`auto_https off` in 2.1.0 still seems to try do https renewals

1. Caddy version (caddy version): 2.1.0

2. How I run Caddy:

I’m trying to migrate from json (from 2.0.0) to Caddyfile on 2.1.0.

a. System environment:

k3s - ubuntu

b. Command:

caddy run --config=/etc/caddy/Caddyfile --adapter=caddyfile

c. Service/unit/compose file:

      - name: caddy
        image: caddy:2.1.0
        imagePullPolicy: Always
        command: ["caddy", "run"]
        args:
          - --config=/etc/caddy/Caddyfile
          - --adapter=caddyfile
        volumeMounts:
        - name: caddy-data
          mountPath: /data
        - name: caddy-config
          mountPath: /etc/caddy/Caddyfile
          subPath: Caddyfile
        - name: trusted-certificates
          mountPath: /etc/trusted-certs
          readOnly: true

d. My complete Caddyfile or JSON config:

New Caddyfile

{
    auto_https off
}

unifi.myserver.io:80 {
    reverse_proxy {
        to 192.168.1.3:8443
        transport http {
            tls_insecure_skip_verify
        }
    }
}

Old working Caddyfile.json

{
	"apps": {
		"http": {
			"servers": {
				"srv0": {
					"automatic_https": {
						"disable": true
					},
					"listen": [
						":80"
					],
					"routes": [
						{
							"match": [
								{
									"host": [
										"unifi.myserver.io"
									]
								}
							],
							"handle": [
								{
									"handler": "reverse_proxy",
									"transport": {
										"protocol": "http",
										"tls": {
											"insecure_skip_verify": true
										}
									},
									"upstreams": [
										{
											"dial": "192.168.1.3:8443"
										}
									]
								}
							],
							"terminal": true
						}
					]
				}
			}
		}
	}
}

3. The problem I’m having:

I don’t want Caddy to request its own Let’s Encrypt certificates, as it sits behind a Traefik load balancer that already issues its own certs. My JSON version does this correctly, and I was expecting 2.1.0 to support this with a Caddyfile, based on the release notes.

However, I can see Caddy attempting (and failing) at certificate validations when I use the Caddyfile syntax. This causes Caddy to return 500s on every request.

4. Error messages and/or full log output:

[INFO] [unifi.myserver.io] acme: Obtaining bundled SAN certificate given a CSR
[INFO] [unifi.myserver.io] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/70156375
[INFO] [unifi.myserver.io] acme: use tls-alpn-01 solver
[INFO] [unifi.myserver.io] acme: Trying to solve TLS-ALPN-01
[INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/70156375
[INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/70156375
[ERROR] error: one or more domains had a problem:
[unifi.myserver.io] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Incorrect validation certificate for tls-alpn-01 challenge. Requested unifi.myserver.io from 100.104.12.72:443. Received 2 certificate(s), first certificate had names "unifi.myserver.io", url: 
(challenge=tls-alpn-01 remaining=[])

5. What I already tried:

The JSON version works, but it’s large and cumbersome and I only used JSON for the automatic_https.

6. Links to relevant resources:

That’s strange, because adapting your Caddyfile with caddy adapt gives me this, which is effectively the same thing:

{
  "apps": {
    "http": {
      "servers": {
        "srv0": {
          "listen": [
            ":80"
          ],
          "routes": [
            {
              "match": [
                {
                  "host": [
                    "unifi.myserver.io"
                  ]
                }
              ],
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "handler": "reverse_proxy",
                          "transport": {
                            "protocol": "http",
                            "tls": {
                              "insecure_skip_verify": true
                            }
                          },
                          "upstreams": [
                            {
                              "dial": "192.168.1.3:8443"
                            }
                          ]
                        }
                      ]
                    }
                  ]
                }
              ],
              "terminal": true
            }
          ],
          "automatic_https": {
            "disable": true
          }
        }
      }
    }
  }
}

One thing you could do is use http:// instead of :80 on your site label, I think. But I don’t see how your Caddyfile and JSON configs could behave differently.
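The reply above relies on reading the output of `caddy adapt` by eye to confirm that `automatic_https.disable` survived the conversion. The following Python script is an added example (not code from this thread or from the Caddy project) that performs that check mechanically over the adapted JSON: for each HTTP server it reports the hosts it matches, whether automatic HTTPS is opted out, and, as a security caveat relevant to the posted config, which `reverse_proxy` upstreams are dialled with TLS verification switched off (`insecure_skip_verify`). The `acme_risk` flag is a hypothetical heuristic of this example, not Caddy's own decision logic: a server that names hosts without `"disable": true` is treated as one Caddy may try to obtain certificates for. The sample config is the adapted JSON from this thread, embedded inline so the script runs offline.

```python
import json

# Constructed sample input: the JSON that `caddy adapt` produced for the
# Caddyfile in this thread, reduced to the parts the audit looks at.
ADAPTED_CONFIG = r'''
{
  "apps": {
    "http": {
      "servers": {
        "srv0": {
          "listen": [":80"],
          "routes": [
            {
              "match": [{"host": ["unifi.myserver.io"]}],
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "handler": "reverse_proxy",
                          "transport": {
                            "protocol": "http",
                            "tls": {"insecure_skip_verify": true}
                          },
                          "upstreams": [{"dial": "192.168.1.3:8443"}]
                        }
                      ]
                    }
                  ]
                }
              ],
              "terminal": true
            }
          ],
          "automatic_https": {"disable": true}
        }
      }
    }
  }
}
'''


def iter_routes(routes):
    """Yield every route, descending into the routes of subroute handlers
    (caddy adapt nests the Caddyfile's site body under a subroute)."""
    for route in routes:
        yield route
        for handler in route.get("handle", []):
            if handler.get("handler") == "subroute":
                yield from iter_routes(handler.get("routes", []))


def iter_handlers(routes):
    """Yield every handler object reachable from a route list."""
    for route in iter_routes(routes):
        yield from route.get("handle", [])


def audit_config(config_text):
    """Audit each HTTP server in an adapted Caddy JSON config.

    Returns {server_name: finding_dict}. 'acme_risk' is a hypothetical
    heuristic of this example: a server that names hosts and does not set
    automatic_https.disable = true is treated as one Caddy may try to obtain
    certificates for. 'insecure_upstreams' lists reverse_proxy upstreams
    dialled with TLS verification turned off."""
    cfg = json.loads(config_text)
    servers = cfg.get("apps", {}).get("http", {}).get("servers", {})
    report = {}
    for name, srv in servers.items():
        routes = srv.get("routes", [])
        disabled = srv.get("automatic_https", {}).get("disable") is True
        hosts = sorted({h for r in iter_routes(routes)
                        for m in r.get("match", [])
                        for h in m.get("host", [])})
        insecure = [u.get("dial")
                    for h in iter_handlers(routes)
                    if h.get("handler") == "reverse_proxy"
                    and h.get("transport", {}).get("tls", {}).get("insecure_skip_verify") is True
                    for u in h.get("upstreams", [])]
        report[name] = {
            "listen": srv.get("listen", []),
            "hosts": hosts,
            "auto_https_disabled": disabled,
            "acme_risk": bool(hosts) and not disabled,
            "insecure_upstreams": insecure,
        }
    return report


if __name__ == "__main__":
    # Usage: caddy adapt --config Caddyfile > adapted.json, then feed that
    # file's text to audit_config(); here the embedded sample is used.
    for server, finding in audit_config(ADAPTED_CONFIG).items():
        print(server, json.dumps(finding, indent=2))
```

Running it against the thread's adapted config reports `srv0` with `auto_https_disabled: true` and `acme_risk: false`, which is what the reply concluded by inspection; it also surfaces `192.168.1.3:8443` as an upstream whose certificate is never verified, a trade-off worth recording even when the proxy itself only terminates plain HTTP behind Traefik.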

Thanks for your response. I changed my config to use the http:// instead of :80. It works now, I’m wondering if it was just stuck between config changes or something.

I don’t know. But it works.
