Trying to get DNS validation

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mynas9696.ml

I ran this command: service caddy restart

It produced this output: Timeout during connect (likely firewall problem), url: (attempt 1/3; challenge=http-01)
Jun 13 12:23:27 caddy caddy[6918]: 2020/06/13 12:23:27 [INFO] [mynas9696.ml] acme: Obtaining bundled SAN certificate
Jun 13 12:23:27 caddy caddy[6918]: 2020/06/13 12:23:27 [INFO] [mynas9696.ml] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5215644860
Jun 13 12:23:27 caddy caddy[6918]: 2020/06/13 12:23:27 [INFO] [mynas9696.ml] acme: Could not find solver for: tls-alpn-01
Jun 13 12:23:27 caddy caddy[6918]: 2020/06/13 12:23:27 [INFO] [mynas9696.ml] acme: use http-01 solver
Jun 13 12:23:27 caddy caddy[6918]: 2020/06/13 12:23:27 [INFO] [mynas9696.ml] acme: Trying to solve HTTP-01
Jun 13 12:23:39 caddy caddy[6918]: 2020/06/13 12:23:39 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5215644860
Jun 13 12:23:39 caddy caddy[6918]: 2020/06/13 12:23:39 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5215644860
Jun 13 12:23:39 caddy caddy[6918]: 2020/06/13 12:23:39 [ERROR][mynas9696.ml] failed to obtain certificate: acme: Error -> One or more domains had a problem:

My web server is (include version): Caddy 1.04

The operating system my web server runs on is (include version): FreeNAS 11.3U3

My hosting provider, if applicable, is: Freenom and Cloudflare

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): not using Certbot, using Caddy

I’m trying to use DNS validation to create my certificate but I’m not having any luck. Here is my Caddyfile:

mynas9696.ml {
    root /usr/local/www/html/
}
cloud.mynas9696.ml {
    tls {
        dns cloudflare
    }
    gzip
    proxy / http://192.168.5.85 {
        transparent
    }
}

Hi @NasKar

That’s the answer of a non-working http validation.

See your url:

https://acme-v02.api.letsencrypt.org/acme/authz-v3/5215644860

Fetching http://mynas9696.ml/.well-known/acme-challenge/j8GbDaN8IQrDzNFCxXgxjj10JXfwDwpgpTwaA65-CVs: Timeout during connect (likely firewall problem)

  • really switch to dns validation (or)
  • the certificate isn’t a wildcard certificate, so you can use http validation. But a working port 80 is required

I’m trying to use DNS validation so I don’t have to have port 80 open


Have you set caddy_env to include your Cloudflare email address and Global API key in /etc/rc.conf?

Yes
I’m thinking it doesn’t work because I’m trying to do it in a Virtual Machine. I created a test jail in my Freenas. Now I’m getting the error “too many failed authorizations recently”. I’ll wait an hour and try again.

I don’t know how Caddy works. But Letsencrypt has checked your domain via http validation so Caddy has used the http challenge url, not the dns challenge url.


The first line of the posted log excerpt confirms that Caddy’s doing http validation.

Here’s your problem. You’ve specified DNS validation for the cloud. subdomain, but the root domain is going to default to HTTP. You’d need to put a tls {} block in that section as well.

After 2 restarts I’m at the rate limit again. Here is the adjusted Caddyfile:

mynas9696.ml {
    root /usr/local/www/html/
    tls {
        dns cloudflare
    }
}
cloud.mynas9696.ml {
    tls {
        dns cloudflare
    }
    gzip
    proxy / http://192.168.5.85 {
        transparent
    }
}

Decided to simplify the Caddyfile and go with the one domain.
I get these errors. I’ve double checked the Global API key and email in /etc/rc.conf:
Jun 13 20:00:17 caddy caddy[49585]: 2020/06/13 20:00:17 [INFO] [cloud.mynas9696.ml] acme: Obtaining bundled SAN certificate
Jun 13 20:00:18 caddy caddy[49585]: 2020/06/13 20:00:18 [INFO] [cloud.mynas9696.ml] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5222277641
Jun 13 20:00:18 caddy caddy[49585]: 2020/06/13 20:00:18 [INFO] [cloud.mynas9696.ml] acme: Could not find solver for: tls-alpn-01
Jun 13 20:00:18 caddy caddy[49585]: 2020/06/13 20:00:18 [INFO] [cloud.mynas9696.ml] acme: Could not find solver for: http-01
Jun 13 20:00:18 caddy caddy[49585]: 2020/06/13 20:00:18 [INFO] [cloud.mynas9696.ml] acme: use dns-01 solver
Jun 13 20:00:18 caddy caddy[49585]: 2020/06/13 20:00:18 [INFO] [cloud.mynas9696.ml] acme: Preparing to solve DNS-01
Jun 13 20:00:18 caddy caddy[49585]: 2020/06/13 20:00:18 [INFO] [cloud.mynas9696.ml] acme: Cleaning DNS-01 challenge
Jun 13 20:00:18 caddy caddy[49585]: 2020/06/13 20:00:18 [WARN] [cloud.mynas9696.ml] acme: error cleaning up: cloudflare: unknown record ID for ‘_acme-challenge.cloud.mynas9696.ml.’
Jun 13 20:00:19 caddy caddy[49585]: 2020/06/13 20:00:19 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5222277641
Jun 13 20:00:19 caddy caddy[49585]: 2020/06/13 20:00:19 [ERROR][cloud.mynas9696.ml] failed to obtain certificate: acme: Error -> One or more domains had a problem:
Jun 13 20:00:19 caddy caddy[49585]: [cloud.mynas9696.ml] [cloud.mynas9696.ml] acme: error presenting token: cloudflare: failed to create TXT record: error from makeRequest: HTTP status 401: invalid credentials (attempt 3/3; challenge=dns-01)
Jun 13 20:00:20 caddy caddy[49585]: 2020/06/13 20:00:20 failed to obtain certificate: acme: Error -> One or more domains had a problem:

My Caddyfile:

cloud.mynas9696.ml {
    root /usr/local/www/html/
    tls {
        dns cloudflare
    }
    gzip
    proxy / http://192.168.5.85 {
        transparent
    }
}

If you’re on a Cloudflare free plan, you can’t use the DNS API with the Freenom domains (tk, ml, ga, etc). They disabled that recently due to abuse.

Is that going forward or are they turning DNS off for all domains previously using DNS with Freenom?

It affects existing domains, yes. DNS continues to function, just the API access was removed.
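Two diagnoses in this thread come straight out of the log lines: the "use http-01 solver" line shows that the site block being validated had no `tls { dns ... }` (so Caddy fell back to HTTP-01 and hit the closed port 80), and the later "HTTP status 401: invalid credentials" line shows the Cloudflare DNS API rejecting the call, which for a Freenom TLD on a free plan cannot succeed however the key is set. The script below is an added example, not code from Caddy, lego or this thread; it classifies Caddy v1 / lego log lines with regular expressions I wrote for the message shapes visible above, using trimmed copies of the thread's own log lines as sample input. The `FREENOM_TLDS` set holds only the TLDs the thread names (tk, ml, ga); the "configured_dns" flag is an assumption the caller supplies from their Caddyfile.

```python
"""Classify Caddy v1 / lego ACME log lines: which challenge ran, and why it failed.

Added example. The regexes match the log formats shown in the thread; the
findings encode the thread's diagnoses, not a general ACME client spec.
"""
import re
from typing import Dict, List

# TLDs the thread names as losing Cloudflare free-plan DNS API access ("tk, ml, ga, etc.").
FREENOM_TLDS = {"tk", "ml", "ga"}

SOLVER_RE = re.compile(r"\[(?P<domain>[^\]\s]+)\] acme: use (?P<solver>[a-z0-9-]+) solver")
CHALLENGE_RE = re.compile(r"challenge=(?P<challenge>[a-z0-9-]+)")
ERROR_RE = re.compile(r"\[ERROR\]\[(?P<domain>[^\]\s]+)\] failed to obtain certificate")


def analyze(lines: List[str], configured_dns: bool) -> Dict[str, object]:
    """Return the solver lego chose, the final failure detail, and a list of findings.

    configured_dns: True when the Caddyfile site block carries `tls { dns <provider> }`
    (an input assumption; the log alone does not say what the Caddyfile contains).
    """
    result: Dict[str, object] = {
        "domain": None, "solver": None, "challenge": None, "detail": None, "findings": [],
    }
    for line in lines:
        m = SOLVER_RE.search(line)
        if m:
            result["domain"] = m.group("domain")
            result["solver"] = m.group("solver")
        m = ERROR_RE.search(line)
        if m and result["domain"] is None:
            result["domain"] = m.group("domain")
        m = CHALLENGE_RE.search(line)
        if m:
            result["challenge"] = m.group("challenge")
            # Text before "(attempt n/n; challenge=...)" is the CA's or provider's error.
            before = line.split("(attempt", 1)[0]
            result["detail"] = before.split("acme: ", 1)[-1].strip()

    findings: List[str] = result["findings"]  # type: ignore[assignment]
    solver = result["solver"] or result["challenge"]
    if configured_dns and solver and solver != "dns-01":
        findings.append(
            f"dns-01 expected but {solver} ran: the site block being validated "
            "has no tls {{ dns ... }} of its own")
    detail = str(result["detail"] or "")
    if "Timeout during connect" in detail:
        findings.append("port 80 not reachable from the internet: open it for http-01 "
                        "or make dns-01 actually apply to this site")
    if "HTTP status 401" in detail:
        findings.append("DNS provider rejected the credentials: check the email/API key "
                        "passed to Caddy (caddy_env on FreeBSD)")
    domain = str(result["domain"] or "")
    if domain.rsplit(".", 1)[-1] in FREENOM_TLDS:
        findings.append("Freenom TLD: Cloudflare free plan no longer exposes the DNS API "
                        "for it, so dns-01 via the cloudflare provider cannot succeed")
    return result


# Sample input: trimmed copies of the thread's first and third log excerpts.
LOG_HTTP = [
    "Jun 13 12:23:27 caddy caddy[6918]: 2020/06/13 12:23:27 [INFO] [mynas9696.ml] acme: use http-01 solver",
    "Jun 13 12:23:39 caddy caddy[6918]: 2020/06/13 12:23:39 [ERROR][mynas9696.ml] failed to obtain certificate: acme: Error -> One or more domains had a problem:",
    "Timeout during connect (likely firewall problem), url: (attempt 1/3; challenge=http-01)",
]
LOG_DNS = [
    "Jun 13 20:00:18 caddy caddy[49585]: 2020/06/13 20:00:18 [INFO] [cloud.mynas9696.ml] acme: use dns-01 solver",
    "Jun 13 20:00:19 caddy caddy[49585]: 2020/06/13 20:00:19 [ERROR][cloud.mynas9696.ml] failed to obtain certificate: acme: Error -> One or more domains had a problem:",
    "Jun 13 20:00:19 caddy caddy[49585]: [cloud.mynas9696.ml] [cloud.mynas9696.ml] acme: error presenting token: cloudflare: failed to create TXT record: error from makeRequest: HTTP status 401: invalid credentials (attempt 3/3; challenge=dns-01)",
]

if __name__ == "__main__":
    for name, log in (("first attempt", LOG_HTTP), ("single-site attempt", LOG_DNS)):
        r = analyze(log, configured_dns=True)
        print(f"{name}: {r['domain']} solver={r['solver']} detail={r['detail']!r}")
        for f in r["findings"]:
            print("  -", f)
```

Feed it the journal lines for one certificate attempt and read the findings top to bottom: the solver mismatch is a Caddyfile problem, the connect timeout is a port 80 problem, the 401 is a credentials problem, and the Freenom finding explains why fixing the first three still would not get a DNS-01 certificate from Cloudflare here.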
