Wildcard certificates

1. Output of caddy version:

v2.6.2 h1:wKoFIxpmOJLGl3QXoo6PNbYvGW4xLEgo32GPBEjWL8o=

2. How I run Caddy:

Using Docker with a custom-built image to support the DigitalOcean plugin.

a. System environment:

Docker on a DigitalOcean VPS

b. Command:

docker compose up -d

c. Service/unit/compose file:

version: "3.7"

networks:
    com:
        external: true
    internal:
        external: false
        driver: bridge

services:
    caddy:
        container_name: caddy
        image: test-caddy
        restart: unless-stopped
        ports:
            - "80:80"
            - "443:443"
        volumes:
            - ./:/etc/caddy
            - ./data:/data
            - ./config:/config
        networks:
            - com
            - internal

d. My complete Caddy config:

{
        acme_dns digitalocean TOKEN
}

*.example.com {
        tls email

        @cd host cd.example.com
        handle @cd {
                reverse_proxy localhost:5000
        }
}

3. The problem I’m having:

I was trying to make Caddy work with wildcard certificates, but I’m getting this error.
Note: The domains, API key and email were changed before posting here. They’re the real ones in the original file.

4. Error messages and/or full log output:

caddy  | {"level":"info","ts":1670144172.705275,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
caddy  | {"level":"info","ts":1670144172.7075498,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
caddy  | {"level":"info","ts":1670144172.7081594,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
caddy  | {"level":"info","ts":1670144172.7082477,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
caddy  | {"level":"debug","ts":1670144172.7090368,"logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}
caddy  | {"level":"info","ts":1670144172.7091339,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
caddy  | {"level":"info","ts":1670144172.7092092,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
caddy  | {"level":"info","ts":1670144172.7093208,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details."}
caddy  | {"level":"debug","ts":1670144172.7094316,"logger":"http","msg":"starting server loop","address":"[::]:443","tls":true,"http3":true}
caddy  | {"level":"info","ts":1670144172.7094991,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
caddy  | {"level":"info","ts":1670144172.709533,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["*.example.com"]}
caddy  | {"level":"info","ts":1670144172.7098174,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
caddy  | {"level":"info","ts":1670144172.7098746,"msg":"serving initial configuration"}
caddy  | {"level":"info","ts":1670144172.710552,"logger":"tls.obtain","msg":"acquiring lock","identifier":"*.example.com"}
caddy  | {"level":"info","ts":1670144172.713003,"logger":"tls.obtain","msg":"lock acquired","identifier":"*.example.com"}
caddy  | {"level":"info","ts":1670144172.7146335,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"*.example.com"}
caddy  | {"level":"debug","ts":1670144172.7148502,"logger":"events","msg":"event","name":"cert_obtaining","id":"2496d076-0d52-44b5-95bc-97a61aa7c499","origin":"tls","data":{"identifier":"*.example.com"}}
caddy  | {"level":"debug","ts":1670144172.7152817,"logger":"tls.obtain","msg":"trying issuer 1/2","issuer":"acme-v02.api.letsencrypt.org-directory"}
caddy  | {"level":"info","ts":1670144172.7157884,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["*.example.com"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"email"}
caddy  | {"level":"info","ts":1670144172.7158778,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["*.example.com"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"email"}
caddy  | {"level":"info","ts":1670144172.7176874,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0002532d0"}
caddy  | {"level":"info","ts":1670144172.7178473,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
caddy  | {"level":"info","ts":1670144172.7179127,"logger":"tls","msg":"finished cleaning storage units"}
caddy  | {"level":"debug","ts":1670144173.5733871,"logger":"http.acme_client","msg":"http request","method":"GET","url":"https://acme-v02.api.letsencrypt.org/directory","headers":{"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["659"],"Content-Type":["application/json"],"Date":["Sun, 04 Dec 2022 08:56:13 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
caddy  | {"level":"debug","ts":1670144173.8418436,"logger":"http.acme_client","msg":"http request","method":"HEAD","url":"https://acme-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Sun, 04 Dec 2022 08:56:13 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["371CxwkP3PDa7uBPJrGdJT3FeqemOvGYNCu6vKBvfNC0NJQ"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
caddy  | {"level":"debug","ts":1670144174.3117144,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["855247577"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["340"],"Content-Type":["application/json"],"Date":["Sun, 04 Dec 2022 08:56:14 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/order/855247577/150209150817"],"Replay-Nonce":["C878Q6xZ-KQ25xu-xpg0NnVqiYHrP9XFyUWfPd7B0LSlDOs"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}
caddy  | {"level":"debug","ts":1670144174.5961976,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/183773519017","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["855247577"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["387"],"Content-Type":["application/json"],"Date":["Sun, 04 Dec 2022 08:56:14 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["1DFAWXosm7glbSlR4iQU-2LASXS-uLMx9SQafh_mwpKZwRI"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
caddy  | {"level":"info","ts":1670144174.5965059,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"*.example.com","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
caddy  | {"level":"debug","ts":1670144175.7504728,"logger":"http.acme_client","msg":"waiting for solver before continuing","identifier":"*.example.com","challenge_type":"dns-01"}
caddy  | {"level":"debug","ts":1670144177.7578695,"logger":"http.acme_client","msg":"done waiting for solver","identifier":"*.example.com","challenge_type":"dns-01"}
caddy  | {"level":"debug","ts":1670144178.405722,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/183773519017","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["855247577"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["391"],"Content-Type":["application/json"],"Date":["Sun, 04 Dec 2022 08:56:18 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["5CA2520DfB0HqcRAKle_cbXufLyE2020bhWC7NU1YSWottY"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
caddy  | {"level":"error","ts":1670144178.4064107,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.example.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[*.example.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of \"_acme-challenge.example.com\": could not determine authoritative nameservers (order=https://acme-v02.api.letsencrypt.org/acme/order/855247577/150209150817) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
caddy  | {"level":"debug","ts":1670144178.406548,"logger":"tls.obtain","msg":"trying issuer 2/2","issuer":"acme.zerossl.com-v2-DV90"}
caddy  | {"level":"info","ts":1670144178.407191,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["*.example.com"],"ca":"https://acme.zerossl.com/v2/DV90","account":"email"}
caddy  | {"level":"info","ts":1670144178.4073071,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["*.example.com"],"ca":"https://acme.zerossl.com/v2/DV90","account":"email"}
caddy  | {"level":"debug","ts":1670144179.313984,"logger":"http.acme_client","msg":"http request","method":"GET","url":"https://acme.zerossl.com/v2/DV90","headers":{"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Content-Length":["645"],"Content-Type":["application/json"],"Date":["Sun, 04 Dec 2022 08:56:19 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
caddy  | {"level":"debug","ts":1670144182.463191,"logger":"http.acme_client","msg":"http request","method":"HEAD","url":"https://acme.zerossl.com/v2/DV90/newNonce","headers":{"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Type":["application/octet-stream"],"Date":["Sun, 04 Dec 2022 08:56:22 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["U3wJTm4Hi8vCeupjIc4V3yakrZyVC9yYoDfRk8RuU4A"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
caddy  | {"level":"debug","ts":1670144185.3027523,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/newOrder","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["277"],"Content-Type":["application/json"],"Date":["Sun, 04 Dec 2022 08:56:25 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/TPsJJijAdLT4f6L1OnhC0g"],"Replay-Nonce":["fIhsxT3ERMkGGhmeELKfK4NaVTSUA000n7tAuRaRSrs"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":201}
caddy  | {"level":"debug","ts":1670144186.7797742,"logger":"events","msg":"event","name":"tls_get_certificate","id":"c0a187dd-d248-4cab-a790-b171fd3b320d","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,49195,49199,52393,52392,159,158,52394,49327,49325,49326,49324,49188,49192,49187,49191,49162,49172,49161,49171,49315,49311,49314,49310,107,103,57,51,157,156,49313,49309,49312,49308,61,60,53,47,255],"ServerName":"example.com","SupportedCurves":[29,23,30,25,24],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,515,769,513,770,514,1026,1282,1538],"SupportedProtos":["http/1.1"],"SupportedVersions":[772,771],"Conn":{}}}}
caddy  | {"level":"debug","ts":1670144186.7801962,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"example.com"}
caddy  | {"level":"debug","ts":1670144186.7802448,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.codes"}
caddy  | {"level":"debug","ts":1670144186.7802627,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*"}
caddy  | {"level":"debug","ts":1670144186.7802813,"logger":"tls.handshake","msg":"all external certificate managers yielded no certificates and no errors","remote_ip":"111.92.73.21","remote_port":"37206","sni":"example.com"}
caddy  | {"level":"debug","ts":1670144186.7807474,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"111.92.73.21","remote_port":"37206","server_name":"example.com","remote":"111.92.73.21:37206","identifier":"example.com","cipher_suites":[4866,4867,4865,49196,49200,49195,49199,52393,52392,159,158,52394,49327,49325,49326,49324,49188,49192,49187,49191,49162,49172,49161,49171,49315,49311,49314,49310,107,103,57,51,157,156,49313,49309,49312,49308,61,60,53,47,255],"cert_cache_fill":0,"load_if_necessary":true,"obtain_if_necessary":true,"on_demand":false}
caddy  | {"level":"debug","ts":1670144186.7813444,"logger":"http.stdlib","msg":"http: TLS handshake error from 111.92.73.21:37206: no certificate available for 'example.com'"}
caddy  | {"level":"debug","ts":1670144187.5308483,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/FsR6aJRvrr17hHbfzrwA1Q","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["297"],"Content-Type":["application/json"],"Date":["Sun, 04 Dec 2022 08:56:27 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["yMjZ38HYQakwdBkF4FBQDdz2hx0PTg-QvoHOqRLsc98"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
caddy  | {"level":"info","ts":1670144187.5315335,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"*.example.com","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
caddy  | {"level":"debug","ts":1670144187.8813767,"logger":"http.acme_client","msg":"waiting for solver before continuing","identifier":"*.example.com","challenge_type":"dns-01"}
caddy  | {"level":"debug","ts":1670144189.8891122,"logger":"http.acme_client","msg":"done waiting for solver","identifier":"*.example.com","challenge_type":"dns-01"}
caddy  | {"level":"debug","ts":1670144193.37542,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/FsR6aJRvrr17hHbfzrwA1Q","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["141"],"Content-Type":["application/json"],"Date":["Sun, 04 Dec 2022 08:56:33 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["82Dc4wC1SMHXHqViG3k-ek2NIsIsrUpPBy8j_1XuadY"],"Retry-After":["86400"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
caddy  | {"level":"error","ts":1670144193.3755624,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.example.com","issuer":"acme.zerossl.com-v2-DV90","error":"[*.example.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of \"_acme-challenge.example.com\": could not determine authoritative nameservers (order=https://acme.zerossl.com/v2/DV90/order/TPsJJijAdLT4f6L1OnhC0g) (ca=https://acme.zerossl.com/v2/DV90)"}
caddy  | {"level":"debug","ts":1670144193.3756192,"logger":"events","msg":"event","name":"cert_failed","id":"c68fbbd7-b9dd-471b-91df-c56080a20f05","origin":"tls","data":{"error":{},"identifier":"*.example.com","issuers":["acme-v02.api.letsencrypt.org-directory","acme.zerossl.com-v2-DV90"],"renewal":false}}
caddy  | {"level":"error","ts":1670144193.3756602,"logger":"tls.obtain","msg":"will retry","error":"[*.example.com] Obtain: [*.example.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of \"_acme-challenge.example.com\": could not determine authoritative nameservers (order=https://acme.zerossl.com/v2/DV90/order/TPsJJijAdLT4f6L1OnhC0g) (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":20.662508228,"max_duration":2592000}
caddy  | {"level":"debug","ts":1670144248.6258576,"logger":"events","msg":"event","name":"tls_get_certificate","id":"5e06f99a-55e9-4eea-b3e4-7b343683fdce","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,49195,49199,52393,52392,159,158,52394,49327,49325,49326,49324,49188,49192,49187,49191,49162,49172,49161,49171,49315,49311,49314,49310,107,103,57,51,157,156,49313,49309,49312,49308,61,60,53,47,255],"ServerName":"example.com","SupportedCurves":[29,23,30,25,24],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,515,769,513,770,514,1026,1282,1538],"SupportedProtos":["http/1.1"],"SupportedVersions":[772,771],"Conn":{}}}}
caddy  | {"level":"debug","ts":1670144248.6259162,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"example.com"}
caddy  | {"level":"debug","ts":1670144248.6259243,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.codes"}
caddy  | {"level":"debug","ts":1670144248.6259267,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*"}
caddy  | {"level":"debug","ts":1670144248.6259303,"logger":"tls.handshake","msg":"all external certificate managers yielded no certificates and no errors","remote_ip":"111.92.73.21","remote_port":"38064","sni":"example.com"}
caddy  | {"level":"debug","ts":1670144248.6259344,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"111.92.73.21","remote_port":"38064","server_name":"example.com","remote":"111.92.73.21:38064","identifier":"example.com","cipher_suites":[4866,4867,4865,49196,49200,49195,49199,52393,52392,159,158,52394,49327,49325,49326,49324,49188,49192,49187,49191,49162,49172,49161,49171,49315,49311,49314,49310,107,103,57,51,157,156,49313,49309,49312,49308,61,60,53,47,255],"cert_cache_fill":0,"load_if_necessary":true,"obtain_if_necessary":true,"on_demand":false}
caddy  | {"level":"debug","ts":1670144248.6259978,"logger":"http.stdlib","msg":"http: TLS handshake error from 111.92.73.21:38064: no certificate available for 'example.com'"}
caddy  | {"level":"info","ts":1670144253.3760183,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"*.example.com"}
caddy  | {"level":"debug","ts":1670144253.3760788,"logger":"events","msg":"event","name":"cert_obtaining","id":"1a60c674-d956-461c-90f6-8ef1501f4462","origin":"tls","data":{"identifier":"*.example.com"}}
caddy  | {"level":"debug","ts":1670144253.37637,"logger":"tls.obtain","msg":"trying issuer 1/2","issuer":"acme-v02.api.letsencrypt.org-directory"}
caddy  | {"level":"debug","ts":1670144254.1766593,"logger":"http.acme_client","msg":"http request","method":"GET","url":"https://acme-staging-v02.api.letsencrypt.org/directory","headers":{"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["830"],"Content-Type":["application/json"],"Date":["Sun, 04 Dec 2022 08:57:34 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
caddy  | {"level":"debug","ts":1670144254.4285743,"logger":"http.acme_client","msg":"http request","method":"HEAD","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Sun, 04 Dec 2022 08:57:34 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["7F3CiQzRG88tVwrZR-lt0QNOQ2XiL2DecWk4nKBRCh_dPeQ"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
caddy  | {"level":"debug","ts":1670144254.732994,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["78454884"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["351"],"Content-Type":["application/json"],"Date":["Sun, 04 Dec 2022 08:57:34 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/order/78454884/5634113794"],"Replay-Nonce":["8F05OPpwZfqGulsryqrHI8IYp3oKicd5wOqHnMn7fFHfm_0"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}
caddy  | {"level":"debug","ts":1670144254.9886522,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/4529784124","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["78454884"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["393"],"Content-Type":["application/json"],"Date":["Sun, 04 Dec 2022 08:57:34 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["BEB9DxOe4w2G6MPpJPhoLnjqE19JauRo0l6cE0YGBV4pjzs"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
caddy  | {"level":"info","ts":1670144254.9893289,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"*.example.com","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
caddy  | {"level":"debug","ts":1670144255.3840158,"logger":"http.acme_client","msg":"waiting for solver before continuing","identifier":"*.example.com","challenge_type":"dns-01"}
caddy  | {"level":"debug","ts":1670144257.3915486,"logger":"http.acme_client","msg":"done waiting for solver","identifier":"*.example.com","challenge_type":"dns-01"}
caddy  | {"level":"debug","ts":1670144258.0481255,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/4529784124","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["78454884"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["397"],"Content-Type":["application/json"],"Date":["Sun, 04 Dec 2022 08:57:37 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["7F3CuRZSohDteqnzOpTOyHuuFD4O9sbmEKPUO1oZyF2IX-Q"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
caddy  | {"level":"error","ts":1670144258.0488505,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.example.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[*.example.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of \"_acme-challenge.example.com\": could not determine authoritative nameservers (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/78454884/5634113794) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
caddy  | {"level":"debug","ts":1670144258.0491629,"logger":"tls.obtain","msg":"trying issuer 2/2","issuer":"acme.zerossl.com-v2-DV90"}
caddy  | {"level":"debug","ts":1670144260.1745253,"logger":"http.acme_client","msg":"http request","method":"HEAD","url":"https://acme.zerossl.com/v2/DV90/newNonce","headers":{"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Type":["application/octet-stream"],"Date":["Sun, 04 Dec 2022 08:57:40 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["J37A2QvOr2YqrVFlPEF_pxJH-lhLT85PdugtqRTspUk"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
caddy  | {"level":"debug","ts":1670144262.7259126,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/newOrder","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["277"],"Content-Type":["application/json"],"Date":["Sun, 04 Dec 2022 08:57:42 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/giHSIM8Fy1QmJLJtvPQ_og"],"Replay-Nonce":["gvSIs4kE3d7cTy4V-7RL6D0EYXk4TQP7sMyDcPcW51A"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":201}
caddy  | {"level":"debug","ts":1670144264.6616774,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/GCbREmms5B0QW6oDCg7ebQ","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["297"],"Content-Type":["application/json"],"Date":["Sun, 04 Dec 2022 08:57:44 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["7FoG65N-GSGt7Mumusf4WahyQ6DprWoqS1Deyb0EVhs"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
caddy  | {"level":"info","ts":1670144264.6618307,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"*.example.com","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
caddy  | {"level":"debug","ts":1670144264.969919,"logger":"http.acme_client","msg":"waiting for solver before continuing","identifier":"*.example.com","challenge_type":"dns-01"}
caddy  | {"level":"debug","ts":1670144266.976503,"logger":"http.acme_client","msg":"done waiting for solver","identifier":"*.example.com","challenge_type":"dns-01"}
caddy  | {"level":"debug","ts":1670144269.9554064,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/GCbREmms5B0QW6oDCg7ebQ","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["141"],"Content-Type":["application/json"],"Date":["Sun, 04 Dec 2022 08:57:49 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["HLv167rFu9dc6NO1tWSFFFt7lYK3LwZhbBiBkKLCafg"],"Retry-After":["86400"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
caddy  | {"level":"error","ts":1670144269.9555976,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.example.com","issuer":"acme.zerossl.com-v2-DV90","error":"[*.example.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of \"_acme-challenge.example.com\": could not determine authoritative nameservers (order=https://acme.zerossl.com/v2/DV90/order/giHSIM8Fy1QmJLJtvPQ_og) (ca=https://acme.zerossl.com/v2/DV90)"}
caddy  | {"level":"debug","ts":1670144269.9556508,"logger":"events","msg":"event","name":"cert_failed","id":"00a985c5-7af7-4bad-ab97-5d776793018e","origin":"tls","data":{"error":{},"identifier":"*.example.com","issuers":["acme-v02.api.letsencrypt.org-directory","acme.zerossl.com-v2-DV90"],"renewal":false}}
caddy  | {"level":"error","ts":1670144269.9556775,"logger":"tls.obtain","msg":"will retry","error":"[*.example.com] Obtain: [*.example.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of \"_acme-challenge.example.com\": could not determine authoritative nameservers (order=https://acme.zerossl.com/v2/DV90/order/giHSIM8Fy1QmJLJtvPQ_og) (ca=https://acme.zerossl.com/v2/DV90)","attempt":2,"retrying_in":120,"elapsed":97.242523567,"max_duration":2592000}

5. What I already tried:

I’ve checked if there is a TXT record automatically popping up in the DigitalOcean console and it isn’t.

6. Links to relevant resources:

caddy | {"level":"info","ts":1670144172.7093208,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details."}
→ seems there is a need to increase the buffer?

caddy | {"level":"info","ts":1670144172.709533,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["*.example.com"]}
→ wrong domain setup?

caddy | {"level":"debug","ts":1670144186.7813444,"logger":"http.stdlib","msg":"http: TLS handshake error from 111.92.73.21:37206: no certificate available for 'example.com'"}
→ I think you put a wrong domain in the Caddyfile, no?

*.example.com {
        tls email

        @cd host cd.example.com
        handle @cd {
                reverse_proxy localhost:5000
        }
}

You need to set up your own real domain here :stuck_out_tongue:
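An added example, not part of the original thread: a Python triage script that reads Caddy's JSON log lines in the `docker compose` format shown above, extracts each failed issuance with the DNS record and reason, and lists SNI names that no managed name covers (a `*.example.com` wildcard matches exactly one leftmost label, so the apex `example.com` is not covered). The sample lines are constructed by abridging the log above, with a placeholder order URL and a documentation IP address; all function names are this example's own.

```python
import json
import re

# Constructed sample: abridged from the log in this thread, with a placeholder
# order URL, a documentation IP address, and two deliberately unparsable lines.
SAMPLE_LOG = r'''
caddy  | {"level":"info","ts":1670144172.709533,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["*.example.com"]}
caddy  | {"level":"info","ts":1670144174.5965059,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"*.example.com","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
caddy  | {"level":"error","ts":1670144178.4064107,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.example.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[*.example.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of \"_acme-challenge.example.com\": could not determine authoritative nameservers (order=https://acme.invalid/order/PLACEHOLDER) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
caddy  | {"level":"debug","ts":1670144186.7813444,"logger":"http.stdlib","msg":"http: TLS handshake error from 192.0.2.10:37206: no certificate available for 'example.com'"}
caddy  | {"level":"debug","ts":16701
caddy  | plain text line that is not JSON
'''

PROPAGATION = re.compile(r'checking DNS propagation of "([^"]+)": (.+?)(?: \(order=|$)')
SNI_MISS = re.compile(r"no certificate available for '([^']+)'")


def parse_lines(text):
    """Yield decoded JSON records; drop the compose prefix and unparsable lines."""
    for line in text.splitlines():
        start = line.find("{")  # the "caddy  | " prefix never contains a brace
        if start < 0:
            continue
        try:
            yield json.loads(line[start:])
        except json.JSONDecodeError:
            continue  # truncated or wrapped line


def covered(name, managed):
    """True if `name` is served by a managed name; '*' stands for one label only."""
    name = name.lower().rstrip(".")
    for pattern in managed:
        pattern = pattern.lower().rstrip(".")
        if pattern == name:
            return True
        if pattern.startswith("*.") and "." in name:
            if name.split(".", 1)[1] == pattern[2:]:
                return True
    return False


def triage(text):
    """Summarise managed names, challenge types, issuance failures and uncovered SNI."""
    managed, failures, challenge_types, sni_seen = [], [], set(), set()
    for rec in parse_lines(text):
        logger, msg = rec.get("logger", ""), rec.get("msg", "")
        if msg == "enabling automatic TLS certificate management":
            managed.extend(rec.get("domains", []))
        elif logger == "http.acme_client" and msg == "trying to solve challenge":
            challenge_types.add(rec.get("challenge_type", "?"))
        elif logger == "tls.obtain" and msg == "could not get certificate from issuer":
            err = rec.get("error", "")
            m = PROPAGATION.search(err)
            failures.append({
                "identifier": rec.get("identifier"),
                "issuer": rec.get("issuer"),
                "record": m.group(1) if m else None,
                "reason": m.group(2) if m else err,
            })
        elif logger == "http.stdlib":
            m = SNI_MISS.search(msg)
            if m:
                sni_seen.add(m.group(1))
    return {
        "managed": managed,
        "challenge_types": sorted(challenge_types),
        "failures": failures,
        # Handshake failures that are a coverage gap, not an issuance failure.
        "sni_not_covered": sorted(n for n in sni_seen if not covered(n, managed)),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

To run it against a live container, replace `SAMPLE_LOG` with the captured output of `docker compose logs caddy`.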

You need to set up your own real domain here :stuck_out_tongue:

The domains, API keys etc. were changed before posting here.

How do I do that?
Caddy is running on a DigitalOcean VPS

Ok… good point indeed :stuck_out_tongue:

Try something like this:

{
	auto_https disable_redirects
	acme_dns digitalocean TOKEN

	http_port 80
	https_port 443

	email email

	servers :443 {
		protocols h1 h2 h3
		listener_wrappers {
			http_redirect
			tls
		}
	}

	servers :80 {
		protocols h1 h2 h3
	}
}

*.example.com {
	tls {
		# the DNS provider module is named "digitalocean", as in acme_dns above
		dns digitalocean TOKEN
	}

	@cd host cd.example.com
	handle @cd {
		reverse_proxy localhost:5000 {
			#trusted_proxies #if needed
			# header_up is a direct subdirective of reverse_proxy (no "header" wrapper, no "defer")
			header_up Host {host}
			# pass the client address, not the Host value, to the backend
			header_up X-Real-IP {remote_host}
			header_up X-Forwarded-For {remote_host}
			# Host, X-Real-IP and X-Forwarded-For are request headers, so no header_down lines
		}
	}
}

Nope. I’m still getting the same error.

caddy  | {"level":"info","ts":1670165137.2473648,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
caddy  | {"level":"warn","ts":1670165137.2489276,"msg":"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":4}
caddy  | {"level":"info","ts":1670165137.2507694,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
caddy  | {"level":"info","ts":1670165137.2529573,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
caddy  | {"level":"warn","ts":1670165137.2540307,"logger":"http","msg":"automatic HTTP->HTTPS redirects are disabled","server_name":"srv0"}
caddy  | {"level":"info","ts":1670165137.2561553,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
caddy  | {"level":"info","ts":1670165137.2577507,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
caddy  | {"level":"info","ts":1670165137.2582815,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["*.example.com"]}
caddy  | {"level":"info","ts":1670165137.258634,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
caddy  | {"level":"info","ts":1670165137.2592487,"msg":"serving initial configuration"}
caddy  | {"level":"info","ts":1670165137.2612822,"logger":"tls.obtain","msg":"acquiring lock","identifier":"*.example.com"}
caddy  | {"level":"info","ts":1670165137.2664287,"logger":"tls.obtain","msg":"lock acquired","identifier":"*.example.com"}
caddy  | {"level":"info","ts":1670165137.2667558,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"*.example.com"}
caddy  | {"level":"info","ts":1670165137.267963,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["*.example.com"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"email@example.com"}
caddy  | {"level":"info","ts":1670165137.2681,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["*.example.com"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"email@example.com"}
caddy  | {"level":"info","ts":1670165137.2711012,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000189420"}
caddy  | {"level":"info","ts":1670165137.2712867,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
caddy  | {"level":"info","ts":1670165137.2713506,"logger":"tls","msg":"finished cleaning storage units"}
caddy  | {"level":"info","ts":1670165138.9560807,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"*.example.com","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
caddy  | {"level":"error","ts":1670165142.0029848,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.example.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[*.example.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of \"_acme-challenge.example.com\": could not determine authoritative nameservers (order=https://acme-v02.api.letsencrypt.org/acme/order/855247577/150283882727) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
caddy  | {"level":"info","ts":1670165142.00324,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["*.example.com"],"ca":"https://acme.zerossl.com/v2/DV90","account":"email@example.com"}
caddy  | {"level":"info","ts":1670165142.0032485,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["*.example.com"],"ca":"https://acme.zerossl.com/v2/DV90","account":"email@example.com"}
caddy  | {"level":"info","ts":1670165144.9866922,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"*.example.com","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
caddy  | {"level":"error","ts":1670165148.4614394,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.example.com","issuer":"acme.zerossl.com-v2-DV90","error":"[*.example.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of \"_acme-challenge.example.com\": could not determine authoritative nameservers (order=https://acme.zerossl.com/v2/DV90/order/urH74kuX6mV-Q0JN4n6Q1A) (ca=https://acme.zerossl.com/v2/DV90)"}
caddy  | {"level":"error","ts":1670165148.4621522,"logger":"tls.obtain","msg":"will retry","error":"[*.example.com] Obtain: [*.example.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of \"_acme-challenge.example.com\": could not determine authoritative nameservers (order=https://acme.zerossl.com/v2/DV90/order/urH74kuX6mV-Q0JN4n6Q1A) (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":11.195555707,"max_duration":2592000}

I have also tried increasing the maximum buffer size as described in UDP Receive Buffer Size · lucas-clemente/quic-go Wiki · GitHub

I’m not using this setup.
But I read that you should use staging LE servers until you’re ready for production.
Did you try?

I switched from Traefik to Caddy and already had a complete setup…
Just need to adapt logic :stuck_out_tongue:

Are you sure your CA is ZeroSSL ?

Looks like you may have a DNS misconfiguration, no authoritative nameservers. Unfortunately you have redacted your domains, so we cannot help you. (That is why it is against our rules to do so.) All we can do is guess.

Well, if that’s the case, it’s rithask.codes

You might want to add - "443:443/udp" for HTTP/3 support.

And mind this warning to make sure performance is optimal (to be done on your host machine).

This problem usually means that Caddy isn’t able to make DNS requests to check that your TXT record is actually written correctly (i.e. propagation checks). Maybe your system’s DNS resolver is preventing it from seeing what the “public” sees.

To work around this, you can either set a different set of resolvers for Caddy to use (e.g. 1.1.1.1 for CloudFlare’s DNS resolver or 8.8.8.8 for Google’s):

tls your@email.com {
	resolvers 1.1.1.1
}

Or you can turn off propagation checks with this verbose bit of config:

tls {
	issuer acme {
		propagation_timeout -1
	}
	issuer zerossl {
		propagation_timeout -1
	}
}

Both issuers need to be configured for now to retain Caddy’s issuer fallback behaviour – there’s no propagation_timeout top-level option in tls currently, it’s only inside the issuer config for now. We’ll eventually improve this.

@Kraoc unfortunately, your comment is misleading.

There’s no need for this; avoid using config that just overwrites the defaults with themselves.

This doesn’t make sense – h2 and h3 both require TLS, so it’s not possible for anything other than h1 to work on port :80. Either way, Caddy sets this up correctly by default. Remove this.

Similarly, protocols is useless here, because that just overwrites the defaults, with the defaults.

And you probably don’t need http_redirect, unless you specifically have a reason to turn it on. Do you expect clients to actually make HTTP requests to your 443 port? That should never happen, unless someone writes http://yourdomain.com:443 in their HTTP client… which is very very strange in the first place.

So just remove that entire chunk.

Why disable redirects? That’s generally not helpful.

None of the header stuff makes sense here.

The reverse_proxy directive doesn’t support header, it only supports header_up and header_down. It also doesn’t support defer; that’s a feature of the header directive (which is separate from reverse_proxy altogether).

And either way, Caddy already sets the appropriate proxy headers by default. It’s not good to blindly set headers like this, unless you understand the implications. See the docs:
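Added example, not part of the original thread: a small Python triage over Caddy's JSON log that extracts the DNS-01 propagation-check failures discussed above and shows that both issuers stopped at Caddy's own pre-check rather than at the CA. The sample lines are constructed from the log format posted in this thread (order URLs omitted), and the function names and verdict strings are this example's own.

```python
import json
import re
from collections import defaultdict

# Constructed sample: abridged lines in the docker compose + Caddy JSON format from this thread.
SAMPLE_LOG = r'''
caddy  | {"level":"info","ts":1.0,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"*.example.com"}
caddy  | {"level":"error","ts":2.0,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.example.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[*.example.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of \"_acme-challenge.example.com\": could not determine authoritative nameservers"}
caddy  | {"level":"error","ts":3.0,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.example.com","issuer":"acme.zerossl.com-v2-DV90","error":"[*.example.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of \"_acme-challenge.example.com\": could not determine authoritative nameservers"}
caddy  | {truncated line that is not valid JSON
'''

# Pulls the challenge record and the failure reason out of the propagation-check error text.
PROPAGATION = re.compile(r'checking DNS propagation of "([^"]+)": (.+?)(?: \(order=|$)')

def parse_lines(text):
    """Yield decoded JSON entries, dropping the compose prefix and undecodable lines."""
    for line in text.splitlines():
        start = line.find("{")
        if start < 0:
            continue
        try:
            yield json.loads(line[start:])
        except json.JSONDecodeError:
            continue

def triage(text):
    """Group per-issuer failures by identifier and say where issuance stopped."""
    failures = defaultdict(list)
    for entry in parse_lines(text):
        if entry.get("logger") != "tls.obtain" or "issuer" not in entry:
            continue
        m = PROPAGATION.search(entry.get("error", ""))
        record, reason = (m.group(1), m.group(2)) if m else (None, entry.get("error", ""))
        failures[entry["identifier"]].append((entry["issuer"], record, reason))
    report = {}
    for ident, items in failures.items():
        # All issuers failing in the local pre-check points at the host's DNS view, not at a CA.
        local = all(record is not None for _, record, _ in items)
        report[ident] = {
            "issuers": [issuer for issuer, _, _ in items],
            "records": sorted({record for _, record, _ in items if record}),
            "reasons": sorted({reason for _, _, reason in items}),
            "verdict": "check resolvers / zone delegation" if local else "inspect CA response",
        }
    return report

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```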

You are totally right! And thank you for correcting my conf :slight_smile:
I did like you said and it works normally.
It seems a little throughput but maybe placebo feeling ?
