Help: Caddy can't renew its certificate anymore

I've been running the Docker version of Caddy for a long time without trouble: domain resolution and certificate renewal all worked. Then I happened to notice a pile of _acme-challenge TXT records in the DNSPod console, looked into it, and found Caddy's log saying certificate renewal had failed.

It used to work, and the earliest _acme-challenge record dates from April. I'd like to know what caused the renewal to start failing :sob: I have no clue at all.

The Caddy I use is this one: GitHub - kkkgo/caddy-docker · GitHub, which has the dnspod plugin.
DDNS is configured on the NAS, and resolution in DNSPod is fine.

Part of the log file; the domain and email have been redacted.

date,stream,content
2026/05/13 12:30:11,stderr,"{"level":"error","ts":1778646611.3007264,"logger":"tls.renew","msg":"will retry","error":"[*.mydomain.cn] Renew: [*.mydomain.cn] solving challenges: waiting for solver certmagic.solverWrapper to be ready: no memory of presenting a DNS record for "_acme-challenge.mydomain.cn" (usually OK if presenting also failed) (order=https://acme-v02.api.letsencrypt.org/acme/order/2138772365/510265948426) (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":4.48313876,"max_duration":2592000}
"
2026/05/13 12:30:11,stderr,"{"level":"error","ts":1778646611.3006105,"logger":"tls.renew","msg":"could not get certificate from issuer","identifier":"*.mydomain.cn","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[*.mydomain.cn] solving challenges: waiting for solver certmagic.solverWrapper to be ready: no memory of presenting a DNS record for "_acme-challenge.mydomain.cn" (usually OK if presenting also failed) (order=https://acme-v02.api.letsencrypt.org/acme/order/2138772365/510265948426) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
"
2026/05/13 12:30:11,stderr,"{"level":"error","ts":1778646611.032793,"msg":"cleaning up solver","identifier":"*.mydomain.cn","challenge_type":"dns-01","error":"no memory of presenting a DNS record for "_acme-challenge.mydomain.cn" (usually OK if presenting also failed)","stacktrace":"github.com/mholt/acmez/v3.(*Client).solveChallenges.func1\n\tgithub.com/mholt/acmez/[email protected]/client.go:331\ngithub.com/mholt/acmez/v3.(*Client).solveChallenges\n\tgithub.com/mholt/acmez/[email protected]/client.go:385\ngithub.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/[email protected]/client.go:149\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/[email protected]/acmeissuer.go:498\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/[email protected]/acmeissuer.go:391\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/[email protected]/modules/caddytls/acmeissuer.go:292\ngithub.com/caddyserver/certmagic.(*Config).renewCert.func2\n\tgithub.com/caddyserver/[email protected]/config.go:952\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/[email protected]/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).renewCert\n\tgithub.com/caddyserver/[email protected]/config.go:1028\ngithub.com/caddyserver/certmagic.(*Config).RenewCertAsync\n\tgithub.com/caddyserver/[email protected]/config.go:804\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func2\n\tgithub.com/caddyserver/[email protected]/config.go:469\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/[email protected]/async.go:73"}
"
2026/05/13 12:30:08,stderr,"{"level":"info","ts":1778646608.35068,"msg":"trying to solve challenge","identifier":"*.mydomain.cn","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
"
2026/05/13 12:30:06,stderr,"{"level":"info","ts":1778646606.8222723,"logger":"http","msg":"using ACME account","account_id":"https://acme-v02.api.letsencrypt.org/acme/acct/2138772365","account_contact":["mailto:[email protected]"]}
"
2026/05/13 12:30:06,stderr,"{"level":"info","ts":1778646606.8222265,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["*.mydomain.cn"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"[email protected]"}
"
2026/05/13 12:30:06,stderr,"{"level":"info","ts":1778646606.8220966,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["*.mydomain.cn"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"[email protected]"}
"
2026/05/13 12:30:06,stderr,"{"level":"info","ts":1778646606.8181903,"logger":"tls.renew","msg":"renewing certificate","identifier":"*.mydomain.cn","remaining":569468.181818377}
"
2026/05/13 12:30:06,stderr,"{"level":"info","ts":1778646606.8175447,"logger":"tls.renew","msg":"lock acquired","identifier":"*.mydomain.cn"}
"
2026/05/13 12:30:06,stderr,"{"level":"info","ts":1778646606.762355,"logger":"tls.renew","msg":"acquiring lock","identifier":"*.mydomain.cn"}
"
2026/05/13 12:30:06,stderr,"{"level":"info","ts":1778646606.7186878,"logger":"tls","msg":"finished cleaning storage units"}
"
2026/05/13 12:30:06,stderr,"{"level":"info","ts":1778646606.717737,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/data/cert","instance":"f4fbd575-a501-48d8-b7fd-c67b84cb0662","try_again":1778733006.7177312,"try_again_in":86399.999998775}
"
2026/05/13 12:30:06,stderr,"{"level":"info","ts":1778646606.6688046,"logger":"tls","msg":"certificate needs renewal based on ARI window","subjects":["*.mydomain.cn"],"expiration":1779216075,"ari_cert_id":"rkie3IcdRKBv2qLlYHQEeMKcAIA.BVHrasOHbiEGIlKCPzU5EC3R","next_ari_update":1778650315.7273977,"renew_check_interval":600,"window_start":1776547519,"window_end":1776702968,"selected_time":1776579869,"renewal_cutoff":1776579269}
"
2026/05/13 12:30:06,stderr,"{"level":"info","ts":1778646606.6686342,"msg":"serving initial configuration"}
"
2026/05/13 12:30:06,stderr,"{"level":"info","ts":1778646606.6685905,"msg":"autosaved config (load with --resume flag)","file":"/root/.config/caddy/autosave.json"}
"
2026/05/13 12:30:06,stderr,"{"level":"info","ts":1778646606.6595893,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["*.mydomain.cn"]}
"
2026/05/13 12:30:06,stderr,"{"level":"info","ts":1778646606.659565,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
"
2026/05/13 12:30:06,stderr,"{"level":"info","ts":1778646606.6592526,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 7168 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
"
2026/05/13 12:30:06,stderr,"{"level":"info","ts":1778646606.6583645,"logger":"http","msg":"enabling HTTP/3 listener","addr":":6223"}
"
2026/05/13 12:30:06,stderr,"{"level":"info","ts":1778646606.6583152,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
"
2026/05/13 12:30:06,stderr,"{"level":"warn","ts":1778646606.6583083,"logger":"http","msg":"HTTP/3 skipped because it requires TLS","network":"tcp","addr":":80"}
"
2026/05/13 12:30:06,stderr,"{"level":"warn","ts":1778646606.6582725,"logger":"http","msg":"HTTP/2 skipped because it requires TLS","network":"tcp","addr":":80"}
"
2026/05/13 12:30:06,stderr,"{"level":"info","ts":1778646606.65346,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
"
2026/05/13 12:30:06,stderr,"{"level":"info","ts":1778646606.6533902,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":6223}
"
2026/05/13 12:30:06,stderr,"{"level":"info","ts":1778646606.6528914,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x389f128bd800"}
"
2026/05/13 12:30:06,stderr,"{"level":"warn","ts":1778646606.65228,"logger":"admin","msg":"admin endpoint disabled"}
"
2026/05/13 12:30:06,stderr,"{"level":"warn","ts":1778646606.6507986,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/tmp/caddyfile","line":2}
"
2026/05/13 12:30:06,stderr,"{"level":"info","ts":1778646606.6507945,"msg":"adapted config to JSON","adapter":"caddyfile"}
"
2026/05/13 12:30:06,stderr,"{"level":"info","ts":1778646606.6507897,"msg":"using config from file","file":"/tmp/caddyfile"}
"
2026/05/13 12:30:06,stderr,"{"level":"info","ts":1778646606.6507819,"msg":"GOMEMLIMIT is updated","GOMEMLIMIT":11156708966,"previous":9223372036854775807}
"
2026/05/13 12:30:06,stderr,"{"level":"info","ts":1778646606.6507454,"msg":"maxprocs: Honoring GOMAXPROCS="2" as set in environment"}
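Reading an export like the one above by hand is tedious, and after the CSV export the payloads are not even valid JSON any more (the quotes around `_acme-challenge.mydomain.cn` inside the error string are unescaped). The Python below is an added example, not code from the thread or from the kkkgo/caddy-docker image: it parses such an export, falls back to regexes when `json.loads` rejects a line, and maps the two error messages that appear in this thread to what to check next. The sample records are constructed from the redacted lines in the thread (the third mirrors the `[::1]:53` error posted later); the diagnosis texts are my own reading of those messages.

```python
"""Triage Caddy renewal errors from a CSV-exported Docker log (added example)."""
import json
import re
from dataclasses import dataclass

# Constructed sample in the same "date,stream,content" layout as the thread's export.
# Record 1 and 2 copy the thread's redacted lines; record 3 mirrors the "[::1]:53"
# error from a later reply. Not a live capture.
SAMPLE_EXPORT = r'''date,stream,content
2026/05/13 12:30:11,stderr,"{"level":"error","ts":1778646611.3006105,"logger":"tls.renew","msg":"could not get certificate from issuer","identifier":"*.mydomain.cn","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[*.mydomain.cn] solving challenges: waiting for solver certmagic.solverWrapper to be ready: no memory of presenting a DNS record for "_acme-challenge.mydomain.cn" (usually OK if presenting also failed) (order=https://acme-v02.api.letsencrypt.org/acme/order/2138772365/510265948426) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
"
2026/05/13 12:30:08,stderr,"{"level":"info","ts":1778646608.35068,"msg":"trying to solve challenge","identifier":"*.mydomain.cn","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
"
2026/05/13 15:03:42,stderr,"{"level":"error","ts":1778655822.2701826,"logger":"tls.renew","msg":"could not get certificate from issuer","identifier":"*.mydomain.cn","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[*.mydomain.cn] creating new order: provisioning client: performing request: Get \"https://acme-staging-v02.api.letsencrypt.org/directory\": dial tcp: lookup acme-staging-v02.api.letsencrypt.org on [::1]:53: dial udp [::1]:53: connect: cannot assign requested address (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
"
'''

# One CSV row: "<date> <time>,<stream>,"<json payload>"; the header row and the stray
# closing-quote lines of the export do not match and are skipped.
_LINE = re.compile(r'^[\d/]+ [\d:]+,(?:stdout|stderr),"(.*)$')

# Regex fallback for payloads that are not valid JSON. "error" is matched non-greedily
# so it stops at the first quote followed by another key or the closing brace, which
# steps over the unescaped quotes inside the message itself.
_FALLBACK = {
    "level": r'"level":"(\w+)"',
    "ts": r'"ts":([0-9.]+)',
    "msg": r'"msg":"([^"]*)"',
    "error": r'"error":"(.*?)"(?:,"[a-z_]+":|\}$)',
}

# Substring of the error text -> what to check next (author's reading of the thread).
DIAGNOSES = [
    ("dial udp [::1]:53",
     "resolver misconfiguration: the container is sending DNS queries to ::1; "
     "check /etc/resolv.conf, the Docker --dns setting and the Caddyfile resolvers option"),
    ("no memory of presenting a DNS record",
     "the DNS provider module never recorded creating the _acme-challenge TXT record; "
     "find the earlier 'presenting' failure and check the plugin, its credentials and the image build"),
]


@dataclass
class Finding:
    ts: float
    msg: str
    error: str
    ca: str
    diagnosis: str


def parse_export(text: str) -> list[dict]:
    """Return one dict per log record, using the regex fallback where JSON parsing fails."""
    records = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        payload = m.group(1)
        try:
            rec = json.loads(payload)
        except json.JSONDecodeError:
            rec = {}
            for key, pattern in _FALLBACK.items():
                found = re.search(pattern, payload)
                if found:
                    rec[key] = found.group(1)
        records.append(rec)
    return records


def diagnose(error: str) -> str:
    for needle, advice in DIAGNOSES:
        if needle in error:
            return advice
    return "unclassified; read the full error text"


def triage(text: str) -> list[Finding]:
    """Return one Finding per error-level record, oldest first."""
    findings = []
    for rec in parse_export(text):
        if rec.get("level") != "error":
            continue
        error = rec.get("error", "")
        ca = re.search(r"\(ca=([^)]+)\)", error)  # CA the attempt was made against
        findings.append(Finding(float(rec.get("ts", 0)), rec.get("msg", ""), error,
                                ca.group(1) if ca else "", diagnose(error)))
    return sorted(findings, key=lambda f: f.ts)


if __name__ == "__main__":
    for f in triage(SAMPLE_EXPORT):
        print(f"{f.ts:.0f}  {f.msg}\n    ca={f.ca}\n    -> {f.diagnosis}")
```

The `ca=` field is worth printing: the first error was made against the production Let's Encrypt directory, the later one against the staging directory, and the later one never reached the CA at all because name resolution inside the container pointed at `[::1]:53`. Those are two different failures and should be chased separately.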

Same Docker Caddy reverse proxy here and certificate renewal works fine; the server is deployed in Seoul.

If it's a mainland China IP, it may be a network issue; there was indeed a round of tightening in April…

Probably a network issue… wait a few days

Everything is fine on my side; I just tested and got a certificate without trouble.

The certificate expires in a week :sweat_smile:

If it's a network problem, is there a fix? Do I need a VPN?

no memory of presenting a DNS record for "_acme-challenge.mydomain.cn"

That's your error right there: DNS resolution failed. You need to check your DNS.

Yeah, that's set as an environment variable when creating the Docker container. I tried it; with it set it still errored, and the domain even returned 502 directly, so I set it back to empty.

After setting the DNS, the error:

{"level":"error","ts":1778655822.2701826,"logger":"tls.renew","msg":"could not get certificate from issuer","identifier":"*.mydomain.cn","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[*.mydomain.cn] creating new order: provisioning client: performing request: Get \"https://acme-staging-v02.api.letsencrypt.org/directory\": dial tcp: lookup acme-staging-v02.api.letsencrypt.org on [::1]:53: dial udp [::1]:53: connect: cannot assign requested address (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"} 

It's going over IPv6, I guess…

:face_exhaling:
I'm worn out. Following the AI's advice I removed the container's dns again and added resolvers to the tls block in the Caddyfile, but the problem persists.

Or try not using AI and just let Caddy do its job.

On my Openclaw machine, the entire config is just:
123.456.com {
    tls {
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    }

    reverse_proxy 127.0.0.1:19000
}

I see the log says no memory of presenting a DNS record

For example, write the config like this

*.mydomain.cn {
    tls {
        dns dnspod {env.DNSPOD_ID} {env.DNSPOD_TOKEN}
        propagation_delay 60s  # wait 60 seconds before checking
        resolvers 1.1.1.1 8.8.8.8  # force external DNS for the pre-check
    }
}

That is, switch the server's DNS and lengthen the wait before the check. In my case the server's default DNS propagated more slowly than CF's (after the domain's _acme-challenge changed, CF's and Google's DNS updated within about 10 seconds, but the server's default DNS didn't return the new result until 5 minutes later), so the local pre-check never passed and certificate renewal failed.
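The resolver mismatch described above can be measured instead of guessed at. The Python below is an added example (not from the thread, Caddy or certmagic) that sends a raw DNS TXT query, standard library only so it runs inside the Caddy container, to each resolver and reports whether the expected _acme-challenge value is visible there; a resolver that still answers NXDOMAIN or with a stale token is the one the pre-check will stall on. The resolver list in the usage line (127.0.0.11 is Docker's embedded DNS; 223.5.5.5, 1.1.1.1 and 8.8.8.8 are the public resolvers named in this thread) and the placeholder token are assumptions; `build_txt_response` exists only so the parser can be exercised offline.

```python
"""Check how different resolvers see an _acme-challenge TXT record (added example)."""
import secrets
import socket
import struct

QTYPE_TXT, QCLASS_IN = 16, 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels, terminated by the root label."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\x00"


def build_txt_query(name: str, txid: int) -> bytes:
    """Standard query, RD=1, one question of type TXT / class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPE_TXT, QCLASS_IN)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_txt_answers(msg: bytes, txid: int) -> list[str]:
    """TXT strings in the answer section; raises on id mismatch or non-zero RCODE."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (answer not for our query)")
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0x000F} (3 = NXDOMAIN)")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    txts = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_TXT:
            # TXT RDATA is one or more <len><bytes> character-strings; join them
            i, parts = 0, []
            while i < len(rdata):
                n = rdata[i]
                parts.append(rdata[i + 1:i + 1 + n].decode("latin-1"))
                i += 1 + n
            txts.append("".join(parts))
    return txts


def build_txt_response(query: bytes, txts: list[str], ttl: int = 60, rcode: int = 0) -> bytes:
    """Construct a minimal answer to `query`: one TXT RR per string, owner name given as
    a compression pointer to the question. Used to exercise the parser offline."""
    txid = struct.unpack(">H", query[:2])[0]
    question = query[12:_skip_name(query, 12) + 4]
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_TXT, QCLASS_IN, ttl, 1 + len(t))
                   + bytes([len(t)]) + t.encode("ascii") for t in txts)
    return struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, len(txts), 0, 0) + question + rrs


def record_present(msg: bytes, txid: int, expected: str) -> bool:
    """True if the answer carries `expected`; False on NXDOMAIN, wrong id or malformed data."""
    try:
        return expected in parse_txt_answers(msg, txid)
    except (ValueError, IndexError, struct.error):
        return False


def query_txt(name: str, resolver: str, timeout: float = 3.0) -> list[str]:
    """Ask one resolver (IPv4 or IPv6 address) for the TXT records of `name` over UDP."""
    txid = secrets.randbelow(65536)  # unpredictable id so stray answers are rejected
    family = socket.AF_INET6 if ":" in resolver else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_txt_query(name, txid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_txt_answers(data, txid)


def propagation_report(name: str, expected: str, resolvers: list[str]) -> dict[str, str]:
    """Per resolver: 'present', 'absent', or the error text (timeouts and NXDOMAIN included)."""
    report = {}
    for r in resolvers:
        try:
            report[r] = "present" if expected in query_txt(name, r) else "absent"
        except (OSError, ValueError) as e:
            report[r] = f"error: {e}"
    return report


if __name__ == "__main__":
    # Live usage (assumed resolvers): run inside the container and replace the placeholder
    # with the token value Caddy just wrote to DNSPod.
    print(propagation_report("_acme-challenge.mydomain.cn", "EXPECTED-TOKEN-PLACEHOLDER",
                             ["127.0.0.11", "223.5.5.5", "1.1.1.1", "8.8.8.8"]))
```

If the public resolvers report `present` while the container's default one reports `absent` or an error, the `resolvers` option is the right fix; if every resolver reports `absent` long after Caddy logged "trying to solve challenge", the record was never written and the DNS plugin, its credentials or the image itself is where to look.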

resolvers 223.5.5.5 8.8.8.8

Already added it, still doesn't work.

I tried adding propagation_delay too, no luck.

Also, there's a pile of _acme-challenge records in DNSPod; that can't be normal, right? Is it because validation didn't pass, so they were never deleted?

Delete them first; the current failure might be related to those leftover bad records.

Blind guess: it's an IPv6 problem, but I'm not sure which hop in the chain is broken.

Now I delete them as soon as they appear :rofl:

Possibly. I've run into this before too: couldn't reach some API, but disabling IPv6 and forcing it over IPv4 fixed it.

How should I troubleshoot this? Turn off IPv6 on the router?

By default Caddy validates over HTTP port 80. Are you going through HTTP port 80 validation? The connection from outside may no longer be reachable. Try switching to DNS API validation; it's more stable.

I opened an issue with the image I'm using and it's solved; it was a problem with the image :sweat_smile: