Unable to solve challenges

1. The problem I’m having:

I have been trying to get a reverse proxy set up with Caddy and DuckDNS for use with a Jellyfin server for 2 days now and I’m at the end of my rope.

2. Error messages and/or full log output:

C:\Tools\Caddy>caddy run --config Caddyfile
2023/10/02 00:14:10.079 e[34mINFOe[0m   using provided configuration    {"config_file": "Caddyfile", "config_adapter": ""}
2023/10/02 00:14:10.079 e[33mWARNe[0m   Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies    {"adapter": "caddyfile", "file": "Caddyfile", "line": 6}
2023/10/02 00:14:10.100 e[34mINFOe[0m   admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["//127.0.0.1:2019", "//localhost:2019", "//[::1]:2019"]}
2023/10/02 00:14:10.101 e[34mINFOe[0m   tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc00048a100"}
2023/10/02 00:14:10.101 e[34mINFOe[0m   http.auto_https server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2023/10/02 00:14:10.102 e[34mINFOe[0m   http.auto_https enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2023/10/02 00:14:10.102 e[35mDEBUGe[0m  http.auto_https adjusted config {"tls": {"automation":{"policies":[{"subjects":["balthasar2.duckdns.org"]},{}]}}, "http": {"servers":{"remaining_auto_https_redirects":{"listen":[":80"],"routes":[{},{}]},"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"localhost:8096"}]}]}]}],"terminal":true}],"tls_connection_policies":[{}],"automatic_https":{}}}}}
2023/10/02 00:14:10.103 e[34mINFOe[0m   tls     cleaning storage unit   {"description": "FileStorage:C:\\Users\\BALTHASAR-2\\AppData\\Roaming\\Caddy"}
2023/10/02 00:14:10.103 e[34mINFOe[0m   http    enabling HTTP/3 listener        {"addr": ":443"}
2023/10/02 00:14:10.103 e[34mINFOe[0m   tls     finished cleaning storage units
2023/10/02 00:14:10.104 e[35mDEBUGe[0m  http    starting server loop    {"address": "[::]:443", "tls": true, "http3": true}
2023/10/02 00:14:10.104 e[34mINFOe[0m   http.log        server running  {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2023/10/02 00:14:10.104 e[35mDEBUGe[0m  http    starting server loop    {"address": "[::]:80", "tls": false, "http3": false}
2023/10/02 00:14:10.104 e[34mINFOe[0m   http.log        server running  {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2023/10/02 00:14:10.105 e[34mINFOe[0m   http    enabling automatic TLS certificate management   {"domains": ["balthasar2.duckdns.org"]}
2023/10/02 00:14:10.116 e[34mINFOe[0m   autosaved config (load with --resume flag)      {"file": "C:\\Users\\BALTHASAR-2\\AppData\\Roaming\\Caddy\\autosave.json"}
2023/10/02 00:14:10.117 e[34mINFOe[0m   serving initial configuration
2023/10/02 00:14:10.117 e[34mINFOe[0m   tls.obtain      acquiring lock  {"identifier": "balthasar2.duckdns.org"}
2023/10/02 00:14:10.145 e[34mINFOe[0m   tls.obtain      lock acquired   {"identifier": "balthasar2.duckdns.org"}
2023/10/02 00:14:10.153 e[34mINFOe[0m   tls.obtain      obtaining certificate   {"identifier": "balthasar2.duckdns.org"}
2023/10/02 00:14:10.153 e[35mDEBUGe[0m  events  event   {"name": "cert_obtaining", "id": "5d8bccff-139b-4937-92c7-60bc5656d99f", "origin": "tls", "data": {"identifier":"balthasar2.duckdns.org"}}
2023/10/02 00:14:10.155 e[35mDEBUGe[0m  tls.obtain      trying issuer 1/2       {"issuer": "acme-v02.api.letsencrypt.org-directory"}
2023/10/02 00:14:11.548 e[35mDEBUGe[0m  tls.issuance.acme.acme_client   http request    {"method": "GET", "url": "https://acme-v02.api.letsencrypt.org/directory", "headers": {"User-Agent":["Caddy/2.7.4 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["752"],"Content-Type":["application/json"],"Date":["Mon, 02 Oct 2023 00:14:06 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2023/10/02 00:14:11.935 e[35mDEBUGe[0m  tls.issuance.acme.acme_client   http request    {"method": "HEAD", "url": "https://acme-v02.api.letsencrypt.org/acme/new-nonce", "headers": {"User-Agent":["Caddy/2.7.4 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Date":["Mon, 02 Oct 2023 00:14:07 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["ufY58pLaIbvqtxLZw4Rv4sxtYP39Tefo2OhdR9_HxSsgJQzU4ko"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2023/10/02 00:14:12.405 e[35mDEBUGe[0m  tls.issuance.acme.acme_client   http request    {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/new-acct", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Boulder-Requester":["1338794386"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["326"],"Content-Type":["application/json"],"Date":["Mon, 02 Oct 2023 00:14:07 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf>;rel=\"terms-of-service\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/acct/1338794386"],"Replay-Nonce":["ufY58pLaHpY0uSpAZaqRtbw1SKF5UcuVmQhmhSgvvWg11Bs8TUw"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 201}
2023/10/02 00:14:12.452 e[34mINFOe[0m   tls.issuance.acme       waiting on internal rate limiter        {"identifiers": ["balthasar2.duckdns.org"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "<redacted>@gmail.com"}
2023/10/02 00:14:12.453 e[34mINFOe[0m   tls.issuance.acme       done waiting on internal rate limiter   {"identifiers": ["balthasar2.duckdns.org"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "<redacted>@gmail.com"}
2023/10/02 00:14:13.295 e[35mDEBUGe[0m  tls.issuance.acme.acme_client   http request    {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/new-order", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Boulder-Requester":["1338794386"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["348"],"Content-Type":["application/json"],"Date":["Mon, 02 Oct 2023 00:14:08 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/order/1338794386/212213182156"],"Replay-Nonce":["GuszAyB3ADwtSKSEGLcKmARI7BOFK4C2i5msbNVNiGoVkwXmOTQ"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 201}
2023/10/02 00:14:13.689 e[35mDEBUGe[0m  tls.issuance.acme.acme_client   http request    {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/authz-v3/269841738126", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Boulder-Requester":["1338794386"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["806"],"Content-Type":["application/json"],"Date":["Mon, 02 Oct 2023 00:14:09 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["ufY58pLank-gYKcZtmEjpDe9n1owSY6_s4OoESrzbAv1BL8UTGM"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2023/10/02 00:14:13.694 e[34mINFOe[0m   tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "balthasar2.duckdns.org", "challenge_type": "dns-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2023/10/02 00:16:53.872 e[31mERRORe[0m  tls.issuance.acme.acme_client   cleaning up solver      {"identifier": "balthasar2.duckdns.org", "challenge_type": "dns-01", "error": "no memory of presenting a DNS record for \"_acme-challenge.balthasar2.duckdns.org\" (usually OK if presenting also failed)"}
2023/10/02 00:16:54.267 e[35mDEBUGe[0m  tls.issuance.acme.acme_client   http request    {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/authz-v3/269841738126", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Boulder-Requester":["1338794386"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["810"],"Content-Type":["application/json"],"Date":["Mon, 02 Oct 2023 00:16:49 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["ufY58pLa1aoIna_Byqm8tVDBc5Q8CycrJ7Putz6q1Yv3wBjym-w"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2023/10/02 00:16:54.269 e[31mERRORe[0m  tls.obtain      could not get certificate from issuer   {"identifier": "balthasar2.duckdns.org", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[balthasar2.duckdns.org] solving challenges: presenting for challenge: could not determine zone for domain \"_acme-challenge.balthasar2.duckdns.org\": could not find the start of authority for _acme-challenge.balthasar2.duckdns.org.: dial tcp 1.0.0.1:53: connectex: An attempt was made to access a socket in a way forbidden by its access permissions. (order=https://acme-v02.api.letsencrypt.org/acme/order/1338794386/212213182156) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
2023/10/02 00:16:54.273 e[35mDEBUGe[0m  tls.obtain      trying issuer 2/2       {"issuer": "acme.zerossl.com-v2-DV90"}
2023/10/02 00:16:57.069 e[34mINFOe[0m   tls.issuance.zerossl    generated EAB credentials       {"key_id": "E-tMV-ndH1ZUZT6TU4POfg"}
2023/10/02 00:16:59.021 e[35mDEBUGe[0m  tls.issuance.zerossl.acme_client        http request    {"method": "GET", "url": "https://acme.zerossl.com/v2/DV90", "headers": {"User-Agent":["Caddy/2.7.4 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Access-Control-Allow-Origin":["*"],"Content-Length":["645"],"Content-Type":["application/json"],"Date":["Mon, 02 Oct 2023 00:16:54 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]}, "status_code": 200}
2023/10/02 00:16:59.723 e[35mDEBUGe[0m  tls.issuance.zerossl.acme_client        http request    {"method": "HEAD", "url": "https://acme.zerossl.com/v2/DV90/newNonce", "headers": {"User-Agent":["Caddy/2.7.4 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Type":["application/octet-stream"],"Date":["Mon, 02 Oct 2023 00:16:55 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["6-P0V6T2GV9gTDWnRu0wT4RIEyFVR3Oue0LGzqETyl8"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]}, "status_code": 200}
2023/10/02 00:17:00.556 e[35mDEBUGe[0m  tls.issuance.zerossl.acme_client        http request    {"method": "POST", "url": "https://acme.zerossl.com/v2/DV90/newAccount", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["587"],"Content-Type":["application/json"],"Date":["Mon, 02 Oct 2023 00:16:55 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Location":["https://acme.zerossl.com/v2/DV90/account/E-tMV-ndH1ZUZT6TU4POfg"],"Replay-Nonce":["CddAyDSah5dCA3IFrI_dsmk2B8gSxtVOlH_cJJHI2zQ"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]}, "status_code": 201}
2023/10/02 00:17:00.589 e[34mINFOe[0m   tls.issuance.zerossl    waiting on internal rate limiter        {"identifiers": ["balthasar2.duckdns.org"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "<redacted>@gmail.com"}
2023/10/02 00:17:00.590 e[34mINFOe[0m   tls.issuance.zerossl    done waiting on internal rate limiter   {"identifiers": ["balthasar2.duckdns.org"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "<redacted>@gmail.com"}
2023/10/02 00:17:01.813 e[35mDEBUGe[0m  tls.issuance.zerossl.acme_client        http request    {"method": "POST", "url": "https://acme.zerossl.com/v2/DV90/newOrder", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["284"],"Content-Type":["application/json"],"Date":["Mon, 02 Oct 2023 00:16:57 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/u2lYM0-c2Y9T9G4xqy6C5g"],"Replay-Nonce":["HgH0BXAjpI3ebC1Td9_6PT1C4xIJuZliFoyanFp-HPw"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]}, "status_code": 201}
2023/10/02 00:17:02.778 e[35mDEBUGe[0m  tls.issuance.zerossl.acme_client        http request    {"method": "POST", "url": "https://acme.zerossl.com/v2/DV90/authz/bg8i3wIkDUb3gek9Hg_Fbg", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["452"],"Content-Type":["application/json"],"Date":["Mon, 02 Oct 2023 00:16:58 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["dfY2t7k12_gQZfVtVZLqnaKNEmj4i0F7QRLGvUDvnyM"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]}, "status_code": 200}
2023/10/02 00:17:02.791 e[34mINFOe[0m   tls.issuance.zerossl.acme_client        trying to solve challenge       {"identifier": "balthasar2.duckdns.org", "challenge_type": "dns-01", "ca": "https://acme.zerossl.com/v2/DV90"}
2023/10/02 00:19:42.959 e[31mERRORe[0m  tls.issuance.zerossl.acme_client        cleaning up solver      {"identifier": "balthasar2.duckdns.org", "challenge_type": "dns-01", "error": "no memory of presenting a DNS record for \"_acme-challenge.balthasar2.duckdns.org\" (usually OK if presenting also failed)"}
2023/10/02 00:19:46.105 e[35mDEBUGe[0m  tls.issuance.zerossl.acme_client        http request    {"method": "POST", "url": "https://acme.zerossl.com/v2/DV90/authz/bg8i3wIkDUb3gek9Hg_Fbg", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["134"],"Content-Type":["application/json"],"Date":["Mon, 02 Oct 2023 00:19:40 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["bd5Qv5ew2dKv68pLIZMXCGYFlN9kGej-LHctkAw4WyU"],"Retry-After":["86400"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]}, "status_code": 200}
2023/10/02 00:19:46.113 e[31mERRORe[0m  tls.obtain      could not get certificate from issuer   {"identifier": "balthasar2.duckdns.org", "issuer": "acme.zerossl.com-v2-DV90", "error": "[balthasar2.duckdns.org] solving challenges: presenting for challenge: could not determine zone for domain \"_acme-challenge.balthasar2.duckdns.org\": could not find the start of authority for _acme-challenge.balthasar2.duckdns.org.: dial tcp 1.0.0.1:53: connectex: An attempt was made to access a socket in a way forbidden by its access permissions. (order=https://acme.zerossl.com/v2/DV90/order/u2lYM0-c2Y9T9G4xqy6C5g) (ca=https://acme.zerossl.com/v2/DV90)"}
2023/10/02 00:19:46.116 e[35mDEBUGe[0m  events  event   {"name": "cert_failed", "id": "ba5b84ee-daaa-4ffd-aa1a-81a183835e04", "origin": "tls", "data": {"error":{},"identifier":"balthasar2.duckdns.org","issuers":["acme-v02.api.letsencrypt.org-directory","acme.zerossl.com-v2-DV90"],"renewal":false}}
2023/10/02 00:19:46.117 e[31mERRORe[0m  tls.obtain      will retry      {"error": "[balthasar2.duckdns.org] Obtain: [balthasar2.duckdns.org] solving challenges: presenting for challenge: could not determine zone for domain \"_acme-challenge.balthasar2.duckdns.org\": could not find the start of authority for _acme-challenge.balthasar2.duckdns.org.: dial tcp 1.0.0.1:53: connectex: An attempt was made to access a socket in a way forbidden by its access permissions. (order=https://acme.zerossl.com/v2/DV90/order/u2lYM0-c2Y9T9G4xqy6C5g) (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 1, "retrying_in": 60, "elapsed": 335.9649322, "max_duration": 2592000}

3. Caddy version:

I’m using the standard caddy build (2.7.4) + the duckdns module (0.4.0) [latest] found on the downloads page.

4. How I installed and ran Caddy:

Whenever I run caddy run, every single attempt of acme “trying to solve challenge” times out and fails and I can’t make sense of the errors.

a. System environment:

Windows 10, ethernet connection, and ports 80 & 443 opened and confirmed working through telnet test.

b. Command:

caddy run --config Caddyfile

c. Service/unit/compose file:

d. My complete Caddy config:

(duckdns) {
    tls {
        dns duckdns <my-api-key>
    }
}
balthasar2.duckdns.org {
    reverse_proxy localhost:8096
    import duckdns
}

5. Links to relevant resources:

I think something on your system is preventing DNS queries to 1.0.0.1 (i.e. Cloudflare) from working.

Since you’re on Windows, check your firewall settings.


What should I be looking for? (I added an incoming rule to the firewall previously for ports 80,443 and 2019)

You might need to allow the Caddy process to make outgoing connections.

I’m not a Windows networking expert so I’m not sure what else to suggest.
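The outbound check suggested in the replies above, written out as an added PowerShell example (not part of the original thread and not from the Caddy project). It tests whether the host can reach 1.0.0.1 on port 53, lists firewall settings that would block it, and, only if `$ApplyFix` is set, adds an allow rule scoped to the Caddy binary and DNS. The `caddy.exe` file name under `C:\Tools\Caddy`, the rule display names and the `$ApplyFix` switch are assumptions.

```powershell
# Added example; run from an elevated PowerShell session.
$CaddyExe = 'C:\Tools\Caddy\caddy.exe'   # assumed: binary name inside the directory shown in the post
$Resolver = '1.0.0.1'                    # resolver named in the "dial tcp 1.0.0.1:53" error
$Zone     = 'duckdns.org'                # zone Caddy must find the SOA for
$ApplyFix = $false                       # set to $true to create the allow rules below

# 1. Can this host open TCP/53 to the resolver at all?
$tcp = Test-NetConnection -ComputerName $Resolver -Port 53 -WarningAction SilentlyContinue
"TCP/53 to ${Resolver} reachable: $($tcp.TcpTestSucceeded)"

# 2. Repeat the lookup that failed in the log: an SOA query sent to that resolver over TCP.
try {
    Resolve-DnsName -Name $Zone -Type SOA -Server $Resolver -TcpOnly -ErrorAction Stop |
        Format-List
} catch {
    "SOA lookup via ${Resolver} failed: $($_.Exception.Message)"
}

# 3. A profile whose DefaultOutboundAction is Block drops every outbound
#    connection that has no explicit allow rule.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction

# 4. Enabled outbound block rules that target the Caddy binary or remote port 53.
#    Block rules take precedence over allow rules, so these must be removed
#    or narrowed; adding an allow rule will not override them.
Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True |
    Where-Object {
        ($_ | Get-NetFirewallApplicationFilter).Program -eq $CaddyExe -or
        ($_ | Get-NetFirewallPortFilter).RemotePort -contains '53'
    } |
    Select-Object DisplayName, Profile

# 5. Least-privilege fix: allow only this program, only to remote port 53.
if ($ApplyFix) {
    foreach ($proto in 'TCP', 'UDP') {
        New-NetFirewallRule -DisplayName "Caddy outbound DNS ($proto)" `
            -Direction Outbound -Program $CaddyExe `
            -Protocol $proto -RemotePort 53 -Action Allow | Out-Null
    }
    'Allow rules created; restart caddy and watch for the dns-01 challenge to proceed.'
}
```

If step 1 fails while the default outbound action is Allow and step 4 lists nothing, Windows Defender Firewall is not the component refusing the socket, and other filtering software on the host is the next thing to check.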
