caddy: Could not start HTTPS server for challenge, bind: address already in use
1. What version of Caddy are you running (caddy -version)?
Caddy 0.9.3
2. What are you trying to do?
Using Caddy to request SSL certificates on demand.
3. What is your entire Caddyfile?
redacted.tld {
    bind 9.9.9.9
    # Caddy doesn't support binding two addresses :-(
    # bind [redacted]
    # Skip authentication for public services
    proxy / [::1]:8080 {
        transparent
    }
}
cloud.redacted.tld *.cloud.redacted.tld *.*.*.*.cloud.redacted.tld {
    bind 9.9.9.9
    # Caddy doesn't support binding two addresses :-(
    # bind [redacted]
    # Authenticate through oauth2_proxy and then go to NGINX
    proxy / [::1]:8081 {
        transparent
    }
    tls {
        max_certs 100
    }
}
4. How did you run Caddy (give the full command and describe the execution environment)?
$ grep -vE '^;' /lib/systemd/system/caddy.service
[Unit]
Description=Caddy HTTP/2 web server
Documentation=https://caddyserver.com/docs
After=network.target
Wants=network.target

[Service]
Restart=on-failure
User=www-data
Group=www-data
ExecStart=/usr/local/bin/caddy -log stderr -agree=true -conf=/etc/Caddyfile -root=/var/tmp -email dns@redacted.tld
ExecReload=/bin/kill -USR1 $MAINPID
PrivateTmp=true
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
LimitNOFILE=8192

[Install]
WantedBy=multi-user.target
5. What did you expect to see?
I expect any request to the matched vhosts to have an SSL certificate generated and used to serve the traffic.
6. What did you see instead (give full error messages and/or log)?
Some domains work, until they don’t. After some point no more domains succeed. It’s almost as if it’s the Let’s Encrypt limit, but as the error doesn’t even mention that, I’m guessing it’s not.
When trying to connect to a domain that has no previous certificate Chrome reports:
This site can’t provide a secure connection
foobar.cloud.redacted.tld sent an invalid response.
Try running Windows Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR
Caddy logs:
Nov 12 15:40:34 border caddy[30222]: 2016/11/12 15:40:34 [INFO] Obtaining new certificate for foobar.cloud.redacted.tld
Nov 12 15:40:34 border caddy[30222]: 2016/11/12 15:40:34 [INFO][foobar.cloud.redacted.tld] acme: Obtaining bundled SAN certificate
Nov 12 15:40:35 border caddy[30222]: 2016/11/12 15:40:35 [INFO][foobar.cloud.redacted.tld] acme: Trying to solve TLS-SNI-01
Nov 12 15:40:35 border caddy[30222]: 2016/11/12 15:40:35 http: TLS handshake error from 1.2.3.4:24707: [foobar.cloud.redacted.tld] failed to get certificate: [foobar.cloud.redacted.tld] error presenting token: Could not start HTTPS server for challenge -> listen tcp 9.9.9.9:443: bind: address already in use
7. How can someone who is starting from scratch reproduce this behavior as minimally as possible?
Not sure.
Maybe it’s related to the “bind” statement, as nobody else seems to have reported the issue. When testing now I have nothing else running on port 443 (on any IP).
I’m quite stumped as to why this happens, but I’m happy to help test any configuration or provide non-redacted logs and config in a non-public forum.
About this issue
- Original URL
- State: closed
- Created 8 years ago
- Comments: 15 (4 by maintainers)
Commits related to this issue
- Fix issue #1258 — committed to caddyserver/caddy by elcore 8 years ago
confirming that it fixed it for me, too! Awesome work guys! 😃
BINGO. That does it.
Your fix seems to work for me too. Thanks!
Confirmed to fix the issue for me 😃
Hi,
I am really busy right now 😢, but I’d like to point you all in the “right” direction 😄!
I “guess” it has something to do with the TLS-SNI-01 challenge:
https://github.com/xenolf/lego/blob/master/acme/tls_sni_challenge_server.go#L41-L44
https://github.com/golang/go/blob/master/src/crypto/tls/tls.go#L70-L71
There is no such issue with the HTTP-01 challenge!
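The two lego and crypto/tls links above point at the mechanism behind the log line in the report: the TLS-SNI-01 solver opens its own HTTPS listener on the bound address and port 443, which the already-running Caddy listener holds, so the second bind fails with "address already in use". The following Go program is an added illustration written for this page, not code from the issue, from Caddy or from lego. BindTwice reproduces the conflict on a loopback ephemeral port (assumed addresses, so it runs offline), and ChallengeListener shows the shape of a fix that avoids a second bind: one listener whose tls.Config.GetCertificate picks a challenge certificate or the site certificate from the ClientHello SNI. The site name, the challenge name and the ".acme.invalid" suffix check are illustrative stand-ins for lego's real challenge matching, and the certificates are throwaway self-signed ones. TLS-SNI-01 has since been retired by Let's Encrypt; the SNI dispatch pattern is what the example demonstrates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"net"
	"strings"
	"syscall"
	"time"
)

// selfSigned mints a throwaway self-signed certificate for one DNS name.
// A real TLS-SNI-01 responder would put the challenge name derived from the
// ACME key authorization here; the DNS SAN is what the validator inspects.
func selfSigned(dnsName string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// BindTwice reproduces the failure from the log: one listener already owns the
// address and a second Listen on exactly that address fails. It returns true
// when the second bind failed with EADDRINUSE, and an error only when
// something else went wrong. addr may use port 0 (ephemeral, assumed here).
func BindTwice(addr string) (bool, error) {
	first, err := net.Listen("tcp", addr)
	if err != nil {
		return false, err
	}
	defer first.Close()
	second, err := net.Listen("tcp", first.Addr().String()) // concrete ip:port
	if err == nil {
		second.Close()
		return false, nil
	}
	if errors.Is(err, syscall.EADDRINUSE) {
		return true, nil
	}
	return false, err
}

// ChallengeListener starts ONE TLS listener on loopback that answers both
// ordinary site traffic and a TLS-SNI-01 validation connection. The cert is
// chosen per ClientHello from the SNI, so the challenge needs no second bind.
// The caller closes the returned listener.
func ChallengeListener(siteName, challengeName string) (net.Listener, error) {
	siteCert, err := selfSigned(siteName)
	if err != nil {
		return nil, err
	}
	chalCert, err := selfSigned(challengeName)
	if err != nil {
		return nil, err
	}
	cfg := &tls.Config{
		GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
			// TLS-SNI-01 validators send SNI of the form <hex>.<hex>.acme.invalid;
			// the suffix check stands in for lego's real challenge-name matching.
			if strings.HasSuffix(h.ServerName, ".acme.invalid") {
				return &chalCert, nil
			}
			return &siteCert, nil
		},
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func() { defer c.Close(); c.(*tls.Conn).Handshake() }()
		}
	}()
	return ln, nil
}

// PresentedName dials addr with the given SNI and returns the first DNS SAN of
// the leaf certificate the server presented, as a validator would check it.
func PresentedName(addr, sni string) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: sni, InsecureSkipVerify: true})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	peers := conn.ConnectionState().PeerCertificates
	if len(peers) == 0 || len(peers[0].DNSNames) == 0 {
		return "", errors.New("server presented no certificate with a DNS name")
	}
	return peers[0].DNSNames[0], nil
}

func main() {
	inUse, err := BindTwice("127.0.0.1:0")
	fmt.Println("second bind hit EADDRINUSE:", inUse, "err:", err)
	ln, err := ChallengeListener("foobar.cloud.redacted.tld", "deadbeef.cafebabe.acme.invalid")
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	for _, sni := range []string{"foobar.cloud.redacted.tld", "deadbeef.cafebabe.acme.invalid"} {
		name, err := PresentedName(ln.Addr().String(), sni)
		fmt.Printf("SNI %-32s -> cert for %s (err=%v)\n", sni, name, err)
	}
}
```

Run it with `go run .`; the first line shows the EADDRINUSE the report's log contains, and the two following lines show the same listener serving the site certificate for a normal SNI and the challenge certificate for an acme.invalid SNI without any additional bind.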