
Enabling get_certificate should disable cert automation #5415

@BioEvo

Description


I set the get_certificate section in the Caddyfile; Caddy verified all parameters and went directly to the HTTP-01 challenge.

Here's my procedure to reproduce the issue:

1. Pull the latest Caddy image, create a file server, and serve /etc/caddy as its root:
docker pull caddy
docker run --rm --hostname cert.mysite -p 80:80  -p 443:443 -it --name certmgr caddy caddy file-server --root /etc/caddy --debug
root@demo:/test# docker run --rm --hostname cert.mysite -p 80:80  -p 443:443 -it --name certmgr caddy caddy file-server --root /etc/caddy --debug
2023/03/03 09:50:13.498	WARN	admin	admin endpoint disabled
2023/03/03 09:50:13.499	INFO	tls.cache.maintenance	started background certificate maintenance	{"cache": "0xc0003fae00"}
2023/03/03 09:50:13.499	WARN	http	server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server	{"server_name": "static", "http_port": 80}
2023/03/03 09:50:13.499	INFO	tls	cleaning storage unit	{"description": "FileStorage:/data/caddy"}
2023/03/03 09:50:13.499	INFO	tls	finished cleaning storage units
2023/03/03 09:50:13.499	DEBUG	http	starting server loop	{"address": "[::]:80", "tls": false, "http3": false}
2023/03/03 09:50:13.499	INFO	http.log	server running	{"name": "static", "protocols": ["h1", "h2", "h3"]}
2023/03/03 09:50:13.499	INFO	Caddy serving static files on :80
2. Open another terminal and copy the hosts file from cert.mysite:
mkdir -p /test && cd /test
docker cp certmgr:/etc/hosts /test/hosts
3. Check from another container that http://cert.mysite/Caddyfile is available:
root@demo:/test# docker run --rm -it -v /test/hosts:/etc/hosts -v /test/Caddyfile:/etc/caddy/Caddyfile caddy wget -o /dev/null  -O - cert.mysite/Caddyfile
# The Caddyfile is an easy way to configure your Caddy web server.
#
# Unless the file starts with a global options block, the first
# uncommented line is always the address of your site.
#
# To use your own domain name (with automatic HTTPS), first make
# sure your domain's A/AAAA DNS records are properly pointed to
# this machine's public IP, then replace ":80" below with your
# domain name.

:80 {
	# Set this path to your site's directory.
	root * /usr/share/caddy

	# Enable the static file server.
	file_server

	# Another common task is to set up a reverse proxy:
	# reverse_proxy localhost:8080

	# Or serve a PHP site through php-fpm:
	# php_fastcgi localhost:9000
}

# Refer to the Caddy docs for more information:
# https://caddyserver.com/docs/caddyfile

One log record is printed by cert.mysite:

root@demo:/test# docker run --rm --hostname cert.mysite -p 80:80  -p 443:443 -it --name certmgr caddy caddy file-server --root /etc/caddy --debug
2023/03/03 09:50:13.498	WARN	admin	admin endpoint disabled
2023/03/03 09:50:13.499	INFO	tls.cache.maintenance	started background certificate maintenance	{"cache": "0xc0003fae00"}
2023/03/03 09:50:13.499	WARN	http	server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server	{"server_name": "static", "http_port": 80}
2023/03/03 09:50:13.499	INFO	tls	cleaning storage unit	{"description": "FileStorage:/data/caddy"}
2023/03/03 09:50:13.499	INFO	tls	finished cleaning storage units
2023/03/03 09:50:13.499	DEBUG	http	starting server loop	{"address": "[::]:80", "tls": false, "http3": false}
2023/03/03 09:50:13.499	INFO	http.log	server running	{"name": "static", "protocols": ["h1", "h2", "h3"]}
2023/03/03 09:50:13.499	INFO	Caddy serving static files on :80
2023/03/03 09:50:19.583	DEBUG	http.handlers.file_server	sanitized path join	{"site_root": "/etc/caddy", "request_path": "/Caddyfile", "result": "/etc/caddy/Caddyfile"}
2023/03/03 09:50:19.583	DEBUG	http.handlers.file_server	opening file	{"filename": "/etc/caddy/Caddyfile"}
4. Create /test/Caddyfile with:
{
	debug
}
https://web.mysite {
	tls {
		get_certificate http http://cert.mysite/cert
	}
	file_server
	root * /usr/share/caddy
}
5. Start another container for the HTTP cert getter:
root@demo:/test# docker run --rm -it -v /test/hosts:/etc/hosts -v /test/Caddyfile:/etc/caddy/Caddyfile caddy
2023/03/03 09:54:56.848	INFO	using provided configuration	{"config_file": "/etc/caddy/Caddyfile", "config_adapter": "caddyfile"}
2023/03/03 09:54:56.849	INFO	admin	admin endpoint started	{"address": "localhost:2019", "enforce_origin": false, "origins": ["//[::1]:2019", "//127.0.0.1:2019", "//localhost:2019"]}
2023/03/03 09:54:56.850	INFO	http	server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS	{"server_name": "srv0", "https_port": 443}
2023/03/03 09:54:56.850	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
2023/03/03 09:54:56.850	INFO	tls.cache.maintenance	started background certificate maintenance	{"cache": "0xc000119260"}
2023/03/03 09:54:56.850	INFO	tls	cleaning storage unit	{"description": "FileStorage:/data/caddy"}
2023/03/03 09:54:56.851	INFO	tls	finished cleaning storage units
2023/03/03 09:54:56.851	INFO	http	enabling HTTP/3 listener	{"addr": ":443"}
2023/03/03 09:54:56.851	INFO	failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Receive-Buffer-Size for details.
2023/03/03 09:54:56.851	DEBUG	http	starting server loop	{"address": "[::]:443", "tls": true, "http3": true}
2023/03/03 09:54:56.851	INFO	http.log	server running	{"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2023/03/03 09:54:56.851	DEBUG	http	starting server loop	{"address": "[::]:80", "tls": false, "http3": false}
2023/03/03 09:54:56.851	INFO	http.log	server running	{"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2023/03/03 09:54:56.851	INFO	http	enabling automatic TLS certificate management	{"domains": ["web.mysite"]}
2023/03/03 09:54:56.851	INFO	autosaved config (load with --resume flag)	{"file": "/config/caddy/autosave.json"}
2023/03/03 09:54:56.851	INFO	serving initial configuration
2023/03/03 09:54:56.852	INFO	tls.obtain	acquiring lock	{"identifier": "web.mysite"}
2023/03/03 09:54:56.852	INFO	tls.obtain	lock acquired	{"identifier": "web.mysite"}
2023/03/03 09:54:56.852	INFO	tls.obtain	obtaining certificate	{"identifier": "web.mysite"}
2023/03/03 09:54:56.853	DEBUG	events	event	{"name": "cert_obtaining", "id": "5ee698ea-a7b0-42d4-8fd2-2d148a1bcf91", "origin": "tls", "data": {"identifier":"web.mysite"}}
2023/03/03 09:54:56.853	DEBUG	tls.obtain	trying issuer 1/2	{"issuer": "acme-v02.api.letsencrypt.org-directory"}
2023/03/03 09:54:57.428	DEBUG	tls.acme_client	http request	{"method": "GET", "url": "https://acme-v02.api.letsencrypt.org/directory", "headers": {"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["756"],"Content-Type":["application/json"],"Date":["Fri, 03 Mar 2023 09:54:57 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2023/03/03 09:54:57.607	DEBUG	tls.acme_client	http request	{"method": "HEAD", "url": "https://acme-v02.api.letsencrypt.org/acme/new-nonce", "headers": {"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Date":["Fri, 03 Mar 2023 09:54:57 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["F977mkR7mwCLcOasyyIoTtnnqzTE5wOhhDe4xtpAylAi_Pc"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2023/03/03 09:54:57.797	DEBUG	tls.acme_client	http request	{"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/new-acct", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["991443716"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["267"],"Content-Type":["application/json"],"Date":["Fri, 03 Mar 2023 09:54:57 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf>;rel=\"terms-of-service\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/acct/991443716"],"Replay-Nonce":["F70EyZ_pC24oN4PtiMWxr1NXVxWGzy0lP6GgbhBSUStj1tw"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 201}
2023/03/03 09:54:57.798	INFO	tls	waiting on internal rate limiter	{"identifiers": ["web.mysite"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2023/03/03 09:54:57.798	INFO	tls	done waiting on internal rate limiter	{"identifiers": ["web.mysite"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2023/03/03 09:54:57.978	DEBUG	tls.acme_client	http request	{"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/new-order", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["991443716"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["212"],"Content-Type":["application/problem+json"],"Date":["Fri, 03 Mar 2023 09:54:57 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["F70EZ0AyzmBi1gJHVQOnVwxHCzrDIRBTmLFAHCqPZh1mMWo"],"Server":["nginx"]}, "status_code": 400}
2023/03/03 09:54:57.978	ERROR	tls.obtain	could not get certificate from issuer	{"identifier": "web.mysite", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Error creating new order :: Cannot issue for \"web.mysite\": Domain name does not end with a valid public suffix (TLD)"}
2023/03/03 09:54:57.978	DEBUG	tls.obtain	trying issuer 2/2	{"issuer": "acme.zerossl.com-v2-DV90"}
2023/03/03 09:54:57.978	WARN	tls	missing email address for ZeroSSL; it is strongly recommended to set one for next time
2023/03/03 09:54:59.349	INFO	tls	generated EAB credentials	{"key_id": "LLRR_JiXvnP1Gyxq8z_DJg"}
2023/03/03 09:55:00.338	DEBUG	tls.acme_client	http request	{"method": "GET", "url": "https://acme.zerossl.com/v2/DV90", "headers": {"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Access-Control-Allow-Origin":["*"],"Content-Length":["645"],"Content-Type":["application/json"],"Date":["Fri, 03 Mar 2023 09:55:00 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]}, "status_code": 200}
2023/03/03 09:55:01.042	DEBUG	tls.acme_client	http request	{"method": "HEAD", "url": "https://acme.zerossl.com/v2/DV90/newNonce", "headers": {"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Type":["application/octet-stream"],"Date":["Fri, 03 Mar 2023 09:55:00 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["choyu-v75RZ-bY957c7mtuaNcSeoRrEvG7HmRHJ7_Us"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]}, "status_code": 200}
2023/03/03 09:55:01.864	DEBUG	tls.acme_client	http request	{"method": "POST", "url": "https://acme.zerossl.com/v2/DV90/newAccount", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["579"],"Content-Type":["application/json"],"Date":["Fri, 03 Mar 2023 09:55:01 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Location":["https://acme.zerossl.com/v2/DV90/account/LLRR_JiXvnP1Gyxq8z_DJg"],"Replay-Nonce":["V4YzFYtZr4O5Kj-c-VBhxNZo5toNBIsaofRmEMM11AM"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]}, "status_code": 201}
2023/03/03 09:55:01.865	INFO	tls	waiting on internal rate limiter	{"identifiers": ["web.mysite"], "ca": "https://acme.zerossl.com/v2/DV90", "account": ""}
2023/03/03 09:55:01.865	INFO	tls	done waiting on internal rate limiter	{"identifiers": ["web.mysite"], "ca": "https://acme.zerossl.com/v2/DV90", "account": ""}
2023/03/03 09:55:02.512	DEBUG	tls.acme_client	http request	{"method": "POST", "url": "https://acme.zerossl.com/v2/DV90/newOrder", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["116"],"Content-Type":["application/problem+json"],"Date":["Fri, 03 Mar 2023 09:55:02 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["jQSBi7xGSLNSh3oaSYD3XZqo6XJkKRC4EEuYSOPB2wI"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]}, "status_code": 400}
2023/03/03 09:55:02.512	ERROR	tls.obtain	could not get certificate from issuer	{"identifier": "web.mysite", "issuer": "acme.zerossl.com-v2-DV90", "error": "HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [web.mysite]"}
2023/03/03 09:55:02.512	DEBUG	events	event	{"name": "cert_failed", "id": "1298f96f-180f-4a9e-97c7-ccdc8854f8c0", "origin": "tls", "data": {"error":{},"identifier":"web.mysite","issuers":["acme-v02.api.letsencrypt.org-directory","acme.zerossl.com-v2-DV90"],"renewal":false}}
2023/03/03 09:55:02.512	ERROR	tls.obtain	will retry	{"error": "[web.mysite] Obtain: [web.mysite] creating new order: attempt 1: https://acme.zerossl.com/v2/DV90/newOrder: HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [web.mysite] (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 1, "retrying_in": 60, "elapsed": 5.659666017, "max_duration": 2592000}

6. No new log from cert.mysite. Let's get the version of Caddy in the container:
root@demo:/test# docker run --rm -it -v /test/hosts:/etc/hosts -v /test/Caddyfile:/etc/caddy/Caddyfile caddy caddy version
v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=

Metadata

Labels

bug 🐞 Something isn't working