Note: this is a question not about something which does not work, but rather about something that does - but I do not know why.
1. Caddy version (caddy version):
v2.1.1 h1:X9k1+ehZPYYrSqBvf/ocUgdLSRIuiNiMo7CvyGUQKeA=
2. How I run Caddy:
Docker container with official image. Relevant Caddyfile:
{
    admin 0.0.0.0:2015
    email m@mymail
    # acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}

(lan) {
    log {
        level ERROR
        format single_field common_log
    }
    @internet {
        not remote_ip 192.168.10.0/24 192.168.20.0/24 172.19.0.0/16
    }
    @local {
        remote_ip 192.168.10.0/24 192.168.20.0/24 172.19.0.0/16
    }
    reverse_proxy @local {args.0}
    respond @internet 200
}

https://nifi.my.domain {
    import lan nifi:8080
}
3. The problem I'm having:
When requesting a new certificate (after adding a site and restarting Caddy) I always get the same scenario, as shown in the log below.
2020/08/28 12:32:09 [INFO][nifi.my.domain] Obtain certificate; acquiring lock...
2020/08/28 12:32:09 [INFO][nifi.my.domain] Obtain: Lock acquired; proceeding...
2020/08/28 12:32:09 [INFO] [nifi.my.domain] acme: Obtaining bundled SAN certificate given a CSR
2020/08/28 12:32:09 [INFO][nifi.my.domain] Waiting on rate limiter...
2020/08/28 12:32:09 [INFO][nifi.my.domain] Done waiting
2020/08/28 12:32:11 [INFO] [nifi.my.domain] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6827782498
2020/08/28 12:32:11 [INFO] [nifi.my.domain] acme: Could not find solver for: tls-alpn-01
2020/08/28 12:32:11 [INFO] [nifi.my.domain] acme: use http-01 solver
2020/08/28 12:32:11 [INFO] [nifi.my.domain] acme: Trying to solve HTTP-01
2020/08/28 12:32:26 [ERROR] error: one or more domains had a problem:
[nifi.my.domain] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://nifi.my.domain/.well-known/acme-challenge/N...redacted...r0: Timeout during connect (likely firewall problem), url:
(challenge=http-01 remaining=[tls-alpn-01])
2020/08/28 12:32:29 [INFO][nifi.my.domain] Served key authentication certificate (TLS-ALPN challenge)
2020/08/28 12:32:30 [INFO][nifi.my.domain] Served key authentication certificate (TLS-ALPN challenge)
2020/08/28 12:32:30 [INFO][nifi.my.domain] Served key authentication certificate (TLS-ALPN challenge)
2020/08/28 12:32:30 [INFO][nifi.my.domain] Served key authentication certificate (TLS-ALPN challenge)
2020/08/28 12:32:33 [INFO] [nifi.my.domain] The server validated our request
2020/08/28 12:32:33 [INFO] [nifi.my.domain] acme: Validations succeeded; requesting certificates
2020/08/28 12:32:35 [INFO] [nifi.my.domain] Server responded with a certificate.
2020/08/28 12:32:35 [INFO][nifi.my.domain] Certificate obtained successfully
2020/08/28 12:32:35 [INFO][nifi.my.domain] Obtain: Releasing lock
This is always the same sequence, with the same error and with, systematically, a successful retrieval afterwards.
I have a hard time understanding the sequence when choosing the solver, comparing it with the documentation at https://caddyserver.com/docs/automatic-https:
- first "Could not find solver for: tls-alpn-01" → I do not understand this point, it looks like there is nothing to configure (short of making port 443 available to LE)
- then "use http-01 solver" → this one fails, and this is OK, port 80 is not exposed (I do not know, though, how to disable that challenge so that it does not show up in the logs)
- and then a sequence of successful, TLS-ALPN-based messages which end up with a LE cert.
My questions:
- what does "Could not find solver for: tls-alpn-01" mean?
- how to disable the HTTP challenge?
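For readers arriving at this thread with the same setup (only port 443 reachable, port 80 blocked), the following Caddyfile fragment is an added example and is not part of the post above. It keeps the poster's matchers and reverse proxy, and adds a tls block that tells the ACME issuer not to attempt the HTTP-01 challenge at all, so only TLS-ALPN-01 on port 443 is used. It assumes Caddy 2.1 or later, where the tls directive accepts an issuer subdirective with the acme issuer's disable_http_challenge option; the email is repeated inside the issuer block so the fragment does not depend on inheriting it from the global options. The hostnames, addresses and e-mail are the poster's placeholders, not real values.

```caddyfile
{
    admin 0.0.0.0:2015
    email m@mymail
}

# Snippet shared by every LAN-only site.
(lan) {
    log {
        level ERROR
        format single_field common_log
    }

    # Anything not on the internal networks gets a bare 200.
    @internet {
        not remote_ip 192.168.10.0/24 192.168.20.0/24 172.19.0.0/16
    }
    @local {
        remote_ip 192.168.10.0/24 192.168.20.0/24 172.19.0.0/16
    }

    # Certificate automation: port 80 is not exposed, so skip HTTP-01
    # and let the ACME client go straight to TLS-ALPN-01 on port 443.
    # (Assumes the Caddy 2.1+ "issuer acme" subdirective.)
    tls {
        issuer acme {
            email m@mymail
            disable_http_challenge
        }
    }

    reverse_proxy @local {args.0}
    respond @internet 200
}

https://nifi.my.domain {
    import lan nifi:8080
}
```

With the HTTP challenge disabled, the "Trying to solve HTTP-01 ... Timeout during connect" error in the log no longer occurs, because the client never asks the CA to verify over port 80; the TLS-ALPN-01 challenge still needs port 443 to be reachable from the CA, which in the poster's logs it already is. The `@internet` matcher does not need to allow the challenge through, since TLS-ALPN-01 is answered during the TLS handshake before any HTTP matcher runs.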