1. The problem I’m having:
New to Caddy, I hope this explanation is ok.
I signed up for a domain with Gandi.net. When I run Caddy with the Gandi DNS provider module, the log file shows a REFUSED
response from Gandi.net’s name server.
...
checking DNS propagation of "_acme-challenge.proxmox.3743578.xyz": NS ns-216-b.gandi.net. returned REFUSED for _acme-challenge.proxmox.3743578.xyz
...
The API key is correct: if I change it, I get an unauthorized error in the log instead.
Any ideas? I saw older posts saying there were some issues with DNS providers, but that they were resolved in Caddy v2.4.
2. Error messages and/or full log output:
caddy | 2023-05-29T05:05:04.399583802Z {"level":"info","ts":1685336704.3990104,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
caddy | 2023-05-29T05:05:04.402852017Z {"level":"warn","ts":1685336704.402663,"msg":"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
caddy | 2023-05-29T05:05:04.404656154Z {"level":"info","ts":1685336704.4044702,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
caddy | 2023-05-29T05:05:04.405705335Z {"level":"info","ts":1685336704.405592,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
caddy | 2023-05-29T05:05:04.405917434Z {"level":"info","ts":1685336704.4058552,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
caddy | 2023-05-29T05:05:04.406701117Z {"level":"info","ts":1685336704.4066064,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
caddy | 2023-05-29T05:05:04.407113699Z {"level":"info","ts":1685336704.4070182,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Receive-Buffer-Size for details."}
caddy | 2023-05-29T05:05:04.407724209Z {"level":"debug","ts":1685336704.4075978,"logger":"http","msg":"starting server loop","address":"[::]:443","tls":true,"http3":true}
caddy | 2023-05-29T05:05:04.407971353Z {"level":"info","ts":1685336704.40785,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
caddy | 2023-05-29T05:05:04.408178190Z {"level":"debug","ts":1685336704.4081073,"logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}
caddy | 2023-05-29T05:05:04.408320374Z {"level":"info","ts":1685336704.4082484,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
caddy | 2023-05-29T05:05:04.408441056Z {"level":"info","ts":1685336704.4083805,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["proxmox.3743578.xyz"]}
caddy | 2023-05-29T05:05:04.408912950Z {"level":"info","ts":1685336704.4088473,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
caddy | 2023-05-29T05:05:04.409003727Z {"level":"info","ts":1685336704.4089506,"msg":"serving initial configuration"}
caddy | 2023-05-29T05:05:04.409796548Z {"level":"info","ts":1685336704.4097135,"logger":"tls.obtain","msg":"acquiring lock","identifier":"proxmox.3743578.xyz"}
caddy | 2023-05-29T05:05:04.411488803Z {"level":"info","ts":1685336704.411382,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0008773b0"}
caddy | 2023-05-29T05:05:04.411761795Z {"level":"info","ts":1685336704.411694,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
caddy | 2023-05-29T05:05:04.411952272Z {"level":"info","ts":1685336704.4118857,"logger":"tls","msg":"finished cleaning storage units"}
caddy | 2023-05-29T05:05:04.419972833Z {"level":"info","ts":1685336704.419877,"logger":"tls.obtain","msg":"lock acquired","identifier":"proxmox.3743578.xyz"}
caddy | 2023-05-29T05:05:04.420259787Z {"level":"info","ts":1685336704.4202044,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"proxmox.3743578.xyz"}
caddy | 2023-05-29T05:05:04.421046572Z {"level":"debug","ts":1685336704.4209383,"logger":"events","msg":"event","name":"cert_obtaining","id":"c113b15f-ace3-4267-ac2c-560ba07f470d","origin":"tls","data":{"identifier":"proxmox.3743578.xyz"}}
caddy | 2023-05-29T05:05:04.421976586Z {"level":"debug","ts":1685336704.4219046,"logger":"tls.obtain","msg":"trying issuer 1/2","issuer":"acme-v02.api.letsencrypt.org-directory"}
caddy | 2023-05-29T05:05:04.422726919Z {"level":"info","ts":1685336704.4226408,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["proxmox.3743578.xyz"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
caddy | 2023-05-29T05:05:04.422864484Z {"level":"info","ts":1685336704.4228187,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["proxmox.3743578.xyz"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
caddy | 2023-05-29T05:05:04.634539583Z {"level":"debug","ts":1685336704.6343741,"logger":"http.acme_client","msg":"http request","method":"GET","url":"https://acme-v02.api.letsencrypt.org/directory","headers":{"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["752"],"Content-Type":["application/json"],"Date":["Mon, 29 May 2023 05:05:04 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
caddy | 2023-05-29T05:05:04.672272911Z {"level":"debug","ts":1685336704.6721375,"logger":"http.acme_client","msg":"http request","method":"HEAD","url":"https://acme-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Mon, 29 May 2023 05:05:04 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["20F6SEpYe3e89U2KsHr8y7y4vaQwCPtiQFhDjT0RFfFaLdk"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
caddy | 2023-05-29T05:05:04.759183527Z {"level":"debug","ts":1685336704.759046,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1132699647"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["345"],"Content-Type":["application/json"],"Date":["Mon, 29 May 2023 05:05:04 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/order/1132699647/185190966387"],"Replay-Nonce":["20F6SRjnOZsjVbZOtWSylgeT41CEhYZ_QY9VYcG39roGxxg"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}
caddy | 2023-05-29T05:05:04.801354441Z {"level":"debug","ts":1685336704.8012402,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/232026734007","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1132699647"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["803"],"Content-Type":["application/json"],"Date":["Mon, 29 May 2023 05:05:04 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["20F6dZBmX64ZCQWVZ1q1soW0U1_gFEkmxq4s4Qk1BB6fy6E"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
caddy | 2023-05-29T05:05:04.801750828Z {"level":"debug","ts":1685336704.8016834,"logger":"http.acme_client","msg":"no solver configured","challenge_type":"tls-alpn-01"}
caddy | 2023-05-29T05:05:04.801899845Z {"level":"info","ts":1685336704.8018198,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"proxmox.3743578.xyz","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
caddy | 2023-05-29T05:05:06.266432951Z {"level":"debug","ts":1685336706.2662926,"logger":"http.acme_client","msg":"waiting for solver before continuing","identifier":"proxmox.3743578.xyz","challenge_type":"dns-01"}
caddy | 2023-05-29T05:05:08.430081963Z {"level":"debug","ts":1685336708.4299748,"logger":"http.acme_client","msg":"done waiting for solver","identifier":"proxmox.3743578.xyz","challenge_type":"dns-01"}
caddy | 2023-05-29T05:05:09.512579569Z {"level":"debug","ts":1685336709.5124447,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/232026734007","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1132699647"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["807"],"Content-Type":["application/json"],"Date":["Mon, 29 May 2023 05:05:09 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["20F6Zvw9EXTS-daS0xkhJ5Vd3V8Xmu5nGSffjzm_xWjbZgo"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
caddy | 2023-05-29T05:05:09.512823868Z {"level":"error","ts":1685336709.5127532,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"proxmox.3743578.xyz","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[proxmox.3743578.xyz] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of \"_acme-challenge.proxmox.3743578.xyz\": NS ns-216-b.gandi.net. returned REFUSED for _acme-challenge.proxmox.3743578.xyz. (order=https://acme-v02.api.letsencrypt.org/acme/order/1132699647/185190966387) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
caddy | 2023-05-29T05:05:09.512948888Z {"level":"debug","ts":1685336709.5128894,"logger":"tls.obtain","msg":"trying issuer 2/2","issuer":"acme.zerossl.com-v2-DV90"}
caddy | 2023-05-29T05:05:09.513575534Z {"level":"info","ts":1685336709.5135007,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["proxmox.3743578.xyz"],"ca":"https://acme.zerossl.com/v2/DV90","account":"caddy@zerossl.com"}
caddy | 2023-05-29T05:05:09.513681979Z {"level":"info","ts":1685336709.5136197,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["proxmox.3743578.xyz"],"ca":"https://acme.zerossl.com/v2/DV90","account":"caddy@zerossl.com"}
caddy | 2023-05-29T05:05:10.147517014Z {"level":"debug","ts":1685336710.1472254,"logger":"http.acme_client","msg":"http request","method":"GET","url":"https://acme.zerossl.com/v2/DV90","headers":{"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Content-Length":["645"],"Content-Type":["application/json"],"Date":["Mon, 29 May 2023 05:05:10 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
caddy | 2023-05-29T05:05:10.776453888Z {"level":"debug","ts":1685336710.7757702,"logger":"http.acme_client","msg":"http request","method":"HEAD","url":"https://acme.zerossl.com/v2/DV90/newNonce","headers":{"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Type":["application/octet-stream"],"Date":["Mon, 29 May 2023 05:05:10 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["vx0O0X4NQFY9gThqNBmKZttHfh79htGb_BfH777JmbE"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
caddy | 2023-05-29T05:05:11.641158485Z {"level":"debug","ts":1685336711.640674,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/newOrder","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["281"],"Content-Type":["application/json"],"Date":["Mon, 29 May 2023 05:05:11 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/gWrBCSSNLgLHZfai-yh3rw"],"Replay-Nonce":["VsNocMW6CDPk6Bon065xnrWzyqjbt8wG7_IUIoDk6VM"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":201}
caddy | 2023-05-29T05:05:12.149606971Z {"level":"debug","ts":1685336712.1494665,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/JXpsEDYmi9DHOTLC17-1nQ","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["449"],"Content-Type":["application/json"],"Date":["Mon, 29 May 2023 05:05:12 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["HHLGYEfnnTPFi_h9Ke7uqbtOSwuVZn6u0UzIOGYdm2s"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
caddy | 2023-05-29T05:05:12.149877462Z {"level":"info","ts":1685336712.1497831,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"proxmox.3743578.xyz","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
caddy | 2023-05-29T05:05:13.490475674Z {"level":"debug","ts":1685336713.4903579,"logger":"http.acme_client","msg":"waiting for solver before continuing","identifier":"proxmox.3743578.xyz","challenge_type":"dns-01"}
caddy | 2023-05-29T05:05:15.494937588Z {"level":"debug","ts":1685336715.49484,"logger":"http.acme_client","msg":"done waiting for solver","identifier":"proxmox.3743578.xyz","challenge_type":"dns-01"}
caddy | 2023-05-29T05:05:17.021507945Z {"level":"debug","ts":1685336717.0213108,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/JXpsEDYmi9DHOTLC17-1nQ","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["131"],"Content-Type":["application/json"],"Date":["Mon, 29 May 2023 05:05:16 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["DR5LSoMt_RGCsWH01uaQH6nz9RXV3q2dhy9fQRyRxU0"],"Retry-After":["86400"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
caddy | 2023-05-29T05:05:17.021779251Z {"level":"error","ts":1685336717.021691,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"proxmox.3743578.xyz","issuer":"acme.zerossl.com-v2-DV90","error":"[proxmox.3743578.xyz] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of \"_acme-challenge.proxmox.3743578.xyz\": NS ns-103-a.gandi.net. returned REFUSED for _acme-challenge.proxmox.3743578.xyz. (order=https://acme.zerossl.com/v2/DV90/order/gWrBCSSNLgLHZfai-yh3rw) (ca=https://acme.zerossl.com/v2/DV90)"}
caddy | 2023-05-29T05:05:17.022000159Z {"level":"debug","ts":1685336717.0218644,"logger":"events","msg":"event","name":"cert_failed","id":"1e90ef83-eb19-4fbe-9fdc-0682bae080fd","origin":"tls","data":{"error":{},"identifier":"proxmox.3743578.xyz","issuers":["acme-v02.api.letsencrypt.org-directory","acme.zerossl.com-v2-DV90"],"renewal":false}}
caddy | 2023-05-29T05:05:17.022202285Z {"level":"error","ts":1685336717.0220828,"logger":"tls.obtain","msg":"will retry","error":"[proxmox.3743578.xyz] Obtain: [proxmox.3743578.xyz] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of \"_acme-challenge.proxmox.3743578.xyz\": NS ns-103-a.gandi.net. returned REFUSED for _acme-challenge.proxmox.3743578.xyz. (order=https://acme.zerossl.com/v2/DV90/order/gWrBCSSNLgLHZfai-yh3rw) (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":12.602032169,"max_duration":2592000}
3. Caddy version:
v2.6.4
4. How I installed and ran Caddy:
Installed and ran via Docker
a. System environment:
Proxmox 7.4
LXC container running Debian 11
Caddy runs via Docker; here is the Dockerfile I used to build the image
# Two-stage build: compile a Caddy binary that includes the Gandi DNS
# provider module, then copy it into the stock runtime image.
#
# NOTE(review): VERSION=2 is a floating major tag, so both base images can
# change between builds. Pinning the exact release (and, stricter, the image
# digest) makes the build reproducible and keeps an unexpected upstream image
# from being pulled in silently.
ARG VERSION=2

# Stage 1: the builder image, where xcaddy compiles the custom binary.
FROM caddy:${VERSION}-builder AS builder

# NOTE(review): no version is given for the plugin, so xcaddy resolves
# whatever is current at build time. `--with <module>@<version>` pins it.
RUN xcaddy build \
    --with github.com/caddy-dns/gandi

# Stage 2: runtime image; only the caddy binary is replaced.
FROM caddy:${VERSION}
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
b. Command:
docker compose up -d
c. Service/unit/compose file:
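# Indentation restored: as pasted, every key sat at column 0, which turns
# the service settings into top-level keys and duplicates `networks`.
version: "3.9"

services:
  caddy:
    # Image is built locally from the build context ./dockerfile-dns.
    build: ./dockerfile-dns
    container_name: caddy
    hostname: caddy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
      # UDP 443 is published for the HTTP/3 listener.
      - "443:443/udp"
    networks:
      - caddynet
    volumes:
      # Read-only: the container cannot modify its own site configuration.
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      # Caddy's storage (the log shows FileStorage:/data/caddy). Certificates
      # and their private keys are kept here, so restrict host permissions on
      # ./data and keep it out of version control and shared backups.
      - ./data:/data
      # Holds the autosaved config (/config/caddy/autosave.json in the log).
      # NOTE(review): a DNS API token written literally in the Caddyfile
      # presumably ends up in that file too; treat ./config as sensitive.
      - ./config:/config

networks:
  caddynet:
    # NOTE(review): `attachable` is documented for overlay networks; it
    # likely has no effect with the bridge driver. Confirm it is needed.
    attachable: true
    driver: bridge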
d. My complete Caddy config:
# Global options.
{
	# Debug logging is what produces the full ACME request/response lines in
	# the log; turn it off again once troubleshooting is done.
	debug
}

proxmox.3743578.xyz {
	tls {
		# DNS-01 challenge through the Gandi provider module.
		# NOTE(review): the token is written inline here (redacted for
		# posting). Reading it from the environment, e.g.
		# {env.GANDI_API_TOKEN} (variable name is illustrative), keeps the
		# secret out of the file and out of pasted configs.
		dns gandi REDACTED
	}
	respond "Hello, world!"
}