No way to get SSL DuckDNS

1. The problem I’m having:

Hello Experts!
I use a reverse proxy to get HTTPS from a DuckDNS subdomain to my local servers.
Caddy + DuckDNS ran smoothly on W11 for a while, but it suddenly stopped working some days ago.

I don’t know what I’m supposed to do to make it work again:

  • tried multiple times renewing the certificate: KO
  • tried with the firewall deactivated: KO
  • updated to the latest Caddy version 2.7.6 + duckdns 0.4.0: KO
  • cleaned everything and restarted from scratch: KO
  • renewed my DuckDNS token: KO

I’m somehow out of options and lack the basic network knowledge to figure out what’s going on without your guidance. Thanks a lot for your help!

2. Error messages and/or full log output:

2024/03/21 23:35:08.453 INFO    using adjacent Caddyfile
2024/03/21 23:35:08.462 INFO    admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2024/03/21 23:35:08.462 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc00040a100"}
2024/03/21 23:35:08.462 INFO    http.auto_https server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS   {"server_name": "srv0", "https_port": 443}
2024/03/21 23:35:08.462 INFO    http.auto_https enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2024/03/21 23:35:08.462 DEBUG   http.auto_https adjusted config {"tls": {"automation":{"policies":[{"subjects":["site.myserver.duckdns.org"]},{}]}}, "http": {"servers":{"remaining_auto_https_redirects":{"listen":[":80"],"routes":[{},{}]},"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"127.0.0.1:8096"}]}]}]}],"terminal":true}],"tls_connection_policies":[{}],"automatic_https":{}}}}}
2024/03/21 23:35:08.462 INFO    http    enabling HTTP/3 listener        {"addr": ":443"}
2024/03/21 23:35:08.463 DEBUG   http    starting server loop    {"address": "[::]:443", "tls": true, "http3": true}
2024/03/21 23:35:08.463 INFO    http.log        server running  {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2024/03/21 23:35:08.463 DEBUG   http    starting server loop    {"address": "[::]:80", "tls": false, "http3": false}
2024/03/21 23:35:08.463 INFO    http.log        server running  {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2024/03/21 23:35:08.463 INFO    http    enabling automatic TLS certificate management   {"domains": ["site.myserver.duckdns.org"]}
2024/03/21 23:35:08.463 INFO    autosaved config (load with --resume flag)      {"file": "C:\\Users\\myself\\AppData\\Roaming\\Caddy\\autosave.json"}
2024/03/21 23:35:08.463 INFO    serving initial configuration
2024/03/21 23:35:08.463 WARN    tls     storage cleaning happened too recently; skipping for now        {"storage": "FileStorage:C:\\Users\\myself\\AppData\\Roaming\\Caddy", "instance": "4980a706-1e0b-4e3c-8848-d9811afd8c28", "try_again": "2024/03/22 23:35:08.463", "try_again_in": 86400}
2024/03/21 23:35:08.463 INFO    tls     finished cleaning storage units
2024/03/21 23:35:08.463 INFO    tls.obtain      acquiring lock  {"identifier": "site.myserver.duckdns.org"}
2024/03/21 23:35:08.463 INFO    tls.obtain      lock acquired   {"identifier": "site.myserver.duckdns.org"}
2024/03/21 23:35:08.463 INFO    tls.obtain      obtaining certificate   {"identifier": "site.myserver.duckdns.org"}
2024/03/21 23:35:08.463 DEBUG   events  event   {"name": "cert_obtaining", "id": "4a5e2dbf-9532-4a43-8284-c10a1dac0b4d", "origin": "tls", "data": {"identifier":"site.myserver.duckdns.org"}}
2024/03/21 23:35:08.473 DEBUG   tls.obtain      trying issuer 1/2       {"issuer": "acme-v02.api.letsencrypt.org-directory"}
2024/03/21 23:35:08.473 INFO    tls.issuance.acme       waiting on internal rate limiter        {"identifiers": ["site.myserver.duckdns.org"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2024/03/21 23:35:08.473 INFO    tls.issuance.acme       done waiting on internal rate limiter   {"identifiers": ["site.myserver.duckdns.org"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2024/03/21 23:35:08.986 DEBUG   tls.issuance.acme.acme_client   http request    {"method": "GET", "url": "https://acme-v02.api.letsencrypt.org/directory", "headers": {"User-Agent":["Caddy/2.7.6 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["752"],"Content-Type":["application/json"],"Date":["Thu, 21 Mar 2024 23:35:08 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2024/03/21 23:35:09.136 DEBUG   tls.issuance.acme.acme_client   http request    {"method": "HEAD", "url": "https://acme-v02.api.letsencrypt.org/acme/new-nonce", "headers": {"User-Agent":["Caddy/2.7.6 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Date":["Thu, 21 Mar 2024 23:35:08 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["m9Z1lv7vN_bFofkIUbkBAecy3mViL-zRvxqkT3kYM1CTOoqgIO0"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2024/03/21 23:35:09.324 DEBUG   tls.issuance.acme.acme_client   http request    {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/new-order", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Boulder-Requester":["1630967757"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["352"],"Content-Type":["application/json"],"Date":["Thu, 21 Mar 2024 23:35:08 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/order/1630967757/254301135887"],"Replay-Nonce":["Wej4SY7DGrm6NKF8V2eVnLnhoOoE7msB7cxgjiurAjtDuEKgDN8"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 201}
2024/03/21 23:35:09.497 DEBUG   tls.issuance.acme.acme_client   http request    {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/authz-v3/329112809947", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Boulder-Requester":["1630967757"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["810"],"Content-Type":["application/json"],"Date":["Thu, 21 Mar 2024 23:35:08 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["m9Z1lv7vqb0uIzbxEj29Ote3KPhvif9CfzylKHYl2c0VQPSoGWk"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2024/03/21 23:35:09.499 DEBUG   tls.issuance.acme.acme_client   no solver configured    {"challenge_type": "tls-alpn-01"}
2024/03/21 23:35:09.500 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "site.myserver.duckdns.org", "challenge_type": "dns-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2024/03/21 23:35:11.779 ERROR   tls.issuance.acme.acme_client   cleaning up solver      {"identifier": "site.myserver.duckdns.org", "challenge_type": "dns-01", "error": "no memory of presenting a DNS record for \"_acme-challenge.site.myserver.duckdns.org\" (usually OK if presenting also failed)"}
2024/03/21 23:35:11.942 DEBUG   tls.issuance.acme.acme_client   http request    {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/authz-v3/329112809947", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Boulder-Requester":["1630967757"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["814"],"Content-Type":["application/json"],"Date":["Thu, 21 Mar 2024 23:35:11 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["m9Z1lv7v_n8QbV-MTYvTd56YXfZLLIIxxd5zafeKrhjGDySzD1M"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2024/03/21 23:35:11.946 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "site.myserver.duckdns.org", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[site.myserver.duckdns.org] solving challenges: presenting for challenge: adding temporary record for zone \"duckdns.org.\": DuckDNS request failed, expected (OK) but got (KO), url: [https://www.duckdns.org/update?domains=myserver.duckdns.org&token=&txt=XInbkCERp4YndBeT3wAfenpKt3WBKw5ryFeBv5eFxd4&verbose=true], body: KO (order=https://acme-v02.api.letsencrypt.org/acme/order/1630967757/254301135887) (ca=https://acme-v02.api.letsencrypt.org/directory)"}

3. Caddy version:

Now under:
caddy version 2.7.6 + duckdns 0.4.0

4. How I installed and ran Caddy:

I downloaded windows amd64 version from caddyserver.com:
Download Caddy

a. System environment:

Windows 11 Family 23H2

b. Command:

simply execute from cmd:
caddy_windows_amd64_custom.exe run

c. Service/unit/compose file:

d. My complete Caddy config:

{
	debug
}

site.myserver.duckdns.org {
	reverse_proxy 127.0.0.1:8090
	tls {
		dns duckdns {env.MyToken0-0000-0000-0000-MyTokenEndSt}
	}
}

5. Links to relevant resources:

Not sure if this will help, but here are a few links that may have helpful information

  1. DNS Challenge with DuckDNS
  2. Automatic HTTPS — Caddy Documentation
  3. GitHub - caddy-dns/duckdns: Caddy module: dns.providers.duckdns
  4. Renewing certificate - Help - Let's Encrypt Community Support
  5. Troubles with DNS-01 challenge using DuckDNS

That looks weird. If you’re using {env.*}, this is a placeholder to be replaced with an environment variable. If you’re not using environment variables, your actual token should appear after dns duckdns with no additional formatting.


Thanks for your answer, I appreciate.
I did remove the “env.” (while keeping curly brackets), but it unfortunately did not change a thing.

OK,
Thanks to Francis (for pointing out the env.) and Bruce (for forcing me to RTFM),
I managed to make it work by removing the brackets and inverting the tls auth (not sure the last point changed anything):

site.myserver.duckdns.org {
	tls {
		dns duckdns MyToken0-0000-0000-0000-MyTokenEndSt
	}
	reverse_proxy 127.0.0.1:8090
}

Now challenge is accepted.
Thank you guys!

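The log line that gives the game away is the DuckDNS update URL in the `tls.obtain` error: it contains `token=` with nothing after it. Caddy expands `{...}` placeholders in the `dns duckdns <token>` argument before the module calls DuckDNS, and a `{env.NAME}` whose variable is not set (or any other placeholder Caddy does not know) expands to the empty string, so DuckDNS is asked to publish the `_acme-challenge` TXT record with no token and answers `KO`. The script below is an added example, not code from this thread, from Caddy or from the caddy-dns/duckdns module; it is a pre-flight check that mimics that expansion on a Caddyfile and rebuilds the same request URL the log shows, so you can see the empty token before starting Caddy. It assumes that the placeholder expansion shown here matches Caddy's (unknown placeholders become empty) and that DuckDNS tokens are UUID-shaped; the Caddyfile snippets and the token value are constructed samples. The earlier reply's point about `{env.*}` and the working config in this post are both covered: keeping `{env.DUCKDNS_TOKEN}` in the Caddyfile and setting the variable in the shell that launches Caddy keeps the token out of the config file, which is the safer of the two working forms.

```python
"""Pre-flight check for a Caddyfile that uses `dns duckdns <token>`.

Added example (not from the thread, Caddy, or caddy-dns/duckdns). It
reproduces the failure seen in the log: an unset or unknown placeholder
in the token argument expands to "", the DuckDNS request goes out with
`token=` and the API answers `KO`.
"""
import re
import urllib.request
from urllib.parse import urlencode

DUCKDNS_UPDATE = "https://www.duckdns.org/update"   # endpoint seen in the error log
PLACEHOLDER = re.compile(r"\{([^{}]+)\}")             # Caddy {placeholder} syntax
DNS_LINE = re.compile(r"^\s*dns\s+duckdns\s+(\S+)", re.MULTILINE)
# Assumption: DuckDNS tokens look like UUIDs (8-4-4-4-12 hex groups).
UUID_SHAPE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed sample token and Caddyfiles (placeholder values, not real).
TOKEN = "12345678-1234-1234-1234-123456789abc"
BROKEN = "site.myserver.duckdns.org {\n\ttls {\n\t\tdns duckdns {env.MyToken0-0000-0000-0000-MyTokenEndSt}\n\t}\n}\n"
BRACES = "site.myserver.duckdns.org {\n\ttls {\n\t\tdns duckdns {MyToken0-0000-0000-0000-MyTokenEndSt}\n\t}\n}\n"
FIXED = "site.myserver.duckdns.org {\n\ttls {\n\t\tdns duckdns {env.DUCKDNS_TOKEN}\n\t}\n}\n"


def expand_placeholders(value: str, env: dict) -> str:
    """Mimic Caddy's replace-all-with-"" behaviour (assumption, see docstring):
    {env.NAME} -> env[NAME] or "", any other {x} -> ""."""
    def sub(m):
        key = m.group(1)
        if key.startswith("env."):
            return env.get(key[len("env."):], "")
        return ""
    return PLACEHOLDER.sub(sub, value)


def resolve_token(caddyfile: str, env: dict) -> str:
    """Token Caddy would hand to the DuckDNS module after placeholder expansion."""
    m = DNS_LINE.search(caddyfile)
    if not m:
        raise ValueError("no 'dns duckdns <token>' line found")
    return expand_placeholders(m.group(1), env)


def diagnose(caddyfile: str, env: dict) -> list:
    """Return a list of problems; an empty list means the token looks usable."""
    try:
        token = resolve_token(caddyfile, env)
    except ValueError as e:
        return [str(e)]
    raw = DNS_LINE.search(caddyfile).group(1)
    if token == "":
        return [f"token argument {raw!r} expands to an empty string; "
                "DuckDNS will be called with 'token=' and answer KO"]
    if not UUID_SHAPE.match(token):
        return [f"token {token[:4]}... is not UUID-shaped; check for stray braces or quotes"]
    return []


def update_url(domain: str, token: str, txt: str) -> str:
    """Rebuild the request the module sends (same shape as the URL in the log).
    DuckDNS is addressed with the registered name, e.g. myserver.duckdns.org."""
    root = ".".join(domain.split(".")[-3:])
    return DUCKDNS_UPDATE + "?" + urlencode(
        {"domains": root, "token": token, "txt": txt, "verbose": "true"})


def live_check(url: str) -> bool:
    """Send the request for real; DuckDNS answers a body starting with OK or KO.
    Needs network, so it is not exercised by the offline checks."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode().strip().startswith("OK")


if __name__ == "__main__":
    # On Windows cmd, set the variable in the same session before `caddy run`:
    #   set DUCKDNS_TOKEN=<your token>
    for name, cf, env in (("broken", BROKEN, {}), ("braces", BRACES, {}),
                          ("fixed", FIXED, {"DUCKDNS_TOKEN": TOKEN})):
        print(name, diagnose(cf, env) or "token ok")
        print("   ", update_url("site.myserver.duckdns.org",
                                resolve_token(cf, env), "challenge-value"))
```

Run it with no `DUCKDNS_TOKEN` in the environment and the `broken` and `braces` cases print a URL with a bare `token=`, exactly as in the log; set the variable and the `fixed` case prints a usable URL. If the token expands correctly but DuckDNS still answers `KO`, pass that URL to `live_check` (or paste it into a browser) to confirm the token is still valid for that subdomain.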
