The config below used to work flawlessly 2 months ago.
Okay, so I downloaded the Caddy module for DuckDNS for Linux AMD64 from the website.
I use DuckDNS to give HTTPS to my local IP 192.168.1.197 with the domain adguardcad.duckdns.org.
And my API key for DuckDNS is token01-ford-apli1-lane-8c21055d2331
Now I use Caddy to do it, where my Caddyfile is:
adguardcad.duckdns.org:443 {
	# Use the ACME DNS-01 challenge to get a cert for the configured domain.
	tls {
		dns duckdns token01-ford-apli1-lane-8c21055d2331
	}

	# This setting may have compatibility issues with some browsers
	# (e.g., attachment downloading on Firefox). Try disabling this
	# if you encounter issues.
	encode gzip

	reverse_proxy /notifications/hub/ adguardhome:3012

	# Proxy everything else to Rocket
	reverse_proxy adguardhome:80
}
I have also tried ping 1.1.1.1 from inside the container and it works:
root@omv:~# docker exec -it adguardcaddy /bin/sh
/srv # ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: seq=0 ttl=51 time=14.364 ms
64 bytes from 1.1.1.1: seq=1 ttl=51 time=14.050 ms
64 bytes from 1.1.1.1: seq=2 ttl=51 time=14.132 ms
64 bytes from 1.1.1.1: seq=4 ttl=51 time=14.134 ms
64 bytes from 1.1.1.1: seq=5 ttl=51 time=14.052 ms
64 bytes from 1.1.1.1: seq=6 ttl=51 time=13.622 ms
64 bytes from 1.1.1.1: seq=7 ttl=51 time=13.499 ms
64 bytes from 1.1.1.1: seq=9 ttl=51 time=13.405 ms
Let’s Encrypt added more remote perspectives from different geos; on their community forum there have been several instances of firewalls blocking the new geos, and therefore failing now when in the past they were successful.
But for me it is now failing with both Let’s Encrypt and ZeroSSL, and I, with my limited knowledge, have been trying to solve this for 3 days now without any luck.
As part of the DNS challenge issuance, Caddy does “propagation checks”, i.e. it tries to do DNS queries to verify that the TXT record was correctly written to your DNS.
It seems like when trying to do that, the DNS queries Caddy is making are failing. I assume 35.183.157.249 is your ISP’s DNS server (DNS is performed on port 53).
You can try to configure resolvers 1.1.1.1 in your tls config to tell Caddy to use a different DNS server (e.g. Cloudflare’s).
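The propagation check described above is just a TXT lookup for `_acme-challenge.<domain>` sent to a resolver. The stdlib-only script below is an added example (not from the thread or from Caddy) that sends that lookup to several resolvers and reports the DNS RCODE, so a resolver answering SERVFAIL or dropping port 53 stands out; the resolver list and the sample packet are constructed here.

```python
"""Added example: reproduce Caddy's DNS-01 propagation lookup by hand and
report each resolver's RCODE (stdlib only, no dnspython needed)."""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPE_TXT = 16
TXID = 0x1234  # fixed transaction id so the offline sample can match it


def build_query(name: str, txid: int = TXID) -> bytes:
    """Wire-format DNS query: header (RD=1, one question) + QNAME + TXT/IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_TXT, 1)


def parse_rcode(resp: bytes, txid: int = TXID) -> str:
    """Return the RCODE name from a DNS response header (SERVFAIL, NXDOMAIN...)."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", resp[:4])
    if rid != txid:
        raise ValueError("transaction id mismatch (spoofed or stale reply)")
    if not flags & 0x8000:  # QR bit must be set on a response
        raise ValueError("packet is not a response")
    rcode = flags & 0x000F
    return RCODES.get(rcode, f"RCODE{rcode}")


def query_resolver(name: str, resolver: str, timeout: float = 3.0) -> str:
    """Send the TXT query over UDP/53; a dropped port shows up as TIMEOUT."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (resolver, 53))
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT"
    return parse_rcode(resp)


def check(domain: str, resolvers=("1.1.1.1", "8.8.8.8")) -> dict:
    """Map each resolver to the RCODE it returns for _acme-challenge.<domain>."""
    name = f"_acme-challenge.{domain}"
    return {r: query_resolver(name, r) for r in resolvers}


# Constructed sample: a reply with QR=1, RD=1, RA=1, RCODE=2 (SERVFAIL), no records,
# i.e. what the thread's logs show the resolver answering for gharnas.duckdns.org.
SAMPLE_SERVFAIL = (struct.pack("!HHHHHH", TXID, 0x8182, 1, 0, 0, 0)
                   + build_query("_acme-challenge.gharnas.duckdns.org")[12:])

if __name__ == "__main__":
    for resolver, rcode in check("gharnas.duckdns.org").items():
        print(f"{resolver:>15}: {rcode}")
```

Running it from inside the Caddy container shows which resolvers actually answer from that network, which is what the `resolvers` directive lets you pick.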
@fedonr I strongly suggest getting new (or regenerate) and different DuckDNS API Tokens!
And this too
Never post Private Keys, Credentials, nor secret API keys.
Editing them out is nice, but they are still loose in the wild for bad actors to get and use.
Now Public Keys are just that; anyone can and should be able to see them, so posting them is OK.
Still facing the issues, I tried some trial and error, where I did a factory reset on my router and it worked for the first time, so I kept on it for 3 days trying to delete certs and restart the container every 5 hours after deleting the Caddy data and config files. It’s working 1 out of 4 times in a day.
INF ts=xxx logger=tls.issuance.zerossl.acme_client msg=trying to solve challenge identifier=gharnas.duckdns.org challenge_type=dns-01 ca=https://acme.zerossl.com/v2/DV90
ERR ts=xxx logger=tls.issuance.zerossl.acme_client msg=cleaning up solver identifier=*.gharnas.duckdns.org challenge_type=dns-01 error=no memory of presenting a DNS record for "_acme-challenge.gharnas.duckdns.org" (usually OK if presenting also failed)
ERR ts=xxx logger=tls.issuance.zerossl.acme_client msg=cleaning up solver identifier=gharnas.duckdns.org challenge_type=dns-01 error=no memory of presenting a DNS record for "_acme-challenge.gharnas.duckdns.org" (usually OK if presenting also failed)
ERR ts=xxx logger=tls.obtain msg=could not get certificate from issuer identifier=*.gharnas.duckdns.org issuer=acme.zerossl.com-v2-DV90 error=[*.gharnas.duckdns.org] solving challenges: presenting for challenge: could not determine zone for domain "_acme-challenge.gharnas.duckdns.org": unexpected response code 'SERVFAIL' for gharnas.duckdns.org. (order=https://acme.zerossl.com/v2/DV90/order/KqujzNEER2dkJKK5RpFzvg) (ca=https://acme.zerossl.com/v2/DV90)
ERR ts=xxx logger=tls.obtain msg=will retry error=[*.gharnas.duckdns.org] Obtain: [*.gharnas.duckdns.org] solving challenges: presenting for challenge: could not determine zone for domain "_acme-challenge.gharnas.duckdns.org": unexpected response code 'SERVFAIL' for gharnas.duckdns.org. (order=https://acme.zerossl.com/v2/DV90/order/KqujzNEER2dkJKK5RpFzvg) (ca=https://acme.zerossl.com/v2/DV90) attempt=1 retrying_in=60 elapsed=10.854302968 max_duration=2592000
ERR ts=xxx logger=tls.obtain msg=could not get certificate from issuer identifier=gharnas.duckdns.org issuer=acme.zerossl.com-v2-DV90 error=[gharnas.duckdns.org] solving challenges: presenting for challenge: could not determine zone for domain "_acme-challenge.gharnas.duckdns.org": unexpected response code 'SERVFAIL' for _acme-challenge.gharnas.duckdns.org. (order=https://acme.zerossl.com/v2/DV90/order/ODv6ymYqrO5Z9lkO9-MRCg) (ca=https://acme.zerossl.com/v2/DV90)
ERR ts=xxx logger=tls.obtain msg=will retry error=[gharnas.duckdns.org] Obtain: [gharnas.duckdns.org] solving challenges: presenting for challenge: could not determine zone for domain "_acme-challenge.gharnas.duckdns.org": unexpected response code 'SERVFAIL' for _acme-challenge.gharnas.duckdns.org. (order=https://acme.zerossl.com/v2/DV90/order/ODv6ymYqrO5Z9lkO9-MRCg) (ca=https://acme.zerossl.com/v2/DV90) attempt=1 retrying_in=60 elapsed=10.85496946 max_duration=2592000
This just looks like DuckDNS having a short amount of downtime:
Caddy tries to renew when the cert has 30 days remaining of lifetime (of its total 90 days), and it continually retries. So intermittent errors like this are fine.
Thank you, but I realized this issue when my URLs stopped working completely. That is when I posted this thread, after 2 to 3 days of it.
That’s when I witnessed such errors in logs.
Can this be the case?
Jio blocks TCP and UDP requests for DNS
Jio, a major Indian ISP, has been observed to employ various methods to block certain websites and services. According to the search results, Jio is using a technique called SNI (Server Name Indication) inspection to block websites for its users. This method involves inspecting the SNI field in the TLS protocol to determine the intended destination of a connection and block it if necessary.
Additionally, Jio has also been reported to block UDP ports required for Cloudflare Warp, a service that provides a secure and fast way to access the internet. This blocking of UDP ports is likely done to prevent users from accessing certain websites or services that Jio may deem inappropriate.
It’s also worth noting that Jio has been known to change its public IP addresses frequently to maintain efficiency and manage its network resources. This can cause issues for users who rely on static IP addresses or have specific configurations that rely on a specific IP address.
In summary, Jio has been observed to block TCP and UDP requests for DNS, as well as block specific ports and services, in order to manage its network and block certain websites or services.
It is resolved now, as I had to change the resolver to Google 8.8.8.8,
as Cloudflare and ControlD didn’t work.
So the solution was resetting the router and changing the resolver to Google.
Initially Google, Cloudflare and ControlD all failed, but after resetting the router Google started working.
Still I do have a question: why did Cloudflare suddenly stop working? It worked for more than a year for me. And why do some resolvers work while others don’t?
Well you suggested it could have to do with your ISP. If that’s the case and they’re blocking Cloudflare for whatever reason, that would be an explanation.