Caddy 2.10.0 on-demand wildcard sites break other separate sites matching the wildcard
https://github.com/caddyserver/caddy/issues/6996#issuecomment-2848150643
Also the caddy documentation is out of date. Where TF do I put tls force_automate??
What does "doesn't work" mean? Here's a template to fill out to get more details, hopefully it will help us understand what you mean:
It's not immediately clear to me what is going on, so I'll need your help to understand it better.
Ideally, we need to be able to reproduce the bug in the most minimal way possible using the latest version of Caddy. This allows us to write regression tests to verify the fix is working. If we can't reproduce it, then you'll have to test our changes for us until it's fixed -- and then we can't add test cases, either.
I've attached a template below that will help make this easier and faster! This will require some effort on your part -- please understand that we will be dedicating time to fix the bug you are reporting if you can just help us understand it and reproduce it easily.
This template will ask for some information you've already provided; that's OK, just fill it out the best you can. :+1: I've also included some helpful tips below the template. Feel free to let me know if you have any questions!
Thank you again for your report, we look forward to resolving it!
Template
## 1. Environment
### 1a. Operating system and version
```
paste here
```
### 1b. Caddy version (run `caddy version` or paste commit SHA)
This should be the latest version of Caddy:
```
paste here
```
## 2. Description
### 2a. What happens (briefly explain what is wrong)
### 2b. Why it's a bug (if it's not obvious)
### 2c. Log output
```
paste terminal output or logs here
```
### 2d. Workaround(s)
### 2e. Relevant links
## 3. Tutorial (minimal steps to reproduce the bug)
Instructions -- please heed otherwise we cannot help you (help us help you!)
- Environment: Please fill out your OS and Caddy versions, even if you don't think they are relevant. (They are always relevant.) If you built Caddy from source, provide the commit SHA and specify your exact Go version.
- Description: Describe at a high level what the bug is. What happens? Why is it a bug? Not all bugs are obvious, so convince readers that it's actually a bug.
  - 2c) Log output: Paste terminal output and/or complete logs in a code block. DO NOT REDACT INFORMATION except for credentials. Please enable debug and access logs.
  - 2d) Workaround: What are you doing to work around the problem in the meantime? This can help others who encounter the same problem, until we implement a fix.
  - 2e) Relevant links: Please link to any related issues, pull requests, docs, and/or discussion. This can add crucial context to your report.
- Tutorial: What are the minimum required specific steps someone needs to take in order to experience the same bug? Your goal here is to make sure that anyone else can have the same experience with the bug as you do. You are writing a tutorial, so make sure to carry it out yourself before posting it. Please:
  - Start with an empty config. Add only the lines/parameters that are absolutely required to reproduce the bug.
  - Do not run Caddy inside containers.
  - Run Caddy manually in your terminal; do not use systemd or other init systems.
  - If making HTTP requests, avoid web browsers. Use a simpler HTTP client instead, like `curl`.
  - Do not redact any information from your config (except credentials). Domain names are public knowledge and often necessary for quick resolution of an issue!
  - Note that ignoring this advice may result in delays, or even in your issue being closed. 😞 Only actionable issues are kept open, and if there is not enough information or clarity to reproduce the bug, then the report is not actionable.
Example of a tutorial:

Create a config file:
```
{ ... }
```
Open terminal and run Caddy:
```
$ caddy ...
```
Make an HTTP request:
```
$ curl ...
```
Notice that the result is ___ but it should be ___.
## 1. Environment
### 1a. Operating system and version
```
debian 12
```
### 1b. Caddy version (run `caddy version` or paste commit SHA)
This should be the latest version of Caddy:
```
v2.10.0 h1:fonubSaQKF1YANl8TXqGcn4IbIRUDdfAkpcsfI/vX5U=
```
## 2. Description
### 2a. What happens (briefly explain what is wrong)
A site does not get a TLS certificate if there is another site with a matching wildcard and on-demand TLS enabled
### 2b. Why it's a bug (if it's not obvious)
The site is unusable; the functionality of a site should not be affected by another site
### 2c. Log output
below
### 2d. Workaround(s)
`tls force_automate` in the site that doesn't work
### 2e. Relevant links
https://github.com/caddyserver/caddy/releases/tag/v2.10.0
## 3. Tutorial (minimal steps to reproduce the bug)
Caddyfile
```
root@test:/etc/caddy# cat Caddyfile
{
    on_demand_tls {
        ask http://localhost:3000/tls-check
    }
}
*.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io {
    tls {
        on_demand
    }
    respond "foo"
}
foobar.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io {
    respond "bar"
}
```
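Make tls-check server (node.js)
```
// Minimal on-demand TLS permission ("ask") endpoint for the repro:
// logs every request Caddy makes and approves it with a 200.
require("http").createServer((req, res) => {
  console.log(req.socket.remoteAddress, req.url);
  res.writeHead(200);
  res.end();
}).listen(3000);
```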
Try to load https://foobar.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io, browser gets SSL error
log output
```
2025/05/02 21:13:13.935 DEBUG events event {"name": "tls_get_certificate", "id": "6a79f96b-7521-45fa-8fdd-c83de486c1d0", "origin": "tls", "data": {"client_hello":{"CipherSuites":[64250,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"foobar.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io","SupportedCurves":[23130,4588,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[51914,772,771],"RemoteAddr":{"IP":"2602:47:2674:4c01:9da2:65f2:438e:1aa3","Port":32398,"Zone":""},"LocalAddr":{"IP":"2602:47:2674:4c03:1266:6aff:fea3:dd8f","Port":443,"Zone":""}}}}
2025/05/02 21:13:13.935 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "foobar.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io"}
2025/05/02 21:13:13.935 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "*.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io"}
2025/05/02 21:13:13.935 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "*.*.sslip.io"}
2025/05/02 21:13:13.935 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "*.*.*.io"}
2025/05/02 21:13:13.935 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "*.*.*.*"}
2025/05/02 21:13:13.935 DEBUG tls.handshake no certificate matching TLS ClientHello {"remote_ip": "2602:47:2674:4c01:9da2:65f2:438e:1aa3", "remote_port": "32398", "server_name": "foobar.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io", "remote": "[2602:47:2674:4c01:9da2:65f2:438e:1aa3]:32398", "identifier": "foobar.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io", "cipher_suites": [64250, 4865, 4866, 4867, 49195, 49199, 49196, 49200, 52393, 52392, 49171, 49172, 156, 157, 47, 53], "cert_cache_fill": 0, "load_or_obtain_if_necessary": true, "on_demand": false}
2025/05/02 21:13:13.935 DEBUG http.stdlib http: TLS handshake error from [2602:47:2674:4c01:9da2:65f2:438e:1aa3]:32398: no certificate available for 'foobar.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io'
```
NO request is logged by the tls-check server.
Now try to load https://barfoo.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io: tls-check server logs request
```
::1 /tls-check?domain=barfoo.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io
```
and the site works properly.
whole caddy log:
2025/05/02 21:13:29.765 DEBUG http request {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/authz/2376210347/514553746797", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.10.0 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["2376210347"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["861"],"Content-Type":["application/json"],"Date":["Fri, 02 May 2025 21:13:29 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["FIfrddYQx3o-AVmSdRaYcstgwkJRvH42euaI2rgdJZm5S_KkI80"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2025/05/02 21:13:30.057 DEBUG http request {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/authz/2376210347/514553746797", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.10.0 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["2376210347"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["783"],"Content-Type":["application/json"],"Date":["Fri, 02 May 2025 21:13:30 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["aJoEAs1IRpLEDI3eVh7Xwc1PZ7At5PMSZwnCRViD3XAse2Q7bRE"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2025/05/02 21:13:30.058 INFO authorization finalized {"identifier": "barfoo.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io", "authz_status": "valid"}
2025/05/02 21:13:30.058 INFO validations succeeded; finalizing order {"order": "https://acme-v02.api.letsencrypt.org/acme/order/2376210347/380182390987"}
2025/05/02 21:13:30.299 DEBUG http request {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/finalize/2376210347/380182390987", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.10.0 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["2376210347"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["489"],"Content-Type":["application/json"],"Date":["Fri, 02 May 2025 21:13:30 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/order/2376210347/380182390987"],"Replay-Nonce":["aJoEAs1Ijd3IV3Dpa_S5I-gUiQMTs6hX4ThAUth8BoSYp1w1fNs"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2025/05/02 21:13:30.342 DEBUG http request {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/cert/0542fd2d0548b49c1a9dbeee3e568979c698", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.10.0 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["3007"],"Content-Type":["application/pem-certificate-chain"],"Date":["Fri, 02 May 2025 21:13:30 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://acme-v02.api.letsencrypt.org/acme/cert/0542fd2d0548b49c1a9dbeee3e568979c698/1>;rel=\"alternate\""],"Replay-Nonce":["aJoEAs1ICqVhu_m9MqYx6C-a8lC-CjjxpzF2DQnZeFoxQhQUbGI"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2025/05/02 21:13:30.343 DEBUG getting renewal info {"names": ["barfoo.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io"]}
2025/05/02 21:13:30.398 DEBUG http request {"method": "GET", "url": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-03/renewalInfo/nytfzzwhT50Et-0rLMTGcIvS1w0.BUL9LQVItJwanb7uPlaJecaY", "headers": {"User-Agent":["Caddy/2.10.0 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["101"],"Content-Type":["application/json"],"Date":["Fri, 02 May 2025 21:13:30 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Retry-After":["21600"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2025/05/02 21:13:30.399 INFO got renewal info {"names": ["barfoo.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io"], "window_start": "2025/06/30 22:59:04.000", "window_end": "2025/07/02 18:09:53.000", "selected_time": "2025/07/01 15:07:42.000", "recheck_after": "2025/05/03 03:13:30.399", "explanation_url": ""}
2025/05/02 21:13:30.464 DEBUG http request {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/cert/0542fd2d0548b49c1a9dbeee3e568979c698/1", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.10.0 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["2438"],"Content-Type":["application/pem-certificate-chain"],"Date":["Fri, 02 May 2025 21:13:30 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://acme-v02.api.letsencrypt.org/acme/cert/0542fd2d0548b49c1a9dbeee3e568979c698/0>;rel=\"alternate\""],"Replay-Nonce":["FIfrddYQytUqqyLiUOCkFbi8wmqLAOySiJAtB5_EhLcZfStetes"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2025/05/02 21:13:30.464 DEBUG getting renewal info {"names": ["barfoo.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io"]}
2025/05/02 21:13:30.509 DEBUG http request {"method": "GET", "url": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-03/renewalInfo/nytfzzwhT50Et-0rLMTGcIvS1w0.BUL9LQVItJwanb7uPlaJecaY", "headers": {"User-Agent":["Caddy/2.10.0 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["101"],"Content-Type":["application/json"],"Date":["Fri, 02 May 2025 21:13:30 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Retry-After":["21600"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2025/05/02 21:13:30.510 INFO got renewal info {"names": ["barfoo.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io"], "window_start": "2025/06/30 22:59:04.000", "window_end": "2025/07/02 18:09:53.000", "selected_time": "2025/07/01 17:56:58.000", "recheck_after": "2025/05/03 03:13:30.510", "explanation_url": ""}
2025/05/02 21:13:30.510 INFO successfully downloaded available certificate chains {"count": 2, "first_url": "https://acme-v02.api.letsencrypt.org/acme/cert/0542fd2d0548b49c1a9dbeee3e568979c698"}
2025/05/02 21:13:30.510 DEBUG tls selected certificate chain {"url": "https://acme-v02.api.letsencrypt.org/acme/cert/0542fd2d0548b49c1a9dbeee3e568979c698"}
2025/05/02 21:13:30.524 INFO tls.obtain certificate obtained successfully {"identifier": "barfoo.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io", "issuer": "acme-v02.api.letsencrypt.org-directory"}
2025/05/02 21:13:30.524 DEBUG events event {"name": "cert_obtained", "id": "a52732a6-b3eb-4d17-bd4d-07e77d742f22", "origin": "tls", "data": {"certificate_path":"certificates/acme-v02.api.letsencrypt.org-directory/barfoo.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io/barfoo.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io.crt","csr_pem":"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","identifier":"barfoo.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io","issuer":"acme-v02.api.letsencrypt.org-directory","metadata_path":"certificates/acme-v02.api.letsencrypt.org-directory/barfoo.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io/barfoo.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io.json","private_key_path":"certificates/acme-v02.api.letsencrypt.org-directory/barfoo.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io/barfoo.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io.key","renewal":false,"storage_path":"certificates/acme-v02.api.letsencrypt.org-directory/barfoo.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io"}}
2025/05/02 21:13:30.524 INFO tls.obtain releasing lock {"identifier": "barfoo.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io"}
2025/05/02 21:13:30.654 DEBUG tls.cache added certificate to cache {"subjects": ["barfoo.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io"], "expiration": "2025/07/31 20:15:00.000", "managed": true, "issuer_key": "acme-v02.api.letsencrypt.org-directory", "hash": "0608d35cd227dc8fc46592ac6468c51c9a9d7fb9e1d54765439c3a280f9c0737", "cache_size": 1, "cache_capacity": 10000}
2025/05/02 21:13:30.654 DEBUG events event {"name": "cached_managed_cert", "id": "e532c67d-00c9-44ff-add7-3ea9ad485214", "origin": "tls", "data": {"sans":["barfoo.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io"]}}
2025/05/02 21:13:30.654 DEBUG tls.on_demand loaded certificate from storage {"remote_ip": "2602:47:2674:4c01:9da2:65f2:438e:1aa3", "remote_port": "32404", "subjects": ["barfoo.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io"], "managed": true, "expiration": "2025/07/31 20:15:00.000", "hash": "0608d35cd227dc8fc46592ac6468c51c9a9d7fb9e1d54765439c3a280f9c0737"}
2025/05/02 21:13:30.809 DEBUG events event {"name": "tls_get_certificate", "id": "2c325c2a-4718-4165-a659-ea0e84e74a45", "origin": "tls", "data": {"client_hello":{"CipherSuites":[4865,4866,4867],"ServerName":"barfoo.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io","SupportedCurves":[4588,29,23,24],"SupportedPoints":null,"SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537,513],"SupportedProtos":["h3"],"SupportedVersions":[772],"RemoteAddr":{"IP":"2602:47:2674:4c01:9da2:65f2:438e:1aa3","Port":55135,"Zone":""},"LocalAddr":{"IP":"2602:47:2674:4c03:1266:6aff:fea3:dd8f","Port":443,"Zone":""}}}}
2025/05/02 21:13:30.809 DEBUG tls.handshake choosing certificate {"identifier": "barfoo.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io", "num_choices": 1}
2025/05/02 21:13:30.810 DEBUG tls.handshake default certificate selection results {"identifier": "barfoo.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io", "subjects": ["barfoo.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io"], "managed": true, "issuer_key": "acme-v02.api.letsencrypt.org-directory", "hash": "0608d35cd227dc8fc46592ac6468c51c9a9d7fb9e1d54765439c3a280f9c0737"}
2025/05/02 21:13:30.810 DEBUG tls.handshake matched certificate in cache {"remote_ip": "2602:47:2674:4c01:9da2:65f2:438e:1aa3", "remote_port": "55135", "subjects": ["barfoo.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io"], "managed": true, "expiration": "2025/07/31 20:15:00.000", "hash": "0608d35cd227dc8fc46592ac6468c51c9a9d7fb9e1d54765439c3a280f9c0737"}
2025/05/02 21:13:40.228 DEBUG events event {"name": "tls_get_certificate", "id": "dc7e30e6-6623-4699-a553-522a6a797d8e", "origin": "tls", "data": {"client_hello":{"CipherSuites":[49195,49199,49196,49200,52393,52392,49161,49171,49162,49172,156,157,47,53,49170,10,4865,4866,4867],"ServerName":"barfoo.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io","SupportedCurves":[29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[2052,1027,2055,2053,2054,1025,1281,1537,1283,1539,513,515],"SupportedProtos":null,"SupportedVersions":[772,771],"RemoteAddr":{"IP":"2a03:b0c0:3:d0::1413:d001","Port":40816,"Zone":""},"LocalAddr":{"IP":"2602:47:2674:4c03:1266:6aff:fea3:dd8f","Port":443,"Zone":""}}}}
2025/05/02 21:13:40.228 DEBUG tls.handshake choosing certificate {"identifier": "barfoo.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io", "num_choices": 1}
2025/05/02 21:13:40.228 DEBUG tls.handshake default certificate selection results {"identifier": "barfoo.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io", "subjects": ["barfoo.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io"], "managed": true, "issuer_key": "acme-v02.api.letsencrypt.org-directory", "hash": "0608d35cd227dc8fc46592ac6468c51c9a9d7fb9e1d54765439c3a280f9c0737"}
2025/05/02 21:13:40.228 DEBUG tls.handshake matched certificate in cache {"remote_ip": "2a03:b0c0:3:d0::1413:d001", "remote_port": "40816", "subjects": ["barfoo.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io"], "managed": true, "expiration": "2025/07/31 20:15:00.000", "hash": "0608d35cd227dc8fc46592ac6468c51c9a9d7fb9e1d54765439c3a280f9c0737"}
2025/05/02 21:13:40.734 DEBUG events event {"name": "tls_get_certificate", "id": "f71805a2-793d-4ff9-96cc-361bd188fa9a", "origin": "tls", "data": {"client_hello":{"CipherSuites":[22,51,103,49310,49314,158,57,107,49311,49315,159,69,190,136,196,154,49160,49161,49187,49324,49326,49195,49162,49188,49325,49327,49196,49266,49267,52393,4866,4865,52244,49159,49170,49171,49191,49199,49172,49192,49200,49248,49249,49270,49271,52392,4869,4868,4867,52243,49169,10,47,60,49308,49312,156,53,61,49309,49313,157,65,186,132,192,7,4,5],"ServerName":"2602:47:2674:4c03:1266:6aff:fea3:dd8f","SupportedCurves":[29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537,513],"SupportedProtos":["hq","h2c","h2","spdy/3","spdy/2","spdy/1","http/1.1","http/1.0","http/0.9"],"SupportedVersions":[771,770,769],"RemoteAddr":{"IP":"2a03:b0c0:3:d0::1413:d001","Port":40828,"Zone":""},"LocalAddr":{"IP":"2602:47:2674:4c03:1266:6aff:fea3:dd8f","Port":443,"Zone":""}}}}
2025/05/02 21:13:40.736 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "2602:47:2674:4c03:1266:6aff:fea3:dd8f"}
2025/05/02 21:13:40.737 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "*"}
2025/05/02 21:13:40.737 DEBUG http.stdlib http: TLS handshake error from [2a03:b0c0:3:d0::1413:d001]:40828: idna: disallowed rune U+003A
2025/05/02 21:13:41.074 DEBUG events event {"name": "tls_get_certificate", "id": "f2cbb92d-dae4-489e-8cc2-0330b39e3062", "origin": "tls", "data": {"client_hello":{"CipherSuites":[5,4,7,192,132,186,65,157,49313,49309,61,53,156,49312,49308,60,47,10,49169,52243,4867,4868,4869,52392,49271,49270,49249,49248,49200,49192,49172,49199,49191,49171,49170,49159,52244,4865,4866,52393,49267,49266,49196,49327,49325,49188,49162,49195,49326,49324,49187,49161,49160,154,196,136,190,69,159,49315,49311,107,57,158,49314,49310,103,51,22],"ServerName":"2602:47:2674:4c03:1266:6aff:fea3:dd8f","SupportedCurves":[29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537,513],"SupportedProtos":["http/0.9","http/1.0","http/1.1","spdy/1","spdy/2","spdy/3","h2","h2c","hq"],"SupportedVersions":[769,770,771],"RemoteAddr":{"IP":"2a03:b0c0:3:d0::1413:d001","Port":40838,"Zone":""},"LocalAddr":{"IP":"2602:47:2674:4c03:1266:6aff:fea3:dd8f","Port":443,"Zone":""}}}}
2025/05/02 21:13:41.074 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "2602:47:2674:4c03:1266:6aff:fea3:dd8f"}
2025/05/02 21:13:41.074 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "*"}
2025/05/02 21:13:41.074 DEBUG http.stdlib http: TLS handshake error from [2a03:b0c0:3:d0::1413:d001]:40838: idna: disallowed rune U+003A
2025/05/02 21:13:41.409 DEBUG events event {"name": "tls_get_certificate", "id": "7fa3bd6e-9c87-4722-9cda-6e125b0cb32b", "origin": "tls", "data": {"client_hello":{"CipherSuites":[49170,49159,52244,4865,4866,52393,49267,49266,49196,49327,49325,49188,49162,49195,49326,49324,49187,49161,49160,154,196,136,190,69,159,49315,49311,107,57,158,49314,49310,103,51,22],"ServerName":"2602:47:2674:4c03:1266:6aff:fea3:dd8f","SupportedCurves":[29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537,513],"SupportedProtos":["http/0.9","http/1.0","http/1.1","spdy/1","spdy/2","spdy/3","h2","h2c","hq"],"SupportedVersions":[771,770,769],"RemoteAddr":{"IP":"2a03:b0c0:3:d0::1413:d001","Port":40842,"Zone":""},"LocalAddr":{"IP":"2602:47:2674:4c03:1266:6aff:fea3:dd8f","Port":443,"Zone":""}}}}
2025/05/02 21:13:41.409 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "2602:47:2674:4c03:1266:6aff:fea3:dd8f"}
2025/05/02 21:13:41.409 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "*"}
2025/05/02 21:13:41.409 DEBUG http.stdlib http: TLS handshake error from [2a03:b0c0:3:d0::1413:d001]:40842: idna: disallowed rune U+003A
2025/05/02 21:13:41.761 DEBUG http.stdlib http: TLS handshake error from [2a03:b0c0:3:d0::1413:d001]:40852: tls: client requested unsupported application protocols ([http/0.9 http/1.0 spdy/1 spdy/2 spdy/3 h2c hq])
2025/05/02 21:13:42.114 DEBUG http.stdlib http: TLS handshake error from [2a03:b0c0:3:d0::1413:d001]:40868: tls: client requested unsupported application protocols ([hq h2c spdy/3 spdy/2 spdy/1 http/1.0 http/0.9])
2025/05/02 21:13:42.449 DEBUG http.stdlib http: TLS handshake error from [2a03:b0c0:3:d0::1413:d001]:40876: tls: client offered only unsupported versions: [302 301]
2025/05/02 21:13:43.797 DEBUG events event {"name": "tls_get_certificate", "id": "63e2e293-5dc2-4bb9-b5c9-648cc4f61e85", "origin": "tls", "data": {"client_hello":{"CipherSuites":[22,51,103,49310,49314,158,57,107,49311,49315,159,69,190,136,196,154,49160,49161,49187,49324,49326,49195,49162,49188,49325,49327,49196,49266,49267,52393,4866,4865,52244,49159,49170,49171,49191,49199,49172,49192,49200,49248,49249,49270,49271,52392,4869,4868,4867,52243,49169,10,47,60,49308,49312,156,53,61,49309,49313,157,65,186,132,192,7,4,5],"ServerName":"2602:47:2674:4c03:1266:6aff:fea3:dd8f","SupportedCurves":[29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537,513],"SupportedProtos":["hq","h2c","h2","spdy/3","spdy/2","spdy/1","http/1.1","http/1.0","http/0.9"],"SupportedVersions":[772,771,770,769],"RemoteAddr":{"IP":"2a03:b0c0:3:d0::1413:d001","Port":40880,"Zone":""},"LocalAddr":{"IP":"2602:47:2674:4c03:1266:6aff:fea3:dd8f","Port":443,"Zone":""}}}}
2025/05/02 21:13:43.798 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "2602:47:2674:4c03:1266:6aff:fea3:dd8f"}
2025/05/02 21:13:43.798 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "*"}
2025/05/02 21:13:43.798 DEBUG http.stdlib http: TLS handshake error from [2a03:b0c0:3:d0::1413:d001]:40880: idna: disallowed rune U+003A
2025/05/02 21:13:44.133 DEBUG events event {"name": "tls_get_certificate", "id": "4edd9d66-e5d6-4471-b72b-b79ede98c69a", "origin": "tls", "data": {"client_hello":{"CipherSuites":[5,4,7,192,132,186,65,157,49313,49309,61,53,156,49312,49308,60,47,10,49169,52243,4867,4868,4869,52392,49271,49270,49249,49248,49200,49192,49172,49199,49191,49171,49170,49159,52244,4865,4866,52393,49267,49266,49196,49327,49325,49188,49162,49195,49326,49324,49187,49161,49160,154,196,136,190,69,159,49315,49311,107,57,158,49314,49310,103,51,22],"ServerName":"2602:47:2674:4c03:1266:6aff:fea3:dd8f","SupportedCurves":[29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537,513],"SupportedProtos":["http/0.9","http/1.0","http/1.1","spdy/1","spdy/2","spdy/3","h2","h2c","hq"],"SupportedVersions":[769,770,771,772],"RemoteAddr":{"IP":"2a03:b0c0:3:d0::1413:d001","Port":40890,"Zone":""},"LocalAddr":{"IP":"2602:47:2674:4c03:1266:6aff:fea3:dd8f","Port":443,"Zone":""}}}}
2025/05/02 21:13:44.133 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "2602:47:2674:4c03:1266:6aff:fea3:dd8f"}
2025/05/02 21:13:44.133 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "*"}
2025/05/02 21:13:44.133 DEBUG http.stdlib http: TLS handshake error from [2a03:b0c0:3:d0::1413:d001]:40890: idna: disallowed rune U+003A
2025/05/02 21:13:44.472 DEBUG events event {"name": "tls_get_certificate", "id": "71fe9858-e803-4633-bcbb-a8f4e9a91910", "origin": "tls", "data": {"client_hello":{"CipherSuites":[22,51,103,49310,49314,158,57,107,49311,49315,159,69,190,136,196,154,49160,49161,49187,49324,49326,49195,49162,49188,49325,49327,49196,49266,49267,52393,52244,49159,49170,49171,49191,49199,49172,49192,49200,49248,49249,49270,49271,52392,52243,49169,10,47,60,49308,49312,156,53,61,49309,49313,157,65,186,132,192,7,4,5],"ServerName":"2602:47:2674:4c03:1266:6aff:fea3:dd8f","SupportedCurves":[29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537,513],"SupportedProtos":["http/0.9","http/1.0","http/1.1","spdy/1","spdy/2","spdy/3","h2","h2c","hq"],"SupportedVersions":[769,770,771,772],"RemoteAddr":{"IP":"2a03:b0c0:3:d0::1413:d001","Port":40896,"Zone":""},"LocalAddr":{"IP":"2602:47:2674:4c03:1266:6aff:fea3:dd8f","Port":443,"Zone":""}}}}
2025/05/02 21:13:44.472 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "2602:47:2674:4c03:1266:6aff:fea3:dd8f"}
2025/05/02 21:13:44.472 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "*"}
2025/05/02 21:13:44.472 DEBUG http.stdlib http: TLS handshake error from [2a03:b0c0:3:d0::1413:d001]:40896: idna: disallowed rune U+003A
2025/05/02 21:13:44.809 DEBUG events event {"name": "tls_get_certificate", "id": "3a53d7bb-75c2-496d-b0c2-fcbeacd1746f", "origin": "tls", "data": {"client_hello":{"CipherSuites":[27242,49170,49171,49159,49191,52244,49199,4865,49172,4866,49192,52393,49200,49267,49248,49266,49249,49196,49270,49327,49271,49325,52392,49188,4869,49162,4868,49195,4867,49326,52243,49324,49169,49187,10,49161,47,49160,60,154,49308,196,49312,136,156,190,53,69,61,159,49309,49315,49313,49311,157,107,65,57,186,158,132,49314,192,49310,7,103,4,51,5,22],"ServerName":"2602:47:2674:4c03:1266:6aff:fea3:dd8f","SupportedCurves":[29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537,513],"SupportedProtos":["hq","h2c","h2","spdy/3","spdy/2","spdy/1","http/1.1","http/1.0","http/0.9"],"SupportedVersions":[60138,772,771,770,769],"RemoteAddr":{"IP":"2a03:b0c0:3:d0::1413:d001","Port":40898,"Zone":""},"LocalAddr":{"IP":"2602:47:2674:4c03:1266:6aff:fea3:dd8f","Port":443,"Zone":""}}}}
2025/05/02 21:13:44.809 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "2602:47:2674:4c03:1266:6aff:fea3:dd8f"}
2025/05/02 21:13:44.809 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "*"}
2025/05/02 21:13:44.809 DEBUG http.stdlib http: TLS handshake error from [2a03:b0c0:3:d0::1413:d001]:40898: idna: disallowed rune U+003A
2025/05/02 21:13:45.147 DEBUG events event {"name": "tls_get_certificate", "id": "d6612a6a-3e96-47d6-8156-69e7e1686ba7", "origin": "tls", "data": {"client_hello":{"CipherSuites":[49195,49199,49196,49200,52393,52392,49161,49171,49162,49172,156,157,47,53,49170,10,4865,4866,4867],"ServerName":"barfoo.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io","SupportedCurves":[29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[2052,1027,2055,2053,2054,1025,1281,1537,1283,1539,513,515],"SupportedProtos":null,"SupportedVersions":[772,771],"RemoteAddr":{"IP":"2a03:b0c0:3:d0::1413:d001","Port":59160,"Zone":""},"LocalAddr":{"IP":"2602:47:2674:4c03:1266:6aff:fea3:dd8f","Port":443,"Zone":""}}}}
2025/05/02 21:13:45.147 DEBUG tls.handshake choosing certificate {"identifier": "barfoo.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io", "num_choices": 1}
2025/05/02 21:13:45.147 DEBUG tls.handshake default certificate selection results {"identifier": "barfoo.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io", "subjects": ["barfoo.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io"], "managed": true, "issuer_key": "acme-v02.api.letsencrypt.org-directory", "hash": "0608d35cd227dc8fc46592ac6468c51c9a9d7fb9e1d54765439c3a280f9c0737"}
2025/05/02 21:13:45.147 DEBUG tls.handshake matched certificate in cache {"remote_ip": "2a03:b0c0:3:d0::1413:d001", "remote_port": "59160", "subjects": ["barfoo.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io"], "managed": true, "expiration": "2025/07/31 20:15:00.000", "hash": "0608d35cd227dc8fc46592ac6468c51c9a9d7fb9e1d54765439c3a280f9c0737"}
^C2025/05/02 21:13:48.695 INFO shutting down {"signal": "SIGINT"}
2025/05/02 21:13:48.695 WARN exiting; byeee!! 👋 {"signal": "SIGINT"}
2025/05/02 21:13:48.695 DEBUG events event {"name": "stopping", "id": "31aafbcd-d78d-4267-b2d1-825bb997afb2", "origin": "", "data": null}
2025/05/02 21:13:48.696 INFO http servers shutting down with eternal grace period
2025/05/02 21:14:18.697 INFO admin stopped previous server {"address": "localhost:2019"}
2025/05/02 21:14:18.697 INFO shutdown complete {"signal": "SIGINT", "exit_code": 0}
In order to make it work properly like caddy versions before 2.10, you must add tls force_automate to each site that doesn't work:
```
{
	debug
	on_demand_tls {
		ask http://localhost:3000/tls-check
	}
}
*.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io {
	tls {
		on_demand
	}
	respond "foo"
}
foobar.2602-47-2674-4c03-1266-6aff-fea3-dd8f.sslip.io {
	tls force_automate
	respond "bar"
}
```
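One way to triage a debug log like the one posted above, as an added example that is not from this thread or the Caddy project: it groups `no matching certificates` handshake failures by SNI name and separates names Caddy logged as managed from wildcard-only names and IP-literal SNI values. The sample log lines are constructed in the console format seen in this thread, and the bucket names are this example's own.

```python
import ipaddress
import json
import re
from collections import Counter

# Constructed sample in the console log format shown in this thread
# (example.com names and documentation addresses, not the reporter's data).
SAMPLE_LOG = """\
2025/01/01 10:00:00.000 INFO http enabling automatic TLS certificate management {"domains": ["foo.example.com", "*.example.com"]}
2025/01/01 10:00:05.000 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "foo.example.com"}
2025/01/01 10:00:05.001 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "*.example.com"}
2025/01/01 10:00:09.000 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "2001:db8::1"}
2025/01/01 10:00:09.001 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "*"}
2025/01/01 10:00:09.002 DEBUG http.stdlib http: TLS handshake error from [2001:db8::99]:40828: idna: disallowed rune U+003A
2025/01/01 10:00:12.000 DEBUG tls.handshake matched certificate in cache {"remote_ip": "2001:db8::99", "subjects": ["bar.example.com"]}
2025/01/01 10:00:15.000 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "baz.example.com"}
2025/01/01 10:00:15.001 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "*.example.com"}
"""

NO_MATCH = "no matching certificates and no custom selection logic"
MANAGING = "enabling automatic TLS certificate management"

# "<date> <time> <LEVEL> <logger and message> [<JSON fields>]"
LINE_RE = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+\s+[A-Z]+\s+(?P<rest>.*)$"
)
FIELDS_RE = re.compile(r"\s(\{.*\})\s*$")


def parse_line(line):
    """Return (message, fields) for one log line, or None if it is not a log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest, fields = m.group("rest"), {}
    f = FIELDS_RE.search(rest)
    if f:
        try:
            fields = json.loads(f.group(1))
            rest = rest[: f.start()]
        except json.JSONDecodeError:
            pass  # keep the whole tail as message text
    return rest.strip(), fields


def is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def covered_by_wildcard(host, wildcards):
    # "*.example.com" covers exactly one additional label.
    parent = host.split(".", 1)[1] if "." in host else ""
    return any(w[2:] == parent for w in wildcards)


def triage(log_text):
    """Bucket SNI names that hit the 'no matching certificates' path."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]

    # Names Caddy logged as managed at startup.
    managed = set()
    for message, fields in records:
        if message.endswith(MANAGING):
            managed.update(fields.get("domains", []))
    wildcards = {d for d in managed if d.startswith("*.")}

    names = ("configured_site", "wildcard_only", "ip_literal_sni", "unknown_host")
    buckets = {k: Counter() for k in names}
    for message, fields in records:
        if not message.endswith(NO_MATCH):
            continue
        name = fields.get("identifier", "")
        if not name or name.startswith("*"):
            continue  # wildcard fallback lookup for the previous name
        if is_ip_literal(name):
            buckets["ip_literal_sni"][name] += 1
        elif name in managed:
            # Explicit site block, yet no certificate at handshake time.
            buckets["configured_site"][name] += 1
        elif covered_by_wildcard(name, wildcards):
            buckets["wildcard_only"][name] += 1
        else:
            buckets["unknown_host"][name] += 1
    return {k: dict(v) for k, v in buckets.items()}


if __name__ == "__main__":
    for bucket, counts in triage(SAMPLE_LOG).items():
        print(bucket, counts)
```

A non-empty `configured_site` bucket is the case to look at first: a name with its own site block that still reached the no-certificate path.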
Ah, well, I think that's just because tls on-demand is parsed as your ACME account email being on-demand, it doesn't enable on-demand TLS. The proper syntax is in your working Caddyfile at the end of your post.
oops, I pasted it before I fixed it, that doesn't work, it said Error: adapting config using caddyfile: parsing caddyfile tokens for 'tls': single argument must either be 'internal', 'force_automate', or an email address, at Caddyfile:9 (that's how I figured out how tls force_automate is supposed to be used)
BTW why is it like that anyway? Seems inconsistent and unintuitive, why can't we do tls on_demand?
Is there anything else in your config that is not as it actually is when you run it and get this log output? (To avoid wasting time)
This config is exactly what I tested with and got this log output
> This config is exactly what I tested with and got this log output

(I just want to point out, it's obviously not, because
```
tls {
	on-demand
}
```
is also incorrect, it should be `on_demand` -- though I suppose in this case it's just a typo since presumably you did the edit manually -- it just makes it hard for me to trust the rest of what you've posted.)
From what I understand you're saying, if on-demand TLS is enabled, then the non-wildcard site won't have a certificate until after a handshake is completed using the wildcard domain, correct?
even simpler reproduction you can do on your pc since it doesn't get a cert with the bug
```
{
	debug
	on_demand_tls {
		ask http://nonexistant:3/
	}
}
*.example.com {
	tls {
		on_demand
	}
	respond "a"
}
foo.example.com {
	respond "b"
}
```
PS C:\Users\me\Desktop\caddy> .\caddy_windows_amd64.exe version
v2.10.0 h1:fonubSaQKF1YANl8TXqGcn4IbIRUDdfAkpcsfI/vX5U=
PS C:\Users\me\Desktop\caddy> .\caddy_windows_amd64.exe run
2025/05/02 21:55:55.515 INFO maxprocs: Leaving GOMAXPROCS=8: CPU quota undefined
2025/05/02 21:55:55.516 INFO GOMEMLIMIT is updated {"package": "github.com/KimMachineGun/automemlimit/memlimit", "GOMEMLIMIT": 30769311744, "previous": 9223372036854775807}
2025/05/02 21:55:55.516 INFO using adjacent Caddyfile
2025/05/02 21:55:55.517 INFO adapted config to JSON {"adapter": "caddyfile"}
2025/05/02 21:55:55.517 WARN Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies {"adapter": "caddyfile", "file": "Caddyfile", "line": 17}
2025/05/02 21:55:55.526 INFO admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2025/05/02 21:55:55.526 INFO tls.cache.maintenance started background certificate maintenance {"cache": "0xc0005f6980"}
2025/05/02 21:55:55.526 INFO http.auto_https server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2025/05/02 21:55:55.526 INFO http.auto_https enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
2025/05/02 21:55:55.526 DEBUG http.auto_https adjusted config {"tls": {"automation":{"policies":[{"subjects":["foo.example.com"]},{"subjects":["*.example.com"],"on_demand":true},{}],"on_demand":{}}}, "http": {"servers":{"remaining_auto_https_redirects":{"listen":[":80"],"routes":[{},{}]},"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"body":"b","handler":"static_response"}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"body":"a","handler":"static_response"}]}]}],"terminal":true}],"tls_connection_policies":[{}],"automatic_https":{}}}}}
2025/05/02 21:55:55.526 DEBUG http starting server loop {"address": "[::]:443", "tls": true, "http3": false}
2025/05/02 21:55:55.526 INFO http enabling HTTP/3 listener {"addr": ":443"}
2025/05/02 21:55:55.527 INFO http.log server running {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2025/05/02 21:55:55.527 DEBUG http starting server loop {"address": "[::]:80", "tls": false, "http3": false}
2025/05/02 21:55:55.527 WARN http HTTP/2 skipped because it requires TLS {"network": "tcp", "addr": ":80"}
2025/05/02 21:55:55.527 WARN http HTTP/3 skipped because it requires TLS {"network": "tcp", "addr": ":80"}
2025/05/02 21:55:55.527 INFO http.log server running {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2025/05/02 21:55:55.527 INFO http enabling automatic TLS certificate management {"domains": ["foo.example.com", "*.example.com"]}
2025/05/02 21:55:55.527 DEBUG events event {"name": "started", "id": "c49172d8-7f42-43e3-a1ce-5fc5bb4f8efb", "origin": "", "data": null}
2025/05/02 21:55:55.529 INFO autosaved config (load with --resume flag) {"file": "C:\\Users\\me\\AppData\\Roaming\\Caddy\\autosave.json"}
2025/05/02 21:55:55.529 INFO serving initial configuration
2025/05/02 21:55:55.551 INFO tls cleaning storage unit {"storage": "FileStorage:C:\\Users\\me\\AppData\\Roaming\\Caddy"}
2025/05/02 21:55:55.561 INFO tls certificate expired beyond grace period; cleaning up {"storage": "FileStorage:C:\\Users\\me\\AppData\\Roaming\\Caddy", "asset_key": "certificates/local/127.0.0.1/127.0.0.1.crt", "expired_for": 29377610.5616836, "grace_period": 1209600}
2025/05/02 21:55:55.561 INFO tls deleting asset because resource expired {"storage": "FileStorage:C:\\Users\\me\\AppData\\Roaming\\Caddy", "asset_key": "certificates/local/127.0.0.1/127.0.0.1.crt"}
2025/05/02 21:55:55.561 INFO tls deleting asset because resource expired {"storage": "FileStorage:C:\\Users\\me\\AppData\\Roaming\\Caddy", "asset_key": "certificates/local/127.0.0.1/127.0.0.1.key"}
2025/05/02 21:55:55.562 INFO tls deleting asset because resource expired {"storage": "FileStorage:C:\\Users\\me\\AppData\\Roaming\\Caddy", "asset_key": "certificates/local/127.0.0.1/127.0.0.1.json"}
2025/05/02 21:55:55.562 INFO tls deleting site folder because key is empty {"storage": "FileStorage:C:\\Users\\me\\AppData\\Roaming\\Caddy", "site_key": "certificates/local/127.0.0.1"}
2025/05/02 21:55:55.565 INFO tls finished cleaning storage units
other tab:
PS C:\Users\me> curl.exe --resolve "foo.example.com:443:127.0.0.1" https://foo.example.com/
curl: (35) schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.
2025/05/02 21:57:41.234 DEBUG events event {"name": "tls_get_certificate", "id": "a0689b4e-94ce-46d5-9cce-5bea4f7ac8ac", "origin": "tls", "data": {"client_hello":{"CipherSuites":[49196,49195,49200,49199,159,158,49188,49187,49192,49191,49162,49161,49172,49171,157,156,61,60,53,47,10],"ServerName":"foo.example.com","SupportedCurves":[29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[2052,2053,2054,1025,1281,513,1027,1283,515,514,1537,1539],"SupportedProtos":["http/1.1"],"SupportedVersions":[771,770,769],"RemoteAddr":{"IP":"127.0.0.1","Port":33387,"Zone":""},"LocalAddr":{"IP":"127.0.0.1","Port":443,"Zone":""}}}}
2025/05/02 21:57:41.234 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "foo.example.com"}
2025/05/02 21:57:41.235 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "*.example.com"}
2025/05/02 21:57:41.235 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "*.*.com"}
2025/05/02 21:57:41.235 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "*.*.*"}
2025/05/02 21:57:41.235 DEBUG tls.handshake no certificate matching TLS ClientHello {"remote_ip": "127.0.0.1", "remote_port": "33387", "server_name": "foo.example.com", "remote": "127.0.0.1:33387", "identifier": "foo.example.com", "cipher_suites": [49196, 49195, 49200, 49199, 159, 158, 49188, 49187, 49192, 49191, 49162, 49161, 49172, 49171, 157, 156, 61, 60, 53, 47, 10], "cert_cache_fill": 0, "load_or_obtain_if_necessary": true, "on_demand": false}
2025/05/02 21:57:41.235 DEBUG http.stdlib http: TLS handshake error from 127.0.0.1:33387: no certificate available for 'foo.example.com'
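An added diagnostic sketch, not part of the thread and not Caddy's own code: it takes the `tls.automation.policies` array from the `adjusted config` line above and reports which policy covers a given server name and whether that policy is on-demand. The type and function names are hypothetical, and first-match selection with an empty policy acting as catch-all is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Policy holds only the fields visible in the "adjusted config" log line.
type Policy struct {
	Subjects []string `json:"subjects"`
	OnDemand bool     `json:"on_demand"`
}

// Constructed sample: tls.automation.policies copied from that log line.
const samplePolicies = `[{"subjects":["foo.example.com"]},{"subjects":["*.example.com"],"on_demand":true},{}]`

// subjectMatches: exact match, or a "*." wildcard covering exactly one leftmost label.
func subjectMatches(subject, name string) bool {
	_, parent, found := strings.Cut(name, ".")
	wild := strings.HasPrefix(subject, "*.") && found && strings.EqualFold(parent, subject[2:])
	return wild || strings.EqualFold(subject, name)
}

// SelectPolicy returns the index and on_demand flag of the first policy covering name.
// Assumptions: first match wins; a policy with no subjects is a catch-all.
func SelectPolicy(policiesJSON, name string) (int, bool, error) {
	var policies []Policy
	if err := json.Unmarshal([]byte(policiesJSON), &policies); err != nil {
		return -1, false, err
	}
	for i, p := range policies {
		match := len(p.Subjects) == 0
		for _, s := range p.Subjects {
			match = match || subjectMatches(s, name)
		}
		if match {
			return i, p.OnDemand, nil
		}
	}
	return -1, false, nil
}

func main() {
	for _, n := range []string{"foo.example.com", "bar.example.com", "a.b.example.com"} {
		i, od, _ := SelectPolicy(samplePolicies, n)
		fmt.Printf("%-16s policy=%d on_demand=%v\n", n, i, od)
	}
}
```

Under these assumptions `foo.example.com` lands on the first policy, which has no `on_demand` flag, consistent with the `"on_demand": false` field in the handshake log line above.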
From what I understand you're saying, if on-demand TLS is enabled, then the non-wildcard site won't have a certificate until after a handshake is completed using the wildcard domain, correct?
No, the non-wildcard site does not get a certificate at all. Ever. Doesn't matter if you load some other subdomains from the wildcard site beforehand.
Ok, I'll try to look into this