Unable to get certificates with DuckDNS - Docker Compose

1. The problem I’m having:

Attempting to set up Vaultwarden using Docker Compose. DuckDNS is unable to get certificates to allow me to access Vaultwarden only on local network over HTTPS using DNS challenge.

2. Error messages and/or full log output:

{"level":"info","ts":1716612539.1572597,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"4rknm.duckdns.org"}
{"level":"info","ts":1716612539.2637055,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"4rknm.duckdns.org","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1716612542.95581,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"4rknm.duckdns.org","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[4rknm.duckdns.org] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of \"_acme-challenge.4rknm.duckdns.org\": read udp 172.20.0.3:54016->3.97.58.28:53: read: connection refused (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/149383864/16743200264) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
{"level":"info","ts":1716612545.063555,"logger":"tls.issuance.zerossl.acme_client","msg":"trying to solve challenge","identifier":"4rknm.duckdns.org","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"error","ts":1716612548.8130076,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"4rknm.duckdns.org","issuer":"acme.zerossl.com-v2-DV90","error":"[4rknm.duckdns.org] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of \"_acme-challenge.4rknm.duckdns.org\": read udp 172.20.0.3:43835->3.97.58.28:53: read: connection refused (order=https://acme.zerossl.com/v2/DV90/order/GLcFIiaPdTvHnoFPuyH_tQ) (ca=https://acme.zerossl.com/v2/DV90)"}
{"level":"error","ts":1716612548.8131003,"logger":"tls.obtain","msg":"will retry","error":"[4rknm.duckdns.org] Obtain: [4rknm.duckdns.org] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of \"_acme-challenge.4rknm.duckdns.org\": read udp 172.20.0.3:43835->3.97.58.28:53: read: connection refused (order=https://acme.zerossl.com/v2/DV90/order/GLcFIiaPdTvHnoFPuyH_tQ) (ca=https://acme.zerossl.com/v2/DV90)","attempt":4,"retrying_in":300,"elapsed":361.319402864,"max_duration":2592000}
{"level":"info","ts":1716612848.8136885,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"4rknm.duckdns.org"}
{"level":"info","ts":1716612849.0044034,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"4rknm.duckdns.org","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1716612852.8483026,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"4rknm.duckdns.org","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[4rknm.duckdns.org] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of \"_acme-challenge.4rknm.duckdns.org\": read udp 172.20.0.3:57162->3.97.58.28:53: read: connection refused (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/149383864/16743265204) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
{"level":"info","ts":1716612861.187242,"logger":"tls.issuance.zerossl.acme_client","msg":"trying to solve challenge","identifier":"4rknm.duckdns.org","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"error","ts":1716612886.881571,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"4rknm.duckdns.org","issuer":"acme.zerossl.com-v2-DV90","error":"[4rknm.duckdns.org] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of \"_acme-challenge.4rknm.duckdns.org\": dial tcp 3.97.58.28:53: i/o timeout (order=https://acme.zerossl.com/v2/DV90/order/-dTCwDBzCFrO_Y1J8FntOA) (ca=https://acme.zerossl.com/v2/DV90)"}
{"level":"error","ts":1716612886.8817215,"logger":"tls.obtain","msg":"will retry","error":"[4rknm.duckdns.org] Obtain: [4rknm.duckdns.org] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of \"_acme-challenge.4rknm.duckdns.org\": dial tcp 3.97.58.28:53: i/o timeout (order=https://acme.zerossl.com/v2/DV90/order/-dTCwDBzCFrO_Y1J8FntOA) (ca=https://acme.zerossl.com/v2/DV90)","attempt":5,"retrying_in":600,"elapsed":699.388022747,"max_duration":2592000}

3. Caddy version:

v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=

4. How I installed and ran Caddy:

Built Caddy with

xcaddy build --with github.com/caddy-dns/duckdns

Configured the compose.yaml file and Caddyfile per this guide and caddy.env from this guide.

a. System environment:

  • Arch Linux using Linux-LTS kernel, x86_64

  • Docker and Docker Compose

b. Command:

sudo docker compose up -d

c. Service/unit/compose file:

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      DOMAIN: "https://4rknm.duckdns.org"  # Your domain; vaultwarden needs to >
    volumes:
      - /srv/vaultwarden/vw-data:/data

  caddy:
    image: caddy:2
    container_name: caddy
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
      - 443:443/udp # Needed for HTTP/3.
    volumes:
      - /srv/caddy/caddy:/usr/bin/caddy  # Your custom build of Caddy.
      - /srv/caddy/Caddyfile:/etc/caddy/Caddyfile:ro
      - /srv/caddy/caddy-config:/config
      - /srv/caddy/caddy-data:/data
    environment:
      DOMAIN: "https://4rknm.duckdns.org"  # Your domain.
      EMAIL: "x@x.com"
      DUCKDNS_TOKEN: "x-x-x-x-x"                   #>
      LOG_FILE: "/data/access.log"

d. My complete Caddy config:

/srv/caddy/Caddyfile

{$DOMAIN}:443 {
  log {
    level INFO
    output file {$LOG_FILE} {
      roll_size 10MB
      roll_keep 10
    }
  }

  # Use the ACME DNS-01 challenge to get a cert for the configured do>
  tls {
    dns duckdns {$DUCKDNS_TOKEN}
  }

  # This setting may have compatibility issues with some browsers
  # (e.g., attachment downloading on Firefox). Try disabling this
  # if you encounter issues.
  encode zstd gzip

  # Proxy everything to Rocket
  reverse_proxy vaultwarden:80
}

/srv/caddy/caddy.env

DOMAIN=4rknm.duckdns.org
DUCKDNS_TOKEN=x-x-x-x-x

5. Links to relevant resources:

I changed my Caddyfile to the following:

{
    email x@x.com
}

{$DOMAIN}:443 {
  log {
    level INFO
    output file {$LOG_FILE} {
      roll_size 10MB
      roll_keep 10
    }
  }

  # Use the ACME DNS-01 challenge to get a cert for the configured do>
  tls {
    issuer acme {
      dns duckdns {$DUCKDNS_TOKEN}
      propagation_timeout -1
    }
    issuer zerossl {
      dns duckdns {$DUCKDNS_TOKEN}
      propagation_timeout -1
    }
  }

  # This setting may have compatibility issues with some browsers
  # (e.g., attachment downloading on Firefox). Try disabling this
  # if you encounter issues.
  encode zstd gzip

  # Proxy everything to Rocket
  reverse_proxy vaultwarden:80
}

Any idea why it would suddenly issue a certificate and allow me to access Vaultwarden?

This is saying that Caddy wasn’t able to make DNS queries to check that your domain’s TXT records were updated; it seems like however your DNS resolvers are configured on your system causes it to break in some way.

Setting this turns off those propagation checks, i.e. Caddy no longer double-checks “did I successfully write the TXT records?” and just moves on in telling the ACME issuer “yep it should be good, go ahead” and it succeeds. Propagation checks are optional (not necessary, just a “sanity check”) so it’s fine to disable it.

I recommend when you upgrade to v2.8.0 that you turn off propagation checks and keep an eye on your logs. I think we may have fixed some of the issues, which may resolve the problem for you, but I’m not certain. It would be great if you could follow up on that later!

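The reply above makes the key point: the errors come from Caddy's own DNS propagation check failing to reach a resolver from inside the container, not from the CA rejecting the order. As an added example (not code from the post, from Caddy, or from the DuckDNS plugin), the Python script below parses Caddy's JSON-lines log, keeps only the tls.obtain errors, and for each one extracts the challenge record being checked, the resolver IP the query went to, and the failure cause, so you can tell a resolver problem apart from an issuer problem at a glance. The sample input is four lines copied from the log excerpt in the post; the regexes, function names and the verdict wording are my own.

```python
import json
import re
from collections import Counter

# Sample input: four lines copied from the Caddy log excerpt in the post above
# (one info line and three tls.obtain errors from two different issuers).
SAMPLE_LOG = r'''
{"level":"info","ts":1716612539.1572597,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"4rknm.duckdns.org"}
{"level":"error","ts":1716612542.95581,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"4rknm.duckdns.org","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[4rknm.duckdns.org] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of \"_acme-challenge.4rknm.duckdns.org\": read udp 172.20.0.3:54016->3.97.58.28:53: read: connection refused (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/149383864/16743200264) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
{"level":"error","ts":1716612886.881571,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"4rknm.duckdns.org","issuer":"acme.zerossl.com-v2-DV90","error":"[4rknm.duckdns.org] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of \"_acme-challenge.4rknm.duckdns.org\": dial tcp 3.97.58.28:53: i/o timeout (order=https://acme.zerossl.com/v2/DV90/order/-dTCwDBzCFrO_Y1J8FntOA) (ca=https://acme.zerossl.com/v2/DV90)"}
{"level":"error","ts":1716612886.8817215,"logger":"tls.obtain","msg":"will retry","error":"[4rknm.duckdns.org] Obtain: [4rknm.duckdns.org] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of \"_acme-challenge.4rknm.duckdns.org\": dial tcp 3.97.58.28:53: i/o timeout (order=https://acme.zerossl.com/v2/DV90/order/-dTCwDBzCFrO_Y1J8FntOA) (ca=https://acme.zerossl.com/v2/DV90)","attempt":5,"retrying_in":600,"elapsed":699.388022747,"max_duration":2592000}
'''

# Resolver IP as it appears in Go net errors: "read udp SRC->DST:53" or "dial tcp DST:53".
RESOLVER_RE = re.compile(r'(?:read udp \S+->|dial (?:tcp|udp) )(\d{1,3}(?:\.\d{1,3}){3}):53\b')
# The TXT record name Caddy/certmagic was polling for.
RECORD_RE = re.compile(r'checking DNS propagation of "([^"]+)"')
# Transport-level causes worth distinguishing (hypothetical list, extend as needed).
CAUSE_RE = re.compile(r'(connection refused|i/o timeout|no such host|network is unreachable)')


def parse_caddy_log(text):
    """Parse Caddy's JSON-lines output; malformed lines are skipped rather than fatal."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return entries


def classify_obtain_error(entry):
    """Structured view of one tls.obtain error; None for every other log entry."""
    if entry.get("logger") != "tls.obtain" or entry.get("level") != "error":
        return None
    err = entry.get("error", "")
    record = RECORD_RE.search(err)
    resolver = RESOLVER_RE.search(err)
    cause = CAUSE_RE.search(err)
    return {
        "identifier": entry.get("identifier"),
        "issuer": entry.get("issuer"),  # absent on "will retry" lines
        "will_retry": entry.get("msg") == "will retry",
        # A failure inside the propagation check never reached the CA's validation step.
        "stage": "propagation_check" if record else "other",
        "challenge_record": record.group(1) if record else None,
        "resolver": resolver.group(1) if resolver else None,
        "cause": cause.group(1) if cause else "unknown",
    }


def summarize(text):
    """Aggregate all tls.obtain errors and state whether they are purely local checks."""
    failures = [c for c in map(classify_obtain_error, parse_caddy_log(text)) if c]
    summary = {
        "failures": len(failures),
        "issuers": sorted({f["issuer"] for f in failures if f["issuer"]}),
        "resolvers": sorted({f["resolver"] for f in failures if f["resolver"]}),
        "causes": Counter(f["cause"] for f in failures),
        "propagation_only": bool(failures)
        and all(f["stage"] == "propagation_check" for f in failures),
    }
    if summary["propagation_only"]:
        summary["verdict"] = (
            "every failure is Caddy's own propagation check, not a CA rejection: "
            "resolver(s) %s did not answer from inside the container"
            % ", ".join(summary["resolvers"])
        )
    else:
        summary["verdict"] = "at least one failure is not a propagation check; read the error text"
    return summary


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the output of `docker compose logs caddy` saved to a file. A result of propagation_only with a single resolver IP and transport causes like connection refused or i/o timeout points at the DNS configuration the Caddy container inherits (its resolv.conf), not at the DuckDNS token or the CA. Caddy's tls block also accepts a resolvers subdirective that pins which nameservers the propagation check queries, which is a narrower remedy than switching the check off with propagation_timeout -1.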

I don’t entirely know what changed, but I removed the propagation check setting and it suddenly corrected itself before I updated to 2.8 this morning.

I appreciate your help!

