Caddy + Cloudflare not working

1. The problem I’m having:

When I connect to Caddy using my public IP address, it works only when I type http://mypublicip:80. When I do http://mypublicip:443 I get “Client sent an HTTP request to an HTTPS server.”, and when I do https://mypublicip:443 it says “secure connection failed” with SSL_ERROR_INTERNAL_ERROR_ALERT.

2. Error messages and/or full log output:

log
{"level":"info","ts":1735931016.4684925,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
{"level":"info","ts":1735931016.4697332,"msg":"adapted config to JSON","adapter":"caddyfile"}
{"level":"warn","ts":1735931016.4697464,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
{"level":"info","ts":1735931016.4707115,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1735931016.470922,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1735931016.4709387,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1735931016.4709764,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000523580"}
{"level":"info","ts":1735931016.4713411,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"info","ts":1735931016.471422,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 7168 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
{"level":"info","ts":1735931016.4715652,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"info","ts":1735931016.4716215,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1735931016.4716637,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["ford.work","jellyfin.ford.work"]}
{"level":"info","ts":1735931016.4732473,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1735931016.4732754,"msg":"serving initial configuration"}
{"level":"info","ts":1735931016.4841115,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/data/caddy","instance":"f77bea6e-fbbf-4a5b-be8f-a2e7350fe217","try_again":1736017416.484107,"try_again_in":86399.999999254}
{"level":"info","ts":1735931016.4842725,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"error","ts":1735931020.5647044,"logger":"http.log.error","msg":"dial tcp [::1]:8096: connect: connection refused","request":{"remote_ip":"162.158.10.229","remote_port":"10490","client_ip":"162.158.10.229","proto":"HTTP/2.0","method":"GET","host":"jellyfin.ford.work","uri":"/","headers":{"X-Forwarded-For":["100.40.98.148"],"X-Forwarded-Proto":["https"],"Upgrade-Insecure-Requests":["1"],"Accept-Language":["en-US,en;q=0.5"],"Cf-Connecting-Ip":["100.40.98.148"],"Cf-Ray":["8fc5400e3c008fcc-BOS"],"User-Agent":["Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:133.0) Gecko/20100101 Firefox/133.0"],"Sec-Fetch-Site":["none"],"Cf-Ipcountry":["US"],"Sec-Fetch-Mode":["navigate"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],"Sec-Fetch-User":["?1"],"Cdn-Loop":["cloudflare; loops=1"],"Accept-Encoding":["gzip, br"],"Sec-Fetch-Dest":["document"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"Priority":["u=0, i"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"jellyfin.ford.work"}},"duration":0.000716851,"status":502,"err_id":"7mw7huyi0","err_trace":"reverseproxy.statusError (reverseproxy.go:1269)"}
{"level":"error","ts":1735931020.842992,"logger":"http.log.error","msg":"dial tcp [::1]:8096: connect: connection refused","request":{"remote_ip":"162.158.10.249","remote_port":"9840","client_ip":"162.158.10.249","proto":"HTTP/2.0","method":"GET","host":"jellyfin.ford.work","uri":"/favicon.ico","headers":{"X-Forwarded-Proto":["https"],"Accept-Encoding":["gzip, br"],"Cf-Ray":["8fc540101f2e8fcc-BOS"],"Sec-Fetch-Dest":["image"],"Cdn-Loop":["cloudflare; loops=1"],"Accept-Language":["en-US,en;q=0.5"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"User-Agent":["Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:133.0) Gecko/20100101 Firefox/133.0"],"Referer":["https://jellyfin.ford.work/"],"Sec-Fetch-Mode":["no-cors"],"Sec-Fetch-Site":["same-origin"],"Priority":["u=6"],"Cf-Ipcountry":["US"],"X-Forwarded-For":["100.40.98.148"],"Cf-Connecting-Ip":["100.40.98.148"],"Accept":["image/avif,image/webp,image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"jellyfin.ford.work"}},"duration":0.000774329,"status":502,"err_id":"ks2dh5m7t","err_trace":"reverseproxy.statusError (reverseproxy.go:1269)"}

3. Caddy version:

caddy:latest

4. How I installed and ran Caddy:

docker compose up -d

a. System environment:

Linux (Ubuntu), Docker Compose

b. Command:

docker compose up -d

c. Service/unit/compose file:

networks:
  caddy:

services:
  portainer:
    image: portainer/portainer-ce:latest
    networks:
      - caddy
    ports:
      - 9443:9443  # also publishes Portainer directly on the host; not needed once it is only reached through Caddy over the caddy network
    volumes:
      - data:/data
      - /var/run/docker.sock:/var/run/docker.sock
    restart: unless-stopped

  caddy:
    build: 
      context: .
      dockerfile: Dockerfile  # Use the custom Dockerfile to build Caddy with the Cloudflare DNS module
    restart: unless-stopped
    networks:
      - caddy
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    environment:
      # The Caddyfile reads {env.CLOUDFLARE_API_TOKEN}, so the variable has to be
      # exported under that exact name; the caddy-dns/cloudflare module expects a
      # scoped API token, not the account's global API key.
      - CLOUDFLARE_API_TOKEN=${CLOUDFLARE_API_TOKEN}
      - CLOUDFLARE_EMAIL=${CLOUDFLARE_EMAIL}  # not read by Caddy or the cloudflare module
      - DOMAIN=${DOMAIN}
      - CADDY_DNS_PROVIDER=cloudflare  # not a Caddy setting; harmless but unused
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile  # mount the file onto the file path, not onto the /etc/caddy/ directory
      - ./site:/srv
      - caddy_data:/data
      - caddy_config:/config

volumes:
  caddy_data:
  caddy_config:
  data:

d. My complete Caddy config:

My Dockerfile:

# Use the official Caddy builder image
FROM caddy:builder AS builder

# Add the Cloudflare DNS module
RUN xcaddy build \
    --with github.com/caddy-dns/cloudflare

# Use the official Caddy runtime image
FROM caddy:latest

# Copy the custom-built Caddy binary
COPY --from=builder /usr/bin/caddy /usr/bin/caddy

My Caddyfile:

https://ford.work {
        tls {
                dns cloudflare {env.CLOUDFLARE_API_TOKEN}
        }
        reverse_proxy portainer:9443
}
https://jellyfin.ford.work {
        tls {
                dns cloudflare {env.CLOUDFLARE_API_TOKEN}
        }
        reverse_proxy localhost:8096
}

5. Links to relevant resources:

relevant resource

You have a domain name, why are you using an IP address to access the service? Use the domain name. If Caddy is configured correctly, it’ll work.

You don’t need this, by the way. It’s typically needed when using wildcard domain names.

localhost in Docker containers means inside the container, not the host machine. To reach a service running on the host from inside the container, use either host.docker.internal or 172.17.0.1.

Lastly, if you’re using Cloudflare in front of Caddy, ensure you’re using DNS-only (grey cloud, I think).

I was using the IP address to see if it was a Caddy or Cloudflare issue, but I don’t even know anymore. I changed my Caddyfile to have the right information now, and I switched Cloudflare to DNS-only, but I still can’t connect. When I try to connect to my website I get “Client sent an HTTP request to an HTTPS server.”, and when I connect to Jellyfin it says “525: SSL Handshake failed”.

logs
{"level":"info","ts":1735934733.2789793,"msg":"adapted config to JSON","adapter":"caddyfile"}
{"level":"info","ts":1735934733.2801409,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1735934733.2803419,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1735934733.280427,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1735934733.2804246,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0005aab80"}
{"level":"info","ts":1735934733.2810137,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"info","ts":1735934733.2812092,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 7168 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
{"level":"info","ts":1735934733.2814429,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"info","ts":1735934733.2815907,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1735934733.2817283,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["jellyifn.ford.work","ford.work"]}
{"level":"info","ts":1735934733.2843375,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1735934733.2845018,"msg":"serving initial configuration"}
{"level":"info","ts":1735934733.2850518,"logger":"tls.obtain","msg":"acquiring lock","identifier":"jellyifn.ford.work"}
{"level":"info","ts":1735934733.2896335,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/data/caddy","instance":"f77bea6e-fbbf-4a5b-be8f-a2e7350fe217","try_again":1736021133.2896285,"try_again_in":86399.999999231}
{"level":"info","ts":1735934733.2898042,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1735934733.2943692,"logger":"tls.obtain","msg":"lock acquired","identifier":"jellyifn.ford.work"}
{"level":"info","ts":1735934733.2945538,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"jellyifn.ford.work"}
{"level":"info","ts":1735934733.2957919,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["jellyifn.ford.work"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
{"level":"info","ts":1735934733.2958229,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["jellyifn.ford.work"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
{"level":"info","ts":1735934733.295838,"logger":"http","msg":"using ACME account","account_id":"https://acme-v02.api.letsencrypt.org/acme/acct/2148359025","account_contact":[]}
{"level":"error","ts":1735934733.6742427,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"jellyifn.ford.work","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 429 urn:ietf:params:acme:error:rateLimited - too many failed authorizations (5) for \"jellyifn.ford.work\" in the last 1h0m0s, retry after 2025-01-03 20:06:22 UTC: see https://letsencrypt.org/docs/rate-limits/#authorization-failures-per-hostname-per-account"}
{"level":"error","ts":1735934733.6743333,"logger":"tls.obtain","msg":"will retry","error":"[jellyifn.ford.work] Obtain: [jellyifn.ford.work] creating new order: attempt 1: https://acme-v02.api.letsencrypt.org/acme/new-order: HTTP 429 urn:ietf:params:acme:error:rateLimited - too many failed authorizations (5) for \"jellyifn.ford.work\" in the last 1h0m0s, retry after 2025-01-03 20:06:22 UTC: see https://letsencrypt.org/docs/rate-limits/#authorization-failures-per-hostname-per-account (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":0.379919586,"max_duration":2592000}

You’re probably typing http:// in your browser. Don’t. It’s HTTPS now.

Though something is not right. Caddy should have redirected those requests from HTTP to HTTPS. How are you making the requests? What are you typing?

I am typing in ford.work and it auto-redirects me to https://ford.work with that error. When I type in https://ford.work it still comes up with that error: “Client sent an HTTP request to an HTTPS server.”

{"level":"info","ts":1735936824.1357117,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
{"level":"info","ts":1735936824.1373444,"msg":"adapted config to JSON","adapter":"caddyfile"}
{"level":"info","ts":1735936824.1385827,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1735936824.1389947,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1735936824.139015,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1735936824.139553,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"info","ts":1735936824.1397154,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 7168 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
{"level":"info","ts":1735936824.1399727,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"info","ts":1735936824.1401205,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1735936824.140203,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["jellyifn.ford.work","ford.work"]}
{"level":"info","ts":1735936824.141468,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1735936824.1416624,"msg":"serving initial configuration"}
{"level":"info","ts":1735936824.1397727,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00011d680"}
{"level":"info","ts":1735936824.1422696,"logger":"tls.obtain","msg":"acquiring lock","identifier":"jellyifn.ford.work"}
{"level":"info","ts":1735936824.1454694,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/data/caddy","instance":"f77bea6e-fbbf-4a5b-be8f-a2e7350fe217","try_again":1736023224.1454654,"try_again_in":86399.999999309}
{"level":"info","ts":1735936824.1460848,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1735936824.149687,"logger":"tls.obtain","msg":"lock acquired","identifier":"jellyifn.ford.work"}
{"level":"info","ts":1735936824.149821,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"jellyifn.ford.work"}
{"level":"info","ts":1735936824.1511316,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["jellyifn.ford.work"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
{"level":"info","ts":1735936824.1511645,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["jellyifn.ford.work"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
{"level":"info","ts":1735936824.151179,"logger":"http","msg":"using ACME account","account_id":"https://acme-v02.api.letsencrypt.org/acme/acct/2148359025","account_contact":[]}
{"level":"info","ts":1735936824.6407857,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"jellyifn.ford.work","challenge_type":"http-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1735936825.008696,"logger":"http.acme_client","msg":"challenge failed","identifier":"jellyifn.ford.work","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up A for jellyifn.ford.work - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for jellyifn.ford.work - check that a DNS record exists for this domain","instance":"","subproblems":[]}}
{"level":"error","ts":1735936825.0087407,"logger":"http.acme_client","msg":"validating authorization","identifier":"jellyifn.ford.work","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up A for jellyifn.ford.work - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for jellyifn.ford.work - check that a DNS record exists for this domain","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/2148359025/340443375025","attempt":1,"max_attempts":3}
{"level":"error","ts":1735936826.0862365,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"jellyifn.ford.work","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 429 urn:ietf:params:acme:error:rateLimited - too many failed authorizations (5) for \"jellyifn.ford.work\" in the last 1h0m0s, retry after 2025-01-03 20:42:25 UTC: see https://letsencrypt.org/docs/rate-limits/#authorization-failures-per-hostname-per-account"}
{"level":"error","ts":1735936826.0863302,"logger":"tls.obtain","msg":"will retry","error":"[jellyifn.ford.work] Obtain: [jellyifn.ford.work] creating new order: attempt 1: https://acme-v02.api.letsencrypt.org/acme/new-order: HTTP 429 urn:ietf:params:acme:error:rateLimited - too many failed authorizations (5) for \"jellyifn.ford.work\" in the last 1h0m0s, retry after 2025-01-03 20:42:25 UTC: see https://letsencrypt.org/docs/rate-limits/#authorization-failures-per-hostname-per-account (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":1.936615557,"max_duration":2592000}
{"level":"info","ts":1735936886.0868614,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"jellyifn.ford.work"}
{"level":"info","ts":1735936886.0880163,"logger":"http","msg":"using ACME account","account_id":"https://acme-staging-v02.api.letsencrypt.org/acme/acct/178668424","account_contact":[]}
{"level":"info","ts":1735936886.5580766,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"jellyifn.ford.work","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1735936886.9558446,"logger":"http.acme_client","msg":"challenge failed","identifier":"jellyifn.ford.work","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up A for jellyifn.ford.work - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for jellyifn.ford.work - check that a DNS record exists for this domain","instance":"","subproblems":[]}}
{"level":"error","ts":1735936886.955889,"logger":"http.acme_client","msg":"validating authorization","identifier":"jellyifn.ford.work","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up A for jellyifn.ford.work - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for jellyifn.ford.work - check that a DNS record exists for this domain","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/178668424/21760536964","attempt":1,"max_attempts":3}
{"level":"info","ts":1735936888.1256096,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"jellyifn.ford.work","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1735936888.5235212,"logger":"http.acme_client","msg":"challenge failed","identifier":"jellyifn.ford.work","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up A for jellyifn.ford.work - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for jellyifn.ford.work - check that a DNS record exists for this domain","instance":"","subproblems":[]}}
{"level":"error","ts":1735936888.5235636,"logger":"http.acme_client","msg":"validating authorization","identifier":"jellyifn.ford.work","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up A for jellyifn.ford.work - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for jellyifn.ford.work - check that a DNS record exists for this domain","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/178668424/21760537494","attempt":2,"max_attempts":3}
{"level":"error","ts":1735936888.5235937,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"jellyifn.ford.work","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: NXDOMAIN looking up A for jellyifn.ford.work - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for jellyifn.ford.work - check that a DNS record exists for this domain"}
{"level":"error","ts":1735936888.5236838,"logger":"tls.obtain","msg":"will retry","error":"[jellyifn.ford.work] Obtain: [jellyifn.ford.work] solving challenge: jellyifn.ford.work: [jellyifn.ford.work] authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: NXDOMAIN looking up A for jellyifn.ford.work - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for jellyifn.ford.work - check that a DNS record exists for this domain (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":2,"retrying_in":120,"elapsed":64.373969601,"max_duration":2592000}
{"level":"info","ts":1735937008.5242007,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"jellyifn.ford.work"}
{"level":"info","ts":1735937008.5255744,"logger":"http","msg":"using ACME account","account_id":"https://acme-staging-v02.api.letsencrypt.org/acme/acct/178668424","account_contact":[]}
{"level":"info","ts":1735937008.7623382,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"jellyifn.ford.work","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1735937009.1654859,"logger":"http.acme_client","msg":"challenge failed","identifier":"jellyifn.ford.work","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up A for jellyifn.ford.work - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for jellyifn.ford.work - check that a DNS record exists for this domain","instance":"","subproblems":[]}}
{"level":"error","ts":1735937009.1655264,"logger":"http.acme_client","msg":"validating authorization","identifier":"jellyifn.ford.work","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up A for jellyifn.ford.work - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for jellyifn.ford.work - check that a DNS record exists for this domain","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/178668424/21760570524","attempt":1,"max_attempts":3}
{"level":"info","ts":1735937010.3379216,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"jellyifn.ford.work","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1735937010.7385793,"logger":"http.acme_client","msg":"challenge failed","identifier":"jellyifn.ford.work","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up A for jellyifn.ford.work - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for jellyifn.ford.work - check that a DNS record exists for this domain","instance":"","subproblems":[]}}
{"level":"error","ts":1735937010.7386274,"logger":"http.acme_client","msg":"validating authorization","identifier":"jellyifn.ford.work","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up A for jellyifn.ford.work - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for jellyifn.ford.work - check that a DNS record exists for this domain","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/178668424/21760570934","attempt":2,"max_attempts":3}
{"level":"error","ts":1735937010.7386658,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"jellyifn.ford.work","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: NXDOMAIN looking up A for jellyifn.ford.work - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for jellyifn.ford.work - check that a DNS record exists for this domain"}
{"level":"error","ts":1735937010.7387166,"logger":"tls.obtain","msg":"will retry","error":"[jellyifn.ford.work] Obtain: [jellyifn.ford.work] solving challenge: jellyifn.ford.work: [jellyifn.ford.work] authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: NXDOMAIN looking up A for jellyifn.ford.work - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for jellyifn.ford.work - check that a DNS record exists for this domain (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":3,"retrying_in":120,"elapsed":186.589002413,"max_duration":2592000}

You’re reaching your Caddy server correctly, and through HTTPS; it’s your reverse_proxy setup that’s wrong.

It looks like the upstream in
reverse_proxy portainer:9443
is an HTTPS server, but since it’s not on the standard HTTPS port, 443, you have to instruct Caddy yourself that it should turn on TLS.

Try to replace it with this:

reverse_proxy portainer:9443 {
	transport http {
		tls
	}
}

It’s looking very likely you’ll also need to turn off certificate validation for that server, which requires adding the extra line tls_insecure_skip_verify under tls. See the documentation on how to possibly harden the configuration.

By the way, your log is full of errors/warnings that make it seem like you mistyped jellyfin as jellyifn somewhere, but that’s likely unrelated. 🙂

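Putting the two replies above together (the one about localhost meaning the container itself, and the one about turning on TLS to portainer:9443), here is an added example of a Caddyfile for the two sites in this thread. It is not the poster's config or Caddy's own documentation; it shows the weak setting the thread ended up with next to a verified alternative. The certificate path, the tls_server_name value, and the use of host.docker.internal are assumptions for illustration, and the Cloudflare DNS block is left out because, as noted above, it is only needed for wildcard names.

```caddyfile
# Added example, not the poster's Caddyfile. Paths and names are placeholders.

ford.work {
	# Portainer speaks HTTPS on 9443. Because 9443 is not 443, Caddy does not
	# turn on TLS to the upstream by itself; without `tls` here the upstream's
	# Go HTTP server answers the plaintext request with
	# "Client sent an HTTP request to an HTTPS server." (the 400 seen in the thread).
	reverse_proxy portainer:9443 {
		transport http {
			tls

			# Weak setting, as used in the thread: any certificate is accepted, so
			# anything on the Docker network that can answer as "portainer" is trusted.
			# tls_insecure_skip_verify

			# Verified alternative (assumed path): pin the upstream's own certificate
			# and check it against a name it actually carries. Portainer's self-signed
			# certificate has to be exported into this file, or Portainer started with
			# --sslcert/--sslkey using a certificate you issued, and tls_server_name
			# must match a SAN in that certificate or the handshake fails.
			tls_trust_pool file /etc/caddy/upstreams/portainer.crt
			tls_server_name portainer
		}
	}

	# Simpler still (assumes Portainer CE's default plain-HTTP listener on 9000):
	# proxy to portainer:9000 over the private compose network and drop the
	# transport block entirely; no TLS to the upstream, nothing to skip or pin.
	# reverse_proxy portainer:9000
}

jellyfin.ford.work {
	# "localhost" inside the Caddy container is the container itself. Jellyfin
	# runs on the Docker host, so address the host instead. On Linux Docker Engine
	# host.docker.internal only resolves if the caddy service in compose gets
	# extra_hosts with "host.docker.internal:host-gateway"; 172.17.0.1 (the default
	# bridge gateway) works without it but depends on the bridge's address.
	reverse_proxy host.docker.internal:8096
}
```

The trade-off between the two portainer variants: tls_insecure_skip_verify only protects against a passive observer on the Docker network, while the pinned trust pool plus tls_server_name makes Caddy refuse any other certificate, at the cost of re-exporting the file whenever Portainer regenerates its certificate. Reaching Portainer over plain HTTP on the private compose network avoids the question altogether, provided that network is not shared with anything you do not trust.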

Oops 😂 that did fix Jellyfin, so now that works, and I did end up needing to use tls_insecure_skip_verify. I’m connected to my site using HTTPS and it says it’s encrypted still? Does that mean it’s fine, or am I misunderstanding that command?

It says it’s verified by Let’s Encrypt?

All should be generally fine. It’s only the reverse_proxy that’s insecurely not verifying its connection to your source (portainer). If you trust the local network connection between the host Caddy runs on and “portainer”, then there’s no need to worry.
