1. The problem I'm having:
Quick recap: I cannot get a wildcard certificate, and I do not really understand the logs.
Edit 1: One of the issues seems to have been solved.
Hi! I am trying to get a wildcard certificate for my domain using Caddy, but I am encountering errors that I am unable to interpret adequately. In particular, I am unable to properly understand what this log means and what part of my setup is causing it:
{"level":"error","ts":1726295807.7741916,"logger":"tls.issuance.acme.acme_client","msg":"cleaning up solver","identifier":"*.pfalz-zweibruecken.eu","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.pfalz-zweibruecken.eu\" (usually OK if presenting also failed)"}
I use Caddy for my home lab experiments, and as I am very new to this I am discovering the concepts revolving around Caddy as I "debug" my setup. At the moment I am just trying to get a wildcard certificate for my domain, so I have not dug into the reverse proxy part of it yet.
I have tried my best to solve the problem on my own without having to resort to this forum, so my apologies if the solution to this problem seems rather trivial! I would also like to add that English is not my first language, so my explanations may not be as clear as I would like them to be.
2. Error messages and/or full log output:
Caddy | {"level":"info","ts":1726351395.9387898,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
Caddy | {"level":"info","ts":1726351395.9451654,"msg":"adapted config to JSON","adapter":"caddyfile"}
Caddy | {"level":"info","ts":1726351395.9593756,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
Caddy | {"level":"info","ts":1726351395.9605906,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x400083a600"}
Caddy | {"level":"info","ts":1726351395.9607377,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
Caddy | {"level":"info","ts":1726351395.9607942,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
Caddy | {"level":"info","ts":1726351395.9618063,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
Caddy | {"level":"info","ts":1726351395.9628394,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
Caddy | {"level":"info","ts":1726351395.9633424,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
Caddy | {"level":"info","ts":1726351395.96341,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["*.pfalz-zweibruecken.eu"]}
Caddy | {"level":"info","ts":1726351395.9649122,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
Caddy | {"level":"info","ts":1726351395.964998,"msg":"serving initial configuration"}
Caddy | {"level":"info","ts":1726351395.9682307,"logger":"tls.obtain","msg":"acquiring lock","identifier":"*.pfalz-zweibruecken.eu"}
Caddy | {"level":"info","ts":1726351395.9682117,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/data/caddy","instance":"0e8742c4-5e12-498f-9ac2-72d3dc9b776b","try_again":1726437795.9682045,"try_again_in":86399.999997552}
Caddy | {"level":"info","ts":1726351395.969346,"logger":"tls","msg":"finished cleaning storage units"}
Caddy | {"level":"info","ts":1726351395.9733164,"logger":"tls.obtain","msg":"lock acquired","identifier":"*.pfalz-zweibruecken.eu"}
Caddy | {"level":"info","ts":1726351395.9742613,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"*.pfalz-zweibruecken.eu"}
Caddy | {"level":"info","ts":1726351395.9773896,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["*.pfalz-zweibruecken.eu"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"pfalz-kaiserslautern.spousal013@aleeas.com"}
Caddy | {"level":"info","ts":1726351395.9774797,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["*.pfalz-zweibruecken.eu"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"pfalz-kaiserslautern.spousal013@aleeas.com"}
Caddy | {"level":"info","ts":1726351395.9776306,"logger":"tls.issuance.acme","msg":"using ACME account","account_id":"https://acme-v02.api.letsencrypt.org/acme/acct/1945760536","account_contact":["mailto:pfalz-kaiserslautern.spousal013@aleeas.com"]}
Caddy | {"level":"info","ts":1726351397.0457633,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"*.pfalz-zweibruecken.eu","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
Caddy | {"level":"error","ts":1726351397.1455142,"logger":"tls.issuance.acme.acme_client","msg":"cleaning up solver","identifier":"*.pfalz-zweibruecken.eu","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.pfalz-zweibruecken.eu\" (usually OK if presenting also failed)"}
Caddy | {"level":"error","ts":1726351397.314817,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.pfalz-zweibruecken.eu","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[*.pfalz-zweibruecken.eu] solving challenges: presenting for challenge: adding temporary record for zone \"pfalz-zweibruecken.eu.\": Post \"https://ote.domrobot.com/jsonrpc/\": dial tcp: lookup ote.domrobot.com on 127.0.0.11:53: no such host (order=https://acme-v02.api.letsencrypt.org/acme/order/1945760536/305199599076) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
Caddy | {"level":"error","ts":1726351397.3155138,"logger":"tls.obtain","msg":"will retry","error":"[*.pfalz-zweibruecken.eu] Obtain: [*.pfalz-zweibruecken.eu] solving challenges: presenting for challenge: adding temporary record for zone \"pfalz-zweibruecken.eu.\": Post \"https://ote.domrobot.com/jsonrpc/\": dial tcp: lookup ote.domrobot.com on 127.0.0.11:53: no such host (order=https://acme-v02.api.letsencrypt.org/acme/order/1945760536/305199599076) (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":1.341861927,"max_duration":2592000}
3. Caddy version:
The Caddy image used by Docker is a custom image based on the 2.8.4-alpine version, with the inwx dns module added to it. The image was built following the Caddy documentation.
4. How I installed and ran Caddy:
A. System environment:
Caddy runs on Docker, installed on a Raspberry Pi Model B running DietPi 9.7.1. There is at the moment only one container running alongside Caddy, and that is Technitium, although I did not set up Caddy to use the Technitium DNS server.
If I am not mistaken, DNS challenges do not require the domain to be externally accessible, and therefore, although I have set up an A record pointing to my public IP address in the DNS records, I have not yet configured my router to forward port 80 and port 443 requests to my server.
B. Command:
sudo docker compose up -d caddy
C. Service/unit/compose file:
services:
  caddy:
    build: .
    container_name: Caddy
    cap_add:
      - NET_ADMIN
    ports:
      - 80:80
      - 443:443
      - 443:443/udp
    volumes:
      - /home/user/Docker/Caddy/Caddyfile:/etc/caddy/Caddyfile
      - /home/user/Docker/Caddy/site:/srv
      - /home/user/Docker/Caddy/data:/data
      - /home/user/Docker/Caddy/config:/config
    restart: unless-stopped
    networks:
      - Caddy
networks:
  Caddy:
    name: Caddy
D. My complete Caddy config:
(1) The dockerfile the docker-compose.yml uses to build the container
FROM caddy:2.8.4-builder-alpine AS builder
RUN xcaddy build \
    --with github.com/caddy-dns/inwx
FROM caddy:2.8.4-alpine
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
(2) The Caddyfile config
{
    email pfalz-kaiserslautern.spousal013@aleeas.com
}
*.pfalz-zweibruecken.eu {
    tls {
        dns inwx {
            username redacted
            password redacted
            shared_secret redacted
            endpoint_url https://ote.domrobot.com/jsonrpc/
        }
    }
}
5. Links to relevant resources:
The dns inwx module:
6. Updates
Thanks to @Bruce5051's input, I was able to solve the Post \"https://ote.domrobot.com/jsonrpc/\": dial tcp: lookup ote.domrobot.com on 127.0.0.11:53: no such host issue.
Switching from https://ote.domrobot.com/jsonrpc/ (production environment) to https://api.ote.domrobot.com/jsonrpc/ (test environment) effectively solved the issue, although I remain unsure about the meaning of production and test environments.
Nonetheless, the issue described in the introduction to this post persists.
Thank you in advance for the help!
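As an added illustration (not code from this post, from Caddy or from the inwx module), here is a small Python triage script for log output in the shape shown above. The sample lines are constructed from the ones in the post; it separates the "cleaning up solver / no memory of presenting" symptom from the underlying tls.obtain error, and pulls out the hostname that failed to resolve and the resolver it was asked on. The function and field names are my own.

```python
import json
import re

# Constructed sample in the shape of the post's "docker compose" output:
# a "Caddy | " service prefix followed by one Caddy JSON log object per line.
SAMPLE_LOG = r'''
Caddy | {"level":"error","ts":1726351397.1455142,"logger":"tls.issuance.acme.acme_client","msg":"cleaning up solver","identifier":"*.pfalz-zweibruecken.eu","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.pfalz-zweibruecken.eu\" (usually OK if presenting also failed)"}
Caddy | {"level":"error","ts":1726351397.314817,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.pfalz-zweibruecken.eu","error":"[*.pfalz-zweibruecken.eu] solving challenges: presenting for challenge: adding temporary record for zone \"pfalz-zweibruecken.eu.\": Post \"https://ote.domrobot.com/jsonrpc/\": dial tcp: lookup ote.domrobot.com on 127.0.0.11:53: no such host (order=https://acme-v02.api.letsencrypt.org/acme/order/1945760536/305199599076)"}
'''

PREFIX_RE = re.compile(r'^\s*[\w-]+\s*\|\s*')                  # compose service prefix
DIAL_RE = re.compile(r'dial tcp: lookup (\S+) on (\S+): no such host')
ANNOT_RE = re.compile(r'\s*\((?:order|ca)=[^)]*\)')             # "(order=...)" "(ca=...)"


def parse_lines(text):
    """Return the JSON objects found in compose-prefixed Caddy log lines."""
    events = []
    for line in text.splitlines():
        line = PREFIX_RE.sub('', line).strip()
        if line.startswith('{'):
            try:
                events.append(json.loads(line))
            except json.JSONDecodeError:
                pass  # truncated or non-JSON line: skip it
    return events


def diagnose(events):
    """Per identifier: challenge type, whether the 'no memory of presenting'
    cleanup message was seen, and the first real cause from a tls.* error."""
    report = {}
    for ev in events:
        ident, err = ev.get('identifier'), ev.get('error')
        if not ident or not err or not ev.get('logger', '').startswith('tls.'):
            continue
        e = report.setdefault(ident, {'challenge_type': None, 'cleanup_only': False,
                                      'cause': None, 'unresolved_host': None, 'resolver': None})
        e['challenge_type'] = ev.get('challenge_type') or e['challenge_type']
        if ev.get('msg') == 'cleaning up solver' and 'no memory of presenting' in err:
            e['cleanup_only'] = True  # symptom only: presenting failed before a record was set
        elif e['cause'] is None:
            m = DIAL_RE.search(err)
            if m:  # the provider API hostname itself failed to resolve (here via Docker's
                   # embedded resolver at 127.0.0.11), so no TXT record was ever created
                e['unresolved_host'], e['resolver'] = m.group(1), m.group(2)
                e['cause'] = f'DNS provider API host {m.group(1)} does not resolve via {m.group(2)}'
            else:  # fallback: innermost segment of Caddy's "context: context: root" chain
                e['cause'] = ANNOT_RE.sub('', err).split(': ')[-1]
    return report
```

Run it on the full compose output to see that the "no memory of presenting" line is only the cleanup step reporting there was nothing to remove; the actionable error is the later tls.obtain line.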