ACME server for local HTTPS on Synology

1. The problem I’m having:

I have a running caddy on my network doing reverse proxy to a file server. This works fine. I also have another server running caddy and referencing back to an acme_ca on the other public facing server. This works fine too. Nice to have https on internal web applications.

Now I am trying something apparently more difficult: trying to get Caddy to provide acme_ca HTTPS support for my Synology web page.

I installed, or rather copied, a caddy executable to my Synology 218+ running an Intel CPU (Celeron or Pentium). Caddy runs fine there. But when I set up Caddy to work like my other downstream server I found the Synology was already using 443 and 80, so I put http_port and https_port settings into Caddy to get around this. However, whenever I attempt to connect to the web server, using my local DNS to resolve the IP address from a URL in my local definitions, I get the classic SSL_ERROR_INTERNAL_ERROR_ALERT.

In addition, and this may be the problem, I am seeing Caddy errors.

2. Error messages and/or full log output:

2024/02/21 21:53:25.746 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "media01.mooncaptain.pn.net", "challenge_type": "http-01", "ca": "https://acme.localserver/acme/local/directory"}
2024/02/21 21:58:25.870 ERROR   tls.issuance.acme.acme_client   deactivating authorization      {"identifier": "media01.mooncaptain.pn.net", "authz": "https://acme.localserver/acme/local/authz/bjiigAgx0hGtmwrOfCASyWEya7xUFLN3", "error": "attempt 1: https://acme.localserver/acme/local/authz/bjiigAgx0hGtmwrOfCASyWEya7xUFLN3: HTTP 0 urn:ietf:params:acme:error:malformed - The request message was malformed"}
2024/02/21 21:58:25.870 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "media01.mooncaptain.pn.net", "issuer": "acme.localserver-acme-local-directory", "error": "[media01.mooncaptain.pn.net] solving challenges: [media01.mooncaptain.pn.net] authorization took too long (order=https://acme.localserver/acme/local/order/KVXHGOYg6A0EPXDHZYdD9zAaPFBnqFSB) (ca=https://acme.localserver/acme/local/directory)"}
2024/02/21 21:58:25.870 ERROR   tls.obtain      will retry      {"error": "[media01.mooncaptain.pn.net] Obtain: [media01.mooncaptain.pn.net] solving challenges: [media01.mooncaptain.pn.net] authorization took too long (order=https://acme.localserver/acme/local/order/KVXHGOYg6A0EPXDHZYdD9zAaPFBnqFSB) (ca=https://acme.localserver/acme/local/directory)", "attempt": 6, "retrying_in": 600, "elapsed": 3001.206464712, "max_duration": 2592000}

3. Caddy version:

v2.7.6 h1

4. How I installed and ran Caddy:

I downloaded caddy_linux_amd64 from the Caddy website.

I renamed it to caddy and parked it in /usr/sbin to get it into the PATH.

Created a Caddyfile in my home folder.

Copied the root.crt from my public-facing Caddy into the /etc/ssl/certs folder.

a. System environment:

Linux Media01 4.4.180+ #42962 SMP Wed Sep 21 10:56:47 CST 2022 x86_64 GNU/Linux synology_apollolake_218+

b. Command:

sudo caddy run

or

sudo caddy start

c. Service/unit/compose file:

No Docker, no Compose, no systemd service.

d. My complete Caddy config:

I have three Caddyfiles:

Main Caddyfile (works well):

#FRONTEND on fileserver01

# ACME Server
acme.localserver {
	acme_server
	tls internal
}

https://allthisisthat.net {
	reverse_proxy localhost:8080
}

Back end that fails:

# http://192.168.0.218:8080
# BACKEND - on synology Media01
# Global Option Block
{
	# General Option
	#debug

	# TLS Options
	# reference acme server on fileserver01
	acme_ca https://acme.localserver/acme/local/directory

	# copied from  root.crt on fileserver to here:
	acme_ca_root /etc/ssl/certs/root.crt
	http_port 880
	https_port 8443
	
}
https://media01.mooncaptain.pn.net:8443 {
	handle * {
		reverse_proxy 192.168.0.218:5000
	}
}

Back end that works:

#BACKEND - on mediaserver03
# Global Option Block
{
	# General Option
	#debug

	# TLS Options
	# reference acme server on fileserver01
	acme_ca https://acme.localserver/acme/local/directory
	# copy of root.crt from the fileserver
	acme_ca_root /etc/ssl/certs/root.crt
}

https://mediaserver03.mooncaptain.pn.net {
	handle /sonarr* {
		reverse_proxy localhost:8989
	}
	handle /emby* {
		reverse_proxy localhost:8096
	}
	handle /nzbget* {
		reverse_proxy localhost:6789
	}
}

5. Links to relevant resources:

Where I got started: Use Caddy for local HTTPS (TLS) between front-end reverse proxy and LAN hosts

This essentially means the ACME server couldn’t connect to your client to validate it using the HTTP or TLS-ALPN challenges, I think. It needs to be able to reach it on port 80/443 (requirement of the ACME protocol).

How do you have DNS set up here? Are you sure all machines are resolving that domain to the correct IP? Clearly it’s internal DNS because that domain isn’t in public DNS.
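A preflight check in the spirit of that answer, as an added example that is neither from this thread nor from the Caddy project: it pulls the identifier and challenge type out of Caddy's "trying to solve challenge" log line and probes, from where the CA runs, the port that challenge needs (80 for http-01, 443 for tls-alpn-01), which the client's http_port/https_port overrides do not change. The console log layout the regex assumes and the injectable resolve/connect hooks are assumptions of this example.

```python
# Preflight for a Caddy client that uses a private acme_server (added example).
# The CA validates http-01 on port 80 and tls-alpn-01 on port 443 of the identifier.
import json
import re
import socket

CHALLENGE_PORTS = {"http-01": 80, "tls-alpn-01": 443}
# Assumed console log layout: "<date> <time> <LEVEL> <logger> <message> <json>"
LOG_RE = re.compile(r"^\S+ \S+\s+(\w+)\s+(\S+)\s+(.*?)\s+(\{.*\})$")
# Log line quoted from the thread above (the http-01 attempt that timed out)
SAMPLE_LINE = '2024/02/21 21:53:25.746 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "media01.mooncaptain.pn.net", "challenge_type": "http-01", "ca": "https://acme.localserver/acme/local/directory"}'

def parse_caddy_log(line):
    """Split one Caddy console log line into (level, logger, message, fields)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    level, logger, message, raw = m.groups()
    return level, logger, message, json.loads(raw)

def tcp_connect(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def preflight(identifier, challenge_type, resolve=socket.gethostbyname, connect=tcp_connect):
    """Resolve the identifier as the CA would and probe the port that challenge uses."""
    port = CHALLENGE_PORTS.get(challenge_type)
    if port is None:
        return {"identifier": identifier, "ok": False, "reason": f"unsupported challenge {challenge_type}"}
    try:
        address = resolve(identifier)
    except OSError as exc:
        return {"identifier": identifier, "ok": False, "reason": f"DNS lookup failed: {exc}"}
    ok = connect(address, port)
    reason = None if ok else (f"{challenge_type} needs {address}:{port} reachable from the CA; "
                              "check http_port/https_port overrides and services already bound there")
    return {"identifier": identifier, "address": address, "port": port, "ok": ok, "reason": reason}

def preflight_from_log(line, **probes):
    """Run preflight for the identifier and challenge named in a solve-challenge log line."""
    parsed = parse_caddy_log(line)
    if parsed is None or parsed[2] != "trying to solve challenge":
        return None
    fields = parsed[3]
    return preflight(fields["identifier"], fields["challenge_type"], **probes)
```

Run it on the machine hosting acme_server, since that is the vantage point that matters; a real run uses the default DNS and TCP hooks, while the injectable hooks let the logic be checked without a network.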

I am using Unbound on pfSense to manage local DNS; it's working for other things.
Also, I tried putting :443 on the end of the URL to the ACME server and I get a very fast error response, as in:

2024/02/22 12:11:01.724 INFO    tls.obtain      obtaining certificate   {"identifier": "media01.mooncaptain.pn.net"}
2024/02/22 12:11:01.726 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "media01.mooncaptain.pn.net", "issuer": "acme.localserver-acme-local-directory:443", "error": "registering account [] with server: provisioning client: HTTP 404: 404 page not found\n"}
2024/02/22 12:11:01.727 ERROR   tls.obtain      will retry      {"error": "[media01.mooncaptain.pn.net] Obtain: registering account [] with server: provisioning client: HTTP 404: 404 page not found\n", "attempt": 4, "retrying_in": 300, "elapsed": 300.017924004, "max_duration": 2592000}

That clearly didn't work.
One last thing: the goal being a valid HTTPS connection to the Synology, I did try using the working ACME server setup I have on my other internal web server (mediaserver03) by doing a reverse proxy to the problematic Synology. At first I tried to map a sub-folder to the website. See the config below.

#BACKEND - on mediaserver03
# Global Option Block
{
	# General Option
	#debug

	# TLS Options
	# reference acme server on fileserver01
	acme_ca https://acme.localserver/acme/local/directory
	# copy of root.crt from the fileserver
	acme_ca_root /etc/ssl/certs/root.crt
}

https://mediaserver03.mooncaptain.pn.net {
	handle /sonarr* {
		reverse_proxy localhost:8989
	}
	handle /emby* {
		reverse_proxy localhost:8096
	}
	handle /nzbget* {
		reverse_proxy localhost:6789
	}
	handle /media01* {
		reverse_proxy http://192.168.0.218:5000
	}
}

I got various wrong results, mostly page not found errors. There is no way to map a subfolder in the Synology setup.

After this failed, I tried to connect using just the base URL:

	handle {
		reverse_proxy http://192.168.0.218:5000
	}

And this worked.

That gives more information, but I still have one other Synology I would like to connect to over HTTPS and no way to use the mediaserver03 Caddy to deal with both of them. Also I have run out of servers to put Caddy on. Maybe I could use VirtualBox; then I could have one dedicated Caddy for each Synology. Messing around in the Synology OS is a pain.

Enough day dreaming.
Thanks for your response; if there is more I could try with this setup, please let me know.

I solved the problem by abandoning the Caddy on the Synology and adding some logic in the downstream Caddy, i.e. the one that calls the acme_ca in the public-facing Caddy.

I use the Unbound DNS resolver on my pfSense router to create a couple of subdomains on my mediaserver03 web server:

media01.mediaserver03
media02.mediaserver03

Both overrides point to the IP address of mediaserver03, and Caddy intelligently treats them as different URLs and forwards them appropriately.

Now I have HTTPS on all LAN servers.
In case you are wondering (I would be), some of the URLs you see are from a tailnet and some are from my Unbound resolver. Just know that they are pointing to LAN IP addresses.

#BACKEND - on mediaserver03
# Global Option Block
{
	# General Option
	#debug

	# TLS Options
	# reference acme server on fileserver01
	acme_ca https://acme.localserver/acme/local/directory
	# copy of root.crt from the fileserver
	acme_ca_root /etc/ssl/certs/root.crt
}

https://mediaserver03.mooncaptain.pn.net {
	handle /sonarr* {
		reverse_proxy localhost:8989
	}
	handle /emby* {
		reverse_proxy localhost:8096
	}
	handle /nzbget* {
		reverse_proxy localhost:6789
	}
}
https://media01.mediaserver03 {
	reverse_proxy http://192.168.0.218:5000
}
https://media02.mediaserver03 {
	reverse_proxy http://192.168.0.19:5000
}