Browser errors when using Caddy with Dynamic DNS

1. Caddy version (caddy version):

2.4.3

2. How I run Caddy:

I run Caddy as a systemd service on a Raspberry Pi.

a. System environment:

Raspberry Pi OS (Raspberry Pi reference 2021-05-07)
systemd 241

b. Command:

sudo systemctl start caddy

c. Service/unit/compose file:

From /lib/systemd/system/caddy.service

# caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddyfile or JSON config:

Caddyfile:

import /etc/caddy/*.caddyfile

/etc/caddy/nextcloud.caddyfile:

myddnssubdomain.ddns.net {
	root * /var/www/nextcloud
	file_server

	log {
		output file /media/cloud/logs/caddy/nextcloud.log
		level DEBUG
	}

	php_fastcgi unix//run/php/php7.3-fpm.sock
	header {
		# enable HSTS
		Strict-Transport-Security max-age=31536000;
	}

	tls internal {
		on_demand
	}

	redir /.well-known/carddav /remote.php/dav 301
	redir /.well-known/caldav /remote.php/dav 301

	# .htaccess / data / config / ... shouldn't be accessible from outside
	@forbidden {
		path /.htaccess
		path /data/*
		path /config/*
		path /db_structure
		path /.xml
		path /README
		path /3rdparty/*
		path /lib/*
		path /templates/*
		path /occ
		path /console.php
	}

	respond @forbidden 404
}

3. The problem I’m having:

I am trying to expose a Caddy-hosted Nextcloud instance in my local network to the Internet. I use the Dynamic DNS service from no-ip.com. I can actually reach the Nextcloud instance, but browsers are throwing errors that the certificate cannot be trusted.

The problem does not appear when hosting at raspberrypi.local in my LAN.

4. Error messages and/or full log output:

SEC_ERROR_UNKNOWN_ISSUER on Firefox
NET::ERR_CERT_AUTHORITY_INVALID on Chrome

5. What I already tried:

I tried to find out if there are any additional steps needed to get Caddy to work with Dynamic DNS. It seems that later down the road I will need the caddy-dynamicdns plugin to react to IP changes, but this seems unrelated to my current problem.

6. Links to relevant resources:

With this, Caddy is configured to use its own CA. Why did you put this in your config, along with on_demand?
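The fix Matt is pointing at, written out as an added example (this is not config from the thread; the email address is an assumed placeholder): the `tls internal` block makes Caddy sign the site certificate with its own local CA, which only the Pi itself trusts, so every other browser reports SEC_ERROR_UNKNOWN_ISSUER / NET::ERR_CERT_AUTHORITY_INVALID. Dropping it lets automatic HTTPS obtain a publicly trusted certificate for the DDNS name instead.

```caddyfile
# /etc/caddy/Caddyfile (global options block, assumed addition)
{
	# ACME account email for expiry and issuance notices; placeholder value
	email admin@example.com
}

import /etc/caddy/*.caddyfile

# /etc/caddy/nextcloud.caddyfile
myddnssubdomain.ddns.net {
	root * /var/www/nextcloud
	file_server
	php_fastcgi unix//run/php/php7.3-fpm.sock

	# Removed from the original site block:
	#
	#   tls internal {
	#       on_demand
	#   }
	#
	# Without a tls directive, a public hostname triggers automatic HTTPS:
	# Caddy requests a certificate from an ACME CA (Let's Encrypt by default)
	# and renews it on its own. For validation to succeed the DDNS name must
	# resolve to the router's public IP and ports 80 and 443 must be forwarded
	# to the Pi. on_demand is dropped as well: it is meant for hostnames not
	# known in advance, and without an `ask` endpoint it lets any client that
	# presents a name trigger certificate issuance for it.

	header {
		Strict-Transport-Security max-age=31536000;
	}

	redir /.well-known/carddav /remote.php/dav 301
	redir /.well-known/caldav /remote.php/dav 301

	@forbidden {
		path /.htaccess /data/* /config/* /db_structure /.xml /README
		path /3rdparty/* /lib/* /templates/* /occ /console.php
	}
	respond @forbidden 404
}
```

After `sudo systemctl reload caddy`, confirm which CA signed the served certificate with `openssl s_client -connect myddnssubdomain.ddns.net:443 -servername myddnssubdomain.ddns.net </dev/null 2>/dev/null | openssl x509 -noout -issuer`; an issuer of "Caddy Local Authority" means the internal CA is still in use.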

Thanks Matt. That was the cause of the problem indeed.

It is in my config because it is a remainder of someone else’s Caddyfile that I tried to adapt for my purposes. Not very smart of me. I take it as a lesson to make sure I understand every line in my caddyfile.


Great, glad it was that easy! Lesson learned. :)
