I recently migrated about 50 domains from one system to another. The server fetched about 45 certificates correctly, then suddenly stopped working. This was on 30/10 and now, a week later, nothing has changed. I thought I maybe hit a weekly rate limit, but it doesn’t seem so. I created another setup with the exact same configuration and there certificates get fetched just fine. It feels like I’m being IP rate limited.
Just recently I tried with this new domain, which still gives the same result.
I’m running Caddy with on-demand TLS, so if you hit the domain, it’ll try again.
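On-demand TLS means every name a client presents in SNI can turn into an ACME order, and every order that fails validation counts against the CA's rate limits, which is the symptom suspected above. The usual gate for this in Caddy v2 is the global option `on_demand_tls { ask <url> }`: Caddy GETs that URL with `?domain=<name>` before ordering, and a 2xx reply allows the order while anything else refuses it. Below is a hypothetical `ask` endpoint, written as an added example for this thread (not code from the original post or from the Caddy project). It assumes Caddy v2 syntax, an endpoint URL of `http://127.0.0.1:5555/check`, and a constructed allowlist of zones that really point at the server.

```python
"""
Hypothetical 'ask' endpoint for Caddy v2 on-demand TLS.

Added example, not code from the thread or from the Caddy project.  It assumes
the Caddy v2 global option

    on_demand_tls {
        ask http://127.0.0.1:5555/check
    }

which makes Caddy GET this URL with ?domain=<name> before ordering a
certificate for a name a client presented in SNI; a 2xx reply allows the
order, anything else denies it.  The allowlist below is constructed for
the example.
"""
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed allowlist: zones whose DNS actually points at this server.
ALLOWED_ZONES = {"example.com", "example.net"}


def normalize(domain: str) -> Optional[str]:
    """Canonicalise a hostname; return None if it cannot be a certificate name."""
    d = domain.strip().lower().rstrip(".")
    if not d or len(d) > 253 or "*" in d:
        return None
    try:
        ipaddress.ip_address(d)  # never order certificates for IP literals
        return None
    except ValueError:
        pass
    for label in d.split("."):
        if not 1 <= len(label) <= 63:
            return None
        if label[0] == "-" or label[-1] == "-":
            return None
        if not all(c.isascii() and (c.isalnum() or c == "-") for c in label):
            return None
    return d


def is_allowed(domain: str, zones=ALLOWED_ZONES) -> bool:
    """Allow an exact zone name or any name below one of the zones."""
    d = normalize(domain)
    if d is None:
        return False
    return d in zones or any(d.endswith("." + z) for z in zones)


class AskHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urlparse(self.path)
        if url.path != "/check":
            self.send_response(404)
            self.end_headers()
            return
        domain = parse_qs(url.query).get("domain", [""])[0]
        # 200 permits issuance, 403 refuses it; Caddy only looks at the status.
        self.send_response(200 if is_allowed(domain) else 403)
        self.end_headers()

    def log_message(self, fmt, *args):
        # Keep a record of every decision; a stream of refused names is an abuse signal.
        print(f"ask {self.client_address[0]} {fmt % args}")


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 5555), AskHandler).serve_forever()
```

The suffix match means a zone entry such as `example.com` also allows `www.example.com` but not `example.com.evil.net`; tighten it to an exact-name set if the server only ever hosts a fixed list of hosts.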
Error creating a TLS-Connection: IANA TLS Alert No. 80, internal_error. An internal error unrelated to the peer or the correctness of the protocol (such as a memory allocation failure) makes it impossible to continue. SSL_ERROR_INTERNAL_ERROR_ALERT (Mozilla) / ERR_SSL_PROTOCOL_ERROR (Chrome)
So it's impossible that Let's Encrypt validates the file (if your Caddy uses something like webroot).
Two minimal options:
remove the redirect http -> https
create a self-signed certificate and use that with https, so you have a minimal working https configuration
Sadly those are the only logs I got. I’ve made an issue about that.
This is how the logs look when it actually works:
[mydomain.com] acme: Obtaining bundled SAN certificate
[mydomain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/xxxxx
[mydomain.com] acme: use tls-alpn-01 solver
[mydomain.com] acme: Trying to solve TLS-ALPN-01
[mydomain.com] The server validated our request
[mydomain.com] acme: Validations succeeded; requesting certificates
[mydomain.com] Server responded with a certificate.
So it doesn’t even get to the AuthURL part.
Caddy should remove that http -> https redirect when it requests a certificate automatically. But I’ve removed it now.
I have the same configuration with the http -> https redirect on another server, and there it works fine though.
Creating a self-signed certificate is a bit tricky. I have many certificates on this system which work fine, currently live. So it is a working HTTPS configuration.
The solution seems to be in the direction of first NOT redirecting the challenge requests to HTTPS.
How that is done is a bit different/specific to each web server.
I see it’s using: Server: Caddy
Can you show the config in use?
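A quick way to see a host the way the two challenge types see it, before the CA's rate limits are spent on retries: request the HTTP-01 path over plain HTTP without following redirects, and open a TLS-ALPN-01 handshake (SNI plus ALPN `acme-tls/1`) to port 443. Let's Encrypt does follow HTTP-01 redirects, including to https://, but a redirect into a site whose handshake aborts (the alert 80 seen above) still fails the challenge, which is why the redirect matters. The script below is an added diagnostic for this thread, not code from the original posts or from Caddy or Let's Encrypt; the probe path `probe-token`, the timeout and the result labels are the example's own choices, and certificate validation is deliberately disabled because the TLS-ALPN-01 challenge certificate is self-signed by design.

```python
"""
Added ACME reachability probe (not code from the thread).

  HTTP-01     GET http://<host>/.well-known/acme-challenge/probe-token without
              following redirects, and report what the first hop does.
  TLS-ALPN-01 TLS handshake to <host>:443 with SNI=<host> and ALPN "acme-tls/1";
              a server ready to solve the challenge selects that protocol.

The result labels and the probe token are this example's own conventions.
"""
import socket
import ssl
import sys
import urllib.error
import urllib.request
from typing import Optional

CHALLENGE_PATH = "/.well-known/acme-challenge/"
ACME_ALPN = "acme-tls/1"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx as an HTTPError instead of following it


def classify_http01(status: int, location: Optional[str]) -> str:
    """Interpret the first hop of an HTTP-01 request."""
    if status in (301, 302, 303, 307, 308):
        if location and location.lower().startswith("https://"):
            return "redirect-to-https"
        return "redirect"
    if status == 404 or 200 <= status < 300:
        return "reachable"  # 404 is expected: the probe token does not exist
    if status in (401, 403):
        return "blocked"
    return f"unexpected-{status}"


def probe_http01(host: str, timeout: float = 5.0) -> str:
    url = f"http://{host}{CHALLENGE_PATH}probe-token"
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify_http01(resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as e:
        return classify_http01(e.code, e.headers.get("Location"))
    except OSError as e:
        return f"connect-failed: {e}"


def classify_alpn(selected: Optional[str], error: Optional[str]) -> str:
    """Interpret the outcome of the acme-tls/1 handshake."""
    if error:
        return f"handshake-failed: {error}"
    if selected == ACME_ALPN:
        return "alpn-accepted"
    return "alpn-refused"


def probe_tls_alpn01(host: str, port: int = 443, timeout: float = 5.0) -> str:
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # the challenge certificate is self-signed by design
    ctx.set_alpn_protocols([ACME_ALPN])
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify_alpn(tls.selected_alpn_protocol(), None)
    except ssl.SSLError as e:
        # A server that aborts with alert 80 shows up here as an internal-error reason.
        return classify_alpn(None, e.reason or str(e))
    except OSError as e:
        return classify_alpn(None, str(e))


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <hostname>")
    h = sys.argv[1]
    print("HTTP-01     :", probe_http01(h))
    print("TLS-ALPN-01 :", probe_tls_alpn01(h))
```

Run it from outside the network the server sits in, since that is where the CA's validators connect from; `redirect-to-https` combined with `handshake-failed` on the second line is the combination that reproduces the situation in this thread, while `reachable` plus `alpn-accepted` means the web server is not the problem and the account or IP rate limits are the next thing to check.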