Issue Details
Howdy,
I've ran into a peculiar bug recently, where due to misconfiguration that I did not notice, the A and AAAA records pointing to www. of my domain were invalid, and caused the certificate for it unable to be renewed.
I noticed this only once the certificate expired, and fixed it.
However, upon doing so, Caddy reported the following in the logs:
2026/06/26 15:35:06.322 ERROR validating authorization {"identifier": "www.red-panda.be", "problem": {"type": "urn:ietf:params:acme:error:dns", "title": "", "detail": "no valid A records found for www.red-panda.be; no valid AAAA records found for www.red-panda.be", "instance": "", "subproblems": null}, "order": "https://acme-staging-v02.api.letsencrypt.org/acme/order/xxxx/xxxx", "attempt": 2, "max_attempts": 3}
github.com/mholt/acmez/v3.(*Client).ObtainCertificate
github.com/mholt/acmez/v3@v3.1.6/client.go:165
github.com/caddyserver/certmagic.(*ACMEIssuer).doIssue
github.com/caddyserver/certmagic@v0.25.2/acmeissuer.go:498
github.com/caddyserver/certmagic.(*ACMEIssuer).Issue
github.com/caddyserver/certmagic@v0.25.2/acmeissuer.go:391
github.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue
github.com/caddyserver/caddy/v2@v2.11.1/modules/caddytls/acmeissuer.go:292
github.com/caddyserver/certmagic.(*Config).renewCert.func2
github.com/caddyserver/certmagic@v0.25.2/config.go:952
github.com/caddyserver/certmagic.doWithRetry
github.com/caddyserver/certmagic@v0.25.2/async.go:104
github.com/caddyserver/certmagic.(*Config).renewCert
github.com/caddyserver/certmagic@v0.25.2/config.go:1028
github.com/caddyserver/certmagic.(*Config).RenewCertAsync
github.com/caddyserver/certmagic@v0.25.2/config.go:804
github.com/caddyserver/certmagic.(*Cache).queueRenewalTask.func1
github.com/caddyserver/certmagic@v0.25.2/maintain.go:250
github.com/caddyserver/certmagic.(*jobManager).worker
github.com/caddyserver/certmagic@v0.25.2/async.go:73
2026/06/26 15:35:06.323 ERROR tls.renew could not get certificate from issuer {"identifier": "www.red-panda.be", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 400 urn:ietf:params:acme:error:dns - no valid A records found for www.red-panda.be; no valid AAAA records found for www.red-panda.be"}
2026/06/26 15:35:06.324 ERROR tls.renew will retry {"error": "[www.red-panda.be] Renew: [www.red-panda.be] solving challenge: www.red-panda.be: [www.red-panda.be] authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - no valid A records found for www.red-panda.be; no valid AAAA records found for www.red-panda.be (ca=https://acme-staging-v02.api.letsencrypt.org/directory)", "attempt": 42, "retrying_in": 21600, "elapsed": 432169.704322758, "max_duration": 2592000}
2026/06/26 15:42:16.096 INFO tls certificate needs renewal based on ARI window {"subjects": ["www.red-panda.be"], "expiration": "2026/06/24 22:56:45.000", "ari_cert_id": xxxx", "next_ari_update": "2026/06/26 18:26:43.139", "renew_check_interval": 600, "window_start": "2026/06/21 13:50:34.000", "window_end": "2026/06/21 17:01:24.000", "selected_time": "2026/06/21 15:34:30.000", "renewal_cutoff": "2026/06/21 15:24:30.000"}
2026/06/26 15:42:16.623 INFO tls.cache.maintenance certificate expires soon; queuing for renewal {"identifiers": ["www.red-panda.be"], "remaining": -146731.623667521}
2026/06/26 15:52:16.100 INFO tls certificate needs renewal based on ARI window {"subjects": ["www.red-panda.be"], "expiration": "2026/06/24 22:56:45.000", "ari_cert_id": "xxxx", "next_ari_update": "2026/06/26 18:26:43.139", "renew_check_interval": 600, "window_start": "2026/06/21 13:50:34.000", "window_end": "2026/06/21 17:01:24.000", "selected_time": "2026/06/21 15:34:30.000", "renewal_cutoff": "2026/06/21 15:24:30.000"}
2026/06/26 15:52:16.105 INFO tls.cache.maintenance certificate expires soon; queuing for renewal {"identifiers": ["www.red-panda.be"], "remaining": -147331.105844417}
2026/06/26 16:02:16.100 INFO tls certificate needs renewal based on ARI window {"subjects": ["www.red-panda.be"], "expiration": "2026/06/24 22:56:45.000", "ari_cert_id": "xxxx", "next_ari_update": "2026/06/26 18:26:43.139", "renew_check_interval": 600, "window_start": "2026/06/21 13:50:34.000", "window_end": "2026/06/21 17:01:24.000", "selected_time": "2026/06/21 15:34:30.000", "renewal_cutoff": "2026/06/21 15:24:30.000"}
2026/06/26 16:02:16.104 INFO tls.cache.maintenance certificate expires soon; queuing for renewal {"identifiers": ["www.red-panda.be"], "remaining": -147931.104482085}
2026/06/26 16:12:16.096 INFO tls certificate needs renewal based on ARI window {"subjects": ["www.red-panda.be"], "expiration": "2026/06/24 22:56:45.000", "ari_cert_id": "xxxx", "next_ari_update": "2026/06/26 18:26:43.139", "renew_check_interval": 600, "window_start": "2026/06/21 13:50:34.000", "window_end": "2026/06/21 17:01:24.000", "selected_time": "2026/06/21 15:34:30.000", "renewal_cutoff": "2026/06/21 15:24:30.000"}
2026/06/26 16:12:16.624 INFO tls.cache.maintenance certificate expires soon; queuing for renewal {"identifiers": ["www.red-panda.be"], "remaining": -148531.624387828}
2026/06/26 16:15:42.973 INFO http servers shutting down with eternal grace period
Even a reboot of caddy did not fix the issue, and I had to remove the certificate for it to realize and renew.
[tyrasuki@web01-dse ~]$ rm /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/www.red-panda.be/www.red-panda.be.crt
[tyrasuki@web01-dse ~]$ systemctl restart caddy
After doing so, the cert renews as normal:
...
2026/06/26 16:15:43.935 INFO tls.obtain acquiring lock {"identifier": "www.red-panda.be"}
2026/06/26 16:15:43.944 INFO tls.obtain lock acquired {"identifier": "www.red-panda.be"}
2026/06/26 16:15:43.946 INFO tls.obtain obtaining certificate {"identifier": "www.red-panda.be"}
2026/06/26 16:15:43.968 INFO tls.issuance.acme waiting on internal rate limiter {"identifiers": ["www.red-panda.be"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "xxx@xxx.xxx"}
2026/06/26 16:15:43.968 INFO tls.issuance.acme done waiting on internal rate limiter {"identifiers": ["www.red-panda.be"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "xxx@xxx.xxx"}
2026/06/26 16:15:43.968 INFO tls.issuance.acme using ACME account {"account_id": "https://acme-v02.api.letsencrypt.org/acme/acct/xxxxxxxxx", "account_contact": ["mailto:xxx@xxx.xxx"]}
...
2026/06/26 16:15:44.118 INFO tls storage cleaning happened too recently; skipping for now {"storage": "FileStorage:/var/lib/caddy/.local/share/caddy", "instance": "xx-xx-xx-xx", "try_again": "2026/06/27 16:15:44.118", "try_again_in": 86399.999991454}
2026/06/26 16:15:44.120 INFO tls finished cleaning storage units
2026/06/26 16:15:45.328 INFO trying to solve challenge {"identifier": "www.red-panda.be", "challenge_type": "http-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2026/06/26 16:15:45.339 INFO got renewal info {"names": ["www.tyrasuki.be"], "window_start": "2026/06/28 10:07:39.000", "window_end": "2026/06/28 13:18:28.000", "selected_time": "2026/06/28 12:17:33.000", "recheck_after": "2026/06/26 21:58:06.339", "explanation_url": ""}
2026/06/26 16:15:45.351 INFO tls updated and stored ACME renewal information {"identifiers": ["www.tyrasuki.be"], "cert_hash": "125b490a7789db56efae726fff9dfb1c4ed8e2e56069bd205286c1d3e5c1c073", "ari_unique_id": "xxx, "cert_expiry": "2026/07/01 19:13:49.000", "selected_time": "2026/06/28 12:28:28.000", "next_update": "2026/06/26 21:58:06.339", "explanation_url": ""}
2026/06/26 16:15:46.038 INFO tls.issuance.acme served key authentication {"identifier": "www.red-panda.be", "challenge": "http-01", "remote": "[2600:3000:2710:200::81]:40283", "distributed": false}
2026/06/26 16:15:46.329 INFO tls.issuance.acme served key authentication {"identifier": "www.red-panda.be", "challenge": "http-01", "remote": "[2a05:d016:39f:3100:293a:77d1:40a8:dd1f]:40486", "distributed": false}
2026/06/26 16:15:46.551 INFO tls.issuance.acme served key authentication {"identifier": "www.red-panda.be", "challenge": "http-01", "remote": "[2600:1f16:269:da02:527a:536e:c090:356c]:32870", "distributed": false}
2026/06/26 16:15:46.760 INFO tls.issuance.acme served key authentication {"identifier": "www.red-panda.be", "challenge": "http-01", "remote": "[2600:1f14:804:fd02:5362:483e:39e:5e20]:38652", "distributed": false}
2026/06/26 16:15:46.923 INFO tls.issuance.acme served key authentication {"identifier": "www.red-panda.be", "challenge": "http-01", "remote": "[2406:da18:85:1401:e75d:9c74:59d4:a4ce]:59320", "distributed": false}
2026/06/26 16:15:48.841 INFO authorization finalized {"identifier": "www.red-panda.be", "authz_status": "valid"}
2026/06/26 16:15:48.841 INFO validations succeeded; finalizing order {"order": "https://acme-v02.api.letsencrypt.org/acme/order/xxxx/xxxx"}
2026/06/26 16:15:49.918 INFO got renewal info {"names": ["www.red-panda.be"], "window_start": "2026/06/29 22:11:07.000", "window_end": "2026/06/30 01:21:57.000", "selected_time": "2026/06/30 01:13:36.000", "recheck_after": "2026/06/26 21:16:10.918", "explanation_url": ""}
2026/06/26 16:15:50.228 INFO got renewal info {"names": ["www.red-panda.be"], "window_start": "2026/06/29 22:11:07.000", "window_end": "2026/06/30 01:21:57.000", "selected_time": "2026/06/30 00:36:55.000", "recheck_after": "2026/06/26 21:05:12.228", "explanation_url": ""}
2026/06/26 16:15:50.544 INFO got renewal info {"names": ["www.red-panda.be"], "window_start": "2026/06/29 22:11:07.000", "window_end": "2026/06/30 01:21:57.000", "selected_time": "2026/06/30 00:32:04.000", "recheck_after": "2026/06/26 22:28:58.544", "explanation_url": ""}
2026/06/26 16:15:50.546 INFO successfully downloaded available certificate chains {"count": 3, "first_url": "https://acme-v02.api.letsencrypt.org/acme/cert/0580dd65831937092e61610726498a5df2ed"}
2026/06/26 16:15:50.570 INFO tls.obtain certificate obtained successfully {"identifier": "www.red-panda.be", "issuer": "acme-v02.api.letsencrypt.org-directory"}
2026/06/26 16:15:50.572 INFO tls.obtain releasing lock {"identifier": "www.red-panda.be"}
2026/06/26 16:15:50.580 WARN tls stapling OCSP {"identifiers": ["www.red-panda.be"]}
I would've expected caddy to see this, realize the A and AAAA records are set correctly now, and try to renew by itself. Or is this expected behaviour? :)
Kind regards,
Jori Vanneste / Tyrasuki
Assistance Disclosure
AI not used
If AI was used, describe the extent to which it was used.
No response
Issue Details
Howdy,
I've ran into a peculiar bug recently, where due to misconfiguration that I did not notice, the A and AAAA records pointing to
www.of my domain were invalid, and caused the certificate for it unable to be renewed.I noticed this only once the certificate expired, and fixed it.
However, upon doing so, Caddy reported the following in the logs:
Even a reboot of caddy did not fix the issue, and I had to remove the certificate for it to realize and renew.
After doing so, the cert renews as normal:
I would've expected caddy to see this, realize the A and AAAA records are set correctly now, and try to renew by itself. Or is this expected behaviour? :)
Kind regards,
Jori Vanneste / Tyrasuki
Assistance Disclosure
AI not used
If AI was used, describe the extent to which it was used.
No response