V2 Caddyfile problem with Cloudflare plugin

1. My Caddy version (caddy version):

v2

2. How I run Caddy:

I run a custom built docker container with cloudflare plugin

a. System environment:

docker

d. My complete Caddyfile or JSON config:

radarr.mydomain.com {
  tls {
    dns cloudflare {$CLOUDFLARE_API_KEY}
  }
  reverse_proxy / radarr:7878
}

3. The problem I’m having:

Certificate issue errror.

4. Error messages and/or full log output:

caddy    | 2020/05/05 18:35:48 [INFO] [radarr.mydomain.com] acme: Obtaining bundled SAN certificate given a CSR
caddy    | 2020/05/05 18:35:49 [INFO] [radarr.mydomain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/4386806586
caddy    | 2020/05/05 18:35:49 [INFO] [radarr.mydomain.com] acme: Could not find solver for: tls-alpn-01
caddy    | 2020/05/05 18:35:49 [INFO] [radarr.mydomain.com] acme: Could not find solver for: http-01
caddy    | 2020/05/05 18:35:49 [INFO] [radarr.mydomain.com] acme: use dns-01 solver
caddy    | 2020/05/05 18:35:49 [INFO] [radarr.mydomain.com] acme: Preparing to solve DNS-01
caddy    | 2020/05/05 18:35:49 [INFO] [radarr.mydomain.com] acme: Cleaning DNS-01 challenge
caddy    | 2020/05/05 18:35:49 [WARN] [radarr.mydomain.com] acme: cleaning up failed: no memory of presenting a DNS record for radarr.mydomain.com
caddy    | 2020/05/05 18:35:50 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/<number>
caddy    | 2020/05/05 18:35:50 [ERROR] error: one or more domains had a problem:
caddy    | [radarr.mydomain.com] [radarr.mydomain.com] acme: error presenting token: got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}]
caddy    |  (challenge=dns-01 remaining=[])
caddy    | 2020/05/05 18:35:52 [ERROR] attempt 1: [radarr.mydomain.com] Obtain: [radarr.mydomain.com] error: one or more domains had a problem:
caddy    | [radarr.mydomain.com] [radarr.mydomain.com] acme: error presenting token: got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}]

I have the env variable in docker-compose file and I have tried with direct key in Caddyfile. My Dockerfile looks like this:

FROM caddy:2.0.0-builder AS builder

RUN caddy-builder \
  github.com/caddy-dns/cloudflare

FROM caddy:2.0.0

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

Is there something I’m doing wrong and can someone point me into the right direction?

Thanks!

Are you sure CLOUDFLARE_API_KEY is set properly?

You can add --environ to your caddy run command to be sure (check the output).

Hi @matt, thanks for the fast reply. :slight_smile:

Yes, the env is in place, I have tried it both with env and with the real api key and I get the same result.

Strange, can you tell me how to reproduce the error? Your Caddyfile works for me. (I’m using the same plugin with the same config on a server.)

Can you try pulling my image and see if it works for you? nklmilojevic/caddy2-cloudflare on docker hub.

I don’t use Docker, sorry :slightly_frowning_face: Please reproduce it without Docker and I can help!

If it can’t be repro’d without Docker, then it’s a Docker misconfiguration, which someone who knows Docker will have to help you with. @francislavoie might know.

Sounds to me like an incorrectly formatted cloudflare token? What does the format of the token look like, (without leaking the token). Matt should be able to confirm whether his matches what you’re using.

I believe an empty token would result in malformed headers, since the Authorization header would be invalid.

It is a 37 character token with numbers and lower case letters. I’m going to try out with the caddy directly on Ubuntu machine and I’ll let you now if I can reproduce it there.

2 Likes

FYI we’re tracking a similar issue here, but with systemd this time: Compiled Caddy 2.0.0 with this module but TLS handshake error during challenge · Issue #1 · caddy-dns/cloudflare · GitHub

1 Like

Yes, seems like the exact issue I’m having. Tried on systemd, I got the same error. I’m going to follow the issue on GitHub and will investigate more as well.

Hey are you using your global API key or a scoped API token?

Edit: Looks like we got it resolved in the GitHub issue. I’ve updated the docs.

To anyone else reading this, use API tokens, NOT API keys.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.