1. The problem I’m having:

I am trying to set up Caddy in a Docker container as a reverse proxy for some services that already use a certificate issued by

My directory listing:

├── ca.cer
├── fullchain.cer

I copy the cer, key and ca.cer to the Caddy container.

❯ docker create --name caddy-reverse-proxy \
        -p 80:80 \
        -p 443:443 \
        -p 443:443/udp \
        -v "$(realpath data)":/data \
        -v "$(realpath config)":/config \
        -v "$(realpath etc/caddy)":/etc/caddy/ \
        -v "$(realpath etc/ssl/certs/)":/etc/ssl/certs/ \
        -v "$(realpath etc/ssl/certs/ca.cer)":/etc/ssl/certs/letsencrypt.cer \
        caddy caddy run --config /etc/caddy/Caddyfile

This is my Caddyfile:

(reverseproxyheaders) {
        # {remote_host} is the client IP only; {remote} would also include the client port
        header_up X-Real-IP {remote_host}
        header_down Strict-Transport-Security max-age=31536000
}

# the site address, the certificate and key file names and the upstream address
# were stripped from the post; the closing braces are restored below
 {
        tls /etc/ssl/certs/ /etc/ssl/certs/ {
                ca_root /etc/ssl/certs/letsencrypt.cer
        }

        reverse_proxy {
                import reverseproxyheaders
        }
}

2. Error messages and/or full log output:

When I try to reach my service from the browser, I get the following error:

{"level":"error","ts":1677440146.338388,"logger":"http.log.error","msg":"dial tcp i/o timeout","request":{"remote_ip":"","remote_port":"41478","proto":"HTTP/2.0","method":"GET","host":"","uri":"/","headers":{"Upgrade-Insecure-Requests":["1"],"Te":["trailers"],"User-Agent":["Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0"],"Accept-Language":["en-US,en;q=0.5"],"Accept-Encoding":["gzip, deflate, br"],"Sec-Fetch-Site":["none"],"Sec-Fetch-User":["?1"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8"],"Sec-Fetch-Dest":["document"],"Sec-Fetch-Mode":["navigate"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":""}},"duration":3.003594812,"status":502,"err_id":"9ynr4khqh","err_trace":"reverseproxy.statusError (reverseproxy.go:1299)"}

This is the output of curl -v:

❯ curl -v 
*   Trying
* Connected to ( port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here:

3. Caddy version:

Latest Docker image.

a. System environment:

Ubuntu 20.04, Docker 23.0.0

That’s not a problem with your certs, that’s a problem with your proxy upstream address.

Are you sure that IP address reaches the service you expect? You’re using :8443, is that upstream expecting HTTPS traffic? If so, see the docs: reverse_proxy (Caddyfile directive) — Caddy Documentation
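The 502 in the log above has duration 3.0036 s, which matches the 3 s default dial timeout of Caddy's reverse_proxy transport: the TCP connection to the upstream never completed, so the backend's TLS and the CA files never came into play. Two things are worth checking before the certificates: that the upstream IP and port answer from inside the container's network namespace (not just from the host), and that an upstream on :8443 which expects HTTPS is given a TLS transport, since reverse_proxy speaks plain HTTP by default. The following Caddyfile is an added example for that second case and is not the original poster's configuration; the site name proxy.example.com, the upstream 10.0.0.5:8443, the key file name and the backend name backend.internal are assumptions, while fullchain.cer and letsencrypt.cer are the files from the post. Note also that `ca_root` under `tls` is documented as the trust root for the ACME CA endpoint, not for the backend; the CA that signed the backend's certificate belongs in `tls_trusted_ca_certs` on the transport.

```caddyfile
# Added example (not the original poster's Caddyfile): proxying to an upstream
# that speaks HTTPS on :8443. proxy.example.com, 10.0.0.5:8443, backend.internal
# and the key file name are assumptions.

(reverseproxyheaders) {
        # {remote_host} is the client IP without the port
        header_up X-Real-IP {remote_host}
        header_down Strict-Transport-Security max-age=31536000
}

proxy.example.com {
        # certificate and key that Caddy presents to browsers
        tls /etc/ssl/certs/fullchain.cer /etc/ssl/certs/proxy.example.com.key

        # no scheme on the upstream address: TLS is enabled on the transport below
        reverse_proxy 10.0.0.5:8443 {
                import reverseproxyheaders

                transport http {
                        tls
                        # CA that signed the backend's certificate (ca.cer from the post,
                        # mounted as letsencrypt.cer by the docker create command)
                        tls_trusted_ca_certs /etc/ssl/certs/letsencrypt.cer
                        # name on the backend's certificate; also used as SNI
                        tls_server_name backend.internal

                        # Weak setting, shown for contrast and deliberately commented out:
                        # tls_insecure_skip_verify
                        # It disables backend certificate verification entirely, so any host
                        # that answers on 10.0.0.5:8443 is accepted as the backend.
                }
        }
}
```

When testing from the host, pass the same private CA to curl (`curl --cacert ca.cer https://proxy.example.com/`); otherwise curl stops at "unable to get local issuer certificate", as in the output above, and never gets far enough to show whether the proxy's 502 is fixed.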

Yes, that was a mistake in the IP.
