No valid A records found when starting Caddy

1. Caddy version (caddy version): v2.4.6

2. How I run Caddy:

a. System environment: Windows 10 x64

b. Command:

caddy start

c. Service/unit/compose file:

N/A

d. My complete Caddyfile or JSON config:

{
	email me@email.co.uk
}
home.chewie.co.uk {
	encode gzip
	log {
		output file C:\Caddy\logs\access.log {
			roll true # Rotate logs, enabled by default
			roll_size_mb 5 # Set max size 5 MB
			roll_gzip true # Whether to compress rolled files
			roll_local_time true # Use local time rather than UTC for rolled file names
			roll_keep 2 # Keep at most 2 log files
			roll_keep_days 7 # Keep log files for 7 days
		}
	}

	# https://radarr.media/
	reverse_proxy /radarr* 127.0.0.1:7878

	# https://sonarr.tv/
	reverse_proxy /sonarr* 127.0.0.1:8989

	# https://bazarr.media
	reverse_proxy /bazarr* 127.0.0.1:6767

	# https://nzbget.net/
	reverse_proxy /nzbget* 127.0.0.1:6789

	# https://transmissionbt.com/
	#reverse_proxy /transmission* 127.0.0.1:9091/gui

	# https://tautulli.com/
	reverse_proxy /tautulli* 127.0.0.1:8181

	# https://hoobs.org
	#reverse_proxy /hoobs* 192.168.0.10:8080

	# https://www.qbittorrent.org
	#reverse_proxy /qbit* 127.0.0.1:8081
}

3. The problem I’m having:

  • Caddy is fully accessible on my network and I can successfully access each of the services above from any device on my network
  • Caddy is NOT accessible from outside my network
  • When running caddy start I get an error stating…
2022/04/19 18:55:20.588 ERROR   tls.issuance.acme.acme_client   challenge failed        {"identifier": "home.chewie.co.uk", "challenge_type": "http-01", "problem": {"type": "urn:ietf:params:acme:error:dns", "title": "", "detail": "no valid A records found for home.chewie.co.uk; no valid AAAA records found for home.chewie.co.uk", "instance": "", "subproblems": []}}

2022/04/19 18:55:20.588 ERROR   tls.issuance.acme.acme_client   validating authorization        {"identifier": "home.chewie.co.uk", "problem": {"type": "urn:ietf:params:acme:error:dns", "title": "", "detail": "no valid A records found for home.chewie.co.uk; no valid AAAA records found for home.chewie.co.uk", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/105195964/81561771440", "attempt": 1, "max_attempts": 3}
  • However, I can see that the A record is updated on my Dynamic DNS service

  • I do have port 80 and port 443 redirected on my Load Balancer Router, but I am not convinced it is working correctly, or perhaps there is a conflict?

  • The reason I think there may be a conflict is because, whilst both my WAN modems are in bridge mode, the IP address shown for them on my load balancer dashboard is never the same as the “internet IP address” shown when I do “What’s my IP” etc. in Google.

(Screenshot 2022-04-20 at 03.16.12: load balancer dashboard)

  • I have tried setting the Dynamic DNS to each of the two WAN IP addresses and to the “internet IP address”, but nothing has worked.

  • I even set the Windows machine running Caddy into the router DMZ but it didn’t help

  • I have qBittorrent running its web GUI and I can’t access it remotely via home.chewie.co.uk:8081, but it works internally. This makes me suspect a Dynamic DNS / routing error rather than a Caddy-specific error.

  • Pinging home.chewie.co.uk remotely also results in a timeout error.

  • curl -v also isn’t looking great:

curl -v home.chewie.co.uk/radarr
*   Trying 100.77.138.223:80...
* Connected to home.chewie.co.uk (100.77.138.223) port 80 (#0)
> GET /radarr HTTP/1.1
> Host: home.chewie.co.uk
> User-Agent: curl/7.79.1
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://home.chewie.co.uk/radarr
< Server: Caddy
< Date: Tue, 19 Apr 2022 18:56:07 GMT
< Content-Length: 0
< 
* Closing connection 0

4. Error messages and/or full log output:

C:\Caddy>caddy start
2022/04/19 18:55:17.865 INFO    using adjacent Caddyfile
2022/04/19 18:55:17.871 INFO    admin   admin endpoint started  {"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["localhost:2019", "[::1]:2019", "127.0.0.1:2019"]}
2022/04/19 18:55:17.872 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc0003e42a0"}
2022/04/19 18:55:17.872 INFO    http    server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2022/04/19 18:55:17.872 INFO    http    enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2022/04/19 18:55:17.873 INFO    tls     cleaning storage unit   {"description": "FileStorage:C:\\Users\\Chewie\\AppData\\Roaming\\Caddy"}
2022/04/19 18:55:17.874 INFO    http    enabling automatic TLS certificate management   {"domains": ["home.chewie.co.uk"]}
2022/04/19 18:55:17.878 INFO    autosaved config (load with --resume flag)      {"file": "C:\\Users\\Chewie\\AppData\\Roaming\\Caddy\\autosave.json"}
2022/04/19 18:55:17.878 INFO    serving initial configuration
Successfully started Caddy (pid=12908) - Caddy is running in the background
2022/04/19 18:55:17.880 INFO    tls     finished cleaning storage units

C:\Caddy>2022/04/19 18:55:17.887        INFO    tls.renew       acquiring lock  {"identifier": "home.chewie.co.uk"}
2022/04/19 18:55:17.912 INFO    tls.renew       lock acquired   {"identifier": "home.chewie.co.uk"}
2022/04/19 18:55:17.912 INFO    tls.renew       renewing certificate    {"identifier": "home.chewie.co.uk", "remaining": 2555737.0871992}
2022/04/19 18:55:17.913 INFO    tls.issuance.acme       waiting on internal rate limiter        {"identifiers": ["home.chewie.co.uk"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "dean@chewie.co.uk"}
2022/04/19 18:55:17.913 INFO    tls.issuance.acme       done waiting on internal rate limiter   {"identifiers": ["home.chewie.co.uk"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "dean@chewie.co.uk"}
2022/04/19 18:55:19.379 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "home.chewie.co.uk", "challenge_type": "http-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2022/04/19 18:55:20.588 ERROR   tls.issuance.acme.acme_client   challenge failed        {"identifier": "home.chewie.co.uk", "challenge_type": "http-01", "problem": {"type": "urn:ietf:params:acme:error:dns", "title": "", "detail": "no valid A records found for home.chewie.co.uk; no valid AAAA records found for home.chewie.co.uk", "instance": "", "subproblems": []}}
2022/04/19 18:55:20.588 ERROR   tls.issuance.acme.acme_client   validating authorization        {"identifier": "home.chewie.co.uk", "problem": {"type": "urn:ietf:params:acme:error:dns", "title": "", "detail": "no valid A records found for home.chewie.co.uk; no valid AAAA records found for home.chewie.co.uk", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/105195964/81561771440", "attempt": 1, "max_attempts": 3}
2022/04/19 18:55:22.230 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "home.chewie.co.uk", "challenge_type": "tls-alpn-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2022/04/19 18:55:23.386 ERROR   tls.issuance.acme.acme_client   challenge failed        {"identifier": "home.chewie.co.uk", "challenge_type": "tls-alpn-01", "problem": {"type": "urn:ietf:params:acme:error:dns", "title": "", "detail": "no valid A records found for home.chewie.co.uk; no valid AAAA records found for home.chewie.co.uk", "instance": "", "subproblems": []}}
2022/04/19 18:55:23.388 ERROR   tls.issuance.acme.acme_client   validating authorization        {"identifier": "home.chewie.co.uk", "problem": {"type": "urn:ietf:params:acme:error:dns", "title": "", "detail": "no valid A records found for home.chewie.co.uk; no valid AAAA records found for home.chewie.co.uk", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/105195964/81561780730", "attempt": 2, "max_attempts": 3}
2022/04/19 18:55:24.698 ERROR   tls.renew       could not get certificate from issuer   {"identifier": "home.chewie.co.uk", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/"}
2022/04/19 18:55:24.700 INFO    tls.issuance.acme       waiting on internal rate limiter        {"identifiers": ["home.chewie.co.uk"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "dean@chewie.co.uk"}
2022/04/19 18:55:24.701 INFO    tls.issuance.acme       done waiting on internal rate limiter   {"identifiers": ["home.chewie.co.uk"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "dean@chewie.co.uk"}
2022/04/19 18:55:30.213 ERROR   http.handlers.reverse_proxy     aborting with incomplete response       {"error": "http2: stream closed"}
2022/04/19 18:55:30.217 ERROR   http.handlers.reverse_proxy     aborting with incomplete response       {"error": "context canceled"}
2022/04/19 18:55:30.232 ERROR   http.handlers.reverse_proxy     aborting with incomplete response       {"error": "context canceled"}
2022/04/19 18:55:30.251 ERROR   http.handlers.reverse_proxy     aborting with incomplete response       {"error": "context canceled"}
2022/04/19 18:55:32.172 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "home.chewie.co.uk", "challenge_type": "http-01", "ca": "https://acme.zerossl.com/v2/DV90"}
2022/04/19 19:00:39.206 ERROR   tls.renew       could not get certificate from issuer   {"identifier": "home.chewie.co.uk", "issuer": "acme.zerossl.com-v2-DV90", "error": "[home.chewie.co.uk] solving challenges: [home.chewie.co.uk] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/FOxWQflCs18J1Zp226oYgg) (ca=https://acme.zerossl.com/v2/DV90)"}
2022/04/19 19:00:39.206 ERROR   tls.renew       will retry      {"error": "[home.chewie.co.uk] Renew: [home.chewie.co.uk] solving challenges: [home.chewie.co.uk] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/FOxWQflCs18J1Zp226oYgg) (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 1, "retrying_in": 60, "elapsed": 321.2946833, "max_duration": 2592000}
2022/04/19 19:01:39.229 INFO    tls.renew       renewing certificate    {"identifier": "home.chewie.co.uk", "remaining": 2555355.7706677}
2022/04/19 19:01:40.838 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "home.chewie.co.uk", "challenge_type": "tls-alpn-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"}
2022/04/19 19:01:42.151 ERROR   tls.issuance.acme.acme_client   challenge failed        {"identifier": "home.chewie.co.uk", "challenge_type": "tls-alpn-01", "problem": {"type": "urn:ietf:params:acme:error:dns", "title": "", "detail": "no valid A records found for home.chewie.co.uk; no valid AAAA records found for home.chewie.co.uk", "instance": "", "subproblems": []}}
2022/04/19 19:01:42.151 ERROR   tls.issuance.acme.acme_client   validating authorization        {"identifier": "home.chewie.co.uk", "problem": {"type": "urn:ietf:params:acme:error:dns", "title": "", "detail": "no valid A records found for home.chewie.co.uk; no valid AAAA records found for home.chewie.co.uk", "instance": "", "subproblems": []}, "order": "https://acme-staging-v02.api.letsencrypt.org/acme/order/16955219/2353910214", "attempt": 1, "max_attempts": 3}
2022/04/19 19:01:43.713 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "home.chewie.co.uk", "challenge_type": "http-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"}
2022/04/19 19:01:44.503 ERROR   tls.issuance.acme.acme_client   challenge failed        {"identifier": "home.chewie.co.uk", "challenge_type": "http-01", "problem": {"type": "urn:ietf:params:acme:error:dns", "title": "", "detail": "no valid A records found for home.chewie.co.uk; no valid AAAA records found for home.chewie.co.uk", "instance": "", "subproblems": []}}
2022/04/19 19:01:44.503 ERROR   tls.issuance.acme.acme_client   validating authorization        {"identifier": "home.chewie.co.uk", "problem": {"type": "urn:ietf:params:acme:error:dns", "title": "", "detail": "no valid A records found for home.chewie.co.uk; no valid AAAA records found for home.chewie.co.uk", "instance": "", "subproblems": []}, "order": "https://acme-staging-v02.api.letsencrypt.org/acme/order/16955219/2353910374", "attempt": 2, "max_attempts": 3}
2022/04/19 19:01:46.324 ERROR   tls.renew       could not get certificate from issuer   {"identifier": "home.chewie.co.uk", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[home.chewie.co.uk] solving challenges: home.chewie.co.uk: no solvers available for remaining challenges (configured=[http-01 tls-alpn-01] offered=[http-01 dns-01 tls-alpn-01] remaining=[dns-01]) (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/16955219/2353910594) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}

5. What I already tried:

  • Upgraded Caddy to v2.4.6
  • Changed multiple settings on the router to utilise a single WAN
  • Rechecked port forwarding
  • Tried the machine in the DMZ
  • Changed the dynamic DNS settings on the router to use “internet IP” instead of “WAN IP”
  • Searched the forum for previous related posts
  • It is also worth noting that before switching over to Caddy a couple of years back, I was able to access all the services such as Sonarr etc. directly from remote machines. I just don’t think remote access has worked properly since switching to Caddy.

Any help or advice is appreciated. Thanks :)

6. Links to relevant resources:

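As an added example that is not part of the original post, the Python script below pulls the ACME failures out of Caddy's console-format log (the same line shape as the log above, re-typed here as a constructed sample) and groups them by challenge type and RFC 8555 error class. The two classes worth telling apart are `urn:ietf:params:acme:error:dns`, meaning the CA's validator found no usable, publicly routable A/AAAA record for the name, and `rateLimited`, which is the secondary damage from retrying against the production Let's Encrypt endpoint while the first problem is unresolved. The `diagnose` hints are this editor's, not Caddy's or Let's Encrypt's.

```python
import json
import re
from collections import Counter

# Constructed sample in the console format Caddy v2 prints:
# timestamp, level, logger, message, optional JSON fields.
SAMPLE_LOG = """\
2022/04/19 18:55:17.878 INFO    serving initial configuration
2022/04/19 18:55:19.379 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "home.chewie.co.uk", "challenge_type": "http-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2022/04/19 18:55:20.588 ERROR   tls.issuance.acme.acme_client   challenge failed        {"identifier": "home.chewie.co.uk", "challenge_type": "http-01", "problem": {"type": "urn:ietf:params:acme:error:dns", "title": "", "detail": "no valid A records found for home.chewie.co.uk; no valid AAAA records found for home.chewie.co.uk", "instance": "", "subproblems": []}}
2022/04/19 18:55:23.386 ERROR   tls.issuance.acme.acme_client   challenge failed        {"identifier": "home.chewie.co.uk", "challenge_type": "tls-alpn-01", "problem": {"type": "urn:ietf:params:acme:error:dns", "title": "", "detail": "no valid A records found for home.chewie.co.uk; no valid AAAA records found for home.chewie.co.uk", "instance": "", "subproblems": []}}
2022/04/19 18:55:24.698 ERROR   tls.renew       could not get certificate from issuer   {"identifier": "home.chewie.co.uk", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/"}
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<level>[A-Z]+)\s+"
    r"(?P<logger>\S+)\s+"
    r"(?P<msg>.*?)(?:\s+(?P<fields>\{.*\}))?$"
)
# RFC 8555 problem types are URNs of the form urn:ietf:params:acme:error:<class>.
ACME_ERR_RE = re.compile(r"urn:ietf:params:acme:error:(\w+)")


def parse_line(line):
    """Split one console log line into its parts; None for lines that are not log records."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = json.loads(rec["fields"]) if rec["fields"] else {}
    return rec


def acme_failures(log_text):
    """One dict per ERROR record carrying an ACME problem, whether it arrived as a
    structured 'problem' object or embedded in a flat 'error' string."""
    found = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["level"] != "ERROR":
            continue
        f = rec["fields"]
        problem = f.get("problem") or {}
        m = ACME_ERR_RE.search(problem.get("type") or f.get("error") or "")
        if not m:
            continue
        found.append({
            "identifier": f.get("identifier"),
            "challenge_type": f.get("challenge_type"),
            "error": m.group(1),
            "detail": problem.get("detail") or f.get("error"),
        })
    return found


def summarize(failures):
    """Count failures by (challenge type, ACME error class)."""
    return Counter((x["challenge_type"] or "-", x["error"]) for x in failures)


def diagnose(failures):
    """First thing to check for each error class seen (editor's hints, not Caddy output)."""
    seen = {x["error"] for x in failures}
    hints = []
    if "dns" in seen:
        hints.append("dns: the CA found no usable A/AAAA record. Check what the name "
                     "resolves to from outside and whether that address is publicly "
                     "routable (not RFC 1918, not CG-NAT 100.64.0.0/10).")
    if "connection" in seen:
        hints.append("connection: the CA could not connect to the address on port 80/443. "
                     "Check port forwarding and that Caddy is bound to both ports.")
    if "rateLimited" in seen:
        hints.append("rateLimited: stop retrying against production Let's Encrypt; "
                     "use the staging CA until the underlying failure is fixed.")
    return hints


if __name__ == "__main__":
    fails = acme_failures(SAMPLE_LOG)
    for (challenge, err), n in summarize(fails).items():
        print(f"{n}x {err:<12} via {challenge}")
    for hint in diagnose(fails):
        print("-", hint)
```

Feed it the real log with `acme_failures(open("caddy.log").read())`; the ANSI colour codes in the first few lines above do not matter because only lines whose level is ERROR are inspected.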

I strongly recommend running Caddy as a windows service instead of using caddy start. You can follow these instructions to set it up:

This error is coming from Let’s Encrypt. It seems like your IP address is part of some blocklist, according to this:


Ah, right – your IP address is one reserved for CG-NAT:

The allocated address block is 100.64.0.0/10, i.e. IP addresses from 100.64.0.0 to 100.127.255.255.

This is because your ISP doesn’t own enough IP addresses to serve all its customers, so they use CG-NAT as a workaround.

This means your network cannot be made publicly accessible via typical means. You’ll need to use some service like Cloudflare Tunnels, get a VPS and use WireGuard, or something.

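To make the diagnosis above checkable rather than eyeballed, here is an added Python example (this editor's, not from the thread or from Caddy) that classifies the addresses a name resolves to. It treats RFC 6598 shared address space, 100.64.0.0/10, as carrier-grade NAT explicitly, because Python's `ipaddress` module reports that block as neither private nor global. The resolver is injectable; the constructed table maps the name to 100.77.138.223, the address the `curl -v` output above connected to, so the example runs offline. The verdict strings and the `dns-01` suggestion are the editor's: the staging log above shows the CA offering `dns-01` with no solver configured, and `dns-01` is the only ACME challenge that does not need an inbound connection to the host.

```python
import ipaddress
import socket

# RFC 6598 shared address space (carrier-grade NAT). Checked explicitly because
# ipaddress reports it as neither is_private nor is_global.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify(addr):
    """Label an IP address by whether a CA's validator could ever reach it."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT:
        return "cgnat"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    if ip.is_global:
        return "public"
    return "reserved"


def resolve(hostname, resolver=socket.getaddrinfo):
    """A/AAAA addresses for hostname; resolver has socket.getaddrinfo's signature."""
    addrs = set()
    for family, _type, _proto, _canon, sockaddr in resolver(hostname, None):
        if family in (socket.AF_INET, socket.AF_INET6):
            addrs.add(sockaddr[0])
    return sorted(addrs)


def acme_reachability(hostname, resolver=socket.getaddrinfo):
    """Explain whether an http-01 / tls-alpn-01 validation from a public CA can reach hostname."""
    kinds = {a: classify(a) for a in resolve(hostname, resolver)}
    if not kinds:
        verdict = "no A/AAAA record"
    elif "public" in kinds.values():
        verdict = "public address; if validation still fails, check port 80/443 forwarding"
    elif "cgnat" in kinds.values():
        verdict = ("cgnat: inbound http-01/tls-alpn-01 cannot reach this host; "
                   "use dns-01 for the certificate and a tunnel or VPS for inbound traffic")
    else:
        verdict = "non-routable address: the record points inside the LAN"
    return {"addresses": kinds, "verdict": verdict}


# Constructed resolver table so the example runs offline. The first entry
# mirrors the address curl connected to in the thread above; the others are made up.
FAKE_TABLE = {
    "home.chewie.co.uk": ["100.77.138.223"],
    "nas.lan.example": ["192.168.0.10"],
    "example.invalid": [],
}


def fake_resolver(host, port):
    """Stand-in for socket.getaddrinfo returning the same tuple shape."""
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (a, port or 0))
            for a in FAKE_TABLE.get(host, [])]


if __name__ == "__main__":
    for name in FAKE_TABLE:
        print(name, acme_reachability(name, fake_resolver))
    # Against live DNS instead: acme_reachability("home.chewie.co.uk")
```

One caveat when running it against live DNS: it uses the local resolver, which may answer differently from the CA's (split-horizon DNS, or a router that rewrites the name to a LAN address), so run it from outside the network or query the public nameservers directly. If the result is `cgnat`, Caddy can still obtain the certificate with `dns-01` via the `tls { dns <provider> }` directive and the matching caddy-dns module; reaching the services from outside is then a separate problem, which is what the tunnel below solves.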

Thanks for the reply…

I do actually run Caddy as a service using NSSM. For the purpose of testing I was stopping and starting it manually to get the feedback.

The Let’s Debug result is odd. I did run it earlier in the day (I forgot to add this) and it ran successfully. I guess the new IP addresses I have been given on both WANs (different IPs on each) have this issue, since I was testing the Dynamic DNS with both.

If I change the Dynamic DNS to use the “internet IP” instead of the “WAN IP” then I get a different error…

I am not sure if that changes anything in regards to your second post about the CG-NAT? But it does 100% seem that both ISPs are using CG-NAT.

Thanks


So, I managed to solve this issue by using ngrok.com to create an HTTP tunnel on port 80 and then have Caddy listen on that port.

Steps are…

  1. Sign up to ngrok.com - if you use their pro plan you can use a custom domain.
  2. Make a new CNAME alias on your domain that points to the unique ngrok subdomain they assign you.
  3. Create an ngrok config file that creates that tunnel, e.g.
version: 2
authtoken: Your-Auth-Token
region: us
tunnels:
  media:
    proto: http
    hostname: remote.yourdomain.com
    addr: 127.0.0.1:80
  4. Edit the Caddyfile to listen on port 80, e.g.
:80 {
	encode gzip

	# https://radarr.media/
	reverse_proxy /radarr* 127.0.0.1:7878
}
  5. Start Caddy and it’ll fail with the SSL but still run.
  6. Start ngrok with ngrok start --all

You can then access the entries in caddy such as https://remote.yourdomain.com/radarr and it should load. Although, in my case I had to give it about 48 hours for the ngrok certificate to propagate so I didn’t get the browser warning.

Thanks again to @francislavoie for the initial help about the CG-NAT issues causing this :)

