Testing new Let's Encrypt IP Certificates

1. The problem I’m having:

Hello, I’ve been trying to test the new Let’s Encrypt IP certificates using Caddy.

So far, I managed to generate the certificates, by building Caddy with the updated certmagic module, but it looks like Caddy is failing to find the certificate it just generated, instead trying to find a certificate for a private IP address (10.10.0.155).

I imagine the issue is a wrong or missing configuration in my Caddyfile, but I couldn’t figure out what it could be.

2. Error messages and/or full log output:

2025/07/22 13:54:25.978 INFO    maxprocs: Leaving GOMAXPROCS=4: CPU quota undefined
2025/07/22 13:54:25.978 INFO    GOMEMLIMIT is updated   {"package": "github.com/KimMachineGun/automemlimit/memlimit", "GOMEMLIMIT": 22652618342, "previous": 9223372036854775807}
2025/07/22 13:54:25.978 INFO    using adjacent Caddyfile
2025/07/22 13:54:25.979 INFO    adapted config to JSON  {"adapter": "caddyfile"}
2025/07/22 13:54:25.980 INFO    admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2025/07/22 13:54:25.980 INFO    http.auto_https server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2025/07/22 13:54:25.980 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0x400065e900"}
2025/07/22 13:54:25.980 INFO    http.auto_https enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2025/07/22 13:54:25.980 DEBUG   http.auto_https adjusted config {"tls": {"automation":{"policies":[{"subjects":["167.234.234.130"]},{}]}}, "http": {"servers":{"remaining_auto_https_redirects":{"listen":[":80"],"routes":[{},{}]},"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"body":"hello world","handler":"static_response"}]}]}],"terminal":true}],"tls_connection_policies":[{}],"automatic_https":{}}}}}
2025/07/22 13:54:25.981 DEBUG   http    starting server loop    {"address": "[::]:443", "tls": true, "http3": false}
2025/07/22 13:54:25.981 INFO    http    enabling HTTP/3 listener        {"addr": ":443"}
2025/07/22 13:54:25.981 INFO    failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 7168 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details.
2025/07/22 13:54:25.981 INFO    http.log        server running  {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2025/07/22 13:54:25.981 DEBUG   http    starting server loop    {"address": "[::]:80", "tls": false, "http3": false}
2025/07/22 13:54:25.981 WARN    http    HTTP/2 skipped because it requires TLS  {"network": "tcp", "addr": ":80"}
2025/07/22 13:54:25.981 WARN    http    HTTP/3 skipped because it requires TLS  {"network": "tcp", "addr": ":80"}
2025/07/22 13:54:25.981 INFO    http.log        server running  {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2025/07/22 13:54:25.981 INFO    http    enabling automatic TLS certificate management   {"domains": ["167.234.234.130"]}
2025/07/22 13:54:25.981 DEBUG   events  event   {"name": "started", "id": "1df322a4-94c1-4a02-8772-78f1d2737899", "origin": "", "data": null}
2025/07/22 13:54:25.982 INFO    autosaved config (load with --resume flag)      {"file": "/home/rodri/.config/caddy/autosave.json"}
2025/07/22 13:54:25.982 INFO    serving initial configuration
2025/07/22 13:54:25.985 INFO    tls     cleaning storage unit   {"storage": "FileStorage:/home/rodri/.local/share/caddy"}
2025/07/22 13:54:25.987 INFO    tls.obtain      acquiring lock  {"identifier": "167.234.234.130"}
2025/07/22 13:54:25.987 INFO    tls     finished cleaning storage units
2025/07/22 13:54:25.989 INFO    tls.obtain      lock acquired   {"identifier": "167.234.234.130"}
2025/07/22 13:54:25.989 INFO    tls.obtain      obtaining certificate   {"identifier": "167.234.234.130"}
2025/07/22 13:54:25.989 DEBUG   events  event   {"name": "cert_obtaining", "id": "39fb66c5-32e4-4b29-a586-a2493b1031c0", "origin": "tls", "data": {"identifier":"167.234.234.130"}}
2025/07/22 13:54:25.989 DEBUG   tls     created CSR     {"identifiers": ["167.234.234.130"], "san_dns_names": [], "san_emails": [], "common_name": "", "extra_extensions": 0}
2025/07/22 13:54:25.990 DEBUG   tls.obtain      trying issuer 1/1       {"issuer": "acme-staging-v02.api.letsencrypt.org-directory"}
2025/07/22 13:54:25.990 INFO    tls.issuance.acme       creating new account because no account for configured email is known to us     {"email": "<MY_EMAIL>@gmail.com", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory", "error": "open /home/rodri/.local/share/caddy/acme/acme-staging-v02.api.letsencrypt.org-directory/users/<MY_EMAIL>@gmail.com/<MY_EMAIL>.json: no such file or directory"}
2025/07/22 13:54:25.990 INFO    tls.issuance.acme       ACME account has empty status; registering account with ACME server     {"contact": ["mailto:<MY_EMAIL>@gmail.com"], "location": ""}
2025/07/22 13:54:25.992 INFO    tls.issuance.acme       creating new account because no account for configured email is known to us     {"email": "<MY_EMAIL>@gmail.com", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory", "error": "open /home/rodri/.local/share/caddy/acme/acme-staging-v02.api.letsencrypt.org-directory/users/<MY_EMAIL>@gmail.com/<MY_EMAIL>.json: no such file or directory"}
2025/07/22 13:54:26.495 DEBUG   http request    {"method": "GET", "url": "https://acme-staging-v02.api.letsencrypt.org/directory", "headers": {"User-Agent":["Caddy/8ba7eefd-20250720 CertMagic acmez (linux; arm64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["1069"],"Content-Type":["application/json"],"Date":["Tue, 22 Jul 2025 13:54:26 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2025/07/22 13:54:26.655 DEBUG   http request    {"method": "HEAD", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce", "headers": {"User-Agent":["Caddy/8ba7eefd-20250720 CertMagic acmez (linux; arm64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Date":["Tue, 22 Jul 2025 13:54:26 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["WqSL1hmcw246fP_gnwi7mpGDRBphSq241AIVgdtmVAsjLLd7RQs"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2025/07/22 13:54:26.823 DEBUG   http request    {"method": "POST", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/8ba7eefd-20250720 CertMagic acmez (linux; arm64)"]}, "response_headers": {"Boulder-Requester":["214924654"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["236"],"Content-Type":["application/json"],"Date":["Tue, 22 Jul 2025 13:54:26 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf>;rel=\"terms-of-service\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/acct/214924654"],"Replay-Nonce":["WqSL1hmcdcJz27syrJBDl_XyhA3l-MTYfcIZ7ene2qeYf6kvXsU"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 201}
2025/07/22 13:54:26.823 INFO    tls.issuance.acme       new ACME account registered     {"contact": ["mailto:<MY_EMAIL>@gmail.com"], "status": "valid"}
2025/07/22 13:54:26.828 INFO    tls.issuance.acme       waiting on internal rate limiter        {"identifiers": ["167.234.234.130"], "ca": "https://acme-staging-v02.api.letsencrypt.org/directory", "account": "<MY_EMAIL>@gmail.com"}
2025/07/22 13:54:26.828 INFO    tls.issuance.acme       done waiting on internal rate limiter   {"identifiers": ["167.234.234.130"], "ca": "https://acme-staging-v02.api.letsencrypt.org/directory", "account": "<MY_EMAIL>@gmail.com"}
2025/07/22 13:54:26.828 INFO    tls.issuance.acme       using ACME account      {"account_id": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/214924654", "account_contact": ["mailto:<MY_EMAIL>@gmail.com"]}
2025/07/22 13:54:26.828 DEBUG   creating order  {"account": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/214924654", "identifiers": ["167.234.234.130"]}
2025/07/22 13:54:26.998 DEBUG   http request    {"method": "POST", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/8ba7eefd-20250720 CertMagic acmez (linux; arm64)"]}, "response_headers": {"Boulder-Requester":["214924654"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["387"],"Content-Type":["application/json"],"Date":["Tue, 22 Jul 2025 13:54:26 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/order/214924654/26213468404"],"Replay-Nonce":["8JsvQDukBOlWXQn0eYKlNo1g_B26NOaV10ZNAbBw9zQ_LTmA_GI"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 201}
2025/07/22 13:54:27.161 DEBUG   http request    {"method": "POST", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz/214924654/18616207644", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/8ba7eefd-20250720 CertMagic acmez (linux; arm64)"]}, "response_headers": {"Boulder-Requester":["214924654"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["614"],"Content-Type":["application/json"],"Date":["Tue, 22 Jul 2025 13:54:27 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["WqSL1hmcJ3ydUQaWW6m5Q5G4_rO9HmiKIg37zbA8pNfbjuDUSGU"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2025/07/22 13:54:27.161 DEBUG   no solver configured    {"challenge_type": "tls-alpn-01"}
2025/07/22 13:54:27.161 INFO    trying to solve challenge       {"identifier": "167.234.234.130", "challenge_type": "http-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"}
2025/07/22 13:54:27.164 DEBUG   waiting for solver before continuing    {"identifier": "167.234.234.130", "challenge_type": "http-01"}
2025/07/22 13:54:27.164 DEBUG   done waiting for solver {"identifier": "167.234.234.130", "challenge_type": "http-01"}
2025/07/22 13:54:27.327 DEBUG   http request    {"method": "POST", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/214924654/18616207644/WdfcSA", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/8ba7eefd-20250720 CertMagic acmez (linux; arm64)"]}, "response_headers": {"Boulder-Requester":["214924654"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["201"],"Content-Type":["application/json"],"Date":["Tue, 22 Jul 2025 13:54:27 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://acme-staging-v02.api.letsencrypt.org/acme/authz/214924654/18616207644>;rel=\"up\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/chall/214924654/18616207644/WdfcSA"],"Replay-Nonce":["WqSL1hmcgm384WIX_YlooRYhcouEoe0SsjBuNN7HTRD4V6Kcge4"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2025/07/22 13:54:27.327 DEBUG   challenge accepted      {"identifier": "167.234.234.130", "challenge_type": "http-01"}
2025/07/22 13:54:27.489 INFO    tls.issuance.acme       served key authentication       {"identifier": "167.234.234.130", "challenge": "http-01", "remote": "66.133.109.36:40299", "distributed": false}
2025/07/22 13:54:27.741 DEBUG   http request    {"method": "POST", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz/214924654/18616207644", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/8ba7eefd-20250720 CertMagic acmez (linux; arm64)"]}, "response_headers": {"Boulder-Requester":["214924654"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["614"],"Content-Type":["application/json"],"Date":["Tue, 22 Jul 2025 13:54:27 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["8JsvQDukTB-PYpt7T7wuGa-DCshBtxYNr-z26EUa4AmMC2CSwGs"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2025/07/22 13:54:27.808 INFO    tls.issuance.acme       served key authentication       {"identifier": "167.234.234.130", "challenge": "http-01", "remote": "3.128.29.203:56486", "distributed": false}
2025/07/22 13:54:27.872 INFO    tls.issuance.acme       served key authentication       {"identifier": "167.234.234.130", "challenge": "http-01", "remote": "54.71.102.18:21190", "distributed": false}
2025/07/22 13:54:27.960 INFO    tls.issuance.acme       served key authentication       {"identifier": "167.234.234.130", "challenge": "http-01", "remote": "13.51.47.159:29978", "distributed": false}
2025/07/22 13:54:28.154 DEBUG   http request    {"method": "POST", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz/214924654/18616207644", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/8ba7eefd-20250720 CertMagic acmez (linux; arm64)"]}, "response_headers": {"Boulder-Requester":["214924654"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["614"],"Content-Type":["application/json"],"Date":["Tue, 22 Jul 2025 13:54:28 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["WqSL1hmccSrqccZvrWhNh7VyS30bbHu96-VJHZmh3gbtXZVXpVI"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2025/07/22 13:54:28.188 INFO    tls.issuance.acme       served key authentication       {"identifier": "167.234.234.130", "challenge": "http-01", "remote": "13.250.21.201:22114", "distributed": false}
2025/07/22 13:54:28.566 DEBUG   http request    {"method": "POST", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz/214924654/18616207644", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/8ba7eefd-20250720 CertMagic acmez (linux; arm64)"]}, "response_headers": {"Boulder-Requester":["214924654"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["777"],"Content-Type":["application/json"],"Date":["Tue, 22 Jul 2025 13:54:28 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["WqSL1hmcHo7VHCrnNy4GQesfkpgy4cX9uf12rg69tbSWaIUSzxU"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2025/07/22 13:54:28.567 INFO    authorization finalized {"identifier": "167.234.234.130", "authz_status": "valid"}
2025/07/22 13:54:28.567 INFO    validations succeeded; finalizing order {"order": "https://acme-staging-v02.api.letsencrypt.org/acme/order/214924654/26213468404"}
2025/07/22 13:54:28.733 DEBUG   http request    {"method": "POST", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/214924654/26213468404", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/8ba7eefd-20250720 CertMagic acmez (linux; arm64)"]}, "response_headers": {"Boulder-Requester":["214924654"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["390"],"Content-Type":["application/json"],"Date":["Tue, 22 Jul 2025 13:54:28 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/order/214924654/26213468404"],"Replay-Nonce":["WqSL1hmcLEnWvuyhH4M4tFLoOjo3V-a0sLTxCV1LhRZsXkaCcoY"],"Retry-After":["3"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2025/07/22 13:54:31.895 DEBUG   http request    {"method": "POST", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/order/214924654/26213468404", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/8ba7eefd-20250720 CertMagic acmez (linux; arm64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["497"],"Content-Type":["application/json"],"Date":["Tue, 22 Jul 2025 13:54:31 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/order/214924654/26213468404"],"Replay-Nonce":["WqSL1hmcrFFSnzvRVpq2Y94e3WQb0vP7D8HF5bTO3u8hZ8lVcAQ"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2025/07/22 13:54:32.058 DEBUG   http request    {"method": "POST", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/cert/2cf681f03ecceb78f7f623e3503ef6c3e4d9", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/8ba7eefd-20250720 CertMagic acmez (linux; arm64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["2905"],"Content-Type":["application/pem-certificate-chain"],"Date":["Tue, 22 Jul 2025 13:54:31 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://acme-staging-v02.api.letsencrypt.org/acme/cert/2cf681f03ecceb78f7f623e3503ef6c3e4d9/1>;rel=\"alternate\""],"Replay-Nonce":["8JsvQDukBeKGsQUd43sFwGHZ_LlQdUUGfvo-TLebpVIw3b6S04Q"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2025/07/22 13:54:32.058 DEBUG   getting renewal info    {"names": []}
2025/07/22 13:54:32.222 DEBUG   http request    {"method": "GET", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/renewal-info/oXQaBm1Qt4YtSizBfrSNiElszRY.LPaB8D7M63j39iPjUD72w-TZ", "headers": {"User-Agent":["Caddy/8ba7eefd-20250720 CertMagic acmez (linux; arm64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["101"],"Content-Type":["application/json"],"Date":["Tue, 22 Jul 2025 13:54:32 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Retry-After":["21600"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2025/07/22 13:54:32.222 INFO    got renewal info        {"names": [], "window_start": "2025/07/25 19:49:48.000", "window_end": "2025/07/25 23:00:37.000", "selected_time": "2025/07/25 20:47:01.000", "recheck_after": "2025/07/22 19:54:32.222", "explanation_url": ""}
2025/07/22 13:54:32.385 DEBUG   http request    {"method": "POST", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/cert/2cf681f03ecceb78f7f623e3503ef6c3e4d9/1", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/8ba7eefd-20250720 CertMagic acmez (linux; arm64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["2348"],"Content-Type":["application/pem-certificate-chain"],"Date":["Tue, 22 Jul 2025 13:54:32 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://acme-staging-v02.api.letsencrypt.org/acme/cert/2cf681f03ecceb78f7f623e3503ef6c3e4d9/0>;rel=\"alternate\""],"Replay-Nonce":["WqSL1hmc5z4tMnk2OJWL5mVYblfYW1dOhIZe3VpJtXLO_IOe4Os"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2025/07/22 13:54:32.385 DEBUG   getting renewal info    {"names": []}
2025/07/22 13:54:32.547 DEBUG   http request    {"method": "GET", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/renewal-info/oXQaBm1Qt4YtSizBfrSNiElszRY.LPaB8D7M63j39iPjUD72w-TZ", "headers": {"User-Agent":["Caddy/8ba7eefd-20250720 CertMagic acmez (linux; arm64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["101"],"Content-Type":["application/json"],"Date":["Tue, 22 Jul 2025 13:54:32 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Retry-After":["21600"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2025/07/22 13:54:32.548 INFO    got renewal info        {"names": [], "window_start": "2025/07/25 19:49:48.000", "window_end": "2025/07/25 23:00:37.000", "selected_time": "2025/07/25 21:35:07.000", "recheck_after": "2025/07/22 19:54:32.548", "explanation_url": ""}
2025/07/22 13:54:32.548 INFO    successfully downloaded available certificate chains    {"count": 2, "first_url": "https://acme-staging-v02.api.letsencrypt.org/acme/cert/2cf681f03ecceb78f7f623e3503ef6c3e4d9"}
2025/07/22 13:54:32.548 DEBUG   tls.issuance.acme       selected certificate chain      {"url": "https://acme-staging-v02.api.letsencrypt.org/acme/cert/2cf681f03ecceb78f7f623e3503ef6c3e4d9"}
2025/07/22 13:54:32.555 INFO    tls.obtain      certificate obtained successfully       {"identifier": "167.234.234.130", "issuer": "acme-staging-v02.api.letsencrypt.org-directory"}
2025/07/22 13:54:32.555 DEBUG   events  event   {"name": "cert_obtained", "id": "fd526262-7b20-4eec-8de1-d48521a1c165", "origin": "tls", "data": {"certificate_path":"certificates/acme-staging-v02.api.letsencrypt.org-directory/167.234.234.130/167.234.234.130.crt","csr_pem":"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlIY01JR0VBZ0VBTUFBd1dUQVRCZ2NxaGtqT1BRSUJCZ2dxaGtqT1BRTUJCd05DQUFRNDNWVU9VMjlacGVvdApPWXBpbXdGdjY5SjJFRGRhZFZ0cGpsUURKZEFDZ05laHh0cWhoR0M5a1pKVUkzeTYxTUdtV0h0cnI3RDI4bFlZCkJlQXBveFRFb0NJd0lBWUpLb1pJaHZjTkFRa09NUk13RVRBUEJnTlZIUkVFQ0RBR2h3U242dXFDTUFvR0NDcUcKU000OUJBTUNBMGNBTUVRQ0lIY0ZFOG84UkF3dmpqM3I1VWltczU5aWtjM3pxVkZYMURTZjRGenZWZnhjQWlBUAowT09oWmx4RjNISUt2SitKOGp6N0lLYTdWVnNTYWx5aC9NcmFndFY1S3c9PQotLS0tLUVORCBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0K","identifier":"167.234.234.130","issuer":"acme-staging-v02.api.letsencrypt.org-directory","metadata_path":"certificates/acme-staging-v02.api.letsencrypt.org-directory/167.234.234.130/167.234.234.130.json","private_key_path":"certificates/acme-staging-v02.api.letsencrypt.org-directory/167.234.234.130/167.234.234.130.key","renewal":false,"storage_path":"certificates/acme-staging-v02.api.letsencrypt.org-directory/167.234.234.130"}}
2025/07/22 13:54:32.556 INFO    tls.obtain      releasing lock  {"identifier": "167.234.234.130"}
2025/07/22 13:54:32.556 WARN    tls     stapling OCSP   {"identifiers": ["167.234.234.130"]}
2025/07/22 13:54:32.556 DEBUG   tls.cache       added certificate to cache      {"subjects": ["167.234.234.130"], "expiration": "2025/07/29 04:55:58.000", "managed": true, "issuer_key": "acme-staging-v02.api.letsencrypt.org-directory", "hash": "48f50113d3fd044198fae6dacc372d7b2001dcbdcba660874456041050bf5f30", "cache_size": 1, "cache_capacity": 10000}
2025/07/22 13:54:32.556 DEBUG   events  event   {"name": "cached_managed_cert", "id": "d9d00530-5b10-4834-91ef-ae2cc3597b58", "origin": "tls", "data": {"sans":["167.234.234.130"]}}


2025/07/22 13:54:38.528 DEBUG   events  event   {"name": "tls_get_certificate", "id": "a4593fd5-6339-46f9-8d0f-bfdd3dd266b1", "origin": "tls", "data": {"client_hello":{"CipherSuites":[51914,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"","SupportedCurves":[64250,4588,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[43690,772,771],"RemoteAddr":{"IP":"<MY_IP>","Port":55493,"Zone":""},"LocalAddr":{"IP":"10.10.0.155","Port":443,"Zone":""}}}}
2025/07/22 13:54:38.528 DEBUG   tls.handshake   no matching certificates and no custom selection logic  {"identifier": "10.10.0.155"}
2025/07/22 13:54:38.528 DEBUG   tls.handshake   no certificate matching TLS ClientHello {"remote_ip": "<MY_IP>", "remote_port": "55493", "server_name": "", "remote": "<MY_IP>:55493", "identifier": "10.10.0.155", "cipher_suites": [51914, 4865, 4866, 4867, 49195, 49199, 49196, 49200, 52393, 52392, 49171, 49172, 156, 157, 47, 53], "cert_cache_fill": 0.0001, "load_or_obtain_if_necessary": true, "on_demand": false}
2025/07/22 13:54:38.528 DEBUG   http.stdlib     http: TLS handshake error from <MY_IP>:55493: no certificate available for '10.10.0.155'
2025/07/22 13:54:38.561 DEBUG   events  event   {"name": "tls_get_certificate", "id": "bcb0b351-001c-4f2c-a327-09e18c7c51e7", "origin": "tls", "data": {"client_hello":{"CipherSuites":[10794,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"","SupportedCurves":[10794,4588,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[19018,772,771],"RemoteAddr":{"IP":"<MY_IP>","Port":55494,"Zone":""},"LocalAddr":{"IP":"10.10.0.155","Port":443,"Zone":""}}}}
2025/07/22 13:54:38.561 DEBUG   tls.handshake   no matching certificates and no custom selection logic  {"identifier": "10.10.0.155"}
2025/07/22 13:54:38.561 DEBUG   tls.handshake   no certificate matching TLS ClientHello {"remote_ip": "<MY_IP>", "remote_port": "55494", "server_name": "", "remote": "<MY_IP>:55494", "identifier": "10.10.0.155", "cipher_suites": [10794, 4865, 4866, 4867, 49195, 49199, 49196, 49200, 52393, 52392, 49171, 49172, 156, 157, 47, 53], "cert_cache_fill": 0.0001, "load_or_obtain_if_necessary": true, "on_demand": false}
2025/07/22 13:54:38.561 DEBUG   http.stdlib     http: TLS handshake error from <MY_IP>:55494: no certificate available for '10.10.0.155'

3. Caddy version:

8ba7eefd0767228c87004a3c8c13c5712b680ec4+modified (20 Jul 25 21:40 UTC)

4. How I installed and ran Caddy:

I built Caddy from source, following instructions in the GitHub repo.

a. System environment:

Debian 12 on ARM64.
Go version go1.24.5.

b. Command:

caddy run

c. Service/unit/compose file:

N/A

d. My complete Caddy config:

{
        email <MY-EMAIL>@gmail.com
        debug
}

https://167.234.234.130 {
        respond "hello world"

        tls {
                issuer acme {
                        dir https://acme-staging-v02.api.letsencrypt.org/directory
                        profile shortlived
                        disable_tlsalpn_challenge
                }
        }
}

The certificate is for

but the request came through the interface 10.10.0.155.

Yeah, 167.234.234.130 is my VPS’ external IP, and 10.10.0.155 would be the interface IP:

$ ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: enp0s6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq state UP group default qlen 1000
    link/ether 02:00:17:03:f4:93 brd ff:ff:ff:ff:ff:ff
    inet 10.10.0.155/24 metric 100 brd 10.10.0.255 scope global dynamic enp0s6
       valid_lft 58019sec preferred_lft 58019sec
    inet6 fe80::17ff:fe03:f493/64 scope link
       valid_lft forever preferred_lft forever

Is there a way to force Caddy to use the certificate for my external IP?

This is not a Caddy problem. For the use of the certificate of the IP address, the request has to come through the interface of that same IP address.

2 Likes
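
The mismatch discussed in this thread can be spotted directly in Caddy's debug log. The following is an added example, not part of the original posts or of Caddy's code: a Go log check that compares the certificate subjects Caddy cached with the identifiers it failed to find during handshakes. The sample lines are abridged from the log above; `Finding`, `Diagnose` and the kind labels are names made up for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
	"strings"
)

// Constructed sample: three lines abridged from the debug log in this thread.
const sampleLog = `2025/07/22 13:54:32.556 DEBUG   tls.cache       added certificate to cache      {"subjects": ["167.234.234.130"], "managed": true}
2025/07/22 13:54:38.528 DEBUG   tls.handshake   no certificate matching TLS ClientHello {"server_name": "", "identifier": "10.10.0.155", "on_demand": false}
2025/07/22 13:54:38.561 DEBUG   tls.handshake   no certificate matching TLS ClientHello {"server_name": "", "identifier": "10.10.0.155", "on_demand": false}`

// Finding summarises the failed handshakes for one looked-up identifier.
type Finding struct {
	Identifier string   // name or IP the server tried to find a certificate for
	Kind       string   // "private-local-addr", "other-local-addr" or "sni-mismatch"
	Count      int      // number of failed handshakes for this identifier
	Cached     []string // certificate subjects in the cache at the first miss
}

// logFields holds the JSON keys this check reads from a log line.
type logFields struct {
	Subjects   []string `json:"subjects"`
	ServerName string   `json:"server_name"`
	Identifier string   `json:"identifier"`
}

// classify explains a miss. With an empty server_name the log shows the
// identifier equal to the connection's local address; if that address is
// private, the public IP on the certificate is being translated upstream.
func classify(f logFields) string {
	if f.ServerName != "" {
		return "sni-mismatch"
	}
	ip, err := netip.ParseAddr(f.Identifier)
	if err == nil && (ip.IsPrivate() || ip.IsLoopback() || ip.IsLinkLocalUnicast()) {
		return "private-local-addr"
	}
	return "other-local-addr"
}

// Diagnose scans log text and returns one Finding per identifier that had
// no matching certificate, in order of first appearance.
func Diagnose(log string) []Finding {
	var cached []string
	var out []Finding
	index := map[string]int{}
	for _, line := range strings.Split(log, "\n") {
		brace := strings.Index(line, "{")
		if brace < 0 {
			continue // line carries no JSON fields
		}
		var f logFields
		if err := json.Unmarshal([]byte(line[brace:]), &f); err != nil {
			continue
		}
		switch msg := line[:brace]; {
		case strings.Contains(msg, "added certificate to cache"):
			cached = append(cached, f.Subjects...)
		case strings.Contains(msg, "no certificate matching TLS ClientHello"):
			if i, seen := index[f.Identifier]; seen {
				out[i].Count++
				continue
			}
			index[f.Identifier] = len(out)
			out = append(out, Finding{
				Identifier: f.Identifier,
				Kind:       classify(f),
				Count:      1,
				Cached:     append([]string(nil), cached...),
			})
		}
	}
	return out
}

func main() {
	for _, f := range Diagnose(sampleLog) {
		fmt.Printf("%d handshake(s) looked up %q (%s); cached subjects: %v\n",
			f.Count, f.Identifier, f.Kind, f.Cached)
	}
}
```
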
