1. Caddy version (caddy version): 2.1.0
2. How I run Caddy:
I’m trying to migrate from json (from 2.0.0) to Caddyfile on 2.1.0.
a. System environment:
k3s - ubuntu
b. Command:
caddy run --config=/etc/caddy/Caddyfile --adapter=caddyfile
c. Service/unit/compose file:
- name: caddy
  image: caddy:2.1.0
  imagePullPolicy: Always
  command: ["caddy", "run"]
  args:
    - --config=/etc/caddy/Caddyfile
    - --adapter=caddyfile
  volumeMounts:
    - name: caddy-data
      mountPath: /data
    - name: caddy-config
      mountPath: /etc/caddy/Caddyfile
      subPath: Caddyfile
    - name: trusted-certificates
      mountPath: /etc/trusted-certs
      readOnly: true
d. My complete Caddyfile or JSON config:
New Caddyfile
{
    auto_https off
}

unifi.myserver.io:80 {
    reverse_proxy {
        to 192.168.1.3:8443
        transport http {
            tls_insecure_skip_verify
        }
    }
}
Old working Caddyfile.json
{
  "apps": {
    "http": {
      "servers": {
        "srv0": {
          "automatic_https": {
            "disable": true
          },
          "listen": [
            ":80"
          ],
          "routes": [
            {
              "match": [
                {
                  "host": [
                    "unifi.myserver.io"
                  ]
                }
              ],
              "handle": [
                {
                  "handler": "reverse_proxy",
                  "transport": {
                    "protocol": "http",
                    "tls": {
                      "insecure_skip_verify": true
                    }
                  },
                  "upstreams": [
                    {
                      "dial": "192.168.1.3:8443"
                    }
                  ]
                }
              ],
              "terminal": true
            }
          ]
        }
      }
    }
  }
}
3. The problem I’m having:
I don’t want Caddy to request its own Let’s Encrypt certificates, as it sits behind a Traefik load balancer that already issues its own certs. My JSON version does this correctly, and I was expecting 2.1.0 to support this using a Caddyfile, based on the release notes.
However, I can see Caddy attempting (and failing) at certificate validations when I use the Caddyfile syntax. This causes Caddy to return 500s on every request.
4. Error messages and/or full log output:
[INFO] [unifi.myserver.io] acme: Obtaining bundled SAN certificate given a CSR
[INFO] [unifi.myserver.io] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/70156375
[INFO] [unifi.myserver.io] acme: use tls-alpn-01 solver
[INFO] [unifi.myserver.io] acme: Trying to solve TLS-ALPN-01
[INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/70156375
[INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/70156375
[ERROR] error: one or more domains had a problem:
[unifi.myserver.io] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Incorrect validation certificate for tls-alpn-01 challenge. Requested unifi.myserver.io from 100.104.12.72:443. Received 2 certificate(s), first certificate had names "unifi.myserver.io", url:
(challenge=tls-alpn-01 remaining=[])
5. What I already tried:
The JSON version works, but it’s large and cumbersome, and I only used JSON for the automatic_https.
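As an added example (not part of the post above), a small lint over the JSON that `caddy adapt --config /etc/caddy/Caddyfile --adapter caddyfile` prints: it reports any HTTP server whose automatic_https is not disabled, which is what the poster wants to verify before deploying, and any reverse_proxy transport that skips upstream certificate verification, as this config does. The embedded JSON is a constructed sample shaped like the old Caddyfile.json, not output captured from Caddy.

```python
import json

# Constructed sample: what `caddy adapt` would emit for the poster's Caddyfile,
# shaped like the old working Caddyfile.json (hypothetical, not real Caddy output).
ADAPTED_JSON = """
{"apps": {"http": {"servers": {"srv0": {
  "automatic_https": {"disable": true},
  "listen": [":80"],
  "routes": [{"match": [{"host": ["unifi.myserver.io"]}],
    "handle": [{"handler": "reverse_proxy",
      "transport": {"protocol": "http", "tls": {"insecure_skip_verify": true}},
      "upstreams": [{"dial": "192.168.1.3:8443"}]}],
    "terminal": true}]}}}}}
"""

def iter_handlers(routes):
    """Yield every handler in a route list, descending into subroutes."""
    for route in routes:
        for handler in route.get("handle", []):
            yield handler
            if handler.get("handler") == "subroute":
                yield from iter_handlers(handler.get("routes", []))

def lint_caddy_json(doc):
    """Return human-readable findings about certificate automation and
    upstream TLS verification in an adapted Caddy JSON config."""
    findings = []
    apps = doc.get("apps", {})
    for name, srv in apps.get("http", {}).get("servers", {}).items():
        # The poster's goal: no ACME issuance, so automatic_https must be disabled.
        if not srv.get("automatic_https", {}).get("disable", False):
            findings.append(f"{name}: automatic_https not disabled (listen={srv.get('listen')})")
        # Risk surface: proxying to an upstream whose certificate is never checked.
        for handler in iter_handlers(srv.get("routes", [])):
            tls = handler.get("transport", {}).get("tls", {})
            if handler.get("handler") == "reverse_proxy" and tls.get("insecure_skip_verify"):
                dials = [u.get("dial") for u in handler.get("upstreams", [])]
                findings.append(f"{name}: upstream TLS verification skipped for {dials}")
    # A tls app in the adapted output means certificate automation policies exist.
    if "tls" in apps:
        findings.append("tls app present: certificate automation is configured")
    return findings

def lint_sample():
    """Run the lint over the constructed sample above."""
    return lint_caddy_json(json.loads(ADAPTED_JSON))
```

Feed it the real adapted output (`caddy adapt ... --pretty > adapted.json`) and compare against the old Caddyfile.json to see whether the two configs actually differ in the automatic_https or tls sections.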