Caddy + Docker don't use existing certifcate

LeMecWeird · May 2, 2022, 8:32am

1. Caddy version (`caddy version`):

last docker image abiosoft/caddy

2. How I run Caddy:

I simply use this docker compose :

version: "3.2"
services:
  back:
    build:
      context: ./backend/
      dockerfile: Dockerfile
    ports:
      - "3000:3000"
  front:
    build:
      context: ./FrontEnd/
      dockerfile: Dockerfile
  server-ssl-front:
    image: abiosoft/caddy
    depends_on:
      - front
    links:
      - front
    ports:
      - '80:80'
      - '443:443'
    volumes:
      - './.caddy:/root/.caddy'
      - './Caddyfile:/etc/Caddyfile'

a. System environment:

Ubuntu 20.04.3 and I use docker

b. Command:

docker-compose up

c. My complete Caddyfile or JSON config:

uat-harx.ai {
        proxy / front:3000
}

3. The problem I’m having:

Caddy just seems to ask for another certificate when we restart it. But we have the uuid inside the /.caddy in local that is the same as the uuid in the /.caddy in the docker. So we reached the limit of certificate. But we just want to use the already generated one.

4. Error messages and/or full log output:

server-ssl-front_1  | Activating privacy features... 2022/05/02 08:15:18 [INFO][uat.harx.ai] Obtain certificate
server-ssl-front_1  | 2022/05/02 08:15:18 [INFO] [uat.harx.ai] acme: Obtaining bundled SAN certificate
server-ssl-front_1  | 2022/05/02 08:15:19 [ERROR][uat.harx.ai] failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: uat.harx.ai: see https://letsencrypt.org/docs/rate-limits/, url:  (attempt 1/3; challenge=http-01)
server-ssl-front_1  | 2022/05/02 08:15:20 [INFO] [uat.harx.ai] acme: Obtaining bundled SAN certificate
server-ssl-front_1  | 2022/05/02 08:15:20 [ERROR][uat.harx.ai] failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: uat.harx.ai: see https://letsencrypt.org/docs/rate-limits/, url:  (attempt 2/3; challenge=http-01)
server-ssl-front_1  | 2022/05/02 08:15:21 [INFO] [uat.harx.ai] acme: Obtaining bundled SAN certificate
server-ssl-front_1  | 2022/05/02 08:15:21 [ERROR][uat.harx.ai] failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: uat.harx.ai: see https://letsencrypt.org/docs/rate-limits/, url:  (attempt 3/3; challenge=http-01)
server-ssl-front_1  | 2022/05/02 08:15:22 [INFO] [uat.harx.ai] acme: Obtaining bundled SAN certificate
server-ssl-front_1  | 2022/05/02 08:15:22 [ERROR][uat.harx.ai] failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: uat.harx.ai: see https://letsencrypt.org/docs/rate-limits/, url:  (attempt 1/3; challenge=tls-alpn-01)
server-ssl-front_1  | 2022/05/02 08:15:23 [INFO] [uat.harx.ai] acme: Obtaining bundled SAN certificate
server-ssl-front_1  | 2022/05/02 08:15:23 [ERROR][uat.harx.ai] failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: uat.harx.ai: see https://letsencrypt.org/docs/rate-limits/, url:  (attempt 2/3; challenge=tls-alpn-01)
server-ssl-front_1  | 2022/05/02 08:15:24 [INFO] [uat.harx.ai] acme: Obtaining bundled SAN certificate
server-ssl-front_1  | 2022/05/02 08:15:24 [ERROR][uat.harx.ai] failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: uat.harx.ai: see https://letsencrypt.org/docs/rate-limits/, url:  (attempt 3/3; challenge=tls-alpn-01)
server-ssl-front_1  | 2022/05/02 08:15:25 failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: uat.harx.ai: see https://letsencrypt.org/docs/rate-limits/, url: 
server-ssl-front_1  | exit status 1

5. What I already tried:

I tried to change a million time the name of the directory and of the volumes but nothing seems to work.

francislavoie · May 2, 2022, 12:24pm

That’s really old. Caddy v1 is no longer supported. Upgrade to Caddy v2 ASAP.

LeMecWeird · May 2, 2022, 12:43pm

what is the official docker image for caddy2 so ?

https://hub.docker.com/_/caddy

Is this one ? I tried to use this but never make it worked

francislavoie · May 2, 2022, 12:57pm

Yes, that’s the one. It definitely works. You’ll need to be more specific if you had trouble.

LeMecWeird · May 2, 2022, 1:08pm

I just changed the abiosoft/caddy image to the : caddy:latest

and changed my caddyfile from :

uat-harx.ai {
        proxy / front:3000
}

to

uat-harx.ai {
        reverse_proxy  front:3000
}

and I have this error :

server-ssl-front_1  | {"level":"info","ts":1651496743.0803978,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
server-ssl-front_1  | {"level":"info","ts":1651496743.0823915,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["//[::1]:2019","//127.0.0.1:2019","//localhost:2019"]}
server-ssl-front_1  | {"level":"warn","ts":1651496743.0826483,"logger":"http","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv0","http_port":80}
server-ssl-front_1  | {"level":"info","ts":1651496743.0832965,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0004bf2d0"}
server-ssl-front_1  | {"level":"info","ts":1651496743.0833755,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
server-ssl-front_1  | {"level":"info","ts":1651496743.0835757,"logger":"tls","msg":"finished cleaning storage units"}
server-ssl-front_1  | {"level":"info","ts":1651496743.0837498,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
server-ssl-front_1  | {"level":"info","ts":1651496743.0840368,"msg":"serving initial configuration"}

but that’s strange since my caddy server have the 443 open like in the docker file :

server-ssl-front:
    image: abiosoft/caddy
    depends_on:
      - front
    links:
      - front
    ports:
      - '80:80'
      - '443:443'
    volumes:
      - './.caddy:/root/.caddy'
      - './Caddyfile:/etc/Caddyfile'

francislavoie · May 2, 2022, 1:11pm

There’s no error there… that’s just Caddy’s regular startup logs. Notice there’s no "level": "error".

This is incorrect. Review the docs on Docker Hub. There’s a docker-compose example at the bottom. Or see here:

LeMecWeird · May 2, 2022, 2:45pm

Hey I’m back thanks to you we fixed our problem !

But now we have this log showing :

server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS

and here is our caddyfile :

{
        email ethan.villesseche@harx.ai
        acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}

uat.harx.ai {
        reverse_proxy front:3000
}

francislavoie · May 2, 2022, 3:13pm

That’s completely normal.

LeMecWeird · May 2, 2022, 3:15pm

Okay, shouldn’t I add tls policies ?

francislavoie · May 2, 2022, 3:16pm

Nope, that’s done for you by Caddy’s Automatic HTTPS feature. That message is the feature saying “yep I’m making sure everything’s in order”

LeMecWeird · May 2, 2022, 3:20pm

Thanks for all !

LeMecWeird · May 3, 2022, 8:11am

Hello ! we have a new problem now, today we just go back to work and it appear that our browsers show a message that the site is https but not secure, and we have this message : “certificate unvailable” “Unable to verify this certificate with a trusted certificate authority”

here is some screen (in french but that’s exactly what i told you before)

uat2

9peppe · May 3, 2022, 9:57am

Is this line still in your Caddyfile?

You have to remove it (and use the default production API) or set the production API explicitly: https://acme-v02.api.letsencrypt.org/directory – note how it’s acme-v02 instead of acme-staging-v02.

system · June 1, 2022, 8:33am

This topic was automatically closed after 30 days. New replies are no longer allowed.