Switching from nginx to caddy!

You already have the code to do it. On-Demand TLS uses the HTTP challenge. The DNS challenge is only needed for wildcard certificates, or situations where your server is not reachable over public networks (i.e. you’re running an intranet but still want publicly trusted certificates signed by an ACME issuer).

Reading through the docs it looks like all I had to do is add the on_demand to enable it.

tls {
   on_demand
}

However, going to pm0.11bricks.com still shows as

This site can’t provide a secure connection
pm0.11bricks.com sent an invalid response.

Here is the full config for the custom domain block below

https:// {
    encode gzip

    tls {
        on_demand
    }

    import ../security-headers.conf
    import ../lucee.conf

    handle_path /shared/* {
        header Access-Control-Allow-Headers "Content-Type"
        header Access-Control-Allow-Origin *
        root * d:/web/honeystalk.io/shared
        file_server
    }

    root * d:/web/honeystalk.io/account

    import redirected
}

What am I forgetting or doing incorrectly?

What’s in your logs? Turn on the debug global option to see more.

Make the request with curl -v. What do you see?

Here is the output from the curl

$ curl -v https://pm0.11bricks.com
*   Trying 216.239.185.222:443...
* Connected to pm0.11bricks.com (216.239.185.222) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: C:/Apps/git/mingw64/ssl/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, internal error (592):
* error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
* Closing connection 0
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

Here is the caddy log

2022/01/26 21:16:01.255 INFO    serving initial configuration
2022/01/26 21:16:33.294 DEBUG   tls.handshake   no matching certificates and no custom selection logic  {"identifier": "pm0.11bricks.com"}
2022/01/26 21:16:33.314 DEBUG   tls.handshake   no matching certificates and no custom selection logic  {"identifier": "*.11bricks.com"}
2022/01/26 21:16:33.315 DEBUG   tls.handshake   no matching certificates and no custom selection logic  {"identifier": "*.*.com"}
2022/01/26 21:16:33.316 DEBUG   tls.handshake   no matching certificates and no custom selection logic  {"identifier": "*.*.*"}
2022/01/26 21:16:33.322 DEBUG   tls.handshake   choosing certificate    {"identifier": "honeystalk.io", "num_choices": 1}
2022/01/26 21:16:33.323 DEBUG   tls.handshake   default certificate selection results   {"identifier": "honeystalk.io", "subjects": ["*.honeystalk.io", "honeystalk.io"], "managed": false, "issuer_key": "", "hash": "d1babd3aa9eade49bf1aa2279af5f632967627815410f39e03f7a52e2d92098a"}
2022/01/26 21:16:33.324 DEBUG   tls.handshake   matched certificate in cache    {"subjects": ["*.honeystalk.io", "honeystalk.io"], "managed": false, "expiration": "2022/09/13 23:59:59.000", "hash": "d1babd3aa9eade49bf1aa2279af5f632967627815410f39e03f7a52e2d92098a"}
2022/01/26 21:16:33.397 DEBUG   http.handlers.rewrite   rewrote request {"request": {"remote_addr": "10.0.0.172:51917", "proto": "HTTP/2.0", "method": "GET", "host": "honeystalk.io", "uri": "/api/v2/domaincheck?domain=pm0.11bricks.com", "headers": {"Accept-Encoding": ["gzip"], "User-Agent": ["Go-http-client/2.0"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4867, "proto": "h2", "proto_mutual": true, "server_name": "honeystalk.io"}}, "method": "GET", "uri": "/index.cfm?domain=pm0.11bricks.com&path=%2Fapi%2Fv2%2Fdomaincheck"}
2022/01/26 21:16:33.398 DEBUG   http.handlers.rewrite   rewrote request {"request": {"remote_addr": "10.0.0.172:51917", "proto": "HTTP/2.0", "method": "GET", "host": "honeystalk.io", "uri": "/index.cfm?domain=pm0.11bricks.com&path=%2Fapi%2Fv2%2Fdomaincheck", "headers": {"Accept-Encoding": ["gzip"], "User-Agent": ["Go-http-client/2.0"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4867, "proto": "h2", "proto_mutual": true, "server_name": "honeystalk.io"}}, "method": "GET", "uri": "/index.cfm?sub=&domain=pm0.11bricks.com&path=%2Fapi%2Fv2%2Fdomaincheck"}
2022/01/26 21:16:33.403 DEBUG   http.handlers.reverse_proxy     upstream roundtrip      {"upstream": "127.0.0.1:8888", "duration": 0.0019116, "request": {"remote_addr": "10.0.0.172:51917", "proto": "HTTP/2.0", "method": "GET", "host": "honeystalk.io", "uri": "/index.cfm?sub=&domain=pm0.11bricks.com&path=%2Fapi%2Fv2%2Fdomaincheck", "headers": {"X-Forwarded-Host": ["honeystalk.io"], "Accept-Encoding": ["gzip"], "User-Agent": ["Go-http-client/2.0"], "X-Forwarded-For": ["10.0.0.172"], "X-Forwarded-Proto": ["https"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4867, "proto": "h2", "proto_mutual": true, "server_name": "honeystalk.io"}}, "headers": {"Content-Length": ["81"], "Date": ["Wed, 26 Jan 2022 21:16:33 GMT"], "Set-Cookie": ["CFID=9f8d7feb-2ea6-48c1-bb35-8c1bd893ab09;Path=/", "CFTOKEN=0;Path=/"], "P3p": ["CP=\"CAO PSA OUR\""], "X-Frame-Options": ["SAMEORIGIN"], "Access-Control-Allow-Origin": ["*"], "Content-Type": ["application/json;charset=UTF-8"]}, "status": 401}
2022/01/26 21:16:33.415 DEBUG   http.stdlib     http: TLS handshake error from 216.239.185.222:51916: certificate for hostname 'pm0.11bricks.com' not allowed; non-2xx status code 401 returned from https://honeystalk.io/api/v2/domaincheck

This is the problem. You didn’t tell Caddy that it’s allowed to get a certificate for that domain name!

Yes, you are absolutely correct. We had a security check not to allow any calls to the api w/out the api_key. So I had to add a provision for the domaincheck to be allowed! It worked like a charm after that!!!

Thank you!

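An added example, not code from this thread or from Caddy itself, of the kind of domaincheck endpoint the reply above describes. Caddy's on-demand TLS calls the URL set in the global `on_demand_tls { ask ... }` option with the requested name as `?domain=`, and only a 2xx answer permits issuance; anything else (such as the 401 in the log) makes Caddy refuse the handshake. The allowlist, path and listen address here are constructed assumptions.

```go
package main

import (
	"log"
	"net/http"
	"strings"
)

// allowedDomains stands in for the customer-domain lookup a real
// domaincheck endpoint would do; constructed sample data for this example.
var allowedDomains = map[string]bool{
	"pm0.11bricks.com": true,
}

// DomainAllowed normalises the name Caddy passes in the "domain" query
// parameter and decides whether a certificate may be obtained for it.
func DomainAllowed(domain string) bool {
	d := strings.ToLower(strings.TrimSuffix(strings.TrimSpace(domain), "."))
	if d == "" || strings.Contains(d, "*") {
		return false // never answer 2xx for empty or wildcard identifiers
	}
	return allowedDomains[d]
}

// AskHandler serves the on-demand TLS "ask" endpoint. A 200 authorises
// issuance; a 403 makes Caddy abort the handshake for that name.
func AskHandler(w http.ResponseWriter, r *http.Request) {
	if DomainAllowed(r.URL.Query().Get("domain")) {
		w.WriteHeader(http.StatusOK)
		return
	}
	http.Error(w, "domain not allowed", http.StatusForbidden)
}

func main() {
	// Registered on its own path so that the API-key check applied to the
	// rest of the API does not also gate Caddy's certificate check.
	http.HandleFunc("/api/v2/domaincheck", AskHandler)
	log.Fatal(http.ListenAndServe("127.0.0.1:8888", nil))
}
```

Because every unknown name is refused, an attacker pointing DNS at the server cannot make Caddy burn ACME rate limits on certificates for names that are not yours.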

I have published a release for libdns/godaddy but when trying to register the package under my Caddy account I get this error

Sorry, something went wrong:

unable to scan modules in package github.com/caddy-dns/godaddy

Please include this error ID if reporting:
199f8114-9506-4053-b056-d04e74f2c0f8

What am I doing wrong?

@artknight Here’s the error in the logs:

go get: github.com/caddy-dns/godaddy@v0.0.0-20220126162451-b1743d4d9669: parsing go.mod:
        module declares its path as: github.com/caddy-dns/caddy-godaddy
                but was required as: github.com/caddy-dns/godaddy

Make sure your go.mod file is correct

That is already fixed and the module is available!


@matt @francislavoie You guys have been amazingly awesome!!! Thank you so much for putting up with the slew of my questions!!! Not only did I learn a lot, but I am now an active developer in the Caddy community :smiley:


As a token of my appreciation, I would like to invite you guys to use our Project Management tools at Cogency ( https://cogency.io ) FOR FREE FOREVER!!!

We offer real-time collaboration services with the highest focus on privacy ( nothing tracked, ever! )

  • HD Video Conferencing ( 256-bit end-to-end encryption )
  • Chat
  • Sketch ( whiteboarding )
  • Boards ( kanban-style task management )
  • Pages
  • S3 File Storage ( if you have an existing S3 account, you can use yours )

All these services will of course be UNLIMITED to you guys!!!

@matt @francislavoie Please reach out to me to get you setup right away!!!


:tada:

Glad to help!

I don’t think I’d have use for such a product myself, honestly. For my day job we already have everything set up to our liking, and Github’s covers our needs for the Caddy project.

The best way to give thanks and support the project would be to sponsor Matt on GitHub, since he works on Caddy essentially full-time. I just volunteer, and I have my own full-time job that pays me well. I'd rather see money go Matt's way so the project can stay alive as long as possible.

I am pretty sure GitHub does not offer real-time collaborative whiteboarding, nor HD video conferencing! However, if you ever change your mind and want to give Cogency a try… you can always ping me. This offer does not expire!
