Skip to content

ARI unable to handle negative remaining values #7843

Description

@Tyrasuki

Issue Details

Howdy,

I've ran into a peculiar bug recently, where due to misconfiguration that I did not notice, the A and AAAA records pointing to www. of my domain were invalid, and caused the certificate for it unable to be renewed.

I noticed this only once the certificate expired, and fixed it.

However, upon doing so, Caddy reported the following in the logs:

2026/06/26 15:35:06.322	ERROR	validating authorization	{"identifier": "www.red-panda.be", "problem": {"type": "urn:ietf:params:acme:error:dns", "title": "", "detail": "no valid A records found for www.red-panda.be; no valid AAAA records found for www.red-panda.be", "instance": "", "subproblems": null}, "order": "https://acme-staging-v02.api.letsencrypt.org/acme/order/xxxx/xxxx", "attempt": 2, "max_attempts": 3}
github.com/mholt/acmez/v3.(*Client).ObtainCertificate
	github.com/mholt/acmez/v3@v3.1.6/client.go:165
github.com/caddyserver/certmagic.(*ACMEIssuer).doIssue
	github.com/caddyserver/certmagic@v0.25.2/acmeissuer.go:498
github.com/caddyserver/certmagic.(*ACMEIssuer).Issue
	github.com/caddyserver/certmagic@v0.25.2/acmeissuer.go:391
github.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue
	github.com/caddyserver/caddy/v2@v2.11.1/modules/caddytls/acmeissuer.go:292
github.com/caddyserver/certmagic.(*Config).renewCert.func2
	github.com/caddyserver/certmagic@v0.25.2/config.go:952
github.com/caddyserver/certmagic.doWithRetry
	github.com/caddyserver/certmagic@v0.25.2/async.go:104
github.com/caddyserver/certmagic.(*Config).renewCert
	github.com/caddyserver/certmagic@v0.25.2/config.go:1028
github.com/caddyserver/certmagic.(*Config).RenewCertAsync
	github.com/caddyserver/certmagic@v0.25.2/config.go:804
github.com/caddyserver/certmagic.(*Cache).queueRenewalTask.func1
	github.com/caddyserver/certmagic@v0.25.2/maintain.go:250
github.com/caddyserver/certmagic.(*jobManager).worker
	github.com/caddyserver/certmagic@v0.25.2/async.go:73
2026/06/26 15:35:06.323	ERROR	tls.renew	could not get certificate from issuer	{"identifier": "www.red-panda.be", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 400 urn:ietf:params:acme:error:dns - no valid A records found for www.red-panda.be; no valid AAAA records found for www.red-panda.be"}
2026/06/26 15:35:06.324	ERROR	tls.renew	will retry	{"error": "[www.red-panda.be] Renew: [www.red-panda.be] solving challenge: www.red-panda.be: [www.red-panda.be] authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - no valid A records found for www.red-panda.be; no valid AAAA records found for www.red-panda.be (ca=https://acme-staging-v02.api.letsencrypt.org/directory)", "attempt": 42, "retrying_in": 21600, "elapsed": 432169.704322758, "max_duration": 2592000}
2026/06/26 15:42:16.096	INFO	tls	certificate needs renewal based on ARI window	{"subjects": ["www.red-panda.be"], "expiration": "2026/06/24 22:56:45.000", "ari_cert_id": xxxx", "next_ari_update": "2026/06/26 18:26:43.139", "renew_check_interval": 600, "window_start": "2026/06/21 13:50:34.000", "window_end": "2026/06/21 17:01:24.000", "selected_time": "2026/06/21 15:34:30.000", "renewal_cutoff": "2026/06/21 15:24:30.000"}
2026/06/26 15:42:16.623	INFO	tls.cache.maintenance	certificate expires soon; queuing for renewal	{"identifiers": ["www.red-panda.be"], "remaining": -146731.623667521}
2026/06/26 15:52:16.100	INFO	tls	certificate needs renewal based on ARI window	{"subjects": ["www.red-panda.be"], "expiration": "2026/06/24 22:56:45.000", "ari_cert_id": "xxxx", "next_ari_update": "2026/06/26 18:26:43.139", "renew_check_interval": 600, "window_start": "2026/06/21 13:50:34.000", "window_end": "2026/06/21 17:01:24.000", "selected_time": "2026/06/21 15:34:30.000", "renewal_cutoff": "2026/06/21 15:24:30.000"}
2026/06/26 15:52:16.105	INFO	tls.cache.maintenance	certificate expires soon; queuing for renewal	{"identifiers": ["www.red-panda.be"], "remaining": -147331.105844417}
2026/06/26 16:02:16.100	INFO	tls	certificate needs renewal based on ARI window	{"subjects": ["www.red-panda.be"], "expiration": "2026/06/24 22:56:45.000", "ari_cert_id": "xxxx", "next_ari_update": "2026/06/26 18:26:43.139", "renew_check_interval": 600, "window_start": "2026/06/21 13:50:34.000", "window_end": "2026/06/21 17:01:24.000", "selected_time": "2026/06/21 15:34:30.000", "renewal_cutoff": "2026/06/21 15:24:30.000"}
2026/06/26 16:02:16.104	INFO	tls.cache.maintenance	certificate expires soon; queuing for renewal	{"identifiers": ["www.red-panda.be"], "remaining": -147931.104482085}
2026/06/26 16:12:16.096	INFO	tls	certificate needs renewal based on ARI window	{"subjects": ["www.red-panda.be"], "expiration": "2026/06/24 22:56:45.000", "ari_cert_id": "xxxx", "next_ari_update": "2026/06/26 18:26:43.139", "renew_check_interval": 600, "window_start": "2026/06/21 13:50:34.000", "window_end": "2026/06/21 17:01:24.000", "selected_time": "2026/06/21 15:34:30.000", "renewal_cutoff": "2026/06/21 15:24:30.000"}
2026/06/26 16:12:16.624	INFO	tls.cache.maintenance	certificate expires soon; queuing for renewal	{"identifiers": ["www.red-panda.be"], "remaining": -148531.624387828}
2026/06/26 16:15:42.973	INFO	http	servers shutting down with eternal grace period

Even a reboot of caddy did not fix the issue, and I had to remove the certificate for it to realize and renew.

[tyrasuki@web01-dse ~]$ rm /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/www.red-panda.be/www.red-panda.be.crt
[tyrasuki@web01-dse ~]$ systemctl restart caddy

After doing so, the cert renews as normal:

...
2026/06/26 16:15:43.935	INFO	tls.obtain	acquiring lock	{"identifier": "www.red-panda.be"}
2026/06/26 16:15:43.944	INFO	tls.obtain	lock acquired	{"identifier": "www.red-panda.be"}
2026/06/26 16:15:43.946	INFO	tls.obtain	obtaining certificate	{"identifier": "www.red-panda.be"}
2026/06/26 16:15:43.968	INFO	tls.issuance.acme	waiting on internal rate limiter	{"identifiers": ["www.red-panda.be"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "xxx@xxx.xxx"}
2026/06/26 16:15:43.968	INFO	tls.issuance.acme	done waiting on internal rate limiter	{"identifiers": ["www.red-panda.be"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "xxx@xxx.xxx"}
2026/06/26 16:15:43.968	INFO	tls.issuance.acme	using ACME account	{"account_id": "https://acme-v02.api.letsencrypt.org/acme/acct/xxxxxxxxx", "account_contact": ["mailto:xxx@xxx.xxx"]}
...
2026/06/26 16:15:44.118	INFO	tls	storage cleaning happened too recently; skipping for now	{"storage": "FileStorage:/var/lib/caddy/.local/share/caddy", "instance": "xx-xx-xx-xx", "try_again": "2026/06/27 16:15:44.118", "try_again_in": 86399.999991454}
2026/06/26 16:15:44.120	INFO	tls	finished cleaning storage units
2026/06/26 16:15:45.328	INFO	trying to solve challenge	{"identifier": "www.red-panda.be", "challenge_type": "http-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2026/06/26 16:15:45.339	INFO	got renewal info	{"names": ["www.tyrasuki.be"], "window_start": "2026/06/28 10:07:39.000", "window_end": "2026/06/28 13:18:28.000", "selected_time": "2026/06/28 12:17:33.000", "recheck_after": "2026/06/26 21:58:06.339", "explanation_url": ""}
2026/06/26 16:15:45.351	INFO	tls	updated and stored ACME renewal information	{"identifiers": ["www.tyrasuki.be"], "cert_hash": "125b490a7789db56efae726fff9dfb1c4ed8e2e56069bd205286c1d3e5c1c073", "ari_unique_id": "xxx, "cert_expiry": "2026/07/01 19:13:49.000", "selected_time": "2026/06/28 12:28:28.000", "next_update": "2026/06/26 21:58:06.339", "explanation_url": ""}
2026/06/26 16:15:46.038	INFO	tls.issuance.acme	served key authentication	{"identifier": "www.red-panda.be", "challenge": "http-01", "remote": "[2600:3000:2710:200::81]:40283", "distributed": false}
2026/06/26 16:15:46.329	INFO	tls.issuance.acme	served key authentication	{"identifier": "www.red-panda.be", "challenge": "http-01", "remote": "[2a05:d016:39f:3100:293a:77d1:40a8:dd1f]:40486", "distributed": false}
2026/06/26 16:15:46.551	INFO	tls.issuance.acme	served key authentication	{"identifier": "www.red-panda.be", "challenge": "http-01", "remote": "[2600:1f16:269:da02:527a:536e:c090:356c]:32870", "distributed": false}
2026/06/26 16:15:46.760	INFO	tls.issuance.acme	served key authentication	{"identifier": "www.red-panda.be", "challenge": "http-01", "remote": "[2600:1f14:804:fd02:5362:483e:39e:5e20]:38652", "distributed": false}
2026/06/26 16:15:46.923	INFO	tls.issuance.acme	served key authentication	{"identifier": "www.red-panda.be", "challenge": "http-01", "remote": "[2406:da18:85:1401:e75d:9c74:59d4:a4ce]:59320", "distributed": false}
2026/06/26 16:15:48.841	INFO	authorization finalized	{"identifier": "www.red-panda.be", "authz_status": "valid"}
2026/06/26 16:15:48.841	INFO	validations succeeded; finalizing order	{"order": "https://acme-v02.api.letsencrypt.org/acme/order/xxxx/xxxx"}
2026/06/26 16:15:49.918	INFO	got renewal info	{"names": ["www.red-panda.be"], "window_start": "2026/06/29 22:11:07.000", "window_end": "2026/06/30 01:21:57.000", "selected_time": "2026/06/30 01:13:36.000", "recheck_after": "2026/06/26 21:16:10.918", "explanation_url": ""}
2026/06/26 16:15:50.228	INFO	got renewal info	{"names": ["www.red-panda.be"], "window_start": "2026/06/29 22:11:07.000", "window_end": "2026/06/30 01:21:57.000", "selected_time": "2026/06/30 00:36:55.000", "recheck_after": "2026/06/26 21:05:12.228", "explanation_url": ""}
2026/06/26 16:15:50.544	INFO	got renewal info	{"names": ["www.red-panda.be"], "window_start": "2026/06/29 22:11:07.000", "window_end": "2026/06/30 01:21:57.000", "selected_time": "2026/06/30 00:32:04.000", "recheck_after": "2026/06/26 22:28:58.544", "explanation_url": ""}
2026/06/26 16:15:50.546	INFO	successfully downloaded available certificate chains	{"count": 3, "first_url": "https://acme-v02.api.letsencrypt.org/acme/cert/0580dd65831937092e61610726498a5df2ed"}
2026/06/26 16:15:50.570	INFO	tls.obtain	certificate obtained successfully	{"identifier": "www.red-panda.be", "issuer": "acme-v02.api.letsencrypt.org-directory"}
2026/06/26 16:15:50.572	INFO	tls.obtain	releasing lock	{"identifier": "www.red-panda.be"}
2026/06/26 16:15:50.580	WARN	tls	stapling OCSP	{"identifiers": ["www.red-panda.be"]}

I would've expected caddy to see this, realize the A and AAAA records are set correctly now, and try to renew by itself. Or is this expected behaviour? :)

Kind regards,
Jori Vanneste / Tyrasuki

Assistance Disclosure

AI not used

If AI was used, describe the extent to which it was used.

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    bug 🐞Something isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions