[Unit]
Description=Caddy HTTP/2 web server
Documentation=https://caddyserver.com/docs
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service
[Service]
Restart=on-abnormal
; User and group the process will run as.
User=caddy
Group=caddy
; CADDYPATH was the Caddy v1 storage location. Caddy v2 ignores it and keeps certificates and the
; autosaved config under the user's XDG directories (here /home/caddy/.config/caddy, as the autosave log line shows).
Environment=CADDYPATH=/home/caddy
; Caddy v2 has no "-root" flag on "caddy run"; the site root must be set in the Caddyfile.
ExecStart=/usr/bin/caddy run --config=/etc/caddy/Caddyfile
; Caddy v2 reloads through its admin API with "caddy reload"; SIGUSR1 was the v1 reload mechanism and does nothing useful here.
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
; Use graceful shutdown with a reasonable timeout
KillMode=mixed
KillSignal=SIGQUIT
TimeoutStopSec=5s
; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
LimitNOFILE=1048576
; Unmodified caddy is not expected to use more than that.
LimitNPROC=4096
[Install]
WantedBy=multi-user.target
SSL not working. Moved domain to new server, used caddy before, followed same setup but website gets an error when you go to it:
This site can’t provide a secure connection ERR_SSL_PROTOCOL_ERROR
4. Error messages and/or full log output:
Feb 20 01:43:28 ns102521 caddy[23249]: 2020/02/20 01:43:28 [INFO][www.coconutpool.com] Served key authentication (HTTP challenge)
Feb 20 01:43:33 ns102521 caddy[23249]: 2020/02/20 01:43:33 [INFO] [www.coconutpool.com] The server validated our request
Feb 20 01:43:42 ns102521 caddy[23249]: 2020/02/20 01:43:42 http: TLS handshake error from 107.77.211.5:51307: no certificate available for 'domain.com'
5. What I already tried:
twiddling thumbs and waiting for it to go away on its own
cursing
asking nicely for it to work
permissions may be wrong somewhere?
lots of google searches
reload caddy, restart caddy, maybe it will go away?
The “command” is the command you type to run Caddy, in your case, caddy run --config /path/to/caddyfile
Can you please post your full and unredacted Caddyfile? And the full and unredacted logs. They are crucial to helping you with this problem since it is domain-name specific. Thanks!
Feb 20 16:12:23 ns102521 caddy[16639]: 2020/02/20 16:12:23 [INFO][www.coconutpool.com] Served key authentication certificate (TLS-ALPN challenge)
Feb 20 16:12:23 ns102521 caddy[16639]: 2020/02/20 16:12:23 [INFO][www.coconutpool.com] Served key authentication certificate (TLS-ALPN challenge)
Feb 20 16:12:23 ns102521 caddy[16639]: 2020/02/20 16:12:23 [INFO][www.coconutpool.com] Served key authentication certificate (TLS-ALPN challenge)
Feb 20 16:12:29 ns102521 caddy[16639]: 2020/02/20 16:12:29 [INFO] [www.coconutpool.com] The server validated our request
Feb 20 16:12:29 ns102521 caddy[16639]: 2020/02/20 16:12:29 [INFO] [www.coconutpool.com] acme: Validations succeeded; requesting certificates
Feb 20 16:12:30 ns102521 caddy[16639]: 2020/02/20 16:12:30 [INFO] [www.coconutpool.com] Server responded with a certificate.
Feb 20 16:12:42 ns102521 caddy[16639]: 2020/02/20 16:12:42 http: TLS handshake error from 107.77.211.5:13095: no certificate available for 'coconutpool.com'
Feb 20 16:12:42 ns102521 caddy[16639]: 2020/02/20 16:12:42 http: TLS handshake error from 107.77.211.5:9919: no certificate available for 'coconutpool.com'
Almost there… can you post the full log output, please? There is surely more than that, as Caddy always starts with some initialization log output, for example. Only part of the puzzle is here…
there's not much to see. It just repeats that over and over again.
Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.042 INFO using provided configuration {"config_file": "/etc/caddy/Caddyfile", "confFeb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.043 INFO admin admin endpoint started {"address": "localhost:2019", "enforceFeb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.044 INFO http server is listening only on the HTTPS port but has no TLS connection Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.044 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.044 INFO http enabling automatic TLS certificate management {"domains": ["wwFeb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22 [INFO][cache:0xc00039a730] Started certificate maintenance routine
Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.044 INFO tls cleaned up storage units
Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.045 INFO autosaved config {"file": "/home/caddy/.config/caddy/autosave.json"}
Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.045 INFO serving initial configuration
Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22 [INFO][www.coconutpool.com] Obtain certificate
Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22 [INFO][www.coconutpool.com] Obtain: Waiting on rate limiter...
Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22 [INFO][www.coconutpool.com] Obtain: Done waiting
Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22 [INFO] [www.coconutpool.com] acme: Obtaining bundled SAN certificate
Feb 20 16:12:23 ns102521 caddy[16639]: 2020/02/20 16:12:23 [INFO] [www.coconutpool.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/2919756322
Feb 20 16:12:23 ns102521 caddy[16639]: 2020/02/20 16:12:23 [INFO] [www.coconutpool.com] acme: use tls-alpn-01 solver
Feb 20 16:12:23 ns102521 caddy[16639]: 2020/02/20 16:12:23 [INFO] [www.coconutpool.com] acme: Trying to solve TLS-ALPN-01
Feb 20 16:12:23 ns102521 caddy[16639]: 2020/02/20 16:12:23 http: TLS handshake error from 127.0.0.1:64508: EOF
Feb 20 16:12:23 ns102521 caddy[16639]: 2020/02/20 16:12:23 [INFO][www.coconutpool.com] Served key authentication certificate (TLS-ALPN challenge)
Feb 20 16:12:23 ns102521 caddy[16639]: 2020/02/20 16:12:23 [INFO][www.coconutpool.com] Served key authentication certificate (TLS-ALPN challenge)
Feb 20 16:12:23 ns102521 caddy[16639]: 2020/02/20 16:12:23 [INFO][www.coconutpool.com] Served key authentication certificate (TLS-ALPN challenge)
Feb 20 16:12:23 ns102521 caddy[16639]: 2020/02/20 16:12:23 [INFO][www.coconutpool.com] Served key authentication certificate (TLS-ALPN challenge)
Feb 20 16:12:29 ns102521 caddy[16639]: 2020/02/20 16:12:29 [INFO] [www.coconutpool.com] The server validated our request
Feb 20 16:12:29 ns102521 caddy[16639]: 2020/02/20 16:12:29 [INFO] [www.coconutpool.com] acme: Validations succeeded; requesting certificates
Feb 20 16:12:30 ns102521 caddy[16639]: 2020/02/20 16:12:30 [INFO] [www.coconutpool.com] Server responded with a certificate.
Feb 20 16:12:42 ns102521 caddy[16639]: 2020/02/20 16:12:42 http: TLS handshake error from 107.77.211.5:13095: no certificate available for 'coconutpool.com'
Feb 20 16:12:42 ns102521 caddy[16639]: 2020/02/20 16:12:42 http: TLS handshake error from 107.77.211.5:9919: no certificate available for 'coconutpool.com'
Feb 20 16:12:45 ns102521 caddy[16639]: 2020/02/20 16:12:45 http: TLS handshake error from 107.77.211.5:10531: no certificate available for 'coconutpool.com'
Feb 20 16:12:45 ns102521 caddy[16639]: 2020/02/20 16:12:45 http: TLS handshake error from 107.77.211.5:61667: no certificate available for 'coconutpool.com'
Feb 20 16:13:38 ns102521 caddy[16639]: 2020/02/20 16:13:38 http: TLS handshake error from 107.77.211.5:60943: no certificate available for 'coconutpool.com'
Feb 20 16:13:38 ns102521 caddy[16639]: 2020/02/20 16:13:38 http: TLS handshake error from 107.77.211.5:6451: no certificate available for 'coconutpool.com'
Feb 20 16:14:15 ns102521 caddy[16639]: 2020/02/20 16:14:15.715 ERROR http.log.error making dial info: upstream php: invalid dial address php: Feb 20 16:27:21 ns102521 caddy[16639]: 2020/02/20 16:27:21 http: TLS handshake error from 107.77.211.5:51127: no certificate available for 'coconutpool.com'
Feb 20 16:27:21 ns102521 caddy[16639]: 2020/02/20 16:27:21 http: TLS handshake error from 107.77.211.5:31703: no certificate available for 'coconutpool.com'
Feb 20 16:27:50 ns102521 caddy[16639]: 2020/02/20 16:27:50 http: TLS handshake error from 107.77.211.5:19511: no certificate available for 'coconutpool.com'
Feb 20 16:27:50 ns102521 caddy[16639]: 2020/02/20 16:27:50 http: TLS handshake error from 107.77.211.5:60519: no certificate available for 'coconutpool.com'
Feb 20 16:35:42 ns102521 caddy[16639]: 2020/02/20 16:35:42 http: TLS handshake error from 107.77.211.5:13983: no certificate available for 'coconutpool.com'
Feb 20 16:35:42 ns102521 caddy[16639]: 2020/02/20 16:35:42 http: TLS handshake error from 107.77.211.5:56223: no certificate available for 'coconutpool.com'
Feb 20 16:40:27 ns102521 caddy[16639]: 2020/02/20 16:40:27 http: TLS handshake error from 34.217.100.109:41310: no certificate available for 'coconutpool.com'
Feb 20 16:45:19 ns102521 caddy[16639]: 2020/02/20 16:45:19 http: TLS handshake error from 107.77.211.5:19515: no certificate available for 'coconutpool.com'
Feb 20 16:45:26 ns102521 caddy[16639]: 2020/02/20 16:45:26 http: TLS handshake error from 107.77.211.5:27515: no certificate available for 'coconutpool.com'
Feb 20 16:45:26 ns102521 caddy[16639]: 2020/02/20 16:45:26 http: TLS handshake error from 107.77.211.5:18591: no certificate available for 'coconutpool.com'
Feb 20 16:47:04 ns102521 caddy[16639]: 2020/02/20 16:47:04 http: TLS handshake error from 54.225.5.202:53154: no certificate available for 'coconutpool.com'
Feb 20 16:47:11 ns102521 caddy[16639]: 2020/02/20 16:47:11.323 ERROR http.log.error making dial info: upstream php: invalid dial address php: Feb 20 16:51:15 ns102521 caddy[16639]: 2020/02/20 16:51:15 http: TLS handshake error from 107.77.211.5:44191: no certificate available for 'coconutpool.com'
Feb 20 16:51:15 ns102521 caddy[16639]: 2020/02/20 16:51:15 http: TLS handshake error from 107.77.211.5:61675: no certificate available for 'coconutpool.com'
Feb 20 16:58:34 ns102521 caddy[16639]: 2020/02/20 16:58:34 http: TLS handshake error from 107.77.211.5:46739: no certificate available for 'coconutpool.com'
Feb 20 16:58:34 ns102521 caddy[16639]: 2020/02/20 16:58:34 http: TLS handshake error from 107.77.211.5:49283: no certificate available for 'coconutpool.com'
Feb 20 17:12:22 ns102521 caddy[16639]: 2020/02/20 17:12:22 [INFO][cache:0xc00039a730] Scanning for stale OCSP staples
Feb 20 17:12:22 ns102521 caddy[16639]: 2020/02/20 17:12:22 [INFO][cache:0xc00039a730] Done checking OCSP staples
Feb 20 17:31:32 ns102521 caddy[16639]: 2020/02/20 17:31:32 http: TLS handshake error from 70.39.117.18:54854: no certificate available for ''
Feb 20 17:56:26 ns102521 caddy[16639]: 2020/02/20 17:56:26 http: TLS handshake error from 172.58.38.244:39438: no certificate available for 'coconutpool.com'
Feb 20 17:56:41 ns102521 caddy[16639]: 2020/02/20 17:56:41 http: TLS handshake error from 172.58.38.244:63044: no certificate available for 'coconutpool.com'
Feb 20 17:57:07 ns102521 caddy[16639]: 2020/02/20 17:57:07 http: TLS handshake error from 172.58.38.244:25740: no certificate available for 'coconutpool.com'
Feb 20 18:12:22 ns102521 caddy[16639]: 2020/02/20 18:12:22 [INFO][cache:0xc00039a730] Scanning for stale OCSP staples
Feb 20 18:12:22 ns102521 caddy[16639]: 2020/02/20 18:12:22 [INFO][cache:0xc00039a730] Done checking OCSP staples
Feb 20 18:15:02 ns102521 caddy[16639]: 2020/02/20 18:15:02 http: TLS handshake error from 198.108.66.161:28924: no certificate available for ''
Feb 20 19:12:22 ns102521 caddy[16639]: 2020/02/20 19:12:22 [INFO][cache:0xc00039a730] Scanning for stale OCSP staples
Feb 20 19:12:22 ns102521 caddy[16639]: 2020/02/20 19:12:22 [INFO][cache:0xc00039a730] Done checking OCSP staples
Feb 20 20:12:22 ns102521 caddy[16639]: 2020/02/20 20:12:22 [INFO][cache:0xc00039a730] Scanning for stale OCSP staples
Feb 20 20:12:22 ns102521 caddy[16639]: 2020/02/20 20:12:22 [INFO][cache:0xc00039a730] Done checking OCSP staples
Feb 20 20:33:14 ns102521 caddy[16639]: 2020/02/20 20:33:14 http: TLS handshake error from 54.218.118.123:58950: no certificate available for 'coconutpool.com'
Feb 20 21:12:22 ns102521 caddy[16639]: 2020/02/20 21:12:22 [INFO][cache:0xc00039a730] Scanning for stale OCSP staples
Feb 20 21:12:22 ns102521 caddy[16639]: 2020/02/20 21:12:22 [INFO][cache:0xc00039a730] Done checking OCSP staples
Feb 20 21:37:08 ns102521 caddy[16639]: 2020/02/20 21:37:08 http: TLS handshake error from 93.174.95.106:50206: no certificate available for ''
I presume you’re navigating from the browser, right? Are you visiting coconutpool.com. on the browser address bar or coconutpool.com ? (mind the dot at the end). Caddy doesn’t seem to be able to find coconutpool.com, rightly so because it was configured for coconutpool.com. (with the dot at the end).
What’s up with this first line though? It’s kind of mangled:
Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.042 INFO using provided configuration {"config_file": "/etc/caddy/Caddyfile", "confFeb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.043 INFO admin admin endpoint started {"address": "localhost:2019", "enforceFeb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.044 INFO http server is listening only on the HTTPS port but has no TLS connection Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.044 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.044 INFO http enabling automatic TLS certificate management {"domains": ["wwFeb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22 [INFO][cache:0xc00039a730] Started certificate maintenance routine
Did something happen there in copy+pasting it? Can you dump it to a file instead?
I know you said you’re not running it as a service, but the logs are prefixed with:
Feb 20 01:43:28 ns102521 caddy[23249]:
Which is not Caddy output.
The useful part is unfortunately being lost, potentially corrupted by the log manager you’re using or something gone horribly wrong with the copy+paste:
Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.044 INFO http enabling automatic TLS certificate management {"domains": ["wwFeb 20 16:12:22 ns10252
This log line, now complete, confirms my suspicions:
Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.044 INFO http enabling automatic TLS certificate management {"domains": ["www.coconutpool.com"]}
Caddy is only managing a certificate for www.coconutpool.com and not coconutpool.com because your Caddyfile has coconutpool.com. instead of coconutpool.com in it, like @Mohammed90 suggested. See Automatic HTTPS — Caddy Documentation
Fix the typo in your Caddyfile and you should be good to go!
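The diagnosis above can be checked mechanically against a log dump: compare the names Caddy reports in its "enabling automatic TLS certificate management" line with the SNI names in the "no certificate available for" handshake errors, and scan the Caddyfile site addresses for a trailing dot. The script below is an added example written for this thread; it is not Caddy's code and not anything the posters ran. The log lines and the Caddyfile it parses are constructed samples modelled on the lines quoted above, and the function names are my own.

```python
import json
import re
from collections import Counter

# Constructed sample log, modelled on the lines quoted in the thread (not the poster's full log).
SAMPLE_LOG = """\
Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.044 INFO http enabling automatic TLS certificate management {"domains": ["www.coconutpool.com"]}
Feb 20 16:12:30 ns102521 caddy[16639]: 2020/02/20 16:12:30 [INFO] [www.coconutpool.com] Server responded with a certificate.
Feb 20 16:12:42 ns102521 caddy[16639]: 2020/02/20 16:12:42 http: TLS handshake error from 107.77.211.5:13095: no certificate available for 'coconutpool.com'
Feb 20 16:12:45 ns102521 caddy[16639]: 2020/02/20 16:12:45 http: TLS handshake error from 107.77.211.5:61667: no certificate available for 'coconutpool.com'
Feb 20 17:31:32 ns102521 caddy[16639]: 2020/02/20 17:31:32 http: TLS handshake error from 70.39.117.18:54854: no certificate available for ''
"""

# Constructed (hypothetical) Caddyfile carrying the trailing-dot typo the thread ends up diagnosing.
SAMPLE_CADDYFILE = """\
coconutpool.com., www.coconutpool.com {
    root * /var/www/coconutpool
    file_server
}
"""

MANAGED_RE = re.compile(r"enabling automatic TLS certificate management (\{.*\})\s*$")
NOCERT_RE = re.compile(r"TLS handshake error from (\S+): no certificate available for '([^']*)'")


def managed_domains(log_text):
    """Names Caddy says it manages certificates for (the JSON tail of the 'enabling ...' line)."""
    names = set()
    for line in log_text.splitlines():
        m = MANAGED_RE.search(line)
        if m:
            names.update(json.loads(m.group(1)).get("domains", []))
    return names


def missing_sni(log_text):
    """Count handshakes that failed because no certificate matched the client's SNI name."""
    counts = Counter()
    for line in log_text.splitlines():
        m = NOCERT_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def diagnose(log_text):
    """Map each unmatched SNI name to a verdict explaining why Caddy had nothing to serve."""
    managed = managed_domains(log_text)
    normalized = {d.rstrip(".").lower() for d in managed}
    verdicts = {}
    for name, n in missing_sni(log_text).items():
        if name == "":
            verdicts[name] = f"{n} handshake(s) with empty SNI: IP-based scanner or legacy client, nothing to fix"
        elif name.rstrip(".").lower() in normalized:
            verdicts[name] = f"{n} handshake(s): name matches a managed name only up to a trailing dot; check the Caddyfile site address"
        elif "www." + name in normalized:
            verdicts[name] = f"{n} handshake(s): only www.{name} is managed; the apex {name} is missing from the Caddyfile"
        else:
            verdicts[name] = f"{n} handshake(s): {name} is not a configured site address"
    return verdicts


def caddyfile_site_problems(caddyfile_text):
    """Return site addresses (top-level lines ending in '{') that carry a trailing dot."""
    bad = []
    for line in caddyfile_text.splitlines():
        if not line or line[0].isspace() or not line.rstrip().endswith("{"):
            continue
        for addr in line.rstrip()[:-1].split(","):
            addr = addr.strip()
            if addr.endswith("."):
                bad.append(addr)
    return bad


if __name__ == "__main__":
    for name, verdict in diagnose(SAMPLE_LOG).items():
        print(f"{name!r}: {verdict}")
    print("site addresses with trailing dot:", caddyfile_site_problems(SAMPLE_CADDYFILE))
```

Run it against a real `journalctl -u caddy` dump by replacing SAMPLE_LOG with the file contents. The empty-SNI case is separated out on purpose: those handshakes come from clients that connect by IP address and are routine background noise, so they should not be mistaken for the configuration problem the repeated `'coconutpool.com'` errors point at.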
This would happen when you’ve got a valid HTTPS certificate but Google can’t find its issuance in certificate transparency logs. That is, probably only in a very short window immediately following issuance.
LE did some maintenance on their CT logs today, I dunno but that may have had something to do with it. CT is hard, and sometimes it does take a few minutes…
@dogpatchmedia Would you be able to upgrade to the latest on the v2 branch (newer than beta 18, will go out with beta 19)? I think I’ve fixed a bug today that was at least related to the hanging, if not the hanging itself. Did you notice that this only happens with the HTTP challenge? If so, it might very well have been fixed now… if not, meh, we’ll see. Let me know after you upgrade if it happens or doesn’t happen again!
After 20 trials I was unable to replicate the issue (which I have experienced before myself since your report).