1. Caddy version (caddy version):
v2.4.0
2. How I run Caddy:
On EC2 servers behind a load balancer (AWS Global Accelerator)
a. System environment:
Ubuntu 20.04
b. Command:
systemctl start caddy
d. My complete Caddyfile or JSON config:
# This is tunnelled through a local server so I can test things.
# The service environment sets: CADDY_PROXY_TARGET=ba07514839c9.ngrok.io
{
    on_demand_tls {
        ask https://{$CADDY_PROXY_TARGET}/user-domain-check
    }
    storage dynamodb caddy_ssl_certificates
}

:80 {
    respond /health "I'm healthy!" 200
}

:443 {
    tls jack@amplify.link {
        on_demand
    }
    reverse_proxy https://{$CADDY_PROXY_TARGET} {
        header_up Host {$CADDY_PROXY_TARGET}
        header_up User-Custom-Domain {host}
        header_up X-Forwarded-Port {server_port}
        health_timeout 5s
    }
}
3. The problem I’m having:
When I point the domain I want to use with Caddy at the AWS Global Accelerator static IP addresses, generating certificates fails. However, if I point the domain directly at the EC2 instance (bypassing the load balancer), then it works correctly. As I have customers in different areas of the world, I'm trying to use the load balancer so that customers can point to that without having to know the IP addresses of the individual servers.
4. Error messages and/or full log output:
This is the output when trying to curl https://jstowey.co.uk while it points at the load balancer:
Jul 28 22:24:54 ip-172-31-28-236 caddy[19723]: {"level":"info","ts":1627511094.9651167,"logger":"tls.obtain","msg":"acquiring lock","identifier":"jstowey.co.uk"}
Jul 28 22:24:54 ip-172-31-28-236 caddy[19723]: {"level":"info","ts":1627511094.9727457,"logger":"tls.obtain","msg":"lock acquired","identifier":"jstowey.co.uk"}
Jul 28 22:24:54 ip-172-31-28-236 caddy[19723]: {"level":"info","ts":1627511094.9833117,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["jstowey.co.uk"]}
Jul 28 22:24:54 ip-172-31-28-236 caddy[19723]: {"level":"info","ts":1627511094.983341,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["jstowey.co.uk"]}
Jul 28 22:24:55 ip-172-31-28-236 caddy[19723]: {"level":"info","ts":1627511095.7641287,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["jstowey.co.uk"]}
Jul 28 22:24:55 ip-172-31-28-236 caddy[19723]: {"level":"info","ts":1627511095.764165,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["jstowey.co.uk"]}
Jul 28 22:24:57 ip-172-31-28-236 caddy[19723]: {"level":"info","ts":1627511097.1118493,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"jstowey.co.uk","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
Jul 28 22:26:24 ip-172-31-28-236 caddy[19723]: {"level":"warn","ts":1627511184.9694316,"logger":"tls.issuance.acme.acme_client","msg":"HTTP request failed; retrying","url":"https://acme.zerossl.com/v2/DV90/authz/WWZNRn-zH9cDUpV2zgZksg","error":"performing request: Post \"https://acme.zerossl.com/v2/DV90/authz/WWZNRn-zH9cDUpV2zgZksg\": context deadline exceeded"}
Jul 28 22:26:24 ip-172-31-28-236 caddy[19723]: {"level":"error","ts":1627511184.9694834,"logger":"tls.issuance.acme.acme_client","msg":"deactivating authorization","identifier":"jstowey.co.uk","authz":"https://acme.zerossl.com/v2/DV90/authz/WWZNRn-zH9cDUpV2zgZksg","error":"request to https://acme.zerossl.com/v2/DV90/authz/WWZNRn-zH9cDUpV2zgZksg failed after 1 attempts: context deadline exceeded"}
Jul 28 22:26:24 ip-172-31-28-236 caddy[19723]: {"level":"error","ts":1627511184.969506,"logger":"tls.obtain","msg":"will retry","error":"[jstowey.co.uk] Obtain: [jstowey.co.uk] solving challenges: [jstowey.co.uk] context deadline exceeded (order=https://acme.zerossl.com/v2/DV90/order/2usq0fU0rF-vN051crVTVA) (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":89.996702151,"max_duration":2592000}
Jul 28 22:26:24 ip-172-31-28-236 caddy[19723]: {"level":"info","ts":1627511184.9695163,"logger":"tls.obtain","msg":"releasing lock","identifier":"jstowey.co.uk"}
5. What I already tried:
I've tried a number of different configurations, but I can't tell much from what the logs show. I've tried updating the hostname of both my EC2 servers to the Global Accelerator DNS name, but that didn't seem to fix anything.
6. Links to relevant resources:
How to add unlimited custom domains to Laravel Vapor | Laravel News - I followed this guide to get to this point, and it works for the most part; it's just this final hurdle that's causing issues.
On Demand SSL on ports 80,443 with health checks? - I reviewed this ticket for answers, but it looks like a slightly different issue; my health checks come back fine.
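The config above relies on the `on_demand_tls` `ask` endpoint (`/user-domain-check`) to decide which hostnames Caddy is allowed to obtain certificates for; without a strict allowlist there, anyone who points a DNS name at the accelerator can make Caddy hit the CA on their behalf and burn through issuance rate limits. The following is an added Go example of such an endpoint, not code from the post or from Caddy itself. It assumes only what Caddy documents for `ask`: a GET request carrying the candidate name in a `domain` query parameter, answered with HTTP 200 to approve issuance and any other status to refuse. The allowlist contents (`jstowey.co.uk`, `example.com`), the `/user-domain-check` path and the `127.0.0.1:8080` listen address are constructed for the example.

```go
package main

import (
	"log"
	"net"
	"net/http"
	"strings"
)

// allowedDomains is a constructed stand-in for the customer-domain table the
// real ask endpoint would query. Keys are normalised (lower-case, no trailing dot).
var allowedDomains = map[string]bool{
	"jstowey.co.uk": true,
	"example.com":   true,
}

// normalizeDomain lower-cases a hostname, strips a trailing dot and rejects
// anything that is not a plausible DNS name for a public CA to issue for:
// empty strings, names with ports/paths/userinfo, bare IP addresses, and
// labels that break the LDH (letters, digits, hyphen) rule.
func normalizeDomain(raw string) (string, bool) {
	d := strings.ToLower(strings.TrimSuffix(strings.TrimSpace(raw), "."))
	if d == "" || len(d) > 253 || strings.ContainsAny(d, " /:@?#") {
		return "", false
	}
	if net.ParseIP(d) != nil {
		return "", false
	}
	for _, label := range strings.Split(d, ".") {
		if label == "" || len(label) > 63 || label[0] == '-' || label[len(label)-1] == '-' {
			return "", false
		}
		for _, c := range label {
			if !((c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '-') {
				return "", false
			}
		}
	}
	return d, true
}

// domainAllowed decides whether Caddy may obtain a certificate for name.
// Only names that survive normalisation AND appear in the allowlist pass.
func domainAllowed(name string) bool {
	d, ok := normalizeDomain(name)
	return ok && allowedDomains[d]
}

// askHandler implements the on_demand_tls `ask` contract: Caddy sends
// GET /user-domain-check?domain=<name>; 200 means "issue", anything else
// (here 403) means "refuse". Refusals are logged so abuse attempts are visible.
func askHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodGet {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	name := r.URL.Query().Get("domain")
	if !domainAllowed(name) {
		log.Printf("on-demand TLS: refusing certificate for %q", name)
		http.Error(w, "domain not registered", http.StatusForbidden)
		return
	}
	w.WriteHeader(http.StatusOK)
	_, _ = w.Write([]byte("ok"))
}

func main() {
	// Listen address is an assumption for the example; in the post's setup
	// this would sit behind https://{$CADDY_PROXY_TARGET}/user-domain-check.
	http.HandleFunc("/user-domain-check", askHandler)
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

Caddy only asks this endpoint once per name before starting the ACME order, so the allowlist check is the one place to stop unregistered hostnames from reaching the CA; with it in place, a stray CNAME to the accelerator costs a single refused lookup rather than a failed order and a consumed rate-limit slot.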