I'm having trouble generating the Let's Encrypt certificate.

We don't have a record for studio.openedx.univ-bejaia.dz in the DNS. We configured the DNS as follows:

Internal DNS
openedx IN A our internal IP address
*.openedx CNAME openedx.univ-bejaia.dz.

External DNS
openedx A 41.111.207.114
*.openedx CNAME openedx.univ-bejaia.dz.

Should we also add the following subdomains to the DNS?
studio.openedx.univ-bejaia.dz
apps.openedx.univ-bejaia.dz
meilisearch.openedx.univ-bejaia.dz

When I ran the command below, I found no service listening on port 443.
(env) openedx@openedx:~$ nc -zv localhost 443
localhost [127.0.0.1] 443 (https) : Connection refused

The command below also returns nothing.

(env) openedx@openedx:~$ ss -tulpn | grep -E ':80|:443'
(env) openedx@openedx:~$

Caddy doesn't seem to have a port.
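
Added example (not part of the original post): the question above is whether `*.openedx CNAME openedx.univ-bejaia.dz.` already answers for studio/apps/meilisearch, or whether explicit records are needed. This script models the two zones listed in the post as constructed data and resolves names against them with the RFC 1034/4592 wildcard rules (a wildcard only applies when no closer name exists) followed by CNAME chasing. The internal address `10.0.0.10` is a placeholder for "our internal IP address", and `203.0.113.5` is a made-up override used only to show that an explicit record beats the wildcard. It does no live DNS lookups.

```python
"""Resolve names against a constructed model of the zones in the post.

Wildcard matching follows RFC 1034/4592: the wildcard at the closest
encloser answers only when no closer name (including an empty
non-terminal) exists. CNAMEs are then chased to an A record.
Added example; zone data is constructed, not a live lookup.
"""
ORIGIN = "univ-bejaia.dz."

# owner name (relative to ORIGIN) -> (type, rdata), as listed in the post
EXTERNAL_ZONE = {
    "openedx": ("A", "41.111.207.114"),
    "*.openedx": ("CNAME", "openedx.univ-bejaia.dz."),
}
INTERNAL_ZONE = {
    "openedx": ("A", "10.0.0.10"),  # placeholder for "our internal IP address"
    "*.openedx": ("CNAME", "openedx.univ-bejaia.dz."),
}


def _relative(fqdn):
    """Strip ORIGIN from an absolute name; raise if the name is not in the zone."""
    fqdn = fqdn.rstrip(".").lower() + "."
    if not fqdn.endswith("." + ORIGIN):
        raise ValueError(f"{fqdn} is not below {ORIGIN}")
    return fqdn[: -(len(ORIGIN) + 1)]


def _exists(zone, rel):
    """A name exists if it owns records or is an empty non-terminal (has names below it)."""
    return rel in zone or any(k.endswith("." + rel) for k in zone)


def lookup(zone, fqdn):
    """Return the (type, rdata) for fqdn, applying wildcard rules; None means NXDOMAIN/NODATA."""
    rel = _relative(fqdn)
    if rel in zone:
        return zone[rel]                      # exact match always wins over a wildcard
    if _exists(zone, rel):
        return None                           # empty non-terminal: NODATA, no wildcard
    labels = rel.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if _exists(zone, ancestor):           # first existing ancestor is the closest encloser
            return zone.get("*." + ancestor)  # its wildcard, if any, answers (even multi-label)
    return zone.get("*")                      # wildcard directly under the apex, if any


def resolve_a(zone, fqdn, max_hops=8):
    """Chase CNAMEs to an A record. Returns (ip or None, list of names visited)."""
    chain = []
    name = fqdn.rstrip(".").lower() + "."
    for _ in range(max_hops):
        chain.append(name)
        rr = lookup(zone, name)
        if rr is None:
            return None, chain
        rtype, rdata = rr
        if rtype == "A":
            return rdata, chain
        name = rdata.lower()                  # CNAME target, already absolute
    return None, chain                        # CNAME loop or chain too long


if __name__ == "__main__":
    for host in ("openedx", "studio.openedx", "apps.openedx", "meilisearch.openedx"):
        fqdn = f"{host}.{ORIGIN}"
        ext, chain = resolve_a(EXTERNAL_ZONE, fqdn)
        internal, _ = resolve_a(INTERNAL_ZONE, fqdn)
        print(f"{fqdn:40} external={ext:15} internal={internal:12} via {' -> '.join(chain)}")
    # An explicit record at a wildcard-covered name takes precedence (made-up address).
    override = dict(EXTERNAL_ZONE, **{"studio.openedx": ("A", "203.0.113.5")})
    print("with explicit studio record:", resolve_a(override, f"studio.openedx.{ORIGIN}")[0])
```

The three names already resolve to the A record through the wildcard CNAME, which is consistent with the validator later reporting 41.111.207.114 for all of them; adding explicit records is only needed if one of them should point somewhere else.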

You should probably expose one, then. Two, really: 80 and 443 (and 443/udp). Consult the Caddy docs or support channels for more on how to do that.

I solved the problem, but I still can't generate a certificate.
Can you help me fix the problem?

Below are some of the logs generated by Caddy (I apologize for the length of the message):
caddy-1 | {"level":"error","ts":1778768831.1829667,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"openedx.univ-bejaia.dz","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:connection - 41.111.207.114: Fetching https://openedx.univ-bejaia.dz:443/.well-known/acme-challenge/MDDB9NumYyRPMF23cvmNHlZ8oLWl5w_00fZa9PuSOgQ: Error getting validation data"}
caddy-1 | {"level":"warn","ts":1778768831.1830883,"logger":"http","msg":"missing email address for ZeroSSL; it is strongly recommended to set one for next time"}
caddy-1 | {"level":"error","ts":1778768831.8087902,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"openedx.univ-bejaia.dz","issuer":"acme.zerossl.com-v2-DV90","error":"account pre-registration callback: failed getting EAB credentials: HTTP 422: caddy_legacy_user_removed (code 2977)"}
caddy-1 | {"level":"error","ts":1778768831.80901,"logger":"tls.obtain","msg":"will retry","error":"[openedx.univ-bejaia.dz] Obtain: account pre-registration callback: failed getting EAB credentials: HTTP 422: caddy_legacy_user_removed (code 2977)","attempt":1,"retrying_in":60,"elapsed":10.195853689,"max_duration":2592000}
caddy-1 | {"level":"error","ts":1778768832.1108418,"logger":"http.acme_client","msg":"challenge failed","identifier":"meilisearch.openedx.univ-bejaia.dz","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"41.111.207.114: Fetching https://meilisearch.openedx.univ-bejaia.dz:443/.well-known/acme-challenge/TeRMrgTMidDLvBUErpt5jjNERFCAjSxAHHMgG1QXn7Q: Error getting validation data","instance":"","subproblems":}}
caddy-1 | {"level":"error","ts":1778768832.11089,"logger":"http.acme_client","msg":"validating authorization","identifier":"meilisearch.openedx.univ-bejaia.dz","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"41.111.207.114: Fetching https://meilisearch.openedx.univ-bejaia.dz:443/.well-known/acme-challenge/TeRMrgTMidDLvBUErpt5jjNERFCAjSxAHHMgG1QXn7Q: Error getting validation data","instance":"","subproblems":},"order":"https://acme-v02.api.letsencrypt.org/acme/order/3334780226/510776789156","attempt":2,"max_attempts":3}
caddy-1 | {"level":"error","ts":1778768832.1109133,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"meilisearch.openedx.univ-bejaia.dz","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:connection - 41.111.207.114: Fetching https://meilisearch.openedx.univ-bejaia.dz:443/.well-known/acme-challenge/TeRMrgTMidDLvBUErpt5jjNERFCAjSxAHHMgG1QXn7Q: Error getting validation data"}
caddy-1 | {"level":"warn","ts":1778768832.1110094,"logger":"http","msg":"missing email address for ZeroSSL; it is strongly recommended to set one for next time"}
caddy-1 | {"level":"error","ts":1778768832.297565,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"meilisearch.openedx.univ-bejaia.dz","issuer":"acme.zerossl.com-v2-DV90","error":"account pre-registration callback: failed getting EAB credentials: HTTP 422: caddy_legacy_user_removed (code 2977)"}
caddy-1 | {"level":"error","ts":1778768832.2976158,"logger":"tls.obtain","msg":"will retry","error":"[meilisearch.openedx.univ-bejaia.dz] Obtain: account pre-registration callback: failed getting EAB credentials: HTTP 422: caddy_legacy_user_removed (code 2977)","attempt":1,"retrying_in":60,"elapsed":10.684478901,"max_duration":2592000}
caddy-1 | {"level":"error","ts":1778768832.939397,"logger":"http.acme_client","msg":"challenge failed","identifier":"apps.openedx.univ-bejaia.dz","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"41.111.207.114: Fetching https://apps.openedx.univ-bejaia.dz:443/.well-known/acme-challenge/l4BLroO6Qm7Vu_lR-qLptw5bgCdzhc8FzzUBT00HxIU: Error getting validation data","instance":"","subproblems":}}
caddy-1 | {"level":"error","ts":1778768832.939444,"logger":"http.acme_client","msg":"validating authorization","identifier":"apps.openedx.univ-bejaia.dz","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"41.111.207.114: Fetching https://apps.openedx.univ-bejaia.dz:443/.well-known/acme-challenge/l4BLroO6Qm7Vu_lR-qLptw5bgCdzhc8FzzUBT00HxIU: Error getting validation data","instance":"","subproblems":},"order":"https://acme-v02.api.letsencrypt.org/acme/order/3334780206/510776791046","attempt":2,"max_attempts":3}
caddy-1 | {"level":"error","ts":1778768832.9394724,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"apps.openedx.univ-bejaia.dz","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:connection - 41.111.207.114: Fetching https://apps.openedx.univ-bejaia.dz:443/.well-known/acme-challenge/l4BLroO6Qm7Vu_lR-qLptw5bgCdzhc8FzzUBT00HxIU: Error getting validation data"}
caddy-1 | {"level":"warn","ts":1778768832.9395719,"logger":"http","msg":"missing email address for ZeroSSL; it is strongly recommended to set one for next time"}
caddy-1 | {"level":"error","ts":1778768833.1246226,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"apps.openedx.univ-bejaia.dz","issuer":"acme.zerossl.com-v2-DV90","error":"account pre-registration callback: failed getting EAB credentials: HTTP 422: caddy_legacy_user_removed (code 2977)"}
caddy-1 | {"level":"error","ts":1778768833.1246614,"logger":"tls.obtain","msg":"will retry","error":"[apps.openedx.univ-bejaia.dz] Obtain: account pre-registration callback: failed getting EAB credentials: HTTP 422: caddy_legacy_user_removed (code 2977)","attempt":1,"retrying_in":60,"elapsed":11.511526126,"max_duration":2592000}
caddy-1 | {"level":"error","ts":1778768833.2936373,"logger":"http.acme_client","msg":"challenge failed","identifier":"studio.openedx.univ-bejaia.dz","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"41.111.207.114: Fetching https://studio.openedx.univ-bejaia.dz:443/.well-known/acme-challenge/QuDzLvjz98N9eTFKOZ5Up3wOwvPYaOhyO88ROnLCb8Q: Error getting validation data","instance":"","subproblems":}}
caddy-1 | {"level":"error","ts":1778768833.293678,"logger":"http.acme_client","msg":"validating authorization","identifier":"studio.openedx.univ-bejaia.dz","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"41.111.207.114: Fetching https://studio.openedx.univ-bejaia.dz:443/.well-known/acme-challenge/QuDzLvjz98N9eTFKOZ5Up3wOwvPYaOhyO88ROnLCb8Q: Error getting validation data","instance":"","subproblems":},"order":"https://acme-v02.api.letsencrypt.org/acme/order/3334780196/510776788576","attempt":2,"max_attempts":3}
caddy-1 | {"level":"error","ts":1778768833.2936983,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"studio.openedx.univ-bejaia.dz","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:connection - 41.111.207.114: Fetching https://studio.openedx.univ-bejaia.dz:443/.well-known/acme-challenge/QuDzLvjz98N9eTFKOZ5Up3wOwvPYaOhyO88ROnLCb8Q: Error getting validation data"}
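
Added example (not the post's or Caddy's own code): a small triage script for Caddy JSON logs of the kind pasted above. It separates the two independent failures mixed together in the output, the ZeroSSL fallback issuer failing at account registration (EAB) and the Let's Encrypt http-01 challenge failing, and for the latter it parses the `Fetching <url>` detail to show which leg failed: when the URL the validator reports is `https://...:443`, the validator's plain-HTTP request on port 80 was redirected and it is the TLS connection to 443 that broke. The log lines below are constructed from the format in the post with shortened tokens; the `example.test` line (validator 203.0.113.7, `Connection refused` on plain HTTP) is an invented contrast case showing how a port-80 failure looks instead.

```python
"""Triage Caddy ACME failures from compose-prefixed JSON log lines.

Added example with constructed log lines modelled on the post; it is
not Caddy's own tooling and does no network access.
"""
import json
import re
from collections import defaultdict
from urllib.parse import urlsplit

ACME_CONNECTION = "urn:ietf:params:acme:error:connection"

# Constructed sample: three lines follow the post's format with shortened tokens;
# the example.test line is invented to show a plain-HTTP (port 80) failure.
SAMPLE_LOG = r'''
caddy-1 | {"level":"error","ts":1778768831.18,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"openedx.univ-bejaia.dz","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:connection - 41.111.207.114: Fetching https://openedx.univ-bejaia.dz:443/.well-known/acme-challenge/TOKEN_A: Error getting validation data"}
caddy-1 | {"level":"warn","ts":1778768831.18,"logger":"http","msg":"missing email address for ZeroSSL; it is strongly recommended to set one for next time"}
caddy-1 | {"level":"error","ts":1778768831.80,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"openedx.univ-bejaia.dz","issuer":"acme.zerossl.com-v2-DV90","error":"account pre-registration callback: failed getting EAB credentials: HTTP 422: caddy_legacy_user_removed (code 2977)"}
caddy-1 | {"level":"error","ts":1778768832.11,"logger":"http.acme_client","msg":"challenge failed","identifier":"studio.openedx.univ-bejaia.dz","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"41.111.207.114: Fetching https://studio.openedx.univ-bejaia.dz:443/.well-known/acme-challenge/TOKEN_B: Error getting validation data","instance":"","subproblems":[]}}
caddy-1 | {"level":"error","ts":1778768832.12,"logger":"http.acme_client","msg":"challenge failed","identifier":"example.test","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"203.0.113.7: Fetching http://example.test/.well-known/acme-challenge/TOKEN_C: Connection refused","instance":"","subproblems":[]}}
'''

# "<ip the validator resolved>: Fetching <url>: <reason>"
DETAIL_RE = re.compile(r"^(?P<validator>\S+): Fetching (?P<url>\S+): (?P<reason>.*)$")


def parse_caddy_lines(text):
    """Yield one dict per JSON log line, dropping the 'caddy-1 | ' compose prefix."""
    for raw in text.strip().splitlines():
        payload = raw.split("| ", 1)[1] if "| " in raw else raw
        payload = payload.strip()
        if payload.startswith("{"):
            yield json.loads(payload)


def classify_fetch_failure(detail):
    """Explain an acme:error:connection detail string; None if it has another shape."""
    m = DETAIL_RE.match(detail)
    if not m:
        return None
    url = urlsplit(m["url"])
    finding = {
        "category": "http01_fetch",
        "validator_saw_ip": m["validator"],
        "host": url.hostname,
        "scheme": url.scheme,
        "port": url.port or (443 if url.scheme == "https" else 80),
        "reason": m["reason"],
    }
    if url.scheme == "https":
        finding["diagnosis"] = (
            "http-01 request on port 80 was redirected to HTTPS; the failing leg is the "
            "TLS connection to port 443 of the address above. Check what answers on 443 "
            "from outside (firewall, TLS interception, wrong backend)."
        )
    else:
        finding["diagnosis"] = (
            "port 80 of the address above did not serve the challenge; check inbound 80 "
            "and that the ACME client is listening on it."
        )
    return finding


def triage(text):
    """Group distinct findings per identifier (hostname being validated)."""
    findings, seen = defaultdict(list), set()

    def add(ident, f):
        key = (ident, f["category"], f.get("scheme"), f.get("host"))
        if key not in seen:
            seen.add(key)
            findings[ident].append(f)

    for rec in parse_caddy_lines(text):
        ident = rec.get("identifier", "-")
        issuer, err = rec.get("issuer", ""), rec.get("error", "")
        prob = rec.get("problem")
        if prob and prob.get("type") == ACME_CONNECTION:
            f = classify_fetch_failure(prob.get("detail", ""))
            if f:
                add(ident, f)
        elif rec.get("logger") == "tls.obtain" and "zerossl" in issuer and "EAB" in err:
            add(ident, {"category": "zerossl_eab", "diagnosis":
                        "ZeroSSL fallback issuer could not register an account (EAB). "
                        "Independent of the Let's Encrypt failure; fix or drop ZeroSSL separately."})
        elif rec.get("logger") == "tls.obtain" and ACME_CONNECTION in err and " - " in err:
            f = classify_fetch_failure(err.split(" - ", 1)[1])
            if f:
                add(ident, f)
    return dict(findings)


if __name__ == "__main__":
    for ident, items in triage(SAMPLE_LOG).items():
        print(ident)
        for f in items:
            print(f"  [{f['category']}] {f['diagnosis']}")
```

Run it on the real log (`docker compose logs caddy | python3 triage.py`, adapting the script to read stdin) and the output for each hostname will name the leg to investigate; for the lines in the post every Let's Encrypt finding has scheme `https`, which is the point made later in the thread about the HTTPS request being what gets blocked.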

You have your client set for ZeroSSL. That's why it's erroring out.

Try changing to Let's Encrypt.

I am pretty sure Caddy tries multiple CAs, which explains why the Let's Encrypt error below appears in their error log. It looks like ZeroSSL fails because it wasn't set up right (EAB), but that would not affect Let's Encrypt.

When I try to visit this URL, I'm getting an expired certificate for a Fortinet firewall, which makes it sound like the firewall continues to be an issue.

I do too. Interesting that HTTP requests are redirected to HTTPS just fine. It is the HTTPS request that gets blocked by Fortinet.

I should note that some systems (like my AWS servers) get a 403 Forbidden with any HTTP request but other systems (like Let's Debug or check-host.net) get redirected. The Let's Encrypt primary validation center must also get redirected otherwise we would have seen the HTTP URL in the error message.

In short, the firewall is still heavily involved.

@pipa_85 While it is legal to redirect a cert HTTP challenge to HTTPS, it is not required. I don't know Caddy well enough to know if that is how it handles that, but I suspect not. It is not as efficient and adds complexity, and I don't think Caddy would design for that.