No certificate available for one of my domains

1. The problem I’m having:

One of my domains is not getting certificates for some reason, returning an HTTP 525 error.

2. Error messages and/or full log output:

These are select lines from the log that reference the domain in question. They are from soon after restarting Caddy, and sending a request to the domain.

Oct 08 19:08:13 THEO-FILE-SERVER caddy[243744]: {"level":"error","ts":1728439693.769484,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"deluge.theolaa.ca","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"2606:4700:3032::ac43:b475: Invalid response from http://deluge.theolaa.ca/.well-known/acme-challenge/eUQwyRxIWOwg-2BGI8PpCChZaSOO3D18HqEqrOesfho: 522","instance":"","subproblems":[]}}
Oct 08 19:08:13 THEO-FILE-SERVER caddy[243744]: {"level":"error","ts":1728439693.7695987,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"deluge.theolaa.ca","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"2606:4700:3032::ac43:b475: Invalid response from http://deluge.theolaa.ca/.well-known/acme-challenge/eUQwyRxIWOwg-2BGI8PpCChZaSOO3D18HqEqrOesfho: 522","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1748087342/312004649637","attempt":1,"max_attempts":3}
Oct 08 19:08:14 THEO-FILE-SERVER caddy[243744]: {"level":"debug","ts":1728439694.7700121,"logger":"tls.issuance.acme.acme_client","msg":"creating order","account":"https://acme-v02.api.letsencrypt.org/acme/acct/1748087342","identifiers":["deluge.theolaa.ca"]}
Oct 08 19:08:14 THEO-FILE-SERVER caddy[243744]: {"level":"error","ts":1728439694.9680963,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"deluge.theolaa.ca","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/"}
Oct 08 19:08:14 THEO-FILE-SERVER caddy[243744]: {"level":"info","ts":1728439694.9687476,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["deluge.theolaa.ca"],"ca":"https://acme.zerossl.com/v2/DV90","account":"theolaa@hotmail.ca"}
Oct 08 19:08:14 THEO-FILE-SERVER caddy[243744]: {"level":"info","ts":1728439694.9687583,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["deluge.theolaa.ca"],"ca":"https://acme.zerossl.com/v2/DV90","account":"theolaa@hotmail.ca"}
Oct 08 19:08:14 THEO-FILE-SERVER caddy[243744]: {"level":"debug","ts":1728439694.968776,"logger":"tls.issuance.acme.acme_client","msg":"creating order","account":"https://acme.zerossl.com/v2/DV90/account/XuyaPUpM8U2_0LwaCUW4jw","identifiers":["deluge.theolaa.ca"]}
Oct 08 19:08:15 THEO-FILE-SERVER caddy[243744]: {"level":"info","ts":1728439695.465616,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"deluge.theolaa.ca","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
Oct 08 19:08:15 THEO-FILE-SERVER caddy[243744]: {"level":"debug","ts":1728439695.4658437,"logger":"tls.issuance.acme.acme_client","msg":"waiting for solver before continuing","identifier":"deluge.theolaa.ca","challenge_type":"http-01"}
Oct 08 19:08:15 THEO-FILE-SERVER caddy[243744]: {"level":"debug","ts":1728439695.4658508,"logger":"tls.issuance.acme.acme_client","msg":"done waiting for solver","identifier":"deluge.theolaa.ca","challenge_type":"http-01"}
Oct 08 19:08:15 THEO-FILE-SERVER caddy[243744]: {"level":"debug","ts":1728439695.6748602,"logger":"tls.issuance.acme.acme_client","msg":"challenge accepted","identifier":"deluge.theolaa.ca","challenge_type":"http-01"}
Oct 08 19:14:03 THEO-FILE-SERVER caddy[243744]: {"level":"debug","ts":1728440043.430329,"logger":"events","msg":"event","name":"tls_get_certificate","id":"74edd1b4-be91-47f4-aa31-a88cb985bb4b","origin":"tls","data":{"client_hello":{"CipherSuites":[4865,4866,4867,49195,49196,49199,49200,49171,49192,156,157,47,53,10],"ServerName":"deluge.theolaa.ca","SupportedCurves":[29,23,24,25,25497,65074],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537,513,1539],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771,770,769],"RemoteAddr":{"IP":"172.71.147.112","Port":48408,"Zone":""},"LocalAddr":{"IP":"192.168.0.100","Port":443,"Zone":""}}}}
Oct 08 19:14:03 THEO-FILE-SERVER caddy[243744]: {"level":"debug","ts":1728440043.4303548,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"deluge.theolaa.ca"}
Oct 08 19:14:03 THEO-FILE-SERVER caddy[243744]: {"level":"debug","ts":1728440043.4303682,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"172.71.147.112","remote_port":"48408","server_name":"deluge.theolaa.ca","remote":"172.71.147.112:48408","identifier":"deluge.theolaa.ca","cipher_suites":[4865,4866,4867,49195,49196,49199,49200,49171,49192,156,157,47,53,10],"cert_cache_fill":0.0002,"load_or_obtain_if_necessary":true,"on_demand":false}
Oct 08 19:14:03 THEO-FILE-SERVER caddy[243744]: {"level":"debug","ts":1728440043.430396,"logger":"http.stdlib","msg":"http: TLS handshake error from 172.71.147.112:48408: no certificate available for 'deluge.theolaa.ca'"}
Oct 08 19:14:03 THEO-FILE-SERVER caddy[243744]: {"level":"debug","ts":1728440043.5086558,"logger":"events","msg":"event","name":"tls_get_certificate","id":"8ffdcff7-9bc1-4d87-8bc2-199feb0f2649","origin":"tls","data":{"client_hello":{"CipherSuites":[4865,4866,4867,49195,49196,49199,49200,49171,49192,156,157,47,53,10],"ServerName":"deluge.theolaa.ca","SupportedCurves":[29,23,24,25,25497,65074],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537,513,1539],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771,770,769],"RemoteAddr":{"IP":"172.71.147.141","Port":20550,"Zone":""},"LocalAddr":{"IP":"192.168.0.100","Port":443,"Zone":""}}}}
Oct 08 19:14:03 THEO-FILE-SERVER caddy[243744]: {"level":"debug","ts":1728440043.5086691,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"deluge.theolaa.ca"}
Oct 08 19:14:03 THEO-FILE-SERVER caddy[243744]: {"level":"debug","ts":1728440043.508681,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"172.71.147.141","remote_port":"20550","server_name":"deluge.theolaa.ca","remote":"172.71.147.141:20550","identifier":"deluge.theolaa.ca","cipher_suites":[4865,4866,4867,49195,49196,49199,49200,49171,49192,156,157,47,53,10],"cert_cache_fill":0.0002,"load_or_obtain_if_necessary":true,"on_demand":false}
Oct 08 19:14:03 THEO-FILE-SERVER caddy[243744]: {"level":"debug","ts":1728440043.508706,"logger":"http.stdlib","msg":"http: TLS handshake error from 172.71.147.141:20550: no certificate available for 'deluge.theolaa.ca'"}

3. Caddy version:

2.8.4

4. How I installed and ran Caddy:

It’s a systemd service that runs /usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
When I make changes to the Caddyfile, I use caddy validate and caddy reload.

a. System environment:

Ubuntu 24.04.1 LTS
Kernel 6.8.0-45-generic

b. Command:

It’s a systemd service that runs /usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
When I make changes to the Caddyfile, I use caddy validate and caddy reload.

c. Service/unit/compose file:

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddy config:

{
        email [REDACTED]
        debug
}

deluge.theolaa.ca {
        reverse_proxy 192.168.0.100:8112
        handle_errors {
                respond "Deluge: {err.status_code} {err.status_text}"
        }
}

5. Links to relevant resources:

I’ve looked into the logs a little closer and I’m seeing the thing now about Let's Encrypt rate limiting my account. I dug around and found I hadn’t allow-listed port 80 in NordVPN which is running on that server, so I allow-listed it and I’ll try reloading Caddy again in an hour and see if it makes a difference.

EDIT: This was indeed the issue. I couldn’t get a certificate because Let's Encrypt couldn’t get through to my server - despite port forwarding 443 and 80 to it on my router - due to NordVPN's allowlist. If you are troubleshooting this same error, make sure your port forwarding is set up correctly, your firewall is configured to allow ports 443 & 80, and if you’re running a VPN, make sure that it isn’t blocking ports as well.
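As an added example (not from the original post or the Caddy project), a small Python triage script that reads Caddy's JSON log lines, pulls the validator's response status out of each `challenge failed` record, notes the issuer rate limit and counts the downstream `no certificate available` handshake errors, then states the likely cause per hostname. The sample log lines, hostname, token and addresses are constructed placeholders modelled on the log above.

```python
import json
import re
from collections import defaultdict

# Constructed sample lines modelled on the post's Caddy debug log (journald prefix kept on
# the first line to show it is stripped). Hostname, token and IPs are placeholders.
SAMPLE_LOG = """\
Oct 08 19:08:13 host caddy[1234]: {"level":"error","logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"deluge.example.net","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"2001:db8::1: Invalid response from http://deluge.example.net/.well-known/acme-challenge/TOKEN: 522"}}
{"level":"error","logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"deluge.example.net","error":"HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new order :: too many failed authorizations recently"}
{"level":"debug","logger":"http.stdlib","msg":"http: TLS handshake error from 192.0.2.10:48408: no certificate available for 'deluge.example.net'"}
"""

JOURNAL_PREFIX = re.compile(r"^.*?caddy\[\d+\]:\s*")
INVALID_RESPONSE = re.compile(r"^(?P<validator>\S+): Invalid response from (?P<url>\S+): (?P<status>\d{3})$")
NO_CERT = re.compile(r"no certificate available for '(?P<host>[^']+)'")

def parse_line(line):
    """Return the JSON record of one log line, or None for non-JSON lines."""
    try:
        return json.loads(JOURNAL_PREFIX.sub("", line, count=1))
    except json.JSONDecodeError:
        return None

def triage(log_text):
    """Group ACME and TLS handshake failures per hostname and attach a diagnosis."""
    hosts = defaultdict(lambda: {"challenges": [], "rate_limited": False, "handshake_errors": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        msg = rec.get("msg", "")
        if msg == "challenge failed":
            m = INVALID_RESPONSE.match(rec.get("problem", {}).get("detail", ""))
            hosts[rec.get("identifier", "?")]["challenges"].append({
                "type": rec.get("challenge_type"),
                "validator": m["validator"] if m else None,   # ACME server's source address
                "status": int(m["status"]) if m else None,    # what it got instead of the token
            })
        elif msg == "could not get certificate from issuer" and "rateLimited" in rec.get("error", ""):
            hosts[rec.get("identifier", "?")]["rate_limited"] = True
        elif (m := NO_CERT.search(msg)):
            hosts[m["host"]]["handshake_errors"] += 1   # the visible symptom, not the cause
    for info in hosts.values():
        unreachable = any(c["type"] == "http-01" and c["status"] and c["status"] >= 500 for c in info["challenges"])
        if unreachable:
            info["diagnosis"] = "http-01 validator got a 5xx instead of the token: port 80 is not reaching Caddy (check port forwarding, host firewall, VPN allowlist)"
        elif info["challenges"]:
            info["diagnosis"] = "challenge failed for another reason; inspect problem.detail"
        else:
            info["diagnosis"] = "no challenge failure recorded"
        if info["rate_limited"]:
            info["diagnosis"] += "; issuer rate limit hit, fix reachability before retrying"
    return dict(hosts)
```

Run it against `journalctl -u caddy -o cat` output to get one diagnosis per hostname instead of scrolling through ClientHello dumps.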
