Struggling with wildcard certificates

1. Caddy version:

v2.2.1

2. How I run Caddy:

Hi! - I am attempting to set up a reverse-proxy using Caddy on Windows to replace an existing IIS reverse-proxy. I run the executable from an elevated command prompt. I got the executable from caddyserver.com by choosing Windows amd64 from the drop-down menu, adding a check-mark to the box for dns.providers.route53, and then clicking the download button.

a. System environment:

Microsoft Windows Server 2016 [Version 10.0.14393]

b. Command:

C:\Server\Caddy>caddy_windows_amd64_custom.exe run

d. My complete Caddyfile or JSON config:

*.qualgs.com {
	tls {
		# The route53 plugin resolves AWS credentials through the SDK default chain:
		# AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY in the process environment,
		# or a profile in %USERPROFILE%\.aws\credentials
		dns route53
	}
	respond "It works!"
	log {
		output file C:\Server\Caddy\logs\qualgs_com_access.log {
			# Rotation and gzip compression are on by default. The names used here
			# are the Caddyfile subdirectives; roll, roll_size_mb, roll_gzip and
			# roll_keep_days are the JSON field names and are not Caddyfile options.
			roll_size 5MiB          # Roll the file once it reaches 5 MiB
			roll_keep 2             # Keep at most 2 rolled files
			roll_keep_for 168h      # Delete rolled files older than 7 days
			roll_local_time         # Timestamp rolled files in local time
		}
	}
	header {
		# No trailing semicolon: the value is sent verbatim as the header
		Strict-Transport-Security max-age=31536000
	}
}

3. The problem I’m having:

When I run the executable, Caddy seems to be unable to acquire a wildcard SSL certificate from letsencrypt.org.

4. Error messages and/or full log output:

C:\Server\Caddy>caddy_windows_amd64_custom.exe run
2020/10/24 07:04:10.354 INFO    using adjacent Caddyfile
2020/10/24 07:04:10.361 INFO    admin   admin endpoint started  {"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["localhost:2019", "[::1]:2019", "127.0.0.1:2019"]}
2020/10/24 07:04:10.362 INFO    http    server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2020/10/24 07:04:10.362 INFO    http    enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2020/10/24 07:04:10.363 INFO    http    enabling automatic TLS certificate management   {"domains": ["*.qualgs.com"]}
2020/10/24 07:04:10.370 INFO    autosaved config        {"file": "C:\\Users\\Administrator\\AppData\\Roaming\\Caddy\\autosave.json"}
2020/10/24 07:04:10.456 INFO    serving initial configuration
2020/10/24 07:04:10.382 INFO    tls     cleaned up storage units
2020/10/24 07:04:10.377 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc00045c700"}
2020/10/24 07:04:10.497 INFO    tls.obtain      acquiring lock  {"identifier": "*.qualgs.com"}
2020/10/24 07:04:10.565 INFO    tls.obtain      lock acquired   {"identifier": "*.qualgs.com"}
2020/10/24 07:04:10.569 INFO    tls.issuance.acme       waiting on internal rate limiter    {"identifiers": ["*.qualgs.com"]}
2020/10/24 07:04:10.569 INFO    tls.issuance.acme       done waiting on internal rate limiter   {"identifiers": ["*.qualgs.com"]}
2020/10/24 07:04:11.231 INFO    tls.issuance.acme.acme_client   trying to solve challenge   {"identifier": "*.qualgs.com", "challenge_type": "dns-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2020/10/24 07:04:11.483 ERROR   tls.issuance.acme.acme_client   cleaning up solver      {"identifier": "*.qualgs.com", "challenge_type": "dns-01", "error": "no memory of presenting a DNS record for qualgs.com (probably OK if presenting failed)"}
2020/10/24 07:04:11.575 ERROR   tls.obtain      will retry      {"error": "[*.qualgs.com] Obtain: [*.qualgs.com] solving challenges: presenting for challenge: adding temporary record for zone qualgs.com.: NoCredentialProviders: no valid providers in chain. Deprecated.\n\tFor verbose messaging see aws.Config.CredentialsChainVerboseErrors (order=https://acme-v02.api.letsencrypt.org/acme/order/99695345/5845534623) (ca=https://acme-v02.api.letsencrypt.org/directory)", "attempt": 1, "retrying_in": 60, "elapsed": 1.0065555, "max_duration": 2592000}
2020/10/24 07:04:16.771 INFO    shutting down   {"signal": "SIGINT"}
2020/10/24 07:04:16.773 INFO    tls.cache.maintenance   stopped background certificate maintenance      {"cache": "0xc00045c700"}
2020/10/24 07:04:16.774 INFO    tls.obtain      releasing lock  {"identifier": "*.qualgs.com"}
2020/10/24 07:04:16.776 ERROR   tls.obtain      unable to unlock        {"identifier": "*.qualgs.com", "lock_key": "cert_acme_*.qualgs.com_acme-v02.api.letsencrypt.org-directory", "error": "remove C:\\Users\\Administrator\\AppData\\Roaming\\Caddy\\locks\\cert_acme_wildcard_.qualgs.com_acme-v02.api.letsencrypt.org-directory.lock: The system cannot find the file specified."}
2020/10/24 07:04:16.777 ERROR   tls     job failed      {"error": "*.qualgs.com: obtaining certificate: context canceled"}
2020/10/24 07:04:16.779 INFO    admin   stopped previous server
2020/10/24 07:04:16.782 INFO    shutdown done   {"signal": "SIGINT"}

5. What I already tried:

If I replace the wildcard domain (*.qualgs.com) with the naked domain (qualgs.com) in the Caddyfile, then a certificate is issued successfully. I suspect I have misconfigured the Caddyfile, but my attempts at googling and trial-and-error have not discovered the problem.

Hmm. You didn’t specify your API key for it (unless you omitted it), you’re meant to pass that as the next argument beside dns route53 in your Caddyfile. I think that’s what the NoCredentialProviders error is trying to tell you.
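The `NoCredentialProviders: no valid providers in chain` text in the log comes from the AWS SDK inside the route53 plugin: it walked its default credential chain (environment variables, then the shared credentials file) and found nothing, so the DNS-01 solver could not write the `_acme-challenge` TXT record. The naked domain works because that name is validated with HTTP-01/TLS-ALPN-01, which needs no DNS write access at all. The pre-flight script below is an added example written for this thread, not code from the original post or from the Caddy project. It runs in the elevated PowerShell session that will start Caddy, reports which credential source the SDK will find (or fails early, reproducing the error condition before Caddy hits a rate limit), checks that a wildcard site address has the `dns route53` challenge configured, validates the Caddyfile, and only then starts the server. The executable path, Caddyfile path and the `.aws\credentials` location are assumptions for the example; the OP's paths from the post are reused where they are known.

```powershell
# Added example (not from the original post or the Caddy project).
# Pre-flight check for Caddy + route53 DNS-01 on Windows, run from the
# elevated PowerShell session that will launch Caddy.

$CaddyExe  = 'C:\Server\Caddy\caddy_windows_amd64_custom.exe'   # path from the post
$Caddyfile = 'C:\Server\Caddy\Caddyfile'                         # assumed: adjacent Caddyfile
$CredFile  = Join-Path $env:USERPROFILE '.aws\credentials'       # SDK shared credentials file

function Test-AwsCredentialSource {
    # Mirrors the first two links of the AWS SDK default credential chain,
    # which is what the route53 plugin consults.
    if ($env:AWS_ACCESS_KEY_ID -and $env:AWS_SECRET_ACCESS_KEY) {
        return 'environment variables'
    }
    if (Test-Path $CredFile) {
        $awsProfile = if ($env:AWS_PROFILE) { $env:AWS_PROFILE } else { 'default' }
        if (Select-String -Path $CredFile -Pattern "^\[$awsProfile\]" -Quiet) {
            return "shared credentials file, profile '$awsProfile'"
        }
    }
    return $null
}

$source = Test-AwsCredentialSource
if (-not $source) {
    # This is exactly the state that produced "NoCredentialProviders" in the log.
    Write-Error 'No AWS credentials are visible to this process; the route53 solver will fail with NoCredentialProviders.'
    exit 1
}
Write-Host "Route53 solver will use AWS credentials from: $source"

# A wildcard site address can only be validated with DNS-01, so it needs
# the dns challenge in its tls block. Simple text check on the Caddyfile.
$cfg = Get-Content -Path $Caddyfile -Raw
if (($cfg -match '(?m)^\s*\*\.') -and ($cfg -notmatch 'dns\s+route53')) {
    Write-Warning 'Wildcard site address found but no "dns route53" in a tls block; DNS-01 cannot be solved.'
}

# Fail on syntax/adapter errors before touching the ACME server, then run.
& $CaddyExe validate --config $Caddyfile --adapter caddyfile
if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
& $CaddyExe run --config $Caddyfile --adapter caddyfile
```

Two practical notes. Set the variables in the same session before running the script (`$env:AWS_ACCESS_KEY_ID = '...'`, `$env:AWS_SECRET_ACCESS_KEY = '...'`, and `$env:AWS_REGION` if the SDK asks for one); a value set in a different window or a non-elevated shell is not inherited by this process, which is an easy way to end up with an empty chain. Whatever the credential source, give the solver an IAM principal limited to the one hosted zone: `route53:ChangeResourceRecordSets` on that zone plus the read-only lookups the provider uses to find the zone and confirm the change (`route53:ListHostedZonesByName`, `route53:GetChange`), rather than a broad Route53 or account-level key. Keep the secret out of the Caddyfile itself if you can: the log shows Caddy autosaving the adapted config to `C:\Users\Administrator\AppData\Roaming\Caddy\autosave.json`, so anything embedded in the config also lands in that file in plain text.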
