Please explain auto tls failure

1. The problem I’m having:

caddy auto tls fails
Can I do tls with a domain that points to a LAN address?

2. Error messages and/or full log output:

2023/11/02 16:16:20.875	debug	http.stdlib	http: TLS handshake error from 127.0.0.1:54466: EOF
2023/11/02 16:16:20.876	debug	tls.issuance.acme.acme_client	done waiting for solver	{"identifier": "git.debased.earth", "challenge_type": "tls-alpn-01"}
2023/11/02 16:16:20.925	debug	tls.issuance.acme.acme_client	http request	{"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/authz-v3/279926149426", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.5 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Boulder-Requester":["1392420186"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["801"],"Content-Type":["application/json"],"Date":["Thu, 02 Nov 2023 16:16:21 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["x2pLemUfA_76BmMjZuOiSrYKCh7YFFQK1tAOki2VPI8d0P2lIiE"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2023/11/02 16:16:20.926	info	tls.issuance.acme.acme_client	trying to solve challenge	{"identifier": "www.debased.earth", "challenge_type": "tls-alpn-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2023/11/02 16:16:20.928	debug	tls.issuance.acme.acme_client	waiting for solver before continuing	{"identifier": "www.debased.earth", "challenge_type": "tls-alpn-01"}
2023/11/02 16:16:20.928	debug	http.stdlib	http: TLS handshake error from 127.0.0.1:54467: EOF

...

2023/11/02 16:16:23.060	error	tls.issuance.acme.acme_client	challenge failed	{"identifier": "git.debased.earth", "challenge_type": "tls-alpn-01", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "123:777:666:bad:dad:dead:beef:cafe: Network unreachable", "instance": "", "subproblems": []}}
2023/11/02 16:16:23.060	error	tls.issuance.acme.acme_client	validating authorization	{"identifier": "git.debased.earth", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "123:456:789:12:345:dead:beef:cafe: Network unreachable", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/1392420176/219408498536", "attempt": 1, "max_attempts": 3}

github gist (full log)

3. Caddy version:

v2.7.5 h1:HoysvZkLcN2xJExEepaFHK92Qgs7xAiCFydN5x5Hs6Q=

4. How I installed and ran Caddy:

~/.go/bin/xcaddy.exe build v2.7.5 --with github.com/abiosoft/caddy-exec --with github.com/caddyserver/cache-handler --with github.com/aksdb/caddy-cgi/v2 --with github.com/greenpau/caddy-git --with github.com/Elegant996/scgi-transport

Also I’m using msys2-mingw64 and have verified that the %APPDATA%\caddy folder exists.

a. System environment:

b. Command:

./caddy.exe run -c caddyfile -a caddyfile

c. Service/unit/compose file:

n/a

d. My complete Caddy config:

{
	debug
	email <$MY_EMAIL>
	log default {
		output file ./access.log {
			roll_size 8MB
			roll_keep 5
			roll_keep_for 720h
		}
	}
	log other {
		output stdout
	}
	order cgi before respond
}
www.debased.earth {
	encode zstd gzip
	
	reverse_proxy /* 127.0.0.1:3000 {
	}
	@gaiastatic {
		path /static /static/*
	}
	handle @gaiastatic {
		encode zstd gzip
		file_server browse {
			root ...\\folder\\etc
		}
	}
}
git.debased.earth {
	encode zstd gzip
	reverse_proxy /* 127.0.0.1:3001 {
	}
}

5. Links to relevant resources:

DNS BIND

; A BIND file is a .TXT file that's used to export
; DNS records from one domain to another. BIND
; files are commonly used by lots of domain
; registrars, so they're a good choice if
; you're exporting resource records to a domain
; that's managed by a different registrar.

debased.earth. 3600 IN A 10.0.0.3
debased.earth. 3600 IN AAAA 123:456:789:012:345:dead:beef:cafe
debased.earth. 3600 IN MX 10 mail.debased.earth.
auth.debased.earth. 3600 IN CNAME debased.earth.
cdn.debased.earth. 3600 IN CNAME debased.earth.
ci.debased.earth. 3600 IN CNAME debased.earth.
error.debased.earth. 3600 IN CNAME debased.earth.
git.debased.earth. 3600 IN CNAME debased.earth.
id.debased.earth. 3600 IN CNAME debased.earth.
login.debased.earth. 3600 IN CNAME debased.earth.
mail.debased.earth. 3600 IN CNAME debased.earth.
ssl.debased.earth. 3600 IN CNAME debased.earth.
www.debased.earth. 3600 IN CNAME debased.earth.

Not with the ACME HTTP or ACME TLS-ALPN challenges – those require that ports 80 and 443 are publicly accessible from the internet.

You can use the ACME DNS challenge though. See this article:
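The answer above comes down to where the CA's validator can connect: HTTP-01 and TLS-ALPN-01 need the name to resolve to an address reachable from the internet, while DNS-01 is validated entirely through DNS. As an added example (not part of the thread and not Caddy's code), the Python below parses the zone records posted earlier, follows the CNAME chains, and reports for each name which challenge types could plausibly succeed. The `public.example` record and its address are constructed for contrast; the other records are copied from the post.

```python
"""Preflight check for ACME challenge reachability.

Added example for this thread (not Caddy's or the forum's own code): given
BIND-style zone records, follow CNAMEs and report, per hostname, whether the
name resolves to a globally routable address, which HTTP-01 and TLS-ALPN-01
require. DNS-01 does not depend on the server's address at all.
"""
import ipaddress

# Constructed sample zone: records copied from the post, plus one constructed
# name (public.example) pointing at a well-known public resolver address so a
# routable case appears alongside the LAN case. Nothing is resolved live.
ZONE_TEXT = """\
; comment lines are ignored
debased.earth. 3600 IN A 10.0.0.3
debased.earth. 3600 IN AAAA 123:456:789:012:345:dead:beef:cafe
debased.earth. 3600 IN MX 10 mail.debased.earth.
git.debased.earth. 3600 IN CNAME debased.earth.
www.debased.earth. 3600 IN CNAME debased.earth.
public.example. 3600 IN A 8.8.8.8
"""


def _norm(name):
    """Lower-case a DNS name and drop the trailing dot so lookups match."""
    return name.lower().rstrip(".")


def parse_zone(text):
    """Parse 'owner ttl class type rdata' lines into {owner: [(type, rdata), ...]}."""
    records = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            continue
        owner, rtype, rdata = _norm(fields[0]), fields[3].upper(), " ".join(fields[4:])
        records.setdefault(owner, []).append((rtype, rdata))
    return records


def resolve_addresses(records, name, max_hops=8):
    """Follow CNAMEs (bounded, so a loop cannot hang) and return A/AAAA rdata."""
    name = _norm(name)
    for _ in range(max_hops):
        rrs = records.get(name, [])
        addrs = [rdata for rtype, rdata in rrs if rtype in ("A", "AAAA")]
        if addrs:
            return addrs
        cnames = [rdata for rtype, rdata in rrs if rtype == "CNAME"]
        if not cnames:
            return []
        name = _norm(cnames[0])
    return []


def is_publicly_routable(addr_text):
    """True only for addresses a CA's validator could reach over the internet.

    Private (RFC 1918 / ULA), loopback, link-local and IANA-reserved blocks
    all fail this test.
    """
    addr = ipaddress.ip_address(addr_text)
    return addr.is_global and not addr.is_reserved


def challenge_options(records, name):
    """Return (addresses, challenge types) that could work for name.

    Judged from the addresses alone: firewalls and port forwarding on 80/443
    are not checked here.
    """
    addrs = resolve_addresses(records, name)
    options = ["dns-01"]  # never depends on the server's address
    if any(is_publicly_routable(a) for a in addrs):
        options += ["http-01", "tls-alpn-01"]
    return addrs, options


if __name__ == "__main__":
    zone = parse_zone(ZONE_TEXT)
    for host in ("git.debased.earth", "www.debased.earth", "public.example"):
        addrs, opts = challenge_options(zone, host)
        print(f"{host}: {addrs} -> usable challenges: {opts}")
```

Run against the posted zone, both `git.debased.earth` and `www.debased.earth` come back with only `dns-01`, because 10.0.0.3 is RFC 1918 space and the AAAA value falls in an IANA-reserved block, which matches the "Network unreachable" the validator reported. Note that Let's Encrypt's validators try IPv6 first when an AAAA record exists, so a reserved or unroutable AAAA record is worth removing even once the IPv4 side is fixed.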

Thank you. I will just generate my own certs for the LAN. And I will read that information because there is probably a provider for Google Domains.

FYI Google Domains is shutting down (being transferred to SquareSpace). I recommend moving to a different domain registrar tbh.

Also the Google Domains API is extremely limited. We’ve archived the plugin (GitHub - caddy-dns/google-domains: Support for ACME DNS challenge through Google Domains) because they’re shutting down.
