:/etc/ssl/private/selfsigned_certificate.pem
    network_mode: host

d. My complete Caddy config:

{
    auto_https ignore_loaded_certs
}

# Node Exporter
CADDY-TEST:8000 {
    reverse_proxy 127.0.0.1:9100
    tls /etc/ssl/certs/selfsigned_certificate.pem /etc/ssl/private/selfsigned_certificate.pem
}

# Public helloworld website
helloworld.0xanto.dev {
    respond "Hello, world!"
}

What SANs does your certificate have? If it doesn’t include caddy-test, then Caddy can’t use it for that site. The certificate needs to match the configured domains.


Specifically, what is the output of openssl x509 -text -noout -in /etc/ssl/certs/selfsigned_certificate.pem?

Hello, first of all, thank you both for your response.

This is the output of the command openssl x509 -text -noout -in /etc/ssl/certs/selfsigned_certificate.pem:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            59:5b:34:71:a3:b1:b9:11:4b:aa:33:fc:b4:8e:36:2e
        Signature Algorithm: ecdsa-with-SHA512
        Issuer: CN = Stakely
        Validity
            Not Before: Apr 11 19:45:26 2023 GMT
            Not After : Apr  8 19:45:26 2033 GMT
        Subject: C = ES, ST = Spain, L = Madrid, O = Stakely, OU = Stakely, CN = stakely, emailAddress = admin@stakely.io
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                E7:1B:03:10:8F:AA:12:D8:9E:27:CE:CA:14:F0:7F:66:FE:AD:E4:8E
            X509v3 Authority Key Identifier: 
                keyid:D7:4D:76:AA:2A:49:C5:0F:02:0F:7D:1C:5D:75:A8:50:A6:1B:FE:F6
                DirName:/CN=Stakely
                serial:4B:6D:B6:F4:A3:D7:E8:7F:87:BD:96:96:CB:35:7C:79:98:DA:E3:03
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name: 
                DNS:stakely
    Signature Algorithm: ecdsa-with-SHA512

To clarify, the CADDY-TEST domain works correctly (obviously an error comes out from the client because it is a self-signed domain), but it is for internal use and we accept this warning; however, the connection is encrypted by SSL, which is our purpose.


The cert has the SAN stakely, not caddy-test. That won’t work.

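A pre-flight check for the situation discussed in this thread, added here as an example (not code from Caddy or from the posters): it parses the SAN list out of `openssl x509 -text` output, matches each Caddyfile site name against it the way a TLS client would, and flags names that neither the loaded certificate covers nor a public ACME CA can issue for (no dot, or an IP literal). The openssl excerpt and its wildcard SAN entry are constructed.

```python
import ipaddress
import re

# Constructed excerpt of `openssl x509 -text -noout` output modelled on the thread's
# certificate (only the lines this check reads; a wildcard SAN is added for the test).
OPENSSL_TEXT = """\
Certificate:
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:stakely, DNS:*.example.internal
"""

def parse_sans(text):
    """DNS names from the SAN extension of `openssl x509 -text` output, lowercased."""
    m = re.search(r"Subject Alternative Name:[^\n]*\n[ \t]*([^\n]+)", text)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",")]
    return [e[4:].lower() for e in entries if e.startswith("DNS:")]

def san_matches(san, host):
    """RFC 6125-style match: exact name, or a wildcard covering one leading label."""
    if san.startswith("*."):
        labels = host.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == san[2:]
    return san == host

def publicly_issuable(host):
    """Pre-check of what a public ACME CA accepts as a DNS identifier:
    not an IP literal, at least one dot, hostname characters only."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    return "." in host and re.fullmatch(r"[a-z0-9.-]+", host) is not None

def check_sites(site_hosts, openssl_text):
    """Classify each site name: served by the loaded cert, eligible for ACME, or
    neither (the case behind the rejectedIdentifier errors in this thread)."""
    sans = parse_sans(openssl_text)
    result = {}
    for host in (h.lower() for h in site_hosts):
        if any(san_matches(s, host) for s in sans):
            result[host] = "loaded"
        elif publicly_issuable(host):
            result[host] = "acme"
        else:
            result[host] = "unissuable"
    return result
```

Running `check_sites(["CADDY-TEST", "helloworld.0xanto.dev"], OPENSSL_TEXT)` reports the first name as unissuable and the second as an ACME candidate, which is exactly the split the log above shows.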

But Caddy really does use this certificate for this domain, regardless of the DNS. Even though it tries to issue another certificate, I understand it attempts to do so because, as you mention, the DNS doesn’t match. But it doesn’t add up for me because, in my view, the two possible scenarios would be:

A) Caddy doesn’t accept the certificate and doesn’t use it; it tries to issue a certificate with Let’s Encrypt.

B) Caddy accepts the certificate and therefore doesn’t try to issue a certificate with Let’s Encrypt.

The case that’s happening: Caddy accepts the certificate, but still tries to issue a new one with Let’s Encrypt.

Maybe I’m missing something or not understanding, but isn’t it possible to disable the “integration” with Let’s Encrypt (or Zero SSL) for a domain (only one)? That way I would avoid the error in the log.

Really, the only issue I’m facing is the error in the log, but other than that, everything works perfectly.

Caddy using the self-signed certificate:

(screenshot)

That’s why 🙂
