Caddy(docker) reverse proxy with dns-01 on Cloudflare

craffolo · October 17, 2021, 5:13pm

I retried this and now the response is “curl: (60) SSL certificate problem: unable to get local issuer certificate”

Whitestrake · October 18, 2021, 4:48am

How about:

curl -kIL --resolve gorcy.domain.x:10000:127.0.0.1 https://gorcy.domain.x:10000

(Note the addition of the k flag)

craffolo · October 18, 2021, 8:04am

HTTP/2 502
server: Caddy
date: Mon, 18 Oct 2021 08:03:06 GMT

So i have problem with ssl?

Whitestrake · October 18, 2021, 8:14am

And with the upstream server, apparently.

This could means that your local root certificate store has issues of some kind.

I’m not sure how to proceed on a raspberry pi, exactly, but I’d probably look into troubleshooting your ca-certificates next?

craffolo · October 18, 2021, 4:42pm

I’m trying with cloudflare origin CA and dns01 challenge, but neither can resolve the problem. So i decided to try all from the start without cloudflared and with the 10000 port opened on my router, but When i try to connect it says “ERR_NAME_NOT_RESOLVED”

This is the configuration

gorcy.mydomain.x:10000 {
	tls /cert/certificate.pem /cert/key.pem
	reverse_proxy http://127.0.0.1:9283
}

And on DNS Cloudflare:
A | mydomain.x–>> my ip
CNAME | gorcy → mydomain.x

craffolo · October 18, 2021, 8:03pm

with this “curl -IL --resolve gorcy.domain.x:10000:127.0.0.1 https://gorcy.domain.x:10000”
curl: (7) Failed to connect to gorcy.domain.x port 10000: Connection refused

I’m using origin cloudflare cert. And now with dns-01 i’m not able to get the cert : “timed out waiting for record to fully propagate; verify DNS provider configuration is correct”

craffolo · October 18, 2021, 8:32pm

What is the meaning of this error?

tls     stapling OCSP   {"error": "no OCSP stapling for [cloudflare origin certificate *.home04.cloud home04.cloud]: no URL to issuing certificate"}

francislavoie · October 18, 2021, 8:33pm

That’s harmless, Caddy’s just saying that the certificate should have an OCSP stapling URL, because it’s best-practice, but for various reasons, Cloudflare’s doesn’t. You can ignore that.

craffolo · October 29, 2021, 5:42pm

Now that i have time, i decided to start all over.
But now i have a new error from cloudflare “Error 525 SSL handshake failed”
what does mean?

https://gorcy.domain.x { 
	tls {
		dns cloudflare aaabbccddd
		alpn disable_tlsalpn_challenge
	}	
  	respond "TEST"
  	file_server
}

francislavoie · October 29, 2021, 6:50pm

That means Cloudflare couldn’t trust the cert that Caddy served it.

What are in your logs? Please give as much detail as possible.

What modes do you have set on Cloudflare?

craffolo · November 9, 2021, 8:51pm

ssl complete mode.
A record to my ip and CNAME record “gorcy” to my A record

How can i get accurate logs?

craffolo · November 22, 2021, 11:25am

Can someone help me?

Whitestrake · November 23, 2021, 3:26am

We’re not quite sure how to help you because we don’t have a good picture of what’s actually happening.

I’m not sure what you mean specifically by accurate logs - I’m not sure I’d describe any of Caddy’s log output as particularly inaccurate, definitely never purposefully so… The best I can do is point you to How Logging Works — Caddy Documentation.

francislavoie · December 7, 2021, 3:26am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.