1. Caddy version (caddy version):
v2.4.5 h1:P1mRs6V2cMcagSPn+NWpD+OEYUYLIf6ecOa48cFGeUg=
2. How I run Caddy:
a. System environment:
pi@raspberrypi:~ $ cat /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
NAME="Raspbian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"
b. Command:
sudo systemctl start caddy
c. Service/unit/compose file:
d. My complete Caddyfile or JSON config:
:80 {
reverse_proxy localhost:1080
}
mew.tailnet-b593.ts.net {
reverse_proxy localhost:1080
}
3. The problem I’m having:
I am unable to get a TLS certificate issued for my Tailscale node. It’s a new feature that came out in 2.50 release:
4. Error messages and/or full log output:
By running journalctl -u caddy --no-pager | less +G, I see these logs:
Mar 16 08:56:44 raspberrypi caddy[6740]: {"level":"info","ts":1647421004.5081987,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"mew.tailnet-b593.ts.net","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
Mar 16 08:56:45 raspberrypi caddy[6740]: {"level":"error","ts":1647421005.2800276,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"mew.tailnet-b593.ts.net","challenge_type":"http-01","status_code":400,"problem_type":"urn:ietf:params:acme:error:dns","error":"DNS problem: NXDOMAIN looking up A for mew.tailnet-b593.ts.net - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for mew.tailnet-b593.ts.net - check that a DNS record exists for this domain"}
Mar 16 08:56:45 raspberrypi caddy[6740]: {"level":"error","ts":1647421005.2802334,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"mew.tailnet-b593.ts.net","error":"authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: NXDOMAIN looking up A for mew.tailnet-b593.ts.net - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for mew.tailnet-b593.ts.net - check that a DNS record exists for this domain","order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/47329398/2042287218","attempt":1,"max_attempts":3}
Mar 16 08:56:46 raspberrypi caddy[6740]: {"level":"info","ts":1647421006.816509,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"mew.tailnet-b593.ts.net","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
Mar 16 08:56:47 raspberrypi caddy[6740]: {"level":"error","ts":1647421007.6190846,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"mew.tailnet-b593.ts.net","challenge_type":"tls-alpn-01","status_code":400,"problem_type":"urn:ietf:params:acme:error:dns","error":"DNS problem: NXDOMAIN looking up A for mew.tailnet-b593.ts.net - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for mew.tailnet-b593.ts.net - check that a DNS record exists for this domain"}
Mar 16 08:56:47 raspberrypi caddy[6740]: {"level":"error","ts":1647421007.6193137,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"mew.tailnet-b593.ts.net","error":"authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: NXDOMAIN looking up A for mew.tailnet-b593.ts.net - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for mew.tailnet-b593.ts.net - check that a DNS record exists for this domain","order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/47329398/2042287408","attempt":2,"max_attempts":3}
Mar 16 08:56:49 raspberrypi caddy[6740]: {"level":"error","ts":1647421009.4231,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"mew.tailnet-b593.ts.net","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[mew.tailnet-b593.ts.net] solving challenges: mew.tailnet-b593.ts.net: no solvers available for remaining challenges (configured=[http-01 tls-alpn-01] offered=[http-01 dns-01 tls-alpn-01] remaining=[dns-01]) (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/47329398/2042287518) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
Mar 16 08:56:49 raspberrypi caddy[6740]: {"level":"warn","ts":1647421009.4292324,"logger":"tls.issuance.zerossl","msg":"missing email address for ZeroSSL; it is strongly recommended to set one for next time"}
Mar 16 08:56:50 raspberrypi caddy[6740]: {"level":"info","ts":1647421010.7975643,"logger":"tls.issuance.zerossl","msg":"generated EAB credentials","key_id":"XclwP9ZCJfZ7t1KlSw-fYw"}
Mar 16 08:57:16 raspberrypi caddy[6740]: {"level":"info","ts":1647421036.003566,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"mew.tailnet-b593.ts.net","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
Mar 16 09:02:29 raspberrypi caddy[6740]: {"level":"error","ts":1647421349.5678914,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"mew.tailnet-b593.ts.net","issuer":"acme.zerossl.com-v2-DV90","error":"[mew.tailnet-b593.ts.net] solving challenges: [mew.tailnet-b593.ts.net] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/6eV0ds9XPiy5hYoaNh17ig) (ca=https://acme.zerossl.com/v2/DV90)"}
Mar 16 09:02:29 raspberrypi caddy[6740]: {"level":"error","ts":1647421349.568119,"logger":"tls.obtain","msg":"will retry","error":"[mew.tailnet-b593.ts.net] Obtain: [mew.tailnet-b593.ts.net] solving challenges: [mew.tailnet-b593.ts.net] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/6eV0ds9XPiy5hYoaNh17ig) (ca=https://acme.zerossl.com/v2/DV90)","attempt":13,"retrying_in":21600,"elapsed":47453.046438203,"max_duration":2592000}
5. What I already tried:
I am not too sure where to start. My knowledge of both Tailscale and Caddy is limited. I am happy to check whatever you want me to check next, thanks!
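
Added example, not part of the original post: a small Python triage of Caddy's journald output like the log above. It groups failed ACME challenges by challenge type and the CA's problem type, and extracts which challenge types were left with no configured solver. The sample lines are shortened from the post's log, and the function names are this example's own.

```python
import json
import re
from collections import Counter

# Sample input shortened from the log in the post; the first entry is left
# hard-wrapped on purpose, the way a pager breaks long lines.
SAMPLE = r'''
Mar 16 08:56:44 raspberrypi caddy[6740]: {"level":"info","msg":"trying to solve challenge","identifier":"mew.tailnet-b59
3.ts.net","challenge_type":"http-01"}
Mar 16 08:56:45 raspberrypi caddy[6740]: {"level":"error","logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"mew.tailnet-b593.ts.net","challenge_type":"http-01","status_code":400,"problem_type":"urn:ietf:params:acme:error:dns","error":"DNS problem: NXDOMAIN looking up A for mew.tailnet-b593.ts.net"}
Mar 16 08:56:47 raspberrypi caddy[6740]: {"level":"error","logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"mew.tailnet-b593.ts.net","challenge_type":"tls-alpn-01","status_code":400,"problem_type":"urn:ietf:params:acme:error:dns","error":"DNS problem: NXDOMAIN looking up A for mew.tailnet-b593.ts.net"}
Mar 16 08:56:49 raspberrypi caddy[6740]: {"level":"error","logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"mew.tailnet-b593.ts.net","error":"no solvers available for remaining challenges (configured=[http-01 tls-alpn-01] offered=[http-01 dns-01 tls-alpn-01] remaining=[dns-01])"}
'''

REMAINING = re.compile(r"remaining=\[([^\]]*)\]")


def parse(lines):
    """Yield the JSON object carried by each journald line."""
    for line in lines:
        start = line.find("{")  # JSON payload follows the syslog-style prefix
        if start < 0:
            continue
        try:
            yield json.loads(line[start:])
        except json.JSONDecodeError:
            continue  # truncated or hard-wrapped entry: cannot be trusted


def triage(lines):
    """Return (failed, unsolved) summaries for ACME issuance attempts."""
    failed = Counter()  # (identifier, challenge_type, problem_type) -> count
    unsolved = {}       # identifier -> challenge types with no configured solver
    for ev in parse(lines):
        if ev.get("msg") == "challenge failed":
            key = (ev.get("identifier"), ev.get("challenge_type"),
                   ev.get("problem_type", ""))
            failed[key] += 1
        elif ev.get("logger") == "tls.obtain":
            match = REMAINING.search(ev.get("error", ""))
            if match:
                unsolved[ev.get("identifier")] = match.group(1).split()
    return failed, unsolved


if __name__ == "__main__":
    failed, unsolved = triage(SAMPLE.splitlines())
    for (name, ctype, problem), count in failed.items():
        print(f"{name}: {ctype} failed x{count} ({problem})")
    for name, types in unsolved.items():
        print(f"{name}: no solver configured for {', '.join(types)}")
```

On the sample, both http-01 and tls-alpn-01 fail with the CA's `dns` problem type, and dns-01 is the only offered challenge left without a configured solver.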