Using acme DNS in global options but can't solve DNS challenges for cert issuance but could work on directives

1. Caddy version (caddy version): 2.4.6

2. How I run Caddy:

# desired Caddy version
ARG VERSION=2.4.6

###########
# builder #
FROM caddy:${VERSION}-builder-alpine AS builder
ARG VERSION
RUN xcaddy build v${VERSION} \
    --with github.com/caddy-dns/cloudflare

#########
# image #
FROM caddy:${VERSION}-alpine
COPY --from=builder /usr/bin/caddy /usr/bin/caddy

a. System environment:

OS Information 	linux x86_64 Slackware 14.2 x86_64 (post 14.2 -current)
Kernel Version 	5.10.28-Unraid
Total CPU 	16
Total memory 	16.8 GB
Version 	20.10.5 (API: 1.41)
Root directory 	/var/lib/docker
Storage Driver 	btrfs
Logging Driver 	json-file
Volume Plugins 	local
Network Plugins 	bridge, host, ipvlan, macvlan, null, overlay

b. Command:

Paste command here.

c. Service/unit/compose file:

version: '3.9'

services:
  caddy:
    image: erfianugrah/caddy-cfdns:v1.2-2.4.6
    hostname: caddy
    container_name: caddy
    restart: unless-stopped
    network_mode: host
    privileged: true
    volumes:
      - /mnt/user/data/caddy/Caddyfile:/etc/caddy/Caddyfile
      - /mnt/user/data/caddy/site:/srv
      - /mnt/user/data/caddy/data:/data
      - /mnt/user/data/caddy/config:/config
      - /mnt/user/data/caddy/log:/var/log
    environment:
      - TZ=Asia/Singapore
      - CF_API_TOKEN=${CF_API_TOKEN}
      - EMAIL=${EMAIL}

d. My complete Caddyfile or JSON config:

{
	email {env.EMAIL}
	acme_dns cloudflare {env.CF_API_TOKEN}
	cert_issuer acme
	http_port 80
	https_port 443
	admin localhost:2019
	debug
	grace_period 5s
	log {
		level debug
		output file /var/log/access.log {
			roll_size 1gb
			roll_keep 5
			roll_keep_for 720h
		}
	}
	servers {
		protocol {
			strict_sni_host
		}
	}
}

erfianugrah.com {
	tls {
		resolvers 1.1.1.1
	}
	@image path_regexp image ^.*\.(jpe?g|png|gif|webp)$
	header @image {
		defer
		Cache-Control "public, max-age=31536000, stale-while-revalidate=31536000"
		Access-Control-Allow-Origin "*"
		Access-Control-Max-Age "86400"
	}
	reverse_proxy 172.18.0.2:2368
}

port.erfianugrah.com {
	tls {
		resolvers 1.1.1.1
	}
	reverse_proxy 172.17.0.3:9000
}

servarr.erfianugrah.com {
	tls {
		resolvers 1.1.1.1
	}
	reverse_proxy localhost:90
}

plex.erfianugrah.com {
	tls {
		resolvers 1.1.1.1
	}
	reverse_proxy 172.19.0.8:32400
}

hydra.erfianugrah.com {
	tls {
		resolvers 1.1.1.1
	}
	reverse_proxy 172.19.0.7:5076
}

nzb.erfianugrah.com {
	tls {
		resolvers 1.1.1.1
	}
	reverse_proxy 172.19.0.6:7000
}

sonarr.erfianugrah.com {
	tls {
		resolvers 1.1.1.1
	}
	reverse_proxy 172.19.0.3:8989
}

radarr.erfianugrah.com {
	tls {
		resolvers 1.1.1.1
	}
	reverse_proxy 172.19.0.2:7878
}

bazarr.erfianugrah.com {
	tls {
		resolvers 1.1.1.1
	}
	reverse_proxy 172.19.0.4:6767
}

lidarr.erfianugrah.com {
	tls {
		resolvers 1.1.1.1
	}
	reverse_proxy 172.19.0.5:8686
}

nextcloud.erfianugrah.com {
	tls {
		resolvers 1.1.1.1
	}
	reverse_proxy 172.21.0.2:80
}

grafana-unraid.erfianugrah.com {
	tls {
		resolvers 1.1.1.1
	}
	reverse_proxy 172.17.0.2:3000
}

prom-unraid.erfianugrah.com {
	tls {
		resolvers 1.1.1.1
	}
	reverse_proxy 172.17.0.4:9090
}

vaultwarden.erfianugrah.com {
	tls {
		resolvers 1.1.1.1
	}
	encode gzip
	reverse_proxy /notifications/hub 172.20.0.2:3012
	reverse_proxy 172.20.0.2:80 {
		header_up X-Real-IP {remote_host}
	}
}

3. The problem I’m having:

Not sure if the global option is even doing anything; the past issuances were with HTTP when I didn’t have acme DNS set up, I just had to grey-cloud on CF. But this new host doesn’t work now.

4. Error messages and/or full log output:

{"level":"debug","ts":1642317283.304537,"logger":"tls.issuance.acme.acme_client","msg":"no solver configured","challenge_type":"dns-01"}
{"level":"info","ts":1642317283.3046834,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"vaultwarden.erfianugrah.com","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"debug","ts":1642317284.6302872,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"172.19.0.3:8989","duration":0.007560517,"request":{"remote_addr":"192.168.1.227:62246","proto":"HTTP/2.0","method":"GET","host":"sonarr.erfianugrah.com","uri":"/api/v3/command","headers":{"Sec-Fetch-Mode":["cors"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0"],"Accept":["application/json, text/javascript, */*; q=0.01"],"Sec-Fetch-Dest":["empty"],"X-Forwarded-Proto":["https"],"Sec-Fetch-Site":["same-origin"],"Te":["trailers"],"Accept-Language":["en-GB,en;q=0.5"],"Accept-Encoding":["gzip, deflate, br"],"X-Api-Key":["4d6b845835534fcfbf58b2cd1b726a95"],"X-Requested-With":["XMLHttpRequest"],"Dnt":["1"],"Referer":["https://sonarr.erfianugrah.com/"],"Cookie":["SonarrAuth=AxKYi1OVcfiRNkAWJwN0%2fkXLtUPz2QEaOhTIU4Q88EY%3do%2bYeDwXOJmHs8CPtWFHo43XcrW6s4b2N6GPInUNGFzMJk7YxkhN2PC%2bgT6RvEcf6"],"X-Forwarded-For":["192.168.1.227"]},"tls":{"resumed":true,"version":772,"cipher_suite":4865,"proto":"h2","proto_mutual":true,"server_name":"sonarr.erfianugrah.com"}},"headers":{"Date":["Sun, 16 Jan 2022 07:14:44 GMT"],"Vary":["Accept"],"Access-Control-Allow-Origin":["*"],"Set-Cookie":["SonarrAuth=AxKYi1OVcfiRNkAWJwN0%2fkXLtUPz2QEaOhTIU4Q88EY%3do%2bYeDwXOJmHs8CPtWFHo43XcrW6s4b2N6GPInUNGFzMJk7YxkhN2PC%2bgT6RvEcf6; path=/; expires=Sun, 23-Jan-2022 07:14:44 GMT; HttpOnly; SameSite=Lax"],"Server":["Mono-HTTPAPI/1.0"],"Content-Encoding":["gzip"],"Content-Type":["application/json; charset=utf-8"],"Keep-Alive":["timeout=15,max=100"],"X-Application-Version":["3.0.6.1342"],"Cache-Control":["no-cache, no-store, must-revalidate, max-age=0"],"Pragma":["no-cache"],"Expires":["0"]},"status":200}
{"level":"debug","ts":1642317285.902872,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/chall/tM-_8Y7sHENNy_vyILssAw","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["164"],"Content-Type":["application/json"],"Date":["Sun, 16 Jan 2022 07:14:45 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\"","<https://acme.zerossl.com/v2/DV90/authz/7o05y6voi8f8K9tpgkwy8A>;rel=\"up\""],"Replay-Nonce":["cXp_8bbbrLA3N8uKlrkpFI7ASWhji4M56cpCjQpJjuc"],"Retry-After":["10"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]},"status_code":200}
{"level":"debug","ts":1642317285.9036982,"logger":"tls.issuance.acme.acme_client","msg":"challenge accepted","identifier":"vaultwarden.erfianugrah.com","challenge_type":"http-01"}
{"level":"debug","ts":1642317268.268725,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/1441475148","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["40180628"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["1855"],"Content-Type":["application/json"],"Date":["Sun, 16 Jan 2022 07:14:28 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0002gCOcGA-03k_KcHaWhwro5xcjL51MkOXaJPLY03BGUtw"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"error","ts":1642317268.269506,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"vaultwarden.erfianugrah.com","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Invalid response from https://vaultwarden.erfianugrah.com/.well-known/acme-challenge/ycCWWeaG42BB8skQcqo11O8wapaR0oIUPr7LvBfSfWw [2606:4700::6810:ed85]: \"<!DOCTYPE html>\\n<!--[if lt IE 7]> <html class=\\\"no-js ie6 oldie\\\" lang=\\\"en-US\\\"> <![endif]-->\\n<!--[if IE 7]>    <html class=\\\"no-js \"","instance":"","subproblems":[]}}
{"level":"error","ts":1642317268.2696366,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"vaultwarden.erfianugrah.com","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Invalid response from https://vaultwarden.erfianugrah.com/.well-known/acme-challenge/ycCWWeaG42BB8skQcqo11O8wapaR0oIUPr7LvBfSfWw [2606:4700::6810:ed85]: \"<!DOCTYPE html>\\n<!--[if lt IE 7]> <html class=\\\"no-js ie6 oldie\\\" lang=\\\"en-US\\\"> <![endif]-->\\n<!--[if IE 7]>    <html class=\\\"no-js \"","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/40180628/1544867918","attempt":2,"max_attempts":3}
{"level":"debug","ts":1642317269.4954445,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["40180628"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["363"],"Content-Type":["application/json"],"Date":["Sun, 16 Jan 2022 07:14:29 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/order/40180628/1544868078"],"Replay-Nonce":["0002ixubGOULkMzCeBEJ2qsKJEbGndC-5feXe3Z4O3Cr4Qo"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}
{"level":"debug","ts":1642317269.701591,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/1441475298","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["40180628"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["829"],"Content-Type":["application/json"],"Date":["Sun, 16 Jan 2022 07:14:29 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0002jPqHGns10rv8G6qmo4anN8GdqytBgIWDhEfLI4bStq8"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1642317269.7017796,"logger":"tls.issuance.acme.acme_client","msg":"no solver configured","challenge_type":"dns-01"}
{"level":"debug","ts":1642317269.9105122,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/1441475298","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["40180628"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["833"],"Content-Type":["application/json"],"Date":["Sun, 16 Jan 2022 07:14:29 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0002A0cTLjILulcJliR1IQZv6wSLwX0C_aryx5JvR9Jgn_0"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}

5. What I already tried:

I tried specifying the resolvers and forcing on acme as the cert issuer.

Tried this as well:

vaultwarden.erfianugrah.com {
	tls {
		dns cloudflare {env.CF_API_TOKEN}
		resolvers 1.1.1.1
	}
	encode gzip
	reverse_proxy /notifications/hub 172.20.0.2:3012
	reverse_proxy 172.20.0.2:80 {
		header_up X-Real-IP {remote_host}
	}
}

Which resulted in this:

{"level":"debug","ts":1642318980.2555122,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/12z-hAOGcDwY-iDBV_kSfA","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["457"],"Content-Type":["application/json"],"Date":["Sun, 16 Jan 2022 07:43:00 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["WFbi5d00AWzGDAcTB5qqbWsW4LOKVGpOGuqrnc718hs"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]},"status_code":200}
{"level":"info","ts":1642318980.2558122,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"vaultwarden.erfianugrah.com","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"debug","ts":1642318990.339418,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/chall/VyQazG90IOt5C8r1ap_ZVQ","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["163"],"Content-Type":["application/json"],"Date":["Sun, 16 Jan 2022 07:43:10 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\"","<https://acme.zerossl.com/v2/DV90/authz/12z-hAOGcDwY-iDBV_kSfA>;rel=\"up\""],"Replay-Nonce":["VPzh3o6HD6uZ0qBV0WIXJVAGJyGR95Rk3GkEs4kuqJ4"],"Retry-After":["10"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]},"status_code":200}
{"level":"debug","ts":1642318990.3397338,"logger":"tls.issuance.acme.acme_client","msg":"challenge accepted","identifier":"vaultwarden.erfianugrah.com","challenge_type":"dns-01"}
{"level":"debug","ts":1642318996.0105262,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/12z-hAOGcDwY-iDBV_kSfA","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["326"],"Content-Type":["application/json"],"Date":["Sun, 16 Jan 2022 07:43:15 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["YaoVEJUUjCIGq4Zf7awqDkkAdEwZ3ThaLuS0lOO3Qc8"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]},"status_code":200}
{"level":"info","ts":1642318996.3237948,"logger":"tls.issuance.acme.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme.zerossl.com/v2/DV90/order/l76Q1zYKgwh8KmBVHqxY3A"}
{"level":"debug","ts":1642319001.2273762,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/order/l76Q1zYKgwh8KmBVHqxY3A/finalize","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["292"],"Content-Type":["application/json"],"Date":["Sun, 16 Jan 2022 07:43:21 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/l76Q1zYKgwh8KmBVHqxY3A"],"Replay-Nonce":["FF4FluCKaH-bkGP0Ax72Qxiyd8gLoLnUTovU5mY5Ez0"],"Retry-After":["15"],"Server":["nginx"],"Status":[""],"Strict-Transport-Security":["max-age=15552000"]},"status_code":200}
{"level":"debug","ts":1642319021.4281766,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/order/l76Q1zYKgwh8KmBVHqxY3A","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["364"],"Content-Type":["application/json"],"Date":["Sun, 16 Jan 2022 07:43:41 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/l76Q1zYKgwh8KmBVHqxY3A"],"Replay-Nonce":["DKNla2CrUXViQ5EJlC0-7POm9t3yRiHV36OxM-KEaJU"],"Server":["nginx"],"Status":[""],"Strict-Transport-Security":["max-age=15552000"]},"status_code":200}
{"level":"debug","ts":1642319026.3529727,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/cert/ZXqWeNWRz2swlqZhmOdDew","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["4148"],"Content-Type":["application/pem-certificate-chain"],"Date":["Sun, 16 Jan 2022 07:43:46 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["ZF98-14E0FXoVl_OD9MJ3FgPiZdY1Ra1KtltHHWbI_c"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]},"status_code":200}
{"level":"info","ts":1642319026.3532124,"logger":"tls.issuance.acme.acme_client","msg":"successfully downloaded available certificate chains","count":1,"first_url":"https://acme.zerossl.com/v2/DV90/cert/ZXqWeNWRz2swlqZhmOdDew"}
{"level":"info","ts":1642319026.436798,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"vaultwarden.erfianugrah.com"}
{"level":"info","ts":1642319026.4368877,"logger":"tls.obtain","msg":"releasing lock","identifier":"vaultwarden.erfianugrah.com"}
{"level":"debug","ts":1642319026.4391541,"logger":"tls","msg":"loading managed certificate","domain":"vaultwarden.erfianugrah.com","expiration":1650153599,"issuer_key":"acme.zerossl.com-v2-DV90","storage":"FileStorage:/data/caddy"}
{"level":"warn","ts":1642319027.4483824,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [vaultwarden.erfianugrah.com]: parsing OCSP response: ocsp: error from server: unauthorized"}
{"level":"debug","ts":1642319027.4485528,"logger":"tls.cache","msg":"added certificate to cache","subjects":["vaultwarden.erfianugrah.com"],"expiration":1650153599,"managed":true,"issuer_key":"acme.zerossl.com-v2-DV90","hash":"88681f2a0270a02c5f4fc419b5eae115b4639dfbfd3e61b353cd29d344585240","cache_size":14,"cache_capacity":10000}

Why wouldn’t the global option work?

6. Links to relevant resources:

Okay, it was because of my API token. facepalm

FYI, when using the log global option, these aren’t access logs anymore, but instead Caddy’s runtime logs. The filename is kinda misleading.

You can remove these options, they’re already the default and therefore redundant.

The problem is that you’re configuring resolvers here, which causes that site to use an otherwise default TLS config (without DNS challenge configured). We don’t have a resolvers global option yet that would allow you to set both globally at the same time.

In this case for now, you’d probably be better off using a Caddyfile snippet to reuse the TLS config for each site:

2 Likes
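As an added illustration of the snippet approach the reply describes (this is not the reply's own snippet, which is not preserved here), a Caddyfile that carries both the Cloudflare DNS challenge and the custom resolvers into every site through one reusable block, assuming the same `CF_API_TOKEN` and `EMAIL` variables as the compose file above:

```caddyfile
{
	email {env.EMAIL}
	# acme_dns is left out here on purpose: the snippet below sets the DNS
	# challenge per site, so the global option would only be redundant.
}

# Snippet holding the whole TLS config. A site that declares its own
# tls block gets a default TLS config, which has no DNS solver, so the
# dns line has to travel together with resolvers.
(cf_tls) {
	tls {
		dns cloudflare {env.CF_API_TOKEN}
		resolvers 1.1.1.1
	}
}

vaultwarden.erfianugrah.com {
	import cf_tls
	encode gzip
	reverse_proxy /notifications/hub 172.20.0.2:3012
	reverse_proxy 172.20.0.2:80 {
		header_up X-Real-IP {remote_host}
	}
}

sonarr.erfianugrah.com {
	import cf_tls
	reverse_proxy 172.19.0.3:8989
}
```

The quick check is the debug log: a site still on the default TLS config logs `"msg":"no solver configured","challenge_type":"dns-01"` and falls back to http-01, while one importing the snippet logs `"trying to solve challenge"` with `"challenge_type":"dns-01"` as in the successful issuance above. This still requires the cloudflare module to be built in, as the Dockerfile at the top of the thread does.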

Ah that makes a lot of sense!

1 Like
