Acme.sh - tcp port 80 is already used by caddy

1. Caddy version (caddy version):

v2.4.6

2. How I run Caddy:

As a reverse-proxy in front of Apache.

a. System environment:

AlmaLinux release 8.5

b. Command:

caddy run

c. Service/unit/compose file:

N/A

d. My complete Caddyfile or JSON config:

sub.domain.tld:443 {
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        -Server
    }

    encode gzip
    log {
        output file /var/log/caddy-access.log
        format json
    }
    tls /root/.acme.sh/sub.domain.tld_ecc/fullchain.cer /root/.acme.sh/sub.domain.tld_ecc/sub.domain.tld.key {
        protocols tls1.3
    }
    reverse_proxy 127.0.0.1:81
}

3. The problem I’m having:

Updating the SSL cert(s) fails. I use acme.sh. If I run the following code [root@sub ~]# acme.sh --cron --force, I get the error listed below. I couldn’t find any info on this issue. I can’t believe I’m the only one. If I manually stop Caddy and run the same command, the cert gets renewed. What’s the proper way to resolve this issue? I do want auto HTTP->HTTPS but I also want my cert to get auto-renewed as well :)

4. Error messages and/or full log output:

[Sun Jan  2 15:15:44 EST 2022] ===Starting cron===
[Sun Jan  2 15:15:44 EST 2022] Renew: 'sub.domain.tld'
[Sun Jan  2 15:15:44 EST 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sun Jan  2 15:15:45 EST 2022] Standalone mode.
[Sun Jan  2 15:15:45 EST 2022] LISTEN 0      128                *:80               *:*    users:(("caddy",pid=1388,fd=7))
[Sun Jan  2 15:15:45 EST 2022] tcp port 80 is already used by (("caddy",pid=1388,fd=7))
[Sun Jan  2 15:15:45 EST 2022] Please stop it first
[Sun Jan  2 15:15:45 EST 2022] _on_before_issue.
[Sun Jan  2 15:15:45 EST 2022] Error renew sub.domain.tld.
[Sun Jan  2 15:15:45 EST 2022] Renew: 'sub.domain.tld'
[Sun Jan  2 15:15:45 EST 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sun Jan  2 15:15:45 EST 2022] Standalone mode.
[Sun Jan  2 15:15:45 EST 2022] LISTEN 0      128                *:80               *:*    users:(("caddy",pid=1388,fd=7))
[Sun Jan  2 15:15:45 EST 2022] tcp port 80 is already used by (("caddy",pid=1388,fd=7))
[Sun Jan  2 15:15:45 EST 2022] Please stop it first
[Sun Jan  2 15:15:45 EST 2022] _on_before_issue.
[Sun Jan  2 15:15:45 EST 2022] Error renew sub.domain.tld_ecc.
[Sun Jan  2 15:15:45 EST 2022] ===End cron===

5. What I already tried:

I’m not sure where to begin troubleshooting. Everything works except for the fact that the SSL cert(s) will not auto-renew because Caddy is listening on port 80 even though I specified a domain and port 443 in Caddyfile.

6. Links to relevant resources:

Why are you using acme.sh?

Caddy can issue and maintain certificates for you itself.

Caddy needs to bind to port 80 to make HTTP->HTTPS redirects possible, and it also uses that port for ACME HTTP challenges.

The server came configured this way. I noticed the certs expired so I ran [root@sub ~]# acme.sh --cron --force as a test to see why the cert renewal failed.

The server also has:

# crontab -l
19 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

Can someone please walk me through “undoing” my current configuration so that I can have Caddy issue and maintain certs for itself? It makes no sense, to me, to have the server set up the way that it is now. Is it just a matter of editing the Caddyfile?

All you need to do is remove the tls directive from your config, and Caddy will automatically enable certificate maintenance for that domain. Caddy makes any ACME clients like acme.sh completely redundant.

sub.domain.tld {
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        -Server
    }

    encode gzip
    log {
        output file /var/log/caddy-access.log
        format json
    }

    reverse_proxy 127.0.0.1:81
}
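Pulling the two replies together, here is an added cutover script; it is not part of the thread and not Caddy or acme.sh project code. It reports who holds TCP port 80 from `ss -ltnp` output (the same check acme.sh makes before it gives up in the log above), strips the `tls` directive from a Caddyfile the way the second reply's config does (and drops the explicit `:443`, as that reply did), removes the acme.sh cron entry from the thread, and after a reload prints the issuer of the certificate Caddy obtained. The Caddyfile location `/etc/caddy/Caddyfile` is an assumption; the text-processing functions are exercised on constructed input in the dry-run branch, so the script can be tried without root.

```shell
#!/bin/sh
# Added example (not from the thread): move a host from acme.sh-managed
# certificates to Caddy's built-in ACME management, then verify the result.
# Assumptions: Caddyfile at /etc/caddy/Caddyfile (hypothetical path),
# standard `ss -ltnp` column layout, the acme.sh cron line from the thread
# in root's crontab.
set -eu

# Who owns TCP port 80? Reads `ss -ltnp` output on stdin and prints
# "<process> <pid>", "free", or "unknown ..." when ss was not run as root.
port80_owner() {
  awk '$1 == "LISTEN" && $4 ~ /:80$/ {
         found = 1
         split($0, q, "\"")                         # q[2] = process name
         if (match(q[3], /pid=[0-9]+/))
           print q[2], substr(q[3], RSTART + 4, RLENGTH - 4)
         else
           print "unknown (run ss as root to see the owner)"
         exit
       }
       END { if (!found) print "free" }'
}

# Remove every tls directive (one-liner or brace block) from a Caddyfile and,
# as the reply did, drop an explicit :443 from the site address. With no tls
# directive Caddy obtains and renews the certificate itself and answers the
# ACME HTTP challenge on port 80, so acme.sh no longer needs that port.
strip_tls_directive() {
  awk '
    skipping {                                      # inside tls { ... }
      depth += gsub(/\{/, "&"); depth -= gsub(/\}/, "&")
      if (depth <= 0) skipping = 0
      next
    }
    /^[ \t]*tls([ \t]|$)/ {                         # tls directive line
      if ($0 ~ /\{[ \t]*$/) { skipping = 1; depth = 1 }
      next
    }
    /^[^ \t#{]+:443[ \t]*\{/ { sub(/:443/, "") }     # host:443 { -> host {
    { print }'
}

# Drop the acme.sh cron entry; Caddy renews on its own schedule.
drop_acme_cron() { grep -v 'acme\.sh.*--cron' || true; }

if [ "${1:-}" = "--apply" ]; then
  # Live cutover, run as root. caddy validate/reload flags exist in Caddy v2.
  CADDYFILE=/etc/caddy/Caddyfile                    # assumed location
  echo "port 80 owner before: $(ss -ltnp | port80_owner)"
  cp -a "$CADDYFILE" "$CADDYFILE.bak"
  strip_tls_directive < "$CADDYFILE.bak" > "$CADDYFILE"
  caddy validate --config "$CADDYFILE" --adapter caddyfile
  crontab -l | drop_acme_cron | crontab -
  caddy reload --config "$CADDYFILE" --adapter caddyfile
  sleep 15                                          # let the ACME exchange finish
  openssl s_client -connect sub.domain.tld:443 -servername sub.domain.tld </dev/null 2>/dev/null \
    | openssl x509 -noout -issuer -dates            # expect a Let's Encrypt issuer
else
  # Dry run over constructed input; the ss line is the one from the log above.
  printf 'LISTEN 0 128 *:80 *:* users:(("caddy",pid=1388,fd=7))\n' | port80_owner
  printf '%s\n' 'sub.domain.tld:443 {' '    tls /root/x.cer /root/x.key {' \
                '        protocols tls1.3' '    }' '    reverse_proxy 127.0.0.1:81' '}' \
    | strip_tls_directive
fi
```

Run it with no arguments for the dry run, or `--apply` as root to perform the cutover. Once Caddy owns port 80, acme.sh's standalone mode cannot bind it, which is why the fix in this thread is to stop running acme.sh rather than to free the port for it.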
