Privacy activation process

I still need help with the privacy process.
I got an error message and I don’t understand it’s meaning:

failed to get certificate: acme:
Error 400 - urn:acme:error:malformed - Error creating new authz :
: DNS name does not have enough labels

Any advise will be appreciated

You most likely have a problem in your Caddyfile… Can you post it here or link to it as a gist, please?

DNS name does not have enough labels

A “label” here is a part of a domain name. In, the labels are www, example, and com.

This error would occur if you tried to acquire a certificate for an internal DNS name like myrouter for example.

LetsEncrypt and Caddy’s Automatic HTTPS can only work for publically-accessible domain names (,, etc.).

Thanks Jon and Matthew,
I inserted only Internet existing DNS names and my Caddyfile is very simple:

localhost:8080 {
tls off
} {
root /www/
} {
root /www/

Do I miss something in the caddyfile?

Well, for one thing, your last closing bracket is a close-parenthesis rather than a curly brace.

But even if I replace that with a curly brace, I can’t reproduce the error. This Caddyfile doesn’t have any sites in it using HTTPS, so it will not attempt to acquire LetsEncrypt certs. Can you post the real one, or something closer to it?

If you don’t want to do that, carefully check that you don’t have anything outside of curly braces except for site names. For example, if you had something like the following, gzip would be interpreted as a third site, not as a directive, and it would produce the error you’re seeing. {
  root /foo
} {
  root /bar

Sorry, the curly brace issue is a typing mistake, as I did not “cut & paste” from the caddyfile.
But, it looks that your advise help. I deleted spaces I had after the curly brace and I don’t have this error any more.
Thank you.
How can I check that the privacy process passed, just enter the site with https://?
What is the default location for the certificate?

Yes, and you’ll see where the certificate is saved in the process log (-log).

Thank you all.
Matt, I checked the logfile. I got there:

scanning for stale OCSP staples
done checking OCSP staples
and I dont see https.
(and of course that I cant access https).
I suspect that it is my router / firewall issue. I opened port 443 and marked port forwarding to my server ports 443 and 80.
Should I open another port that caddy is using?

I have to say that I am very satisfied with caddy . I believe that after solving the https issue it will be the perfect webserver for me…

By the way: what happened to the donation page?

Hey, that’s not what I wrote, where does this discussion note came from???

What’s your entire, unchanged Caddyfile, ben?

localhost:8080 {
} {
root /www/
} {
root //www/
} {
root /www/
} {
root //www/

I wrote the domains 2nd time with www after I saw that trying to enter with www the server return with an error message
that site does not exist on port 80

I’m not sure I understand; if you want HTTPS, why are you disabling it by forcing http:// (and :80 which is redundant) in your Caddyfile?

matt, I am not sure that I understood, I am sorry buy from my age I am better in DOS / UNIX and assembly :slight_smile:
I tried to add another line with :443 but I gor an error message and caddy didn’t startup.
What should I do? delete the :80 and caddy will handle the ports?


Try this Caddyfile:

localhost:8080 {
} {
    root /www/
} {
    root //www/  # did you mean to have double "//" here?
} {
    root /www/
} {
    root //www/  # (and here?)

The scheme http:// and port :80 in your site labels are explicitly instructing Caddy not to fetch certificates and enable HTTPS. Take them out for all sites, like in @matt’s example, and Caddy will serve both HTTP and HTTPS, redirecting people to upgrade.

Since your www and apex domain share configuration, you can also double up labels for Caddy to serve the same site to both. Like so:

localhost:8080 {
}, {
  root /www/
}, {
  root /www/

Thanks, I understand the concept now, it worked but raised new problems:slight_smile:

  1. the first site got certificate, the 2nd not (got en error message). I read that there is a problem in getting certificates for several domains with the same IP on the same server, but Matt wrote me :“HTTPS just works, don’t even think about it”
    so I assume that it should work…
  2. after the certificate process, trying to access the first site http is automatically replaced by https. I assume that it should be, but there is no access to the site. I suspect that now is a firewall / router probem, but I don’t know yet how to solve it. Any tip will be appreciated.
  3. Is there a way to temporary cancel this http-https replacement to allow the site to be online till I solve it?

What error are you getting with that second site? Maybe the error message could tell us something about what’s going wrong.

With really old server software that doesn’t support SNI, this was the case. It hasn’t been this way for a long time. Nowadays you can have as many certificates on a single IP address as you like because the client tells the server which domain it’s asking for, so the server knows which certificate to use for the handshake.

Can you elaborate? Do you get an error of some kind? A blank page with no data? What’s it look like after you get to HTTPS?

Yep - put http:// before each site name (like, and Caddy won’t serve HTTPS or force upgrades for those sites in particular. You can mix and match some HTTPS and some non-HTTPS sites in the same Caddyfile this way.

I am glad to hear it. So it should work but I still got the error: Here are the details:

terminal message:
Activating privacy features…2017/04/24 10:22:45 []
failed to get certificate: acme: Error 400 - urn:acme:error:connection -
Failed to connect to for tls-sni-01 challenge
Error detail:
validation for
Resolved to:

2017/04/24 10:22:30 [INFO][] acme: Obtaining bundled SAN certificate
2017/04/24 10:22:30 [INFO][] acme: Could not find solver for: dns-01
2017/04/24 10:22:30 [INFO][] acme: Trying to solve HTTP-01
2017/04/24 10:22:31 [INFO][] Served key authentication
2017/04/24 10:22:32 [INFO][] The server validated our request
2017/04/24 10:22:32 [INFO][] acme: Validations succeeded; requesting certificates
2017/04/24 10:22:33 [INFO] acme: Requesting issuer cert from
2017/04/24 10:22:33 [INFO][] Server responded with a certificate.
2017/04/24 10:22:34 [INFO][] acme: Obtaining bundled SAN certificate
2017/04/24 10:22:34 [INFO][] acme: Trying to solve HTTP-01
2017/04/24 10:22:35 [INFO][] Served key authentication
2017/04/24 10:22:36 [INFO][] The server validated our request
2017/04/24 10:22:36 [INFO][] acme: Validations succeeded; requesting certificates
2017/04/24 10:22:37 [INFO] acme: Requesting issuer cert from
2017/04/24 10:22:37 [INFO][] Server responded with a certificate.
2017/04/24 10:22:38 [INFO][] acme: Obtaining bundled SAN certificate
2017/04/24 10:22:38 [INFO][] acme: Trying to solve TLS-SNI-01

browser can not find the site. After a long delay I got the message: “This web page is not available”.