ACME problem: Code:6111 Message:Invalid format for Authorization header

I’ve been trying to set up wildcard-style subdomains for days now, but I consistently get the following:

{"level":"INFO","ts":"2024/04/06 20:20:16","logger":"tls","msg":"finished cleaning storage units"}
{"level":"INFO","ts":"2024/04/06 20:20:16","logger":"tls.obtain","msg":"acquiring lock","identifier":"*.subjective.place"}
{"level":"INFO","ts":"2024/04/06 20:20:16","logger":"tls.obtain","msg":"lock acquired","identifier":"*.subjective.place"}
{"level":"INFO","ts":"2024/04/06 20:20:16","logger":"tls.obtain","msg":"obtaining certificate","identifier":"*.subjective.place"}
{"level":"INFO","ts":"2024/04/06 20:20:16","logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["*.subjective.place"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"[email protected]"}
{"level":"INFO","ts":"2024/04/06 20:20:16","logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["*.subjective.place"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"[email protected]"}
{"level":"INFO","ts":"2024/04/06 20:20:17","logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"*.subjective.place","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"ERROR","ts":"2024/04/06 20:20:18","logger":"tls.issuance.acme.acme_client","msg":"cleaning up solver","identifier":"*.subjective.place","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.subjective.place\" (usually OK if presenting also failed)"}
{"level":"ERROR","ts":"2024/04/06 20:20:18","logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.subjective.place","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[*.subjective.place] solving challenges: presenting for challenge: adding temporary record for zone \"subjective.place.\": got error status: HTTP 400: [{Code:6003 Message:Invalid request headers ErrorChain:[{Code:6111 Message:Invalid format for Authorization header}]}] (order=https://acme-v02.api.letsencrypt.org/acme/order/1657323807/258724915407) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
{"level":"INFO","ts":"2024/04/06 20:20:19","logger":"tls.issuance.zerossl.acme_client","msg":"trying to solve challenge","identifier":"*.subjective.place","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"ERROR","ts":"2024/04/06 20:20:20","logger":"tls.issuance.zerossl.acme_client","msg":"cleaning up solver","identifier":"*.subjective.place","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.subjective.place\" (usually OK if presenting also failed)"}
{"level":"ERROR","ts":"2024/04/06 20:20:20","logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.subjective.place","issuer":"acme.zerossl.com-v2-DV90","error":"[*.subjective.place] solving challenges: presenting for challenge: adding temporary record for zone \"subjective.place.\": got error status: HTTP 400: [{Code:6003 Message:Invalid request headers ErrorChain:[{Code:6111 Message:Invalid format for Authorization header}]}] (order=https://acme.zerossl.com/v2/DV90/order/SL5l7VCfP660pKwKjdaoOQ) (ca=https://acme.zerossl.com/v2/DV90)"}
{"level":"ERROR","ts":"2024/04/06 20:20:20","logger":"tls.obtain","msg":"will retry","error":"[*.subjective.place] Obtain: [*.subjective.place] solving challenges: presenting for challenge: adding temporary record for zone \"subjective.place.\": got error status: HTTP 400: [{Code:6003 Message:Invalid request headers ErrorChain:[{Code:6111 Message:Invalid format for Authorization header}]}] (order=https://acme.zerossl.com/v2/DV90/order/SL5l7VCfP660pKwKjdaoOQ) (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":4.564666287,"max_duration":2592000}

This happens on both my domains:

  • subjective.agency
  • subjective.place

After searching high and wide, I found the following possible causes for the issue:

  • Unconventional domain name. Some users who had this issue a few years back reported that domains like .com are resolved without issues, but domains like .xyz fail.

  • CF token issue. In most topics I looked through, it was mentioned that this obscure error message indicates a missing or incorrect CF token. I tried creating/recreating the token several times, but nothing changed. The current token has the permissions listed in GitHub - libdns/cloudflare (Cloudflare provider implementation for libdns), but it still doesn’t work.

Also, maybe important: I’m using Caddy as a reverse proxy.
Caddyfile (the CF token is real but has been rolled since):

{
        admin 0.0.0.0:2019
        auto_https disable_redirects
        email [email protected]
        acme_dns cloudflare x0GnnpmwGUElwCojhnUthvMKep6QRNlDHGL3YZim

        log {
                output file /var/log/caddy/ctrl_access.log
        }
}

(cloudflare) {
        tls {
                protocols tls1.3
                key_type p256
                dns cloudflare x0GnnpmwGUElwCojhnUthvMKep6QRNlDHGL3YZim
                resolvers 1.1.1.1
        }
}

:50556 {
        respond "This is a test message to indicate that caddy is working"
}

*.subjective.agency {
        import cloudflare

        @inf host subdomain1.subjective.agency
        handle @inf {
                reverse_proxy localhost:50556
        }

        @devdb host subdomain2.subjective.agency
        handle @devdb {
                respond "WTF"
        }
}

*.subjective.place {
        import cloudflare

        @bul host subdomain1.subjective.place
        handle @bul {
                reverse_proxy 10.0.0.3:50313
        }
}
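The Cloudflare error chain in the log (6003 "Invalid request headers" wrapping 6111 "Invalid format for Authorization header") is raised before any DNS record is touched, so the token string itself is the first thing to inspect. The following pre-flight check is an added illustration, not code from the post, Caddy or libdns/cloudflare; it assumes Cloudflare API tokens are 40 characters of [A-Za-z0-9_-], that the legacy Global API Key is 37 hex characters, and that Cloudflare's v4 JSON error body nests causes under "error_chain" (none of which is stated on the page).

```python
# Added pre-flight check for the Cloudflare token the dns-01 solver puts in
# "Authorization: Bearer <token>". Assumed, not from the page: scoped tokens are
# 40 chars of [A-Za-z0-9_-]; Global API Key is 37 hex; errors nest in "error_chain".
import json
import re

TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{40}$")   # assumed scoped-token shape
GLOBAL_KEY_RE = re.compile(r"^[0-9a-f]{37}$")   # assumed Global API Key shape
BAD_CHAR_RE = re.compile(r"[^A-Za-z0-9_-]")

def token_issues(token):
    """Reasons the Bearer header built from `token` would be malformed (HTTP 400,
    codes 6003/6111 at Cloudflare). An empty list means the token looks sane."""
    issues = []
    if token == "":
        return ["token is empty (unset variable or unfilled placeholder)"]
    if token != token.strip():
        issues.append("leading/trailing whitespace or newline in token")
    core = token.strip()
    if core != core.strip("\"'"):
        issues.append("token is wrapped in quote characters")
        core = core.strip("\"'")
    bad = sorted(set(BAD_CHAR_RE.findall(core)))
    if bad:
        issues.append("unexpected characters in token: %r" % "".join(bad))
    if GLOBAL_KEY_RE.match(core):
        issues.append("looks like a Global API Key, not a scoped API token")
    elif not TOKEN_RE.match(core):
        issues.append("length/alphabet does not match the assumed 40-char token shape")
    return issues

def error_codes(body):
    """Flatten Cloudflare error codes outermost first, e.g. [6003, 6111]."""
    def walk(errs):
        for err in errs:
            yield int(err["code"])
            yield from walk(err.get("error_chain", []))
    return list(walk(json.loads(body).get("errors", [])))

# Constructed samples: a fake token with a trailing newline pasted along with it,
# and a JSON body matching the error chain printed in the Caddy log above.
SAMPLE_TOKEN = "Ab12Cd34Ef56Gh78Ij90Kl12Mn34Op56Qr78St90\n"
SAMPLE_BODY = json.dumps({"success": False, "errors": [{"code": 6003,
    "message": "Invalid request headers", "error_chain": [
        {"code": 6111, "message": "Invalid format for Authorization header"}]}]})
```

Running `token_issues` on the value Caddy actually receives (after any environment-variable substitution) separates a malformed header from a permissions problem, which would surface as a different Cloudflare error code.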
