ACME client started failing for Namecheap

[0xjams]

OS: Ubuntu 20.04.3 LTS
Caddy Version: 2.4.6

Dockerfile:

FROM caddy:builder AS builder
WORKDIR .
RUN  xcaddy build --with github.com/caddy-dns/namecheap
FROM caddy:latest
COPY --from=builder /usr/bin/caddy /usr/bin/caddy

Caddyfile header
#The staging and production urls were tested yielding the same results
{
email xxxx@xxx.xx
#acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}

Caddyfile (important part):

ntopng.cdv.jmoran.me {
    tls {
            #issuer acme {
            #dns lego_deprecated namecheap
            #}
        dns namecheap {
        api_key {env.NAMECHEAP_API_KEY}
        user {env.NAMECHEAP_API_USER}
        }
    }
    header / {

     Strict-Transport-Security "max-age=31536000; includeSubdomains"
     X-XSS-Protection "1; mode=block"
     X-Content-Type-Options "nosniff"
     X-Frame-Options "SAMEORIGIN"
     Referrer-Policy "no-referrer-when-downgrade"
    # Content-Security-Policy "default-src self http: https: data: blog: 'unsafe-inline'"
     -Server
    }
    reverse_proxy {
        to https://10.10.10.1:3000
        header_up Host {upstream_hostport}
            header_up X-Forwarded-Host {host}
        transport http {
        tls
        tls_insecure_skip_verify
        }
    }
}

Error that can be seen in docker logs:

caddy2              | {"level":"info","ts":1646273804.629268,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"ntopng.cdv.jmoran.me","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
caddy2              | {"level":"error","ts":1646273805.732329,"logger":"tls.issuance.acme.acme_client","msg":"cleaning up solver","identifier":"ntopng.cdv.jmoran.me","challenge_type":"dns-01","error":"no memory of presenting a DNS record for ntopng.cdv.jmoran.me (probably OK if presenting failed)"}
caddy2              | {"level":"error","ts":1646273808.1837244,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"ntopng.cdv.jmoran.me","issuer":"acme.zerossl.com-v2-DV90","error":"[ntopng.cdv.jmoran.me] solving challenges: presenting for challenge: adding temporary record for zone jmoran.me.: expected element type <ApiResponse> but have <html> (order=https://acme.zerossl.com/v2/DV90/order/1XsBWDMZWGr8ULYJaUsQAw) (ca=https://acme.zerossl.com/v2/DV90)"}
caddy2              | {"level":"error","ts":1646273808.183788,"logger":"tls.obtain","msg":"will retry","error":"[ntopng.cdv.jmoran.me] Obtain: [ntopng.cdv.jmoran.me] solving challenges: presenting for challenge: adding temporary record for zone jmoran.me.: expected element type <ApiResponse> but have <html> (order=https://acme.zerossl.com/v2/DV90/order/1XsBWDMZWGr8ULYJaUsQAw) (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":23.939634318,"max_duration":2592000}

I verified that my Namecheap credentials were right, in fact two weeks ago this configuration was working perfectly with another subdomain, I started having this issue today.

Any ideas?

[justinfenn]

I'm seeing something similar. The DNS challenge was working in January but is now failing. My error looks more like this though:

solving challenges: presenting for challenge: adding temporary record for zone subdomain.example.com.: namecheap api returned error in response. Err: Error0: Domain name not found

It seems to be related to the subdomain. When I run the integration tests using my credentials with the domain parameter set to the domain apex then it works. But when I change domain to include a subdomain, it starts failing with the "Domain name not found" error.

I guess something in the Namecheap API has changed recently, but the change log doesn't show anything after 2018.

[nrfox]

@justinfenn thank you for posting that info about the subdomain. That does sound like it could be the issue here. Probably will need to update handling of zone when it contains a subdomain and do some translation into the format that the namecheap API wants. It does seem like something changed with how the namecheap API handles subdomains earlier this year though since this library hasn't been changed in that time.

[mholt]

Could it be related to libdns/libdns@348effc upstream?