Wildcard SSL not working with Lets Encrypt+Cloudflare

keshav · March 24, 2021, 12:20am

1. Caddy version (`caddy version`):

v2.4.0-beta.1 h1:Ed/tIaN3p6z8M3pEiXWJL/T8JmCqV62FrSJCHKquW/I=

2. How I run Caddy:

I run caddy inside Ubuntu 18.04

a. System environment:

Ubuntu 18.04

b. Command:

caddy run

c. Service/unit/compose file:

N/A

d. My complete Caddyfile or JSON config:

*.stage.mydomain.com {
	
	encode zstd gzip
	tls {
		dns cloudflare REDACTED
	}
}

3. The problem I’m having:

After requesting a wildcard certificate for my subdomain, I see that caddy is unable to obtain a certificate from lets encrypt, it tries after with zerossl and successfully obtains the certificate. Is there a reason why it was not able to retrieve it from lets encrypt instead? I verified that there was in fact a TXT record for the domain. Could it possibly be a timing issue, as zerossl is able to obtain the certificate as it is tried second?

Thank you for your help!

4. Error messages and/or full log output:

Mar 23 22:32:51 intranet caddy[603]: {"level":"info","ts":1616538771.8101516,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00025e850"}
Mar 23 22:32:51 intranet caddy[603]: {"level":"info","ts":1616538771.8101516,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00025e850"}
Mar 23 22:32:55 intranet caddy[603]: {"level":"info","ts":1616538775.0949454,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["*.internal.mydomain.com","*.stagings.mydomain.com","*.mydomain.com"]}
Mar 23 22:32:55 intranet caddy[603]: {"level":"info","ts":1616538775.1070056,"logger":"tls","msg":"cleaned up storage units"}
Mar 23 22:32:55 intranet caddy[603]: {"level":"info","ts":1616538775.1237586,"msg":"autosaved config","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Mar 23 22:32:55 intranet caddy[603]: {"level":"info","ts":1616538775.1239414,"msg":"serving initial configuration"}
Mar 23 22:32:55 intranet caddy[603]: {"level":"info","ts":1616538775.12652,"logger":"tls.obtain","msg":"acquiring lock","identifier":"*.stagings.mydomain.com"}
Mar 23 22:32:55 intranet caddy[603]: {"level":"info","ts":1616538775.130257,"logger":"tls.obtain","msg":"lock acquired","identifier":"*.stagings.mydomain.com"}
Mar 23 22:32:55 intranet caddy[603]: {"level":"info","ts":1616538775.143203,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["*.stagings.mydomain.com"]}
Mar 23 22:32:55 intranet caddy[603]: {"level":"info","ts":1616538775.1434176,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["*.stagings.mydomain.com"]}
Mar 23 22:32:55 intranet caddy[603]: {"level":"info","ts":1616538775.783211,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"*.stagings.mydomain.com","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
Mar 23 22:32:56 intranet caddy[603]: {"level":"error","ts":1616538776.698515,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"*.stagings.mydomain.com","challenge_type":"dns-01","status_code":403,"problem_type":"urn:ietf:params:acme:error:unauthorized","error":"No TXT record found at _acme-challenge.stagings.mydomain.com"}
Mar 23 22:32:56 intranet caddy[603]: {"level":"error","ts":1616538776.698574,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"*.stagings.mydomain.com","error":"authorization failed: HTTP 403 urn:ietf:params:acme:error:unauthorized - No TXT record found at _acme-challenge.stagings.mydomain.com","order":"https://acme-v02.api.letsencrypt.org/acme/order/REDACTED","attempt":1,"max_attempts":3}
Mar 23 22:32:57 intranet caddy[603]: {"level":"info","ts":1616538777.975016,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["*.stagings.mydomain.com"]}
Mar 23 22:32:57 intranet caddy[603]: {"level":"info","ts":1616538777.9762406,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["*.stagings.mydomain.com"]}
Mar 23 22:32:58 intranet caddy[603]: {"level":"info","ts":1616538778.7990777,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"*.stagings.mydomain.com","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
Mar 23 22:35:59 intranet caddy[603]: {"level":"info","ts":1616538959.3806121,"logger":"tls.issuance.acme.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme.zerossl.com/v2/DV90/order/REDACTED"}
Mar 23 22:36:14 intranet caddy[603]: {"level":"info","ts":1616538974.7955675,"logger":"tls.issuance.acme.acme_client","msg":"successfully downloaded available certificate chains","count":1,"first_url":"https://acme.zerossl.com/v2/DV90/cert/REDACTED"}
Mar 23 22:36:14 intranet caddy[603]: {"level":"info","ts":1616538974.800866,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"*.stagings.mydomain.com"}
Mar 23 22:36:14 intranet caddy[603]: {"level":"info","ts":1616538974.8008902,"logger":"tls.obtain","msg":"releasing lock","identifier":"*.stagings.mydomain.com"}
Mar 23 22:36:15 intranet caddy[603]: {"level":"warn","ts":1616538975.000993,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [*.stagings.mydomain.com]: parsing OCSP response: ocsp: error from server: unauthorized"}

5. What I already tried:

I tried issuing a new API Token from cloudflare with very loose permissions to rule out that the API token was the problem, this did not fix it.

6. Links to relevant resources:

basil · March 24, 2021, 1:51am

*.stagings.mydomain.com? Please note that the Help template does say:

DO NOT REDACT anything except credentials
or helpers will be sad

Can you confirm you’re having a similar problem with *.internal.mydomain.com, but *.mydomain.com is okay?

keshav · March 24, 2021, 4:10am

Sorry about that, I didn’t know if it would be helpful.
I am having the same problem with *.internal.mydomain.com, however since *.mydomain.com was added a while ago and still gets renewed with a new letsencrypt wildcard certificate every 3 months I assume it does not share the same issue.
I am not sure if this is a big problem but I am wondering why the *.mydomain.com grabs certs fine from LE but the others fail and fallback to ZeroSSL (which does succeed).

basil · March 24, 2021, 4:47am

I believe what’s happening is that Let’s Encrypt support single-level wildcard certificates, but not multi-level wildcard certificates, so *.mydomain.com is supported, but *.*.mydomain.com is not. More info here. It’s possible that ZeroSSL do support multi-level wildcard domains (on a paid plan?) and that’s why it worked for you.

To work around this problem with Let’s Encrypt, you could define three domains in Cloudflare internal.mydomain.com, stagings.mydomain.com and mydomain.com. That would result in three wildcard certificates being issued, however, as ZeroSSL seems to address the problem, I wonder if the extra effort is worth it?

francislavoie · March 24, 2021, 5:24am

Caddy only issues wildcard certificates if a domain with a * is specified as a site address. It’ll get individual ones otherwise.

keshav · March 24, 2021, 5:37am

@basil @francislavoie using crt.sh I was able to see that in the past my pfsense firewall with the acme plugin was able to successfully request a certificate for *.internal.mydomain.com, whereas caddy was not able to. I have ensured that the API token permissions are the same. Is it possible maybe there is a timing issue because LE is tried first, and ZeroSSL is tried second (as shown in the logs). Maybe if caddy tried ZeroSSL first and then secondly LE then it would obtain the certificate from LE?

The *.internal.mydomain.com would not be a multi level wildcard certificate so I don’t think LE should have a problem with issuance.

The only thing I have made before I experienced this behavior is to upgrade to caddy 2.4.0-beta, this behavior could have existed in the past but I only tested it after upgrading so I am not sure.

basil · March 24, 2021, 9:09am

The log in the OP seems to suggest this.

Mar 23 22:32:55 intranet caddy[603]: {"level":"info","ts":1616538775.0949454,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["*.internal.mydomain.com","*.stagings.mydomain.com","*.mydomain.com"]}

While not exactly the same. I have a wildcard certificate issued for *.udance.com.au and that seems to be fine. @francislavoie something else is going on here.

@keshav It’s dawned on me now that’s what you’ve done. Ignore everything I’ve said about multi-level wildcard certificates. What you have here is three single-level wildcard domains. If it’s worked with ZeroSSL, it probably should have worked with Let’s Encrypt. Can you confirm you have the three domains set up in Cloudflare?

keshav · March 24, 2021, 7:33pm

That is right, I do not have any DNS entries setup in cloudflare for these domains as I am using DNS challenge anyway to obtain certificates. This allows me to obtain certificates for internal services without having external DNS pointing to them.

keshav · March 25, 2021, 4:57am

@matt @francislavoie @basil So I think I am on to something, I switched to the staging endpoint of LE by adding the option in my global options. I noticed that while caddy was attempting to obtain certificates using LE there was never any TXT record created in cloudflare, which then gives us the error:

HTTP 403 urn:ietf:params:acme:error:unauthorized - No TXT record found at _acme-challenge.stagings.mydomain.com","order":"https://acme-v02.api.letsencrypt.org/acme/order/REDACTED","attempt":1,"max_attempts":3}

When caddy then switches to zerossl, I can see the TXT record successfully created.

Therefore, I think there must be something that has changed with how caddy 2.4.0 handles LE acme, as compared to ZeroSSL.

francislavoie · March 25, 2021, 5:50am

How exactly did you build Caddy? What command did you use (if you didn’t use the download page)?

You can read through this thread for context, you may be running into the same problem:

keshav · March 25, 2021, 6:18am

@francislavoie I used the main caddy download page to get the executable for the build. I looked at the post you mentioned, our logs are similar as he gets a 400, and I get a 403.

basil · March 25, 2021, 9:44pm

I have a not dissimilar situation. In order for the DNS challenge to work, it needs to write to a TXT record under the domain name. Do you have stagings.mydomain.com and internal.mydomain.com defined as separate domains under Cloudflare?

keshav · March 25, 2021, 10:31pm

I have only defined mydomain.com in cloudflare. I don’t think that should be an issue right? If zerossl is able to pass the dns challenge then LE should be able to as well from my understanding.

basil · March 25, 2021, 10:49pm

I’m reasonably confident now, this is where the issue lies. I can’t speak for ZeroSSL, but it’s clear from this reference that Let’s Encrypt only support single-level wildcard domains i.e. *.mydomain.com, not *.*.mydomain.com. For Let’s Encrypt to support *.internal.mydomain.com and *.stagings.mydomain.com, both internal.mydomain.com and stagings.mydomain.com need to be treated as if they are separate domains.

.

keshav · March 25, 2021, 11:45pm

I am not totally sure if I understand, I have been able to obtain a certificate for *.internal.mydomain.com in the past. I have even logs on crt.sh to show that, I have never had any DNS entries in cloudflare for the *.internal.mydomain.com because I didn’t want it to be resolvable externally. The *.internal.mydomain.com domain should still be treated as a single level wildcard and there shouldn’t really be a problem whether it be LE or ZeroSSL, there is no functional difference between the two that would allow one the ability to issue certs that the other cannot. From refreshing the cloudflare dashboard repeatedly while caddy tried to solve the DNS challenge the problem seems to lie in the Let’s Encrypt stage when creating the TXT records for the domain. When this fails and later falls back to ZeroSSL I’m able to see the relevant TXT records show up in cloudflare and then a certificate is issued.

basil · March 25, 2021, 11:55pm

I wonder if starting a thread (that references this thread) in the Let’s Encrypt forum might be the next step? It may shed some light on what’s happening here, like why it’s worked for you in the past and why it’s not working now, and why it works for ZeroSSL, but not Let’s Encrypt?

keshav · March 26, 2021, 12:00am

Good idea! Is it possible that there may have been any changes to caddy’s Lets Encrypt component in the recent beta build?

francislavoie · March 26, 2021, 12:35am

Have you tried either of the solutions in the thread I linked above?

Either try a build of Caddy v2.3.0 with an older commit of the cloudflare plugin, or try a newer build of Caddy (the commit I mentioned near the bottom of that thread) with the latest version of the cloudflare plugin.

keshav · March 26, 2021, 5:51am

That did it!!! Thank You! Is it best to stay on 2.3.0 until a new version of 2.4 comes out?

francislavoie · March 26, 2021, 6:04am

Yeah, like I said, either v2.3.0 with an older cloudflare commit, or a specific commit after v2.4.0-beta.1 which has the changes needed for the latest version of cloudflare to work properly. We’ll probably release a v2.4.0-beta.2 soon, so you could use that when that’s out.