So I’ve had Caddy working well for the last few months with zero issues. Out of nowhere today I started getting TLS handshake issues and certificate timeouts.
After 1.0 Upgrade:
2019/04/25 18:31:30 [INFO] Certificate for [ftp.alexsguardian.net] expires in 644h43m46.60933353s; attempting renewal
2019/04/25 18:31:30 [INFO] [ftp.alexsguardian.net] acme: Trying renewal with 644 hours remaining
2019/04/25 18:31:30 [INFO] [ftp.alexsguardian.net] acme: Obtaining bundled SAN certificate
2019/04/25 18:31:31 [INFO] [ftp.alexsguardian.net] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/awXE4dadEJyPyHCcJlv35FQ2lNdLtU8zW-p9orium3I
2019/04/25 18:31:31 [INFO] [ftp.alexsguardian.net] acme: use tls-alpn-01 solver
2019/04/25 18:31:31 [INFO] [ftp.alexsguardian.net] acme: Trying to solve TLS-ALPN-01
2019/04/25 18:31:32 [INFO] Unable to deactivated authorizations: https://acme-v02.api.letsencrypt.org/acme/authz/awXE4dadEJyPyHCcJlv35FQ2lNdLtU8zW-p9orium3I
2019/04/25 18:31:32 [ERROR] Renewing [ftp.alexsguardian.net]: acme: Error -> One or more domains had a problem:
[ftp.alexsguardian.net] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge, url:
; trying again in 10s
Before 1.0 Upgrade:
2019/04/25 18:12:55 [INFO] Certificate for [ftp.alexsguardian.net] expires in 645h2m21.92910889s; attempting renewal
2019/04/25 18:12:55 [INFO] [ftp.alexsguardian.net] acme: Trying renewal with 645 hours remaining
2019/04/25 18:12:55 [INFO] [ftp.alexsguardian.net] acme: Obtaining bundled SAN certificate
2019/04/25 18:12:55 [INFO] [ftp.alexsguardian.net] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/hKF1DaZ4guthsvbl9Mi3jD1i7320RVbXB4GzvHbawrU
2019/04/25 18:12:55 [INFO] [ftp.alexsguardian.net] acme: use tls-alpn-01 solver
2019/04/25 18:12:55 [INFO] [ftp.alexsguardian.net] acme: Trying to solve TLS-ALPN-01
2019/04/25 18:12:56 http: TLS handshake error from 162.158.79.253:50076: remote error: tls: illegal parameter
2019/04/25 18:12:56 http: TLS handshake error from 172.69.62.210:54590: remote error: tls: illegal parameter
2019/04/25 18:12:57 [INFO] Unable to deactivated authorizations: https://acme-v02.api.letsencrypt.org/acme/authz/hKF1DaZ4guthsvbl9Mi3jD1i7320RVbXB4GzvHbawrU
2019/04/25 18:12:57 [ERROR] Renewing [ftp.alexsguardian.net]: acme: Error -> One or more domains had a problem:
[ftp.alexsguardian.net] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge, url:
; trying again in 10s
My current setup (which hasn’t changed since I originally setup Caddy) is:
Cloudflare (Full (strict)) > Router (443) <443-444> Caddy in Docker.
I updated to Caddy 1.0 to see if it would fix it and now, apparently, I’ve hit the rate limit for LE and still seeing the unauthorized error. I have 8 subdomains + root domain.
This hit me out of no-where and not sure what happened.
Was able to recover my root domain and get caddy booted and responding to web requests again. Though all of my subdomains are still down due to rate limit.
Does the ALPN challenge not allow me to have Caddy behind Orange CF? If so thats quite annoying since the DNS challenge constantly fails because it doesn’t wait long enough for DNS to update.
TLS-ALPN challenge is solved during TLS negotiation with Caddy.
If you have Cloudflare MITMing your HTTPS (i.e. orange-cloud), LetsEncrypt can’t negotiate TLS with Caddy, it must negotiate with Cloudflare which then talks to your server on the client’s behalf.
You might try running Caddy with the -disable-tls-alpn-challenge flag, forcing Caddy (specifically, Caddy’s ACME library, acme-go/lego) to use the HTTP challenge instead. This should work despite the Cloudflare MITM.
At a guess - some script kiddie is running vuln scans against your web server for less-secure protocols. Might be trying to fingerprint Caddy. Probably not targeted - likely just random scans. I get bursts of these on some of my servers every now and again, from large groups of IPs so it’s difficult to pin them and rate limit them. It’s not too concerning - happens to everyone with a public IP address at some point or another.
So it looks like the Comcast node for my region is having massive latency isssues in their t3 routing. So that’s probably contributing to the caddy log with timeouts, etc as clients can’t keep the connection open.
2019/04/25 22:07:12 http: TLS handshake error from ip:38320: tls: no cipher suite supported by both client and server
It is also possible that you are recieving requests from older clients. In 0.11.5 caddy removed several cipher types from the default list that are used by older clients such as Safari on older Ipads etc. These clients are no longer able to connect to your website and will get an error that looks like your site is down.
Keep an eye on your logs, if you believe it is affecting a large number of your connections then add back in all the cipher suites in your tls directive in your caddyfile