Caddy 2 on HA now showing deceptive site

1. The problem I’m having:

I have had Caddy running in HA for a while now with no issues. Yesterday I woke up and all of my sites behind Caddy 2 show deceptive. This is not just an HA issue; I have Plex, Synology, Radarr, Sonarr, Tdarr, Frigate, Overseerr all behind Caddy. I have looked through many docs online and even requested a review by Google for my domain (still waiting to hear from them). If I continue through the deceptive piece and get to my sites, all the certs show fine; they don't expire until April 14.

2. Error messages and/or full log output:

Common Name (CN)	liquiduni.somename.com
Organization (O)	<Not Part Of Certificate>
Organizational Unit (OU)	<Not Part Of Certificate>
Common Name (CN)	R3
Organization (O)	Let's Encrypt
Organizational Unit (OU)	<Not Part Of Certificate>
Issued On	Saturday, January 14, 2023 at 9:07:45 AM
Expires On	Friday, April 14, 2023 at 10:07:44 AM
s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service base-addon-banner: starting
-----------------------------------------------------------
 Add-on: Caddy 2
 Open source web and proxy server with automatic HTTPS
-----------------------------------------------------------
 Add-on version: 1.4.1
 You are running the latest version of this add-on.
 System: Home Assistant OS 9.5  (amd64 / generic-x86-64)
 Home Assistant Core: 2023.3.2
 Home Assistant Supervisor: 2023.03.1
-----------------------------------------------------------
 Please, share the above information when looking for help
 or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
s6-rc: info: service base-addon-banner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service base-addon-log-level: starting
s6-rc: info: service fix-attrs successfully started
Log level is set to DEBUG
s6-rc: info: service base-addon-log-level successfully started
s6-rc: info: service legacy-cont-init: starting
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service caddy: starting
s6-rc: info: service caddy successfully started
s6-rc: info: service legacy-services: starting
s6-rc: info: service legacy-services successfully started
INFO: Prepare Caddy...
INFO: Use built-in Caddy
v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=
INFO: Prepare Caddyfile...
INFO: Caddyfile found at /share/caddy/Caddyfile
INFO: Run Caddy...
DEBUG: '/usr/bin/caddy' run --config '/share/caddy/Caddyfile' ''
{"level":"info","ts":1678386807.1660428,"msg":"using provided configuration","config_file":"/share/caddy/Caddyfile","config_adapter":""}
{"level":"warn","ts":1678386807.1714633,"msg":"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies","adapter":"caddyfile","file":"/share/caddy/Caddyfile","line":2}
{"level":"info","ts":1678386807.1734118,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1678386807.1742423,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00053ed20"}
{"level":"info","ts":1678386807.1743808,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1678386807.1744885,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1678386807.175892,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"info","ts":1678386807.175901,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/ssl/caddy"}
{"level":"info","ts":1678386807.1760845,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"info","ts":1678386807.1761444,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1678386807.1761906,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["homeassistant.somename.com","search.somename.com","liquiduni.somename.com","music.somename.com","haportainer.somename.com","sonarr.somename.com","liquidxpe.somename.com","sab.somename.com","liquidrt.somename.com","transcode.somename.com","automate-myhome.com","read.somename.com","watch.somename.com","frigate.somename.com","radarr.somename.com","homeaccess.somename.com"]}
{"level":"info","ts":1678386807.184296,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1678386807.1890695,"msg":"autosaved config (load with --resume flag)","file":"/data/caddy/autosave.json"}
{"level":"info","ts":1678386807.1890872,"msg":"serving initial configuration"}

3. Caddy version:

-----------------------------------------------------------
 Add-on: Caddy 2
 Open source web and proxy server with automatic HTTPS
-----------------------------------------------------------
 Add-on version: 1.4.1
 You are running the latest version of this add-on.
 System: Home Assistant OS 9.5  (amd64 / generic-x86-64)
 Home Assistant Core: 2023.3.2
 Home Assistant Supervisor: 2023.03.1
-----------------------------------------------------------

4. How I installed and ran Caddy:

a. System environment:

b. Command:


c. Service/unit/compose file:


d. My complete Caddy config:

{
email someemail@gmail.com
}

# Synology
https://liquidxpe.somename.com {
        reverse_proxy https://XX.XX.XX.48:5001 {
                transport http {
                        tls_insecure_skip_verify
                }
        }
}
# Unifi
https://liquiduni.somename.com {
        reverse_proxy https://XX.XX.XX.240:8443 {
                transport http {
                        tls_insecure_skip_verify
                }
        }
}
# Edgerouter
https://liquidrt.somename.com {
        reverse_proxy https://XX.XX.XX.1:8440 {
                transport http {
                        tls_insecure_skip_verify
                }
        }
}
# DSM Portainer
https://dsmportainer.somename.com {
        reverse_proxy https://XX.XX.XX.48:9443 {
                transport http {
                        tls_insecure_skip_verify
                }
        }
}
# HA Portainer
https://haportainer.somename.com {
        reverse_proxy http://XX.XX.XX.240:9000 {
                transport http
        }
}
# Radarr
https://radarr.somename.com {
        reverse_proxy http://XX.XX.XX.48:7878 {
                transport http
        }
}
# Sonarr
https://sonarr.somename.com {
        reverse_proxy http://XX.XX.XX.48:8989 {
                transport http
        }
}
# Readarr
https://read.somename.com {
        reverse_proxy http://XX.XX.XX.48:8787 {
                transport http
        }
}
# Lidarr
https://music.somename.com {
        reverse_proxy http://XX.XX.XX.48:8686 {
                transport http
        }
}
# SabNZBD
https://sab.somename.com {
        reverse_proxy http://XX.XX.XX.48:8080 {
                transport http
        }
}
# automate-myhome
https://automate-myhome.com {
        reverse_proxy http://XX.XX.XX.240:49153 {
                transport http
        }
}
# HomeAssist
https://homeaccess.somename.com {
        reverse_proxy https://XX.XX.XX.220:8123 {
                transport http {
                        tls_insecure_skip_verify
                }
        }
}
#Frigate
https://frigate.somename.com {
        reverse_proxy http://XX.XX.XX.75:5000 {
                transport http
        }
}
#Search
https://search.somename.com {
        reverse_proxy http://XX.XX.XX.48:5055 {
                transport http
        }
}
#Transcode
https://transcode.somename.com {
        reverse_proxy http://XX.XX.XX.75:8265 {
                transport http
        }
}
#Plex
https://watch.somename.com {
        reverse_proxy http://XX.XX.XX.75:32400 {
                transport http
        }
}

5. Links to relevant resources:

Likely a SafeBrowsing false-positive. Unfortunately that’s about all we can help with without the actual domains, which you redacted and which is against our rules for this reason :frowning:

Good luck!

If you have a way for me to get it to you that’s not public, I have no issue sending it, I’m just not going to put my data on the web for all to attack.

My biggest concern was finding out if others are having similar issues, since there have been updates lately, between Home Assistant and Caddy. It very well is a safe browsing issue, but it is also within Caddy, not Home Assistant or other services I present to myself externally. When I remove my Ubiquiti router from the Caddyfile and then use the Let’s Encrypt script directly on the router and it pulls a cert, it appears to work fine in the browser with no deceptive warning. I have read that using TLS skip security checking is the last resort in the Caddyfile, but if I upload the self-signed cert for all services, I have to continue to do that and that defeats the purpose of Caddy making it easy on people.

That’s not how that works… unfortunately your server is going to be attacked regardless of whether you post the domain names here. Attackers already know about your server, but we don’t – which is not helping you get help :confused:

Anyway, I do want to clarify that this is not a TLS error. If the browser says “Deceptive site” it is referring to the SafeBrowsing lists – a few of my own sites have been falsely flagged by this too. (It’s one reason that I proposed a non-global, privacy-preserving alternative to SafeBrowsing-type protections in my master’s thesis).

Your site can often be flagged if:

  • You inherit an IP address that was recently used by a malicious site (quite likely if you don’t have a static IP on your home network)
  • Your domain is fronting content that looks identical to content on another host (like a transparent proxy)
  • You collect login information, especially in conjunction with either of the two above.

The web server software doesn’t really have anything to do with the SafeBrowsing list – I’m afraid you’ll have to take that up with Google.
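A way to check whether any of the hostnames in a Caddyfile are currently on the SafeBrowsing lists, as an added example that is not from this thread or the Caddy project: it pulls the site addresses out of a constructed Caddyfile in the style used above and queries the Safe Browsing v4 Lookup API's threatMatches:find endpoint, whose SOCIAL_ENGINEERING category is the one behind the “Deceptive site ahead” page. The sample Caddyfile, sample response, client id and API key placeholder are all constructed for this example.

```python
"""Check the hostnames served by a Caddyfile against Safe Browsing v4."""
import json
import re
import urllib.request

# Constructed sample in the Caddyfile style used above (not the poster's file).
SAMPLE_CADDYFILE = """{
email someemail@gmail.com
}
https://liquiduni.somename.com {
        reverse_proxy https://XX.XX.XX.240:8443
}
https://watch.somename.com {
        reverse_proxy http://XX.XX.XX.75:32400
}
"""
# Constructed sample API response; 'Deceptive site' maps to SOCIAL_ENGINEERING.
SAMPLE_RESPONSE = {"matches": [{"threatType": "SOCIAL_ENGINEERING", "platformType": "ANY_PLATFORM",
                                "threatEntryType": "URL", "cacheDuration": "300s",
                                "threat": {"url": "https://watch.somename.com/"}}]}
# A site block opens with an optional scheme, a hostname and '{'.
SITE_RE = re.compile(r"^\s*(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})\s*\{", re.M)

def caddyfile_sites(text: str) -> list[str]:
    """Hostnames that open a site block (the global options block has none)."""
    return SITE_RE.findall(text)

def lookup_request(hosts: list[str]) -> dict:
    """Body for POST .../v4/threatMatches:find, one URL entry per host."""
    return {"client": {"clientId": "caddy-site-check", "clientVersion": "1.0"},
            "threatInfo": {"threatTypes": ["MALWARE", "SOCIAL_ENGINEERING"],
                           "platformTypes": ["ANY_PLATFORM"], "threatEntryTypes": ["URL"],
                           "threatEntries": [{"url": f"https://{h}/"} for h in hosts]}}

def flagged(response: dict) -> dict[str, str]:
    """Map each listed URL to its threat type; an empty dict means nothing is listed."""
    return {m["threat"]["url"]: m["threatType"] for m in response.get("matches", [])}

def check(api_key: str, hosts: list[str]) -> dict[str, str]:
    """Live lookup; needs network and a real key, so pass your own (none embedded here)."""
    url = "https://safebrowsing.googleapis.com/v4/threatMatches:find?key=" + api_key
    req = urllib.request.Request(url, data=json.dumps(lookup_request(hosts)).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return flagged(json.load(resp))

if __name__ == "__main__":
    print(check("API_KEY_PLACEHOLDER", caddyfile_sites(SAMPLE_CADDYFILE)))
```

An empty result from the live lookup means none of the hosts is on the lists at that moment; a hit shows which category caused the interstitial, which is the information to quote when requesting a review.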
