[Windows] acme http-01 solver does not create challenge file in webroot folder

I am trying to set up a reverse proxy to a Jenkins web app with the latest version, 1.0.3.

#Caddyfile
vadomain.com {
    gzip
    proxy /jenkins http://localhost:8080 {
        transparent
    }
    #tls self_signed
}

With a self_signed cert, Caddy works without issue when forced to port 443.
But when I run in an admin PowerShell
.\caddy.exe -ca "https://acme-staging-v02.api.letsencrypt.org/directory" -log stdout
it says it failed to obtain the certificate due to a timeout error (the http-01 solver one).

I double-checked the web root directory (which only has an index.html file) and no .well-known/acme-challenge folder shows up.

Also, my Windows firewall allows the program .\caddy.exe to receive all inbound and outbound connections.

The Let’s Encrypt doc says the ACME client will put a file at http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>. So I am really not sure whether this was an ACME error or I just have the wrong permissions to create the file.

Thanks for the help

PS C:\Users\vad\caddy> .\caddy.exe -ca "https://acme-staging-v02.api.letsencrypt.org/directory" -log stdout
Activating privacy features... 2019/09/22 10:55:44 [INFO][cache:0xc0000b6730] Started certificate maintenance routine
2019/09/22 10:55:45 [INFO][vadomain.com] Obtain certificate
2019/09/22 10:55:46 [INFO] [vadomain.com] acme: Obtaining bundled SAN certificate
2019/09/22 10:55:47 [INFO] [vadomain.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/9604562
2019/09/22 10:55:47 [INFO] [vadomain.com] acme: Could not find solver for: tls-alpn-01
2019/09/22 10:55:47 [INFO] [vadomain.com] acme: use http-01 solver
2019/09/22 10:55:47 [INFO] [vadomain.com] acme: Trying to solve HTTP-01
2019/09/22 10:56:04 [INFO] Unable to deactivated authorizations: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/9604562
2019/09/22 10:56:04 [ERROR][vadomain.com] failed to obtain certificate: acme: Error -> One or more domains had a problem:
[vadomain.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://vadomain.com/.well-known/acme-challenge/2DgjItajETrGxAqOmwnan3mhlXN3Pw7mR8_xQaCjS0k: Timeout during connect (likely firewall problem), url:
 (attempt 1/3; challenge=http-01)
2019/09/22 10:56:05 [INFO] [vadomain.com] acme: Obtaining bundled SAN certificate
2019/09/22 10:56:06 [INFO] [vadomain.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/9604591
2019/09/22 10:56:06 [INFO] [vadomain.com] acme: Could not find solver for: tls-alpn-01
2019/09/22 10:56:06 [INFO] [vadomain.com] acme: use http-01 solver
2019/09/22 10:56:06 [INFO] [vadomain.com] acme: Trying to solve HTTP-01
2019/09/22 10:56:19 [INFO] Unable to deactivated authorizations: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/9604591
2019/09/22 10:56:19 [ERROR][vadomain.com] failed to obtain certificate: acme: Error -> One or more domains had a problem:
[vadomain.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://vadomain.com/.well-known/acme-challenge/EwQIDXXzmjhingMIpHQ6o2iMYCtJnFXZzH7e_I9m898: Timeout during connect (likely firewall problem), url:
 (attempt 2/3; challenge=http-01)
2019/09/22 10:56:20 [INFO] [vadomain.com] acme: Obtaining bundled SAN certificate
2019/09/22 10:56:20 [INFO] [vadomain.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/9604611
2019/09/22 10:56:20 [INFO] [vadomain.com] acme: Could not find solver for: tls-alpn-01
2019/09/22 10:56:20 [INFO] [vadomain.com] acme: use http-01 solver
2019/09/22 10:56:20 [INFO] [vadomain.com] acme: Trying to solve HTTP-01
2019/09/22 10:56:33 [INFO] Unable to deactivated authorizations: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/9604611
2019/09/22 10:56:33 [ERROR][vadomain.com] failed to obtain certificate: acme: Error -> One or more domains had a problem:
[vadomain.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://vadomain.com/.well-known/acme-challenge/2yppIOHsOaSpHg03hov1SoooqFSGyh3PrSzioNPrOws: Timeout during connect (likely firewall problem), url:
 (attempt 3/3; challenge=http-01)
2019/09/22 10:56:34 [INFO] [vadomain.com] acme: Obtaining bundled SAN certificate
2019/09/22 10:56:35 [INFO] [vadomain.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/9604630
2019/09/22 10:56:35 [INFO] [vadomain.com] acme: use tls-alpn-01 solver
2019/09/22 10:56:35 [INFO] [vadomain.com] acme: Trying to solve TLS-ALPN-01
2019/09/22 10:56:56 [INFO] Unable to deactivated authorizations: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/9604630
2019/09/22 10:56:58 [ERROR][vadomain.com] failed to obtain certificate: acme: Error -> One or more domains had a problem:
[vadomain.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Timeout during connect (likely firewall problem), url:
 (attempt 1/3; challenge=tls-alpn-01)
2019/09/22 10:56:59 [INFO] [vadomain.com] acme: Obtaining bundled SAN certificate
2019/09/22 10:57:00 [INFO] [vadomain.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/9604675
2019/09/22 10:57:00 [INFO] [vadomain.com] acme: use tls-alpn-01 solver
2019/09/22 10:57:00 [INFO] [vadomain.com] acme: Trying to solve TLS-ALPN-01
2019/09/22 10:57:11 [INFO] Unable to deactivated authorizations: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/9604675
2019/09/22 10:57:11 [ERROR][vadomain.com] failed to obtain certificate: acme: Error -> One or more domains had a problem:
[vadomain.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Timeout during connect (likely firewall problem), url:
 (attempt 2/3; challenge=tls-alpn-01)
2019/09/22 10:57:12 [INFO] [vadomain.com] acme: Obtaining bundled SAN certificate
2019/09/22 10:57:13 [INFO] [vadomain.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/9604704
2019/09/22 10:57:13 [INFO] [vadomain.com] acme: use tls-alpn-01 solver
2019/09/22 10:57:13 [INFO] [vadomain.com] acme: Trying to solve TLS-ALPN-01
2019/09/22 10:57:25 [INFO] Unable to deactivated authorizations: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/9604704
2019/09/22 10:57:25 [ERROR][vadomain.com] failed to obtain certificate: acme: Error -> One or more domains had a problem:
[vadomain.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Timeout during connect (likely firewall problem), url:
 (attempt 3/3; challenge=tls-alpn-01)
2019/09/22 10:57:26 failed to obtain certificate: acme: Error -> One or more domains had a problem:
[vadomain.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Timeout during connect (likely firewall problem), url:

Hi @VAD, welcome to the Caddy community.

Caddy has a special handler for the challenge requests that doesn’t require or use a challenge file in the web root. (It does create a file, but that file is placed in the CADDYPATH and serves solely to enable multiple Caddy servers to solve challenges in a distributed/fleet configuration.)

acme: error: 400 :: urn:ietf:params:acme:error:connection :: Timeout during connect (likely firewall problem)

This is a networking issue. LetsEncrypt cannot connect to your Caddy server. Double check firewalls, double check port forwarding if applicable.

You can test by running Caddy with a self-signed certificate and attempting to connect to it from the internet.

I tested Caddy with a self_signed certificate and it works fine.

#Caddyfile
http://vadomain.com {
    redir https://{host}{uri}
}

https://vadomain.com {
    gzip
    proxy /jenkins http://localhost:8080 {
        transparent
    }
    tls self_signed
}

Without tls self_signed, the challenge for type http-01 times out with “urn:ietf:params:acme:error:connection”.
I think this might be the acme/lego implementation not having the right settings for Windows.
So I tried to get a certificate through win-acme and it returned a certificate file. Clearly, it is not a networking issue.

For anyone who has the same trouble, you can manually set the certificate files with tls CertFile KeyFile, if you use win-acme to get the certificate.

I think this is sloppy debugging; the suggested solution and the posted error messages do not correspond. When you enable self_signed TLS or provide your own certificates, automatic HTTPS is not enabled, thus no ACME operations take place. There is a connectivity issue between Let’s Encrypt and your servers, as is clear from the error message, which is correct – something that you will have to resolve with your environment.

This is bad advice because it defeats the purpose of ACME entirely; and such efforts really should only be undertaken for temporary, debugging, and development purposes.

The correct fix for this problem is to diagnose why Let’s Encrypt is unable to reach the web server serving the ACME challenge.

I suspect there is a misconfiguration in the OS or network/firewall that is causing the problem.
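The two replies above make the same point: a “urn:ietf:params:acme:error:connection” timeout on both http-01 and tls-alpn-01 means the CA never reached the host, so the solver is not the thing to debug. The following triage script is an added example written for this thread, not code from Caddy, lego or any poster; it parses log lines of the shape Caddy printed here (constructed sample with a placeholder domain, placeholder tokens and a documentation IP) and maps the RFC 8555 error type and challenge type to a defender-side verdict.

```python
import re

# Constructed sample lines shaped like the Caddy (lego) output quoted in this thread.
# The domain, tokens and IP are placeholders, not values from anyone's real run.
SAMPLE_LOG = """\
[example.test] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://example.test/.well-known/acme-challenge/TOKEN_PLACEHOLDER_1: Timeout during connect (likely firewall problem), url:
 (attempt 1/3; challenge=http-01)
[example.test] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Timeout during connect (likely firewall problem), url:
 (attempt 1/3; challenge=tls-alpn-01)
[example.test] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://example.test/.well-known/acme-challenge/TOKEN_PLACEHOLDER_2 [203.0.113.10]: 404
 (attempt 2/3; challenge=http-01)
"""

ERROR_RE = re.compile(r"^\[(?P<domain>[^\]]+)\] acme: error: (?P<status>\d{3}) :: "
                      r"urn:ietf:params:acme:error:(?P<type>\w+) :: (?P<detail>.*)$")
ATTEMPT_RE = re.compile(r"\(attempt (?P<n>\d+)/\d+; challenge=(?P<challenge>[\w-]+)\)")
# Defender-side reading of the RFC 8555 error types as they appear in Caddy's log.
DIAGNOSIS = {
    "connection": "CA never reached a listener: check the A/AAAA record, NAT/port forwarding and host firewall",
    "unauthorized": "CA reached a listener but got the wrong answer: something else answers on that IP/port",
    "dns": "CA could not resolve the name: check the zone and nameservers",
    "rateLimited": "CA rate limit hit: keep using the staging directory while debugging",
}

def parse_acme_failures(log_text):
    # Each 'acme: error' line is followed by an '(attempt n/3; challenge=...)' line; pair them.
    failures, pending = [], None
    for line in log_text.splitlines():
        m = ERROR_RE.match(line.strip())
        if m:
            pending = {"domain": m["domain"], "status": int(m["status"]), "type": m["type"],
                       "detail": m["detail"], "diagnosis": DIAGNOSIS.get(m["type"], "unrecognised error type")}
            continue
        a = ATTEMPT_RE.search(line)
        if a and pending:
            pending.update(challenge=a["challenge"], attempt=int(a["n"]))
            failures.append(pending)
            pending = None
    return failures

def likely_cause(failures):
    # Collapse a run of failures to one triage verdict for the operator.
    types = {f["type"] for f in failures}
    conn_challenges = {f["challenge"] for f in failures if f["type"] == "connection"}
    if types == {"connection"} and {"http-01", "tls-alpn-01"} <= conn_challenges:
        return "host unreachable from the CA on both 80 and 443: network/NAT/firewall, not the solver"
    if "unauthorized" in types:
        return "a listener answered but not with the challenge: wrong host or IP behind the name"
    return "; ".join(sorted(DIAGNOSIS.get(t, t) for t in types))
```

Feed it the real log with `parse_acme_failures(open("caddy.log").read())`; the first two sample failures reproduce this thread's situation (connection timeouts on both challenge types), while the third shows what a wrong responder looks like instead.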

OK, I found the issue, which was my fault.
My PC was behind 2 routers, which both forward ports 80 and 443 to my static local IP address,
which I accidentally changed before using Caddy. That’s why I could use win-acme to get a cert: it uses a cached certificate.

Changing my local IP address from DHCP to static solved the issue.

Still, it was unexpected that I could still host a website even when the requests came in on the wrong IP.

Sorry for all the trouble.

Excellent, thank you for following up! Glad it’s working for you now!
