Unable to obtain certificate using "dns.providers.cloudflare" plugin, ACME returns HTTP 400

1. The problem I’m having:

I’m trying to obtain a certificate for a domain that is not directly reachable, as it is behind Cloudflare, and therefore I’m using the dns.providers.cloudflare plugin. However, I am unable to obtain a certificate for said domain due to an HTTP 400 Invalid request headers error from the ACME endpoints.

2. Error messages and/or full log output:

I’m using an example domain of errors.example.com as I don’t want to reveal my domain here, but the rest of it should be correct.

Dec 24 04:49:13 localhost caddy[179476]: {"level":"info","ts":1703393353.347018,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"errors.example.com"}
Dec 24 04:49:13 localhost caddy[179476]: {"level":"info","ts":1703393353.8292255,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"errors.example.com","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
Dec 24 04:49:14 localhost caddy[179476]: {"level":"error","ts":1703393354.5457985,"logger":"tls.issuance.acme.acme_client","msg":"cleaning up solver","identifier":"errors.example.com","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.errors.example.com\" (usually OK if presenting also failed)"}
Dec 24 04:49:14 localhost caddy[179476]: {"level":"error","ts":1703393354.701809,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"errors.example.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[errors.example.com] solving challenges: presenting for challenge: adding temporary record for zone \"example.com.\": got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/130028524/13173747434) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
Dec 24 04:50:22 localhost caddy[179476]: {"level":"info","ts":1703393422.8372903,"logger":"tls.issuance.zerossl.acme_client","msg":"trying to solve challenge","identifier":"errors.example.com","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
Dec 24 04:50:23 localhost caddy[179476]: {"level":"error","ts":1703393423.549013,"logger":"tls.issuance.zerossl.acme_client","msg":"cleaning up solver","identifier":"errors.example.com","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.errors.example.com\" (usually OK if presenting also failed)"}
Dec 24 04:50:23 localhost caddy[179476]: {"level":"error","ts":1703393423.964868,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"errors.example.com","issuer":"acme.zerossl.com-v2-DV90","error":"[errors.example.com] solving challenges: presenting for challenge: adding temporary record for zone \"example.com.\": got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme.zerossl.com/v2/DV90/order/YtLFwN5i41VK_D04cOJMug) (ca=https://acme.zerossl.com/v2/DV90)"}
Dec 24 04:50:23 localhost caddy[179476]: {"level":"error","ts":1703393423.964933,"logger":"tls.obtain","msg":"will retry","error":"[errors.example.com] Obtain: [errors.example.com] solving challenges: presenting for challenge: adding temporary record for zone \"example.com.\": got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme.zerossl.com/v2/DV90/order/YtLFwN5i41VK_D04cOJMug) (ca=https://acme.zerossl.com/v2/DV90)","attempt":3,"retrying_in":120,"elapsed":325.752662221,"max_duration":2592000}
Dec 24 04:52:23 localhost caddy[179476]: {"level":"info","ts":1703393543.9657283,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"errors.example.com"}
Dec 24 04:52:24 localhost caddy[179476]: {"level":"info","ts":1703393544.4401548,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"errors.example.com","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
Dec 24 04:52:25 localhost caddy[179476]: {"level":"error","ts":1703393545.1643019,"logger":"tls.issuance.acme.acme_client","msg":"cleaning up solver","identifier":"errors.example.com","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.errors.example.com\" (usually OK if presenting also failed)"}
Dec 24 04:52:25 localhost caddy[179476]: {"level":"error","ts":1703393545.318902,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"errors.example.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[errors.example.com] solving challenges: presenting for challenge: adding temporary record for zone \"example.com.\": got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/130028524/13173792444) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}

3. Caddy version:

v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=

4. How I installed and ran Caddy:

a. System environment:

Ubuntu 22.04 + systemd

b. Service/unit/compose file:

[Unit]
Description=Caddy web server
After=network.target
StartLimitIntervalSec=60
StartLimitBurst=3

[Service]
User=www-data
Group=www-data
Type=exec
ExecStart=/usr/local/bin/caddy run --config /etc/caddy/Caddyfile
ExecReload=/usr/local/bin/caddy reload --config /etc/caddy/Caddyfile
ExecStop=/usr/local/bin/caddy stop
LimitNOFILE=1048576
LimitNPROC=512
ProtectSystem=full
ProtectProc=noaccess
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectControlGroups=true
Environment=HOME=/var/lib/caddy
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
ReadWritePaths=/var/lib/caddy /var/log/caddy

[Install]
WantedBy=multi-user.target

d. My complete Caddy config:

{
    servers {
        # this is simply a list of Cloudflare IPs in "trusted_proxies static"
        import realip.conf 
    }
}

http:// {
    redir https://{host}{uri} permanent

    log {
        output discard
    }
}

errors.example.com {
  tls my@example.com {
      # Caddyfile quotes values with double quotes or backticks; single quotes are literal characters
      dns cloudflare "cloudflare_api_token"
      resolvers 1.1.1.1 1.0.0.1
  }

  reverse_proxy http://127.0.0.1:8000

  log {
      format filter {
          wrap json
          fields {
              common_log delete
          }
      }

      output file /var/log/caddy/errors.example.com.log {
          roll_size 10MiB
          roll_keep 3
          roll_keep_for 7d
          roll_uncompressed
      }
  }
}

This is suspicious

Ensure you have the correct API token. Follow the instructions here:

libdns/cloudflare: Cloudflare provider implementation for libdns (https://github.com/libdns/cloudflare)
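As an added example (not from this thread and not part of Caddy or the libdns/cloudflare project), here is a small Go program that checks a Cloudflare API token outside Caddy before blaming the DNS plugin. It first looks for shape problems that would produce a malformed "Authorization: Bearer <token>" header, which is the header scheme libdns/cloudflare sends, and then calls Cloudflare's token verification endpoint and reports the token status. Note that the Caddyfile only treats double quotes and backticks as quote characters, so a token written as 'abc' keeps the single quotes as part of the value. The baseURL parameter, the [A-Za-z0-9_-] character-set check and the environment variable name are assumptions made for this example.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"os"
	"strings"
	"time"
)

// cfError mirrors one entry of Cloudflare's "errors" array (e.g. code 6003).
type cfError struct {
	Code    int    `json:"code"`
	Message string `json:"message"`
}

// verifyResponse is the subset of GET /client/v4/user/tokens/verify we need.
type verifyResponse struct {
	Success bool      `json:"success"`
	Errors  []cfError `json:"errors"`
	Result  struct {
		Status string `json:"status"` // "active", "disabled" or "expired"
	} `json:"result"`
}

// CheckTokenShape reports why a token string would yield a malformed
// "Authorization: Bearer <token>" header before any request is made.
// The character-set rule is an assumption for this example: Cloudflare API
// tokens are URL-safe, so quotes, spaces and non-ASCII bytes are a red flag.
func CheckTokenShape(token string) error {
	switch {
	case token == "":
		return errors.New("token is empty")
	case strings.TrimSpace(token) != token:
		return errors.New("token has leading or trailing whitespace")
	case strings.HasPrefix(token, "'") || strings.HasSuffix(token, "'") ||
		strings.HasPrefix(token, `"`) || strings.HasSuffix(token, `"`):
		return errors.New("token is wrapped in quote characters that became part of the value")
	}
	for i, r := range token {
		ok := (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') ||
			(r >= '0' && r <= '9') || r == '_' || r == '-'
		if !ok {
			return fmt.Errorf("token byte %d (%q) is outside [A-Za-z0-9_-]", i, r)
		}
	}
	return nil
}

// VerifyToken sends the same bearer header libdns/cloudflare would send to
// the verification endpoint under baseURL (https://api.cloudflare.com in
// production; overridable so the call can be tested offline) and returns the
// token status, or an error carrying Cloudflare's error codes.
func VerifyToken(ctx context.Context, client *http.Client, baseURL, token string) (string, error) {
	if err := CheckTokenShape(token); err != nil {
		return "", fmt.Errorf("refusing to send malformed token: %w", err)
	}
	url := strings.TrimRight(baseURL, "/") + "/client/v4/user/tokens/verify"
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return "", err
	}
	var vr verifyResponse
	if err := json.Unmarshal(body, &vr); err != nil {
		return "", fmt.Errorf("HTTP %d: unparseable body: %w", resp.StatusCode, err)
	}
	if !vr.Success {
		return "", fmt.Errorf("HTTP %d: %v", resp.StatusCode, vr.Errors)
	}
	return vr.Result.Status, nil
}

func main() {
	// CLOUDFLARE_API_TOKEN is an assumed variable name for this example.
	token := os.Getenv("CLOUDFLARE_API_TOKEN")
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	defer cancel()
	status, err := VerifyToken(ctx, &http.Client{}, "https://api.cloudflare.com", token)
	if err != nil {
		fmt.Fprintln(os.Stderr, "token check failed:", err)
		os.Exit(1)
	}
	fmt.Println("token status:", status)
}
```

Run it with the exact token string you put in the Caddyfile; if CheckTokenShape rejects it, the header Caddy builds is malformed regardless of the token's permissions, and if Cloudflare answers with an error array, the codes in it are the same ones that surface in the Caddy log above. A token that verifies as "active" but still fails during issuance points at zone permissions rather than the header.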