1. The problem I’m having:
Hi. I am trying to set up a WP Network and use Caddy as the web server. I am not able to generate a TLS certificate for the primary domain of the WP Network.
2. Error messages and/or full log output:
systemctl status caddy.service:

```
● caddy.service - Caddy
     Loaded: loaded (/etc/systemd/system/caddy.service; enabled; preset: enabled)
     Active: active (running) since Mon 2023-05-15 13:06:01 IST; 3min 42s ago
       Docs: https://caddyserver.com/docs/
   Main PID: 32100 (caddy)
      Tasks: 11 (limit: 7064)
     Memory: 15.1M
        CPU: 215ms
     CGroup: /system.slice/caddy.service
             └─32100 /usr/bin/caddy run --environ --config /etc/caddy/Caddyfile

May 15 13:09:35 GreenCloud.1669629768 caddy[32100]: {"level":"debug","ts":1684136375.2817886,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/newOrder","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["272"],"Content-Type":["application/json"],"Date":["Mon, 15 May 2023 07:39:35 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/t_7bedyXMYB8jDmliLH5bw"],"Replay-Nonce":["PJzuBRD6vn6ZfgMJBqDhl3rc2bJFmmjOXqcLhwFxY2k"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":201}
May 15 13:09:35 GreenCloud.1669629768 caddy[32100]: {"level":"debug","ts":1684136375.4625182,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/R1o9ppRF1PyJ8conm5BnkA","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["440"],"Content-Type":["application/json"],"Date":["Mon, 15 May 2023 07:39:35 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["2_JLc1B32Xh4NTZ0ebAmzd_uOXGLrA-E2n_hjw5x59w"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
May 15 13:09:35 GreenCloud.1669629768 caddy[32100]: {"level":"info","ts":1684136375.4628336,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"weblin.dev","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
May 15 13:09:35 GreenCloud.1669629768 caddy[32100]: {"level":"debug","ts":1684136375.5688963,"logger":"http.stdlib","msg":"http: TLS handshake error from 2.58.57.54:39524: EOF"}
May 15 13:09:36 GreenCloud.1669629768 caddy[32100]: {"level":"error","ts":1684136376.146983,"logger":"http.acme_client","msg":"cleaning up solver","identifier":"weblin.dev","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.weblin.dev\" (usually OK if presenting also failed)"}
May 15 13:09:36 GreenCloud.1669629768 caddy[32100]: {"level":"debug","ts":1684136376.253052,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/R1o9ppRF1PyJ8conm5BnkA","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["122"],"Content-Type":["application/json"],"Date":["Mon, 15 May 2023 07:39:36 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["alAMAlThtmWdCgXeTKtqB2CQ7ikH_OrBOUy-v_9bitI"],"Retry-After":["86400"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
May 15 13:09:36 GreenCloud.1669629768 caddy[32100]: {"level":"error","ts":1684136376.2532098,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"weblin.dev","issuer":"acme.zerossl.com-v2-DV90","error":"[weblin.dev] solving challenges: presenting for challenge: adding temporary record for zone \"weblin.dev.\": got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme.zerossl.com/v2/DV90/order/t_7bedyXMYB8jDmliLH5bw) (ca=https://acme.zerossl.com/v2/DV90)"}
May 15 13:09:36 GreenCloud.1669629768 caddy[32100]: {"level":"debug","ts":1684136376.2532947,"logger":"events","msg":"event","name":"cert_failed","id":"f52dafeb-a5c0-4c78-a421-1e7fa276d6d1","origin":"tls","data":{"error":{},"identifier":"weblin.dev","issuers":["acme-v02.api.letsencrypt.org-directory","acme.zerossl.com-v2-DV90"],"renewal":false}}
May 15 13:09:36 GreenCloud.1669629768 caddy[32100]: {"level":"error","ts":1684136376.2533288,"logger":"tls.obtain","msg":"will retry","error":"[weblin.dev] Obtain: [weblin.dev] solving challenges: presenting for challenge: adding temporary record for zone \"weblin.dev.\": got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme.zerossl.com/v2/DV90/order/t_7bedyXMYB8jDmliLH5bw) (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":4.390968123,"max_duration":2592000}
May 15 13:09:40 GreenCloud.1669629768 caddy[32100]: {"level":"debug","ts":1684136380.569087,"logger":"http.stdlib","msg":"http: TLS handshake error from 2.58.57.54:39534: EOF"}
```
3. Caddy version:
```
v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=
```
4. How I installed and ran Caddy:
- Downloaded the caddy binary, built with the cloudflare module, from your website: https://caddyserver.com/api/download?os=linux&arch=amd64&p=github.com%2Fcaddy-dns%2Fcloudflare
- Moved it to /usr/bin/caddy with executable permission.
- Copied the custom caddy.service file to /etc/systemd/system/
- Copied the Caddyfile to /etc/caddy/
- Added the cloudflare auth token to the environment file (~/.bashrc): `export CLOUDFLARE_AUTH_TOKEN=redacted`
- Created the www directory and /var/lib/caddy/ with appropriate permissions, owner and group being www-data.
- Started the Caddy service and enabled it.
a. System environment:
OS: Debian 12 (Bookworm)
Architecture: x86-64
systemd. Not using docker.
b. Command:
c. Service/unit/compose file:
```
# caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=www-data
Group=www-data
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateDevices=yes
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE
Restart=always

[Install]
WantedBy=multi-user.target
```
d. My complete Caddy config:
```
{
	storage file_system /var/lib/caddy
	admin off
	email redacted
	acme_dns cloudflare {env.CLOUDFLARE_AUTH_TOKEN}
	on_demand_tls {
		interval 2m
		burst 5
	}
}

https:// {
	tls {
		on_demand
	}

	root * /var/www/html/htdocs/
	php_fastcgi unix//run/php/php-fpm.sock
	file_server {
		precompressed br
	}
	encode gzip

	header {
		-Server
		Cache-Control "max-age=14400"
		Referrer-Policy "strict-origin-when-cross-origin"
		Permissions-Policy "interest-cohort=()"
		Content-Security-Policy "default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none'"
		X-Content-Type-Options "nosniff"
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
	}

	@cache {
		not header_regexp Cookie "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_logged_in"
		not path_regexp "(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php|wp-.*.php|/feed/|index.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(index)?.xml|[a-z0-9-]+-sitemap([0-9]+)?.xml)"
		not method POST
		not expression {query} != ''
	}
	route @cache {
		try_files /wp-content/cache/cache-enabler/{host}{uri}/https-index.html /wp-content/cache/cache-enabler/{host}{uri}/index.html {path} {path}/index.php?{query}
	}

	@disallowed {
		path /xmlrpc.php
		path *.sql
		path *.zip
		path *.tar
		path *.bak
		path /wp-content/uploads/*.php
	}
	rewrite @disallowed '/index.php'
}
```
5. Links to relevant resources:
Cloudflare token permissions:
UFW Firewall Rules:
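A pre-flight check for the setup described in this post, added here as an example; it is not code from the post or from the Caddy project. It rests on two facts: systemd starts `User=www-data` without a login shell, so a variable exported in `~/.bashrc` never reaches the service and `{env.CLOUDFLARE_AUTH_TOKEN}` expands to an empty string; and a `tls { on_demand }` block with no `ask` endpoint under `on_demand_tls` lets any name that resolves to this host trigger certificate issuance. The env-file path `/etc/caddy/caddy.env` and the drop-in name are assumptions, and whether an empty token is what produced the Cloudflare `6003 Invalid request headers` response is something the script lets you confirm rather than a fact the post states.

```shell
#!/bin/sh
# Pre-flight check for a Caddy + cloudflare DNS-challenge deployment.
# Added example, not from the original post. Assumed paths: the systemd
# EnvironmentFile (e.g. /etc/caddy/caddy.env) and the Caddyfile.

# Return 0 if VAR is set to a non-empty value in the EnvironmentFile-style
# file FILE (one VAR=value per line), else 1. This is the file systemd reads
# for the unit; ~/.bashrc is never consulted for a Type=notify service.
envfile_has_var() {
    file=$1
    var=$2
    [ -r "$file" ] || return 1
    grep -Eq "^[[:space:]]*${var}=.+" "$file"
}

# Print the systemd drop-in that makes the unit load FILE. Install it as
# /etc/systemd/system/caddy.service.d/override.conf (assumed name).
render_dropin() {
    printf '[Service]\nEnvironmentFile=%s\n' "$1"
}

# Return 0 if the Caddyfile enables on-demand TLS but sets no `ask`
# endpoint, i.e. issuance is gated only by the interval/burst limits.
ondemand_without_ask() {
    grep -Eq '^[[:space:]]*on_demand[[:space:]]*$' "$1" \
        && ! grep -Eq '^[[:space:]]*ask[[:space:]]' "$1"
}

# Run every check; return 1 if the token is missing, 0 otherwise.
# The on-demand finding is a warning only, so it does not change the rc.
preflight() {
    envfile=$1
    caddyfile=$2
    rc=0
    if envfile_has_var "$envfile" CLOUDFLARE_AUTH_TOKEN; then
        echo "ok: CLOUDFLARE_AUTH_TOKEN is set in $envfile"
    else
        echo "missing: CLOUDFLARE_AUTH_TOKEN not found in $envfile"
        echo "add it there (chmod 0600, owned by root) and install this drop-in:"
        render_dropin "$envfile"
        rc=1
    fi
    if ondemand_without_ask "$caddyfile"; then
        echo "warn: on_demand TLS in $caddyfile has no 'ask' endpoint;" \
             "any hostname pointed at this server can request a certificate"
    fi
    return $rc
}

# Usage on the host (assumed paths):
#   preflight /etc/caddy/caddy.env /etc/caddy/Caddyfile
```

After installing the drop-in, run `systemctl daemon-reload` and restart the unit. Because the pasted unit starts Caddy with `--environ`, Caddy prints its environment to the journal at startup, so `journalctl -u caddy` shows directly whether `CLOUDFLARE_AUTH_TOKEN` reached the process; note that this also writes the token value into the journal, so drop `--environ` once the variable is confirmed.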