Do the IP addresses in the public DNS point to Caddy?
You can see HTTP-01 as the challenge type. Is this a Caddy log? Does that IP point to Caddy?
4 Likes
We were using TLS ALPN challenge , when it didn't work the configuration automatically tries HTTP challenge in Caddy unless you disable. The error that we are getting from our server is NO TLS ALPN negotiated. check the out put for OpenSSL Command.
ERROR tls.issuance.acme.acme_client challenge failed {"identifier": "FQDN", "challenge_type": "tls-alpn-01", "problem": {"type": "urn:ietf:params:acme:error:unauthorized", "title": "", "detail": "
Cannot negotiate ALPN protocol
"acme-tls/1" for tls-alpn-01 challenge", "instance": "", "subproblems": }}
2024/10/23 14:51:37.458 ERROR tls.issuance.acme.acme_client validating authorization {"identifier": "FQDN", "problem": {"type": "urn:ietf:params:acme:error:unauthorized", "title": "", "detail": "Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge", "instance": "", "subproblems": }, "order": "
https://acme-staging-v02.api.letsencrypt.org/acme/order/168355333/19931912543"
, "attempt": 1, "max_attempts": 3}
2024/10/23 14:51:38.774 INFO tls.issuance.acme.acme_client trying to solve challenge {"identifier": "FQDN2", "challenge_type": "http-01", "ca": "
https://acme-staging-v02.api.letsencrypt.org/directory"}
Open SSL response:
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
SSL handshake has read 4005 bytes and written 471 bytes
Verification: OK
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: BF0AD79B18C06319962EA0E4149335CD3DF8E3AF21925A4280398D546B4605D8
Session-ID-ctx:
Master-Key: EFC34388F28F01FCE61F6985EDB3EF7BFB61B6D0B08005B5D0E4C9440B2959F2CDD50F29F7531B2048DF556C5C52DE98
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1729694631
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
Do the IP in the public DNS point to Caddy?
I can see from the order link that your domain name resolves to four different IP addresses. It is unusual for all 4 to point to Caddy. Do they?
Because Let's Encrypt Server sends the challenge to the IP in the public DNS. If that isn't Caddy then whatever system that is won't know how to reply to the TLS-ALPN challenge that Caddy prepared. Probably why you get the failure.
6 Likes
In my case, Caddy is at centralized server which is supposed to enable certificate renewal for my 40 nodes/servers. These 40 nodes are bucketed as FQDN's where there is a main FQDN and Sub-FQDN's.
No the IP doesn't point to Caddy. No that's the FQDN that points to 4 different IPs of the 4 nodes where I want to deploy or renew certificates
How do you expect Caddy to be able to satisfy the TLS-ALPN challenge, then?
6 Likes
Each node need to be configed to redirect or realtime mirrores challenge path (/.well-known/acme-challenge) of acme client
3 Likes
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.