I recently migrated about 50 domains from one system to another. The server fetched about 45 certificates correctly, then suddenly stopped working. This was on 30/10 and now, a week later, nothing has changed. I thought I had maybe hit a weekly rate limit, but it doesn't seem so. I created another setup with the exact same configuration and there certificates get fetched just fine. It feels like I'm being IP rate limited.
Just recently tried with this new domain which still gives the same result.
I'm running Caddy with on-demand TLS, so if you hit the domain, it'll try again.
Error creating a TLS-Connection: IANA TLS Alert No. 80, internal_error. An internal error unrelated to the peer or the correctness of the protocol (such as a memory allocation failure) makes it impossible to continue. SSL_ERROR_INTERNAL_ERROR_ALERT (Mozilla) / ERR_SSL_PROTOCOL_ERROR (Chrome)
So it's impossible that Let's Encrypt validates the file (if your Caddy uses something like webroot).
Minimal two options:
remove the redirect http -> https
create a self signed certificate and use that with https, so you have a minimal working https configuration
Sadly that’s the only logs I got. I’ve made an issue about that.
This is how the logs look when it actually works:
[mydomain.com] acme: Obtaining bundled SAN certificate
[mydomain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/xxxxx
[mydomain.com] acme: use tls-alpn-01 solver
[mydomain.com] acme: Trying to solve TLS-ALPN-01
[mydomain.com] The server validated our request
[mydomain.com] acme: Validations succeeded; requesting certificates
[mydomain.com] Server responded with a certificate.
So it doesn’t even get to the AuthURL part.
Caddy should remove that http -> https redirect when it requests a certificate automatically. But I’ve removed it now.
I have the same configuration with the http -> https redirect on another server, and there it works fine though.
Creating a self-signed certificate is a bit tricky. I have many certificates on this system which work fine, currently live. So it is a working HTTPS configuration.
@JuergenAuer Do you have any idea of what the issue could be? I’m really struggling with this one. How it can work fine and then suddenly stop makes no sense to me.
The solution seems to be in the direction of first NOT redirecting the challenge requests to HTTPS.
How that is done is a bit different/specific to each web server.
I see it’s using: Server: Caddy
Can you show the config in use?
That needs to also include /.well-known/acme-challenge (in the exclude). I don't speak Caddy, so I can't be certain about the syntax... But it should be doable.
Perhaps with "and"
if {path} not /caddyping and {path} not /.well-known/acme-challenge
or "not in"
if {path} not in [/caddyping, /.well-known/acme-challenge]
or nested ifs
if {path} not /caddyping
if {path} not /.well-known/acme-challenge
https://{host}{uri}
Best of luck.
Let us know which (if any) solved this problem
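An added example, not posted by anyone in this thread: the redirect block in Caddy v1 syntax (the `if {path} ...` form used above) first as the original exclude of only /caddyping, then with the ACME challenge path also excluded so HTTP-01 validation requests are never sent to HTTPS. It assumes the Caddy v1 `redir` block form and its `not_starts_with` condition; `example.com` is a placeholder.

```caddyfile
# BEFORE (assumed reconstruction of the thread's setup): every HTTP request
# except /caddyping is redirected to HTTPS, including the ACME HTTP-01 path.
http://example.com {
    redir {
        if {path} not /caddyping
        / https://{host}{uri}
    }
}

# AFTER: keep the redirect for normal traffic, but let challenge requests
# under /.well-known/acme-challenge be answered over plain HTTP.
# Caddy v1 combines multiple "if" lines with "and" by default (if_op and).
http://example.com {
    redir {
        if {path} not /caddyping
        if {path} not_starts_with /.well-known/acme-challenge
        / https://{host}{uri}
    }
}
```

After reloading, a plain `curl -I http://example.com/.well-known/acme-challenge/test` should return a non-3xx status rather than a Location header pointing at https://.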