Caddy + Docker doesn't use existing certificate

1. Caddy version (caddy version):

latest docker image abiosoft/caddy

2. How I run Caddy:

I simply use this docker-compose file:

version: "3.2"
services:
  back:
    build:
      context: ./backend/
      dockerfile: Dockerfile
    ports:
      - "3000:3000"
  front:
    build:
      context: ./FrontEnd/
      dockerfile: Dockerfile
  server-ssl-front:
    image: abiosoft/caddy
    depends_on:
      - front
    links:
      - front
    ports:
      - '80:80'
      - '443:443'
    volumes:
      - './.caddy:/root/.caddy'
      - './Caddyfile:/etc/Caddyfile'

a. System environment:

Ubuntu 20.04.3, using Docker

b. Command:

docker-compose up

c. My complete Caddyfile or JSON config:

uat-harx.ai {
        proxy / front:3000
}

3. The problem I’m having:

Caddy just seems to request another certificate every time we restart it. But the UUID inside the local /.caddy directory is the same as the UUID in /.caddy inside the Docker container. So we have reached the certificate limit, but we just want to use the already generated one.

4. Error messages and/or full log output:

server-ssl-front_1  | Activating privacy features... 2022/05/02 08:15:18 [INFO][uat.harx.ai] Obtain certificate
server-ssl-front_1  | 2022/05/02 08:15:18 [INFO] [uat.harx.ai] acme: Obtaining bundled SAN certificate
server-ssl-front_1  | 2022/05/02 08:15:19 [ERROR][uat.harx.ai] failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: uat.harx.ai: see https://letsencrypt.org/docs/rate-limits/, url:  (attempt 1/3; challenge=http-01)
server-ssl-front_1  | 2022/05/02 08:15:20 [INFO] [uat.harx.ai] acme: Obtaining bundled SAN certificate
server-ssl-front_1  | 2022/05/02 08:15:20 [ERROR][uat.harx.ai] failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: uat.harx.ai: see https://letsencrypt.org/docs/rate-limits/, url:  (attempt 2/3; challenge=http-01)
server-ssl-front_1  | 2022/05/02 08:15:21 [INFO] [uat.harx.ai] acme: Obtaining bundled SAN certificate
server-ssl-front_1  | 2022/05/02 08:15:21 [ERROR][uat.harx.ai] failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: uat.harx.ai: see https://letsencrypt.org/docs/rate-limits/, url:  (attempt 3/3; challenge=http-01)
server-ssl-front_1  | 2022/05/02 08:15:22 [INFO] [uat.harx.ai] acme: Obtaining bundled SAN certificate
server-ssl-front_1  | 2022/05/02 08:15:22 [ERROR][uat.harx.ai] failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: uat.harx.ai: see https://letsencrypt.org/docs/rate-limits/, url:  (attempt 1/3; challenge=tls-alpn-01)
server-ssl-front_1  | 2022/05/02 08:15:23 [INFO] [uat.harx.ai] acme: Obtaining bundled SAN certificate
server-ssl-front_1  | 2022/05/02 08:15:23 [ERROR][uat.harx.ai] failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: uat.harx.ai: see https://letsencrypt.org/docs/rate-limits/, url:  (attempt 2/3; challenge=tls-alpn-01)
server-ssl-front_1  | 2022/05/02 08:15:24 [INFO] [uat.harx.ai] acme: Obtaining bundled SAN certificate
server-ssl-front_1  | 2022/05/02 08:15:24 [ERROR][uat.harx.ai] failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: uat.harx.ai: see https://letsencrypt.org/docs/rate-limits/, url:  (attempt 3/3; challenge=tls-alpn-01)
server-ssl-front_1  | 2022/05/02 08:15:25 failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: uat.harx.ai: see https://letsencrypt.org/docs/rate-limits/, url: 
server-ssl-front_1  | exit status 1

5. What I already tried:

I tried changing the name of the directory and of the volumes a million times, but nothing seems to work.

That’s really old. Caddy v1 is no longer supported. Upgrade to Caddy v2 ASAP.

So what is the official Docker image for Caddy 2?

https://hub.docker.com/_/caddy

Is it this one? I tried to use it but never managed to make it work.

Yes, that’s the one. It definitely works. You’ll need to be more specific if you had trouble.

I just changed the abiosoft/caddy image to caddy:latest

and changed my Caddyfile from:

uat-harx.ai {
        proxy / front:3000
}

to

uat-harx.ai {
        reverse_proxy front:3000
}

and I get this error:

server-ssl-front_1  | {"level":"info","ts":1651496743.0803978,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
server-ssl-front_1  | {"level":"info","ts":1651496743.0823915,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["//[::1]:2019","//127.0.0.1:2019","//localhost:2019"]}
server-ssl-front_1  | {"level":"warn","ts":1651496743.0826483,"logger":"http","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv0","http_port":80}
server-ssl-front_1  | {"level":"info","ts":1651496743.0832965,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0004bf2d0"}
server-ssl-front_1  | {"level":"info","ts":1651496743.0833755,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
server-ssl-front_1  | {"level":"info","ts":1651496743.0835757,"logger":"tls","msg":"finished cleaning storage units"}
server-ssl-front_1  | {"level":"info","ts":1651496743.0837498,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
server-ssl-front_1  | {"level":"info","ts":1651496743.0840368,"msg":"serving initial configuration"}

but that’s strange, since my Caddy server has port 443 open, as in the compose file:

server-ssl-front:
  image: abiosoft/caddy
  depends_on:
    - front
  links:
    - front
  ports:
    - '80:80'
    - '443:443'
  volumes:
    - './.caddy:/root/.caddy'
    - './Caddyfile:/etc/Caddyfile'

There’s no error there… that’s just Caddy’s regular startup logs. Notice there’s no "level": "error".

This is incorrect. Review the docs on Docker Hub. There’s a docker-compose example at the bottom. Or see here:
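For reference, this is how the `server-ssl-front` service from the thread looks once moved to the official Caddy v2 image, with the mount points taken from Caddy's own startup log above (`/etc/caddy/Caddyfile`, `FileStorage:/data/caddy`, `/config/caddy/autosave.json`). This is an added example, not the Docker Hub compose file the reply points to; the service names and build contexts are the ones from the original post.

```yaml
version: "3.2"
services:
  back:
    build:
      context: ./backend/
      dockerfile: Dockerfile
    ports:
      - "3000:3000"
  front:
    build:
      context: ./FrontEnd/
      dockerfile: Dockerfile
  server-ssl-front:
    # Official Caddy v2 image; abiosoft/caddy is Caddy v1 and no longer supported.
    image: caddy:2
    depends_on:
      - front
    # `links` is not needed: compose service names (front) resolve on the default network.
    ports:
      - "80:80"     # HTTP-01 challenge and HTTP -> HTTPS redirect
      - "443:443"   # TLS-ALPN-01 challenge and HTTPS traffic
    volumes:
      # Caddy v2 reads its config from /etc/caddy/Caddyfile, not /etc/Caddyfile.
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      # /data holds the ACME account key and issued certificates (FileStorage:/data/caddy).
      # Persisting it is what lets a restarted container reuse the existing certificate
      # instead of ordering a new one and exhausting the 5-per-168-hours Let's Encrypt limit
      # seen in the 429 errors above. Mounting /root/.caddy (the v1 path) does nothing here.
      - caddy_data:/data
      # /config holds the autosaved JSON config (/config/caddy/autosave.json).
      - caddy_config:/config
volumes:
  caddy_data:
  caddy_config:
```

The `caddy_data` volume is the sensitive one: it contains the ACME account private key and the certificate private keys, so back it up and restrict access to it like any other key material.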

Hey, I’m back. Thanks to you we fixed our problem!

But now we see this log line:

server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS

and here is our Caddyfile:

{
        email ethan.villesseche@harx.ai
        acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}

uat.harx.ai {
        reverse_proxy front:3000
}

That’s completely normal.

Okay, shouldn’t I add TLS policies?

Nope, that’s done for you by Caddy’s Automatic HTTPS feature. That message is the feature saying “yep, I’m making sure everything’s in order”.

Thanks for everything!

Hello! We have a new problem now. Today we just got back to work and it appears that our browsers show a message that the site is HTTPS but not secure, with this message: “certificate unavailable” / “Unable to verify this certificate with a trusted certificate authority”.

Here is a screenshot (in French, but it says exactly what I told you above):


Is this line still in your Caddyfile?

You have to remove it (and use the default production API) or set the production API explicitly: https://acme-v02.api.letsencrypt.org/directory – note how it’s acme-v02 instead of acme-staging-v02.
