Hi!
1. The problem I’m having:
I'm having a problem requesting a ZeroSSL certificate via Caddy v2.8.4 (the issue is not present in Caddy 2.7.6).
The ZeroSSL API returns:
API error 2836: csr_cn_is_invalid
I believe it is related to Zerossl issuance error after upgrade to Caddy v2.8.0 - Help - Caddy Community.
I tested several domain names of various lengths and characters and was able to narrow the issue down a bit.
It appears it only happens when the FQDN is longer than 64 characters: I can get a certificate for a FQDN 64 characters long, but not 65.
In the logs below, I put a default example domain name, but of course it happens with real ones.
The FQDNs that fail respect the maximum number of labels and the maximum number of characters per label.
2. Error messages and/or full log output:
reverse-proxy_1 | {"level":"info","ts":1723555102.8689609,"logger":"tls.obtain","msg":"lock acquired","identifier":"ed1ee7f6-9fa3-464f-884e-b07f690cc0d6.mysubdomainexample.mydomain.com"}
reverse-proxy_1 | {"level":"info","ts":1723555102.8691015,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"ed1ee7f6-9fa3-464f-884e-b07f690cc0d6.mysubdomainexample.mydomain.com"}
reverse-proxy_1 | {"level":"info","ts":1723555102.8701446,"logger":"tls.issuance.zerossl","msg":"creating certificate","identifiers":["ed1ee7f6-9fa3-464f-884e-b07f690cc0d6.mysubdomainexample.mydomain.com"]}
reverse-proxy_1 | {"level":"error","ts":1723555103.5465333,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"ed1ee7f6-9fa3-464f-884e-b07f690cc0d6.mysubdomainexample.mydomain.com","issuer":"zerossl","error":"creating certificate: POST https://api.zerossl.com/certificates?access_key=redacted: HTTP 200: API error 2836: csr_cn_is_invalid (details=map[]) (raw={\"success\":false,\"error\":{\"code\":2836,\"type\":\"csr_cn_is_invalid\"}} decode_error=json: unknown field \"success\")"}
reverse-proxy_1 | {"level":"error","ts":1723555103.5466719,"logger":"tls.obtain","msg":"will retry","error":"[ed1ee7f6-9fa3-464f-884e-b07f690cc0d6.mysubdomainexample.mydomain.com] Obtain: creating certificate: POST https://api.zerossl.com/certificates?access_key=redacted: HTTP 200: API error 2836: csr_cn_is_invalid (details=map[]) (raw={\"success\":false,\"error\":{\"code\":2836,\"type\":\"csr_cn_is_invalid\"}} decode_error=json: unknown field \"success\")","attempt":1,"retrying_in":60,"elapsed":0.677673042,"max_duration":2592000}
reverse-proxy_1 | {"level":"info","ts":1723555163.544303,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"ed1ee7f6-9fa3-464f-884e-b07f690cc0d6.mysubdomainexample.mydomain.com"}
reverse-proxy_1 | {"level":"info","ts":1723555163.5449717,"logger":"tls.issuance.zerossl","msg":"creating certificate","identifiers":["ed1ee7f6-9fa3-464f-884e-b07f690cc0d6.mysubdomainexample.mydomain.com"]}
reverse-proxy_1 | {"level":"error","ts":1723555164.6836975,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"ed1ee7f6-9fa3-464f-884e-b07f690cc0d6.mysubdomainexample.mydomain.com","issuer":"zerossl","error":"creating certificate: POST https://api.zerossl.com/certificates?access_key=redacted: HTTP 200: API error 2836: csr_cn_is_invalid (details=map[]) (raw={\"success\":false,\"error\":{\"code\":2836,\"type\":\"csr_cn_is_invalid\"}} decode_error=json: unknown field \"success\")"}
reverse-proxy_1 | {"level":"error","ts":1723555164.6839156,"logger":"tls.obtain","msg":"will retry","error":"[ed1ee7f6-9fa3-464f-884e-b07f690cc0d6.mysubdomainexample.mydomain.com] Obtain: creating certificate: POST https://api.zerossl.com/certificates?access_key=redacted: HTTP 200: API error 2836: csr_cn_is_invalid (details=map[]) (raw={\"success\":false,\"error\":{\"code\":2836,\"type\":\"csr_cn_is_invalid\"}} decode_error=json: unknown field \"success\")","attempt":2,"retrying_in":120,"elapsed":61.818627261,"max_duration":2592000}
3. Caddy version:
Docker image: caddy/caddy:2.8.4-alpine
Caddy version inside image: v2.8.4 h1:q3pe0wpBj1OcHFZ3n/1nl4V4bxBrYoSoab7rL9BMYNk=
The issue presented here is not present on Caddy v2.7.6 and below.
4. How I installed and ran Caddy:
a. System environment:
Not relevant
b. Command:
docker-compose up reverse-proxy
c. Compose file:
volumes:
  reverse_proxy_data:
  reverse_proxy_config:
networks:
  rp:
services:
  reverse-proxy:
    image: caddy/caddy:2.8.4-alpine
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - reverse_proxy_data:/data
      - reverse_proxy_config:/config
    environment:
      - PUBLIC_HOST=${PUBLIC_HOST}
      - ZEROSSL_API_KEY=${ZEROSSL_API_KEY}
    networks:
      - rp
  host:
    image: mycustomimage:1.0.0
    networks:
      - rp
d. My complete Caddy config:
{
	cert_issuer zerossl {$ZEROSSL_API_KEY}
}

{$PUBLIC_HOST} {
	reverse_proxy http://host:3000
}
5. Links to relevant resources:
API Error Codes - ZeroSSL
Zerossl issuance error after upgrade to Caddy v2.8.0 - Help - Caddy Community
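The 64-character boundary the post observes matches the X.509 upper bound on the subject CommonName attribute (ub-common-name = 64 in RFC 5280 Appendix A): a CSR that copies a longer FQDN into the CN is malformed by that bound, while the SAN extension has no such limit. The Go program below is an added example, not Caddy's or ZeroSSL's code, and it does not claim to reproduce how Caddy builds its CSR. It validates the DNS label and total-length limits the post mentions, then builds a CSR that always places the name in the SAN and copies it into the CN only when it fits within 64 characters. The domain names in main are constructed; the first one is the placeholder identifier from the post's logs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"os"
	"strings"
)

// ub-common-name from RFC 5280 Appendix A: the subject CommonName
// attribute is bounded at 64 characters. Longer FQDNs belong only in
// the subjectAltName extension.
const maxCommonNameLen = 64

// DNS limits (RFC 1035): 63 octets per label, 253 characters for a
// presentation-form name without the trailing dot.
const (
	maxLabelLen = 63
	maxFQDNLen  = 253
)

// checkFQDN validates the DNS length limits and reports the first
// violation found. A trailing dot is tolerated.
func checkFQDN(name string) error {
	name = strings.TrimSuffix(name, ".")
	if name == "" {
		return fmt.Errorf("empty name")
	}
	if len(name) > maxFQDNLen {
		return fmt.Errorf("%q is %d characters, DNS maximum is %d", name, len(name), maxFQDNLen)
	}
	for _, label := range strings.Split(name, ".") {
		if label == "" {
			return fmt.Errorf("%q contains an empty label", name)
		}
		if len(label) > maxLabelLen {
			return fmt.Errorf("label %q is %d characters, maximum is %d", label, len(label), maxLabelLen)
		}
	}
	return nil
}

// fitsCommonName reports whether name may be copied into the CSR subject CN.
func fitsCommonName(name string) bool {
	return len(name) <= maxCommonNameLen
}

// buildCSR creates a CSR for name with a fresh P-256 key. The name always
// goes into DNSNames (SAN); the subject CN is set only when the name is
// within the 64-character bound, otherwise the subject is left empty.
// It returns the parsed request and its PEM encoding.
func buildCSR(name string) (*x509.CertificateRequest, []byte, error) {
	if err := checkFQDN(name); err != nil {
		return nil, nil, err
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{DNSNames: []string{name}}
	if fitsCommonName(name) {
		tmpl.Subject = pkix.Name{CommonName: name}
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, nil, err
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	return csr, pemBytes, nil
}

func main() {
	// Constructed names: the first is the placeholder from the post's logs
	// (a 36-character UUID label plus three more labels, well over 64).
	for _, name := range []string{
		"ed1ee7f6-9fa3-464f-884e-b07f690cc0d6.mysubdomainexample.mydomain.com",
		"app.example.com",
		strings.Repeat("a", 64) + ".example.com", // label too long, rejected
	} {
		csr, _, err := buildCSR(name)
		if err != nil {
			fmt.Fprintln(os.Stderr, "reject:", err)
			continue
		}
		fmt.Printf("len=%d CN=%q SAN=%v\n", len(name), csr.Subject.CommonName, csr.DNSNames)
	}
}
```

Run it with `go run .`; the 68-character name is accepted with an empty CN and a single SAN entry, the short name gets both CN and SAN, and the name with a 64-character label is rejected before any key is generated.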