1. My Caddy version (caddy -version):
v2.0.0-beta.14 h1:QX1hRMfTA5sel53o5SuON1ys50at6yuSAnPr56sLeK8=
2. How I run Caddy:
a. System environment:
Ubuntu 19.10 eoan (GNU/Linux 5.3.0-29-generic x86_64)
in a virtual server on Linode
c. Service/unit/compose file:
[Unit]
Description=Caddy v2 web server
Documentation=https://caddyserver.com/docs/
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service
[Service]
#Restart=on-abnormal
; Do not allow the process to be restarted in a tight loop. If the
; process fails to start, something critical needs to be fixed.
;StartLimitIntervalSec=14400
;StartLimitBurst=10
; User and group the process will run as.
User=www-data
Group=www-data
; caddy command assumes the caddyfile adapter if filename starts with Caddyfile
ExecStart=/usr/local/bin/caddy run --config /etc/caddy/Caddyfile
ExecReload=/usr/local/bin/caddy reload --config /etc/caddy/Caddyfile
; Use graceful shutdown with a reasonable timeout
ExecStop=/usr/local/bin/caddy stop
KillMode=mixed
KillSignal=SIGQUIT
TimeoutStopSec=5s
; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
LimitNOFILE=1048576
; Unmodified caddy is not expected to use more than that.
LimitNPROC=4096
; The following additional security directives only work with systemd v229 or later.
; They further restrict privileges that can be gained by caddy. Uncomment if you like.
; Note that you may have to add capabilities required by any plugins in use.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
[Install]
WantedBy=multi-user.target
d. My complete Caddyfile:
# global options block
{
storage file_system {
root /etc/caddy/storage
}
experimental_http3
email skyfaller@gmail.com
}
# reusable snippets
(boilerplate) {
encode gzip zstd
file_server
}
# start site blocks
# test page
www.sunrisemovement.dev {
root * /srv/sunrisemovement.dev/public/
# try_files {path}.html {path}
import boilerplate
}
# redirect no-www to www
sunrisemovement.dev {
redir https://www.sunrisemovement.dev
}
# handcoded Rhode Island site
ri.sunrisemovement.dev {
root * /srv/sunrisemovement.dev/ri/public
# try_files {path}/ {path} {path}.php
import boilerplate
php_fastcgi unix//var/run/php/php7.3-fpm.sock
}
# handcoded SF Bay website (originally Github Pages)
sfbay.sunrisemovement.dev {
root * /srv/sunrisemovement.dev/sfbay/public
import boilerplate
}
sfbay.sunrisemovement.org {
root * /srv/sunrisemovement.org/sfbay/public
import boilerplate
}
3. The problem I'm having:
I added the website sfbay.sunrisemovement.org to my Caddyfile, then reloaded Caddy. The website wouldn't load, and returned an SSL error. Seemed it wasn't able to get the cert for some reason. So I restarted Caddy. Caddy got the cert, according to the log. But it still behaved as if it didn't have the cert and refused to serve the website, despite having just fetched the cert!
EDIT: OK, now I see that the cert wasn't actually fetched after restarting Caddy, it only said "The server validated our request". We only got the message "Server responded with a certificate" after rebooting the virtual server. My question as to why this happened remains.
So I rebooted my virtual server, and because computers are voodoo magic everything worked fine once the server came back up. Why wasn't restarting Caddy good enough?? I figured I'd post here anyway, just in case this info is useful to someone, maybe even my future self.
4. Error messages and/or full log output:
Here's the output of journalctl --boot -u caddy.service after restart:
Feb 14 09:00:16 attenborough systemd[1]: Started Caddy v2 web server.
Feb 14 09:00:16 attenborough caddy[24906]: 2020/02/14 14:00:16.581 INFO using provided configuration {"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""}
Feb 14 09:00:16 attenborough caddy[24906]: 2020/02/14 14:00:16.591 INFO admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
Feb 14 09:00:16 attenborough caddy[24906]: 2020/02/14 14:00:16.592 INFO http server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
Feb 14 09:00:16 attenborough caddy[24906]: 2020/02/14 14:00:16.592 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
Feb 14 09:00:16 attenborough caddy[24906]: 2020/02/14 14:00:16.594 INFO http enabling experimental HTTP/3 listener {"addr": ":443"}
Feb 14 09:00:16 attenborough caddy[24906]: 2020/02/14 14:00:16.595 INFO http enabling automatic TLS certificate management {"domains": ["sfbay.sunrisemovement.org", "www.sunrisemovement.dev", "ri.sunrisemovement.dev", "sunrisemovement.dev", "sfbay.sunrisemovement.dev"]}
Feb 14 09:00:16 attenborough caddy[24906]: 2020/02/14 09:00:16 [INFO][cache:0xc00071fdb0] Started certificate maintenance routine
Feb 14 09:00:16 attenborough caddy[24906]: 2020/02/14 14:00:16.628 INFO tls cleaned up storage units
Feb 14 09:00:16 attenborough caddy[24906]: 2020/02/14 14:00:16.629 INFO autosaved config {"file": "/var/www/.config/caddy/autosave.json"}
Feb 14 09:00:16 attenborough caddy[24906]: 2020/02/14 14:00:16.629 INFO serving initial configuration
Feb 14 09:00:18 attenborough caddy[24906]: 2020/02/14 09:00:18 [INFO][sfbay.sunrisemovement.org] Obtain certificate
Feb 14 09:00:18 attenborough caddy[24906]: 2020/02/14 09:00:18 [INFO][sfbay.sunrisemovement.org] Obtain: Waiting on rate limiter...
Feb 14 09:00:18 attenborough caddy[24906]: 2020/02/14 09:00:18 [INFO][sfbay.sunrisemovement.org] Obtain: Done waiting
Feb 14 09:00:18 attenborough caddy[24906]: 2020/02/14 09:00:18 [INFO] [sfbay.sunrisemovement.org] acme: Obtaining bundled SAN certificate
Feb 14 09:00:18 attenborough caddy[24906]: 2020/02/14 09:00:18 [INFO] [sfbay.sunrisemovement.org] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/2814213773
Feb 14 09:00:18 attenborough caddy[24906]: 2020/02/14 09:00:18 [INFO] [sfbay.sunrisemovement.org] acme: Could not find solver for: tls-alpn-01
Feb 14 09:00:18 attenborough caddy[24906]: 2020/02/14 09:00:18 [INFO] [sfbay.sunrisemovement.org] acme: use http-01 solver
Feb 14 09:00:18 attenborough caddy[24906]: 2020/02/14 09:00:18 [INFO] [sfbay.sunrisemovement.org] acme: Trying to solve HTTP-01
Feb 14 09:00:18 attenborough caddy[24906]: 2020/02/14 09:00:18 [INFO][sfbay.sunrisemovement.org] Served key authentication (HTTP challenge)
Feb 14 09:00:19 attenborough caddy[24906]: 2020/02/14 09:00:19 [INFO][sfbay.sunrisemovement.org] Served key authentication (HTTP challenge)
Feb 14 09:00:19 attenborough caddy[24906]: 2020/02/14 09:00:19 [INFO][sfbay.sunrisemovement.org] Served key authentication (HTTP challenge)
Feb 14 09:00:19 attenborough caddy[24906]: 2020/02/14 09:00:19 [INFO][sfbay.sunrisemovement.org] Served key authentication (HTTP challenge)
Feb 14 09:00:22 attenborough caddy[24906]: 2020/02/14 09:00:22 [INFO] [sfbay.sunrisemovement.org] The server validated our request
Feb 14 09:00:39 attenborough caddy[24906]: 2020/02/14 09:00:39 http: TLS handshake error from [2601:42:0:6200:34b6:1a6f:6149:7b56]:49548: no certificate available for 'sfbay.sunrisemovement.org'
Feb 14 09:00:42 attenborough caddy[24906]: 2020/02/14 09:00:42 http: TLS handshake error from [2601:42:0:6200:34b6:1a6f:6149:7b56]:49552: no certificate available for 'sfbay.sunrisemovement.org'
after I rebooted the virtual server:
-- Logs begin at Sun 2020-01-26 02:12:23 EST, end at Fri 2020-02-14 09:45:58 EST. --
Feb 14 09:27:51 attenborough systemd[1]: Started Caddy v2 web server.
Feb 14 09:27:51 attenborough caddy[651]: 2020/02/14 14:27:51.720 INFO using provided configuration {"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""}
Feb 14 09:27:51 attenborough caddy[651]: 2020/02/14 14:27:51.744 INFO admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
Feb 14 09:27:51 attenborough caddy[651]: 2020/02/14 14:27:51.745 INFO http server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
Feb 14 09:27:51 attenborough caddy[651]: 2020/02/14 14:27:51.750 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
Feb 14 09:27:51 attenborough caddy[651]: 2020/02/14 14:27:51.754 INFO http enabling experimental HTTP/3 listener {"addr": ":443"}
Feb 14 09:27:51 attenborough caddy[651]: 2020/02/14 14:27:51.758 INFO http enabling automatic TLS certificate management {"domains": ["sfbay.sunrisemovement.dev", "sfbay.sunrisemovement.org", "www.sunrisemovement.dev", "ri.sunrisemovement.dev", "sunrisemovement.dev"]}
Feb 14 09:27:51 attenborough caddy[651]: 2020/02/14 09:27:51 [INFO][cache:0xc0002b05f0] Started certificate maintenance routine
Feb 14 09:27:51 attenborough caddy[651]: 2020/02/14 14:27:51.863 INFO tls cleaned up storage units
Feb 14 09:27:51 attenborough caddy[651]: 2020/02/14 14:27:51.867 INFO autosaved config {"file": "/var/www/.config/caddy/autosave.json"}
Feb 14 09:27:51 attenborough caddy[651]: 2020/02/14 14:27:51.867 INFO serving initial configuration
Feb 14 09:27:52 attenborough caddy[651]: 2020/02/14 09:27:52 [INFO][sfbay.sunrisemovement.org] Obtain certificate
Feb 14 09:27:52 attenborough caddy[651]: 2020/02/14 09:27:52 [INFO][sfbay.sunrisemovement.org] Obtain: Waiting on rate limiter...
Feb 14 09:27:52 attenborough caddy[651]: 2020/02/14 09:27:52 [INFO][sfbay.sunrisemovement.org] Obtain: Done waiting
Feb 14 09:27:52 attenborough caddy[651]: 2020/02/14 09:27:52 [INFO] [sfbay.sunrisemovement.org] acme: Obtaining bundled SAN certificate
Feb 14 09:27:52 attenborough caddy[651]: 2020/02/14 09:27:52 [INFO] [sfbay.sunrisemovement.org] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/2814213773
Feb 14 09:27:52 attenborough caddy[651]: 2020/02/14 09:27:52 [INFO] [sfbay.sunrisemovement.org] acme: authorization already valid; skipping challenge
Feb 14 09:27:52 attenborough caddy[651]: 2020/02/14 09:27:52 [INFO] [sfbay.sunrisemovement.org] acme: Validations succeeded; requesting certificates
Feb 14 09:27:53 attenborough caddy[651]: 2020/02/14 09:27:53 [INFO] [sfbay.sunrisemovement.org] Server responded with a certificate.
5. What I already tried:
Rebooting virtual server, and annoyingly that worked.
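The two journal excerpts above show the distinction the EDIT points at: after the restart the ACME flow reaches "The server validated our request" but never "Server responded with a certificate", and every TLS handshake for that name is refused with "no certificate available". The following Python script is an added example (not part of this post and not Caddy's own tooling) that walks such journal output and reports, per domain, whether issuance started, whether the authorization was validated, whether a certificate was actually received, and how many handshakes were refused in the meantime. The regular expressions are derived from the exact message shapes in the log lines above (Caddy v2.0.0-beta.14); the assumption is that those shapes are stable for the version being inspected, and the sample lines embedded in the script are copied from the post.

```python
import re
from collections import defaultdict

# Message shapes copied from the journal output in the post (Caddy v2.0.0-beta.14).
# The certificate-management lines use two bracket styles, "[INFO][domain]" and
# "[INFO] [domain]", so the domain capture allows an optional space between them.
_OBTAIN = re.compile(r"\[INFO\] ?\[(?P<domain>[^\]]+)\] Obtain certificate$")
_VALIDATED = re.compile(
    r"\[INFO\] ?\[(?P<domain>[^\]]+)\] "
    r"(?:The server validated our request|acme: authorization already valid)"
)
_ISSUED = re.compile(r"\[INFO\] ?\[(?P<domain>[^\]]+)\] Server responded with a certificate")
_NO_CERT = re.compile(
    r"TLS handshake error from (?P<peer>\S+): no certificate available for '(?P<domain>[^']+)'"
)


def _new_state():
    return {"obtain_started": False, "validated": False, "issued": False,
            "handshake_errors": 0, "peers": set()}


def audit_acme_log(lines):
    """Walk journal lines and record, per domain, how far ACME issuance got
    and how many TLS handshakes were refused for lack of a certificate."""
    state = defaultdict(_new_state)
    for raw in lines:
        line = raw.strip()
        if m := _OBTAIN.search(line):
            state[m["domain"]]["obtain_started"] = True
        elif m := _VALIDATED.search(line):
            state[m["domain"]]["validated"] = True
        elif m := _ISSUED.search(line):
            state[m["domain"]]["issued"] = True
        elif m := _NO_CERT.search(line):
            state[m["domain"]]["handshake_errors"] += 1
            state[m["domain"]]["peers"].add(m["peer"])
    return dict(state)


def stalled_domains(lines):
    """Domains where issuance started but no certificate was ever received."""
    return sorted(d for d, s in audit_acme_log(lines).items()
                  if s["obtain_started"] and not s["issued"])


# Sample input: lines copied from the post's journal output ("after restart").
RESTART_LOG = [
    "Feb 14 09:00:18 attenborough caddy[24906]: 2020/02/14 09:00:18 [INFO][sfbay.sunrisemovement.org] Obtain certificate",
    "Feb 14 09:00:18 attenborough caddy[24906]: 2020/02/14 09:00:18 [INFO] [sfbay.sunrisemovement.org] acme: Trying to solve HTTP-01",
    "Feb 14 09:00:18 attenborough caddy[24906]: 2020/02/14 09:00:18 [INFO][sfbay.sunrisemovement.org] Served key authentication (HTTP challenge)",
    "Feb 14 09:00:22 attenborough caddy[24906]: 2020/02/14 09:00:22 [INFO] [sfbay.sunrisemovement.org] The server validated our request",
    "Feb 14 09:00:39 attenborough caddy[24906]: 2020/02/14 09:00:39 http: TLS handshake error from [2601:42:0:6200:34b6:1a6f:6149:7b56]:49548: no certificate available for 'sfbay.sunrisemovement.org'",
    "Feb 14 09:00:42 attenborough caddy[24906]: 2020/02/14 09:00:42 http: TLS handshake error from [2601:42:0:6200:34b6:1a6f:6149:7b56]:49552: no certificate available for 'sfbay.sunrisemovement.org'",
]

# Sample input: lines copied from the post's journal output ("after I rebooted").
REBOOT_LOG = [
    "Feb 14 09:27:52 attenborough caddy[651]: 2020/02/14 09:27:52 [INFO][sfbay.sunrisemovement.org] Obtain certificate",
    "Feb 14 09:27:52 attenborough caddy[651]: 2020/02/14 09:27:52 [INFO] [sfbay.sunrisemovement.org] acme: authorization already valid; skipping challenge",
    "Feb 14 09:27:52 attenborough caddy[651]: 2020/02/14 09:27:52 [INFO] [sfbay.sunrisemovement.org] acme: Validations succeeded; requesting certificates",
    "Feb 14 09:27:53 attenborough caddy[651]: 2020/02/14 09:27:53 [INFO] [sfbay.sunrisemovement.org] Server responded with a certificate.",
]


if __name__ == "__main__":
    for label, log in (("after restart", RESTART_LOG), ("after reboot", REBOOT_LOG)):
        print(f"== {label} ==")
        for domain, s in audit_acme_log(log).items():
            print(f"{domain}: started={s['obtain_started']} validated={s['validated']} "
                  f"issued={s['issued']} refused_handshakes={s['handshake_errors']}")
        print("stalled:", stalled_domains(log) or "none")
```

Run against a live host with `journalctl --boot -u caddy.service | python3 audit.py` after replacing the embedded samples with `sys.stdin`; a domain listed as stalled with a non-zero refused-handshake count is exactly the state the post describes, where the authorization succeeded but the order was never finalized, so the server keeps answering ClientHellos for that name with no certificate.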