1. Caddy version (caddy version):
2.4.3
2. How I run Caddy:
I run Caddy as a systemd service on a Raspberry Pi.
a. System environment:
Raspberry Pi OS (Raspberry Pi reference 2021-05-07)
systemd 241
b. Command:
sudo systemctl start caddy
c. Service/unit/compose file:
From /lib/systemd/system/caddy.service
# caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.
[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target
[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
d. My complete Caddyfile or JSON config:
Caddyfile:
import /etc/caddy/*.caddyfile

/etc/caddy/nextcloud.caddyfile:
myddnssubdomain.ddns.net {
    root * /var/www/nextcloud
    file_server
    log {
        output file /media/cloud/logs/caddy/nextcloud.log
        level DEBUG
    }
    php_fastcgi unix//run/php/php7.3-fpm.sock
    header {
        # enable HSTS
        Strict-Transport-Security max-age=31536000;
    }
    tls internal {
        on_demand
    }
    redir /.well-known/carddav /remote.php/dav 301
    redir /.well-known/caldav /remote.php/dav 301
    # .htaccess / data / config / ... shouldn't be accessible from outside
    @forbidden {
        path /.htaccess
        path /data/*
        path /config/*
        path /db_structure
        path /.xml
        path /README
        path /3rdparty/*
        path /lib/*
        path /templates/*
        path /occ
        path /console.php
    }
    respond @forbidden 404
}
3. The problem I’m having:
I am trying to expose a Caddy-hosted Nextcloud instance in my local network to the Internet. I use the Dynamic DNS service from no-ip.com. I can actually reach the Nextcloud instance, but browsers are throwing errors that the certificate cannot be trusted.
The problem does not appear when hosting at raspberrypi.local in my LAN.
4. Error messages and/or full log output:
SEC_ERROR_UNKNOWN_ISSUER on Firefox
NET::ERR_CERT_AUTHORITY_INVALID on Chrome
5. What I already tried:
I tried to find out if there are any additional steps needed to get Caddy to work with Dynamic DNS. It seems that later down the road I need the caddy-dynamicdns plugin to react to IP changes, but this seems unrelated to my current problem.
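As an added illustration (not part of the original post): `tls internal` makes Caddy issue the site certificate from its own local CA, which only machines that have installed that root trust, so the two browser errors above are exactly what an unknown issuer looks like from the Internet. The snippet shows that block next to the same site block without it, where Caddy's automatic HTTPS obtains a publicly trusted certificate; the hostname is the poster's placeholder and the email address is an assumption.

```caddyfile
# Weak setting (as in the post): the certificate is signed by Caddy's local CA.
# Only clients that have installed that root (e.g. with `caddy trust`) accept it;
# every other browser reports SEC_ERROR_UNKNOWN_ISSUER / NET::ERR_CERT_AUTHORITY_INVALID.
myddnssubdomain.ddns.net {
    tls internal {
        on_demand   # unnecessary for one fixed hostname; on-demand is for names unknown at config time
    }
    # ... rest of the site block unchanged
}

# Corrected: leave out `tls internal`. For a public domain, Caddy's automatic HTTPS
# obtains a certificate from a public CA (Let's Encrypt / ZeroSSL), which needs
# TCP ports 80 and 443 of this host to be reachable from the Internet for validation.
# The email is an assumption; it is optional and only identifies the CA account.
myddnssubdomain.ddns.net {
    tls admin@example.com
    # ... rest of the site block unchanged
}
```

`tls internal` remains the right choice for names that never leave the LAN, such as raspberrypi.local, because public CAs cannot issue certificates for them.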