Wildcard Domains aren't being made or I am an idiot

1. Caddy version ("whatever the latest docker image has"):

2. How I run Caddy:

a. System environment:

Docker, latest, built with cloudflare dns thing as per the docs using a custom Dockerfile and xcaddy

b. Command:

docker-compose up --build

c. Service/unit/compose file:

Dockerfile

FROM caddy:builder AS builder

RUN xcaddy build --with github.com/caddy-dns/cloudflare

FROM caddy

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

CMD caddy run --config /etc/caddy/Caddyfile --watch --adapter caddyfile 2>&1 | tee /etc/caddy/log.txt

(outputting with tee so I can get a log file)


docker-compose.yml

version: "3"

services:
    caddy:
        build: ./CaddyCustom
        volumes:
            - ./caddy/etc/caddy:/etc/caddy
            - ./caddy/data:/data
            - ./caddy/config:/config
        ports:
            - 80:80
            - 443:443
        restart: unless-stopped

d. My complete Caddyfile or JSON config:

{
    email <--redacted-->
    #acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}

wiki.domain.com {
    # tls /etc/caddy/pem/origin.pem /etc/caddy/pem/private.pem # << This works
    tls {
        dns cloudflare <--redacted--> # << this doesn't
    }
    reverse_proxy bookstack:80
    handle_errors {
        rewrite * /{http.error.status_code}
        reverse_proxy https://http.cat {
            header_up Host http.cat
        }
    }
}

test.domain.com {
    tls {
        dns cloudflare <--redacted-->
    }
    file_server
}

3. The problem I’m having:

Trying to get wildcards working, they aren’t generating from what I can tell and aren’t doing anything apart from generating the error. I followed the linked steps below (“A”) but still nothing.

4. Error messages and/or full log output:

{"level":"warn","ts":1619668274.8755121,"msg":"input is not formatted with 'caddy fmt'","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":1}
{"level":"info","ts":1619668274.8786607,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
{"level":"info","ts":1619668274.8793182,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1619668274.8794076,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1619668274.8805974,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["wiki.domain.com","test.domain.com"]}
{"level":"info","ts":1619668274.8829772,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1619668274.884096,"msg":"serving initial configuration"}
{"level":"info","ts":1619668274.8842986,"logger":"watcher","msg":"watching config file for changes","config_file":"/etc/caddy/Caddyfile"}
{"level":"info","ts":1619668274.8836048,"logger":"tls.obtain","msg":"acquiring lock","identifier":"wiki.domain.com"}
{"level":"info","ts":1619668274.8839924,"logger":"tls.obtain","msg":"acquiring lock","identifier":"test.domain.com"}
{"level":"info","ts":1619668274.8820753,"logger":"tls","msg":"cleaned up storage units"}
{"level":"info","ts":1619668274.8808472,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00025e150"}
2021/04/29 03:51:17 [INFO][FileStorage:/data/caddy] Lock for 'issue_cert_test.domain.com' is stale (created: 2021-04-29 03:50:00.202711567 +0000 UTC, last update: 2021-04-29 03:51:06.945757249 +0000 UTC); removing then retrying: /data/caddy/locks/issue_cert_test.domain.com.lock
{"level":"info","ts":1619668277.912262,"logger":"tls.obtain","msg":"lock acquired","identifier":"test.domain.com"}
{"level":"info","ts":1619668277.9457374,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["test.domain.com"]}
{"level":"info","ts":1619668277.9457736,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["test.domain.com"]}
{"level":"info","ts":1619668279.505964,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"test.domain.com","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
2021/04/29 03:51:19 [INFO][FileStorage:/data/caddy] Lock for 'issue_cert_wiki.domain.com' is stale (created: 2021-04-29 03:49:59.19981844 +0000 UTC, last update: 2021-04-29 03:51:09.373793417 +0000 UTC); removing then retrying: /data/caddy/locks/issue_cert_wiki.domain.com.lock
{"level":"info","ts":1619668279.955273,"logger":"tls.obtain","msg":"lock acquired","identifier":"wiki.domain.com"}
{"level":"info","ts":1619668279.9568436,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["wiki.domain.com"]}
{"level":"info","ts":1619668279.9571512,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["wiki.domain.com"]}
{"level":"info","ts":1619668281.21307,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"wiki.domain.com","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"info","ts":1619668284.1072655,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["wiki.domain.com"]}
{"level":"info","ts":1619668284.1073608,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["wiki.domain.com"]}
{"level":"info","ts":1619668286.0126152,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"wiki.domain.com","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"error","ts":1619668289.2018769,"logger":"tls.obtain","msg":"will retry","error":"[wiki.domain.com] Obtain: [wiki.domain.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of _acme-challenge.wiki.domain.com: NS phil.ns.cloudflare.com. returned REFUSED for _acme-challenge.wiki.domain.com. (order=https://acme.zerossl.com/v2/DV90/order/mQeYryRURuD1chAKVqEyHg) (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":9.246294086,"max_duration":2592000}
{"level":"info","ts":1619668291.1182754,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["test.domain.com"]}
{"level":"info","ts":1619668291.1183445,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["test.domain.com"]}
{"level":"info","ts":1619668292.6809037,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"test.domain.com","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"error","ts":1619668295.5867183,"logger":"tls.obtain","msg":"will retry","error":"[test.domain.com] Obtain: [test.domain.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of _acme-challenge.test.domain.com: NS phil.ns.cloudflare.com. returned REFUSED for _acme-challenge.test.domain.com. (order=https://acme.zerossl.com/v2/DV90/order/lmo8JVF1mOy-CRj08zVDzw) (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":17.674382109,"max_duration":2592000}
{"level":"info","ts":1619668351.138572,"logger":"tls.issuance.acme.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/19295947/41170743"}
{"level":"info","ts":1619668351.656199,"logger":"tls.issuance.acme.acme_client","msg":"successfully downloaded available certificate chains","count":1,"first_url":"https://acme-staging-v02.api.letsencrypt.org/acme/cert/fa91fdd72c3720a96f7a73cd79fd714e12bd"}
{"level":"info","ts":1619668351.6573625,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["wiki.domain.com"]}
{"level":"info","ts":1619668351.6577225,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["wiki.domain.com"]}
{"level":"info","ts":1619668352.9289944,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"wiki.domain.com","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"info","ts":1619668356.8084202,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"test.domain.com","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"info","ts":1619668361.5195825,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"wiki.domain.com","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"info","ts":1619668363.3493235,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"test.domain.com","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"error","ts":1619668370.3838074,"logger":"tls.obtain","msg":"will retry","error":"[test.domain.com] Obtain: [test.domain.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of _acme-challenge.test.domain.com: NS phil.ns.cloudflare.com. returned REFUSED for _acme-challenge.test.domain.com. (order=https://acme.zerossl.com/v2/DV90/order/dC1VN7KeW2nh0vD5s7k5fw) (ca=https://acme.zerossl.com/v2/DV90)","attempt":2,"retrying_in":120,"elapsed":92.471471385,"max_duration":2592000}
{"level":"error","ts":1619668372.6230628,"logger":"tls.obtain","msg":"will retry","error":"[wiki.domain.com] Obtain: [wiki.domain.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of _acme-challenge.wiki.domain.com: NS phil.ns.cloudflare.com. returned REFUSED for _acme-challenge.wiki.domain.com. (order=https://acme.zerossl.com/v2/DV90/order/dnbaGpoDK3HvZ6UCkXuzRw) (ca=https://acme.zerossl.com/v2/DV90)","attempt":2,"retrying_in":120,"elapsed":92.667480405,"max_duration":2592000}
{"level":"info","ts":1619668491.6921206,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"test.domain.com","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"info","ts":1619668493.8739812,"logger":"tls.issuance.acme.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/19295947/41171801"}
{"level":"info","ts":1619668494.9127293,"logger":"tls.issuance.acme.acme_client","msg":"successfully downloaded available certificate chains","count":1,"first_url":"https://acme-staging-v02.api.letsencrypt.org/acme/cert/faa8610c36cb78d00f7271355445b5da4392"}
{"level":"info","ts":1619668494.9133801,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["wiki.domain.com"]}
{"level":"info","ts":1619668494.913435,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["wiki.domain.com"]}
{"level":"info","ts":1619668496.3977263,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"wiki.domain.com","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"info","ts":1619668502.389491,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"test.domain.com","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"info","ts":1619668502.9351425,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"wiki.domain.com","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"error","ts":1619668505.3221574,"logger":"tls.obtain","msg":"will retry","error":"[test.domain.com] Obtain: [test.domain.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of _acme-challenge.test.domain.com: NS phil.ns.cloudflare.com. returned REFUSED for _acme-challenge.test.domain.com. (order=https://acme.zerossl.com/v2/DV90/order/RKPmgA1kufntMPhVK2CIpg) (ca=https://acme.zerossl.com/v2/DV90)","attempt":3,"retrying_in":120,"elapsed":227.409821283,"max_duration":2592000}
{"level":"error","ts":1619668506.0611367,"logger":"tls.obtain","msg":"will retry","error":"[wiki.domain.com] Obtain: [wiki.domain.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of _acme-challenge.wiki.domain.com: NS phil.ns.cloudflare.com. returned REFUSED for _acme-challenge.wiki.domain.com. (order=https://acme.zerossl.com/v2/DV90/order/uhUuekaPYRuj66dkT6UhAw) (ca=https://acme.zerossl.com/v2/DV90)","attempt":3,"retrying_in":120,"elapsed":226.105554428,"max_duration":2592000}
{"level":"info","ts":1619668626.5759432,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"test.domain.com","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"info","ts":1619668627.3495274,"logger":"tls.issuance.acme.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/19295947/41172917"}
{"level":"info","ts":1619668628.0846784,"logger":"tls.issuance.acme.acme_client","msg":"successfully downloaded available certificate chains","count":1,"first_url":"https://acme-staging-v02.api.letsencrypt.org/acme/cert/fa52f1afeea894557253853ddff6ebfdf16b"}
{"level":"info","ts":1619668628.08533,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["wiki.domain.com"]}
{"level":"info","ts":1619668628.0854037,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["wiki.domain.com"]}
{"level":"info","ts":1619668629.5653732,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"wiki.domain.com","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"info","ts":1619668634.3027813,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"wiki.domain.com","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"info","ts":1619668635.4286656,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"test.domain.com","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"error","ts":1619668637.2494717,"logger":"tls.obtain","msg":"will retry","error":"[wiki.domain.com] Obtain: [wiki.domain.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of _acme-challenge.wiki.domain.com: NS phil.ns.cloudflare.com. returned REFUSED for _acme-challenge.wiki.domain.com. (order=https://acme.zerossl.com/v2/DV90/order/jOiTr2rT488kcgS3-w-_3g) (ca=https://acme.zerossl.com/v2/DV90)","attempt":4,"retrying_in":300,"elapsed":357.293889513,"max_duration":2592000}
{"level":"error","ts":1619668638.3663735,"logger":"tls.obtain","msg":"will retry","error":"[test.domain.com] Obtain: [test.domain.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of _acme-challenge.test.domain.com: NS phil.ns.cloudflare.com. returned REFUSED for _acme-challenge.test.domain.com. (order=https://acme.zerossl.com/v2/DV90/order/XHYDhwCmgetSf1JsCgfM2Q) (ca=https://acme.zerossl.com/v2/DV90)","attempt":4,"retrying_in":300,"elapsed":360.454037682,"max_duration":2592000}

5. What I already tried:

Googling everything I can think of, but I just can’t find a solid answer to “Setting up wildcard subdomains with Caddy and Cloudflare”

Origin cert works fine, but I don’t want to do that with my temporary domains.

Tried making a *.domain.com domain in cloudflare, and nothing

I just can’t work it out

6. Links to relevant resources:

A) selfhosted-apps-docker/caddy_v2 at master · DoTheEvo/selfhosted-apps-docker · GitHub
B) Docker Hub

Ah, right; there was a known issue with the cloudflare plugin, so depending on the version you ended up with from the build, you might have a broken one.

So run caddy version on your built container (or docker-compose exec caddy caddy version) and see what it shows you. If it’s v2.4.0-beta.1 then that’s the buggy version, if you have v2.4.0-beta.2 then it should be fine and the problem is something else. If you have v2.4.0-beta.1 then rebuild the container and you should get v2.4.0-beta.2.

returned REFUSED is not an error message I’ve seen before though, so that might be a misconfiguration of your domains on Cloudflare. Maybe your domain isn’t using the right name servers?

2 Likes

An example on how the domains or nameservers should be configured is needed, cause all I thought you had to do is not add any extra domains cause this wildcard thing should handle it.


update: some more configs and tests.

New Caddyfile:

{
    email <--redacted-->
    #acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}

wiki.domain.com {
    #tls /etc/caddy/pem/origin.pem /etc/caddy/pem/private.pem
    tls {
        dns cloudflare <--redacted-->
    }
    reverse_proxy bookstack:80
    handle_errors {
        rewrite * /{http.error.status_code}
        reverse_proxy https://http.cat {
            header_up Host http.cat
        }
    }
}

test.domain.com {
    tls {
        dns cloudflare <--redacted-->
    }
    file_server *
}

*.domain.com {
    tls {
        dns cloudflare <--redacted-->
    }
    file_server *
}

domain.com {
    tls {
        dns cloudflare <--redacted-->
    }
    file_server *
}

New Log (trimmed because of post length)

{"level":"info","ts":1619693691.1569462,"logger":"tls.issuance.acme.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/19295947/41395286"}
{"level":"info","ts":1619693693.2922103,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"agilly1989.xyz","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"info","ts":1619693695.9678893,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"*.agilly1989.xyz","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"info","ts":1619693697.6776714,"logger":"tls.issuance.acme.acme_client","msg":"successfully downloaded available certificate chains","count":1,"first_url":"https://acme-staging-v02.api.letsencrypt.org/acme/cert/fac1db362b0773ef4ee3fb306830bfd1b571"}
{"level":"info","ts":1619693697.6803377,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["test.agilly1989.xyz"]}
{"level":"info","ts":1619693697.6804132,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["test.agilly1989.xyz"]}
{"level":"info","ts":1619693698.9418333,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"test.agilly1989.xyz","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"info","ts":1619693699.1965206,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"agilly1989.xyz","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"info","ts":1619693703.46926,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"test.agilly1989.xyz","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"error","ts":1619693706.5029197,"logger":"tls.obtain","msg":"will retry","error":"[test.agilly1989.xyz] Obtain: [test.agilly1989.xyz] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of _acme-challenge.test.agilly1989.xyz: NS phil.ns.cloudflare.com. returned REFUSED for _acme-challenge.test.agilly1989.xyz. (order=https://acme.zerossl.com/v2/DV90/order/M7KTqonbJRPnsM_BWRos0A) (ca=https://acme.zerossl.com/v2/DV90)","attempt":4,"retrying_in":300,"elapsed":354.58701259,"max_duration":2592000}
{"level":"info","ts":1619693706.6095998,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"*.agilly1989.xyz","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"error","ts":1619693713.933668,"logger":"tls.obtain","msg":"will retry","error":"[agilly1989.xyz] Obtain: [agilly1989.xyz] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of _acme-challenge.agilly1989.xyz: NS phil.ns.cloudflare.com. returned REFUSED for _acme-challenge.agilly1989.xyz. (order=https://acme.zerossl.com/v2/DV90/order/uDgUgmVnnzb89de0bnXHtg) (ca=https://acme.zerossl.com/v2/DV90)","attempt":4,"retrying_in":300,"elapsed":364.003598818,"max_duration":2592000}
{"level":"error","ts":1619693718.773188,"logger":"tls.obtain","msg":"will retry","error":"[*.agilly1989.xyz] Obtain: [*.agilly1989.xyz] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of _acme-challenge.agilly1989.xyz: NS phil.ns.cloudflare.com. returned REFUSED for _acme-challenge.agilly1989.xyz. (order=https://acme.zerossl.com/v2/DV90/order/gf8rxUSPJSJ2W_6eGEohhA) (ca=https://acme.zerossl.com/v2/DV90)","attempt":4,"retrying_in":300,"elapsed":368.842869682,"max_duration":2592000}
{"level":"info","ts":1619694007.7417672,"logger":"tls.issuance.acme.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/19295947/41397706"}
{"level":"info","ts":1619694009.0622997,"logger":"tls.issuance.acme.acme_client","msg":"successfully downloaded available certificate chains","count":1,"first_url":"https://acme-staging-v02.api.letsencrypt.org/acme/cert/fab6db98639fc81b78815280fc793117fe5c"}
{"level":"info","ts":1619694009.0629494,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["test.agilly1989.xyz"]}
{"level":"info","ts":1619694009.0630736,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["test.agilly1989.xyz"]}
{"level":"info","ts":1619694010.5575278,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"test.agilly1989.xyz","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"info","ts":1619694015.4997683,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"agilly1989.xyz","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"info","ts":1619694020.0444481,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"*.agilly1989.xyz","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"info","ts":1619694020.3606923,"logger":"tls.issuance.acme.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme-v02.api.letsencrypt.org/acme/order/121706421/9368666705"}
{"level":"info","ts":1619694021.5699024,"logger":"tls.issuance.acme.acme_client","msg":"successfully downloaded available certificate chains","count":2,"first_url":"https://acme-v02.api.letsencrypt.org/acme/cert/04a95dfd449f66634b4790bb54aea2f324a6"}
{"level":"info","ts":1619694021.5708532,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"test.agilly1989.xyz"}
{"level":"info","ts":1619694021.5708838,"logger":"tls.obtain","msg":"releasing lock","identifier":"test.agilly1989.xyz"}
{"level":"info","ts":1619694024.7776327,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"agilly1989.xyz","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"info","ts":1619694032.9679582,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"*.agilly1989.xyz","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"error","ts":1619694038.342312,"logger":"tls.obtain","msg":"will retry","error":"[agilly1989.xyz] Obtain: [agilly1989.xyz] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of _acme-challenge.agilly1989.xyz: NS phil.ns.cloudflare.com. returned REFUSED for _acme-challenge.agilly1989.xyz. (order=https://acme.zerossl.com/v2/DV90/order/LJ7EEkOKmwhZSniY5pPepg) (ca=https://acme.zerossl.com/v2/DV90)","attempt":5,"retrying_in":600,"elapsed":688.412243184,"max_duration":2592000}
{"level":"error","ts":1619694047.55834,"logger":"tls.obtain","msg":"will retry","error":"[*.agilly1989.xyz] Obtain: [*.agilly1989.xyz] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of _acme-challenge.agilly1989.xyz: NS phil.ns.cloudflare.com. returned REFUSED for _acme-challenge.agilly1989.xyz. (order=https://acme.zerossl.com/v2/DV90/order/jdd6-1FIj2liHuukIsTzZw) (ca=https://acme.zerossl.com/v2/DV90)","attempt":5,"retrying_in":600,"elapsed":697.628021414,"max_duration":2592000}
{"level":"info","ts":1619694639.5926733,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"agilly1989.xyz","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"info","ts":1619694648.8182154,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"*.agilly1989.xyz","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"info","ts":1619694651.385267,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"agilly1989.xyz","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"info","ts":1619694654.1317787,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"*.agilly1989.xyz","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"error","ts":1619694655.3194816,"logger":"tls.obtain","msg":"will retry","error":"[agilly1989.xyz] Obtain: [agilly1989.xyz] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of _acme-challenge.agilly1989.xyz: NS phil.ns.cloudflare.com. returned REFUSED for _acme-challenge.agilly1989.xyz. (order=https://acme.zerossl.com/v2/DV90/order/QEfFlf3_bUb1IvApNZpTKw) (ca=https://acme.zerossl.com/v2/DV90)","attempt":6,"retrying_in":1200,"elapsed":1305.38941234,"max_duration":2592000}
{"level":"error","ts":1619694658.0230675,"logger":"tls.obtain","msg":"will retry","error":"[*.agilly1989.xyz] Obtain: [*.agilly1989.xyz] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of _acme-challenge.agilly1989.xyz: NS phil.ns.cloudflare.com. returned REFUSED for _acme-challenge.agilly1989.xyz. (order=https://acme.zerossl.com/v2/DV90/order/baeXkIaib_EIU7JIeqUifw) (ca=https://acme.zerossl.com/v2/DV90)","attempt":6,"retrying_in":1200,"elapsed":1308.092748845,"max_duration":2592000}

Haven’t had time to dig into this too much (pun intended), but according to this thread: https://community.cloudflare.com/t/problem-in-handling-dns-lookups-by-cloudflare-nameserver/171932, it seems to be:

You are attempting a recursive DNS query on an authoritative nameserver. It is the job of the cloudflare nameserver you are querying to resolve hosts for domains it controls. Not to resolve 3rd party domains.

While that could be a bug in our code, I think we would have seen it before if it was happening in the general case. DNS misconfiguration maybe? Also, have you tried the latest beta (2.4.0-beta.2)? We fixed some DNS challenge stuff in that version.

And this thread: https://community.cloudflare.com/t/cloudflare-dns-records-refused/26995 - seems to suggest “your DNS entries should be A records, unless you’re doing some specialized CNAME setup.”

Also try upgrading; either way, hope this helps!

I’m not sure I agree with how you’ve set this up. I’m using a wildcard domain in Caddy with Cloudflare as my DNS hosting provider and it works fine. However, the approach I’m using is essentially the reverse of what you’re attempting.

For a start, I have the wildcard domain set up in the Caddyfile e.g.

*.domain.com {
  ...
}

A good reference here is the Subdomains (wildcard certificate) section in the forum wiki article Serving tens of thousands of domains over HTTPS with Caddy

Secondly, unless you’re a Cloudflare Enterprise customer, you won’t get full proxy support for wildcard records. To get full protection, you need to explicitly define CNAME records for each subdomain (wiki and test in your Caddyfile). See this Cloudflare FAQ reference Does Cloudflare support wildcard DNS entries?.

2 Likes
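As an added illustration of the pattern described above (one wildcard site block with per-host matchers, rather than a separate site block per subdomain), not config from the thread or from the Caddy project: it assumes example.com as the domain, the same bookstack upstream as the original Caddyfile, and a Cloudflare API token supplied to the container as the environment variable CLOUDFLARE_API_TOKEN (for example via `environment:` in the compose file) instead of being pasted into the Caddyfile.

```caddyfile
{
    email admin@example.com    # placeholder; use your own contact address
}

# One site block covers every name under the wildcard, so Caddy requests a
# single *.example.com certificate and the DNS-01 challenge only needs the
# _acme-challenge.example.com TXT record at Cloudflare.
*.example.com {
    tls {
        # Token read from the container environment (assumed variable name)
        # so it does not sit in the config file or in the log output.
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    }

    # Route by Host header inside the wildcard block.
    @wiki host wiki.example.com
    handle @wiki {
        reverse_proxy bookstack:80
    }

    @test host test.example.com
    handle @test {
        root * /srv/test
        file_server
    }

    # Any other name under the wildcard gets an explicit 404 instead of
    # falling through to one of the handlers above.
    handle {
        respond "Not found" 404
    }
}
```

Each hostname (wiki, test) still needs its own DNS record at Cloudflare; the wildcard only changes which certificate covers them and which TXT record the challenge writes.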

@matt

Also, have you tried the latest beta (2.4.0-beta.2)? We fixed some DNS challenge stuff in that version.

Yes, I am on 2.4.0-beta.2

@basil

I’m not sure I agree with how you’ve set this up.

The thing is I couldn’t find anyone’s example on how to do this, all I can tell is you slap the Caddyfile together and it should “Just Work”. There are no examples on if you have to use an A Name, CName or whatever, just how you have to set up the api token. A “working example” where you slap in your own domains to see how it works is handy for those who, like myself, see an example and go “OH, That is how you do this thing”

Secondly, unless you’re a Cloudflare Enterprise customer, you won’t get full proxy support for wildcard records. To get full protection, you need to explicitly define CNAME records for each subdomain (wiki and test in your Caddyfile). See this Cloudflare FAQ reference Does Cloudflare support wildcard DNS entries?.

I am aware of this. I just want them for temporary (quite literally up for a day) or personal domains. Things I will only really be accessing or my trusted friends.

This thread may be useful… Migrate to using a wildcard certificate

Straightforward if your ISP supplies you with a static IP address. More involved if a dynamic address is used.

The Cloudflare Community is probably a more appropriate forum to seek specific advice on Cloudflare configuration.

This topic was automatically closed after 30 days. New replies are no longer allowed.