caddy: ssl certs failure

1. What version of Caddy are you running (caddy -version)?

Caddy (untracked dev build) (last commit hash bbf954c)

2. What are you trying to do?

Rebooted my machine and let caddy run again

3. What is your entire Caddyfile?

prolly not relevant (yet)

4. How did you run Caddy (give the full command and describe the execution environment)?

ExecStart=/opt/bin/caddy -pidfile /var/www/caddy.pid -agree=true -email \
    miek@miek.nl -conf=/etc/caddy/Caddyfile -log stdout

5. What did you expect to see?

Not the following

6. What did you see instead (give full error messages and/or log)?

-- Logs begin at Fri 2016-09-30 19:54:00 UTC. --
Oct 01 20:23:39 deb caddy[5591]: 2016/10/01 20:23:39 http: TLS handshake error from 85.25.210.234:21233: tls: client offered an unsupported, maximum protocol version of 301
Oct 01 20:23:40 deb caddy[5591]: 2016/10/01 20:23:40 http: TLS handshake error from 85.25.210.234:13864: tls: client offered an unsupported, maximum protocol version of 301
Oct 01 20:23:40 deb caddy[5591]: 2016/10/01 20:23:40 http: TLS handshake error from 85.25.210.234:17874: tls: client offered an unsupported, maximum protocol version of 301
Oct 01 20:24:36 deb caddy[5591]: 2016/10/01 20:24:36 http: TLS handshake error from 106.120.173.99:46438: tls: first record does not look like a TLS handshake
Oct 01 20:25:36 deb caddy[5591]: 2016/10/01 20:25:36 http: TLS handshake error from [2a02:908:b40:a0:5c79:4d07:c5a9:3d83]:61116: tls: client offered an unsupported, maximum protocol version of 301
Oct 01 20:31:03 deb caddy[5591]: 2016/10/01 20:31:03 http: TLS handshake error from [2001:1a50:11:0:5f:8f:ac0c:1]:41341: tls: client offered an unsupported, maximum protocol version of 301
Oct 01 20:34:11 deb caddy[5591]: 2016/10/01 20:34:11 http: TLS handshake error from 54.221.81.125:40546: tls: client offered an unsupported, maximum protocol version of 301
Oct 01 20:34:11 deb caddy[5591]: 2016/10/01 20:34:11 http: TLS handshake error from 54.221.81.125:40625: tls: client offered an unsupported, maximum protocol version of 301
Oct 01 20:42:15 deb caddy[5591]: 2016/10/01 20:42:15 http: TLS handshake error from 173.48.168.206:51582: EOF
Oct 01 20:43:51 deb caddy[5591]: 2016/10/01 20:43:51 http: TLS handshake error from 180.153.73.63:45483: tls: unsupported SSLv2 handshake received
Oct 01 20:44:25 deb caddy[5591]: 2016/10/01 20:44:25 http: TLS handshake error from 113.160.154.138:44733: tls: unsupported SSLv2 handshake received

After which I restarted Caddy, resulting in the following:

-- Logs begin at Fri 2016-09-30 19:54:00 UTC, end at Sat 2016-10-01 20:45:48 UTC. --
Sep 30 19:54:04 deb systemd[1]: Starting Caddy HTTP/2 web server...
Sep 30 19:54:04 deb systemd[1]: Started Caddy HTTP/2 web server.
Sep 30 19:54:05 deb caddy[5591]: 2016/09/30 19:54:04 [INFO] NLgids localhost: nlgids@deb.atoom.net
Sep 30 19:54:08 deb caddy[5591]: Activating privacy features... done.
Sep 30 19:54:08 deb caddy[5591]: https://miek.nl
Sep 30 19:54:08 deb caddy[5591]: https://www.miek.nl
Sep 30 19:54:08 deb caddy[5591]: https://archive.miek.nl
Sep 30 19:54:08 deb caddy[5591]: https://nlgids.london
Sep 30 19:54:08 deb caddy[5591]: https://www.nlgids.london
Sep 30 19:54:08 deb caddy[5591]: https://coredns.io
Sep 30 19:54:08 deb caddy[5591]: https://www.coredns.io
Sep 30 19:54:08 deb caddy[5591]: https://blog.coredns.io
Sep 30 19:54:08 deb caddy[5591]: https://dnssex.nl
Sep 30 19:54:08 deb caddy[5591]: https://www.dnssex.nl
Sep 30 19:54:08 deb caddy[5591]: https://www.berkestoffering.nl
Sep 30 19:54:08 deb caddy[5591]: https://berkestoffering.nl
Sep 30 19:54:08 deb caddy[5591]: https://atoom.net
Sep 30 19:54:08 deb caddy[5591]: https://www.atoom.net
Sep 30 19:54:08 deb caddy[5591]: https://isitinfra.net
Sep 30 19:54:08 deb caddy[5591]: https://www.isitinfra.net
Sep 30 19:54:08 deb caddy[5591]: http://wereldstadsgidsen.com
Sep 30 19:54:08 deb caddy[5591]: http://www.wereldstadsgiden.com
Sep 30 19:54:08 deb caddy[5591]: http://wereldstadgidsen.nl
Sep 30 19:54:08 deb caddy[5591]: http://www.wereldstadgidsen.nl
Sep 30 19:54:08 deb caddy[5591]: http://wereldstadgidsen.be
Sep 30 19:54:08 deb caddy[5591]: http://www.wereldstadgidsen.be
Sep 30 19:54:08 deb caddy[5591]: http://miek.nl
Sep 30 19:54:08 deb caddy[5591]: http://www.miek.nl
Sep 30 19:54:08 deb caddy[5591]: http://archive.miek.nl
Sep 30 19:54:08 deb caddy[5591]: http://nlgids.london
Sep 30 19:54:08 deb caddy[5591]: http://www.nlgids.london
Sep 30 19:54:08 deb caddy[5591]: http://coredns.io
Sep 30 19:54:08 deb caddy[5591]: http://www.coredns.io
Sep 30 19:54:08 deb caddy[5591]: http://blog.coredns.io
Sep 30 19:54:08 deb caddy[5591]: http://dnssex.nl
Sep 30 19:54:08 deb caddy[5591]: http://www.dnssex.nl
Sep 30 19:54:08 deb caddy[5591]: http://www.berkestoffering.nl
Sep 30 19:54:08 deb caddy[5591]: http://berkestoffering.nl
Sep 30 19:54:08 deb caddy[5591]: http://atoom.net
Sep 30 19:54:08 deb caddy[5591]: http://www.atoom.net
Sep 30 19:54:08 deb caddy[5591]: http://isitinfra.net
Sep 30 19:54:08 deb caddy[5591]: http://www.isitinfra.net
Sep 30 19:55:03 deb caddy[5591]: 92.12.221.148 - miek.nl GET /rss.xml HTTP/1.1 404 1252 -
Sep 30 19:55:30 deb caddy[5591]: 50.90.21.165 - miek.nl GET /images/apple.jpg HTTP/2.0 200 298876 https://www.google.com/
Sep 30 19:55:35 deb caddy[5591]: 2016/09/30 19:55:35 http: TLS handshake error from 65.19.138.35:27189: tls: client offered an unsupported, maximum protocol version of 30
Sep 30 19:55:36 deb caddy[5591]: 2016/09/30 19:55:36 http: TLS handshake error from 8.29.198.27:42107: tls: client offered an unsupported, maximum protocol version of 301
Sep 30 19:55:36 deb caddy[5591]: 2016/09/30 19:55:36 http: TLS handshake error from 8.29.198.27:14930: tls: client offered an unsupported, maximum protocol version of 300
Sep 30 19:56:07 deb caddy[5591]: 2001:8b0:bf59:4c3f:a796:8189:437c:4729 - miek.nl GET / HTTP/2.0 200 1609 -
Sep 30 19:56:07 deb caddy[5591]: 2001:8b0:bf59:4c3f:a796:8189:437c:4729 - miek.nl GET /css/style.css HTTP/2.0 200 3557 https://miek.nl/
Sep 30 19:56:07 deb caddy[5591]: 2001:8b0:bf59:4c3f:a796:8189:437c:4729 - miek.nl GET /css/monosocialiconsfont.css HTTP/2.0 200 368 https://miek.nl/
Sep 30 19:56:07 deb caddy[5591]: 2001:8b0:bf59:4c3f:a796:8189:437c:4729 - miek.nl GET /css/highlight.css HTTP/2.0 200 629 https://miek.nl/
Sep 30 19:56:07 deb caddy[5591]: 2001:8b0:bf59:4c3f:a796:8189:437c:4729 - miek.nl GET /images/avatar.jpg HTTP/2.0 200 35651 https://miek.nl/
Sep 30 19:56:07 deb caddy[5591]: 2001:8b0:bf59:4c3f:a796:8189:437c:4729 - miek.nl GET /js/main.js HTTP/2.0 200 406 https://miek.nl/
Sep 30 19:56:07 deb caddy[5591]: 2001:8b0:bf59:4c3f:a796:8189:437c:4729 - miek.nl GET /fonts/MonoSocialIconsFont-1.10.ttf HTTP/2.0 200 146660 https://miek.nl/css/monosoci
Sep 30 19:56:07 deb caddy[5591]: 2001:8b0:bf59:4c3f:a796:8189:437c:4729 - miek.nl GET /js/highlight.js HTTP/2.0 200 23415 https://miek.nl/
Sep 30 19:56:07 deb caddy[5591]: 2001:8b0:bf59:4c3f:a796:8189:437c:4729 - miek.nl GET /images/favicon.ico HTTP/2.0 200 5182 https://miek.nl/
Sep 30 19:56:10 deb caddy[5591]: 2001:8b0:bf59:4c3f:a796:8189:437c:4729 - coredns.io GET / HTTP/2.0 200 2660 -
Sep 30 19:56:10 deb caddy[5591]: 2001:8b0:bf59:4c3f:a796:8189:437c:4729 - coredns.io GET /img/coredns-logo.png HTTP/2.0 200 1347 https://coredns.io/
Sep 30 19:56:10 deb caddy[5591]: 2001:8b0:bf59:4c3f:a796:8189:437c:4729 - coredns.io GET /css/landing-page.css HTTP/2.0 200 987 https://coredns.io/
Sep 30 19:56:10 deb caddy[5591]: 2001:8b0:bf59:4c3f:a796:8189:437c:4729 - coredns.io GET /js/jquery.easing.min.js HTTP/2.0 200 1857 https://coredns.io/
Sep 30 19:56:10 deb caddy[5591]: 2001:8b0:bf59:4c3f:a796:8189:437c:4729 - coredns.io GET /js/landing-page.js HTTP/2.0 200 471 https://coredns.io/
Sep 30 19:56:10 deb caddy[5591]: 2001:8b0:bf59:4c3f:a796:8189:437c:4729 - coredns.io GET /font-awesome-4.1.0/css/font-awesome.min.css HTTP/2.0 200 4684 https://coredns.io
Sep 30 19:56:10 deb caddy[5591]: 2001:8b0:bf59:4c3f:a796:8189:437c:4729 - coredns.io GET /js/bootstrap.min.js HTTP/2.0 200 8544 https://coredns.io/
Sep 30 19:56:10 deb caddy[5591]: 2001:8b0:bf59:4c3f:a796:8189:437c:4729 - coredns.io GET /css/bootstrap.min.css HTTP/2.0 200 18109 https://coredns.io/
Sep 30 19:56:10 deb caddy[5591]: 2001:8b0:bf59:4c3f:a796:8189:437c:4729 - coredns.io GET /js/jquery-1.11.0.js HTTP/2.0 200 33391 https://coredns.io/
Sep 30 19:56:10 deb caddy[5591]: 2001:8b0:bf59:4c3f:a796:8189:437c:4729 - coredns.io GET /img/lava.jpg HTTP/2.0 200 198893 https://coredns.io/
Sep 30 19:56:11 deb caddy[5591]: 2001:8b0:bf59:4c3f:a796:8189:437c:4729 - coredns.io GET /font-awesome-4.1.0/fonts/fontawesome-webfont.woff HTTP/2.0 200 83760 https://cor
Sep 30 19:56:11 deb caddy[5591]: 2001:8b0:bf59:4c3f:a796:8189:437c:4729 - coredns.io GET /img/html-code.jpg HTTP/2.0 200 119296 https://coredns.io/
Sep 30 19:56:11 deb caddy[5591]: 2001:8b0:bf59:4c3f:a796:8189:437c:4729 - coredns.io GET /img/cloud.jpg HTTP/2.0 200 435545 https://coredns.io/
Sep 30 19:56:11 deb caddy[5591]: 2001:8b0:bf59:4c3f:a796:8189:437c:4729 - coredns.io GET /img/disk.jpg HTTP/2.0 200 757713 https://coredns.io/
Sep 30 19:56:11 deb caddy[5591]: 2001:8b0:bf59:4c3f:a796:8189:437c:4729 - coredns.io GET /img/intro-bg.jpg HTTP/2.0 200 435545 https://coredns.io/css/landing-page.css
Sep 30 19:56:11 deb caddy[5591]: 2001:8b0:bf59:4c3f:a796:8189:437c:4729 - coredns.io GET /img/contact-bg.jpg HTTP/2.0 200 544154 https://coredns.io/css/landing-page.css
Sep 30 19:56:12 deb caddy[5591]: 2001:8b0:bf59:4c3f:a796:8189:437c:4729 - coredns.io GET /img/mountain.jpg HTTP/2.0 200 1332881 https://coredns.io/
Sep 30 19:56:12 deb caddy[5591]: 2001:8b0:bf59:4c3f:a796:8189:437c:4729 - coredns.io GET /favicon.ico HTTP/2.0 404 0 https://coredns.io/
Sep 30 19:56:56 deb caddy[5591]: 49.128.61.142 - miek.nl GET /favicon.ico HTTP/2.0 404 3919 https://miek.nl/downloads/2015/go.pdf
Sep 30 19:56:56 deb caddy[5591]: 80.100.158.12 - miek.nl GET /feeds/all.atom.xml HTTP/2.0 404 1252 -
Sep 30 19:56:57 deb caddy[5591]: 49.128.61.142 - miek.nl GET /downloads/2015/go.pdf HTTP/2.0 200 994890 http://dave.cheney.net/resources-for-new-go-programmers
Sep 30 19:56:57 deb caddy[5591]: 49.128.61.142 - miek.nl GET /downloads/2015/go.pdf HTTP/2.0 206 634442 https://miek.nl/downloads/2015/go.pdf
Sep 30 19:57:02 deb caddy[5591]: 2607:8400:2010:2:c90a:ae38:f60a:3756 - www.miek.nl GET /rss.xml HTTP/1.1 404 1252 -
Sep 30 19:57:05 deb caddy[5591]: 2016/09/30 19:57:05 http2: server: error reading preface from client 49.128.61.142:53745: timeout waiting for client preface
Sep 30 19:57:06 deb caddy[5591]: 2016/09/30 19:57:06 http: TLS handshake error from 49.128.61.142:53747: EOF
Sep 30 19:57:38 deb caddy[5591]: 86.105.55.25 - miek.nl GET /feeds/all.atom.xml HTTP/1.1 404 1252 -
Sep 30 19:58:14 deb caddy[5591]: 66.249.76.120 - www.nlgids.london GET /specials.html HTTP/1.1 200 4797 -
Sep 30 19:58:18 deb caddy[5591]: 180.76.15.7 - archive.miek.nl GET /downloads/pubs/secreg-report.pdf HTTP/1.1 200 94343 -
Sep 30 19:58:29 deb caddy[5591]: 49.128.61.142 - miek.nl GET / HTTP/2.0 200 1609 -
Sep 30 19:58:29 deb caddy[5591]: 49.128.61.142 - miek.nl GET /css/highlight.css HTTP/2.0 200 629 https://miek.nl/
Sep 30 19:58:29 deb caddy[5591]: 49.128.61.142 - miek.nl GET /css/style.css HTTP/2.0 200 3557 https://miek.nl/
...skipping...
Oct 01 20:23:36 deb caddy[5591]: 2016/10/01 20:23:36 http: TLS handshake error from 85.25.210.234:42145: tls: client offered an unsupported, maximum protocol version of 3
Oct 01 20:23:36 deb caddy[5591]: 2016/10/01 20:23:36 http: TLS handshake error from 85.25.210.234:34234: tls: client offered an unsupported, maximum protocol version of 3
Oct 01 20:23:37 deb caddy[5591]: 2016/10/01 20:23:37 http: TLS handshake error from 85.25.210.234:40256: tls: client offered an unsupported, maximum protocol version of 3
Oct 01 20:23:38 deb caddy[5591]: 2016/10/01 20:23:38 http: TLS handshake error from 85.25.210.234:62341: tls: client offered an unsupported, maximum protocol version of 3
Oct 01 20:23:38 deb caddy[5591]: 2016/10/01 20:23:38 http: TLS handshake error from 85.25.210.234:34146: tls: client offered an unsupported, maximum protocol version of 3
Oct 01 20:23:38 deb caddy[5591]: 2016/10/01 20:23:38 http: TLS handshake error from 85.25.210.234:58432: tls: client offered an unsupported, maximum protocol version of 3
Oct 01 20:23:39 deb caddy[5591]: 2016/10/01 20:23:39 http: TLS handshake error from 85.25.210.234:41085: tls: client offered an unsupported, maximum protocol version of 3
Oct 01 20:23:39 deb caddy[5591]: 2016/10/01 20:23:39 http: TLS handshake error from 85.25.210.234:21233: tls: client offered an unsupported, maximum protocol version of 3
Oct 01 20:23:40 deb caddy[5591]: 2016/10/01 20:23:40 http: TLS handshake error from 85.25.210.234:13864: tls: client offered an unsupported, maximum protocol version of 3
Oct 01 20:23:40 deb caddy[5591]: 2016/10/01 20:23:40 http: TLS handshake error from 85.25.210.234:17874: tls: client offered an unsupported, maximum protocol version of 3
Oct 01 20:24:36 deb caddy[5591]: 2016/10/01 20:24:36 http: TLS handshake error from 106.120.173.99:46438: tls: first record does not look like a TLS handshake
Oct 01 20:25:36 deb caddy[5591]: 2016/10/01 20:25:36 http: TLS handshake error from [2a02:908:b40:a0:5c79:4d07:c5a9:3d83]:61116: tls: client offered an unsupported, maxim
Oct 01 20:31:03 deb caddy[5591]: 2016/10/01 20:31:03 http: TLS handshake error from [2001:1a50:11:0:5f:8f:ac0c:1]:41341: tls: client offered an unsupported, maximum proto
Oct 01 20:34:11 deb caddy[5591]: 2016/10/01 20:34:11 http: TLS handshake error from 54.221.81.125:40546: tls: client offered an unsupported, maximum protocol version of 3
Oct 01 20:34:11 deb caddy[5591]: 2016/10/01 20:34:11 http: TLS handshake error from 54.221.81.125:40625: tls: client offered an unsupported, maximum protocol version of 3
Oct 01 20:42:15 deb caddy[5591]: 2016/10/01 20:42:15 http: TLS handshake error from 173.48.168.206:51582: EOF
Oct 01 20:43:51 deb caddy[5591]: 2016/10/01 20:43:51 http: TLS handshake error from 180.153.73.63:45483: tls: unsupported SSLv2 handshake received
Oct 01 20:44:25 deb caddy[5591]: 2016/10/01 20:44:25 http: TLS handshake error from 113.160.154.138:44733: tls: unsupported SSLv2 handshake received
Oct 01 20:45:39 deb systemd[1]: Stopping Caddy HTTP/2 web server...
Oct 01 20:45:39 deb systemd[1]: Stopped Caddy HTTP/2 web server.
Oct 01 20:45:39 deb systemd[1]: Starting Caddy HTTP/2 web server...
Oct 01 20:45:39 deb systemd[1]: Started Caddy HTTP/2 web server.
Oct 01 20:45:39 deb caddy[26635]: 2016/10/01 20:45:39 [INFO] NLgids localhost: nlgids@deb.atoom.net
Oct 01 20:45:42 deb caddy[26635]: Activating privacy features...2016/10/01 20:45:42 [INFO] Certificate for [www.dnssex.nl] expires in 699h15m17.206609051s; attempting ren
Oct 01 20:45:43 deb caddy[26635]: 2016/10/01 20:45:43 [INFO][www.dnssex.nl] acme: Trying renewal with 699 hours remaining
Oct 01 20:45:43 deb caddy[26635]: 2016/10/01 20:45:43 [INFO][www.dnssex.nl] acme: Obtaining bundled SAN certificate
Oct 01 20:45:43 deb caddy[26635]: 2016/10/01 20:45:43 [INFO][www.dnssex.nl] acme: Trying to solve TLS-SNI-01
Oct 01 20:45:45 deb caddy[26635]: 2016/10/01 20:45:45 [INFO][www.dnssex.nl] The server validated our request
Oct 01 20:45:45 deb caddy[26635]: 2016/10/01 20:45:45 [INFO][www.dnssex.nl] acme: Validations succeeded; requesting certificates
Oct 01 20:45:45 deb caddy[26635]: 2016/10/01 20:45:45 [INFO] acme: Requesting issuer cert from https://acme-v01.api.letsencrypt.org/acme/issuer-cert
Oct 01 20:45:46 deb caddy[26635]: 2016/10/01 20:45:46 [INFO][www.dnssex.nl] Server responded with a certificate.
Oct 01 20:45:46 deb caddy[26635]: 2016/10/01 20:45:46 [INFO] Certificate for [www.isitinfra.net] expires in 699h21m13.896591197s; attempting renewal
Oct 01 20:45:46 deb caddy[26635]: 2016/10/01 20:45:46 [INFO][www.isitinfra.net] acme: Trying renewal with 699 hours remaining
Oct 01 20:45:46 deb caddy[26635]: 2016/10/01 20:45:46 [INFO][www.isitinfra.net] acme: Obtaining bundled SAN certificate
Oct 01 20:45:46 deb caddy[26635]: 2016/10/01 20:45:46 [INFO][www.isitinfra.net] acme: Trying to solve HTTP-01
Oct 01 20:45:47 deb caddy[26635]: 2016/10/01 20:45:47 [INFO][www.isitinfra.net] Served key authentication
Oct 01 20:45:48 deb caddy[26635]: 2016/10/01 20:45:48 [INFO][www.isitinfra.net] The server validated our request
Oct 01 20:45:48 deb caddy[26635]: 2016/10/01 20:45:48 [INFO][www.isitinfra.net] acme: Validations succeeded; requesting certificates
Oct 01 20:45:48 deb caddy[26635]: 2016/10/01 20:45:48 [INFO] acme: Requesting issuer cert from https://acme-v01.api.letsencrypt.org/acme/issuer-cert
Oct 01 20:45:48 deb caddy[26635]: 2016/10/01 20:45:48 [INFO][www.isitinfra.net] Server responded with a certificate.
Oct 01 20:45:48 deb caddy[26635]: 2016/10/01 20:45:48 [INFO] Certificate for [miek.nl ] expires in 699h14m11.202888651s; attempting renewal
Oct 01 20:45:48 deb caddy[26635]: 2016/10/01 20:45:48 [INFO][miek.nl] acme: Trying renewal with 699 hours remaining
Oct 01 20:45:49 deb caddy[26635]: 2016/10/01 20:45:49 [INFO][miek.nl] acme: Obtaining bundled SAN certificate
Oct 01 20:45:49 deb caddy[26635]: 2016/10/01 20:45:49 [INFO][miek.nl] acme: Trying to solve TLS-SNI-01
deb# journalctl -fu caddy
-- Logs begin at Fri 2016-09-30 19:54:00 UTC. --
Oct 01 20:46:00 deb caddy[26635]: 2016/10/01 20:46:00 [INFO][www.berkestoffering.nl] acme: Obtaining bundled SAN certificate
Oct 01 20:46:01 deb caddy[26635]: 2016/10/01 20:46:01 [INFO][www.berkestoffering.nl] acme: Trying to solve HTTP-01
Oct 01 20:46:01 deb caddy[26635]: 2016/10/01 20:46:01 [INFO][www.berkestoffering.nl] Served key authentication
Oct 01 20:46:02 deb caddy[26635]: 2016/10/01 20:46:02 [INFO][www.berkestoffering.nl] The server validated our request
Oct 01 20:46:02 deb caddy[26635]: 2016/10/01 20:46:02 [INFO][www.berkestoffering.nl] acme: Validations succeeded; requesting certificates
Oct 01 20:46:03 deb caddy[26635]: 2016/10/01 20:46:03 [INFO] acme: Requesting issuer cert from https://acme-v01.api.letsencrypt.org/acme/issuer-cert
Oct 01 20:46:03 deb caddy[26635]: 2016/10/01 20:46:03 [INFO][www.berkestoffering.nl] Server responded with a certificate.
Oct 01 20:46:03 deb caddy[26635]: 2016/10/01 20:46:03 [INFO] Certificate for [www.atoom.net] expires in 699h18m56.277058473s; attempting renewal
Oct 01 20:46:03 deb caddy[26635]: 2016/10/01 20:46:03 [INFO][www.atoom.net] acme: Trying renewal with 699 hours remaining
Oct 01 20:46:04 deb caddy[26635]: 2016/10/01 20:46:04 [INFO][www.atoom.net] acme: Obtaining bundled SAN certificate
Oct 01 20:46:04 deb caddy[26635]: 2016/10/01 20:46:04 [INFO][www.atoom.net] acme: Trying to solve HTTP-01
Oct 01 20:46:05 deb caddy[26635]: 2016/10/01 20:46:05 [INFO][www.atoom.net] Served key authentication
Oct 01 20:46:06 deb caddy[26635]: 2016/10/01 20:46:06 [INFO][www.atoom.net] The server validated our request
Oct 01 20:46:06 deb caddy[26635]: 2016/10/01 20:46:06 [INFO][www.atoom.net] acme: Validations succeeded; requesting certificates
Oct 01 20:46:06 deb caddy[26635]: 2016/10/01 20:46:06 [INFO] acme: Requesting issuer cert from https://acme-v01.api.letsencrypt.org/acme/issuer-cert
Oct 01 20:46:06 deb caddy[26635]: 2016/10/01 20:46:06 [INFO][www.atoom.net] Server responded with a certificate.
Oct 01 20:46:06 deb caddy[26635]: 2016/10/01 20:46:06 [INFO] Certificate for [isitinfra.net] expires in 699h18m53.361987199s; attempting renewal
Oct 01 20:46:06 deb caddy[26635]: 2016/10/01 20:46:06 [INFO][isitinfra.net] acme: Trying renewal with 699 hours remaining
Oct 01 20:46:07 deb caddy[26635]: 2016/10/01 20:46:07 [INFO][isitinfra.net] acme: Obtaining bundled SAN certificate
Oct 01 20:46:07 deb caddy[26635]: 2016/10/01 20:46:07 [INFO][isitinfra.net] acme: Trying to solve HTTP-01
Oct 01 20:46:07 deb caddy[26635]: 2016/10/01 20:46:07 [INFO][isitinfra.net] Served key authentication
Oct 01 20:46:08 deb caddy[26635]: 2016/10/01 20:46:08 [INFO][isitinfra.net] The server validated our request
Oct 01 20:46:08 deb caddy[26635]: 2016/10/01 20:46:08 [INFO][isitinfra.net] acme: Validations succeeded; requesting certificates
Oct 01 20:46:09 deb caddy[26635]: 2016/10/01 20:46:09 [INFO] acme: Requesting issuer cert from https://acme-v01.api.letsencrypt.org/acme/issuer-cert
Oct 01 20:46:09 deb caddy[26635]: 2016/10/01 20:46:09 [INFO][isitinfra.net] Server responded with a certificate.
Oct 01 20:46:09 deb caddy[26635]: 2016/10/01 20:46:09 [INFO] Certificate for [archive.miek.nl] expires in 699h14m50.622164874s; attempting renewal
Oct 01 20:46:09 deb caddy[26635]: 2016/10/01 20:46:09 [INFO][archive.miek.nl] acme: Trying renewal with 699 hours remaining
Oct 01 20:46:09 deb caddy[26635]: 2016/10/01 20:46:09 [INFO][archive.miek.nl] acme: Obtaining bundled SAN certificate
Oct 01 20:46:10 deb caddy[26635]: 2016/10/01 20:46:10 [INFO][archive.miek.nl] acme: Could not find solver for: dns-01
Oct 01 20:46:10 deb caddy[26635]: 2016/10/01 20:46:10 [INFO][archive.miek.nl] acme: Trying to solve TLS-SNI-01
Oct 01 20:46:11 deb caddy[26635]: 2016/10/01 20:46:11 [INFO][archive.miek.nl] The server validated our request
Oct 01 20:46:11 deb caddy[26635]: 2016/10/01 20:46:11 [INFO][archive.miek.nl] acme: Validations succeeded; requesting certificates
Oct 01 20:46:12 deb caddy[26635]: 2016/10/01 20:46:12 [INFO] acme: Requesting issuer cert from https://acme-v01.api.letsencrypt.org/acme/issuer-cert
Oct 01 20:46:12 deb caddy[26635]: 2016/10/01 20:46:12 [INFO][archive.miek.nl] Server responded with a certificate.
Oct 01 20:46:12 deb caddy[26635]: 2016/10/01 20:46:12 [INFO] Certificate for [nlgids.london] expires in 699h14m47.650614623s; attempting renewal
Oct 01 20:46:12 deb caddy[26635]: 2016/10/01 20:46:12 [INFO][nlgids.london] acme: Trying renewal with 699 hours remaining
Oct 01 20:46:12 deb caddy[26635]: 2016/10/01 20:46:12 [INFO][nlgids.london] acme: Obtaining bundled SAN certificate
Oct 01 20:46:13 deb caddy[26635]: 2016/10/01 20:46:13 [INFO][nlgids.london] acme: Trying to solve TLS-SNI-01
Oct 01 20:46:15 deb caddy[26635]: 2016/10/01 20:46:15 [INFO][nlgids.london] The server validated our request
Oct 01 20:46:15 deb caddy[26635]: 2016/10/01 20:46:15 [INFO][nlgids.london] acme: Validations succeeded; requesting certificates
Oct 01 20:46:15 deb caddy[26635]: 2016/10/01 20:46:15 [INFO] acme: Requesting issuer cert from https://acme-v01.api.letsencrypt.org/acme/issuer-cert
Oct 01 20:46:15 deb caddy[26635]: 2016/10/01 20:46:15 [INFO][nlgids.london] Server responded with a certificate.
Oct 01 20:46:15 deb caddy[26635]: 2016/10/01 20:46:15 [INFO] Certificate for [berkestoffering.nl] expires in 699h14m44.235123573s; attempting renewal
Oct 01 20:46:15 deb caddy[26635]: 2016/10/01 20:46:15 [INFO][berkestoffering.nl] acme: Trying renewal with 699 hours remaining
Oct 01 20:46:16 deb caddy[26635]: 2016/10/01 20:46:16 [INFO][berkestoffering.nl] acme: Obtaining bundled SAN certificate
Oct 01 20:46:16 deb caddy[26635]: 2016/10/01 20:46:16 [INFO][berkestoffering.nl] acme: Trying to solve HTTP-01
Oct 01 20:46:17 deb caddy[26635]: 2016/10/01 20:46:17 [INFO][berkestoffering.nl] Served key authentication
Oct 01 20:46:18 deb caddy[26635]: 2016/10/01 20:46:18 [INFO][berkestoffering.nl] The server validated our request
Oct 01 20:46:18 deb caddy[26635]: 2016/10/01 20:46:18 [INFO][berkestoffering.nl] acme: Validations succeeded; requesting certificates
Oct 01 20:46:20 deb caddy[26635]: 2016/10/01 20:46:20 [INFO] acme: Requesting issuer cert from https://acme-v01.api.letsencrypt.org/acme/issuer-cert
Oct 01 20:46:20 deb caddy[26635]: 2016/10/01 20:46:20 [INFO][berkestoffering.nl] Server responded with a certificate.
Oct 01 20:46:20 deb caddy[26635]: 2016/10/01 20:46:20 [INFO] Certificate for [atoom.net] expires in 699h18m39.180178862s; attempting renewal
Oct 01 20:46:21 deb caddy[26635]: 2016/10/01 20:46:21 [INFO][atoom.net] acme: Trying renewal with 699 hours remaining
Oct 01 20:46:21 deb caddy[26635]: 2016/10/01 20:46:21 [INFO][atoom.net] acme: Obtaining bundled SAN certificate
Oct 01 20:46:21 deb caddy[26635]: 2016/10/01 20:46:21 [INFO][atoom.net] acme: Trying to solve HTTP-01
Oct 01 20:46:22 deb caddy[26635]: 2016/10/01 20:46:22 [INFO][atoom.net] Served key authentication
Oct 01 20:46:23 deb caddy[26635]: 2016/10/01 20:46:23 [INFO][atoom.net] The server validated our request
Oct 01 20:46:23 deb caddy[26635]: 2016/10/01 20:46:23 [INFO][atoom.net] acme: Validations succeeded; requesting certificates
Oct 01 20:46:23 deb caddy[26635]: 2016/10/01 20:46:23 [INFO] acme: Requesting issuer cert from https://acme-v01.api.letsencrypt.org/acme/issuer-cert
Oct 01 20:46:23 deb caddy[26635]: 2016/10/01 20:46:23 [INFO][atoom.net] Server responded with a certificate.
Oct 01 20:46:26 deb caddy[26635]:  done.
Oct 01 20:46:26 deb caddy[26635]: https://miek.nl
Oct 01 20:46:26 deb caddy[26635]: https://www.miek.nl
Oct 01 20:46:26 deb caddy[26635]: https://archive.miek.nl
Oct 01 20:46:26 deb caddy[26635]: https://nlgids.london
Oct 01 20:46:26 deb caddy[26635]: https://www.nlgids.london
Oct 01 20:46:26 deb caddy[26635]: https://coredns.io
Oct 01 20:46:26 deb caddy[26635]: https://www.coredns.io
Oct 01 20:46:26 deb caddy[26635]: https://blog.coredns.io
Oct 01 20:46:26 deb caddy[26635]: https://dnssex.nl
Oct 01 20:46:26 deb caddy[26635]: https://www.dnssex.nl
Oct 01 20:46:26 deb caddy[26635]: https://www.berkestoffering.nl
Oct 01 20:46:26 deb caddy[26635]: https://berkestoffering.nl
Oct 01 20:46:26 deb caddy[26635]: https://atoom.net
Oct 01 20:46:26 deb caddy[26635]: https://www.atoom.net
Oct 01 20:46:26 deb caddy[26635]: https://isitinfra.net
Oct 01 20:46:26 deb caddy[26635]: https://www.isitinfra.net
Oct 01 20:46:26 deb caddy[26635]: http://wereldstadsgidsen.com
Oct 01 20:46:26 deb caddy[26635]: http://www.wereldstadsgiden.com
Oct 01 20:46:26 deb caddy[26635]: http://wereldstadgidsen.nl
Oct 01 20:46:26 deb caddy[26635]: http://www.wereldstadgidsen.nl
Oct 01 20:46:26 deb caddy[26635]: http://wereldstadgidsen.be
Oct 01 20:46:26 deb caddy[26635]: http://www.wereldstadgidsen.be
Oct 01 20:46:26 deb caddy[26635]: http://miek.nl
Oct 01 20:46:26 deb caddy[26635]: http://www.miek.nl
Oct 01 20:46:26 deb caddy[26635]: http://archive.miek.nl
Oct 01 20:46:26 deb caddy[26635]: http://nlgids.london
Oct 01 20:46:26 deb caddy[26635]: http://www.nlgids.london
Oct 01 20:46:26 deb caddy[26635]: http://coredns.io
Oct 01 20:46:26 deb caddy[26635]: http://www.coredns.io
Oct 01 20:46:26 deb caddy[26635]: http://blog.coredns.io
Oct 01 20:46:26 deb caddy[26635]: http://dnssex.nl
Oct 01 20:46:26 deb caddy[26635]: http://www.dnssex.nl
Oct 01 20:46:26 deb caddy[26635]: http://www.berkestoffering.nl
Oct 01 20:46:26 deb caddy[26635]: http://berkestoffering.nl
Oct 01 20:46:26 deb caddy[26635]: http://atoom.net
Oct 01 20:46:26 deb caddy[26635]: http://www.atoom.net
Oct 01 20:46:26 deb caddy[26635]: http://isitinfra.net
Oct 01 20:46:26 deb caddy[26635]: http://www.isitinfra.net

7. How can someone who is starting from scratch reproduce this behavior as minimally as possible?

Good question.
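A triage pass over journal output like the report above, added here as an example and not part of the original issue or of Caddy's code. It groups the handshake errors by cause (Go's crypto/tls prints the client's maximum version in hex, so `301` is 0x0301, TLS 1.0) and lists ACME renewals that started a challenge but never logged a certificate. The sample lines, addresses and `example.org` names are constructed.

```python
import re
from collections import Counter

# Constructed sample in the journal format shown in the issue (documentation
# addresses and example.org names, not the reporter's data). The third line is
# cut short the way the pager truncated lines in the report.
SAMPLE_LOG = """\
Oct 01 20:23:39 deb caddy[5591]: 2016/10/01 20:23:39 http: TLS handshake error from 192.0.2.10:21233: tls: client offered an unsupported, maximum protocol version of 301
Oct 01 20:23:40 deb caddy[5591]: 2016/10/01 20:23:40 http: TLS handshake error from [2001:db8::1]:61116: tls: client offered an unsupported, maximum protocol version of 300
Oct 01 20:23:41 deb caddy[5591]: 2016/10/01 20:23:41 http: TLS handshake error from 192.0.2.10:13864: tls: client offered an unsupported, maximum protocol version of 3
Oct 01 20:24:36 deb caddy[5591]: 2016/10/01 20:24:36 http: TLS handshake error from 198.51.100.7:46438: tls: first record does not look like a TLS handshake
Oct 01 20:42:15 deb caddy[5591]: 2016/10/01 20:42:15 http: TLS handshake error from 203.0.113.5:51582: EOF
Oct 01 20:43:51 deb caddy[5591]: 2016/10/01 20:43:51 http: TLS handshake error from 203.0.113.9:45483: tls: unsupported SSLv2 handshake received
Oct 01 20:45:43 deb caddy[26635]: 2016/10/01 20:45:43 [INFO][www.example.org] acme: Trying to solve TLS-SNI-01
Oct 01 20:45:45 deb caddy[26635]: 2016/10/01 20:45:45 [INFO][www.example.org] The server validated our request
Oct 01 20:45:46 deb caddy[26635]: 2016/10/01 20:45:46 [INFO][www.example.org] Server responded with a certificate.
Oct 01 20:45:49 deb caddy[26635]: 2016/10/01 20:45:49 [INFO][example.org] acme: Trying to solve TLS-SNI-01
"""

# Protocol versions as they appear on the wire (major/minor bytes).
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
                0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

HANDSHAKE = re.compile(r"TLS handshake error from (\S+): (.+)$")
VERSION = re.compile(r"maximum protocol version of ([0-9a-f]+)$")
ACME = re.compile(r"\[INFO\]\[([^\]]+)\] (.+)$")
SOLVE = re.compile(r"acme: Trying to solve (\S+)$")

TRUNCATED = "client max version (line truncated)"


def classify_handshake(reason):
    """Map the error text after the peer address to a triage category."""
    m = VERSION.search(reason)
    if m:
        # A pager-truncated number ("3", "30") is not a real version; do not guess.
        name = TLS_VERSIONS.get(int(m.group(1), 16))
        return f"client max {name}" if name else TRUNCATED
    if reason.startswith("tls: client offered an unsupported"):
        return TRUNCATED
    if "SSLv2" in reason:
        return "SSLv2 ClientHello"
    if "first record does not look like" in reason:
        return "non-TLS bytes on TLS port"
    if reason == "EOF":
        return "peer closed during handshake"
    return "other"


def peer_host(peer):
    """Strip the port (and IPv6 brackets) from 'host:port' or '[v6]:port'."""
    host, _, _port = peer.rpartition(":")
    return host.strip("[]")


def triage(text):
    """Return (error counts, peers per category, ACME state per name)."""
    reasons, peers, acme = Counter(), {}, {}
    for line in text.splitlines():
        line = line.rstrip()
        m = HANDSHAKE.search(line)
        if m:
            category = classify_handshake(m.group(2))
            reasons[category] += 1
            peers.setdefault(category, set()).add(peer_host(m.group(1)))
            continue
        m = ACME.search(line)
        if m:
            name, msg = m.groups()
            state = acme.setdefault(name, {"challenge": None, "issued": False})
            solve = SOLVE.search(msg)
            if solve:
                # A new challenge attempt restarts the flow for this name.
                state["challenge"], state["issued"] = solve.group(1), False
            elif msg.startswith("Server responded with a certificate"):
                state["issued"] = True
    return reasons, peers, acme


def unfinished_renewals(acme):
    """Names that began a challenge but never logged an issued certificate."""
    return sorted((name, s["challenge"]) for name, s in acme.items()
                  if s["challenge"] and not s["issued"])


if __name__ == "__main__":
    reasons, peers, acme = triage(SAMPLE_LOG)
    for category, count in reasons.most_common():
        print(f"{count:3d}  {category}  peers={sorted(peers[category])}")
    for name, challenge in unfinished_renewals(acme):
        print(f"no certificate logged for {name} after {challenge}")
```

Feeding it untruncated output (`journalctl --no-pager -u caddy`) avoids the truncated bucket entirely.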

About this issue

  • State: closed
  • Created 8 years ago
  • Reactions: 3
  • Comments: 95 (36 by maintainers)

Most upvoted comments

To close this off. I saw a successful cert upgrade:

Nov 30 22:49:34 deb caddy[17021]: 2016/11/30 22:49:34 [INFO][www.isitinfra.net] Server responded with a certificate.
Nov 30 22:49:34 deb caddy[17021]: 2016/11/30 22:49:34 [INFO] Certificate for [www.miek.nl] expires in 716h56m25.933548018s; attempti
Nov 30 22:49:34 deb caddy[17021]: 2016/11/30 22:49:34 [INFO][www.miek.nl] acme: Trying renewal with 716 hours remaining
Nov 30 22:49:34 deb caddy[17021]: 2016/11/30 22:49:34 [INFO][www.miek.nl] acme: Obtaining bundled SAN certificate
Nov 30 22:49:34 deb caddy[17021]: 2016/11/30 22:49:34 [INFO][www.miek.nl] acme: Could not find solver for: dns-01
Nov 30 22:49:34 deb caddy[17021]: 2016/11/30 22:49:34 [INFO][www.miek.nl] acme: Trying to solve HTTP-01
Nov 30 22:49:35 deb caddy[17021]: 2016/11/30 22:49:35 [INFO][www.miek.nl] Served key authentication
Nov 30 22:49:36 deb caddy[17021]: 2016/11/30 22:49:36 [INFO][www.miek.nl] The server validated our request
Nov 30 22:49:36 deb caddy[17021]: 2016/11/30 22:49:36 [INFO][www.miek.nl] acme: Validations succeeded; requesting certificates
Nov 30 22:49:36 deb caddy[17021]: 2016/11/30 22:49:36 [INFO] acme: Requesting issuer cert from https://acme-v01.api.letsencrypt.org/
Nov 30 22:49:36 deb caddy[17021]: 2016/11/30 22:49:36 [INFO][www.miek.nl] Server responded with a certificate.

This is thus due to running some random git release of the deps of caddy, which had “some” bug.

Thanks @mholt for your patience and this has nothing to do with systemd 👍

Full renewal seen, everything looks good!

Jan 30 08:20:37 deb caddy[14281]: 2017/01/30 08:20:37 [INFO] Scanning for expiring certificates
Jan 30 08:20:37 deb caddy[14281]: 2017/01/30 08:20:37 [INFO] Certificate for [miek.nl] expires in 718h2m22.986286409s; attempting renewal
Jan 30 08:20:37 deb caddy[14281]: 2017/01/30 08:20:37 [INFO] Certificate for [dnssex.nl] expires in 718h2m22.985427385s; attempting renewal
Jan 30 08:20:37 deb caddy[14281]: 2017/01/30 08:20:37 [INFO] Certificate for [www.dnssex.nl] expires in 709h29m22.985405469s; attempting renewal
Jan 30 08:20:37 deb caddy[14281]: 2017/01/30 08:20:37 [INFO] Certificate for [miek.nl ] expires in 718h2m22.985389262s; attempting renewal
Jan 30 08:20:37 deb caddy[14281]: 2017/01/30 08:20:37 [INFO] Certificate for [www.berkestoffering.nl] expires in 718h2m22.985373744s; attempting renewa
Jan 30 08:20:37 deb caddy[14281]: 2017/01/30 08:20:37 [INFO] Certificate for [atoom.net] expires in 718h2m22.985276862s; attempting renewal
Jan 30 08:20:37 deb caddy[14281]: 2017/01/30 08:20:37 [INFO] Certificate for [nlgids.london] expires in 718h2m22.985267275s; attempting renewal
Jan 30 08:20:37 deb caddy[14281]: 2017/01/30 08:20:37 [INFO] Certificate for [archive.miek.nl] expires in 709h29m22.985261929s; attempting renewal
Jan 30 08:20:37 deb caddy[14281]: 2017/01/30 08:20:37 [INFO] Certificate for [www.nlgids.london] expires in 718h2m22.985253253s; attempting renewal
Jan 30 08:20:37 deb caddy[14281]: 2017/01/30 08:20:37 [INFO] Certificate for [www.atoom.net] expires in 718h2m22.985151733s; attempting renewal
Jan 30 08:20:37 deb caddy[14281]: 2017/01/30 08:20:37 [INFO] Certificate for [www.miek.nl] expires in 709h29m22.985137867s; attempting renewal
Jan 30 08:20:37 deb caddy[14281]: 2017/01/30 08:20:37 [INFO] Certificate for [berkestoffering.nl] expires in 718h2m22.985132931s; attempting renewal
Jan 30 08:20:37 deb caddy[14281]: 2017/01/30 08:20:37 [INFO][miek.nl] acme: Trying renewal with 718 hours remaining
Jan 30 08:20:37 deb caddy[14281]: 2017/01/30 08:20:37 [INFO][miek.nl] acme: Obtaining bundled SAN certificate
Jan 30 08:20:37 deb caddy[14281]: 2017/01/30 08:20:37 [INFO][miek.nl] acme: Trying to solve HTTP-01
Jan 30 08:20:39 deb caddy[14281]: 2017/01/30 08:20:39 [INFO][miek.nl] Served key authentication
Jan 30 08:20:39 deb caddy[14281]: 2017/01/30 08:20:39 [INFO][miek.nl] The server validated our request
Jan 30 08:20:39 deb caddy[14281]: 2017/01/30 08:20:39 [INFO][miek.nl] acme: Validations succeeded; requesting certificates
Jan 30 08:20:39 deb caddy[14281]: 2017/01/30 08:20:39 [INFO] acme: Requesting issuer cert from https://acme-v01.api.letsencrypt.org/acme/issuer-cert
Jan 30 08:20:40 deb caddy[14281]: 2017/01/30 08:20:40 [INFO][miek.nl] Server responded with a certificate.
Jan 30 08:20:40 deb caddy[14281]: 2017/01/30 08:20:40 [INFO][dnssex.nl] acme: Trying renewal with 718 hours remaining
Jan 30 08:20:40 deb caddy[14281]: 2017/01/30 08:20:40 [INFO][dnssex.nl] acme: Obtaining bundled SAN certificate
Jan 30 08:20:41 deb caddy[14281]: 2017/01/30 08:20:41 [INFO][dnssex.nl] acme: Trying to solve TLS-SNI-01
Jan 30 08:20:42 deb caddy[14281]: 2017/01/30 08:20:42 [INFO][dnssex.nl] The server validated our request
Jan 30 08:20:42 deb caddy[14281]: 2017/01/30 08:20:42 [INFO][dnssex.nl] acme: Validations succeeded; requesting certificates
Jan 30 08:20:43 deb caddy[14281]: 2017/01/30 08:20:43 [INFO] acme: Requesting issuer cert from https://acme-v01.api.letsencrypt.org/acme/issuer-cert
Jan 30 08:20:43 deb caddy[14281]: 2017/01/30 08:20:43 [INFO][dnssex.nl] Server responded ....
...

[ Quoting notifications@github.com in “Re: [mholt/caddy] ssl certs failure…” ]

@miekg I think it’s strange that some, but not all, of those errors happen after (during?) a TLS-SNI-01 challenge. I started digging into the lego/acme package which facilitates this for Caddy, and found what I think is a couple of leaked file descriptors. Maybe? Feel free to verify or debunk my claim: https://github.com/xenolf/lego/pull/341

Thanks. That PR def. fixes a leak. I left a comment.

So, I don’t know if that has anything to do with what you’re seeing. It seems unlikely, and it definitely wouldn’t resolve a race that might be happening between Caddy and the Go standard library.

My current test with go1.8rc1 also fails; I will proceed with instrumenting the Go std lib as well, and hopefully get more debugging info.

I’m continuing to investigate any other aspect of the TLS-SNI challenge that might be buggy.

Thanks!

/Miek

– Miek Gieben

@miekg Great, good to have closure. 😃 Sorry for the trouble – glad you resolved it.

(Strange, I wonder what dependency was outdated or something that was causing your issue.)

Ok, running under tmux now - let’s see.

[ Quoting notifications@github.com in “Re: [mholt/caddy] ssl certs failure…” ]

@miekg Any update on this?

I haven’t seen it anymore. Probably because I need to wait 90 days…

Feel free to close - if I find a smoking gun I will update this (closed) bug.