caddy: WildCard SSL doesn't work. "acme: cleaning up failed: no memory of presenting a DNS record for ..."

1. Environment

1a. Operating system and version

Debian 4.19.37-5+deb10u2 (2019-08-08) x86_64 GNU/Linux

1b. Caddy version (run caddy version or paste commit SHA)

v2.0.0 h1:pQSaIJGFluFvu8KDGDODV8u4/QRED/OPyIR+MWYYse8=

1c. Go version (if building Caddy from source; run go version)

go version go1.14.4 linux/amd64

2. Description

2a. What happens (briefly explain what is wrong)

TLS configuration works for xxx.xx and www.xxx.xx; it also works for

xxx.xx www.xxx.xx {
    tls {
    ...
    }
}

but it doesn’t work for

*.xxx.xx {
    tls {
    ...
    }
}

2b. Why it’s a bug (if it’s not obvious)

2c. Log output

Jun 05 02:10:04 ONEVPS200530075317 caddy[30426]: {"level":"info","ts":1591323004.6141896,"msg":"serving initial configuration"}
Jun 05 02:10:04 ONEVPS200530075317 caddy[30426]: 2020/06/05 02:10:04 [INFO][cache:0xc0006bd860] Started certificate maintenance routine
Jun 05 02:10:04 ONEVPS200530075317 caddy[30426]: 2020/06/05 02:10:04 [INFO][*.rseco.cf] Obtain certificate; acquiring lock...
Jun 05 02:10:04 ONEVPS200530075317 caddy[30426]: 2020/06/05 02:10:04 [INFO][*.rseco.cf] Obtain: Lock acquired; proceeding...
Jun 05 02:10:05 ONEVPS200530075317 caddy[30426]: 2020/06/05 02:10:05 [INFO][*.rseco.cf] Waiting on rate limiter...
Jun 05 02:10:05 ONEVPS200530075317 caddy[30426]: 2020/06/05 02:10:05 [INFO][*.rseco.cf] Done waiting
Jun 05 02:10:05 ONEVPS200530075317 caddy[30426]: 2020/06/05 02:10:05 [INFO] [*.rseco.cf] acme: Obtaining bundled SAN certificate given a CSR
Jun 05 02:10:06 ONEVPS200530075317 caddy[30426]: 2020/06/05 02:10:06 [INFO] [*.rseco.cf] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5026703172
Jun 05 02:10:06 ONEVPS200530075317 caddy[30426]: 2020/06/05 02:10:06 [INFO] [*.rseco.cf] acme: use dns-01 solver
Jun 05 02:10:06 ONEVPS200530075317 caddy[30426]: 2020/06/05 02:10:06 [INFO] [*.rseco.cf] acme: Preparing to solve DNS-01
Jun 05 02:10:06 ONEVPS200530075317 caddy[30426]: 2020/06/05 02:10:06 [INFO] [*.rseco.cf] acme: Preparing to solve DNS-01
Jun 05 02:10:06 ONEVPS200530075317 caddy[30426]: 2020/06/05 02:10:06 [INFO] [*.rseco.cf] acme: Cleaning DNS-01 challenge
Jun 05 02:10:06 ONEVPS200530075317 caddy[30426]: 2020/06/05 02:10:06 [WARN] [*.rseco.cf] acme: cleaning up failed: no memory of presenting a DNS record for rseco.cf
Jun 05 02:10:07 ONEVPS200530075317 caddy[30426]: 2020/06/05 02:10:07 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5026703172
Jun 05 02:10:07 ONEVPS200530075317 caddy[30426]: 2020/06/05 02:10:07 [ERROR] error: one or more domains had a problem:
Jun 05 02:10:07 ONEVPS200530075317 caddy[30426]: [*.rseco.cf] [*.rseco.cf] acme: error presenting token: got error status: HTTP 401: []
Jun 05 02:10:07 ONEVPS200530075317 caddy[30426]:  (challenge=dns-01 remaining=[])
Jun 05 02:10:09 ONEVPS200530075317 caddy[30426]: 2020/06/05 02:10:09 [ERROR] attempt 1: [*.rseco.cf] Obtain: [*.rseco.cf] error: one or more domains had a problem:
Jun 05 02:10:09 ONEVPS200530075317 caddy[30426]: [*.rseco.cf] [*.rseco.cf] acme: error presenting token: got error status: HTTP 401: []
Jun 05 02:10:09 ONEVPS200530075317 caddy[30426]:  - retrying in 1m0s (4.745202486s/720h0m0s elapsed)...

2d. Workaround(s)

xcaddy build --with github.com/caddy-dns/cloudflare

Already checked the token, but it still doesn't work. https://github.com/libdns/cloudflare

3. Tutorial (minimal steps to reproduce the bug)

Caddyfile

*.rseco.cf {
        tls {
                dns cloudflare {env.CLOUDFLARE_API_TOKEN}
        }
        @www {
                host www.rseco.cf
        }
        reverse_proxy @www localhost
}

rseco.cf {
        log {
                output file /var/log/caddy/caddy.log
        }
        root * /var/www/html
        encode zstd gzip
        file_server
}

caddy.service

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target

[Service]
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE
Environment=CLOUDFLARE_EMAIL="my email"
Environment=CLOUDFLARE_API_TOKEN="my token"

[Install]
WantedBy=multi-user.target
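Added here as an example, not code from the issue, from Caddy or from libdns: a POSIX sh check of the token in CLOUDFLARE_API_TOKEN against Cloudflare's /user/tokens/verify and /zones endpoints, which separates "token rejected" (the HTTP 401 in the log above) from "token accepted but cannot see the zone". It assumes compact JSON replies and the permissions the caddy-dns/cloudflare module documents (Zone:Read and DNS:Edit); cf_ok, cf_token_status, cf_zone_visible and check_token are names chosen for this example.

```shell
# Added diagnostic (not from the issue or from Caddy/libdns): verify the token in
# CLOUDFLARE_API_TOKEN before Caddy tries DNS-01. The "HTTP 401" in the log above
# is the Cloudflare API rejecting the token, so no _acme-challenge record is ever made.
CF_API="https://api.cloudflare.com/client/v4"
# Cloudflare replies are compact JSON (assumed: no space after the colons), so a
# substring match on "success":true separates accepted from rejected requests.
cf_ok() {
    case "$1" in
        *'"success":true'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Token status ("active", "disabled", "expired") from a /user/tokens/verify reply.
cf_token_status() {
    printf '%s' "$1" | sed -n 's/.*"status":"\([^"]*\)".*/\1/p'
}

# A /zones?name=<zone> reply with an empty result means the token is accepted
# but cannot read that zone (missing Zone:Read, or the zone is in another account).
cf_zone_visible() {
    case "$1" in
        *'"result":[]'*) return 1 ;;
        *) cf_ok "$1" ;;
    esac
}

cf_get() {
    curl -sS -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" "$CF_API$1"
}

# Run both checks for one zone; return non-zero on the first failure.
check_token() {
    zone="$1"
    verify=$(cf_get /user/tokens/verify)
    if ! cf_ok "$verify"; then
        echo "token rejected by Cloudflare (Caddy sees this as HTTP 401)" >&2
        return 1
    fi
    echo "token status: $(cf_token_status "$verify")"
    if ! cf_zone_visible "$(cf_get "/zones?name=$zone")"; then
        echo "token valid but cannot see zone $zone: needs Zone:Read and DNS:Edit" >&2
        return 1
    fi
    echo "zone $zone visible to this token; DNS-01 can proceed"
}

# Only contact Cloudflare when a token is set, so the file can also be sourced for its functions.
if [ -n "${CLOUDFLARE_API_TOKEN:-}" ]; then
    check_token "${1:-rseco.cf}"
fi
```

Run it with the same environment the caddy.service unit exports (for example `CLOUDFLARE_API_TOKEN=... sh check.sh rseco.cf`) so it tests exactly the value Caddy will use.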

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 19 (11 by maintainers)

Most upvoted comments

I have the same problem too. Since the code and documents are all bad, I looked through the forum and GitHub issues; there is no way to fix it, not even an indirect way. This problem, for me, only happens when using caddy2 with Cloudflare compiled by xcaddy. The caddy2 installed via apt doesn't have the problem for me. At this time, caddy2 doesn't even support go-1.5, which sucks.

Here is the solution for me, which is a little bit complicated but works:

Solution

Turn the Proxy status into DNS only

  • install caddy2 via apt
  • replace in the Caddyfile

        tls {
            dns cloudflare YOUR_CF_KEY
        }

    with the normal one:

        tls YOUR_EMAIL

  • run caddy; it will produce the key and cert for your domain and store them in ~/.local/share/caddy or /var/lib/caddy or ~/.caddy, etc., sucks.
  • then compile caddy with the cloudflare module by xcaddy; then you get a new caddy. Move the new caddy to /usr/bin, replacing the old install location.
  • finally, you can replace your Caddyfile back with

        tls {
            dns cloudflare YOUR_CF_KEY
        }

Turn back Proxy status into Proxied

How did I find the solution?

To use caddy2 with Cloudflare, I followed the documents and found xcaddy. Then, xcaddy needs go installed, actually a higher go version installed. The default one via apt is 1.1, then I updated to the latest one, 1.5. However, it is too high for caddy2. Not go-1.5; I had to downgrade to go-1.4.

Then finally, for me, to use caddy2 with Cloudflare: everything worked well at that time, so I followed the document https://caddyserver.com/docs/conventions#file-locations and tried to find where the new location is. But I soon could not find where my key and cert are, while these two guys think it's still good: https://caddy.community/t/caddy-v2-location-of-certificatefile-and-keyfile/9486/6. Now I can see why the problem has still not been fixed for months.

Following the logs, I found out where it is, and got to know why it appears in a weird location (/var/lib/caddy, not mentioned in the documents). The caddy2 I installed via apt specifies the user caddy in /lib/systemd/system/caddy.service. So I removed the caddy user from /lib/systemd/system/caddy.service. Then I met the same problem: WildCard SSL doesn't work. "acme: cleaning up failed: no memory of presenting a DNS record for …".

I checked back the old location for the cert and key file. I was surprised to find that the key and cert had already been generated, without error. Then I tried to find the solution, and figured out the ugly way, but it works.