Unable to complete DNS challenge - Cloudflare (was working fine before)

1. The problem I’m having:

Wildcard Certificate won’t renew with the DNS challenge. I think for whatever reason, Caddy keeps getting refused to insert a new TXT record on Cloudflare. This wasn’t the case before at all. But I’ve changed the token multiple times, with different permissions, still the record doesn’t appear. I’m at a loss to getting this working. HTTP and TLS-ALPN both work fine.

2. Error messages and/or full log output:

Jun 21 18:29:05 pve caddy[1123152]: {"level":"info","ts":1687368545.2503197,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"*.example.com","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
Jun 21 18:29:21 pve caddy[1123152]: {"level":"error","ts":1687368561.073843,"logger":"tls.renew","msg":"could not get certificate from issuer","identifier":"*.example.com","issuer":"acme.zerossl.com-v2-DV90","error":"[*.example.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of \"_acme-challenge.example.com\": NS lila.ns.cloudflare.com. returned REFUSED for _acme-challenge.example.com. (order=https://acme.zerossl.com/v2/DV90/order/yj8_U9z7P6wpiRbdsCw7Jg) (ca=https://acme.zerossl.com/v2/DV90)"}
Jun 21 18:29:21 pve caddy[1123152]: {"level":"error","ts":1687368561.0739055,"logger":"tls.renew","msg":"will retry","error":"[*.example.com] Renew: [*.example.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of \"_acme-challenge.example.com\": NS lila.ns.cloudflare.com. returned REFUSED for _acme-challenge.example.com. (order=https://acme.zerossl.com/v2/DV90/order/yj8_U9z7P6wpiRbdsCw7Jg) (ca=https://acme.zerossl.com/v2/DV90)","attempt":3,"retrying_in":120,"elapsed":274.917720649,"max_duration":2592000}

3. Caddy version:

v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=

4. How I installed and ran Caddy:

a. System environment:

Debian

b. Command:

systemctl start caddy

c. Service/unit/compose file:

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
Environment="CLOUDFLARE_AUTH_TOKEN=******"
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddy config:

{
	email me@example.com
}
mine.example.com {
	encode gzip zstd
	reverse_proxy 192.168.1.93
	rewrite /.well-known/carddav /remote.php/dav
	rewrite /.well-known/caldav /remote.php/dav

	reverse_proxy /.well-known/carddav 192.168.1.93/remote.php/dav
	reverse_proxy /.well-known/caldav 192.168.1.93/remote.php/dav
	reverse_proxy 192.168.1.93

	header {
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
	}
	tls {
		#dns cloudflare {env.CLOUDFLARE_AUTH_TOKEN}
		resolvers 1.1.1.1
	}
}

*.example.com {
	encode gzip zstd
	#tls /etc/caddy/certificate.pem /etc/caddy/key.pem
	tls {
		dns cloudflare {env.CLOUDFLARE_AUTH_TOKEN}
		resolvers 1.1.1.1
	}
	@i host i.example.com
	handle @i {
		reverse_proxy 192.168.1.153:40115
	}
	@authelia host authelia.example.com
	handle @authelia {
		reverse_proxy 192.168.1.237:9092
	}
	@radarr host radarr.example.com
	handle @radarr {
		reverse_proxy 192.168.1.229:7878
	}
	@sonarr host sonarr.example.com
	handle @sonarr {
		reverse_proxy 192.168.1.229:8989
	}
	# @mc host mc.example.com
	# the handle block is disabled together with its matcher; a handle that
	# references an undefined named matcher fails Caddyfile parsing
	# handle @mc {
	# 	reverse_proxy 192.168.1.196:8080
	# }
	@flood host flood.example.com
	handle @flood {
		reverse_proxy 192.168.1.229:3000
	}
	@nas host nas.example.com
	handle @nas {
		reverse_proxy localhost:8006 {
			transport http {
				tls_insecure_skip_verify
			}
		}
	}
	@portainer host portainer.example.com
	handle @portainer {
		reverse_proxy 192.168.1.153:9000
	}
	@archive host archive.example.com
	handle @archive {
		reverse_proxy 192.168.1.153:8001
	}
	@jellyfin host jellyfin.example.com
	handle @jellyfin {
		reverse_proxy 192.168.1.98:8096
	}
	@prowlarr host prowlarr.example.com
	handle @prowlarr {
		reverse_proxy 192.168.1.229:9696
	}
	@pa host pa.example.com
	handle @pa {
		reverse_proxy 192.168.1.153:8056
	}
	@oversee host oversee.example.com
	handle @oversee {
		reverse_proxy 192.168.1.153:5055
	}
	@plex host plex.example.com
	handle @plex {
		reverse_proxy 192.168.1.200:32400
	}
	@auth host auth.example.com
	handle @auth {
		reverse_proxy 192.168.1.90:8080
	}
	@tautulli host tautulli.example.com
	handle @tautulli {
		reverse_proxy 192.168.1.153:8181
	}
	@hass host hass.example.com
	handle @hass {
		reverse_proxy 192.168.1.142:8123
	}
	@paper host paper.example.com
	handle @paper {
		reverse_proxy 192.168.1.153:8300
	}
	@status host status.example.com
	handle @status {
		reverse_proxy 192.168.1.88:3001
	}
	@breeze host breeze.example.com
	handle @breeze {
		reverse_proxy 192.168.1.153:10416
	}
	handle {
		abort
	}
}


This doesn’t make sense; remove the second half of this, the first half is sufficient. You have a duplicate reverse_proxy (the first and last lines are the same), and your other two at the bottom are using invalid upstream addresses (you can’t have a path in an upstream address; it must be only a hostname+port).

That’s really strange.

You obfuscated your domain, so I can’t do anything to check further why this would be happening. Remember, domains are public information. Our forum rules ask that you don’t obfuscate information, it only makes it harder for us to help.

You can probably turn off propagation checks though, they usually aren’t necessary. You can add propagation_timeout -1 to your tls directive (see the tls (Caddyfile directive) page in the Caddy documentation).

Jul 03 21:39:56 pve caddy[79036]: {"level":"error","ts":1688416796.3280337,"logger":"http.acme_client","msg":"cleaning up solver","identifier":"*.itsshash.com","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.itsshash.com\" (usually OK if presenting also failed)"}
Jul 03 21:39:56 pve caddy[79036]: {"level":"error","ts":1688416796.4621115,"logger":"tls.renew","msg":"could not get certificate from issuer","identifier":"*.itsshash.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[*.itsshash.com] solving challenges: presenting for challenge: adding temporary record for zone \"itsshash.com.\": got error status: HTTP 403: [{Code:9109 Message:Invalid access token}] (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/20390728/9565902634) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
Jul 03 21:39:58 pve caddy[79036]: {"level":"info","ts":1688416798.9388182,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"*.itsshash.com","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
Jul 03 21:39:59 pve caddy[79036]: {"level":"error","ts":1688416799.689335,"logger":"http.acme_client","msg":"cleaning up solver","identifier":"*.itsshash.com","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.itsshash.com\" (usually OK if presenting also failed)"}
Jul 03 21:39:59 pve caddy[79036]: {"level":"error","ts":1688416799.7443368,"logger":"tls.renew","msg":"could not get certificate from issuer","identifier":"*.itsshash.com","issuer":"acme.zerossl.com-v2-DV90","error":"[*.itsshash.com] solving challenges: presenting for challenge: adding temporary record for zone \"itsshash.com.\": got error status: HTTP 403: [{Code:9109 Message:Invalid access token}] (order=https://acme.zerossl.com/v2/DV90/order/dl3mLHUee1BmbF-N96JLjA) (ca=https://acme.zerossl.com/v2/DV90)"}
Jul 03 21:39:59 pve caddy[79036]: {"level":"error","ts":1688416799.7443943,"logger":"tls.renew","msg":"will retry","error":"[*.itsshash.com] Renew: [*.itsshash.com] solving challenges: presenting for challenge: adding temporary record for zone \"itsshash.com.\": got error status: HTTP 403: [{Code:9109 Message:Invalid access token}] (order=https://acme.zerossl.com/v2/DV90/order/dl3mLHUee1BmbF-N96JLjA) (ca=https://acme.zerossl.com/v2/DV90)","attempt":3,"retrying_in":120,"elapsed":190.945561168,"max_duration":2592000}

This is what I’ve got.

I’ll try adding the propagation check.

This is implying that Caddy couldn’t authenticate with the Cloudflare API. Make sure your API token is correct. Review the docs in the libdns/cloudflare repository on GitHub (Cloudflare provider implementation for libdns) for instructions.
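The two replies above diagnose two different failures from the same symptom (a DNS-01 renewal that never completes): first an authoritative Cloudflare nameserver answering REFUSED during Caddy's propagation check, then Cloudflare's API rejecting the token with HTTP 403 / code 9109. The script below is an added example, not part of this thread and not Caddy's or libdns/cloudflare's own code. It parses Caddy's JSON log lines as journald prints them, classifies each DNS-01 error into one of those two cases, and attaches the remediation the replies give. The embedded log lines are constructed from the thread's own output with the domain replaced by example.com. `verify_cloudflare_token` calls Cloudflare's real `/user/tokens/verify` endpoint and is the only part that needs network access; everything else runs offline.

```python
"""Triage Caddy DNS-01 (Cloudflare) failures from JSON log lines.

Added example for this thread; not Caddy's or libdns/cloudflare's own code.
"""
import json
import re
import urllib.request
from typing import Optional

# Constructed sample input: journald prefix followed by Caddy's JSON, as in the
# thread, with the real domain replaced by example.com.
SAMPLE_LOG = r'''
Jun 21 18:29:21 pve caddy[1123152]: {"level":"error","ts":1687368561.073843,"logger":"tls.renew","msg":"could not get certificate from issuer","identifier":"*.example.com","issuer":"acme.zerossl.com-v2-DV90","error":"[*.example.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of \"_acme-challenge.example.com\": NS lila.ns.cloudflare.com. returned REFUSED for _acme-challenge.example.com. (order=https://acme.zerossl.com/v2/DV90/order/yj8_U9z7P6wpiRbdsCw7Jg) (ca=https://acme.zerossl.com/v2/DV90)"}
Jul 03 21:39:59 pve caddy[79036]: {"level":"error","ts":1688416799.7443368,"logger":"tls.renew","msg":"could not get certificate from issuer","identifier":"*.example.com","issuer":"acme.zerossl.com-v2-DV90","error":"[*.example.com] solving challenges: presenting for challenge: adding temporary record for zone \"example.com.\": got error status: HTTP 403: [{Code:9109 Message:Invalid access token}] (order=https://acme.zerossl.com/v2/DV90/order/dl3mLHUee1BmbF-N96JLjA) (ca=https://acme.zerossl.com/v2/DV90)"}
Jul 03 21:39:58 pve caddy[79036]: {"level":"info","ts":1688416798.9388182,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"*.example.com","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
'''

# "NS <server> returned REFUSED for <name>" comes from Caddy's propagation check.
REFUSED_RE = re.compile(r"NS (\S+) returned REFUSED for (\S+)")
# Cloudflare API errors are rendered by the provider as "HTTP 403: [{Code:9109 Message:...}]".
CF_ERR_RE = re.compile(r"HTTP (\d{3}): \[\{Code:(\d+) Message:([^}]*)\}\]")

# Remediation per category, taken from the replies in this thread.
ADVICE = {
    "propagation_refused": "the authoritative NS refused the query during Caddy's propagation "
                           "check; add 'propagation_timeout -1' to the tls block to skip the "
                           "check, or fix the resolver used for it",
    "invalid_token": "Cloudflare rejected the API token; regenerate it with DNS edit permission "
                     "on the zone (see the libdns/cloudflare README) and update the "
                     "CLOUDFLARE_AUTH_TOKEN value in the systemd unit",
    "cloudflare_api_error": "Cloudflare's API returned an error; check the code against its docs",
    "other": "unclassified DNS-01 error; inspect the full message",
}


def parse_line(line: str) -> Optional[dict]:
    """Strip the journald prefix and decode Caddy's JSON; None if not a JSON log line."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        return json.loads(line[start:])
    except json.JSONDecodeError:
        return None


def classify(entry: dict) -> Optional[tuple]:
    """Return (category, detail) for an error entry, or None for non-error entries."""
    if entry.get("level") != "error":
        return None
    err = entry.get("error", "")
    m = CF_ERR_RE.search(err)
    if m:
        status, code, message = m.groups()
        if status == "403" and code == "9109":
            return ("invalid_token", f"Cloudflare answered HTTP 403 code 9109: {message.strip()}")
        return ("cloudflare_api_error", f"HTTP {status} code {code}: {message.strip()}")
    m = REFUSED_RE.search(err)
    if m:
        ns, name = m.groups()
        return ("propagation_refused", f"{ns} answered REFUSED for {name}")
    return ("other", err[:120])


def triage(log_text: str) -> list:
    """Classify every error line in log_text; one result dict per error entry."""
    results = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict is None:
            continue
        category, detail = verdict
        results.append({
            "identifier": entry.get("identifier", "?"),
            "category": category,
            "detail": detail,
            "advice": ADVICE[category],
        })
    return results


def verify_cloudflare_token(token: str, timeout: float = 10.0) -> dict:
    """Ask Cloudflare whether an API token is valid (real endpoint; needs network).

    A usable token yields {"success": true, "result": {"status": "active", ...}}.
    An invalid token makes urlopen raise urllib.error.HTTPError; the Cloudflare
    error body is available via e.read() on that exception.
    """
    req = urllib.request.Request(
        "https://api.cloudflare.com/client/v4/user/tokens/verify",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"{r['identifier']}: {r['category']} ({r['detail']})\n  -> {r['advice']}")
```

To run it against a live host, feed it `journalctl -u caddy -o cat` output instead of SAMPLE_LOG; the REFUSED case and the 403 case look identical from the "will retry" line alone, so the classification is what tells you whether to adjust the tls block or rotate the token. Keep the token in the unit's Environment= line and read it from there when calling verify_cloudflare_token rather than typing it into a shell history.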

It worked thank you!!

