Wildcard certificate generation is not working

1. Caddy version (caddy version):

v2.4.5

2. How I run Caddy:

Caddy running in Kubernetes Cluster as a deployment.

a. System environment:

Docker (Kubernetes)

c. Service/unit/compose file:

I run the

apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "1"
  labels:
    deployment: caddy
  name: caddy-deployment
  namespace: default
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      deployment: caddy
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        deployment: caddy
      namespace: default
    spec:
      automountServiceAccountToken: false
      containers:
      - image: eu.gcr.io/my_registry/caddy:d6da163533500b50901ed41f794eae520253f044
        imagePullPolicy: IfNotPresent
        name: caddy
        resources:
          limits:
            cpu: 500m
            memory: 512Mi
          requests:
            cpu: 100m
            memory: 50Mi
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30

d. My complete Caddyfile or JSON config:

*.myweb1.com, myweb2.com {
 reverse_proxy frontend-service:3000
}

3. The problem I’m having:

The problem occurs in the wildcard certificate generation. As you can see in my Caddyfile, I have two webs defined. The second one is working perfectly and the certificate was generated okay, but the wildcard one is failing in the certificate generation. I’m using LetsEncrypt certificates.

4. Error messages and/or full log output:

{"level":"warn","ts":1654072342.0371742,"logger":"tls.issuance.zerossl","msg":"missing email address for ZeroSSL; it is strongly recommended to set one for next time"}
{"level":"info","ts":1654072342.907673,"logger":"tls.issuance.zerossl","msg":"generated EAB credentials","key_id":"BztbeM1m8stBvfC1yJ-8nQ"}
{"level":"warn","ts":1654072376.3145614,"logger":"tls.issuance.acme.acme_client","msg":"HTTP request failed; retrying","url":"https://acme.zerossl.com/v2/DV90/newOrder","error":"performing request: Post \"https://acme.zerossl.com/v2/DV90/newOrder\": http2: timeout awaiting response headers"}
{"level":"error","ts":1654072411.9290082,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.myweb1.com","issuer":"acme.zerossl.com-v2-DV90","error":"[*.myweb1.com] solving challenges: *.myweb1.com: no solvers available for remaining challenges (configured=[http-01 tls-alpn-01] offered=[dns-01] remaining=[dns-01]) (order=https://acme.zerossl.com/v2/DV90/order/fa14RtUNHlQ-mrJyefUHRQ) (ca=https://acme.zerossl.com/v2/DV90)"}
{"level":"error","ts":1654072411.9290702,"logger":"tls.obtain","msg":"will retry","error":"[*.myweb1.com] Obtain: [*.myweb1.com] solving challenges: *.myweb1.com: no solvers available for remaining challenges (configured=[http-01 tls-alpn-01] offered=[dns-01] remaining=[dns-01]) (order=https://acme.zerossl.com/v2/DV90/order/fa14RtUNHlQ-mrJyefUHRQ) (ca=https://acme.zerossl.com/v2/DV90)","attempt":4,"retrying_in":300,"elapsed":502.555984698,"max_duration":2592000}

5. What I already tried:

I have tried to change the Caddyfile, separating the two webs into different blocks, but with no success…
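As an added example (not part of the original post and not code from the Caddy project), here is a small Python triage script that parses Caddy's JSON-per-line log and separates the two different things visible in the log above: a transient "HTTP request failed; retrying" warning from the ACME client, and a hard failure where the CA only offers a challenge type ("remaining=[dns-01]") that none of the configured solvers ("configured=[http-01 tls-alpn-01]") can satisfy. The sample input is constructed from the four log lines quoted in the post plus one deliberately non-JSON line to show the parser skipping it; the function names and the regex are this example's own.

```python
import json
import re

# Constructed sample input: the log lines quoted in the post above, plus one
# stray non-JSON line so the parser's skip path is exercised.
SAMPLE_LOG = r'''
{"level":"warn","ts":1654072342.0371742,"logger":"tls.issuance.zerossl","msg":"missing email address for ZeroSSL; it is strongly recommended to set one for next time"}
{"level":"warn","ts":1654072376.3145614,"logger":"tls.issuance.acme.acme_client","msg":"HTTP request failed; retrying","url":"https://acme.zerossl.com/v2/DV90/newOrder","error":"performing request: Post \"https://acme.zerossl.com/v2/DV90/newOrder\": http2: timeout awaiting response headers"}
{"level":"error","ts":1654072411.9290082,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.myweb1.com","issuer":"acme.zerossl.com-v2-DV90","error":"[*.myweb1.com] solving challenges: *.myweb1.com: no solvers available for remaining challenges (configured=[http-01 tls-alpn-01] offered=[dns-01] remaining=[dns-01]) (order=https://acme.zerossl.com/v2/DV90/order/fa14RtUNHlQ-mrJyefUHRQ) (ca=https://acme.zerossl.com/v2/DV90)"}
{"level":"error","ts":1654072411.9290702,"logger":"tls.obtain","msg":"will retry","error":"[*.myweb1.com] Obtain: [*.myweb1.com] solving challenges: *.myweb1.com: no solvers available for remaining challenges (configured=[http-01 tls-alpn-01] offered=[dns-01] remaining=[dns-01]) (order=https://acme.zerossl.com/v2/DV90/order/fa14RtUNHlQ-mrJyefUHRQ) (ca=https://acme.zerossl.com/v2/DV90)","attempt":4,"retrying_in":300,"elapsed":502.555984698,"max_duration":2592000}
not json: a stray line that the parser must skip
'''

# Matches the solver-mismatch text Caddy (via certmagic/acmez) puts in "error".
NO_SOLVER_RE = re.compile(
    r"no solvers available for remaining challenges "
    r"\(configured=\[([^\]]*)\] offered=\[([^\]]*)\] remaining=\[([^\]]*)\]\)"
)
# The "will retry" entry has no "identifier" field; recover it from "[name] ...".
IDENT_RE = re.compile(r"^\[([^\]]+)\]")


def parse_caddy_log(text):
    """Parse one JSON object per line; silently skip anything that is not one."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            entries.append(obj)
    return entries


def find_challenge_mismatches(entries):
    """Return one record per (identifier, remaining challenges) hard failure."""
    seen, out = set(), []
    for e in entries:
        err = e.get("error", "")
        m = NO_SOLVER_RE.search(err)
        if not m:
            continue
        ident = e.get("identifier")
        if not ident:
            im = IDENT_RE.match(err)
            ident = im.group(1) if im else "?"
        rec = {
            "identifier": ident,
            "configured": m.group(1).split(),
            "offered": m.group(2).split(),
            "remaining": m.group(3).split(),
            "issuer": e.get("issuer"),
        }
        key = (ident, tuple(rec["remaining"]))
        if key in seen:  # the retry entry repeats the same failure
            continue
        seen.add(key)
        out.append(rec)
    return out


def find_transient_errors(entries):
    """Retried HTTP requests to the CA: noise unless they keep recurring."""
    return [
        {"url": e.get("url"), "error": e.get("error")}
        for e in entries
        if e.get("msg") == "HTTP request failed; retrying"
    ]


def explain(rec):
    """Human-readable verdict for one mismatch record."""
    ident = rec["identifier"]
    missing = [c for c in rec["remaining"] if c not in rec["configured"]]
    text = (
        f"{ident}: CA offered {', '.join(rec['offered'])}; "
        f"Caddy has solvers for {', '.join(rec['configured'])}; "
        f"unsatisfiable: {', '.join(missing)}"
    )
    if ident.startswith("*.") and "dns-01" in missing:
        text += "; wildcard names are issued only via dns-01, so a DNS solver is required"
    return text


def triage(text):
    """Summarise a log: how many entries, hard failures, and transient retries."""
    entries = parse_caddy_log(text)
    return {
        "entries": len(entries),
        "hard_failures": [explain(r) for r in find_challenge_mismatches(entries)],
        "transient": len(find_transient_errors(entries)),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

The distinction the script makes is the one worth checking first when an ACME order fails: a "retrying" warning is recoverable and the client will retry on its own, whereas "no solvers available for remaining challenges" will fail on every retry until the configuration changes, because public ACME CAs only validate wildcard names with the dns-01 challenge and the http-01 and tls-alpn-01 solvers cannot answer it.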

It looks like you’re actually using ZeroSSL certificates, unless that’s not your entire log. Please post the entire log, as there are certainly more entries than those 5 lines.

Anyway, this looks like ZeroSSL’s ACME server was too slow to write response headers (http2: timeout awaiting response headers). Have you tried reaching out to their support?

This topic was automatically closed after 30 days. New replies are no longer allowed.