TLS challenge failed

1. The problem I’m having:

Caddy is running (according to systemctl status caddy) but my website is not loading. There is an error message about the tls certificate in the caddy logs. Running curl against my ip address and/or domain produces no output.

My VPN provider my domain name is pointing correctly to the nameservers etc
```
dig cabincrewforyou.com

;; ANSWER SECTION:
cabincrewforyou.com. 3584 IN A 94.130.26.101
```

I’m not sure if this is simply a tls issue or something on top of that.

2. Error messages and/or full log output:

journalctl -f -u caddy
Feb 14 20:49:46 ubuntu-2gb-nbg1-1 caddy[13366]: {"level":"info","ts":1707943786.2648246,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"cabincrewforyou.com"}
Feb 14 20:49:47 ubuntu-2gb-nbg1-1 caddy[13366]: {"level":"info","ts":1707943787.1578243,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"cabincrewforyou.com","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
Feb 14 20:49:57 ubuntu-2gb-nbg1-1 caddy[13366]: {"level":"error","ts":1707943797.879355,"logger":"http.acme_client","msg":"challenge failed","identifier":"cabincrewforyou.com","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"94.130.26.101: Fetching http://cabincrewforyou.com/.well-known/acme-challenge/9fBreOLBK2TeA5I6QNCyTJW00Jl3vkuXTvuVthFNsic: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]}}
Feb 14 20:49:57 ubuntu-2gb-nbg1-1 caddy[13366]: {"level":"error","ts":1707943797.8794103,"logger":"http.acme_client","msg":"validating authorization","identifier":"cabincrewforyou.com","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"94.130.26.101: Fetching http://cabincrewforyou.com/.well-known/acme-challenge/9fBreOLBK2TeA5I6QNCyTJW00Jl3vkuXTvuVthFNsic: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/136418433/14528647763","attempt":1,"max_attempts":3}
Feb 14 20:49:59 ubuntu-2gb-nbg1-1 caddy[13366]: {"level":"info","ts":1707943799.2601988,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"cabincrewforyou.com","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
Feb 14 20:50:09 ubuntu-2gb-nbg1-1 caddy[13366]: {"level":"error","ts":1707943809.9532871,"logger":"http.acme_client","msg":"challenge failed","identifier":"cabincrewforyou.com","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"94.130.26.101: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]}}
Feb 14 20:50:09 ubuntu-2gb-nbg1-1 caddy[13366]: {"level":"error","ts":1707943809.9533417,"logger":"http.acme_client","msg":"validating authorization","identifier":"cabincrewforyou.com","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"94.130.26.101: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/136418433/14528650713","attempt":2,"max_attempts":3}
Feb 14 20:50:09 ubuntu-2gb-nbg1-1 caddy[13366]: {"level":"error","ts":1707943809.953381,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"cabincrewforyou.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:connection - 94.130.26.101: Timeout during connect (likely firewall problem)"}
Feb 14 20:50:13 ubuntu-2gb-nbg1-1 caddy[13366]: {"level":"error","ts":1707943813.6351764,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"cabincrewforyou.com","issuer":"acme.zerossl.com-v2-DV90","error":"[cabincrewforyou.com] solving challenges: authz https://acme.zerossl.com/v2/DV90/authz/DB6QrlNfSFmd3YbWEtMVNg has unexpected status; order will fail: invalid (order=https://acme.zerossl.com/v2/DV90/order/jO3YlwYMw8Clh3o-laYNtA) (ca=https://acme.zerossl.com/v2/DV90)"}
Feb 14 20:50:13 ubuntu-2gb-nbg1-1 caddy[13366]: {"level":"error","ts":1707943813.6352618,"logger":"tls.obtain","msg":"will retry","error":"[cabincrewforyou.com] Obtain: [cabincrewforyou.com] solving challenges: authz https://acme.zerossl.com/v2/DV90/authz/DB6QrlNfSFmd3YbWEtMVNg has unexpected status; order will fail: invalid (order=https://acme.zerossl.com/v2/DV90/order/jO3YlwYMw8Clh3o-laYNtA) (ca=https://acme.zerossl.com/v2/DV90)","attempt":9,"retrying_in":1200,"elapsed":4139.908147831,"max_duration":2592000}

● caddy.service - Caddy
     Loaded: loaded (/etc/systemd/system/caddy.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2024-02-13 13:37:29 UTC; 1 day 7h ago
       Docs: https://caddyserver.com/docs/
    Process: 22546 ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force (code=exited, status=0/S>
   Main PID: 13366 (caddy)
      Tasks: 8 (limit: 2244)
     Memory: 10.8M
        CPU: 15.227s
     CGroup: /system.slice/caddy.service
             └─13366 /usr/bin/caddy run --environ --config /etc/caddy/Caddyfile

3. Caddy version:

v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=

4. How I installed and ran Caddy:

I followed the instructions for ubuntu on the caddy documentation page

a. System environment:

ubuntu

b. Command:

journalctl -f -u caddy

systemctl status caddy

I have also been running `curl cabincrewforyou.com` and there is no output

c. Service/unit/compose file:


d. My complete Caddy config:

{
  servers {
	metrics
  }
}
cabincrewforyou.com {
	# Set this path to your site's directory.
	root * /var/www/html

	# Enable the static file server.
	file_server

	# Another common task is to set up a reverse proxy:
	# reverse_proxy localhost:8080

	# Or serve a PHP site through php-fpm:
	# php_fastcgi localhost:9000
}

5. Links to relevant resources:

Your DNS A record should be the IP address of the machine running Caddy, not the IP address of your name servers.

I can’t connect to your server:

$ curl -v http://cabincrewforyou.com                                                                               
*   Trying 94.130.26.101:80...

Either DNS is wrong, or your firewall isn’t configured to allow traffic on ports 80 and 443.


Thank you for your response.
I ran ufw status and this was the output

ufw status
Status: active
To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                  
OpenSSH (v6)               ALLOW       Anywhere (v6)

So I then did ufw allow proto tcp from any to any port 80,443. Now this is the output

Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                  
80,443/tcp                 ALLOW       Anywhere                  
OpenSSH (v6)               ALLOW       Anywhere (v6)             
80,443/tcp (v6)            ALLOW       Anywhere (v6)  

Afterwards, I saw more tls errors when running systemctl status caddy so I ran journalctl -f -u caddy again, and it’s stating there’s likely a firewall problem. Does Caddy need a certain amount of time once I’ve added the new firewall rules? The documentation says Caddy is pretty much immediate in obtaining the certificates.

Feb 15 00:57:05 ubuntu-2gb-nbg1-1 caddy[13366]: {"level":"error","ts":1707958625.5874627,"logger":"http.acme_client","msg":"validating authorization","identifier":"cabincrewforyou.com","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"94.130.26.101: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/136418433/14532927083","attempt":2,"max_attempts":3}

Feb 15 00:57:05 ubuntu-2gb-nbg1-1 caddy[13366]: {"level":"error","ts":1707958625.5874915,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"cabincrewforyou.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:connection - 94.130.26.101: Timeout during connect (likely firewall problem)"}

Feb 15 00:57:35 ubuntu-2gb-nbg1-1 caddy[13366]: {"level":"warn","ts":1707958655.5936327,"logger":"http.acme_client","msg":"HTTP request failed; retrying","url":"https://acme.zerossl.com/v2/DV90/newNonce","error":"performing request: Head \"https://acme.zerossl.com/v2/DV90/newNonce\": context deadline exceeded (Client.Timeout exceeded while awaiting headers)"}

Feb 15 00:58:05 ubuntu-2gb-nbg1-1 caddy[13366]: {"level":"warn","ts":1707958685.986893,"logger":"http.acme_client","msg":"HTTP request failed; retrying","url":"https://acme.zerossl.com/v2/DV90/newOrder","error":"performing request: Post \"https://acme.zerossl.com/v2/DV90/newOrder\": http2: timeout awaiting response headers (Client.Timeout exceeded while awaiting headers)"}

Feb 15 00:58:36 ubuntu-2gb-nbg1-1 caddy[13366]: {"level":"warn","ts":1707958716.2433405,"logger":"http.acme_client","msg":"HTTP request failed; retrying","url":"https://acme.zerossl.com/v2/DV90/newOrder","error":"performing request: Post \"https://acme.zerossl.com/v2/DV90/newOrder\": http2: timeout awaiting response headers (Client.Timeout exceeded while awaiting headers)"}

Feb 15 00:59:35 ubuntu-2gb-nbg1-1 caddy[13366]: {"level":"warn","ts":1707958775.3163605,"logger":"http.acme_client","msg":"HTTP request failed; retrying","url":"https://acme.zerossl.com/v2/DV90/newOrder","error":"performing request: Post \"https://acme.zerossl.com/v2/DV90/newOrder\": context deadline exceeded (Client.Timeout exceeded while awaiting headers)"}

Feb 15 01:00:05 ubuntu-2gb-nbg1-1 caddy[13366]: {"level":"warn","ts":1707958805.573576,"logger":"http.acme_client","msg":"HTTP request failed; retrying","url":"https://acme.zerossl.com/v2/DV90/newOrder","error":"performing request: Post \"https://acme.zerossl.com/v2/DV90/newOrder\": http2: timeout awaiting response headers (Client.Timeout exceeded while awaiting headers)"}

Feb 15 01:00:35 ubuntu-2gb-nbg1-1 caddy[13366]: {"level":"warn","ts":1707958835.8314686,"logger":"http.acme_client","msg":"HTTP request failed; retrying","url":"https://acme.zerossl.com/v2/DV90/newOrder","error":"performing request: Post \"https://acme.zerossl.com/v2/DV90/newOrder\": http2: timeout awaiting response headers (Client.Timeout exceeded while awaiting headers)"}

Feb 15 01:00:35 ubuntu-2gb-nbg1-1 caddy[13366]: {"level":"error","ts":1707958835.8316276,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"cabincrewforyou.com","issuer":"acme.zerossl.com-v2-DV90","error":"[cabincrewforyou.com] creating new order: attempt 2: https://acme.zerossl.com/v2/DV90/newOrder: performing request: Post \"https://acme.zerossl.com/v2/DV90/newOrder\": http2: timeout awaiting response headers (Client.Timeout exceeded while awaiting headers) (ca=https://acme.zerossl.com/v2/DV90)"}

Feb 15 01:00:35 ubuntu-2gb-nbg1-1 caddy[13366]: {"level":"error","ts":1707958835.8316913,"logger":"tls.obtain","msg":"will retry","error":"[cabincrewforyou.com] Obtain: [cabincrewforyou.com] creating new order: attempt 2: https://acme.zerossl.com/v2/DV90/newOrder: performing request: Post \"https://acme.zerossl.com/v2/DV90/newOrder\": http2: timeout awaiting response headers (Client.Timeout exceeded while awaiting headers) (ca=https://acme.zerossl.com/v2/DV90)","attempt":18,"retrying_in":3600,"elapsed":19162.104577367,"max_duration":2592000}

I can reach your server over HTTP

$ curl -v http://cabincrewforyou.com                                                                               
*   Trying 94.130.26.101:80...
* Connected to cabincrewforyou.com (94.130.26.101) port 80 (#0)
> GET / HTTP/1.1
> Host: cabincrewforyou.com
> User-Agent: curl/7.81.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://cabincrewforyou.com/
< Server: Caddy
< Date: Thu, 15 Feb 2024 01:46:44 GMT
< Content-Length: 0
< 
* Closing connection 0

I’m not sure what’s going on at this point though, TLS issuance should have worked.

Try restarting Caddy if you didn’t already since adjusting the firewall, to have Caddy start issuance from the beginning again.
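Added example (not part of the thread and not Caddy's own code): a Python triage of journal lines like the ones posted above. It separates CA-side connect failures, which point at inbound TCP 80 (http-01) or 443 (tls-alpn-01), from the server's own timeouts reaching the CA API. The sample lines are constructed in the thread's log shape; `web1`, `example.com`, `acme.example` and `203.0.113.10` are placeholders.

```python
import json
import re
from collections import Counter
from urllib.parse import urlsplit

# journald prefix ("Feb 14 20:49:57 host caddy[pid]: ") followed by Caddy's JSON object.
LINE_RE = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\scaddy\[\d+\]:\s(\{.*)$")
# Port the CA connects to when validating each challenge type.
CHALLENGE_PORT = {"http-01": 80, "tls-alpn-01": 443}

# Constructed sample input (placeholder host, domain, CA and IP), including a
# non-Caddy line and a truncated line like those that appear in pasted logs.
SAMPLE_LOG = r"""
Feb 14 20:49:57 web1 caddy[100]: {"level":"error","logger":"http.acme_client","msg":"challenge failed","identifier":"example.com","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:connection","detail":"203.0.113.10: Timeout during connect (likely firewall problem)"}}
Feb 14 20:49:57 web1 caddy[100]: {"level":"error","logger":"http.acme_client","msg":"validating authorization","identifier":"example.com","problem":{"type":"urn:ietf:params:acme:error:connection","detail":"203.0.113.10: Timeout during connect (likely firewall problem)"},"attempt":1,"max_attempts":3}
Feb 14 20:50:09 web1 caddy[100]: {"level":"error","logger":"http.acme_client","msg":"challenge failed","identifier":"example.com","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:connection","detail":"203.0.113.10: Timeout during connect (likely firewall problem)"}}
Feb 15 00:57:35 web1 caddy[100]: {"level":"warn","logger":"http.acme_client","msg":"HTTP request failed; retrying","url":"https://acme.example/v2/newNonce","error":"performing request: Head \"https://acme.example/v2/newNonce\": context deadline exceeded (Client.Timeout exceeded while awaiting headers)"}
Feb 15 00:58:05 web1 caddy[100]: {"level":"warn","logger":"http.acme_client","msg":"HTTP request failed; retrying","url":"https://acme.example/v2/newOrder","error":"performing request: Post \"https://acme.example/v2/newOrder\": http2: timeout awaiting response headers (Client.Timeout exceeded while awaiting headers)"}
Feb 15 12:16:38 web1 systemd[1]: Started Caddy.
Feb 15 12:16:39 web1 caddy[100]: {"level":"error","logger":"tls.obtain","msg":"will retry","attempt":9,"retrying_in
"""


def triage(text):
    """Count inbound challenge failures per port and outbound CA timeouts per host."""
    inbound, outbound, skipped = Counter(), Counter(), 0
    for line in text.splitlines():
        if not line.strip():
            continue
        match = LINE_RE.match(line)
        if not match:
            skipped += 1          # not a Caddy journal line
            continue
        try:
            entry = json.loads(match.group(1))
        except json.JSONDecodeError:
            skipped += 1          # truncated or damaged JSON
            continue
        if entry.get("logger") != "http.acme_client":
            continue
        msg = entry.get("msg")
        if msg == "challenge failed":
            # "validating authorization" repeats the same problem, so only
            # this message is counted to avoid double counting.
            problem = entry.get("problem", {})
            port = CHALLENGE_PORT.get(entry.get("challenge_type"))
            if port and problem.get("type", "").endswith(":error:connection"):
                inbound[port] += 1
        elif msg == "HTTP request failed; retrying":
            err = entry.get("error", "")
            if "Client.Timeout" in err or "context deadline exceeded" in err:
                host = urlsplit(entry.get("url", "")).hostname or "unknown"
                outbound[host] += 1
    return {"inbound_blocked": dict(inbound),
            "outbound_timeouts": dict(outbound),
            "skipped": skipped}


def summarize(result):
    """Turn the counters into one finding per port or CA host."""
    notes = []
    for port in sorted(result["inbound_blocked"]):
        notes.append(f"CA could not connect to inbound TCP {port}: "
                     "check host and provider firewalls")
    for host, count in sorted(result["outbound_timeouts"].items()):
        notes.append(f"{count} outbound request(s) to {host} timed out: "
                     "check egress rules and DNS")
    return notes


if __name__ == "__main__":
    for note in summarize(triage(SAMPLE_LOG)):
        print(note)
```
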

Thank you for your response.

I’m able to access my homepage in the browser but I’m getting a 403 error when I click the links to the blog pages. This is one of the links https://cabincrewforyou.com/posts/she-stoops-to-conquer-orange-tree/.

I checked the permissions on the folders

```
drwxr--r--  4 root root 4096 Feb 14 14:48 .
drwxr-xr-x 10 root root 4096 Feb 14 14:48 ..
-rwxr--r--  1 root root 3530 Feb 14 14:48 index.html
-rwxr--r--  1 root root 2107 Feb 14 14:48 index.xml
drwxr--r--  2 root root 4096 Feb 14 14:48 master-plan-michael-healey
drwxr--r--  2 root root 4096 Feb 14 14:48 she-stoops-to-conquer-orange-tree
```

I also added debug to the top of the Caddyfile. It doesn’t say anything about 403 errors

journalctl -f -u caddy
Feb 15 12:16:38 ubuntu-2gb-nbg1-1 caddy[25884]: {"level":"info","ts":1707999398.544072,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
Feb 15 12:16:38 ubuntu-2gb-nbg1-1 caddy[25884]: {"level":"info","ts":1707999398.5442758,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
Feb 15 12:16:38 ubuntu-2gb-nbg1-1 caddy[25884]: {"level":"info","ts":1707999398.5443804,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
Feb 15 12:16:38 ubuntu-2gb-nbg1-1 caddy[25884]: {"level":"info","ts":1707999398.5443912,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["cabincrewforyou.com"]}
Feb 15 12:16:38 ubuntu-2gb-nbg1-1 caddy[25884]: {"level":"info","ts":1707999398.545386,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00020c700"}
Feb 15 12:16:38 ubuntu-2gb-nbg1-1 caddy[25884]: {"level":"info","ts":1707999398.547091,"msg":"autosaved config (load with --resume flag)","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Feb 15 12:16:38 ubuntu-2gb-nbg1-1 caddy[25884]: {"level":"info","ts":1707999398.547433,"msg":"serving initial configuration"}
Feb 15 12:16:38 ubuntu-2gb-nbg1-1 systemd[1]: Started Caddy.
Feb 15 12:16:38 ubuntu-2gb-nbg1-1 caddy[25884]: {"level":"warn","ts":1707999398.547265,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/var/lib/caddy/.local/share/caddy","instance":"6448175f-97ed-4722-a131-e48e26ee3a7e","try_again":1708085798.547263,"try_again_in":86399.999999439}
Feb 15 12:16:38 ubuntu-2gb-nbg1-1 caddy[25884]: {"level":"info","ts":1707999398.5485313,"logger":"tls","msg":"finis

Do you know of anything I can try? The search box in the Caddy documentation doesn’t have any info about 403 errors.

Are you sure that’s all you have in your logs? That’s just Caddy’s startup logs. Scroll to the bottom.

Our recommended command to read your logs is here: Keep Caddy Running — Caddy Documentation

These are my logs running journalctl -u caddy --no-pager | less +G

Feb 15 12:16:38 ubuntu-2gb-nbg1-1 caddy[25884]: {"level":"info","ts":1707999398.5434573,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
Feb 15 12:16:38 ubuntu-2gb-nbg1-1 caddy[25884]: {"level":"info","ts":1707999398.543481,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
Feb 15 12:16:38 ubuntu-2gb-nbg1-1 caddy[25884]: {"level":"info","ts":1707999398.544072,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
Feb 15 12:16:38 ubuntu-2gb-nbg1-1 caddy[25884]: {"level":"info","ts":1707999398.5442758,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
Feb 15 12:16:38 ubuntu-2gb-nbg1-1 caddy[25884]: {"level":"info","ts":1707999398.5443804,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
Feb 15 12:16:38 ubuntu-2gb-nbg1-1 caddy[25884]: {"level":"info","ts":1707999398.5443912,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["cabincrewforyou.com"]}
Feb 15 12:16:38 ubuntu-2gb-nbg1-1 caddy[25884]: {"level":"info","ts":1707999398.545386,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00020c700"}
Feb 15 12:16:38 ubuntu-2gb-nbg1-1 caddy[25884]: {"level":"info","ts":1707999398.547091,"msg":"autosaved config (load with --resume flag)","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Feb 15 12:16:38 ubuntu-2gb-nbg1-1 caddy[25884]: {"level":"info","ts":1707999398.547433,"msg":"serving initial configuration"}
Feb 15 12:16:38 ubuntu-2gb-nbg1-1 systemd[1]: Started Caddy.
Feb 15 12:16:38 ubuntu-2gb-nbg1-1 caddy[25884]: {"level":"warn","ts":1707999398.547265,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/var/lib/caddy/.local/share/caddy","instance":"6448175f-97ed-4722-a131-e48e26ee3a7e","try_again":1708085798.547263,"try_again_in":86399.999999439}
Feb 15 12:16:38 ubuntu-2gb-nbg1-1 caddy[25884]: {"level":"info","ts":1707999398.5485313,"logger":"tls","msg":"finished cleaning storage units"}
Feb 15 12:57:00 ubuntu-2gb-nbg1-1 caddy[25884]: {"level":"info","ts":1708001820.6277292,"logger":"admin.api","msg":"received request","method":"GET","host":"localhost:2019","uri":"/debug/vars","remote_ip":"127.0.0.1","remote_port":"37942","headers":{"Accept":["*/*"],"User-Agent":["curl/7.81.0"]}}

There’s no debug logs there. I don’t think you actually enabled the debug global option.

Thank you for responding.

This is what it says in my Caddyfile. From my understanding, this should enable debug.

{
  debug

  servers {
        metrics
  }
}
cabincrewforyou.com {
        # Set this path to your site's directory.
        root * /var/www/html

        # Enable the static file server.
        file_server

        # Another common task is to set up a reverse proxy:
        # reverse_proxy localhost:8080

        # Or serve a PHP site through php-fpm:
        # php_fastcgi localhost:9000
}



That should be right. But clearly there’s no debug logs :thinking: did you reload Caddy afterwards?

Loading your site, it looks like /css/style.css isn’t loading. Are you sure that file is readable by the caddy user?

You could change ownership of all the files/folders in /var/www/html to caddy:caddy or caddy:www-data.

Thank you for responding.

You wrote

> You could change ownership of all the files/folders in /var/www/html to caddy:caddy or caddy:www-data.

I’m not sure exactly how to do this, or what permissions were set for caddy when I installed for ubuntu via the instructions on the caddy website.

However, I found some instructions on Digital Ocean for setting caddy permissions. Due to my previous experience with DO, I’m a little afraid some of them might be wrong and/or out of date.

This is how I installed Caddy

sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy

So it’s hard for me to know which of the following commands from the DO tutorial I might need to run. Will running any of these help me with your suggestions?

sudo groupadd --system caddy
sudo useradd --system \
    --gid caddy \
    --create-home \
    --home-dir /var/lib/caddy \
    --shell /usr/sbin/nologin \
    --comment "Caddy web server" \
    caddy

sudo chown root:root /usr/bin/caddy

sudo chmod 755 /usr/bin/caddy

sudo chown -R root:caddy /etc/caddy

sudo mkdir /etc/ssl/caddy
sudo chown -R root:caddy /etc/ssl/caddy

sudo chmod 0770 /etc/ssl/caddy

sudo chown caddy:caddy /var/www

These are the debug logs

le_server","msg":"sanitized path join","site_root":"/var/www/html","request_path":"/posts/master-plan-michael-healey/","result":"/var/www/html/posts/master-plan-michael-healey"}
Feb 15 18:05:29 ubuntu-2gb-nbg1-1 caddy[25884]: {"level":"debug","ts":1708020329.0764225,"logger":"http.log.error","msg":"stat /var/www/html/posts/master-plan-michael-healey: permission denied","request":{"remote_ip":"99.241.105.99","remote_port":"64600","client_ip":"99.241.105.99","proto":"HTTP/2.0","method":"GET","host":"cabincrewforyou.com","uri":"/posts/master-plan-michael-healey/","headers":{"Sec-Fetch-Mode":["navigate"],"Referer":["https://cabincrewforyou.com/"],"Accept-Language":["en-US,en;q=0.9"],"Cookie":[],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Fetch-Site":["same-origin"],"Sec-Ch-Ua-Platform":["\"macOS\""],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"],"Sec-Fetch-User":["?1"],"Sec-Ch-Ua":["\".Not/A)Brand\";v=\"99\", \"Google Chrome\";v=\"103\", \"Chromium\";v=\"103\""],"Upgrade-Insecure-Requests":["1"],"Accept-Encoding":["gzip, deflate, br"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"],"Sec-Fetch-Dest":["document"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"cabincrewforyou.com"}},"duration":0.000180808,"status":403,"err_id":"x2gjzzn4v","err_trace":"fileserver.(*FileServer).ServeHTTP (staticfiles.go:282)"}
Feb 15 18:05:30 ubuntu-2gb-nbg1-1 caddy[25884]: {"level":"debug","ts":1708020330.7120636,"logger":"http.handlers.file_server","msg":"sanitized path join","site_root":"/var/www/html","request_path":"/images/favicon.ico","result":"/var/www/html/images/favicon.ico"}
Feb 15 18:05:30 ubuntu-2gb-nbg1-1 caddy[25884]: {"level":"debug","ts":1708020330.7121742,"logger":"http.log.error","msg":"stat /var/www/html/images/favicon.ico: permission denied","request":{"remote_ip":"99.241.105.99","remote_port":"64600","client_ip":"99.241.105.99","proto":"HTTP/2.0","method":"GET","host":"cabincrewforyou.com","uri":"/images/favicon.ico","headers":{"Sec-Fetch-Mode":["no-cors"],"Sec-Fetch-Dest":["image"],"Referer":["https://cabincrewforyou.com/"],"Accept-Encoding":["gzip, deflate, br"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"],"Accept":["image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8"],"Sec-Ch-Ua-Platform":["\"macOS\""],"Sec-Fetch-Site":["same-origin"],"Accept-Language":["en-US,en;q=0.9"],"Cookie":[],"Sec-Ch-Ua":["\".Not/A)Brand\";v=\"99\", \"Google Chrome\";v=\"103\", \"Chromium\";v=\"103\""],"Sec-Ch-Ua-Mobile":["?0"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"cabincrewforyou.com"}},"duration":0.000142627,"status":403,"err_id":"dvv0zv4se","err_trace":"fileserver.(*FileServer).ServeHTTP (staticfiles.go:282)"}

Okay, yep that confirms the problem is file permissions.

Yeah don’t do any of those things from the guide. It’s all wrong. Always follow our docs.

When you installed Caddy using our package, it already created the caddy user, the /usr/bin/caddy binary (program) etc.

This is close – you can run this to change ownership of all the files in /var/www/html:

sudo chown -R caddy:caddy /var/www/html

The -R means recursive, so it updates all files and folders within to be user “caddy” and group “caddy” (user:group is the syntax).
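Added example (not part of the thread and not from the Caddy docs): a Python audit that walks a site root and reports which paths a given account cannot use, judged from the mode bits alone. The listing earlier in the thread shows directories as `drwxr--r-- root root`, so any non-root account falls in the "other" class and has read but not search (x) permission, which is what makes `stat` on anything inside fail. The tree built here is a constructed stand-in with those modes, and the function names are hypothetical.

```python
import os
import pwd
import tempfile


def ids_for(username):
    """uid and group ids of a local account, e.g. ids_for("caddy")."""
    pw = pwd.getpwnam(username)
    return pw.pw_uid, set(os.getgrouplist(username, pw.pw_gid))


def class_bits(st, uid, gids):
    """rwx triplet (0-7) that applies to uid/gids under classic Unix mode bits.

    Models owner/group/other only: no ACLs and no root or capability bypass.
    """
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def audit_docroot(root, uid, gids):
    """Return (path, problem) pairs for paths the account cannot serve.

    Directories need the search bit (x) so entries inside can be stat'ed;
    files need the read bit (r). Parents of `root` are not checked here.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if not class_bits(os.stat(dirpath), uid, gids) & 1:
            findings.append((dirpath, "directory lacks search (x) bit"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not class_bits(os.stat(path), uid, gids) & 4:
                findings.append((path, "file lacks read (r) bit"))
    return findings


def build_demo_tree(base):
    """Constructed tree using the rwxr--r-- modes seen in the thread's listing."""
    root = os.path.join(base, "html")
    post = os.path.join(root, "posts", "example-post")
    os.makedirs(post)
    paths = [root, os.path.join(root, "posts"), post]
    for directory in (root, post):
        page = os.path.join(directory, "index.html")
        with open(page, "w") as fh:
            fh.write("<h1>demo</h1>\n")
        paths.append(page)
    for path in paths:
        os.chmod(path, 0o744)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        root = build_demo_tree(base)
        owner = os.stat(root).st_uid
        # An account that is neither owner nor in the group: the position the
        # web server account is in while the files belong to someone else.
        for path, problem in audit_docroot(root, owner + 1, set()):
            print(f"{os.path.relpath(path, root)}: {problem}")
        # The owning account: the position it is in after a recursive chown.
        print("as owner:", audit_docroot(root, owner, set()))
```

On a real host the same check would be `audit_docroot("/var/www/html", *ids_for("caddy"))`.
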

Thank you for your patience.

This is just for conversation, but why doesn’t everybody run into this problem who follows the recommended install for Caddy on Ubuntu? Or do you assume that people who install Caddy know to do this

sudo chown -R caddy:caddy /var/www/html

I didn’t see any instructions on your website about that.

Anyways, thank you again.

It says this here:

> You can place your static site files in either /var/www/html or /srv. Make sure the caddy user has permission to read the files.

We can’t explain “how to use your computer” in the docs, that’s not a reasonable expectation. There must be a base assumption that the user understands the basics of Linux. There’s lots of resources online to teach you those things. We need the docs to focus on Caddy specifically.
