No certificate created for long domain name

1. Caddy version (caddy version): 2.4.1

2. How I run Caddy:

a. System environment:

$ docker-compose version
docker-compose version 1.24.0, build 0aa59064
docker-py version: 3.7.2
CPython version: 3.6.8
OpenSSL version: OpenSSL 1.1.0j  20 Nov 2018

$ docker version
Client:
 Version:           18.09.5
 API version:       1.39
 Go version:        go1.10.8
 Git commit:        e8ff056
 Built:             Thu Apr 11 04:43:57 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          18.09.5
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.10.8
  Git commit:       e8ff056
  Built:            Thu Apr 11 04:10:53 2019
  OS/Arch:          linux/amd64
  Experimental:     false

On Ubuntu 18.04

b. Command:

env DOMAIN=adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com docker-compose -f docker-compose.yml -f docker-compose.azurevm-highperf-caddy.yml

Note: The domain name is NOT fake. It exists for real.

c. Service/unit/compose file:

docker-compose.yml:

version: "2"

services:
  elasticsearch:
    build:
      context: elasticsearch/
    volumes:
      - elasticsearch-data:/usr/share/elasticsearch/data
      - ./elasticsearch/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro
    environment:
      node.name: elasticsearch
      cluster.initial_master_nodes: elasticsearch
      ES_CLUSTER_NAME: search-cluster
      ES_DATA_DIR: /usr/share/elasticsearch/data
    networks:
      - elk

  kibana:
    build:
      context: kibana/
    volumes:
      - kibana-data:/usr/share/kibana/data
      - ./kibana/config/:/usr/share/kibana/config:ro
    environment:
      KB_DATA_DIR: /usr/share/kibana/data
      KB_ELASTICSEARCH_URL: http://elasticsearch:9200
      KB_SERVER_NAME: kibana
    networks:
      - elk
    depends_on:
      - elasticsearch

volumes:
  elasticsearch-data:
    driver: local
  kibana-data:
    driver: local

networks:
  elk:
    driver: bridge

docker-compose.azurevm-highperf-caddy.yml:

version: "2"

services:
  elasticsearch:
    restart: always
    environment:
      ES_JAVA_OPTS: "-Xmx4000m -Xms4000m"

  kibana:
    restart: always
    environment:
      KB_BASE_PATH: /kibana

  caddy:
    image: caddy:2.4.1
    container_name: caddy
    restart: always
    volumes:
      - caddy-config:/config
      - caddy-data:/data
      - ./caddy:/etc/caddy
    ports:
      - 80:80
      - 443:443
    networks:
      - elk
    depends_on:
      - elasticsearch

volumes:
  caddy-config:
    driver: local
  caddy-data:
    driver: local

d. My complete Caddyfile or JSON config:

{
        email alexander@skwar.me
        debug
}

{$DOMAIN}:443

encode zstd gzip

log {
        level DEBUG
        output file /data/access.log {
                roll_size 10MB
                roll_keep 10
        }
}

handle_path /elasticsearch* {
        basicauth bcrypt Elasticsearch {
                import elasticsearch.auth.*
        }

        reverse_proxy http://elasticsearch:9200
}

handle_path /kibana* {
        basicauth bcrypt kibana {
                import kibana.auth.*
        }

        reverse_proxy http://kibana:5601
}

3. The problem I’m having:

When I try to connect to the system with https and curl (or any browser, for that matter), I get an error:

* Rebuilt URL to: https://adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com/
*   Trying 20.101.68.227...
* TCP_NODELAY set
* Connected to adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com (20.101.68.227) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, Server hello (2):
* error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
* stopped the pause stream!
* Closing connection 0
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

I see that there’s no cert in /data/caddy/certificates/acme.zerossl.com-v2-dv90.

Is it because the domain name adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com is too long for ZeroSSL and/or Let’s Encrypt?

4. Error messages and/or full log output:

{"level":"info","ts":1623251413.3436744,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"warn","ts":1623251413.348185,"msg":"input is not formatted with 'caddy fmt'","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
{"level":"warn","ts":1623251413.3529522,"logger":"admin","msg":"admin endpoint disabled"}
{"level":"info","ts":1623251413.3551383,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1623251413.356343,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1623251413.3653204,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0002da000"}
{"level":"info","ts":1623251417.9922957,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"info","ts":1623251417.9952114,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"debug","ts":1623251418.0029197,"logger":"http","msg":"starting server loop","address":"[::]:443","http3":false,"tls":true}
{"level":"debug","ts":1623251418.0043166,"logger":"http","msg":"starting server loop","address":"[::]:80","http3":false,"tls":false}
{"level":"info","ts":1623251418.004423,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com"]}
{"level":"info","ts":1623251418.0209818,"logger":"tls.obtain","msg":"acquiring lock","identifier":"adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com"}
{"level":"info","ts":1623251418.0235019,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1623251418.0235305,"msg":"serving initial configuration"}
{"level":"info","ts":1623251418.045598,"logger":"tls.obtain","msg":"lock acquired","identifier":"adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com"}
{"level":"info","ts":1623251418.0796387,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com"]}
{"level":"info","ts":1623251418.0797331,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com"]}
{"level":"debug","ts":1623251418.6768203,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"GET","url":"https://acme.zerossl.com/v2/DV90","headers":{"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["645"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:10:18 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"debug","ts":1623251419.0241773,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"HEAD","url":"https://acme.zerossl.com/v2/DV90/newNonce","headers":{"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Type":["application/octet-stream"],"Date":["Wed, 09 Jun 2021 15:10:19 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["UNtYSeE2UiSqJ6MyMxFCEZ0q0L-2WM9rRoMJxvy4o3o"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"debug","ts":1623251419.4353087,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/newOrder","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":201,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store","max-age=-1"],"Content-Length":["340"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:10:19 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/vLuglW6wgqbaAY5GMg056A"],"Replay-Nonce":["kyqWJQWXtJAdG3TAEnazrJLSQfPBrP9LUCoNt1bS8UU"],"Server":["nginx"],"Status":[""],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"debug","ts":1623251419.8020031,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/YPJsz7mUhtAO0EcpuOvrlg","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["508"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:10:19 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["ESLv60XpXGTHcUTpsXgShqcOUSZTlRMTA-RSnFe07xk"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"debug","ts":1623251419.8037128,"logger":"tls.issuance.acme.acme_client","msg":"no solver configured","challenge_type":"dns-01"}
{"level":"info","ts":1623251419.8037598,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"debug","ts":1623251420.1927032,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/chall/GcQ7ewfLTWeS6bDKkjTO_Q","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["164"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:10:20 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\"","<https://acme.zerossl.com/v2/DV90/authz/YPJsz7mUhtAO0EcpuOvrlg>;rel=\"up\""],"Replay-Nonce":["f4fAsVfc1MV_4GIg6FVmvLcmmRBu3TBRKcIhHAXryys"],"Retry-After":["10"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"debug","ts":1623251420.1932778,"logger":"tls.issuance.acme.acme_client","msg":"challenge accepted","identifier":"adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com","challenge_type":"http-01"}
{"level":"info","ts":1623251420.439978,"logger":"tls.issuance.acme","msg":"served key authentication","identifier":"adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com","challenge":"http-01","remote":"91.199.212.132:51396","distributed":false}
{"level":"debug","ts":1623251420.8062305,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/YPJsz7mUhtAO0EcpuOvrlg","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["378"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:10:20 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["SFqHMxycRmY039PERJZ375A958BbaPPWeRiUAoRCVYQ"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"info","ts":1623251420.8078237,"logger":"tls.issuance.acme.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme.zerossl.com/v2/DV90/order/vLuglW6wgqbaAY5GMg056A"}
{"level":"debug","ts":1623251421.2598224,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/order/vLuglW6wgqbaAY5GMg056A/finalize","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["343"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:10:21 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/vLuglW6wgqbaAY5GMg056A"],"Replay-Nonce":["xThiYUSIBqrRBI5B3A7_f3UlwmRcohsHiBWbIfQUZG8"],"Retry-After":["15"],"Server":["nginx"],"Status":[""],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"debug","ts":1623251436.7821586,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/order/vLuglW6wgqbaAY5GMg056A","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["340"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:10:36 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/vLuglW6wgqbaAY5GMg056A"],"Replay-Nonce":["3GbgAGcSAPAJlU9oyq10JRPUEPq6eHtJiy44zxT9kU8"],"Server":["nginx"],"Status":[""],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"error","ts":1623251436.7836578,"logger":"tls.obtain","msg":"will retry","error":"[adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com] Obtain: [adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com] finalizing order https://acme.zerossl.com/v2/DV90/order/vLuglW6wgqbaAY5GMg056A: final order is invalid: <nil> (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":18.738007623,"max_duration":2592000}
{"level":"debug","ts":1623251497.2347658,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"HEAD","url":"https://acme.zerossl.com/v2/DV90/newNonce","headers":{"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Type":["application/octet-stream"],"Date":["Wed, 09 Jun 2021 15:11:37 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["GPO5vssmfrsZb8NsphHaT9sFalVbQyEuvQrWbiIdKQ8"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"debug","ts":1623251497.6922028,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/newOrder","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":201,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store","max-age=-1"],"Content-Length":["340"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:11:37 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/oIru4wG4GACkgQ4_I3V8pw"],"Replay-Nonce":["p6Wp8uNX5zq9IX7XkVeYT0YcACoyJvwB9rTDF3xJLkE"],"Server":["nginx"],"Status":[""],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"debug","ts":1623251498.1034775,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/G6F1wLcxp43YxFjU0slxJw","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["508"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:11:38 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["y95Fq-oMO6hF8-HAgDKqpZcLfZrPuWmwl2rjEU0OUFU"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"debug","ts":1623251498.103671,"logger":"tls.issuance.acme.acme_client","msg":"no solver configured","challenge_type":"dns-01"}
{"level":"info","ts":1623251498.103697,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"debug","ts":1623251498.5154495,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/chall/0JuFrZ7i6hCBS-PYA8gAiQ","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["164"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:11:38 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\"","<https://acme.zerossl.com/v2/DV90/authz/G6F1wLcxp43YxFjU0slxJw>;rel=\"up\""],"Replay-Nonce":["kvevl5mbu_7xobZ5wLq_s4Wd-E5HI7anlvwmnaT4lSw"],"Retry-After":["10"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"debug","ts":1623251498.515614,"logger":"tls.issuance.acme.acme_client","msg":"challenge accepted","identifier":"adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com","challenge_type":"http-01"}
{"level":"info","ts":1623251498.6413262,"logger":"tls.issuance.acme","msg":"served key authentication","identifier":"adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com","challenge":"http-01","remote":"91.199.212.132:46022","distributed":false}
{"level":"debug","ts":1623251499.1502078,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/G6F1wLcxp43YxFjU0slxJw","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["378"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:11:39 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["QT-YAt3LB8zt66JGl3NE7X2SMjjWVtHoqZHMECRfFNk"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"info","ts":1623251499.1505473,"logger":"tls.issuance.acme.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme.zerossl.com/v2/DV90/order/oIru4wG4GACkgQ4_I3V8pw"}
{"level":"debug","ts":1623251499.5651095,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/order/oIru4wG4GACkgQ4_I3V8pw/finalize","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["343"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:11:39 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/oIru4wG4GACkgQ4_I3V8pw"],"Replay-Nonce":["kTZi_0M7xwDQNnJuPtuPQmSs-fLN-OZXpb-U2fAH-eo"],"Retry-After":["15"],"Server":["nginx"],"Status":[""],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"debug","ts":1623251514.974668,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/order/oIru4wG4GACkgQ4_I3V8pw","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["340"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:11:54 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/oIru4wG4GACkgQ4_I3V8pw"],"Replay-Nonce":["AQl3duWUCvv5UiqL88WB3noBe1i_Irfn2NW467rT0Yo"],"Server":["nginx"],"Status":[""],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"error","ts":1623251514.9749296,"logger":"tls.obtain","msg":"will retry","error":"[adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com] Obtain: [adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com] finalizing order https://acme.zerossl.com/v2/DV90/order/oIru4wG4GACkgQ4_I3V8pw: final order is invalid: <nil> (ca=https://acme.zerossl.com/v2/DV90)","attempt":2,"retrying_in":120,"elapsed":96.929279498,"max_duration":2592000}
{"level":"debug","ts":1623251635.4839494,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"HEAD","url":"https://acme.zerossl.com/v2/DV90/newNonce","headers":{"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Type":["application/octet-stream"],"Date":["Wed, 09 Jun 2021 15:13:55 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["QfA9R7e-hu4p7rAzIgiNosQYb81UQyR_2GD26T3s7RE"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"debug","ts":1623251635.9609659,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/newOrder","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":201,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store","max-age=-1"],"Content-Length":["340"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:13:55 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/C-vf9C90DqIZfxfRUTXwLw"],"Replay-Nonce":["kQg9cHXPMRSiM8FPi2bMtgz6pKNYNk3eRn9I2FHYy-A"],"Server":["nginx"],"Status":[""],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"debug","ts":1623251636.5822463,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/8mFa-ieQRTAE0IpP3M23lg","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["508"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:13:56 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["NOCpU2M56caLzkVJHti-QDucR2bsFjkQeXIAMoVOlCM"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"debug","ts":1623251636.582459,"logger":"tls.issuance.acme.acme_client","msg":"no solver configured","challenge_type":"dns-01"}
{"level":"info","ts":1623251636.582493,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"debug","ts":1623251637.2832394,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/chall/KX3uYKYah4316Cap7_csZQ","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["164"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:13:57 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\"","<https://acme.zerossl.com/v2/DV90/authz/8mFa-ieQRTAE0IpP3M23lg>;rel=\"up\""],"Replay-Nonce":["tBgAnetCokdbp53m8Krz8pLF0UDo0ewEb5PeFhVKD5A"],"Retry-After":["10"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"debug","ts":1623251637.283376,"logger":"tls.issuance.acme.acme_client","msg":"challenge accepted","identifier":"adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com","challenge_type":"http-01"}
{"level":"info","ts":1623251637.3965962,"logger":"tls.issuance.acme","msg":"served key authentication","identifier":"adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com","challenge":"http-01","remote":"91.199.212.132:51794","distributed":false}
{"level":"debug","ts":1623251638.4777198,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/8mFa-ieQRTAE0IpP3M23lg","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["378"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:13:58 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["TlekZQMjC_xhRRpRGIBnbFbfen02W-VEn92oYs5CU6g"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"info","ts":1623251638.4780781,"logger":"tls.issuance.acme.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme.zerossl.com/v2/DV90/order/C-vf9C90DqIZfxfRUTXwLw"}
{"level":"debug","ts":1623251639.1042376,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/order/C-vf9C90DqIZfxfRUTXwLw/finalize","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["343"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:13:59 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/C-vf9C90DqIZfxfRUTXwLw"],"Replay-Nonce":["kQf3YfcYdir-R9bQBotemIi-mTy-hgN_W35-NfxLHXA"],"Retry-After":["15"],"Server":["nginx"],"Status":[""],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"debug","ts":1623251654.50661,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/order/C-vf9C90DqIZfxfRUTXwLw","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["340"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:14:14 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/C-vf9C90DqIZfxfRUTXwLw"],"Replay-Nonce":["6Q2v1N783g8S-IdF4IieJCOlRKA-M7TJrxUEDUg-_j0"],"Server":["nginx"],"Status":[""],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"error","ts":1623251654.5068607,"logger":"tls.obtain","msg":"will retry","error":"[adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com] Obtain: [adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com] finalizing order https://acme.zerossl.com/v2/DV90/order/C-vf9C90DqIZfxfRUTXwLw: final order is invalid: <nil> (ca=https://acme.zerossl.com/v2/DV90)","attempt":3,"retrying_in":120,"elapsed":236.461209967,"max_duration":2592000}
{"level":"debug","ts":1623251774.9379306,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"HEAD","url":"https://acme.zerossl.com/v2/DV90/newNonce","headers":{"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Type":["application/octet-stream"],"Date":["Wed, 09 Jun 2021 15:16:14 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["Gcs_lFpdjyz3yO-VMmSDRyDAADlrfJ-g8jrLlj_pZFE"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"debug","ts":1623251775.3569002,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/newOrder","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":201,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store","max-age=-1"],"Content-Length":["340"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:16:15 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/QAUpeO__DiyuYFffVu7OlA"],"Replay-Nonce":["7-m_LsDTaTNTjHPCuRD-ck68ZCoq0WPTRqv-BAQ0cIk"],"Server":["nginx"],"Status":[""],"Strict-Transport-Security":["max-age=15552000"]}}

5. What I already tried:

6. Links to relevant resources:

Logs part 2:

{"level":"debug","ts":1623251775.7105982,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/ye2cafWuLKdx6sbOXkBaCw","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["508"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:16:15 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["ID_nzU0jl7kulsmh1VQyeGp88YeKnrR9jRBwUOlwQVk"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"debug","ts":1623251775.710979,"logger":"tls.issuance.acme.acme_client","msg":"no solver configured","challenge_type":"dns-01"}
{"level":"info","ts":1623251775.7110102,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"debug","ts":1623251776.075386,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/chall/510wEZA8ZQBh2NWzqRdQMg","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["164"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:16:16 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\"","<https://acme.zerossl.com/v2/DV90/authz/ye2cafWuLKdx6sbOXkBaCw>;rel=\"up\""],"Replay-Nonce":["LebNvakBQv2TXPATIVO0DOhi5_aO40ce7aDhFYT4z2U"],"Retry-After":["10"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"debug","ts":1623251776.0755193,"logger":"tls.issuance.acme.acme_client","msg":"challenge accepted","identifier":"adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com","challenge_type":"http-01"}
{"level":"info","ts":1623251776.2374177,"logger":"tls.issuance.acme","msg":"served key authentication","identifier":"adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com","challenge":"http-01","remote":"91.199.212.132:60524","distributed":false}
{"level":"debug","ts":1623251776.6981292,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/ye2cafWuLKdx6sbOXkBaCw","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["378"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:16:16 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["ACtQ1unPyA_pMbmw6X_1sbEk6W10WOMYDI0naVgpMsA"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"info","ts":1623251776.698543,"logger":"tls.issuance.acme.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme.zerossl.com/v2/DV90/order/QAUpeO__DiyuYFffVu7OlA"}
{"level":"debug","ts":1623251777.0798335,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/order/QAUpeO__DiyuYFffVu7OlA/finalize","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["343"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:16:17 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/QAUpeO__DiyuYFffVu7OlA"],"Replay-Nonce":["_HwtoHfxbiyb1k0_PGpsNU8liwiBpwxZF-rtfd62Jq4"],"Retry-After":["15"],"Server":["nginx"],"Status":[""],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"debug","ts":1623251793.1192217,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/order/QAUpeO__DiyuYFffVu7OlA","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["340"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:16:33 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/QAUpeO__DiyuYFffVu7OlA"],"Replay-Nonce":["eE572a9B3vwOgNc4jI2uV61_hSrt2Gjaig_-frqTXcs"],"Server":["nginx"],"Status":[""],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"error","ts":1623251793.1194627,"logger":"tls.obtain","msg":"will retry","error":"[adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com] Obtain: [adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com] finalizing order https://acme.zerossl.com/v2/DV90/order/QAUpeO__DiyuYFffVu7OlA: final order is invalid: <nil> (ca=https://acme.zerossl.com/v2/DV90)","attempt":4,"retrying_in":300,"elapsed":375.073811141,"max_duration":2592000}
{"level":"debug","ts":1623251973.8867247,"logger":"http.stdlib","msg":"http: TLS handshake error from 159.89.152.193:54350: no certificate available for 'adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com'"}
{"level":"debug","ts":1623252007.4840112,"logger":"http.stdlib","msg":"http: TLS handshake error from 20.101.68.227:34214: no certificate available for 'adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com'"}
{"level":"debug","ts":1623252093.7114303,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"HEAD","url":"https://acme.zerossl.com/v2/DV90/newNonce","headers":{"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Type":["application/octet-stream"],"Date":["Wed, 09 Jun 2021 15:21:33 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["fijylNGYgZPgb_YlNCU_XJ3k8CxIjXujS-Z8oH3saEg"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"debug","ts":1623252094.2400632,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/newOrder","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":201,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store","max-age=-1"],"Content-Length":["340"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:21:34 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/LFpA9EEZ_12EGIVk74yBGg"],"Replay-Nonce":["afQhoIIw6NvzR1Ai5JTfjDcpGKjsX-pWqk39krSojro"],"Server":["nginx"],"Status":[""],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"debug","ts":1623252094.654953,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/TtM2VlsQR6lrYVbj1ABQvA","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["508"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:21:34 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["s06O6qmMGzG9HuCKWnUgrC3KvwOstYz8gT0nGIq5Gao"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"debug","ts":1623252094.6552207,"logger":"tls.issuance.acme.acme_client","msg":"no solver configured","challenge_type":"dns-01"}
{"level":"info","ts":1623252094.6552482,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"debug","ts":1623252095.0252342,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/chall/JA0cG69HWUM1fRMNPQP6ew","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["164"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:21:35 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\"","<https://acme.zerossl.com/v2/DV90/authz/TtM2VlsQR6lrYVbj1ABQvA>;rel=\"up\""],"Replay-Nonce":["7gFN69pFOSzAdfxoMA3zbZ8pfMo1SVQuyrLwV3ArOYU"],"Retry-After":["10"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"debug","ts":1623252095.0259476,"logger":"tls.issuance.acme.acme_client","msg":"challenge accepted","identifier":"adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com","challenge_type":"http-01"}
{"level":"info","ts":1623252095.4391644,"logger":"tls.issuance.acme","msg":"served key authentication","identifier":"adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com","challenge":"http-01","remote":"91.199.212.132:38010","distributed":false}
{"level":"debug","ts":1623252095.6591296,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/TtM2VlsQR6lrYVbj1ABQvA","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["378"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:21:35 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["4SL1isZvdsj_H40r3uxNx9WVEF740-jWSVxMPpJwD78"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"info","ts":1623252095.6595094,"logger":"tls.issuance.acme.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme.zerossl.com/v2/DV90/order/LFpA9EEZ_12EGIVk74yBGg"}
{"level":"debug","ts":1623252096.0508852,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/order/LFpA9EEZ_12EGIVk74yBGg/finalize","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["343"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:21:36 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/LFpA9EEZ_12EGIVk74yBGg"],"Replay-Nonce":["kvdUpcQv0mAfUbWDrCxDnU2_0lCnIUCXKFc6MZ4oa_U"],"Retry-After":["15"],"Server":["nginx"],"Status":[""],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"debug","ts":1623252111.4320643,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/order/LFpA9EEZ_12EGIVk74yBGg","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["340"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:21:51 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/LFpA9EEZ_12EGIVk74yBGg"],"Replay-Nonce":["UhkBTKHgkK6zg_iJPQL46KonuApeEi5Cvo1SDiQClHk"],"Server":["nginx"],"Status":[""],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"error","ts":1623252111.4323277,"logger":"tls.obtain","msg":"will retry","error":"[adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com] Obtain: [adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com] finalizing order https://acme.zerossl.com/v2/DV90/order/LFpA9EEZ_12EGIVk74yBGg: final order is invalid: <nil> (ca=https://acme.zerossl.com/v2/DV90)","attempt":5,"retrying_in":600,"elapsed":693.386677707,"max_duration":2592000}

Hi Alexander,

I just asked ZeroSSL about this, and apparently it’s a known issue they’re working on fixing for long domain names.

In the meantime you can probably get a cert from Let’s Encrypt.

It is a bit peculiar that it goes straight to ZeroSSL though, I think it should still be trying LE first. :thinking:

1 Like

I forced it to use ZeroSSL, by setting the acme_ca domain.

Regarding Let’s Encrypt: just 3 years ago, it didn’t work there, according to A certificate for a 63-character domain - Help - Let's Encrypt Community Support

Going to give it a try now. Maybe things have changed since then.

Really? Where? I must be blind because I don’t see that in your config.

Oh.
Copy and paste mistake.

Caddyfile:

{
        acme_ca https://acme.zerossl.com/v2/DV90
        email alexander@skwar.me
        admin off
        debug
}

{$DOMAIN}:443

encode zstd gzip

log {
        level INFO
        output file /data/access.log {
                roll_size 10MB
                roll_keep 10
        }
}

handle_path /elasticsearch* {
        basicauth bcrypt Elasticsearch {
                import elasticsearch.auth.*
        }

        reverse_proxy http://elasticsearch:9200
}

handle_path /kibana* {
        basicauth bcrypt kibana {
                import kibana.auth.*
        }

        reverse_proxy http://kibana:5601
}

It also fails with Let’s Encrypt - I now really have removed the acme_ca line, so that Caddy tries both CAs:

{"level":"info","ts":1623253668.8010874,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"warn","ts":1623253668.8098752,"msg":"input is not formatted with 'caddy fmt'","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
{"level":"warn","ts":1623253668.8117285,"logger":"admin","msg":"admin endpoint disabled"}
{"level":"info","ts":1623253668.8131232,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1623253668.8131697,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1623253668.828571,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000334310"}
{"level":"debug","ts":1623253673.4997709,"logger":"http","msg":"starting server loop","address":"[::]:443","http3":false,"tls":true}
{"level":"debug","ts":1623253673.5049827,"logger":"http","msg":"starting server loop","address":"[::]:80","http3":false,"tls":false}
{"level":"info","ts":1623253673.505014,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com"]}
{"level":"info","ts":1623253673.5059257,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1623253673.5059454,"msg":"serving initial configuration"}
{"level":"info","ts":1623253673.5060015,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"info","ts":1623253673.5197163,"logger":"tls.obtain","msg":"acquiring lock","identifier":"adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com"}
{"level":"info","ts":1623253673.521489,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1623253673.5372322,"logger":"tls.obtain","msg":"lock acquired","identifier":"adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com"}
{"level":"debug","ts":1623253674.3535638,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"GET","url":"https://acme-v02.api.letsencrypt.org/directory","headers":{"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["658"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:47:54 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}}
{"level":"debug","ts":1623253674.489307,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"HEAD","url":"https://acme-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Wed, 09 Jun 2021 15:47:54 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0004K-YgLVu9sC4niZIc8-HSQyQ7QYp24ZV4FDYPKgMWXY0"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}}
{"level":"debug","ts":1623253674.704439,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/new-acct","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":201,"response_headers":{"Boulder-Requester":["126527652"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["315"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:47:54 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf>;rel=\"terms-of-service\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/acct/126527652"],"Replay-Nonce":["0003HphF0pYQRtd7uS0-ancJy-p8LQcLGs8nLNvrakfx5JU"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}}
{"level":"info","ts":1623253674.705236,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com"]}
{"level":"info","ts":1623253674.7052631,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com"]}
{"level":"debug","ts":1623253674.854176,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":400,"response_headers":{"Boulder-Requester":["126527652"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["158"],"Content-Type":["application/problem+json"],"Date":["Wed, 09 Jun 2021 15:47:54 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0003wcSmbzUxD0_JI-CPLWJt-dXD8FYjT7P3Pz4ncbK2p_0"],"Server":["nginx"]}}
{"level":"info","ts":1623253674.8565454,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com"]}
{"level":"info","ts":1623253674.856609,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com"]}
{"level":"debug","ts":1623253675.3146286,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"GET","url":"https://acme.zerossl.com/v2/DV90","headers":{"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["645"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:47:55 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"debug","ts":1623253675.6621923,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"HEAD","url":"https://acme.zerossl.com/v2/DV90/newNonce","headers":{"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Type":["application/octet-stream"],"Date":["Wed, 09 Jun 2021 15:47:55 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["ERuqBNO-YIwTk8gbXXmU6gWTtz0o_eRRNYvel1YtiME"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"debug","ts":1623253676.0828393,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/newOrder","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":201,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store","max-age=-1"],"Content-Length":["340"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:47:56 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/0uPS-q6gGrBVghd-7QLXKw"],"Replay-Nonce":["RGtg6f4OHqszt9H9kHvqVKX37Ewo3tRP8_jk5Xmk9Og"],"Server":["nginx"],"Status":[""],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"debug","ts":1623253676.443431,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/Ng7v8lMNiQatZsQblaUxZg","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["508"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:47:56 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["IhcRRg459geY6BymQvo_vLH6Iduh6OmLqzLOsvMQ8eU"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"debug","ts":1623253676.4447467,"logger":"tls.issuance.acme.acme_client","msg":"no solver configured","challenge_type":"dns-01"}
{"level":"info","ts":1623253676.4454005,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"debug","ts":1623253676.8152056,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/chall/HiPBJ7HLTFqOdjDVHOkK-g","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["164"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:47:56 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\"","<https://acme.zerossl.com/v2/DV90/authz/Ng7v8lMNiQatZsQblaUxZg>;rel=\"up\""],"Replay-Nonce":["FuuH0Xr8C0pvTB600p2KlExOPcXPfuTqQbyJgQQFxQY"],"Retry-After":["10"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"debug","ts":1623253676.8165672,"logger":"tls.issuance.acme.acme_client","msg":"challenge accepted","identifier":"adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com","challenge_type":"http-01"}
{"level":"info","ts":1623253676.9626443,"logger":"tls.issuance.acme","msg":"served key authentication","identifier":"adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com","challenge":"http-01","remote":"91.199.212.132:35666","distributed":false}
{"level":"debug","ts":1623253677.449481,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/Ng7v8lMNiQatZsQblaUxZg","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["378"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:47:57 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["WAcY_CXFZu3GRMgfCzwygLFct_tvRn7w7Q6VWGFWyWs"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"info","ts":1623253677.4508212,"logger":"tls.issuance.acme.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme.zerossl.com/v2/DV90/order/0uPS-q6gGrBVghd-7QLXKw"}
{"level":"debug","ts":1623253677.8380468,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/order/0uPS-q6gGrBVghd-7QLXKw/finalize","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["343"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:47:57 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/0uPS-q6gGrBVghd-7QLXKw"],"Replay-Nonce":["1ZXzr3_T-PuPhMNcjF6DNP3O9kpe9LqgoJ7VgUhyBgE"],"Retry-After":["15"],"Server":["nginx"],"Status":[""],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"debug","ts":1623253693.2315218,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/order/0uPS-q6gGrBVghd-7QLXKw","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.1 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["340"],"Content-Type":["application/json"],"Date":["Wed, 09 Jun 2021 15:48:13 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/0uPS-q6gGrBVghd-7QLXKw"],"Replay-Nonce":["SSKtOKuMMrQ_UPwRjiFsw9CPszhPwF14_H_1fykuLbE"],"Server":["nginx"],"Status":[""],"Strict-Transport-Security":["max-age=15552000"]}}
{"level":"error","ts":1623253693.2326405,"logger":"tls.obtain","msg":"will retry","error":"[adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com] Obtain: [adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com] finalizing order https://acme.zerossl.com/v2/DV90/order/0uPS-q6gGrBVghd-7QLXKw: final order is invalid: <nil> (ca=https://acme.zerossl.com/v2/DV90)","attempt"

Ok, so I did confirm that Let’s Encrypt also won’t issue certificates for such long DNS names, because they are too long for the CN field (which is deprecated, I’m not sure why they still fill that out):

HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - NewOrder request did not include a SAN short enough to fit in CN

That is the same reason ZeroSSL fails, but ZeroSSL doesn’t return an error until finalizing the order, whereas Let’s Encrypt returns an error while creating the order.

Due to an oversight in error handling, the error message from the first CA tried was not printed out.

Looks like you’ll have to use a shorter domain name – you can file bugs with the CAs to have that fixed – and in the meantime I’ll improve the error logging in this weird edge case.

Edit: Error logging is fixed in Log errors between issuer attempts · caddyserver/certmagic@388f3ed · GitHub.

2 Likes
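As an added illustration (not part of the original posts, and not Caddy or CertMagic code), here is a pre-flight check for the failure described above: it tests whether an order contains at least one name short enough to fit in CN, following the wording of the Let's Encrypt error. The 64-character bound is the RFC 5280 commonName limit; the function names and the `elk.example.com` sample are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Limits assumed by this example. Lengths are counted in bytes, so
// internationalized names must already be in their ASCII (A-label) form.
const (
	maxCommonName = 64  // RFC 5280 upper bound for commonName
	maxLabel      = 63  // DNS limit for a single label
	maxName       = 253 // DNS limit for a whole name, without trailing dot
)

// OrderCheck is the outcome of checking the names of one certificate order.
type OrderCheck struct {
	Invalid      map[string]string // name -> reason it is not a usable DNS name
	TooLongForCN []string          // valid DNS names longer than 64 characters
	CNCandidate  string            // shortest valid name that fits in CN, or ""
}

// OK reports whether a CA that still fills in CN could issue for this order:
// every name is a valid DNS name and at least one of them fits in CN.
func (c OrderCheck) OK() bool {
	return len(c.Invalid) == 0 && c.CNCandidate != ""
}

// normalize lower-cases the name and drops surrounding space and a root dot.
func normalize(name string) string {
	return strings.ToLower(strings.TrimSuffix(strings.TrimSpace(name), "."))
}

// dnsProblem returns a reason if the name breaks DNS length rules, else "".
func dnsProblem(name string) string {
	if name == "" {
		return "empty name"
	}
	if len(name) > maxName {
		return fmt.Sprintf("name is %d characters, DNS limit is %d", len(name), maxName)
	}
	for _, label := range strings.Split(name, ".") {
		if label == "" {
			return "empty label"
		}
		if len(label) > maxLabel {
			return fmt.Sprintf("label %q is %d characters, DNS limit is %d", label, len(label), maxLabel)
		}
	}
	return ""
}

// CheckOrder classifies every requested name and picks a CN candidate.
func CheckOrder(names []string) OrderCheck {
	res := OrderCheck{Invalid: map[string]string{}}
	for _, raw := range names {
		n := normalize(raw)
		if p := dnsProblem(n); p != "" {
			res.Invalid[n] = p
			continue
		}
		if len(n) > maxCommonName {
			res.TooLongForCN = append(res.TooLongForCN, n)
			continue
		}
		if res.CNCandidate == "" || len(n) < len(res.CNCandidate) {
			res.CNCandidate = n
		}
	}
	return res
}

func main() {
	// The long name is the one from this thread; the short one is constructed.
	long := "adv-shr-this-is-a-very-long-name-with-many-chars.westeurope.cloudapp.azure.com"
	for _, order := range [][]string{{long}, {long, "elk.example.com"}} {
		c := CheckOrder(order)
		fmt.Printf("names=%v ok=%v cn=%q too_long_for_cn=%v invalid=%v\n",
			order, c.OK(), c.CNCandidate, c.TooLongForCN, c.Invalid)
	}
}
```

Running this against the site names before deployment surfaces the problem at configuration time instead of as repeated "no certificate available" TLS handshake errors.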

This is a rare case, so we may be able to report it to ZeroSSL. However, due to bad timing, ZeroSSL is currently having problems with the API response for a few days, so it is possible that it is not returning a reply. We will be able to confirm this issue when we encounter the same issue.
https://status.zerossl.com/8200003/2021/06

1 Like

Just as supporting reference to Matt’s statement, this is pointed out in public CA documentation, such as here:

https://docs.digicert.com/manage-certificates/public-certificates-data-entries-that/#64character-maximum-limit-violation

2 Likes

Just as a bit more context to understand (for the CN at least) it's not a bug.
It's RFC, as discussed here: V4/RFC 2818 certificate compliance - FreeIPA

"RFC 5280 defines the maximum length of the CN to be 64 characters"

(although not directly, it's buried in the discussion)

2 Likes

Thanks for clarifying and linking this.

Since CommonName is deprecated, I imagine the solution (for the CAs to implement) will be to leave it empty when the subject names are long…

All I can find is what looks like a modification to the RFC in discussion on cabforum.org, with the proposal being that it should be unlimited for the dns value entry:

Probably clarifying non definition previously? It's attached to this dated conversation (correction - I forgot to add the convo link). I have no idea where it ended up as far as ratification/publication. However, from the doc to the discussion, as far as limitation on subjectAlternativeName dns values, it's already “none”. There might be implementation specific variance as historically it's not well defined… So yeah nuke CN evaluation/presentation/generation and limit to subjectAlternativeName handling within the request/CA extensions.
“how” at the code implementation level against the underlying libs… Not sure.