1. The problem I’m having:
I am trying to set up Caddy to provide reverse proxy and HTTPS for Foundry VTT. Specifically I am following this guide. Going to vtt.masterflinter.net times out (as does curling it).
I have my router forwarding ports 443 and 80 to my home-server. I believe this is working because if I set up port forwarding to the foundry port (30000), turn off Caddy, and change the Foundry config file to remove the proxy info I can hit foundry using my ip:port. I could be wrong though since Caddy is having trouble.
If my network setup is relevant then it is Internet → ISP Modem/Router in Bridge mode → Router → home-server.
I have a Porkbun domain name, and I created an A record for my subdomain (vtt.masterflinter.net). I also believe I did this correctly because if you curl vtt.masterflinter.net the correct IP shows up.
The ACME challenge is failing. If I copy the link from the Caddy output and paste it in a browser I see what looks like JSON contents.
In the course of troubleshooting I have tried allowing caddy to bind ports 80 and 443, deleting the contents of /var/lib/caddy/.local/share/caddy/, and verifying that my firewall rules are not blocking 80/443 based on other posts in caddy.community.
2. Error messages and/or full log output:
flint@flint-home-server:/etc/caddy$ caddy run
2023/10/08 19:37:55.090 INFO using adjacent Caddyfile
2023/10/08 19:37:55.091 INFO admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2023/10/08 19:37:55.091 INFO tls.cache.maintenance started background certificate maintenance {"cache": "0xc000372600"}
2023/10/08 19:37:55.091 INFO http.auto_https enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
2023/10/08 19:37:55.091 DEBUG http.auto_https adjusted config {"tls": {"automation":{"policies":[{"subjects":["vtt.masterflinter.net"]},{"subjects":["10.0.0.23"]},{}]}}, "http": {"servers":{"remaining_auto_https_redirects":{"listen":[":80"],"routes":[{},{}]},"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"encodings":{"gzip":{},"zstd":{}},"handler":"encode","prefer":["zstd","gzip"]},{"handler":"reverse_proxy","upstreams":[{"dial":"localhost:30000"}]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"encodings":{"gzip":{},"zstd":{}},"handler":"encode","prefer":["zstd","gzip"]},{"handler":"reverse_proxy","upstreams":[{"dial":"localhost:30000"}]}]}]}],"terminal":true}],"tls_connection_policies":[{"match":{"sni":["10.0.0.23",""]},"default_sni":"10.0.0.23"},{"default_sni":"10.0.0.23"}],"automatic_https":{}}}}}
2023/10/08 19:37:55.097 INFO pki.ca.local root certificate is already trusted by system {"path": "storage:pki/authorities/local/root.crt"}
2023/10/08 19:37:55.097 INFO http enabling HTTP/3 listener {"addr": ":443"}
2023/10/08 19:37:55.097 INFO tls cleaning storage unit {"description": "FileStorage:/home/flint/.local/share/caddy"}
2023/10/08 19:37:55.097 INFO failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details.
2023/10/08 19:37:55.098 DEBUG http starting server loop {"address": "[::]:443", "tls": true, "http3": true}
2023/10/08 19:37:55.098 INFO http.log server running {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2023/10/08 19:37:55.098 DEBUG http starting server loop {"address": "[::]:80", "tls": false, "http3": false}
2023/10/08 19:37:55.098 INFO http.log server running {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2023/10/08 19:37:55.098 INFO http enabling automatic TLS certificate management {"domains": ["10.0.0.23", "vtt.masterflinter.net"]}
2023/10/08 19:37:55.098 INFO tls finished cleaning storage units
2023/10/08 19:37:55.099 WARN tls stapling OCSP {"error": "no OCSP stapling for [10.0.0.23]: no OCSP server specified in certificate", "identifiers": ["10.0.0.23"]}
2023/10/08 19:37:55.099 DEBUG tls.cache added certificate to cache {"subjects": ["10.0.0.23"], "expiration": "2023/10/09 02:21:04.000", "managed": true, "issuer_key": "local", "hash": "fbb3789a5940cf1eb8f6fbf47640ef9b8dcc4e23c8e7d179c37b02c17626c7be", "cache_size": 1, "cache_capacity": 10000}
2023/10/08 19:37:55.099 DEBUG events event {"name": "cached_managed_cert", "id": "efc810d6-42c8-4695-9015-8cf3122c69b6", "origin": "tls", "data": {"sans":["10.0.0.23"]}}
2023/10/08 19:37:55.099 INFO autosaved config (load with --resume flag) {"file": "/home/flint/.config/caddy/autosave.json"}
2023/10/08 19:37:55.099 INFO serving initial configuration
2023/10/08 19:37:55.099 INFO tls.obtain acquiring lock {"identifier": "vtt.masterflinter.net"}
2023/10/08 19:37:55.100 INFO tls.obtain lock acquired {"identifier": "vtt.masterflinter.net"}
2023/10/08 19:37:55.100 INFO tls.obtain obtaining certificate {"identifier": "vtt.masterflinter.net"}
2023/10/08 19:37:55.100 DEBUG events event {"name": "cert_obtaining", "id": "72bea34c-35e5-4f83-9c49-dde66f60c487", "origin": "tls", "data": {"identifier":"vtt.masterflinter.net"}}
2023/10/08 19:37:55.100 DEBUG tls.obtain trying issuer 1/2 {"issuer": "acme-v02.api.letsencrypt.org-directory"}
2023/10/08 19:37:55.269 DEBUG tls.issuance.acme.acme_client http request {"method": "GET", "url": "https://acme-v02.api.letsencrypt.org/directory", "headers": {"User-Agent":["Caddy/2.7.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["752"],"Content-Type":["application/json"],"Date":["Sun, 08 Oct 2023 19:37:55 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2023/10/08 19:37:55.313 DEBUG tls.issuance.acme.acme_client http request {"method": "HEAD", "url": "https://acme-v02.api.letsencrypt.org/acme/new-nonce", "headers": {"User-Agent":["Caddy/2.7.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Date":["Sun, 08 Oct 2023 19:37:55 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["_s_5u1NQ_1R6zAjpagMeeY3lBbwMZsnNUVEqXlYN-B_cNSEVLAE"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2023/10/08 19:37:55.376 DEBUG tls.issuance.acme.acme_client http request {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/new-acct", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["1350494416"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["335"],"Content-Type":["application/json"],"Date":["Sun, 08 Oct 2023 19:37:55 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf>;rel=\"terms-of-service\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/acct/1350494416"],"Replay-Nonce":["IAvmRRVVRKsAZIfMhwDXE3o1Hc0s_B9fyv7lQzyR9la8dhmnPvQ"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 201}
2023/10/08 19:37:55.377 INFO tls.issuance.acme waiting on internal rate limiter {"identifiers": ["vtt.masterflinter.net"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "cdflint.caddy@masterflinter.net"}
2023/10/08 19:37:55.377 INFO tls.issuance.acme done waiting on internal rate limiter {"identifiers": ["vtt.masterflinter.net"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "cdflint.caddy@masterflinter.net"}
2023/10/08 19:37:55.448 DEBUG tls.issuance.acme.acme_client http request {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/new-order", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["1350494416"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["347"],"Content-Type":["application/json"],"Date":["Sun, 08 Oct 2023 19:37:55 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/order/1350494416/213739532386"],"Replay-Nonce":["_s_5u1NQ2FbSV5pkgU4XwPjNczQUp55g85xId4OlYWnRcfL3XQk"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 201}
2023/10/08 19:37:55.495 DEBUG tls.issuance.acme.acme_client http request {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/authz-v3/271985688956", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["1350494416"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["805"],"Content-Type":["application/json"],"Date":["Sun, 08 Oct 2023 19:37:55 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["IAvmRRVVa2fqHATSlZJ8VVvqJo6gHNJLR2ytoFm1l7ebzm7rSS0"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2023/10/08 19:37:55.495 DEBUG tls.issuance.acme.acme_client no solver configured {"challenge_type": "dns-01"}
2023/10/08 19:37:55.495 INFO tls.issuance.acme.acme_client trying to solve challenge {"identifier": "vtt.masterflinter.net", "challenge_type": "tls-alpn-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2023/10/08 19:37:55.496 DEBUG tls.issuance.acme.acme_client waiting for solver before continuing {"identifier": "vtt.masterflinter.net", "challenge_type": "tls-alpn-01"}
2023/10/08 19:37:55.496 DEBUG tls.issuance.acme.acme_client done waiting for solver {"identifier": "vtt.masterflinter.net", "challenge_type": "tls-alpn-01"}
2023/10/08 19:37:55.496 DEBUG http.stdlib http: TLS handshake error from 127.0.0.1:43406: EOF
2023/10/08 19:37:55.547 DEBUG tls.issuance.acme.acme_client http request {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/271985688956/Xw1Sgw", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["1350494416"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["191"],"Content-Type":["application/json"],"Date":["Sun, 08 Oct 2023 19:37:55 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://acme-v02.api.letsencrypt.org/acme/authz-v3/271985688956>;rel=\"up\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/chall-v3/271985688956/Xw1Sgw"],"Replay-Nonce":["IAvmRRVVDTQd5cDy67to-X5LnsrzaNAf2cq1-KuSTtdWQqvj84M"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2023/10/08 19:37:55.547 DEBUG tls.issuance.acme.acme_client challenge accepted {"identifier": "vtt.masterflinter.net", "challenge_type": "tls-alpn-01"}
2023/10/08 19:37:55.845 DEBUG tls.issuance.acme.acme_client http request {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/authz-v3/271985688956", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["1350494416"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["805"],"Content-Type":["application/json"],"Date":["Sun, 08 Oct 2023 19:37:55 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["IAvmRRVVDbRF_4zwW9qdIDS61vj-09Hi_0yZTbJakeim5KjA6Tg"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2023/10/08 19:37:56.142 DEBUG tls.issuance.acme.acme_client http request {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/authz-v3/271985688956", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["1350494416"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["805"],"Content-Type":["application/json"],"Date":["Sun, 08 Oct 2023 19:37:56 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["IAvmRRVVl5y2PpFTyZ6r1iabtv8jAEhwxwCfUEDzUqgLtvHxpSc"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2023/10/08 19:37:56.438 DEBUG tls.issuance.acme.acme_client http request {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/authz-v3/271985688956", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["1350494416"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["805"],"Content-Type":["application/json"],"Date":["Sun, 08 Oct 2023 19:37:56 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["_s_5u1NQDaNJNIQtSMwbQbHtgEfvwJlxfnhv-H2_aMldipjF6zw"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2023/10/08 19:37:56.735 DEBUG tls.issuance.acme.acme_client http request {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/authz-v3/271985688956", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["1350494416"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["805"],"Content-Type":["application/json"],"Date":["Sun, 08 Oct 2023 19:37:56 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["IAvmRRVVYv3PGY1PsT3x4BHnToNwBP_dQ_MFRUODGloYBYQNSE8"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2023/10/08 19:37:57.031 DEBUG tls.issuance.acme.acme_client http request {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/authz-v3/271985688956", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["1350494416"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["805"],"Content-Type":["application/json"],"Date":["Sun, 08 Oct 2023 19:37:57 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["IAvmRRVVX0nKaM-bogsTBw4gwf-zLpGzFieZt8wd-WOD4B9oWAQ"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2023/10/08 19:37:57.327 DEBUG tls.issuance.acme.acme_client http request {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/authz-v3/271985688956", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["1350494416"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["805"],"Content-Type":["application/json"],"Date":["Sun, 08 Oct 2023 19:37:57 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["IAvmRRVVfLIyqKjNeoR5zaTvJG_7X4cbNCFy0KpFwLt3LRqzU8g"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2023/10/08 19:37:57.623 DEBUG tls.issuance.acme.acme_client http request {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/authz-v3/271985688956", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["1350494416"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["805"],"Content-Type":["application/json"],"Date":["Sun, 08 Oct 2023 19:37:57 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["_s_5u1NQo1hXDY-cz_rV2kdE1TK7b3YYtNcsaOD1_UpbBsdZLV4"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2023/10/08 19:37:57.921 DEBUG tls.issuance.acme.acme_client http request {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/authz-v3/271985688956", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["1350494416"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["805"],"Content-Type":["application/json"],"Date":["Sun, 08 Oct 2023 19:37:57 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["_s_5u1NQBFTo51HdcmUk4ENYQHt04T-m0NxSs6KQRrVg3yqEryE"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2023/10/08 19:37:58.217 DEBUG tls.issuance.acme.acme_client http request {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/authz-v3/271985688956", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["1350494416"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["805"],"Content-Type":["application/json"],"Date":["Sun, 08 Oct 2023 19:37:58 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["_s_5u1NQqrBtON8ABA8kfoIQ1ujukSSAfEo_5jAAqe_GvNmudMw"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
3. Caddy version:
v2.7.4 h1:J8nisjdOxnYHXlorUKXY75Gr6iBfudfoGhrJ8t7/flI=
4. How I installed and ran Caddy:
- add Caddy repository
- install Caddy using apt
- apt update+upgrade
- Edit Caddyfile in /etc/caddy/
a. System environment:
Running Caddy on Ubuntu Server 22.04
b. Command:
caddy run --config /etc/caddy/Caddyfile
or
caddy run (if I am already in /etc/caddy)
c. Service/unit/compose file:
d. My complete Caddy config:
# This replaces the existing content in /etc/caddy/Caddyfile
# A CONFIG SECTION FOR YOUR IP AND HOSTNAME
{
    default_sni 10.0.0.23
    debug
    email cdflint.caddy@masterflinter.net
}
10.0.0.23 {
    # PROXY ALL REQUEST TO PORT 30000
    tls internal
    reverse_proxy localhost:30000
    encode zstd gzip
}
vtt.masterflinter.net {
    # PROXY ALL REQUEST TO PORT 30000
    reverse_proxy localhost:30000
    encode zstd gzip
}
# Refer to the Caddy docs for more information:
# https://caddyserver.com/docs/caddyfile
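
As an added example (not part of the original post and not Caddy's own tooling), this Python script condenses a debug log like the one above into the ACME challenge state: which challenge types had no solver, which were attempted and accepted, and how often each authorization URL was requested. The sample lines are constructed in the post's log format with placeholder hostnames, and the script recognizes only the messages shown in the post plus ERROR-level lines.

```python
import json
import re
from collections import Counter

# Constructed sample in the console log format shown in the post
# (hostnames and URLs are placeholders, JSON fields shortened).
SAMPLE_LOG = """\
2023/10/08 19:37:55.495 DEBUG tls.issuance.acme.acme_client no solver configured {"challenge_type": "dns-01"}
2023/10/08 19:37:55.495 INFO tls.issuance.acme.acme_client trying to solve challenge {"identifier": "vtt.example.test", "challenge_type": "tls-alpn-01"}
2023/10/08 19:37:55.496 DEBUG http.stdlib http: TLS handshake error from 127.0.0.1:43406: EOF
2023/10/08 19:37:55.547 DEBUG tls.issuance.acme.acme_client challenge accepted {"identifier": "vtt.example.test", "challenge_type": "tls-alpn-01"}
2023/10/08 19:37:55.845 DEBUG tls.issuance.acme.acme_client http request {"method": "POST", "url": "https://acme.example.test/acme/authz-v3/1", "status_code": 200}
2023/10/08 19:37:56.142 DEBUG tls.issuance.acme.acme_client http request {"method": "POST", "url": "https://acme.example.test/acme/authz-v3/1", "status_code": 200}
"""

# timestamp, level, "logger message" text, optional trailing JSON object
LINE_RE = re.compile(r"^(\S+ \S+)\s+(DEBUG|INFO|WARN|ERROR)\s+(.*?)(?:\s+(\{.*\}))?$")

def parse_line(line):
    """Split one console log line; returns None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, level, text, raw = m.groups()
    try:
        fields = json.loads(raw) if raw else {}
    except json.JSONDecodeError:
        fields = {}  # trailing braces that were not valid JSON
    return {"ts": ts, "level": level, "text": text, "fields": fields}

def summarize_acme(log_text):
    """Collect the ACME challenge events that appear in the log text."""
    s = {"no_solver": [], "attempted": [], "accepted": [],
         "authz_requests": Counter(), "errors": []}
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        text, f = rec["text"], rec["fields"]
        if rec["level"] == "ERROR":
            s["errors"].append(text)
        elif text.endswith("no solver configured"):
            s["no_solver"].append(f.get("challenge_type"))
        elif text.endswith("trying to solve challenge"):
            s["attempted"].append(f.get("challenge_type"))
        elif text.endswith("challenge accepted"):
            s["accepted"].append(f.get("challenge_type"))
        elif text.endswith("http request") and "/authz" in f.get("url", ""):
            s["authz_requests"][f["url"]] += 1
    return s

def outcome(summary):
    """Coarse state: did the captured log reach an error or stop while polling?"""
    if summary["errors"]:
        return "error_logged"
    return "awaiting_validation" if summary["accepted"] else "not_started"
```

A result of `awaiting_validation` means the capture ends while the client is still requesting the authorization URL, so the CA's verdict on the challenge is not yet in the log.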