Not getting SSL certificate for a domain

1. The problem I’m having:

My server has hundreds of domains served by Caddy; most of them are working with the same container. But while trying to generate new SSL certificates for a few domains I am not getting any response from the server. Here is the response for curl -vL:

```
* Trying _IP_:80...
* Connected to my_domain.com (_IP_) port 80 (#0)
> GET / HTTP/1.1
> Host: my_domain.com
> User-Agent: curl/7.87.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://my_domain.com/
< Server: Caddy
< Date: Mon, 25 Sep 2023 07:47:26 GMT
< Content-Length: 0
<
* Closing connection 0
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://my_domain.com/'
* Trying _IP_:443...
* Connected to my_domain.com (_IP_) port 443 (#1)
* ALPN: offers h2
* ALPN: offers http/1.1
* CAfile: /etc/ssl/cert.pem
* CApath: none
* [CONN-1-0][CF-SSL] (304) (OUT), TLS handshake, Client hello (1):
* LibreSSL/3.3.6: error:1404B438:SSL routines:ST_CONNECT:tlsv1 alert internal error
* Closing connection 1
curl: (35) LibreSSL/3.3.6: error:1404B438:SSL routines:ST_CONNECT:tlsv1 alert internal error
```

2. Error messages and/or full log output:


September 25, 2023 at 13:17 (UTC+6:00) {"level":"error","ts":1695626275.7299428,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"my_domain.com","issuer":"acme.zerossl.com-v2-DV90","error":"HTTP 0 - "} AWS_Container_Name

September 25, 2023 at 13:17 (UTC+6:00) {"level":"error","ts":1695626275.729994,"logger":"tls.obtain","msg":"will retry","error":"[my_domain.com] Obtain: [my_domain.com] solving challenge: my_domain.com: [my_domain.com] authorization failed: HTTP 0 - (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":8.357221408,"max_duration":2592000} AWS_Container_Name

September 25, 2023 at 13:17 (UTC+6:00) {"level":"error","ts":1695626275.7298734,"logger":"http.acme_client","msg":"challenge failed","identifier":"my_domain.com","challenge_type":"http-01","problem":{"type":"","title":"","detail":"","instance":"","subproblems":[]}} AWS_Container_Name

September 25, 2023 at 13:17 (UTC+6:00) {"level":"error","ts":1695626275.729901,"logger":"http.acme_client","msg":"validating authorization","identifier":"my_domain.com","problem":{"type":"","title":"","detail":"","instance":"","subproblems":[]},"order":"https://acme.zerossl.com/v2/DV90/order/XQpE7GvsQYeHSks9Ewbv0Q","attempt":1,"max_attempts":3} AWS_Container_Name

September 25, 2023 at 13:17 (UTC+6:00) {"level":"info","ts":1695626269.0301588,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"my_domain.com","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"} AWS_Container_Name

September 25, 2023 at 13:17 (UTC+6:00) {"level":"info","ts":1695626267.46211,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["my_domain.com"],"ca":"https://acme.zerossl.com/v2/DV90","account":"ssl@dorik.io"} AWS_Container_Name

September 25, 2023 at 13:17 (UTC+6:00) {"level":"info","ts":1695626267.462128,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["my_domain.com"],"ca":"https://acme.zerossl.com/v2/DV90","account":"ssl@dorik.io"} AWS_Container_Name

September 25, 2023 at 13:17 (UTC+6:00) {"level":"error","ts":1695626267.4598653,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"my_domain.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new order :: too many new orders recently: see https://letsencrypt.org/docs/rate-limits/"} AWS_Container_Name

September 25, 2023 at 13:17 (UTC+6:00) {"level":"info","ts":1695626267.3751533,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["my_domain.com"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"ssl@dorik.io"} AWS_Container_Name

September 25, 2023 at 13:17 (UTC+6:00) {"level":"info","ts":1695626267.3751729,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["my_domain.com"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"ssl@dorik.io"} AWS_Container_Name

September 25, 2023 at 13:17 (UTC+6:00) {"level":"info","ts":1695626267.3727584,"logger":"tls.obtain","msg":"lock acquired","identifier":"my_domain.com"} AWS_Container_Name

September 25, 2023 at 13:17 (UTC+6:00) {"level":"info","ts":1695626267.3729002,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"my_domain.com"} AWS_Container_Name

September 25, 2023 at 13:17 (UTC+6:00) {"level":"info","ts":1695626267.3644357,"logger":"tls.obtain","msg":"acquiring lock","identifier":"my_domain.com"} AWS_Container_Name

September 25, 2023 at 13:17 (UTC+6:00) {"level":"info","ts":1695626267.348337,"logger":"tls.on_demand","msg":"obtaining new certificate","remote_ip":"172.31.11.23","remote_port":"60635","server_name":"my_domain.com"} AWS_Container_Name

September 25, 2023 at 13:13 (UTC+6:00) {"level":"info","ts":1695626023.3740292,"logger":"tls.obtain","msg":"releasing lock","identifier":"my_domain.com"} AWS_Container_Name

September 25, 2023 at 13:12 (UTC+6:00) {"level":"error","ts":1695625932.3429382,"logger":"http.acme_client","msg":"challenge failed","identifier":"my_domain.com","challenge_type":"http-01","problem":{"type":"","title":"","detail":"","instance":"","subproblems":[]}} AWS_Container_Name

September 25, 2023 at 13:12 (UTC+6:00) {"level":"error","ts":1695625932.34297,"logger":"http.acme_client","msg":"validating authorization","identifier":"my_domain.com","problem":{"type":"","title":"","detail":"","instance":"","subproblems":[]},"order":"https://acme.zerossl.com/v2/DV90/order/reyhwvQajuumtYsfu75HVQ","attempt":1,"max_attempts":3} AWS_Container_Name

September 25, 2023 at 13:12 (UTC+6:00) {"level":"error","ts":1695625932.3430219,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"my_domain.com","issuer":"acme.zerossl.com-v2-DV90","error":"HTTP 0 - "} AWS_Container_Name

September 25, 2023 at 13:12 (UTC+6:00) {"level":"error","ts":1695625932.3430552,"logger":"tls.obtain","msg":"will retry","error":"[my_domain.com] Obtain: [my_domain.com] solving challenge: my_domain.com: [my_domain.com] authorization failed: HTTP 0 - (ca=https://acme.zerossl.com/v2/DV90)","attempt":2,"retrying_in":120,"elapsed":88.94668508,"max_duration":2592000} AWS_Container_Name

September 25, 2023 at 13:12 (UTC+6:00) {"level":"info","ts":1695625926.1257765,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"my_domain.com","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"} AWS_Container_Name

September 25, 2023 at 13:12 (UTC+6:00) {"level":"error","ts":1695625923.5119567,"logger":"http.acme_client","msg":"validating authorization","identifier":"my_domain.com","problem":{"type":"urn:ietf:params:acme:error:tls","title":"","detail":"2607:f1c0:100f:f000::200: remote error: tls: internal error","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/119620704/11158728244","attempt":2,"max_attempts":3} AWS_Container_Name

September 25, 2023 at 13:12 (UTC+6:00) {"level":"error","ts":1695625923.5120888,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"my_domain.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:tls - 2607:f1c0:100f:f000::200: remote error: tls: internal error"} AWS_Container_Name

September 25, 2023 at 13:12 (UTC+6:00) {"level":"error","ts":1695625923.5119298,"logger":"http.acme_client","msg":"challenge failed","identifier":"my_domain.com","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:tls","title":"","detail":"2607:f1c0:100f:f000::200: remote error: tls: internal error","instance":"","subproblems":[]}} AWS_Container_Name

September 25, 2023 at 13:12 (UTC+6:00) {"level":"info","ts":1695625923.1251845,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"my_domain.com","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"} AWS_Container_Name

September 25, 2023 at 13:12 (UTC+6:00) {"level":"error","ts":1695625921.9704664,"logger":"http.acme_client","msg":"challenge failed","identifier":"my_domain.com","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"During secondary validation: 2607:f1c0:100f:f000::200: Invalid response from http://my_domain.com/.well-known/acme-challenge/TiJ3R2G9qmSa5MrWO6nrb326bR6CclMA2ctvOlun50o: 204","instance":"","subproblems":[]}} AWS_Container_Name

September 25, 2023 at 13:12 (UTC+6:00) {"level":"error","ts":1695625921.9705007,"logger":"http.acme_client","msg":"validating authorization","identifier":"my_domain.com","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"During secondary validation: 2607:f1c0:100f:f000::200: Invalid response from http://my_domain.com/.well-known/acme-challenge/TiJ3R2G9qmSa5MrWO6nrb326bR6CclMA2ctvOlun50o: 204","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/119620704/11158725734","attempt":1,"max_attempts":3} AWS_Container_Name

September 25, 2023 at 13:12 (UTC+6:00) {"level":"info","ts":1695625921.5665612,"logger":"http","msg":"served key authentication","identifier":"my_domain.com","challenge":"http-01","remote":"172.31.11.23:35873","distributed":false} AWS_Container_Name

September 25, 2023 at 13:11 (UTC+6:00) {"level":"info","ts":1695625911.3410606,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"my_domain.com","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"} AWS_Container_Name

September 25, 2023 at 13:11 (UTC+6:00) {"level":"info","ts":1695625911.097326,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"my_domain.com"} AWS_Container_Name

September 25, 2023 at 13:10 (UTC+6:00) {"level":"error","ts":1695625851.0967505,"logger":"http.acme_client","msg":"challenge failed","identifier":"my_domain.com","challenge_type":"http-01","problem":{"type":"","title":"","detail":"","instance":"","subproblems":[]}} AWS_Container_Name

September 25, 2023 at 13:10 (UTC+6:00) {"level":"error","ts":1695625851.0967743,"logger":"http.acme_client","msg":"validating authorization","identifier":"my_domain.com","problem":{"type":"","title":"","detail":"","instance":"","subproblems":[]},"order":"https://acme.zerossl.com/v2/DV90/order/KApu-vTHvh03xlYQUjeBMA","attempt":1,"max_attempts":3} AWS_Container_Name

September 25, 2023 at 13:10 (UTC+6:00) {"level":"error","ts":1695625851.0968137,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"my_domain.com","issuer":"acme.zerossl.com-v2-DV90","error":"HTTP 0 - "} AWS_Container_Name

September 25, 2023 at 13:10 (UTC+6:00) {"level":"error","ts":1695625851.096843,"logger":"tls.obtain","msg":"will retry","error":"[my_domain.com] Obtain: [my_domain.com] solving challenge: my_domain.com: [my_domain.com] authorization failed: HTTP 0 - (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":7.700472476,"max_duration":2592000} AWS_Container_Name

September 25, 2023 at 13:10 (UTC+6:00) {"level":"info","ts":1695625844.4842079,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"my_domain.com","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"} AWS_Container_Name

September 25, 2023 at 13:10 (UTC+6:00) {"level":"info","ts":1695625843.4867053,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["my_domain.com"],"ca":"https://acme.zerossl.com/v2/DV90","account":"ssl@dorik.io"} AWS_Container_Name

September 25, 2023 at 13:10 (UTC+6:00) {"level":"info","ts":1695625843.4867234,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["my_domain.com"],"ca":"https://acme.zerossl.com/v2/DV90","account":"ssl@dorik.io"} AWS_Container_Name

September 25, 2023 at 13:10 (UTC+6:00) {"level":"error","ts":1695625843.4845135,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"my_domain.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new order :: too many new orders recently: see https://letsencrypt.org/docs/rate-limits/"} AWS_Container_Name

September 25, 2023 at 13:10 (UTC+6:00) {"level":"info","ts":1695625843.3988261,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["my_domain.com"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"ssl@dorik.io"} AWS_Container_Name

September 25, 2023 at 13:10 (UTC+6:00) {"level":"info","ts":1695625843.3988464,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["my_domain.com"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"ssl@dorik.io"} AWS_Container_Name

September 25, 2023 at 13:10 (UTC+6:00) {"level":"info","ts":1695625843.3963556,"logger":"tls.obtain","msg":"lock acquired","identifier":"my_domain.com"} AWS_Container_Name

September 25, 2023 at 13:10 (UTC+6:00) {"level":"info","ts":1695625843.3965535,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"my_domain.com"} AWS_Container_Name

September 25, 2023 at 13:10 (UTC+6:00) {"level":"info","ts":1695625843.3885856,"logger":"tls.obtain","msg":"acquiring lock","identifier":"my_domain.com"} AWS_Container_Name

September 25, 2023 at 13:10 (UTC+6:00) {"level":"info","ts":1695625843.3737776,"logger":"tls.on_demand","msg":"obtaining new certificate","remote_ip":"172.31.11.23","remote_port":"50096","server_name":"my_domain.com"} AWS_Container_Name

September 25, 2023 at 13:10 (UTC+6:00) {"level":"info","ts":1695625841.5974255,"logger":"tls.obtain","msg":"releasing lock","identifier":"my_domain.com"} AWS_Container_Name

September 25, 2023 at 13:09 (UTC+6:00) {"level":"error","ts":1695625759.8352935,"logger":"http.acme_client","msg":"challenge failed","identifier":"my_domain.com","challenge_type":"http-01","problem":{"type":"","title":"","detail":"","instance":"","subproblems":[]}} AWS_Container_Name

September 25, 2023 at 13:09 (UTC+6:00) {"level":"error","ts":1695625759.8353305,"logger":"http.acme_client","msg":"validating authorization","identifier":"my_domain.com","problem":{"type":"","title":"","detail":"","instance":"","subproblems":[]},"order":"https://acme.zerossl.com/v2/DV90/order/087m1WlVtaV_jOImnCsl4g","attempt":1,"max_attempts":3} AWS_Container_Name

September 25, 2023 at 13:09 (UTC+6:00) {"level":"error","ts":1695625759.8353527,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"my_domain.com","issuer":"acme.zerossl.com-v2-DV90","error":"HTTP 0 - "} AWS_Container_Name

September 25, 2023 at 13:09 (UTC+6:00) {"level":"error","ts":1695625759.8354037,"logger":"tls.obtain","msg":"will retry","error":"[my_domain.com] Obtain: [my_domain.com] solving challenge: my_domain.com: [my_domain.com] authorization failed: HTTP 0 - (ca=https://acme.zerossl.com/v2/DV90)","attempt":2,"retrying_in":120,"elapsed":98.216991917,"max_duration":2592000} AWS_Container_Name

September 25, 2023 at 13:09 (UTC+6:00) {"level":"info","ts":1695625753.1223297,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"my_domain.com","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"} AWS_Container_Name

September 25, 2023 at 13:09 (UTC+6:00) {"level":"error","ts":1695625751.6174326,"logger":"http.acme_client","msg":"challenge failed","identifier":"my_domain.com","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"2607:f1c0:100f:f000::200: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]}} AWS_Container_Name

September 25, 2023 at 13:09 (UTC+6:00) {"level":"error","ts":1695625751.617463,"logger":"http.acme_client","msg":"validating authorization","identifier":"my_domain.com","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"2607:f1c0:100f:f000::200: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/119620704/11158680554","attempt":2,"max_attempts":3} AWS_Container_Name

September 25, 2023 at 13:09 (UTC+6:00) {"level":"error","ts":1695625751.6175275,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"my_domain.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:connection - 2607:f1c0:100f:f000::200: Timeout during connect (likely firewall problem)"} AWS_Container_Name

September 25, 2023 at 13:09 (UTC+6:00) {"level":"info","ts":1695625741.3400323,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"my_domain.com","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"} AWS_Container_Name

September 25, 2023 at 13:09 (UTC+6:00) {"level":"error","ts":1695625740.199508,"logger":"http.acme_client","msg":"challenge failed","identifier":"my_domain.com","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"During secondary validation: 2607:f1c0:100f:f000::200: Invalid response from http://my_domain.com/.well-known/acme-challenge/aDFO0CVSHSbE1V0idaYDbsYmPlosQjmSxvKztnpFGeA: 204","instance":"","subproblems":[]}} AWS_Container_Name

September 25, 2023 at 13:09 (UTC+6:00) {"level":"error","ts":1695625740.1995387,"logger":"http.acme_client","msg":"validating authorization","identifier":"my_domain.com","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"During secondary validation: 2607:f1c0:100f:f000::200: Invalid response from http://my_domain.com/.well-known/acme-challenge/aDFO0CVSHSbE1V0idaYDbsYmPlosQjmSxvKztnpFGeA: 204","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/119620704/11158678304","attempt":1,"max_attempts":3} AWS_Container_Name

September 25, 2023 at 13:08 (UTC+6:00) {"level":"info","ts":1695625739.8922217,"logger":"http","msg":"served key authentication","identifier":"my_domain.com","challenge":"http-01","remote":"172.31.11.23:22232","distributed":false} AWS_Container_Name

September 25, 2023 at 13:08 (UTC+6:00) {"level":"info","ts":1695625729.620095,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"my_domain.com","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"} AWS_Container_Name

September 25, 2023 at 13:08 (UTC+6:00) {"level":"info","ts":1695625729.4015415,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"my_domain.com"} AWS_Container_Name

September 25, 2023 at 13:07 (UTC+6:00) {"level":"error","ts":1695625669.4008195,"logger":"http.acme_client","msg":"challenge failed","identifier":"my_domain.com","challenge_type":"http-01","problem":{"type":"","title":"","detail":"","instance":"","subproblems":[]}} AWS_Container_Name

September 25, 2023 at 13:07 (UTC+6:00) {"level":"error","ts":1695625669.400846,"logger":"http.acme_client","msg":"validating authorization","identifier":"my_domain.com","problem":{"type":"","title":"","detail":"","instance":"","subproblems":[]},"order":"https://acme.zerossl.com/v2/DV90/order/k4DR5txzMubUau1lG_J9cg","attempt":1,"max_attempts":3} AWS_Container_Name

September 25, 2023 at 13:07 (UTC+6:00) {"level":"error","ts":1695625669.4008863,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"my_domain.com","issuer":"acme.zerossl.com-v2-DV90","error":"HTTP 0 - "} AWS_Container_Name

September 25, 2023 at 13:07 (UTC+6:00) {"level":"error","ts":1695625669.4009566,"logger":"tls.obtain","msg":"will retry","error":"[my_domain.com] Obtain: [my_domain.com] solving challenge: my_domain.com: [my_domain.com] authorization failed: HTTP 0 - (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":7.782545341,"max_duration":2592000} AWS_Container_Name

September 25, 2023 at 13:07 (UTC+6:00) {"level":"info","ts":1695625662.836062,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"my_domain.com","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"} AWS_Container_Name

September 25, 2023 at 13:07 (UTC+6:00) {"level":"info","ts":1695625661.7310488,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["my_domain.com"],"ca":"https://acme.zerossl.com/v2/DV90","account":"ssl@dorik.io"} AWS_Container_Name

September 25, 2023 at 13:07 (UTC+6:00) {"level":"info","ts":1695625661.731068,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["my_domain.com"],"ca":"https://acme.zerossl.com/v2/DV90","account":"ssl@dorik.io"} AWS_Container_Name

September 25, 2023 at 13:07 (UTC+6:00) {"level":"error","ts":1695625661.7287855,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"my_domain.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new order :: too many new orders recently: see https://letsencrypt.org/docs/rate-limits/"} AWS_Container_Name

September 25, 2023 at 13:07 (UTC+6:00) {"level":"info","ts":1695625661.6207051,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["my_domain.com"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"ssl@dorik.io"} AWS_Container_Name

September 25, 2023 at 13:07 (UTC+6:00) {"level":"info","ts":1695625661.6207237,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["my_domain.com"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"ssl@dorik.io"} AWS_Container_Name

September 25, 2023 at 13:07 (UTC+6:00) {"level":"info","ts":1695625661.618398,"logger":"tls.obtain","msg":"lock acquired","identifier":"my_domain.com"} AWS_Container_Name

September 25, 2023 at 13:07 (UTC+6:00) {"level":"info","ts":1695625661.6185513,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"my_domain.com"} AWS_Container_Name

September 25, 2023 at 13:07 (UTC+6:00) {"level":"info","ts":1695625661.6101143,"logger":"tls.obtain","msg":"acquiring lock","identifier":"my_domain.com"} AWS_Container_Name

September 25, 2023 at 13:07 (UTC+6:00) {"level":"info","ts":1695625661.5966525,"logger":"tls.on_demand","msg":"obtaining new certificate","remote_ip":"172.31.11.23","remote_port":"30104","server_name":"my_domain.com"} AWS_Container_Name

September 25, 2023 at 13:07 (UTC+6:00) {"level":"info","ts":1695625660.9201775,"logger":"tls.obtain","msg":"releasing lock","identifier":"my_domain.com"} AWS_Container_Name

September 25, 2023 at 13:06 (UTC+6:00) {"level":"error","ts":1695625568.7546008,"logger":"http.acme_client","msg":"challenge failed","identifier":"my_domain.com","challenge_type":"http-01","problem":{"type":"","title":"","detail":"","instance":"","subproblems":[]}} AWS_Container_Name

September 25, 2023 at 13:06 (UTC+6:00) {"level":"error","ts":1695625568.7546287,"logger":"http.acme_client","msg":"validating authorization","identifier":"my_domain.com","problem":{"type":"","title":"","detail":"","instance":"","subproblems":[]},"order":"https://acme.zerossl.com/v2/DV90/order/dpXXo69nMz7AYkVNss7aSw","attempt":1,"max_attempts":3} AWS_Container_Name

September 25, 2023 at 13:06 (UTC+6:00) {"level":"error","ts":1695625568.7546508,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"my_domain.com","issuer":"acme.zerossl.com-v2-DV90","error":"HTTP 0 - "} AWS_Container_Name

September 25, 2023 at 13:06 (UTC+6:00) {"level":"error","ts":1695625568.7546806,"logger":"tls.obtain","msg":"will retry","error":"[my_domain.com] Obtain: [my_domain.com] solving challenge: my_domain.com: [my_domain.com] authorization failed: HTTP 0 - (ca=https://acme.zerossl.com/v2/DV90)","attempt":2,"retrying_in":120,"elapsed":87.812552467,"max_duration":2592000} AWS_Container_Name

September 25, 2023 at 13:06 (UTC+6:00) {"level":"info","ts":1695625562.1225314,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"my_domain.com","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"} AWS_Container_Name

September 25, 2023 at 13:06 (UTC+6:00) {"level":"error","ts":1695625560.891384,"logger":"http.acme_client","msg":"challenge failed","identifier":"my_domain.com","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"2607:f1c0:100f:f000::200: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]}} AWS_Container_Name

September 25, 2023 at 13:06 (UTC+6:00) {"level":"error","ts":1695625560.891419,"logger":"http.acme_client","msg":"validating authorization","identifier":"my_domain.com","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"2607:f1c0:100f:f000::200: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/119620704/11158622824","attempt":2,"max_attempts":3} AWS_Container_Name

September 25, 2023 at 13:06 (UTC+6:00) {"level":"error","ts":1695625560.89156,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"my_domain.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:connection - 2607:f1c0:100f:f000::200: Timeout during connect (likely firewall problem)"} AWS_Container_Name

September 25, 2023 at 13:05 (UTC+6:00) {"level":"info","ts":1695625550.559079,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"my_domain.com","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"} AWS_Container_Name

September 25, 2023 at 13:05 (UTC+6:00) {"level":"error","ts":1695625549.4018588,"logger":"http.acme_client","msg":"challenge failed","identifier":"my_domain.com","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"2607:f1c0:100f:f000::200: Invalid response from http://my_domain.com/.well-known/acme-challenge/dsbglY0FyghFwJ7pehrL0N69GyoEvzCWaGUqZoqbe-A: 204","instance":"","subproblems":[]}} AWS_Container_Name

September 25, 2023 at 13:05 (UTC+6:00) {"level":"error","ts":1695625549.4018843,"logger":"http.acme_client","msg":"validating authorization","identifier":"my_domain.com","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"2607:f1c0:100f:f000::200: Invalid response from http://my_domain.com/.well-known/acme-challenge/dsbglY0FyghFwJ7pehrL0N69GyoEvzCWaGUqZoqbe-A: 204","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/119620704/11158622194","attempt":1,"max_attempts":3} AWS_Container_Name

September 25, 2023 at 13:05 (UTC+6:00) {"level":"info","ts":1695625548.7095897,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"my_domain.com","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"} AWS_Container_Name

September 25, 2023 at 13:05 (UTC+6:00) {"level":"info","ts":1695625548.499928,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"my_domain.com"} AWS_Container_Name

September 25, 2023 at 13:05 (UTC+6:00) {"level":"error","ts":1695625513.1203272,"logger":"http","msg":"looking up info for HTTP challenge","host":"my_domain.com","remote_addr":"172.31.11.23:24794","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36","error":"no information found to solve challenge for identifier: my_domain.com"}

3. Caddy version:

caddy:2.7.4

4. How I installed and ran Caddy:

a. System environment:

Using Docker I built an image, then ran that image on AWS ECS (Fargate).

b. Command:

Running my image runs Caddy.


c. Service/unit/compose file:

Dockerfile

```
FROM caddy:2.7.4
COPY Caddyfile /etc/caddy/Caddyfile
# No ARG is declared for these names, so ${Email} etc. expand to empty strings
# at build time; the real values must be supplied by the container environment
# at run time (for example the ECS task definition).
ENV Email ${Email}
ENV SslValidation ${SslValidation}
ENV ViewerEndpoint ${ViewerEndpoint}
ENV DashboardEndpoint ${DashboardEndpoint}
EXPOSE 80
EXPOSE 443
```

d. My complete Caddy config:

```
{
	email {$Email}
	on_demand_tls {
		ask {$SslValidation}
	}
}

:443 {
	header Server "Server"
	header -x-powered-by

	@trailing_slash path_regexp no_slash (.+)\/$
	@domain header_regexp domain host ^www\.(.+)$
	redir @domain https://{http.regexp.domain.1}{uri}
	redir @trailing_slash {re.no_slash.1} 308

	tls {
		on_demand
	}

	handle_path /dashboard* {
		reverse_proxy {$DashboardEndpoint}
	}

	handle {
		reverse_proxy {$ViewerEndpoint}
	}
}
```

5. Links to relevant resources:
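In the Let's Encrypt entries of the log above, the ACME problem detail starts with the address the CA's validator connected to (here 2607:f1c0:100f:f000::200), followed by what it got back: a 204 from the challenge URL, a TLS "internal error" on 443, or a connect timeout. The ZeroSSL entries carry an empty problem document and an "HTTP 0" error, which gives nothing to parse. The script below is an added example and not part of the original post: it pulls the validator's target address and HTTP status out of Caddy's JSON log lines (in the ECS log format shown above, with a timestamp prefix and a container-name suffix) and reports any target that is not one of the addresses you expect the domain to resolve to. The sample lines are copied from the log above; the expected address 203.0.113.10 is a placeholder for the load balancer's public address and no DNS lookup is performed.

```python
"""Added example: triage Caddy's ACME 'challenge failed' log lines.

For Let's Encrypt, the problem 'detail' has the shape
  "[During secondary validation: ]<addr>: <message>[: <http status>]"
where <addr> is the address the validator connected to. Extracting it lets you
compare what the CA reached against the addresses the domain is meant to point at.
"""
import ipaddress
import json
import re
from collections import defaultdict

# Constructed sample in the ECS log format from the post (timestamp prefix,
# JSON body, container-name suffix); the lines themselves are copied from it.
SAMPLE_LOG = r'''
September 25, 2023 at 13:12 (UTC+6:00) {"level":"error","ts":1695625921.9704664,"logger":"http.acme_client","msg":"challenge failed","identifier":"my_domain.com","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"During secondary validation: 2607:f1c0:100f:f000::200: Invalid response from http://my_domain.com/.well-known/acme-challenge/TiJ3R2G9qmSa5MrWO6nrb326bR6CclMA2ctvOlun50o: 204","instance":"","subproblems":[]}} AWS_Container_Name
September 25, 2023 at 13:12 (UTC+6:00) {"level":"error","ts":1695625923.5119298,"logger":"http.acme_client","msg":"challenge failed","identifier":"my_domain.com","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:tls","title":"","detail":"2607:f1c0:100f:f000::200: remote error: tls: internal error","instance":"","subproblems":[]}} AWS_Container_Name
September 25, 2023 at 13:09 (UTC+6:00) {"level":"error","ts":1695625751.6174326,"logger":"http.acme_client","msg":"challenge failed","identifier":"my_domain.com","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"2607:f1c0:100f:f000::200: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]}} AWS_Container_Name
September 25, 2023 at 13:17 (UTC+6:00) {"level":"error","ts":1695626275.7298734,"logger":"http.acme_client","msg":"challenge failed","identifier":"my_domain.com","challenge_type":"http-01","problem":{"type":"","title":"","detail":"","instance":"","subproblems":[]}} AWS_Container_Name
September 25, 2023 at 13:12 (UTC+6:00) {"level":"info","ts":1695625921.5665612,"logger":"http","msg":"served key authentication","identifier":"my_domain.com","challenge":"http-01","remote":"172.31.11.23:35873","distributed":false} AWS_Container_Name
'''

_DETAIL_RE = re.compile(
    r"^(?:During secondary validation: )?"
    r"(?P<addr>[0-9A-Fa-f:.]+): (?P<msg>.*?)(?:: (?P<status>\d{3}))?$"
)


def parse_problem_detail(detail):
    """Return (addr, message, http_status) from an ACME problem detail string.
    addr and http_status are None when the detail does not carry them."""
    m = _DETAIL_RE.match(detail)
    if not m:
        return None, detail, None
    try:
        addr = str(ipaddress.ip_address(m.group("addr")))  # canonical form
    except ValueError:
        return None, detail, None
    status = int(m.group("status")) if m.group("status") else None
    return addr, m.group("msg"), status


def parse_caddy_log(text):
    """Return one record per 'challenge failed' line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        start, end = line.find("{"), line.rfind("}")
        if start < 0 or end < 0:
            continue  # not a JSON log line
        entry = json.loads(line[start:end + 1])
        if entry.get("logger") != "http.acme_client" or entry.get("msg") != "challenge failed":
            continue
        problem = entry.get("problem", {})
        addr, msg, status = parse_problem_detail(problem.get("detail", ""))
        records.append({
            "identifier": entry["identifier"],
            "challenge": entry["challenge_type"],
            "error_type": problem.get("type") or "(empty problem document)",
            "validator_target": addr,
            "http_status": status,
            "message": msg,
        })
    return records


def unexpected_targets(records, expected_addrs):
    """Map identifier -> set of validator targets that are not in expected_addrs.
    expected_addrs: the public addresses the domain should resolve to."""
    expected = {str(ipaddress.ip_address(a)) for a in expected_addrs}
    out = defaultdict(set)
    for r in records:
        target = r["validator_target"]
        if target is not None and target not in expected:
            out[r["identifier"]].add(target)
    return dict(out)


if __name__ == "__main__":
    recs = parse_caddy_log(SAMPLE_LOG)
    for r in recs:
        print(f"{r['identifier']} {r['challenge']:<11} target={r['validator_target']} "
              f"status={r['http_status']} {r['error_type']}: {r['message']}")
    # 203.0.113.10 is a placeholder for the load balancer's public address (assumption).
    print("unexpected validator targets:", unexpected_targets(recs, ["203.0.113.10"]))
```

If a domain shows up with a validator target you do not own, the CA was talking to another host for that name (typically a stray AAAA or A record), and no amount of load-balancer tuning on your side will make the challenge pass until DNS is fixed.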

Do you have some load balancer or proxy in front of Caddy? If you do then it’s probably intercepting the requests before they reach Caddy, so it can’t solve ACME challenges.

Also, please mind your post’s formatting. All indentation of your config was lost, so it’s hard to read. It seems like however you copied the text, it doubled all the line breaks.

Thanks for your comment.

I don’t understand why my LB is not forwarding the request to the Caddy server when the initial request over HTTP / port 80 went through. Only the request over HTTPS / port 443 could not get the certificate. Moreover, we have hundreds of domains; most of them could get the certificate except a few of them. I have checked the DNS setup, and it is set up correctly. I will investigate more on the load balancer side.

And, I will bear the indentation in mind for the next time I post something.

I could not find why the request may not be reaching the Caddy server. I am running it behind an AWS NLB, and all the traffic coming to it is being forwarded to the container using TCP listeners (80 and 443). I would really appreciate it if anyone could help.

Make sure your load balancer is in TCP mode, not in HTTP mode, otherwise it might try to terminate the TLS connection before it reaches Caddy.

Yes, it is in TCP mode. Still, some of my customers are not getting SSL for their domains (most of them are getting SSL). I have checked the error messages and found the ones I attached in the post body. I am wondering what could have gone wrong for them?

Are you sure that the DNS for those customer domains is directly pointing to your servers, and not going through some proxy like Cloudflare? If they have proxying enabled for those domains, it won’t work as expected.

Yes, we have ensured that the DNS A record is pointing directly to our IP address and not going through any proxy/load balancer (Cloudflare or some other proxy).

There is another issue I’d like to address here: some of the domains are hitting a rate limit with the message "too many failed authorizations recently". Can you suggest what I can do to eliminate this? Please check my Caddyfile and suggest the best practice for SSL generation if I am not following it.
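The Caddyfile above already sets `ask {$SslValidation}`, which is the control that matters for the rate-limit question: before obtaining a certificate on demand, Caddy sends a GET to that URL with `?domain=<name>` and proceeds only on a 2xx response, so every name the endpoint refuses costs nothing at the CA. What the endpoint must do is refuse anything that is not a provisioned customer domain; otherwise anyone who points a DNS record at the load balancer can make Caddy spend orders and failed authorizations on their behalf. The service below is an added example, not part of the original post or of Caddy: a stdlib-only ask endpoint whose allowlist, bind address and the `/ask` path are assumptions standing in for the provisioning database behind `{$SslValidation}`.

```python
"""Added example: a minimal on-demand TLS 'ask' endpoint for Caddy.

Caddy requests  GET <ask-url>?domain=<name>  before issuing on demand.
A 2xx reply allows issuance; any other status denies it. Denying unknown
names here keeps strangers from burning the CA rate limits shared by all
customer domains.
"""
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed allowlist (assumption). In production this is a lookup against
# the store where customer domains are provisioned by the dashboard.
ALLOWED_DOMAINS = {"customer-one.example", "customer-two.example"}

# Public hostname: dot-separated labels of [a-z0-9-] without a leading or
# trailing '-', an alphabetic TLD, at most 253 characters in total.
# This rejects IP literals, wildcards and host:port strings outright.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def normalize_domain(raw):
    """Lower-case and drop a trailing dot so lookups are canonical."""
    return raw.strip().lower().rstrip(".")


def is_allowed(raw):
    """True only for a syntactically valid hostname that has been provisioned."""
    domain = normalize_domain(raw)
    return bool(_HOSTNAME_RE.match(domain)) and domain in ALLOWED_DOMAINS


def decide_status(request_target):
    """Map the request (path + query) Caddy sends to an HTTP status:
    200 allow, 403 deny, 404 for any path other than /ask (assumed path)."""
    url = urlparse(request_target)
    if url.path != "/ask":
        return 404
    domains = parse_qs(url.query).get("domain", [])
    # Exactly one domain parameter, and it must be provisioned.
    return 200 if len(domains) == 1 and is_allowed(domains[0]) else 403


class AskHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status = decide_status(self.path)  # denials appear as 403s in the access log
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()


if __name__ == "__main__":
    # Bind only where Caddy can reach it; this service must never be public.
    # 127.0.0.1:8080 is an assumption for a local run.
    HTTPServer(("127.0.0.1", 8080), AskHandler).serve_forever()
```

With this running, the Caddy side stays as in the Caddyfile above, with `{$SslValidation}` set to something like `http://127.0.0.1:8080/ask` (an assumed URL). A domain that is not yet provisioned then gets a 403 and Caddy never contacts the CA for it, so failed-authorization and new-order counts are spent only on names you actually own.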

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.