Acme.sh certificates

1. The problem I’m having:

I am trying to set up Caddy in a Docker container as a reverse proxy for some services that already use a certificate issued by acme.sh.

My list of acme.sh directory:

/home/krautcat/odisharia.ru/acme.sh/ipa.services.odisharia.ru_ecc
├── ca.cer
├── fullchain.cer
├── ipa.services.odisharia.ru.cer
├── ipa.services.odisharia.ru.conf
├── ipa.services.odisharia.ru.csr
├── ipa.services.odisharia.ru.csr.conf
└── ipa.services.odisharia.ru.key

I copy the cer, key and ca.cer files to the Caddy container.

❯ docker create --name caddy-reverse-proxy \
        -p 80:80 \
        -p 443:443 \
        -p 443:443/udp \
        -v "$(realpath data)":/data \
        -v "$(realpath config)":/config \
        -v "$(realpath etc/caddy)":/etc/caddy/ \
        -v "$(realpath etc/ssl/certs/acme.sh)":/etc/ssl/certs/acme.sh \
        -v "$(realpath etc/ssl/certs/ca.cer)":/etc/ssl/certs/letsencrypt.cer \
        caddy caddy --config /etc/caddy/Caddyfile run

This is my Caddyfile:

{
        debug
}

(reverseproxyheaders) {
        header_up X-Real-IP {remote}
        header_down Strict-Transport-Security max-age=31536000
}

http://ipa.services.odisharia.ru {
        reverse_proxy 172.10.0.4:8080
}

https://ipa.services.odisharia.ru {
        tls /etc/ssl/certs/acme.sh/ipa.services.odisharia.ru.cer /etc/ssl/certs/acme.sh/ipa.services.odisharia.ru.key {
                ca_root /etc/ssl/certs/letsencrypt.cer
        }

        reverse_proxy 172.10.0.4:8443 {
                import reverseproxyheaders
        }
}

2. Error messages and/or full log output:

When I try to reach my service from a browser, I get the following error:

{"level":"error","ts":1677440146.338388,"logger":"http.log.error","msg":"dial tcp 172.10.0.4:8443: i/o timeout","request":{"remote_ip":"193.138.218.225","remote_port":"41478","proto":"HTTP/2.0","method":"GET","host":"ipa.services.odisharia.ru","uri":"/","headers":{"Upgrade-Insecure-Requests":["1"],"Te":["trailers"],"User-Agent":["Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0"],"Accept-Language":["en-US,en;q=0.5"],"Accept-Encoding":["gzip, deflate, br"],"Sec-Fetch-Site":["none"],"Sec-Fetch-User":["?1"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8"],"Sec-Fetch-Dest":["document"],"Sec-Fetch-Mode":["navigate"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"ipa.services.odisharia.ru"}},"duration":3.003594812,"status":502,"err_id":"9ynr4khqh","err_trace":"reverseproxy.statusError (reverseproxy.go:1299)"}

This is the output of curl -v:

❯ curl -v https://ipa.services.odisharia.ru 
*   Trying 206.189.55.28:443...
* Connected to ipa.services.odisharia.ru (206.189.55.28) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

3. Caddy version:

Latest Docker image.

a. System environment:

Ubuntu 20.04, Docker 23.0.0
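The curl output in the post ends with the alert "unknown CA" and "unable to get local issuer certificate". That is what a client reports when the server presents only the leaf certificate and the client cannot find the intermediate that links it to a root in its trust store. In the acme.sh directory listed above, `<domain>.cer` is the leaf alone, `ca.cer` is the issuing intermediate, and `fullchain.cer` is the leaf followed by the intermediate. The Go program below is an added example, not code from this thread or from Caddy or acme.sh: it builds a throwaway root/intermediate/leaf hierarchy in memory (the host name and all certificates are constructed, not the thread's), then plays the curl side twice, once against a bundle containing only the leaf and once against a fullchain-style bundle, using only the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Files is a constructed stand-in for the acme.sh output directory:
// Cer is <domain>.cer (leaf only), CA is ca.cer (the intermediate),
// Fullchain is fullchain.cer (leaf followed by intermediate). Root is the
// trust anchor a client such as curl already has in its CA store.
type Files struct {
	Cer, CA, Fullchain []byte
	Root               *x509.Certificate
}

func toPEM(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildFiles creates a throwaway root -> intermediate -> leaf hierarchy for host.
func BuildFiles(host string) (*Files, error) {
	keys := make([]*ecdsa.PrivateKey, 3) // root, intermediate, leaf
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	now := time.Now()
	ca := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		}
	}
	rootTmpl := ca(1, "Constructed Root")
	root, err := issue(rootTmpl, rootTmpl, &keys[0].PublicKey, keys[0])
	if err != nil {
		return nil, err
	}
	inter, err := issue(ca(2, "Constructed Intermediate"), root, &keys[1].PublicKey, keys[0])
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := issue(leafTmpl, inter, &keys[2].PublicKey, keys[1])
	if err != nil {
		return nil, err
	}
	return &Files{Cer: toPEM(leaf), CA: toPEM(inter), Fullchain: append(toPEM(leaf), toPEM(inter)...), Root: root}, nil
}

// VerifyAsClient plays the curl side: it trusts only root, treats the first
// certificate in the served bundle as the leaf and any further ones as
// intermediates, which is how a TLS client reads the server's Certificate message.
func VerifyAsClient(root *x509.Certificate, served []byte, host string) error {
	var certs []*x509.Certificate
	for rest := served; ; {
		var blk *pem.Block
		if blk, rest = pem.Decode(rest); blk == nil {
			break
		}
		c, err := x509.ParseCertificate(blk.Bytes)
		if err != nil {
			return err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return errors.New("no certificates in bundle")
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range certs[1:] {
		inters.AddCert(c)
	}
	_, err := certs[0].Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err
}

// IsUnknownAuthority reports whether err is the failure curl renders as
// "unable to get local issuer certificate" with a TLS "unknown CA" alert.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	const host = "ipa.example.test" // constructed placeholder, not the thread's host
	f, err := BuildFiles(host)
	if err != nil {
		panic(err)
	}
	fmt.Println("serving <domain>.cer only:", VerifyAsClient(f.Root, f.Cer, host))
	fmt.Println("serving fullchain.cer:", VerifyAsClient(f.Root, f.Fullchain, host))
}
```

The leaf-only run fails with `x509: certificate signed by unknown authority`, the fullchain run succeeds. The same split applies to the Caddyfile: `tls` takes a certificate file that may contain the whole chain, so pointing it at `fullchain.cer` rather than `<domain>.cer` is what lets clients without the intermediate cached build the path to the root.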

That’s not a problem with your certs, that’s a problem with your proxy upstream address.

Are you sure that IP address reaches the service you expect? You’re using :8443, is that upstream expecting HTTPS traffic? If so, see the docs: reverse_proxy (Caddyfile directive) — Caddy Documentation

Yes, that was a mistake in the IP.

Thanks!

