caddy-dns / digitalocean


Wildcard domain: oauth2 token expired #13

Open deltabweb opened 1 year ago

deltabweb commented 1 year ago

Hey,

I'm trying to get a wildcard certificate for my domain but keep getting errors in the logs.

My Caddyfile is basically the recommended pattern for wildcard certificates:

*.mydomain.com {
    tls {
        dns digitalocean {env.DIGITALOCEAN_API_TOKEN}
    }

    @foo host foo.mydomain.com
    handle @foo {
        respond "Foo!"
    }

    @bar host bar.mydomain.com
    handle @bar {
        respond "Bar!"
    }

    # Fallback for otherwise unhandled domains
    handle {
        abort
    }
}

And these are the logs I'm getting:

{"level":"info","ts":1668589734.463839,"msg":"using provided configuration","config_file":"/config/Caddyfile","config_adapter":""}
{"level":"warn","ts":1668589734.4649262,"msg":"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies","adapter":"caddyfile","file":"/config/Caddyfile","line":3}
{"level":"info","ts":1668589734.465346,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1668589734.465486,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1668589734.465494,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1668589734.465505,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00051eb60"}
{"level":"info","ts":1668589734.465674,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1668589734.4656858,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"info","ts":1668589734.4657106,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"info","ts":1668589734.465721,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details."}
{"level":"info","ts":1668589734.4657633,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"info","ts":1668589734.4657674,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["*.mydomain.com"]}
{"level":"info","ts":1668589734.4681587,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1668589734.4855313,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1668589734.485538,"msg":"serving initial configuration"}
{"level":"info","ts":1668589734.4864178,"logger":"watcher","msg":"watching config file for changes","config_file":"/config/Caddyfile"}
{"level":"info","ts":1668589734.4923887,"logger":"tls.obtain","msg":"acquiring lock","identifier":"*.mydomain.com"}
{"level":"info","ts":1668589734.5065305,"logger":"tls.obtain","msg":"lock acquired","identifier":"*.mydomain.com"}
{"level":"info","ts":1668589734.5081594,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"*.mydomain.com"}
{"level":"info","ts":1668589735.3726954,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["*.mydomain.com"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
{"level":"info","ts":1668589735.3727517,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["*.mydomain.com"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
{"level":"info","ts":1668589735.715023,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"*.mydomain.com","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1668589736.4691508,"logger":"http.acme_client","msg":"cleaning up solver","identifier":"*.mydomain.com","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.mydomain.com\" (usually OK if presenting also failed)"}
{"level":"error","ts":1668589736.6270103,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.mydomain.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[*.mydomain.com] solving challenges: presenting for challenge: adding temporary record for zone \"mydomain.com.\": Post \"https://api.digitalocean.com/v2/domains/mydomain.com/records\": oauth2: token expired and refresh token is not set (order=https://acme-v02.api.letsencrypt.org/acme/order/<redacted>/<redacted>) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
{"level":"warn","ts":1668589736.63011,"logger":"tls.issuance.zerossl","msg":"missing email address for ZeroSSL; it is strongly recommended to set one for next time"}
{"level":"info","ts":1668589749.4456408,"logger":"tls.issuance.zerossl","msg":"generated EAB credentials","key_id":"<redacted>"}
{"level":"info","ts":1668589768.1749997,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["*.mydomain.com"],"ca":"https://acme.zerossl.com/v2/DV90","account":""}
{"level":"info","ts":1668589768.1750169,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["*.mydomain.com"],"ca":"https://acme.zerossl.com/v2/DV90","account":""}
{"level":"info","ts":1668589786.0051374,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"*.mydomain.com","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"error","ts":1668589786.0053241,"logger":"http.acme_client","msg":"cleaning up solver","identifier":"*.mydomain.com","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.mydomain.com\" (usually OK if presenting also failed)"}
{"level":"error","ts":1668589795.0850728,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.mydomain.com","issuer":"acme.zerossl.com-v2-DV90","error":"[*.mydomain.com] solving challenges: presenting for challenge: adding temporary record for zone \"mydomain.com.\": Post \"https://api.digitalocean.com/v2/domains/mydomain.com/records\": oauth2: token expired and refresh token is not set (order=https://acme.zerossl.com/v2/DV90/order/<redacted>) (ca=https://acme.zerossl.com/v2/DV90)"}
{"level":"error","ts":1668589795.085155,"logger":"tls.obtain","msg":"will retry","error":"[*.mydomain.com] Obtain: [*.mydomain.com] solving challenges: presenting for challenge: adding temporary record for zone \"mydomain.com.\": Post \"https://api.digitalocean.com/v2/domains/mydomain.com/records\": oauth2: token expired and refresh token is not set (order=https://acme.zerossl.com/v2/DV90/order/<redacted>) (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":60.57861185,"max_duration":2592000}
{"level":"info","ts":1668589855.0871596,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"*.mydomain.com"}
{"level":"info","ts":1668589856.4200697,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"*.mydomain.com","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1668589856.4203105,"logger":"http.acme_client","msg":"cleaning up solver","identifier":"*.mydomain.com","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.mydomain.com\" (usually OK if presenting also failed)"}
{"level":"error","ts":1668589856.5778918,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.mydomain.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[*.mydomain.com] solving challenges: presenting for challenge: adding temporary record for zone \"mydomain.com.\": Post \"https://api.digitalocean.com/v2/domains/mydomain.com/records\": oauth2: token expired and refresh token is not set (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/<redacted>/<redacted>) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
{"level":"info","ts":1668589865.7846193,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"*.mydomain.com","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"error","ts":1668589865.784703,"logger":"http.acme_client","msg":"cleaning up solver","identifier":"*.mydomain.com","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.mydomain.com\" (usually OK if presenting also failed)"}
{"level":"error","ts":1668589868.4825253,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.mydomain.com","issuer":"acme.zerossl.com-v2-DV90","error":"[*.mydomain.com] solving challenges: presenting for challenge: adding temporary record for zone \"mydomain.com.\": Post \"https://api.digitalocean.com/v2/domains/mydomain.com/records\": oauth2: token expired and refresh token is not set (order=https://acme.zerossl.com/v2/DV90/order/<redacted>) (ca=https://acme.zerossl.com/v2/DV90)"}
{"level":"error","ts":1668589868.4825914,"logger":"tls.obtain","msg":"will retry","error":"[*.mydomain.com] Obtain: [*.mydomain.com] solving challenges: presenting for challenge: adding temporary record for zone \"mydomain.com.\": Post \"https://api.digitalocean.com/v2/domains/mydomain.com/records\": oauth2: token expired and refresh token is not set (order=https://acme.zerossl.com/v2/DV90/order/<redacted>) (ca=https://acme.zerossl.com/v2/DV90)","attempt":2,"retrying_in":120,"elapsed":133.976048192,"max_duration":2592000}
{"level":"info","ts":1668589988.4865525,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"*.mydomain.com"}
{"level":"info","ts":1668589989.21262,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"*.mydomain.com","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1668589989.21281,"logger":"http.acme_client","msg":"cleaning up solver","identifier":"*.mydomain.com","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.mydomain.com\" (usually OK if presenting also failed)"}
{"level":"error","ts":1668589989.3676631,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.mydomain.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[*.mydomain.com] solving challenges: presenting for challenge: adding temporary record for zone \"mydomain.com.\": Post \"https://api.digitalocean.com/v2/domains/mydomain.com/records\": oauth2: token expired and refresh token is not set (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/<redacted>/<redacted>) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
{"level":"info","ts":1668590007.4248714,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"*.mydomain.com","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"error","ts":1668590007.4250734,"logger":"http.acme_client","msg":"cleaning up solver","identifier":"*.mydomain.com","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.mydomain.com\" (usually OK if presenting also failed)"}
{"level":"error","ts":1668590016.80266,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.mydomain.com","issuer":"acme.zerossl.com-v2-DV90","error":"[*.mydomain.com] solving challenges: presenting for challenge: adding temporary record for zone \"mydomain.com.\": Post \"https://api.digitalocean.com/v2/domains/mydomain.com/records\": oauth2: token expired and refresh token is not set (order=https://acme.zerossl.com/v2/DV90/order/<redacted>) (ca=https://acme.zerossl.com/v2/DV90)"}
{"level":"error","ts":1668590016.8026946,"logger":"tls.obtain","msg":"will retry","error":"[*.mydomain.com] Obtain: [*.mydomain.com] solving challenges: presenting for challenge: adding temporary record for zone \"mydomain.com.\": Post \"https://api.digitalocean.com/v2/domains/mydomain.com/records\": oauth2: token expired and refresh token is not set (order=https://acme.zerossl.com/v2/DV90/order/<redacted>) (ca=https://acme.zerossl.com/v2/DV90)","attempt":3,"retrying_in":120,"elapsed":282.296151784,"max_duration":2592000}

I hope someone's able to help, cheers.

PS: The token I'm using works just fine if I use it with curl to GET this URL: https://api.digitalocean.com/v2/domains/mydomain.com/records

Kofl commented 1 year ago

Saw that error only once when a customer gave the token read_only permissions instead of read and write.

samborambo commented 1 year ago

Same error for me too. R/W permissions. The token shows as being unused in DO. Works fine with curl.

Zalymo commented 6 months ago

Any updates on this? I'm now getting this same issue when attempting to solve DNS challenges.

deltabweb commented 6 months ago

I ended up using lego_deprecated as I couldn't get it working.

alexruetz commented 1 month ago

Could be related to an old DigitalOcean package used by https://github.com/libdns/digitalocean. This hasn't been updated in 2 years.
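
As an added pre-flight check (editor's example, not code from this issue or from the caddy-dns/digitalocean project), the script below does two things before Caddy is started. First, it verifies that every {env.NAME} placeholder in the Caddyfile resolves to a non-empty, unquoted value in the environment Caddy will actually run in: an unset variable expands to an empty string, and in the Go oauth2 library that godo (the DigitalOcean client used by libdns/digitalocean) builds its token source from, an empty access token is rejected with exactly the "oauth2: token expired and refresh token is not set" message seen in the logs above, so the wording does not distinguish "expired" from "never delivered to the process". Second, it can prove write scope by creating and immediately deleting a throwaway TXT record in the zone, which is the same operation the dns-01 solver performs; a GET with curl succeeds with a read-only token, as noted earlier in the thread, while the solver needs a POST. The _preflight-check record name, the 30-second TTL, the trimmed sample Caddyfile and the status-code interpretation are assumptions of the example.

```python
"""Pre-flight check for a Caddyfile that uses the digitalocean DNS module.

Editor's added example, not part of the issue or the project. Run with the
path to a Caddyfile (defaults to the embedded sample) and, optionally,
--probe-zone <zone> to create and delete a short-lived TXT record.
"""
import argparse
import json
import os
import re
import urllib.error
import urllib.request

# Matches Caddy's {env.NAME} placeholders.
PLACEHOLDER = re.compile(r"\{env\.([A-Za-z_][A-Za-z0-9_]*)\}")

# Constructed sample: the Caddyfile from the issue, trimmed to the tls block.
SAMPLE_CADDYFILE = """\
*.mydomain.com {
    tls {
        dns digitalocean {env.DIGITALOCEAN_API_TOKEN}
    }
}
"""


def find_env_placeholders(caddyfile_text):
    """Return the distinct environment variable names referenced as {env.NAME}."""
    return sorted(set(PLACEHOLDER.findall(caddyfile_text)))


def check_env(names, environ):
    """Map each name to 'ok', 'unset', 'empty' or 'suspicious'.

    'suspicious' flags values wrapped in quotes or padded with whitespace,
    which usually means the token was pasted into an env file quotes and all.
    """
    findings = {}
    for name in names:
        value = environ.get(name)
        if value is None:
            findings[name] = "unset"
        elif value == "":
            findings[name] = "empty"
        elif value != value.strip() or value[0] in "\"'" or value[-1] in "\"'":
            findings[name] = "suspicious"
        else:
            findings[name] = "ok"
    return findings


def classify_api_status(status):
    """Turn an HTTP status from the API into a verdict (plain HTTP semantics)."""
    if 200 <= status < 300:
        return "accepted"
    if status == 401:
        return "rejected: credentials not accepted (invalid, revoked or expired token)"
    if status == 403:
        return "rejected: authenticated but not authorized for this operation (scope)"
    return "unexpected status %d" % status


def probe_write_scope(token, zone, opener=urllib.request.urlopen):
    """Create and immediately delete a TXT record in `zone`.

    This is the only probe that proves write scope, because it is what the
    dns-01 solver does. `opener` is injectable so the function can be
    exercised offline with a fake response object.
    """
    base = "https://api.digitalocean.com/v2/domains/%s/records" % zone
    headers = {"Authorization": "Bearer " + token,
               "Content-Type": "application/json"}
    body = json.dumps({"type": "TXT", "name": "_preflight-check",
                       "data": "caddy-preflight", "ttl": 30}).encode()
    try:
        req = urllib.request.Request(base, data=body, headers=headers, method="POST")
        with opener(req) as resp:
            record_id = json.load(resp)["domain_record"]["id"]
    except urllib.error.HTTPError as exc:
        return classify_api_status(exc.code)
    # Clean up: the record only existed to prove the token can write.
    req = urllib.request.Request("%s/%d" % (base, record_id), headers=headers, method="DELETE")
    with opener(req):
        pass
    return "accepted: token can create and delete records in %s" % zone


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description=__doc__)
    ap.add_argument("caddyfile", nargs="?", help="Caddyfile path (default: embedded sample)")
    ap.add_argument("--probe-zone", help="also create and delete a TXT record in this zone")
    args = ap.parse_args()
    text = open(args.caddyfile).read() if args.caddyfile else SAMPLE_CADDYFILE
    findings = check_env(find_env_placeholders(text), os.environ)
    for name, finding in findings.items():
        print("%-30s %s" % (name, finding))
    if args.probe_zone and findings.get("DIGITALOCEAN_API_TOKEN") == "ok":
        print(probe_write_scope(os.environ["DIGITALOCEAN_API_TOKEN"], args.probe_zone))
```

Run it in the same environment Caddy runs in (inside the container, not on the host), since the point of the first check is to see what the Caddy process itself will see; a verdict of "unset" or "empty" there explains the log line without any token problem at DigitalOcean's end.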