I have spent the last few months getting familiar with Caddy and Let's Encrypt. During implementations I have learned a couple gotchas which might be helpful when Caddy doesn't work.

Domain Black List

If you're hosted on Azure, Amazon or other popular cloud providers, you might be issued a subdomain for your virtual host (i.e. http://yourname.eastus.cloudapp.azure.com). Let's Encrypt and Caddy may not issue a certificate to these subdomains because of blacklisting. I haven't been able to find specific documentation on the blacklist, but a representative on the Let's Encrypt forums sums it up:

"we have a list of high-risk domains for which we refuse to issue certificates. If you feel that your domain is not high-risk, you can request that it be removed."

My guess is that domains can be blacklisted either by request of the provider, or if abuse is detected.

Firewall Rules

Ports 80 and 443 need to be open on your firewalls in order for Caddy & Let's Encrypt to negotiate your certificate. Depending on your provider, there are likely several levels of firewall which need to be configured. Make sure to check firewall configurations with your

  • Cloud vendor
  • Physical appliance when applicable (router, switch, modem, etc)
  • 3rd party software/virus protection
  • Operating system

DNS Propagation

After purchasing a domain name, it can take up to 24 hours to propagate to common DNS servers. Even if your browser can navigate to the site, it doesn't mean Let's Encrypt can find it. The safest test would be to check with a completely separate machine on a different network. A mobile device with 4G might do the trick in this case.

Rate Limiting

Let's Encrypt limits you to 5 tries per week to request a duplicate certificate. This can be a problem when troubleshooting a new server or Caddy container. An example scenario would be

  1. Create and configure a Caddy container without using persisted storage for certificates
  2. Destroy that container and rebuild it

Each time you go through this process, you are requesting a new certificate from Let's Encrypt. You can only do this 5 times in a week! If you hit this limit you may see something in the Caddy logs like:

Too many certificates already issued for my.domain.com  

Make sure to understand the other rate limiting requirements & Configuration for Let's Encrypt and Caddy:

Logs

Check the caddy debug log for errors. Debug logs will be generated when you add the -log flag to the Caddy binary:

caddy -log=/var/caddy/log/caddy.log  

Other Issues

Double and Triple check your caddy config. While running Caddy through Docker I find that the container will crash if my config is invalid. Make sure the caddy file is functional and take frequent backups.

Resources

If you still can't get Caddy working with default SSL, there are some other options

Title Image: Leader lock by Sarah Joy / CC BY-SA 2.0