1. The problem I’m having:
I’m migrating from a working Traefik / PowerDNS ACME DNS-challenge setup to Caddy with the same PowerDNS ACME DNS-challenge, using self-hosted PowerDNS servers.
I have installed the PowerDNS plugin and am trying to generate Let's Encrypt certificates with it, but it fails in a strange way. When Caddy starts it tries to obtain the certificates, but it cannot create the needed PowerDNS records because of an “unsupported protocol scheme” error. (The log quotes the request as `Get "my.dns.tld:8081/api/v1/..."` with scheme `"my.dns.tld"`: the `server_url` in the config has no `http://` or `https://` prefix, so Go's HTTP client parses the hostname as the URL scheme. The plugin needs a full URL such as `https://my.dns.tld:8081`; since every request carries the PowerDNS API key, it should be HTTPS, or at least never cross an untrusted network in plain HTTP.)
2. Error messages and/or full log output:
Caddy:
| {"level":"error","ts":17135456667.9905512,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.domain.tld","issuer":"acme-staging-v02.api.letsencrypt.org-directory","error":"[*.domain.tld] solving challenges: presenting for challenge: adding temporary record for zone \"domain.tld.\": Get \"my.dns.tld:8081/api/v1/servers/localhost/zones?zone=domain.tld.\": unsupported protocol scheme \"my.dns.tld\" (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/168320304/52825046623) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
PowerDNS
Dec 09 02:11:04 Lua record monitoring declaring TCP/IP 111.111.111.111:443 DOWN: connecting to 111.111.111.111:443 failed: Connection refused
Dec 09 02:11:09 Lua record monitoring declaring TCP/IP 111.111.111.111;443 UP!
3. Caddy version:
2.7.5
4. How I installed and ran Caddy:
a. System environment:
Running in Docker on Ubuntu
b. Command:
docker stack deploy -c ./caddy/docker-compose.yml caddy
c. Service/unit/compose file:
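# Build Caddy with the layer4 (TCP/TLS proxy) and PowerDNS DNS-challenge plugins.
# The Caddy version is a build ARG so the builder stage and the runtime stage
# can never drift apart; the default keeps the original 2.7.5 behaviour.
ARG CADDY_VERSION=2.7.5
FROM caddy:${CADDY_VERSION}-builder AS builder
# Supply-chain note: `--with <module>` without `@<tag>` resolves to the newest
# module version at build time, so two builds of this file can produce different
# binaries. Pin each plugin (e.g. `--with github.com/caddy-dns/powerdns@<tag>`)
# once a known-good version is identified.
RUN xcaddy build \
    --with github.com/mholt/caddy-l4 \
    --with github.com/caddy-dns/powerdns
FROM caddy:${CADDY_VERSION}
# Only the custom binary is taken from the builder stage; toolchain stays out of the image.
COPY --from=builder /usr/bin/caddy /usr/bin/caddy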
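# Swarm stack for the custom Caddy image (deployed with `docker stack deploy`).
version: "3.7"
services:
  caddy:
    image: myregistry/repo/caddy:2-staged
    # NOTE(review): `restart:` is a plain docker-compose option; `docker stack deploy`
    # reports it as unsupported and uses `deploy.restart_policy` instead — confirm
    # which one is actually in effect here.
    restart: always
    deploy:
      # NOTE(review): three replicas each bind-mounting a host path for /data means
      # every replica keeps its own ACME account/certificate state unless /caddy/data
      # is shared across the manager nodes. Independent DNS-01 solves for the same
      # name can collide (one replica's cleanup removing another's TXT record);
      # consider a shared storage backend, or a single replica while debugging.
      replicas: 3
      placement:
        constraints:
          - node.role == manager
    command: caddy run --config /config/caddy-config.json
    ports:
      # Port 80 is bound for the layer4 server below, not for ACME: the Caddy
      # config disables the HTTP-01 challenge and uses the PowerDNS DNS-01 challenge.
      - 80:80
      - 443:443
    volumes:
      # Holds caddy-config.json, which contains the PowerDNS api_token in plain
      # text on every manager node. Restrict the file's permissions, or keep the
      # token out of the file (e.g. via Caddy `{env.*}` placeholders or Docker secrets).
      - /caddy/config:/config
      # - /caddy/config/Caddyfile:/etc/caddy/Caddyfile
      # Redundant: already provided by the /caddy/config:/config mount above.
      - /caddy/config/caddy-config.json:/config/caddy-config.json
      - /caddy/data:/data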
d. My complete Caddy config:
{
"logging": {
"sink": {
"writer": {
"output": "stdout"
}
},
"logs": {
"": {
"writer": {
"output": "stderr"
},
"level": "DEBUG"
}
}
},
"apps": {
"tls": {
"certificates": {
"automate": [
"*.mydomainname.tld"
]
},
"automation": {
"policies": [
{
"issuers": [
{
"module": "acme",
"ca": "https://acme-staging-v02.api.letsencrypt.org/directory",
"challenges": {
"dns": {
"provider": {
"name": "powerdns",
"server_url": "123.123.1234.123:8081",
"api_token": "myapikey",
"debug": "stdout"
},
"resolvers": [
"123.123.1234.123:53"
],
"propagation_delay": 60000
},
"http": {
"disabled": true
},
"tls-alpn": {
"disabled": true
}
}
}
]
}
]
}
},
"layer4": {
"servers": {
"mydomainname.tld": {
"listen": [
":80",
":443"
],
"routes": [
{
"match": [
{
"ip": {
"ranges": [
"111.111.111.111"
]
},
"http": [
{
"host": [
"mydomainname.tld"
]
}
]
}
],
"handle": [
{
"handler": "proxy",
"upstreams": [
{
"dial": [
"nginx_nginx:80"
]
}
]
}
]
},
{
"match": [
{
"ip": {
"ranges": [
"111.111.111.111"
]
},
"tls": {
"sni": [
"mydomainname.tld"
]
}
}
],
"handle": [
{
"handler": "tls"
},
{
"handler": "proxy",
"proxy_protocol": "v1",
"upstreams": [
{
"dial": [
"nginx_nginx:80"
]
}
]
}
]
}
]
},
"secure-imap": {
"listen": [
"0.0.0.0:993"
],
"routes": [
{
"handle": [
{
"handler": "tls"
},
{
"handler": "proxy",
"proxy_protocol": "v1",
"upstreams": [
{
"dial": [
"mailserver_mailserver:143"
]
}
]
}
]
}
]
},
"normal-imap": {
"listen": [
"0.0.0.0:143"
],
"routes": [
{
"handle": [
{
"handler": "proxy_protocol"
},
{
"handler": "proxy",
"proxy_protocol": "v2",
"upstreams": [
{
"dial": [
"mailserver_mailserver:1143"
]
}
]
}
]
}
]
}
}
}
}
}