Subdomain - Invalid request IP

1. My Caddy version (caddy -version): Caddy v1.0.4

2. How I run Caddy:

a. System environment: FreeNas Jail - FreeBSD Version 11.2-RELEASE-p6

b. Command: service caddy start

d. My complete Caddyfile:

foo.site { 
	root /usr/local/www/foo.site
	tls {
		dns namecheap
	}
}
    
http://plex.foo.site { 
	proxy / 192.168.1.102:32400 { 
		transparent
	}
	tls {
		dns namecheap
	}
}

http://nextcloud.foo.site { 
	proxy / 192.168.1.103 { 
		transparent
	}
	tls {
		dns namecheap
	}
}

http://shinobi.foo.site { 
	proxy / 192.168.1.104:8080 { 
		transparent 
		websocket
	}
	tls {
		dns namecheap
	}	
}

3. The problem I’m having:

I am successfully hosting Caddy inside a FreeNas jail. I’m able to run a locally served file system website at the address “foo.site”. Caddy is able to successfully register an SSL certificate for this site. I also reverse proxy to three other sites, which are subdomains of “foo.site”. However, when attempting to remove “http://” from the Caddyfile to initiate the SSL certificate registration and creation process, I receive an error in the caddy.log file:

4. Error messages and/or full log output:

2020/01/08 07:36:27 [INFO] [shinobi.foo.site] acme: Obtaining bundled SAN certificate
2020/01/08 07:36:27 [INFO] [shinobi.foo.site] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/2176895688
2020/01/08 07:36:27 [INFO] [shinobi.foo.site] acme: Could not find solver for: tls-alpn-01
2020/01/08 07:36:27 [INFO] [shinobi.foo.site] acme: Could not find solver for: http-01
2020/01/08 07:36:27 [INFO] [shinobi.foo.site] acme: use dns-01 solver
2020/01/08 07:36:27 [INFO] [shinobi.foo.site] acme: Preparing to solve DNS-01
2020/01/08 07:36:27 [INFO] [shinobi.foo.site] acme: Cleaning DNS-01 challenge
2020/01/08 07:36:28 [WARN] [shinobi.foo.site] acme: error cleaning up: namecheap: Invalid request IP: 70.110.180.2 [1011150] 
2020/01/08 07:36:28 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/2176895688
2020/01/08 07:36:28 [ERROR][shinobi.foo.site] failed to obtain certificate: acme: Error -> One or more domains had a problem:
[shinobi.foo.site] [shinobi.foo.site] acme: error presenting token: namecheap: Invalid request IP: 70.110.180.2 [1011150] (attempt 3/3; challenge=dns-01)
2020/01/08 07:36:29 failed to obtain certificate: acme: Error -> One or more domains had a problem:
[shinobi.foo.site] [shinobi.foo.site] acme: error presenting token: namecheap: Invalid request IP: 70.110.180.2 [1011150]

5. What I already tried:

Since the root domain for the locally hosted site is working properly, I know that both Caddy and the included NameCheap plugin are working correctly.

I believe my local network’s DNS server is providing the correct DNS record to Caddy:

nslookup shinobi.foo.site
Server:  DD-WRT
Address:  192.168.1.1

 Name:    shinobi.foo.site
 Address:  70.110.180.2

In addition, I believe my NameCheap “Advanced DNS” configuration has been set up properly. I have no problems accessing any of the sites when outside of my local network:

Type        Host        Value           TTL
A Record    @           70.110.180.2    Automatic
A Record    nextcloud   70.110.180.2    Automatic
A Record    plex        70.110.180.2    Automatic
A Record    shinobi     70.110.180.2    Automatic

Ideally, I’d prefer it if I could configure Caddy to register a Wild Card Certificate for foo.site, and then have that used to secure all of the *.foo.site subdomains… but I have no idea if this is possible.

Any guidance or assistance anyone can provide will be greatly appreciated. Thanks very much!

Hey @ecomstock

Have you tried to remove the use of the namecheap plugin? I’ve been tooling around with Caddy 1.0.4 on 12.1-STABLE in a jail. Besides figuring out the pf rules, I finally got it working the other night. Granted this was for a subdomain (stage.jaredwolff.com)

Not sure about the wildcard certs. That may be something you have to do manually yourself if you want to go that far. I’ve used other reverse proxies (that shall not be named!) which generate a cert per domain/sub-domain as far as I can tell.

Yeah, you can get a wildcard certificate (but only when using the DNS challenge): https://caddyserver.com/v1/docs/automatic-https#wildcards

I’m not sure what’s going on with the error you’re seeing though, I don’t have enough experience with the DNS challenge to help in that area.

Jared, thanks for the reply.

I did actually create a completely separate jail with a new Caddy installation, and all of the site routing and reverse proxying works just fine without the namecheap plugin. In the original jail with the namecheap plugin installed, the reverse proxy also works fine as long as I register the subdomain in the Caddyfile starting with “http://”. So, the issue definitely lies somewhere in the subdomain/SSL registration flow.

One thing I haven’t tried is to remove the root “@” A Record from Namecheap and attempt to register only the subdomains. That may be a good experiment.

I haven’t looked at this for over two weeks, so I’ll reply to this thread when I have time to experiment more.

Francis, thanks for the pointer. I’ll be looking into that soon. I think I’m going to see if the source code for namecheap plugin is available online. If I can find it, I may be able to determine the correct order of operations.

The code for the namecheap plugin is here: https://github.com/caddyserver/dnsproviders/blob/master/namecheap/namecheap.go

That error:

Invalid request IP: 70.110.180.2

Appears to originate from Namecheap, maybe a misconfigured API? (Could also be a bug or something not well documented in the Namecheap provider)
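
Added example, not part of the thread and not Caddy or plugin code: a small triage script run over the caddy.log lines quoted in the first post. It shows that both failures come back from the DNS provider's API during the dns-01 "present" and "clean up" steps, so the TXT record was never published and the CA had nothing to validate; the function and field names are this example's own.

```python
import re

# Lines copied from the caddy.log excerpt in the first post of this thread.
SAMPLE_LOG = """\
2020/01/08 07:36:27 [INFO] [shinobi.foo.site] acme: use dns-01 solver
2020/01/08 07:36:27 [INFO] [shinobi.foo.site] acme: Preparing to solve DNS-01
2020/01/08 07:36:27 [INFO] [shinobi.foo.site] acme: Cleaning DNS-01 challenge
2020/01/08 07:36:28 [WARN] [shinobi.foo.site] acme: error cleaning up: namecheap: Invalid request IP: 70.110.180.2 [1011150]
2020/01/08 07:36:28 [ERROR][shinobi.foo.site] failed to obtain certificate: acme: Error -> One or more domains had a problem:
[shinobi.foo.site] [shinobi.foo.site] acme: error presenting token: namecheap: Invalid request IP: 70.110.180.2 [1011150] (attempt 3/3; challenge=dns-01)
"""

# Shape of the failing lines above:
# "[domain] acme: error <phase>: <provider>: <message> (attempt ...)"
FAILURE = re.compile(
    r"\[(?P<domain>[^\]\s]+)\]\s+acme: error (?P<phase>presenting token|cleaning up): "
    r"(?P<provider>[\w-]+): (?P<message>.*?)(?:\s+\(attempt .*\))?\s*$"
)
DETAIL = re.compile(r"Invalid request IP: (?P<ip>[\d.]+) \[(?P<code>\d+)\]")

# Which DNS-provider API call each phase corresponds to.
STEP = {
    "presenting token": "create the _acme-challenge TXT record",
    "cleaning up": "remove the _acme-challenge TXT record",
}

def triage(log_text):
    """Return one finding per distinct provider-side dns-01 failure."""
    findings, seen = [], set()
    for line in log_text.splitlines():
        m = FAILURE.search(line)
        if not m:
            continue
        key = (m["domain"], m["phase"], m["provider"], m["message"])
        if key in seen:  # retries repeat the same line; report it once
            continue
        seen.add(key)
        d = DETAIL.search(m["message"])
        findings.append({
            "domain": m["domain"], "phase": m["phase"],
            "provider": m["provider"], "step": STEP[m["phase"]],
            "request_ip": d["ip"] if d else None,
            "code": d["code"] if d else None,
        })
    return findings

def failed_before_validation(findings):
    """True when the TXT record was never created, so the CA never checked DNS."""
    return any(f["phase"] == "presenting token" for f in findings)
```

Because the failure is in the "present" step, the A records and the local nslookup result shown earlier in the thread are not what the log is complaining about; the rejected value is the IP the provider saw on the API request.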