Unable to issue ed25519 certs

1. Caddy version (caddy version):

v2.4.5 h1:P1mRs6V2cMcagSPn+NWpD+OEYUYLIf6ecOa48cFGeUg=

2. How I run Caddy:

systemctl start caddy

a. System environment:

NAME="CentOS Linux"
VERSION="8"

b. Command:

systemctl start caddy

c. Service/unit/compose file:

# /usr/lib/systemd/system/caddy.service
# caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
# Order after, and hard-depend on, network-online.target so Caddy is started
# only once systemd considers the network to be up.
After=network.target network-online.target
Requires=network-online.target

[Service]
# notify: systemd waits for the process to signal readiness over NOTIFY_SOCKET
# before it marks the unit as started.
Type=notify
# Run as the unprivileged caddy account rather than root.
User=caddy
Group=caddy
# --environ prints the process environment at startup, so every environment
# variable ends up in the journal.
# NOTE(review): avoid passing secrets (API tokens, credentials) through the
# environment while this flag is set, or drop the flag.
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
# Time allowed for a clean stop before systemd forcibly terminates the service.
TimeoutStopSec=5s
# Resource ceilings: open file descriptors (RLIMIT_NOFILE) and process/thread
# count (RLIMIT_NPROC).
LimitNOFILE=1048576
LimitNPROC=512
# The service gets its own /tmp and /var/tmp, not shared with other services.
PrivateTmp=true
# full: /usr, the boot loader directories and /etc are mounted read-only for
# this service, so the config under /etc/caddy cannot be modified by Caddy.
ProtectSystem=full
# Lets the non-root caddy user bind privileged ports (below 1024) without
# granting any other root capability.
AmbientCapabilities=CAP_NET_BIND_SERVICE
# NOTE(review): no NoNewPrivileges=, ProtectHome= or PrivateDevices= is set
# here; consider whether this deployment can enable them, and confirm against
# the installed systemd version.

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/caddy.service.d/override.conf
# Drop-in that switches the service from the Caddyfile to the JSON config.
[Service]
# An empty assignment clears the command list inherited from caddy.service.
# Without it the lines below would be added to the packaged commands instead
# of replacing them.
ExecStart=
ExecReload=

# Same commands as the packaged unit, pointed at /etc/caddy/caddy.json.
# --environ is kept, so the full process environment is still written to the
# journal at startup.
# NOTE(review): keep secrets out of the environment while this flag is set.
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/caddy.json
ExecReload=/usr/bin/caddy reload --config /etc/caddy/caddy.json

d. My complete Caddyfile or JSON config:

{
	"logging": {
		"sink": { "writer": { "output": "stderr" } },
		"logs": {
			"default": {
				"encoder": {
					"format": "filter",
					"wrap": { "format": "json" },
					"fields": {
						"request>remote_addr": {
							"filter": "ip_mask",
							"ipv4_cidr": 24,
							"ipv6_cidr": 48
						},
						"request>headers": { "filter": "delete" },
						"common_log": { "filter": "delete" },
						"duration": { "filter": "delete" },
						"resp_headers": { "filter": "delete" }
					}
				}
			}
		}
	},
	"apps": {
		"tls": {
			"certificates": {
				"load_files": [
					{
						"certificate": "/etc/caddy/certs/is.meh.mgmt.bob.pem",
						"key": "/etc/caddy/certs/is.meh.mgmt.bob.key",
						"tags": [ "nodomain" ]
					}
				]
			},
			"automation": {
				"policies": [
					{
						"issuers": [ { "module": "acme", "email": "letsencrypt@meh.is" } ],
						"key_type": "ed25519",
						"must_staple": true
					}
				]
			},
			"session_tickets": { "disabled": true }
		},
		"http": {
			"servers": {
				"insecure": {
					"listen": [ ":80" ],
					"automatic_https": { "disable": true },
					"routes": [
						{
							"match": [],
							"handle": [ {
								"handler": "headers",
								"response": {
									"deferred": true,
									"set": {
										"access-control-allow-origin": [ "https://{http.request.host}" ],
										"content-security-policy": [ "default-src 'none'; base-uri 'none'; sandbox; form-action 'none'; frame-ancestors 'none'; report-to csp;" ],
										"content-type": [ "text/plain; charset=utf-8" ],
										"link": [ "<https://{http.request.host}{http.request.orig_uri}>; rel=\"canonical\"" ],
										"permission-policy": [ "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()" ],
										"referrer-policy": [ "no-referrer" ],
										"report-to": [ "\\\u007b \u0022group\u0022: \u0022csp\u0022, \u0022includeSubdomains\u0022: true, \u0022max_age\u0022: 604800, \u0022endpoints\u0022: [ \\\u007b \u0022url\u0022: \u0022https://meta.meh.is/reporting/csp\u0022, \u0022priority\u0022: 100, \u0022weight\u0022: 100 \\\u007d ] \\\u007d" ],
										"x-content-type-options": [ "nosniff" ],
										"x-frame-options": [ "deny" ],
										"x-xss-protection": [ "1; mode=block" ]
									},
									"delete": [ "server" ]
								}
							} ]
						}
					]
				},
				"main": {
					"listen": [ ":443" ],
					"experimental_http3": true,
					"strict_sni_host": true,
					"automatic_https": { "skip_certificates": [ "bob.mgmt.meh.is" ] },
					"logs": { "default_logger_name": "default" },
					"tls_connection_policies": [
						{
							"default_sni": "bob.mgmt.meh.is"
						}
					],
					"routes": [
						{
							"match": [],
							"handle": [{
								"handler": "headers",
								"response": {
									"deferred": true,
									"set": {
										"access-control-allow-origin": [ "https://{http.request.host}" ],
										"link": [ "<https://{http.request.host}{http.request.orig_uri}>; rel=\"canonical\"" ],
										"permission-policy": [ "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()" ],
										"referrer-policy": [ "no-referrer" ],
										"report-to": [ "\\\u007b \u0022group\u0022: \u0022csp\u0022, \u0022includeSubdomains\u0022: true, \u0022max_age\u0022: 604800, \u0022endpoints\u0022: [ \\\u007b \u0022url\u0022: \u0022https://meta.meh.is/reporting/csp\u0022, \u0022priority\u0022: 100, \u0022weight\u0022: 100 \\\u007d ] \\\u007d" ],
										"strict-transport-security": [ "max-age=63072000; includeSubDomains; preload" ],
										"x-content-type-options": [ "nosniff" ],
										"x-frame-options": [ "deny" ],
										"x-xss-protection": [ "1; mode=block" ]
									},
									"delete": [ "server" ]
								}
							}]
						},

						{
							"match": [ { "host": [ "dns02.meh.is" ] } ],
							"handle": [ {
								"handler": "headers",
								"response": {
									"deferred": true,
									"set": {
										"content-security-policy": [ "default-src 'none'; base-uri 'none'; sandbox; form-action 'none'; frame-ancestors 'none'; report-to csp;" ],
										"content-type": [ "text/plain; charset=utf-8" ]
									}
								}
							} ]
						},
						{
							"match": [ { "host": [ "dns02.meh.is" ], "path": [ "/" ] } ],
							"handle": [ {
								"handler": "static_response",
								"status_code": 200,
								"body": "dee enn ess\n"
							} ],
							"terminal": true
						}
					],
					"errors": {
						"routes": [
							{
								"match": [],
								"handle": [ {
									"handler": "headers",
									"response": {
										"deferred": true,
										"set": {
											"access-control-allow-origin": [ "https://{http.request.host}" ],
											"content-security-policy": [ "default-src 'none'; base-uri 'none'; sandbox; form-action 'none'; frame-ancestors 'none'; report-to csp;" ],
											"content-type": [ "text/plain; charset=utf-8" ],
											"link": [ "<https://{http.request.host}{http.request.orig_uri}>; rel=\"canonical\"" ],
											"referrer-policy": [ "no-referrer" ],
											"report-to": [ "\\\u007b \u0022group\u0022: \u0022csp\u0022, \u0022includeSubdomains\u0022: true, \u0022max_age\u0022: 604800, \u0022endpoints\u0022: [ \\\u007b \u0022url\u0022: \u0022https://meta.meh.is/reporting/csp\u0022, \u0022priority\u0022: 100, \u0022weight\u0022: 100 \\\u007d ] \\\u007d" ],
											"x-content-type-options": [ "nosniff" ]
										},
										"delete": [ "server" ]
									}
								} ]
							},
							{
								"handle": [ {
									"handler": "static_response",
									"status_code": "{http.error.status_code}",
									"body": "{http.error.status_code}\n"
								} ],
								"terminal": true
							}
						]
					}
				}
			}
		}
	}
}

3. The problem I’m having:

Unable to issue ed25519 certs.

4. Error messages and/or full log output:

Oct 27 10:42:51 bob systemd[1]: Starting Caddy...
Oct 27 10:42:51 bob caddy[32995]: caddy.HomeDir=/var/lib/caddy
Oct 27 10:42:51 bob caddy[32995]: caddy.AppDataDir=/var/lib/caddy/.local/share/caddy
Oct 27 10:42:51 bob caddy[32995]: caddy.AppConfigDir=/var/lib/caddy/.config/caddy
Oct 27 10:42:51 bob caddy[32995]: caddy.ConfigAutosavePath=/var/lib/caddy/.config/caddy/autosave.json
Oct 27 10:42:51 bob caddy[32995]: caddy.Version=v2.4.5 h1:P1mRs6V2cMcagSPn+NWpD+OEYUYLIf6ecOa48cFGeUg=
Oct 27 10:42:51 bob caddy[32995]: runtime.GOOS=linux
Oct 27 10:42:51 bob caddy[32995]: runtime.GOARCH=amd64
Oct 27 10:42:51 bob caddy[32995]: runtime.Compiler=gc
Oct 27 10:42:51 bob caddy[32995]: runtime.NumCPU=1
Oct 27 10:42:51 bob caddy[32995]: runtime.GOMAXPROCS=1
Oct 27 10:42:51 bob caddy[32995]: runtime.Version=go1.16.8
Oct 27 10:42:51 bob caddy[32995]: os.Getwd=/
Oct 27 10:42:51 bob caddy[32995]: LANG=en_US.UTF-8
Oct 27 10:42:51 bob caddy[32995]: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
Oct 27 10:42:51 bob caddy[32995]: NOTIFY_SOCKET=/run/systemd/notify
Oct 27 10:42:51 bob caddy[32995]: HOME=/var/lib/caddy
Oct 27 10:42:51 bob caddy[32995]: LOGNAME=caddy
Oct 27 10:42:51 bob caddy[32995]: USER=caddy
Oct 27 10:42:51 bob caddy[32995]: INVOCATION_ID=84b8a1b36d7c41038638ef2e46d09acd
Oct 27 10:42:51 bob caddy[32995]: JOURNAL_STREAM=9:110536
Oct 27 10:42:51 bob caddy[32995]: {"level":"info","ts":1635331371.3234231,"msg":"using provided configuration","config_file":"/etc/caddy/caddy.json","config_adapter":""}
Oct 27 10:42:51 bob caddy[32995]: 2021/10/27 10:42:51 [INFO] Redirecting sink to: stderr
Oct 27 10:42:51 bob caddy[32995]: 2021/10/27 10:42:51 [INFO] Redirected sink to here (stderr)
Oct 27 10:42:51 bob caddy[32995]: {"level":"info","ts":1635331371.3273125,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
Oct 27 10:42:51 bob caddy[32995]: {"level":"warn","ts":1635331371.3368676,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [bob.mgmt.meh.is 93.95.226.204 2001:678:58c:3:c76b:6229:a994:4d1]: no OCSP server specified in certificate"}
Oct 27 10:42:51 bob caddy[32995]: {"level":"debug","ts":1635331371.3368838,"logger":"tls.cache","msg":"added certificate to cache","subjects":["bob.mgmt.meh.is","93.95.226.204","2001:678:58c:3:c76b:6229:a994:4d1"],"expiration":1950656751,"managed":false,"issuer_key":"","hash":"2db2a05e1ada655bcad496f450cafc20b7d6dc2fa51111652814046a700e8c70"}
Oct 27 10:42:51 bob caddy[32995]: {"level":"info","ts":1635331371.3369217,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"main"}
Oct 27 10:42:51 bob caddy[32995]: {"level":"debug","ts":1635331371.3373673,"logger":"http","msg":"starting server loop","address":"[::]:80","http3":false,"tls":false}
Oct 27 10:42:51 bob caddy[32995]: {"level":"info","ts":1635331371.3373914,"logger":"http","msg":"enabling experimental HTTP/3 listener","addr":":443"}
Oct 27 10:42:51 bob caddy[32995]: {"level":"debug","ts":1635331371.3374135,"logger":"http","msg":"starting server loop","address":"[::]:443","http3":true,"tls":true}
Oct 27 10:42:51 bob caddy[32995]: {"level":"info","ts":1635331371.3374193,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["dns02.meh.is"]}
Oct 27 10:42:51 bob caddy[32995]: {"level":"info","ts":1635331371.337555,"msg":"autosaved config (load with --resume flag)","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Oct 27 10:42:51 bob caddy[32995]: {"level":"info","ts":1635331371.3375828,"msg":"serving initial configuration"}
Oct 27 10:42:51 bob caddy[32995]: {"level":"info","ts":1635331371.3376079,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/var/lib/caddy/.local/share/caddy"}
Oct 27 10:42:51 bob caddy[32995]: {"level":"info","ts":1635331371.3376288,"logger":"tls","msg":"finished cleaning storage units"}
Oct 27 10:42:51 bob systemd[1]: Started Caddy.
Oct 27 10:42:51 bob caddy[32995]: {"level":"info","ts":1635331371.341327,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00052fce0"}
Oct 27 10:42:51 bob caddy[32995]: 2021/10/27 10:42:51 failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details.
Oct 27 10:42:51 bob caddy[32995]: {"level":"info","ts":1635331371.341607,"logger":"tls.obtain","msg":"acquiring lock","identifier":"dns02.meh.is"}
Oct 27 10:42:51 bob caddy[32995]: {"level":"info","ts":1635331371.3424778,"logger":"tls.obtain","msg":"lock acquired","identifier":"dns02.meh.is"}
Oct 27 10:42:51 bob caddy[32995]: {"level":"debug","ts":1635331371.3427896,"logger":"tls.obtain","msg":"trying issuer 1/1","issuer":"acme-v02.api.letsencrypt.org-directory"}
Oct 27 10:42:51 bob caddy[32995]: {"level":"info","ts":1635331371.3489637,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["dns02.meh.is"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"letsencrypt@meh.is"}
Oct 27 10:42:51 bob caddy[32995]: {"level":"info","ts":1635331371.348977,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["dns02.meh.is"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"letsencrypt@meh.is"}
Oct 27 10:42:51 bob caddy[32995]: {"level":"debug","ts":1635331371.92144,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"GET","url":"https://acme-v02.api.letsencrypt.org/directory","headers":{"User-Agent":["Caddy/2.4.5 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["658"],"Content-Type":["application/json"],"Date":["Wed, 27 Oct 2021 10:42:51 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Oct 27 10:42:52 bob caddy[32995]: {"level":"debug","ts":1635331372.0900261,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"HEAD","url":"https://acme-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.4.5 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Wed, 27 Oct 2021 10:42:52 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0001-VVN1P8ZoAeQdMODKOp2NrA4q8Vo4N0l4u9SDzUhi5A"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Oct 27 10:42:52 bob caddy[32995]: {"level":"debug","ts":1635331372.2893472,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.5 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["256374730"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["335"],"Content-Type":["application/json"],"Date":["Wed, 27 Oct 2021 10:42:52 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/order/256374730/35044827370"],"Replay-Nonce":["0001b7XNz5HfUFMlLBVe0irPB0ZCRVGKMplRNURZYv57O6I"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}
Oct 27 10:42:52 bob caddy[32995]: {"level":"debug","ts":1635331372.462805,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/43725561640","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.5 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["256374730"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["793"],"Content-Type":["application/json"],"Date":["Wed, 27 Oct 2021 10:42:52 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["00023brv_tpgxy7mDjSBgQBfOv0NYIMqFh1qOHE6aHqGJUc"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Oct 27 10:42:52 bob caddy[32995]: {"level":"debug","ts":1635331372.4629724,"logger":"tls.issuance.acme.acme_client","msg":"no solver configured","challenge_type":"dns-01"}
Oct 27 10:42:52 bob caddy[32995]: {"level":"info","ts":1635331372.4629815,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"dns02.meh.is","challenge_type":"tls-alpn-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
Oct 27 10:42:52 bob caddy[32995]: {"level":"debug","ts":1635331372.4638321,"logger":"http.stdlib","msg":"http: TLS handshake error from 127.0.0.1:42750: EOF"}
Oct 27 10:42:52 bob caddy[32995]: {"level":"debug","ts":1635331372.6447887,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/43725561640/1_mfxg","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.5 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["256374730"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["190"],"Content-Type":["application/json"],"Date":["Wed, 27 Oct 2021 10:42:52 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://acme-v02.api.letsencrypt.org/acme/authz-v3/43725561640>;rel=\"up\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/chall-v3/43725561640/1_mfxg"],"Replay-Nonce":["0002zR1_SRGNXeUlval41JlkN_5N43xVFiibRWrxzfNK2gE"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Oct 27 10:42:52 bob caddy[32995]: {"level":"debug","ts":1635331372.644861,"logger":"tls.issuance.acme.acme_client","msg":"challenge accepted","identifier":"dns02.meh.is","challenge_type":"tls-alpn-01"}
Oct 27 10:42:52 bob caddy[32995]: {"level":"info","ts":1635331372.964355,"logger":"tls","msg":"served key authentication certificate","server_name":"dns02.meh.is","challenge":"tls-alpn-01","remote":"[2a05:d014:3ad:702:5e21:33c4:d5b3:ec3a]:44048","distributed":false}
Oct 27 10:42:53 bob caddy[32995]: {"level":"debug","ts":1635331373.0713503,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/43725561640","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.5 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["256374730"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["793"],"Content-Type":["application/json"],"Date":["Wed, 27 Oct 2021 10:42:52 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["00029ZsvU5MebOulBAd-BOT3Vi14LlOzx-gTvnblyowQt3I"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Oct 27 10:42:53 bob caddy[32995]: {"level":"info","ts":1635331373.075856,"logger":"tls","msg":"served key authentication certificate","server_name":"dns02.meh.is","challenge":"tls-alpn-01","remote":"[2600:1f16:269:da02:295d:8c92:b202:43ac]:56200","distributed":false}
Oct 27 10:42:53 bob caddy[32995]: {"level":"debug","ts":1635331373.495174,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/43725561640","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.5 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["256374730"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["793"],"Content-Type":["application/json"],"Date":["Wed, 27 Oct 2021 10:42:53 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0002hAJSjPynHIP_LHR3jG-o4zG94kptLnGApKNcn-C52w4"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Oct 27 10:42:53 bob caddy[32995]: {"level":"info","ts":1635331373.5383494,"logger":"tls","msg":"served key authentication certificate","server_name":"dns02.meh.is","challenge":"tls-alpn-01","remote":"[2600:1f14:804:fd02:dcdc:391a:9b83:9c03]:48844","distributed":false}
Oct 27 10:42:53 bob caddy[32995]: {"level":"info","ts":1635331373.5526164,"logger":"tls","msg":"served key authentication certificate","server_name":"dns02.meh.is","challenge":"tls-alpn-01","remote":"[2600:3000:2710:200::1d]:39040","distributed":false}
Oct 27 10:42:53 bob caddy[32995]: {"level":"debug","ts":1635331373.9207406,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/43725561640","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.5 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["256374730"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["793"],"Content-Type":["application/json"],"Date":["Wed, 27 Oct 2021 10:42:53 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0001M2hcLg1hsOcvisjAZoNGmqI9y0bjl8VGu-j1FnltEQY"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Oct 27 10:42:54 bob caddy[32995]: {"level":"debug","ts":1635331374.3448663,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/43725561640","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.5 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["256374730"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["793"],"Content-Type":["application/json"],"Date":["Wed, 27 Oct 2021 10:42:54 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0002iUi6a5fs1xP8AzmeBk_mso7N_l3y3AbbnOu5UylBDYo"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Oct 27 10:42:54 bob caddy[32995]: {"level":"debug","ts":1635331374.7682357,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/43725561640","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.5 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["256374730"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["793"],"Content-Type":["application/json"],"Date":["Wed, 27 Oct 2021 10:42:54 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0002aU-lmirmV9UwnXiMiCR3v8SGlTer8Xy0DGE_2f2Zvnw"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Oct 27 10:42:55 bob caddy[32995]: {"level":"debug","ts":1635331375.192517,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/43725561640","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.5 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["256374730"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["793"],"Content-Type":["application/json"],"Date":["Wed, 27 Oct 2021 10:42:55 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0001kJawmlefXri79eo4DPgtEouBIcEmbMWTIKktkdaZTzI"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Oct 27 10:42:55 bob caddy[32995]: {"level":"debug","ts":1635331375.6169608,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/43725561640","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.5 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["256374730"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["684"],"Content-Type":["application/json"],"Date":["Wed, 27 Oct 2021 10:42:55 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0002_L3zIEn7R1kAX1WdgbR3Vve3GbEqsBH-ju7Zj6LEMyA"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Oct 27 10:42:55 bob caddy[32995]: {"level":"info","ts":1635331375.617154,"logger":"tls.issuance.acme.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme-v02.api.letsencrypt.org/acme/order/256374730/35044827370"}
Oct 27 10:42:55 bob caddy[32995]: {"level":"debug","ts":1635331375.796927,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/finalize/256374730/35044827370","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.5 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["256374730"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["173"],"Content-Type":["application/problem+json"],"Date":["Wed, 27 Oct 2021 10:42:55 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0001eIVbGoY1KTbPX2UJIC1YhT5Naw4hTo7asRPwk2eqdr0"],"Server":["nginx"]},"status_code":400}
Oct 27 10:42:55 bob caddy[32995]: {"level":"error","ts":1635331375.797035,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"dns02.meh.is","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:badCSR - Error finalizing order :: invalid public key in CSR: unsupported key type ed25519.PublicKey"}
Oct 27 10:42:55 bob caddy[32995]: {"level":"error","ts":1635331375.7970543,"logger":"tls.obtain","msg":"will retry","error":"[dns02.meh.is] Obtain: [dns02.meh.is] finalizing order https://acme-v02.api.letsencrypt.org/acme/order/256374730/35044827370: attempt 1: https://acme-v02.api.letsencrypt.org/acme/finalize/256374730/35044827370: HTTP 400 urn:ietf:params:acme:error:badCSR - Error finalizing order :: invalid public key in CSR: unsupported key type ed25519.PublicKey (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":4.454565891,"max_duration":2592000}
Oct 27 10:43:01 bob systemd[1]: Stopping Caddy...
Oct 27 10:43:01 bob caddy[32995]: {"level":"info","ts":1635331381.2276137,"msg":"shutting down apps, then terminating","signal":"SIGTERM"}
Oct 27 10:43:01 bob caddy[32995]: {"level":"warn","ts":1635331381.2276657,"msg":"exiting; byeee!! 👋","signal":"SIGTERM"}
Oct 27 10:43:01 bob caddy[32995]: 2021/10/27 10:43:01 [DEBUG] Fake-closing underlying packet conn
Oct 27 10:43:01 bob caddy[32995]: {"level":"info","ts":1635331381.2322085,"logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0xc00052fce0"}
Oct 27 10:43:01 bob caddy[32995]: {"level":"info","ts":1635331381.2324193,"logger":"tls.obtain","msg":"releasing lock","identifier":"dns02.meh.is"}
Oct 27 10:43:01 bob caddy[32995]: {"level":"error","ts":1635331381.2324638,"logger":"tls.obtain","msg":"unable to unlock","identifier":"dns02.meh.is","lock_key":"issue_cert_dns02.meh.is","error":"remove /var/lib/caddy/.local/share/caddy/locks/issue_cert_dns02.meh.is.lock: no such file or directory"}
Oct 27 10:43:01 bob caddy[32995]: {"level":"error","ts":1635331381.2324777,"logger":"tls","msg":"job failed","error":"dns02.meh.is: obtaining certificate: context canceled"}
Oct 27 10:43:01 bob caddy[32995]: {"level":"info","ts":1635331381.233533,"logger":"admin","msg":"stopped previous server","address":"tcp/localhost:2019"}
Oct 27 10:43:01 bob caddy[32995]: {"level":"info","ts":1635331381.2335525,"msg":"shutdown complete","signal":"SIGTERM","exit_code":0}
Oct 27 10:43:01 bob systemd[1]: caddy.service: Succeeded.
Oct 27 10:43:01 bob systemd[1]: Stopped Caddy.

5. What I already tried:

Lots of googling, but nobody seems to have had this problem.

I don’t really want to change the key type unless Let’s Encrypt has officially dropped support for it, but I have not found any source for that.

6. Links to relevant resources:

From the source of Let’s Encrypt’s server, it seems they only support RSA and ECDSA keys:

You’ll need to reach out to Let’s Encrypt and ask why. Check out their forums; there are likely answers there. But from a quick glance, I don’t think they ever supported ed25519 keys.

Their engineers say ed25519 “isn’t really ready for certificates”:

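So, 🤷 but anyway, I think it’s something Caddy can/will support when the CAs do. Until then, the `key_type` in the automation policy has to be one the CA accepts (an RSA or ECDSA type, per the Let’s Encrypt source noted above); otherwise the order is rejected at finalization with the `badCSR` error shown in the log.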
