Unable to start caddy service and obtain certificate


(Franklin Lee) #1

Hi,

I’m trying to use Caddy with a domain on Cloudflare. When I try to start the caddy service I get the following error message.

Mar 03 03:09:03 ncloud01 caddy[14964]: Please enter your email address to signify agreement and to be notified

Mar 03 03:09:03 ncloud01 caddy[14964]: in case of issues. You can leave it blank, but we don’t recommend it.

Mar 03 03:09:03 ncloud01 caddy[14964]: Email address: 2019/03/03 03:09:03 [INFO] [example.com] acme: Obtaining bundled SAN certificate

Mar 03 03:09:03 ncloud01 caddy[14964]: 2019/03/03 03:09:03 [INFO] [example.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/qYh3G_F_fyYsPbO6aiaFoWZoIkDMA61jCxGYZAkrq0A

Mar 03 03:09:03 ncloud01 caddy[14964]: 2019/03/03 03:09:03 [INFO] [example.com] acme: use tls-alpn-01 solver

Mar 03 03:09:03 ncloud01 caddy[14964]: 2019/03/03 03:09:03 [INFO] [example.com] acme: Trying to solve TLS-ALPN-01

Mar 03 03:09:19 ncloud01 caddy[14964]: 2019/03/03 03:09:19 [example.com] failed to obtain certificate: acme: Error -> One or more domains had a problem:

Mar 03 03:09:19 ncloud01 caddy[14964]: [example.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Timeout during connect (likely firewall problem), url:

I’ve verified that the host can reach out to the ACME servers, but for some reason it’s not getting the certs.


(Matthew Fay) #2

That’s only one half of it. The ACME servers have to be able to reach back out, independently, and connect to your server (via the public DNS, to ensure that your server is in fact serving on that public domain).

Timeout during connect means that the ACME server did a lookup for the domain you requested, attempted to connect, but never got a response. No response means they can’t get a challenge token back, can’t verify you own the domain, and can’t issue a certificate.


(Franklin Lee) #3

So if my server is not publicly accessible, ACME servers won’t be able to grant the certificate?


(Matthew Fay) #4

The ACME server’s most important function is validating that you own or control the domain you’re requesting a certificate for.

One method, the fastest and simplest one, is to have your server answer a challenge when the ACME server attempts to connect to the host indicated by the public domain name system.

If it can’t connect, it can’t use this method.

The other way to prove ownership / control is to add a TXT record to the domain. This doesn’t require public access to the server, but it does require a compatible DNS provider and some extra Caddy configuration.

https://caddyserver.com/docs/automatic-https#dns-challenge
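The two replies above turn on what the "challenge token" actually is and why the DNS route works without inbound access. The added example below (not code from the thread or from Caddy) derives the three ACME challenge responses from one account key and one token, following RFC 8555 (HTTP-01, DNS-01), RFC 8737 (TLS-ALPN-01) and RFC 7638 (JWK thumbprint). HTTP-01 and TLS-ALPN-01 only succeed if the CA can connect inbound to the host the public DNS points at; DNS-01 only needs the computed TXT record published, which is what a DNS provider plugin does on the server's behalf. The JWK, token and domain are constructed sample values, not real keys.

```python
import base64
import hashlib
import json

# Constructed sample inputs: a P-256 public JWK standing in for the ACME
# account key, and a challenge token as the CA would hand it out. Neither
# is a real key or a real token.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

# Public key members that go into the thumbprint, per RFC 7638 section 3.2.
_THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, keys sorted
    lexicographically, no whitespace. Extra members such as kid are ignored."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps(
        {k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":")
    )
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint(accountKey)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict) -> tuple[str, str]:
    """HTTP-01: the CA fetches this path over plain HTTP on port 80 and
    expects the key authorization as the body. Needs inbound reachability."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def tls_alpn01_extension(token: str, jwk: dict) -> bytes:
    """TLS-ALPN-01 (RFC 8737): the CA opens a TLS connection to port 443
    with ALPN 'acme-tls/1' and SNI set to the domain, and expects a
    self-signed cert carrying the acmeIdentifier extension whose value is
    SHA-256(keyAuthorization) as a DER OCTET STRING. Needs inbound reachability."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b"\x04\x20" + digest  # OCTET STRING tag, length 32, then the digest


def dns01_record(domain: str, token: str, jwk: dict) -> tuple[str, str]:
    """DNS-01 (RFC 8555 section 8.4): publish this TXT record; the CA only
    queries public DNS, so the server itself need not be reachable."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


if __name__ == "__main__":
    domain = "example.com"  # sample domain, as in the thread's log lines
    path, body = http01_response(TOKEN, ACCOUNT_JWK)
    print(f"HTTP-01    GET http://{domain}{path} must return {body}")
    ext = tls_alpn01_extension(TOKEN, ACCOUNT_JWK)
    print(f"TLS-ALPN-01 acmeIdentifier extension value: {ext.hex()}")
    name, value = dns01_record(domain, TOKEN, ACCOUNT_JWK)
    print(f"DNS-01     {name} IN TXT \"{value}\"")
```

Note that DNS-01 and TLS-ALPN-01 carry the same SHA-256 digest of the key authorization, just encoded differently (base64url text in a TXT record versus raw bytes in a certificate extension); HTTP-01 serves the key authorization itself. A quick check that you are in the "Timeout during connect" situation from the first post is to open a TCP connection to port 443 of the public name from a host outside your network: if that hangs, the CA's TLS-ALPN-01 attempt will hang the same way.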