1. Caddy version (`caddy version`):

```
# docker-compose exec caddy caddy version
v2.3.0 h1:fnrqJLa3G5vfxcxmOH/+kJOcunPLhSBnjgIvjXV/QTA=
```
2. How I run Caddy:

a. System environment:

OS: Ubuntu 18.04.5 LTS
Docker: 20.10.5

b. Command:

```
docker-compose up -d
```
c. Service/unit/compose file:

```yaml
version: "3.5"
services:
  caddy:
    build: ./build
    env_file:
      - caddy.env
    networks:
      - caddy
      - external
    ports:
      - 80:80
      - 443:443
    restart: always
    volumes:
      - config:/config
      - data:/data
volumes:
  config:
  data:
networks:
  # Network to hook backends into
  caddy:
    name: caddy
    internal: true
  # Used to allow external access (necessary for ACME)
  external:
```
d. My complete Caddyfile or JSON config:

```
{
	default_sni {$DEFAULT_SNI}
	email {$ACME_EMAIL}
	on_demand_tls {
		interval 7d
		burst 50
	}
}

ares.fallenwarrior.me {
	root * /usr/share/caddy
	file_server
}
```
3. The problem I'm having:

In trying to obtain a certificate for the listed host, Caddy logged several errors indicating a failed TLS-ALPN-01 challenge.
Not a problem in itself, as the site still works with HTTPS and everything, but error-level logs are in my opinion still worth investigating.
4. Error messages and/or full log output:

```
{"level":"info","ts":1615289462.5444105,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"ares.fallenwarrior.me","challenge_type":"tls-alpn-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1615289463.5418978,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"ares.fallenwarrior.me","challenge_type":"tls-alpn-01","status_code":400,"problem_type":"urn:ietf:params:acme:error:connection","error":"Connection refused"}
{"level":"error","ts":1615289463.5421784,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"ares.fallenwarrior.me","error":"authorization failed: HTTP 400 urn:ietf:params:acme:error:connection - Connection refused","order":"https://acme-v02.api.letsencrypt.org/acme/order/115121735/8346560287","attempt":1,"max_attempts":3}
```
5. What I already tried:

To check if it was an intermittent error, I tried doing the same thing against the LE staging API but got the same result.

6. Links to relevant resources:

As you can verify yourself if you navigate to https://ares.fallenwarrior.me, HTTPS does work (in the end by using the HTTP-01 challenge), so it's not like the traffic isn't getting through to Caddy.
Which is why I don't understand where the connection refused error happens.
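The post's log excerpt is the kind of thing worth watching continuously rather than only after an issuance fails. As an added example (not from the post or the Caddy project), here is a small Python summarizer that reads Caddy's JSON log, groups ACME challenge attempts per identifier and challenge type, and flags hosts for which no challenge type succeeded. The sample log embeds the three lines from the post plus a constructed `http-01` attempt and a constructed non-JSON line; the "trying to solve challenge" and "challenge failed" message strings are taken from the post, and treating an attempt without a matching failure as a success is an assumption of this script.

```python
import json
from collections import defaultdict

# Constructed sample: the first three lines are quoted from the post; the http-01
# line and the non-JSON line are made up to exercise the fallback and parser paths.
SAMPLE_LOG = """\
{"level":"info","ts":1615289462.5444105,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"ares.fallenwarrior.me","challenge_type":"tls-alpn-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1615289463.5418978,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"ares.fallenwarrior.me","challenge_type":"tls-alpn-01","status_code":400,"problem_type":"urn:ietf:params:acme:error:connection","error":"Connection refused"}
{"level":"error","ts":1615289463.5421784,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"ares.fallenwarrior.me","error":"authorization failed: HTTP 400 urn:ietf:params:acme:error:connection - Connection refused","order":"https://acme-v02.api.letsencrypt.org/acme/order/115121735/8346560287","attempt":1,"max_attempts":3}
{"level":"info","ts":1615289464.0,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"ares.fallenwarrior.me","challenge_type":"http-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
this line is not JSON and must be skipped
"""

ACME_CLIENT_LOGGER = "tls.issuance.acme.acme_client"


def parse_acme_events(log_text):
    """Yield ACME-client events from Caddy's JSON log, skipping lines that are not JSON."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # mixed console output, stack traces, etc.
        if event.get("logger") == ACME_CLIENT_LOGGER:
            yield event


def summarize_challenges(log_text):
    """Map (identifier, challenge_type) -> {"tried": n, "failures": [(problem_type, error), ...]}."""
    summary = defaultdict(lambda: {"tried": 0, "failures": []})
    for ev in parse_acme_events(log_text):
        msg = ev.get("msg")
        if msg not in ("trying to solve challenge", "challenge failed"):
            continue  # e.g. "validating authorization" carries no challenge_type
        entry = summary[(ev.get("identifier"), ev.get("challenge_type"))]
        if msg == "trying to solve challenge":
            entry["tried"] += 1
        else:
            entry["failures"].append((ev.get("problem_type"), ev.get("error")))
    return dict(summary)


def unresolved_identifiers(log_text):
    """Identifiers with at least one attempt but no challenge type that outlasted its failures.

    Assumption: an attempt with no matching "challenge failed" event counts as a success."""
    succeeded, seen = set(), set()
    for (ident, _ctype), entry in summarize_challenges(log_text).items():
        seen.add(ident)
        if entry["tried"] > len(entry["failures"]):
            succeeded.add(ident)
    return sorted(seen - succeeded)
```

Feed it `docker-compose logs caddy` output (or the container's log file) and alert on a non-empty `unresolved_identifiers()` result; the per-type failures tell you which validation path (TLS-ALPN-01 on 443 vs HTTP-01 on 80) the CA could not reach.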