The request message was malformed

1. The problem I’m having:

I have been using Caddy for a while with no problems. Today, my SSL certificates expired. I tried re-rolling the Cloudflare API key and nothing has changed. I have rebuilt the Docker image from my Dockerfile and restarted it, and it won’t renew the cert.

2. Error messages and/or full log output:

{"level":"info","ts":1709674738.1316001,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"info","ts":1709674738.1338828,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1709674738.1340492,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1709674738.1340594,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1709674738.134067,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000628200"}
{"level":"info","ts":1709674738.1342459,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1709674738.1342783,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"info","ts":1709674738.1343749,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
{"level":"info","ts":1709674738.1346753,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"info","ts":1709674738.1347637,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["mainsail.harding.trev.red"]}
{"level":"info","ts":1709674738.134997,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1709674738.1350753,"msg":"serving initial configuration"}
{"level":"info","ts":1709674738.1351802,"logger":"tls.obtain","msg":"acquiring lock","identifier":"mainsail.harding.trev.red"}
{"level":"warn","ts":1709674738.1378205,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/data/caddy","instance":"eba5aa8c-3934-4741-85e3-59c40c5b9989","try_again":1709761138.1378188,"try_again_in":86399.999999668}
{"level":"info","ts":1709674738.1378686,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1709674738.1410253,"logger":"tls.obtain","msg":"lock acquired","identifier":"mainsail.harding.trev.red"}
{"level":"info","ts":1709674738.1411471,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"mainsail.harding.trev.red"}
{"level":"info","ts":1709674738.141799,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["mainsail.harding.trev.red"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"caddy@zerossl.com"}
{"level":"info","ts":1709674738.1418078,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["mainsail.harding.trev.red"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"caddy@zerossl.com"}
{"level":"info","ts":1709674738.5166535,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"mainsail.harding.trev.red","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1709674738.8668828,"logger":"tls.issuance.acme.acme_client","msg":"cleaning up solver","identifier":"mainsail.harding.trev.red","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.mainsail.harding.trev.red\" (usually OK if presenting also failed)"}
{"level":"error","ts":1709674738.922455,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"mainsail.harding.trev.red","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[mainsail.harding.trev.red] solving challenges: presenting for challenge: adding temporary record for zone \"red.\": expected 1 zone, got 0 for red. (order=https://acme-v02.api.letsencrypt.org/acme/order/1185980397/249892542617) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
{"level":"info","ts":1709674738.9227188,"logger":"tls.issuance.zerossl","msg":"waiting on internal rate limiter","identifiers":["mainsail.harding.trev.red"],"ca":"https://acme.zerossl.com/v2/DV90","account":"caddy@zerossl.com"}
{"level":"info","ts":1709674738.9227426,"logger":"tls.issuance.zerossl","msg":"done waiting on internal rate limiter","identifiers":["mainsail.harding.trev.red"],"ca":"https://acme.zerossl.com/v2/DV90","account":"caddy@zerossl.com"}
{"level":"error","ts":1709674739.3735948,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"mainsail.harding.trev.red","issuer":"acme.zerossl.com-v2-DV90","error":"[mainsail.harding.trev.red] solving challenges: authz https://acme.zerossl.com/v2/DV90/authz/vDHOK90XL-VivFTNmSYgHQ has unexpected status; order will fail: invalid (order=https://acme.zerossl.com/v2/DV90/order/oDnyJC-oxaMakTApDwSVIQ) (ca=https://acme.zerossl.com/v2/DV90)"}
{"level":"error","ts":1709674739.3736284,"logger":"tls.obtain","msg":"will retry","error":"[mainsail.harding.trev.red] Obtain: [mainsail.harding.trev.red] solving challenges: authz https://acme.zerossl.com/v2/DV90/authz/vDHOK90XL-VivFTNmSYgHQ has unexpected status; order will fail: invalid (order=https://acme.zerossl.com/v2/DV90/order/oDnyJC-oxaMakTApDwSVIQ) (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":1.232591811,"max_duration":2592000}

3. Caddy version:

4. How I installed and ran Caddy:

a. System environment:

OS: Proxmox VE 7.4-17 x86_64
Host: 10MUS35500 ThinkCentre M910q
Kernel: 5.15.131-1-pve
Docker version 24.0.7, build afdd53b
Docker Compose version v2.21.0

b. Command:

docker compose up --force-recreate --build -d

c. Service/unit/compose file:

Dockerfile

FROM caddy:2.7-builder AS builder

RUN xcaddy build --with github.com/caddy-dns/cloudflare@latest

FROM caddy:2.7

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

compose.yaml

---
version: "3"
services:
  caddy:
    build:
      context: .
      dockerfile: Dockerfile
    container_name: caddy
    restart: always
    ports:
      - 80:80
      - 443:443
      - 2019:2019
    volumes:
      - ./config:/config
      - ./data:/data
      - ./logs/:/logs/
      - ./Caddyfile:/etc/caddy/Caddyfile
      - ./sites/:/etc/caddy/sites/
    networks:
      - web

networks:
  web:
    external: true

d. My complete Caddy config:

mainsail.harding.trev.red {
        tls {
                dns cloudflare CLOUDFLARE-API-KEY
        }
        respond "go away!"
}

5. Links to relevant resources:

It might be important to add that this is a local domain. I never wanted this domain exposed to the internet. But, it’s worked that way before…

Hey @Trevo525,

Does this happen if you add resolvers 1.1.1.1 to your tls config for this site?

Can you clarify what you mean by this? I assume it’s a valid domain, but you’re just not hosting any publicly-accessible DNS records - internal DNS only?

1 Like
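As an added illustration (not code from this thread, from Caddy or from its DNS modules), this Go program walks the name upward one label at a time until it finds records for a zone apex, which is the general shape of the zone discovery behind the `expected 1 zone, got 0 for red.` error in the log: a resolver that knows nothing about `trev.red` lets the walk run up to the bare TLD. `PublicNSLookup`, which sends the queries to a chosen resolver such as 1.1.1.1 like the `resolvers` suggestion above, is an assumption for the stand-alone run; the real solvers usually query SOA rather than NS.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"strings"
	"time"
)

// NSLookup returns the NS records for a name, or an error when the resolver
// has none (NXDOMAIN or an empty answer).
type NSLookup func(fqdn string) ([]*net.NS, error)

// FindZone walks the name upward one label at a time and returns the first
// ancestor that has NS records: the zone apex a DNS-01 solver hands to the
// DNS provider API. (Real solvers usually query SOA; NS gives the same walk
// with only the standard library.) A resolver that knows nothing about
// trev.red lets the walk run up to the TLD "red.", which is what the
// "expected 1 zone, got 0 for red." error in the log shows.
func FindZone(name string, lookup NSLookup) (string, error) {
	labels := strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".")
	for i := range labels {
		candidate := strings.Join(labels[i:], ".") + "."
		if ns, err := lookup(candidate); err == nil && len(ns) > 0 {
			return candidate, nil
		}
	}
	return "", errors.New("no zone with NS records found for " + name)
}

// PublicNSLookup (assumed helper) sends every query to one chosen resolver,
// e.g. 1.1.1.1:53, instead of the container's default /etc/resolv.conf.
func PublicNSLookup(resolverAddr string) NSLookup {
	r := &net.Resolver{
		PreferGo: true,
		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
			d := net.Dialer{Timeout: 3 * time.Second}
			return d.DialContext(ctx, network, resolverAddr)
		},
	}
	return func(fqdn string) ([]*net.NS, error) {
		return r.LookupNS(context.Background(), fqdn)
	}
}

func main() {
	zone, err := FindZone("mainsail.harding.trev.red", PublicNSLookup("1.1.1.1:53"))
	fmt.Println("zone:", zone, "err:", err)
}
```

Swapping `PublicNSLookup("1.1.1.1:53")` for the container's default resolver shows whether the split-horizon DNS, rather than the Cloudflare token, is what stops the walk at the wrong apex.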

I added resolvers 1.1.1.1 and didn’t notice any difference.

Yes, I mean it’s internal DNS only. trev.red points to my IP address. I had the domain trev.red pointing to my IP, but the rest were all resolved locally.

I think I have it fixed now. The IP address on Cloudflare was wrong. I thought I had set up DDNS so my IP address would update if it changed, but when I was just checking, it hadn’t updated in a while…

2 Likes
