caddy: [Gandi] Unable to obtain HTTPS certificates
I’m unable to obtain certificates from either staging or production 😞 BUT I can see some TXT records on my domain. And the Let’s Encrypt URL seems to be frozen at the staging environment…
@ 10800 IN SOA ns1.gandi.net. hostmaster.gandi.net. 1602253807 10800 3600 604800 10800
*.cloud 300 IN CNAME cloud.skynewz.dev.
@ 300 IN A 185.199.108.153
@ 300 IN A 185.199.109.153
@ 300 IN A 185.199.110.153
@ 300 IN A 185.199.111.153
@ 10800 IN MX 10 spool.mail.gandi.net.
@ 10800 IN MX 50 fb.mail.gandi.net.
@ 300 IN TXT "v=spf1 include:_mailcust.gandi.net ?all"
_acme-challenge.cloud.skynewz.dev 10800 IN TXT "1MXf_ZXP2fsqcL5aoHRp7lEKlFKKfF80nRrqQ_U9KXI"
_acme-challenge.cloud.skynewz.dev 10800 IN TXT "41fqxzBfjOf60IdI8IwIEX_3re4aEYpJj_1lGBCuu6s"
_acme-challenge.cloud.skynewz.dev 10800 IN TXT "41fqxzBfjOf60IdI8IwIEX_3re4aEYpJj_1lGBCuu6s"
_acme-challenge.cloud.skynewz.dev 10800 IN TXT "CazgFDn_IrmDw0KXVqs4Kl5-Vv8MKvUwKT_YQzBoz0o"
_acme-challenge.cloud.skynewz.dev 10800 IN TXT "KYCFYVONLOBSUoDgM6KZp55POKlZxouvu7WqxR-EfSo"
_acme-challenge.cloud.skynewz.dev 10800 IN TXT "VtcQKWe7NBIqe2aBvR5Wy6NBrgP3Q8yIS5yRCmIZ1TI"
_acme-challenge.cloud.skynewz.dev 10800 IN TXT "VtcQKWe7NBIqe2aBvR5Wy6NBrgP3Q8yIS5yRCmIZ1TI"
_acme-challenge.cloud.skynewz.dev 10800 IN TXT "VtcQKWe7NBIqe2aBvR5Wy6NBrgP3Q8yIS5yRCmIZ1TI"
_acme-challenge.cloud.skynewz.dev 10800 IN TXT "VtcQKWe7NBIqe2aBvR5Wy6NBrgP3Q8yIS5yRCmIZ1TI"
_acme-challenge.cloud.skynewz.dev 10800 IN TXT "fafuT42wKuL1AjHUOtDuuH0jABkwmdRk1lFl_O9qKmc"
_acme-challenge.cloud.skynewz.dev 10800 IN TXT "gswLJvKEqFcuyDgUriNoE_hlgf71USFm4AePzj-NHJ4"
_acme-challenge.cloud.skynewz.dev 10800 IN TXT "hVzS2nnXTErK6Xv8D4xGO15q96V2OO5uJT41d4i2Tro"
_acme-challenge.cloud.skynewz.dev 10800 IN TXT "slAdKF1G9qWnPknE9Tua1aVg9yux9JWB-ObtBGfx4Uc"
_acme-challenge.cloud.skynewz.dev 10800 IN TXT "tTmFZ_um62V4jNCnirwWB533pq-esRsOCxfDmWvi1As"
cloud 300 IN A 51.15.212.58
…
My caddy log
Oct 09 14:18:54 caddy caddy[5323]: {"level":"debug","ts":1602253134.7423246,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/7775020661","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.2.0 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Boulder-Requester":["98834490"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["799"],"Content-Type":["application/json"],"Date":["Fri, 09 Oct 2020 14:18:54 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0104mlYmN_nBKomq2y4UJ3wuge1XJfiw6dbLJxbM4dyUnkw"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}}
Oct 09 14:18:54 caddy caddy[5323]: {"level":"error","ts":1602253134.7438054,"logger":"tls.obtain","msg":"will retry","error":"[cloud.skynewz.dev] Obtain: [cloud.skynewz.dev] solving challenges: waiting for solver *certmagic.DNS01Solver to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-v02.api.letsencrypt.org/acme/order/98834490/5601961055) (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":123.299836857,"max_duration":2592000}
Oct 09 14:19:55 caddy caddy[5323]: {"level":"debug","ts":1602253195.3428767,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"GET","url":"https://acme-staging-v02.api.letsencrypt.org/directory","headers":{"User-Agent":["Caddy/2.2.0 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["724"],"Content-Type":["application/json"],"Date":["Fri, 09 Oct 2020 14:19:55 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}}
Oct 09 14:19:55 caddy caddy[5323]: {"level":"debug","ts":1602253195.4860983,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"HEAD","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.2.0 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Fri, 09 Oct 2020 14:19:55 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0002N8f12el4ULLbthKKH9Q4buVJNV5_YX_unIL-S2VOKd0"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}}
Oct 09 14:19:55 caddy caddy[5323]: {"level":"debug","ts":1602253195.6575475,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.2.0 CertMagic acmez (linux; amd64)"]},"status_code":201,"response_headers":{"Boulder-Requester":["16035029"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["361"],"Content-Type":["application/json"],"Date":["Fri, 09 Oct 2020 14:19:55 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/order/16035029/164345359"],"Replay-Nonce":["0003tLg4KEqPFmM0XoYNwUDMzzROwohwnMLvkxX2Jv12PpE"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}}
Oct 09 14:19:55 caddy caddy[5323]: {"level":"debug","ts":1602253195.8043296,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/129224421","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.2.0 CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Boulder-Requester":["16035029"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["816"],"Content-Type":["application/json"],"Date":["Fri, 09 Oct 2020 14:19:55 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0004IM5K7_Ina6typUlSztskb-Kq1SbSoPV4EnEcHe257zU"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}}
Oct 09 14:19:55 caddy caddy[5323]: {"level":"debug","ts":1602253195.8046875,"logger":"tls.issuance.acme.acme_client","msg":"no solver configured","challenge_type":"tls-alpn-01"}
Oct 09 14:19:55 caddy caddy[5323]: {"level":"debug","ts":1602253195.8047078,"logger":"tls.issuance.acme.acme_client","msg":"no solver configured","challenge_type":"http-01"}
Oct 09 14:19:55 caddy caddy[5323]: {"level":"info","ts":1602253195.8047197,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"cloud.skynewz.dev","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
I tried:
- With a single domain
- With my (original) domain + wildcard
- Changing the acme_ca

Caddyfile
{
	# Enable debug mode
	debug
	# Disable admin console
	admin off
	# Default email for tls
	email contact@skynewz.dev
	acme_ca https://acme-v02.api.letsencrypt.org/directory
}

:80 {
	header -Server
}

cloud.skynewz.dev {
	# https://caddyserver.com/docs/caddyfile/directives/push
	push
	# https://caddyserver.com/docs/caddyfile/directives/encode
	encode zstd gzip
	# https://caddyserver.com/docs/caddyfile/directives/metrics
	metrics /metrics
	# https://caddyserver.com/docs/caddyfile/directives/tls
	tls {
		dns gandi {env.GANDI_API_TOKEN}
	}
	# https://caddyserver.com/docs/caddyfile/directives/header
	# Header values containing spaces or semicolons must be double-quoted,
	# otherwise the extra tokens are parsed as find/replace arguments.
	header {
		# Hide "Server: Caddy"
		-Server
		# prevent attacks such as Cross Site Scripting (XSS)
		Content-Security-Policy "default-src 'self' cloud.skynewz.dev"
		# enable the cross-site scripting (XSS) filter built into modern web browsers
		X-XSS-Protection "1; mode=block"
		# ensures the connection cannot be established through an insecure HTTP connection
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		# clickjacking protection: disallow framing this site entirely
		X-Frame-Options DENY
		# disable clients from sniffing the media type
		X-Content-Type-Options nosniff
		# keep referrer data off of HTTP connections
		Referrer-Policy no-referrer-when-downgrade
	}
	# https://caddyserver.com/docs/caddyfile/directives/respond
	# Replace backend health checks and provide one for this LB
	# respond /health 200
	# https://caddyserver.com/docs/caddyfile/directives/log
	log {
		output stdout
		format console
	}
	# https://caddyserver.com/docs/caddyfile/directives/reverse_proxy
	reverse_proxy * {
		# Specify backends here
		to 10.70.12.85:30438
		to 10.69.102.65:30438
		lb_policy round_robin
		lb_try_duration 1s
		lb_try_interval 250ms
		# health_path /health   # Backend health check path
		# health_port 80        # Default: same as backend port
		# health_interval 10s
		# health_timeout 2s
		# health_status 200
		# health_body "OK"
		fail_duration 2s
		max_fails 2
		unhealthy_status 5xx
		unhealthy_latency 10s
		unhealthy_request_count 10
	}
}
https://crt.sh/?q=cloud.skynewz.dev&dir=^&sort=1&group=none

About this issue
- Original URL: https://github.com/libdns/gandi/issues/1
- State: closed
- Created 4 years ago
- Comments: 21 (6 by maintainers)
@SkYNewZ I read through the logs you provided. The TXT records _acme-challenge are created successfully, so the Gandi plugin is working as expected. The rest depends on the ACME plugin within Caddy, which must fetch these DNS records to prove ownership of the domain. I’m suspecting an issue related to DNS propagation. The ACME challenge must be cleared within 60 seconds, but I believe the DNS propagation of the new TXT records hasn’t reached your DNS server by that time, or the cache of your DNS server is not updated within 60s.
I would recommend switching to another DNS server in your /etc/resolv.conf to confirm this hypothesis. I’m using 1.1.1.1 as a reference, give it a try.

Issue solved https://github.com/caddyserver/certmagic/issues/105#issuecomment-708614567
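One way to test the resolver hypothesis in the comment above is to query a single nameserver directly instead of whatever /etc/resolv.conf points at, and poll until the challenge value shows up; this is an added Go example, not Caddy's, certmagic's or the libdns/gandi plugin's code. The record name, TXT value and the 1.1.1.1 nameserver come from this thread; the two-minute deadline and five-second poll interval are assumptions.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"time"
)

// hasToken reports whether want is among the TXT values and how many other (stale) values sit next to it.
func hasToken(records []string, want string) (found bool, stale int) {
	for _, r := range records {
		if r == want {
			found = true
		} else {
			stale++
		}
	}
	return found, stale
}

// waitForTXT polls one nameserver (e.g. "1.1.1.1:53", bypassing /etc/resolv.conf) until want is visible or ctx ends.
func waitForTXT(ctx context.Context, nameserver, name, want string, every time.Duration) (bool, error) {
	r := &net.Resolver{
		PreferGo: true, // use Go's resolver so the Dial override below is honoured
		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
			return (&net.Dialer{Timeout: 3 * time.Second}).DialContext(ctx, network, nameserver)
		},
	}
	for {
		if recs, err := r.LookupTXT(ctx, name); err == nil {
			if ok, _ := hasToken(recs, want); ok {
				return true, nil
			}
		}
		select {
		case <-ctx.Done():
			return false, fmt.Errorf("%s not visible at %s: %w", name, nameserver, ctx.Err())
		case <-time.After(every):
		}
	}
}

func main() {
	// Name, value and nameserver come from the thread; the deadline and poll interval are assumptions.
	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
	defer cancel()
	ok, err := waitForTXT(ctx, "1.1.1.1:53", "_acme-challenge.cloud.skynewz.dev", "tTmFZ_um62V4jNCnirwWB533pq-esRsOCxfDmWvi1As", 5*time.Second)
	fmt.Println("visible:", ok, "error:", err)
}
```

Running it once against the nameserver listed in /etc/resolv.conf and once against 1.1.1.1 shows which of the two still serves an empty or stale answer after the plugin has published the record.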
Hmmm, not sure, I don’t use Gandi. Perhaps @obynio would be able to help debug?