Skip to content

Enabling get_certificate should disable cert automation #5415

Closed
#5533
Closed
Enabling get_certificate should disable cert automation#5415
#5533
Assignees
mholt
Labels
bug 🐞Something isn't working
Milestone
v2.7.0
@BioEvo

Description

@BioEvo
BioEvo
opened on Mar 3, 2023

I set the get_certificate section in caddyfile, caddy verified all parameters and directly goes to HTTP-01 challenge.

here's my procedure to reproduce the issue:

  1. pull the latest version of caddy image and create a fileserver, and serve /etc/caddy as root
docker pull caddy
docker run --rm --hostname cert.mysite -p 80:80  -p 443:443 -it --name certmgr caddy caddy file-server --root /etc/caddy --debug

root@demo:/test# docker run --rm --hostname cert.mysite -p 80:80  -p 443:443 -it --name certmgr caddy caddy file-server --root /etc/caddy --debug
2023/03/03 09:50:13.498	WARN	admin	admin endpoint disabled
2023/03/03 09:50:13.499	INFO	tls.cache.maintenance	started background certificate maintenance	{"cache": "0xc0003fae00"}
2023/03/03 09:50:13.499	WARN	http	server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server	{"server_name": "static", "http_port": 80}
2023/03/03 09:50:13.499	INFO	tls	cleaning storage unit	{"description": "FileStorage:/data/caddy"}
2023/03/03 09:50:13.499	INFO	tls	finished cleaning storage units
2023/03/03 09:50:13.499	DEBUG	http	starting server loop	{"address": "[::]:80", "tls": false, "http3": false}
2023/03/03 09:50:13.499	INFO	http.log	server running	{"name": "static", "protocols": ["h1", "h2", "h3"]}
2023/03/03 09:50:13.499	INFO	Caddy serving static files on :80
  1. open another terminal and copy the hosts file from cert.mysite
mkdir -p /test && cd /test
docker cp certmgr:/etc/hosts /test/hosts
  1. try to validate if http://cert.mysite/Caddyfile is avaliable in another container:
root@demo:/test# docker run --rm -it -v /test/hosts:/etc/hosts -v /test/Caddyfile:/etc/caddy/Caddyfile caddy wget -o /dev/null  -O - cert.mysite/Caddyfile
# The Caddyfile is an easy way to configure your Caddy web server.
#
# Unless the file starts with a global options block, the first
# uncommented line is always the address of your site.
#
# To use your own domain name (with automatic HTTPS), first make
# sure your domain's A/AAAA DNS records are properly pointed to
# this machine's public IP, then replace ":80" below with your
# domain name.

:80 {
	# Set this path to your site's directory.
	root * /usr/share/caddy

	# Enable the static file server.
	file_server

	# Another common task is to set up a reverse proxy:
	# reverse_proxy localhost:8080

	# Or serve a PHP site through php-fpm:
	# php_fastcgi localhost:9000
}

# Refer to the Caddy docs for more information:
# https://caddyserver.com/docs/caddyfile

one record of log is printed by cert.mysite

root@demo:/test# docker run --rm --hostname cert.mysite -p 80:80  -p 443:443 -it --name certmgr caddy caddy file-server --root /etc/caddy --debug
2023/03/03 09:50:13.498	WARN	admin	admin endpoint disabled
2023/03/03 09:50:13.499	INFO	tls.cache.maintenance	started background certificate maintenance	{"cache": "0xc0003fae00"}
2023/03/03 09:50:13.499	WARN	http	server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server	{"server_name": "static", "http_port": 80}
2023/03/03 09:50:13.499	INFO	tls	cleaning storage unit	{"description": "FileStorage:/data/caddy"}
2023/03/03 09:50:13.499	INFO	tls	finished cleaning storage units
2023/03/03 09:50:13.499	DEBUG	http	starting server loop	{"address": "[::]:80", "tls": false, "http3": false}
2023/03/03 09:50:13.499	INFO	http.log	server running	{"name": "static", "protocols": ["h1", "h2", "h3"]}
2023/03/03 09:50:13.499	INFO	Caddy serving static files on :80
2023/03/03 09:50:19.583	DEBUG	http.handlers.file_server	sanitized path join	{"site_root": "/etc/caddy", "request_path": "/Caddyfile", "result": "/etc/caddy/Caddyfile"}
2023/03/03 09:50:19.583	DEBUG	http.handlers.file_server	opening file	{"filename": "/etc/caddy/Caddyfile"}
  1. create /test/Caddyfile with:
{
	debug
}
https://web.mysite {
	tls {
		get_certificate http http://cert.mysite/cert
	}
	file_server
	root * /usr/share/caddy
}
  1. star anoter container for HTTP cert gatter:
root@demo:/test# docker run --rm -it -v /test/hosts:/etc/hosts -v /test/Caddyfile:/etc/caddy/Caddyfile caddy
2023/03/03 09:54:56.848	INFO	using provided configuration	{"config_file": "/etc/caddy/Caddyfile", "config_adapter": "caddyfile"}
2023/03/03 09:54:56.849	INFO	admin	admin endpoint started	{"address": "localhost:2019", "enforce_origin": false, "origins": ["//[::1]:2019", "//127.0.0.1:2019", "//localhost:2019"]}
2023/03/03 09:54:56.850	INFO	http	server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS	{"server_name": "srv0", "https_port": 443}
2023/03/03 09:54:56.850	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
2023/03/03 09:54:56.850	INFO	tls.cache.maintenance	started background certificate maintenance	{"cache": "0xc000119260"}
2023/03/03 09:54:56.850	INFO	tls	cleaning storage unit	{"description": "FileStorage:/data/caddy"}
2023/03/03 09:54:56.851	INFO	tls	finished cleaning storage units
2023/03/03 09:54:56.851	INFO	http	enabling HTTP/3 listener	{"addr": ":443"}
2023/03/03 09:54:56.851	INFO	failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Receive-Buffer-Size for details.
2023/03/03 09:54:56.851	DEBUG	http	starting server loop	{"address": "[::]:443", "tls": true, "http3": true}
2023/03/03 09:54:56.851	INFO	http.log	server running	{"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2023/03/03 09:54:56.851	DEBUG	http	starting server loop	{"address": "[::]:80", "tls": false, "http3": false}
2023/03/03 09:54:56.851	INFO	http.log	server running	{"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2023/03/03 09:54:56.851	INFO	http	enabling automatic TLS certificate management	{"domains": ["web.mysite"]}
2023/03/03 09:54:56.851	INFO	autosaved config (load with --resume flag)	{"file": "/config/caddy/autosave.json"}
2023/03/03 09:54:56.851	INFO	serving initial configuration
2023/03/03 09:54:56.852	INFO	tls.obtain	acquiring lock	{"identifier": "web.mysite"}
2023/03/03 09:54:56.852	INFO	tls.obtain	lock acquired	{"identifier": "web.mysite"}
2023/03/03 09:54:56.852	INFO	tls.obtain	obtaining certificate	{"identifier": "web.mysite"}
2023/03/03 09:54:56.853	DEBUG	events	event	{"name": "cert_obtaining", "id": "5ee698ea-a7b0-42d4-8fd2-2d148a1bcf91", "origin": "tls", "data": {"identifier":"web.mysite"}}
2023/03/03 09:54:56.853	DEBUG	tls.obtain	trying issuer 1/2	{"issuer": "acme-v02.api.letsencrypt.org-directory"}
2023/03/03 09:54:57.428	DEBUG	tls.acme_client	http request	{"method": "GET", "url": "https://acme-v02.api.letsencrypt.org/directory", "headers": {"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["756"],"Content-Type":["application/json"],"Date":["Fri, 03 Mar 2023 09:54:57 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2023/03/03 09:54:57.607	DEBUG	tls.acme_client	http request	{"method": "HEAD", "url": "https://acme-v02.api.letsencrypt.org/acme/new-nonce", "headers": {"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Date":["Fri, 03 Mar 2023 09:54:57 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["F977mkR7mwCLcOasyyIoTtnnqzTE5wOhhDe4xtpAylAi_Pc"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2023/03/03 09:54:57.797	DEBUG	tls.acme_client	http request	{"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/new-acct", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["991443716"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["267"],"Content-Type":["application/json"],"Date":["Fri, 03 Mar 2023 09:54:57 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf>;rel=\"terms-of-service\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/acct/991443716"],"Replay-Nonce":["F70EyZ_pC24oN4PtiMWxr1NXVxWGzy0lP6GgbhBSUStj1tw"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 201}
2023/03/03 09:54:57.798	INFO	tls	waiting on internal rate limiter	{"identifiers": ["web.mysite"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2023/03/03 09:54:57.798	INFO	tls	done waiting on internal rate limiter	{"identifiers": ["web.mysite"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2023/03/03 09:54:57.978	DEBUG	tls.acme_client	http request	{"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/new-order", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["991443716"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["212"],"Content-Type":["application/problem+json"],"Date":["Fri, 03 Mar 2023 09:54:57 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["F70EZ0AyzmBi1gJHVQOnVwxHCzrDIRBTmLFAHCqPZh1mMWo"],"Server":["nginx"]}, "status_code": 400}
2023/03/03 09:54:57.978	ERROR	tls.obtain	could not get certificate from issuer	{"identifier": "web.mysite", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Error creating new order :: Cannot issue for \"web.mysite\": Domain name does not end with a valid public suffix (TLD)"}
2023/03/03 09:54:57.978	DEBUG	tls.obtain	trying issuer 2/2	{"issuer": "acme.zerossl.com-v2-DV90"}
2023/03/03 09:54:57.978	WARN	tls	missing email address for ZeroSSL; it is strongly recommended to set one for next time
2023/03/03 09:54:59.349	INFO	tls	generated EAB credentials	{"key_id": "LLRR_JiXvnP1Gyxq8z_DJg"}
2023/03/03 09:55:00.338	DEBUG	tls.acme_client	http request	{"method": "GET", "url": "https://acme.zerossl.com/v2/DV90", "headers": {"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Access-Control-Allow-Origin":["*"],"Content-Length":["645"],"Content-Type":["application/json"],"Date":["Fri, 03 Mar 2023 09:55:00 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]}, "status_code": 200}
2023/03/03 09:55:01.042	DEBUG	tls.acme_client	http request	{"method": "HEAD", "url": "https://acme.zerossl.com/v2/DV90/newNonce", "headers": {"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Type":["application/octet-stream"],"Date":["Fri, 03 Mar 2023 09:55:00 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["choyu-v75RZ-bY957c7mtuaNcSeoRrEvG7HmRHJ7_Us"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]}, "status_code": 200}
2023/03/03 09:55:01.864	DEBUG	tls.acme_client	http request	{"method": "POST", "url": "https://acme.zerossl.com/v2/DV90/newAccount", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["579"],"Content-Type":["application/json"],"Date":["Fri, 03 Mar 2023 09:55:01 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Location":["https://acme.zerossl.com/v2/DV90/account/LLRR_JiXvnP1Gyxq8z_DJg"],"Replay-Nonce":["V4YzFYtZr4O5Kj-c-VBhxNZo5toNBIsaofRmEMM11AM"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]}, "status_code": 201}
2023/03/03 09:55:01.865	INFO	tls	waiting on internal rate limiter	{"identifiers": ["web.mysite"], "ca": "https://acme.zerossl.com/v2/DV90", "account": ""}
2023/03/03 09:55:01.865	INFO	tls	done waiting on internal rate limiter	{"identifiers": ["web.mysite"], "ca": "https://acme.zerossl.com/v2/DV90", "account": ""}
2023/03/03 09:55:02.512	DEBUG	tls.acme_client	http request	{"method": "POST", "url": "https://acme.zerossl.com/v2/DV90/newOrder", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["116"],"Content-Type":["application/problem+json"],"Date":["Fri, 03 Mar 2023 09:55:02 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["jQSBi7xGSLNSh3oaSYD3XZqo6XJkKRC4EEuYSOPB2wI"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]}, "status_code": 400}
2023/03/03 09:55:02.512	ERROR	tls.obtain	could not get certificate from issuer	{"identifier": "web.mysite", "issuer": "acme.zerossl.com-v2-DV90", "error": "HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [web.mysite]"}
2023/03/03 09:55:02.512	DEBUG	events	event	{"name": "cert_failed", "id": "1298f96f-180f-4a9e-97c7-ccdc8854f8c0", "origin": "tls", "data": {"error":{},"identifier":"web.mysite","issuers":["acme-v02.api.letsencrypt.org-directory","acme.zerossl.com-v2-DV90"],"renewal":false}}
2023/03/03 09:55:02.512	ERROR	tls.obtain	will retry	{"error": "[web.mysite] Obtain: [web.mysite] creating new order: attempt 1: https://acme.zerossl.com/v2/DV90/newOrder: HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [web.mysite] (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 1, "retrying_in": 60, "elapsed": 5.659666017, "max_duration": 2592000}
  1. no new log from cert.mysite, let's get the version of caddy in container:
root@demo:/test# docker run --rm -it -v /test/hosts:/etc/hosts -v /test/Caddyfile:/etc/caddy/Caddyfile caddy caddy version
v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=

Metadata

Metadata

Assignees

Labels

bug 🐞Something isn't working

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions