Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

failed to obtain certificate #2510

Closed
samcro1967 opened this issue Mar 9, 2019 · 7 comments
Closed

failed to obtain certificate #2510

samcro1967 opened this issue Mar 9, 2019 · 7 comments

Comments

@samcro1967
Copy link

samcro1967 commented Mar 9, 2019
edited
Loading

1. Which version of Caddy are you using (caddy -version)?

Caddy 0.11.5 (non-commercial use only)

2. What are you trying to do?

Launch Caddy

3. What is your Caddyfile?

tv1.domain.net http://tv.local {
tls user@domain.net        # Email for Let's Encrypt Verification
  gzip
  log "C:\Users\user\Documents\caddy\logs\tv_access.log" {
    rotate_size 1          # Rotate after 1 MB
    rotate_age  7          # Keep log files for 7 days
    rotate_keep 2          # Keep at most 2 log files
  }
  errors "C:\Users\user\Documents\caddy\logs\tv_error.log" {
    rotate_size 1          # Set max size 1 MB
    rotate_age  7          # Keep log files for 7 days
    rotate_keep 2          # Keep at most 2 log files
  }
  proxy / 192.168.1.103:8989 {          # https://tv.local/
      transparent
  }
}

4. How did you run Caddy (give the full command and describe the execution environment)?

From a DOS Command Prompt

5. Please paste any relevant HTTP request(s) here.

6. What did you expect to see?

Caddy running successfully and proxying requests

7. What did you see instead (give full error messages and/or log)?

Activating privacy features... 2019/03/08 22:00:39 [INFO] [tv1.osuhickeys.net] acme: Obtaining bundled SAN certificate
2019/03/08 22:00:40 [INFO] [tv.domain.net] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/yqmRGsrokocgvPVddyz9avh3w_kHH0RDodVAHtH3waE
2019/03/08 22:00:40 [INFO] [tv.domain.net] acme: use tls-alpn-01 solver
2019/03/08 22:00:40 [INFO] [tv.domain.net] acme: Trying to solve TLS-ALPN-01
[tv1.osuhickeys.net] failed to obtain certificate: acme: Error -> One or more domains had a problem:
[tv1.osuhickeys.net] acme: error: 400 :: urn:ietf:params:acme:error:tls :: remote error: tls: internal error, url:
@tobya
Copy link
Collaborator

tobya commented Mar 9, 2019

Hi You will probably get better help for a setup question like this at our forum https://caddy.community

Often issues like this are due to Network or site configuration issues. For example when I try to go to tv1.osuhickeys.ne I get a name cannot be resolved error suggesting there is an issue with where the DNS points.

Also please provide the full error output, you seem to be missing some text fof the end.

@samcro1967
Copy link
Author

samcro1967 commented Mar 9, 2019
edited
Loading

The URL is tv.domain.net. You were missing the "t" at the end.

Pinging tv.domain.net [71.81.139.61] with 32 bytes of data:
Reply from 71.81.139.61: bytes=32 time<1ms TTL=64
Reply from 71.81.139.61: bytes=32 time<1ms TTL=64
Reply from 71.81.139.61: bytes=32 time<1ms TTL=64
Reply from 71.81.139.61: bytes=32 time<1ms TTL=64

The log file it generates only contains one line:
"2019/03/08 22:00:39 [INFO][FileStorage:C:\Users\user.caddy] Started certificate maintenance routine"

@whitestrake
Copy link
Collaborator

It looks like #2451 to me, as you've noted on that thread.

Try with the -disable-tls-alpn-challenge?

Could also try the other workarounds listed in that thread, too.

@samcro1967 samcro1967 mentioned this issue Mar 11, 2019
Closed
@samcro1967
Copy link
Author

-disable-tls-alpn-challenge gave different error messages, but still does not launch.

Not sure how I am trying to do this will even work. I copied my caddy folder from one machine to another and attempted to launch it. I probably need to download a clean copy, create new DNS entries, and then launch it. Guessing the cert is tied to a specific machine and it needs to be created from scratch with a new URL for it to work properly.

I was able to get it working on Windows 10 build 1809 so do not really need to have this working on another machine to help troubleshoot that issues any longer so I will close this issue. Appreciate the help.

@mholt
Copy link
Member

mholt commented Mar 11, 2019

Guessing the cert is tied to a specific machine and it needs to be created from scratch with a new URL for it to work properly.

Nope, fortunately, that's not correct -- the only thing that needs to be tied to that machine is the DNS records need to point to it.

Looks simply like your DNS records were pointing to the wrong machines.

@samcro1967
Copy link
Author

Ah, I see what you are saying now. I was trying to test internally only so I never updated my port forward on my router to the test machine. Once I did that it now starts on the other machine. I did not realize the certificate validation needed communication back to the source machine making the request. I was guessing it just needed a valid DNS entry and external IP that responded.

@mholt
Copy link
Member

mholt commented Mar 11, 2019

External communication is necessary by default, but enabling the DNS challenge does what you want: https://caddyserver.com/docs/automatic-https

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@tobya @mholt @samcro1967 @whitestrake