ACME Challenge Failed: Error 400

So I have recently taken a new job and when I started, one of our subdomains was down. I have been trying to figure out what is wrong with it. For some context, the application is running on a VM hosted by DigitalOcean, we are using Cloudflare for DNS, and reverse proxying through Caddy. This is my first time managing a website, so this has been a learning experience for me. From my understanding, the two main issues I am facing currently are:

1: Caddy isn't listening on ports 80 or 443.
2: When I try and run the application, it appears that my site's DNS isn't resolving correctly and therefore I can't get my certificate. I have existing A and AAAA DNS records on Cloudflare for this subdomain, but I don't know if they may be misconfigured.

My domain is: food.maconchd.org

I ran this command:

docker-compose -f production.yml up

in order to get my application running in a container.

It produced quite a bit of output to set up the application, but at the end it threw the error code:

Activating privacy features... 2024/02/26 20:21:53 [INFO][www.food.maconchd.org] acme: Obtaining bundled SAN certificate
caddy_1     | 2024/02/26 20:21:53 [INFO][www.food.maconchd.org] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/319810223277
caddy_1     | 2024/02/26 20:21:53 [INFO][www.food.maconchd.org] acme: Trying to solve HTTP-01
caddy_1     | 2024/02/26 20:21:58 [www.food.maconchd.org] failed to get certificate: acme: Error 400 - urn:ietf:params:acme:error:dns - DNS problem: NXDOMAIN looking up A for www.food.maconchd.org - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for www.food.maconchd.org - check that a DNS record exists for this domain

My web server is (include version): Caddy 0.11.0

The operating system my web server runs on is (include version): Ubuntu 18.04.1 LTS

My hosting provider, if applicable, is: Cloudflare

I can login to a root shell on my machine (yes or no, or I don't know): Yes, I am able to SSH in via port 22.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): I don't believe that I am using a control panel to manage the site. Not 100% sure though.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Not sure what this refers to. I don't have certbot installed and don't know what my system equivalent would be, I will look into this.

There is a good chance that I haven't provided enough context, so if there is anything else I can add that would be useful, let me know.

Thank you.

Hello @FoxK, welcome to the Let's Encrypt community. :slightly_smiling_face:

Using the online tool Let's Debug yields these results https://letsdebug.net/food.maconchd.org/1816840

CloudflareCDN
WARNING
The domain food.maconchd.org is being served through Cloudflare CDN. Any Let's Encrypt certificate installed on the origin server will only encrypt traffic between the server and Cloudflare. It is strongly recommended that the SSL option 'Full SSL (strict)' be enabled.
https://support.cloudflare.com/hc/en-us/articles/200170416-What-do-the-SSL-options-mean-

Please see this line from the WARNING "It is strongly recommended that the SSL option 'Full SSL (strict)' be enabled."

2 Likes

That is a VERY old version of Caddy btw, it is no longer supported or maintained. Like... 6 years old.

Please upgrade Caddy to the latest version. I beg you.

5 Likes

Note that www.food.maconchd.org and food.maconchd.org are two different and independent domain names.

3 Likes
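The point made in the reply above (www and apex are separate names, and a bundled SAN order fails as a whole if any one name has no DNS record) can be turned into a pre-flight check run before asking the CA for a certificate. This is an added example, not code from the thread or from Caddy; the zone table and the `fake_resolve` resolver are constructed so it runs offline, and `live_resolve` is the only part that touches real DNS.

```python
import re
import socket
from typing import Callable, Dict, List, Tuple

# The ACME error quoted in the original post; names are pulled out of it below.
SAMPLE_ACME_ERROR = (
    "acme: Error 400 - urn:ietf:params:acme:error:dns - DNS problem: NXDOMAIN "
    "looking up A for www.food.maconchd.org - check that a DNS record exists for "
    "this domain; DNS problem: NXDOMAIN looking up AAAA for www.food.maconchd.org "
    "- check that a DNS record exists for this domain"
)

# Constructed zone data mirroring the thread: the apex has A and AAAA records,
# the www label was never created. Addresses are documentation ranges.
CONSTRUCTED_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("food.maconchd.org", "A"): ["203.0.113.10"],
    ("food.maconchd.org", "AAAA"): ["2001:db8::10"],
}


def fake_resolve(name: str, rrtype: str) -> List[str]:
    """Offline stand-in for a resolver; an empty list means no record of that type."""
    return CONSTRUCTED_ZONE.get((name, rrtype), [])


def live_resolve(name: str, rrtype: str) -> List[str]:
    """System-resolver lookup of A or AAAA for use against real hostnames."""
    family = socket.AF_INET if rrtype == "A" else socket.AF_INET6
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None, family)})
    except socket.gaierror:
        return []


def failed_names_from_acme_error(message: str) -> List[str]:
    """Extract the hostnames an ACME 'dns' error says it could not look up."""
    return sorted(set(re.findall(r"looking up (?:A|AAAA) for (\S+)", message)))


def preflight_sans(names: List[str],
                   resolve: Callable[[str, str], List[str]] = live_resolve) -> Dict[str, str]:
    """Check every SAN that will go into one order; one unresolvable name fails all of them."""
    problems: Dict[str, str] = {}
    for name in names:
        if not resolve(name, "A") and not resolve(name, "AAAA"):
            problems[name] = "no A or AAAA record; create the record or drop the name from the order"
    return problems
```

Running `preflight_sans(["food.maconchd.org", "www.food.maconchd.org"], fake_resolve)` reproduces the thread's situation: only the www name is reported, which is exactly the name the CA rejected.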

Yeah... this whole application is deprecated and in need of lots of upgrades. I don't think anybody has maintained it for a very long time. I am hoping to get the site back up and functioning before I go through and start upgrading everything.

2 Likes

I appreciate the insight. I am not sure why the ACME challenge is looking for DNS records for www.food.maconchd.org instead of food.maconchd.org. Should I continue trying to configure the application to check against the proper domain or would it be easy to set up the subdomain www.food.maconchd.org and just host my application on that site instead of the food.maconchd.org?

1 Like

I assume it's looking for both. You can tell your server or your acme client if you only want one of those.

1 Like

I created a DNS record for www.food.maconchd.org and that seems to have solved my issue. I am just redirecting www.food traffic to the food subdomain. Thank you for pointing out the difference.

3 Likes
