Caddy docker errors starting up

1. Output of caddy version:

Caddy:2

2. How I run Caddy:

from docker-compose.yml

a. System environment:

WSL2 with Ubuntu 20.4

b. Command:

Paste command here.

c. Service/unit/compose file:

version: '3'

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    environment:
      WEBSOCKET_ENABLED: "true"  # Enable WebSocket notifications.
     SIGNUPS_ALLOWED: "false"
      INVITATIONS_ALLOWED: "false"
      SHOW_PASSWORD_HINT: "false"
      WEB_VAULT_ENABLED: "false"
#  mail service settings
      SMTP_HOST: "smtp.gmail.com"
      SMTP_FROM: "myemail@gmail.com"
      SMTP_PORT: "587"
      SMTP_SECURITY: "starttls"
      SMTP_USERNAME: "myeamil@gmail.com"
      SMTP_PASSWORD: "123456"
 #     SMTP_DEBUG: "true"
 #  ADMIN_TOKEN: "123456"
    volumes:
      - ./vw-data:/data
  caddy:
    image: caddy:2
    container_name: caddy
    restart: always

      - 80:80  # Needed for the ACME HTTP-01 challenge.
      - 443:443
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - ./caddy-config:/config
      - ./caddy-data:/data
    environment:
EMAIL: "myemail@yahoo.com"                 # The email address to use for ACME registration.
      LOG_FILE: "/data/access.log"

d. My complete Caddy config:

{$DOMAIN}:443 {

  log {
    level INFO
    output file {$LOG_FILE} {
      roll_size 10MB
      roll_keep 10
    }
  }

  # Use the ACME HTTP-01 challenge to get a cert for the configured domain.
  tls zung102@yahoo.com
  # This setting may have compatibility issues with some browsers
  # (e.g., attachment downloading on Firefox). Try disabling this
  # if you encounter issues.
  encode gzip

  # The file size is set to 500MB to support the Vaultwarden (Bitwarden) Send feature.
  request_body {
       max_size 500MB
  }

  header {
       # Enable cross-site filter (XSS) and tell browser to block detected attacks
       X-XSS-Protection "1; mode=block"
       # Disallow the site to be rendered within a frame (clickjacking protection)
       X-Frame-Options "DENY"
       # Prevent search engines from indexing (optional)
       X-Robots-Tag "none"
       # Server name removing
       -Server
  }

  # Notifications redirected to the WebSocket server


# The negotiation endpoint is also proxied to Rocket
  reverse_proxy /notifications/hub/negotiate vaultwarden:80
# Notifications redirected to the websockets server
  reverse_proxy /notifications/hub vaultwarden:3012
# Proxy everything else to Rocket
  reverse_proxy  vaultwarden:80 {
       # Send the true remote IP to Rocket, so that vaultwarden can put this in the
       # log, so that fail2ban can ban the correct IP.
       header_up X-Real-IP {remote_host}
  }

}

3. The problem I’m having:

curl -v 172.20.0.2 yielded this result:

zung@Dzungabc:~/vaultwarden$ curl -v --insecure https://172.20.0.3
*   Trying 172.20.0.3:443...
* TCP_NODELAY set
^C

i.e. I guessed it could not connect to the Caddy network. The same was true for Vaultwarden docker network interface: 172.20.0.2

4. Error messages and/or full log output:

2023-01-18 12:21:14 {"level":"info","ts":1674062474.2557902,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"vfor26.duckdns.org","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
2023-01-18 12:21:45 {"level":"error","ts":1674062505.8908184,"logger":"http.acme_client","msg":"challenge failed","identifier":"vfor26.duckdns.org","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"72.140.211.179: Fetching http://vfor26.duckdns.org/.well-known/acme-challenge/KzddrLgACaMCcRI1XYuqG-96IenJeAMD8EKzvmiu9bk: Connection reset by peer","instance":"","subproblems":[]}}
2023-01-18 12:21:45 {"level":"error","ts":1674062505.8909328,"logger":"http.acme_client","msg":"validating authorization","identifier":"vfor26.duckdns.org","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"72.140.211.179: Fetching http://vfor26.duckdns.org/.well-known/acme-challenge/KzddrLgACaMCcRI1XYuqG-96IenJeAMD8EKzvmiu9bk: Connection reset by peer","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/83660683/6618821093","attempt":2,"max_attempts":3}
2023-01-18 12:21:45 {"level":"error","ts":1674062505.8910525,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"vfor26.duckdns.org","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:connection - 72.140.211.179: Fetching http://vfor26.duckdns.org/.well-known/acme-challenge/KzddrLgACaMCcRI1XYuqG-96IenJeAMD8EKzvmiu9bk: Connection reset by peer"}

for Vaultwarden log ...
2023-01-18 11:28:43 [INFO] No .env file found.
2023-01-18 11:28:43 
2023-01-18 11:28:44 [2023-01-18 16:28:44.037][vaultwarden::api::notifications][INFO] Starting WebSockets server on 0.0.0.0:3012
2023-01-18 11:28:44 [2023-01-18 16:28:44.047][start][INFO] Rocket has launched from http://0.0.0.0:80

5. What I already tried:

I actually have gotten Vaultwarden and Caddy dockers ran successfully after guidance from this post Cannot start Caddy via Docker - #61 by zung102

I made some minor changes then backed out the changes then I ran into this problem. I have tried to remove vaultwarden image and to pull it again, but the same result remained.

Port forwarding is below …

Address         Port        Address         Port
--------------- ----------  --------------- ----------
192.168.0.146   80          172.20.0.3      80
192.168.0.146   443         172.20.0.3      443

Thanks for any help toward this issue.

6. Links to relevant resources:

I had tried to enter the DOMAIN environment variable for both the vaultwarden and caddy services in compose file but it was not successful. Here it is its value https and semicolon then URL name

That seems… very high. Arguably, there’s no reason to even use this if you’re going to set the maximum that high :thinking: When would someone ever send more than that?

There’s no benefit to doing this. The Server header does not expose any information that could be used in a harmful way.

What was your DOMAIN environment variable set to?

If you make a request with curl with the hostname of 172.20.0.3, then Caddy would need to have a certificate with the name 172.20.0.3 in it. If your DOMAIN wasn’t that, then it won’t have a certificate, and won’t be able to complete the TLS handshake.

Are you sure you have ports forwarded in your router, and your firewall in Windows allowing traffic on ports 80 and 443?

was set for $DOMAIN.
Yes, the router still has the port forwarding unchanged i.e.
80 → 80 on local IP 192.168.0.146
443–> 443 on local IP 192.168.0.146
It used to work without Windows port inbound allowance. However, I made the new rule for Windows to allow inbound to ports 80, 443. It did not appear to make any progress …

2023-01-19 00:02:35 {"level":"info","ts":1674104555.6880844,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"vfor26.duckdns.org","challenge_type":"http-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
2023-01-19 00:03:07 {"level":"error","ts":1674104587.2667882,"logger":"http.acme_client","msg":"challenge failed","identifier":"vfor26.duckdns.org","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"72.140.211.179: Fetching http://vfor26.duckdns.org/.well-known/acme-challenge/yphcVkQ_lo3jUdDnlkm_Wyj0c072LJZOe1n80fVh300: Connection reset by peer","instance":"","subproblems":[]}}
2023-01-19 00:03:07 {"level":"error","ts":1674104587.2669978,"logger":"http.acme_client","msg":"validating authorization","identifier":"vfor26.duckdns.org","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"72.140.211.179: Fetching http://vfor26.duckdns.org/.well-known/acme-challenge/yphcVkQ_lo3jUdDnlkm_Wyj0c072LJZOe1n80fVh300: Connection reset by peer","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/914577057/159689198947","attempt":2,"max_attempts":3}
2023-01-19 00:03:07 {"level":"error","ts":1674104587.2671893,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"vfor26.duckdns.org","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:connection - 72.140.211.179: Fetching http://vfor26.duckdns.org/.well-known/acme-challenge/yphcVkQ_lo3jUdDnlkm_Wyj0c072LJZOe1n80fVh300: Connection reset by peer"}
2023-01-19 00:03:07 {"level":"info","ts":1674104587.2686172,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["vfor26.duckdns.org"],"ca":"https://acme.zerossl.com/v2/DV90","account":"zung102@yahoo.com"}
2023-01-19 00:03:07 {"level":"info","ts":1674104587.2687845,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["vfor26.duckdns.org"],"ca":"https://acme.zerossl.com/v2/DV90","account":"zung102@yahoo.com"}
2023-01-19 00:03:23 {"level":"info","ts":1674104603.7399032,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"vfor26.duckdns.org","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
2023-01-19 00:03:45 {"level":"error","ts":1674104625.6525977,"logger":"http.acme_client","msg":"challenge failed","identifier":"vfor26.duckdns.org","challenge_type":"http-01","problem":{"type":"","title":"","detail":"","instance":"","subproblems":[]}}

One question why curl -v 172.20.0.2 suspended and did not show the vaultwarden web contents as 172.20.0.2 was the vaultwarden docker address.
Thank you for continuing to help me !!! Also for commenting about the parameters in my Caddyfile.

This topic was automatically closed after 30 days. New replies are no longer allowed.