Caddy docker rootless problem with Certificate

1. Caddy version (caddy version):

:latest

2. How I run Caddy:

docker rootless

a. System environment:

Ubuntu 20.04 LTS

b. Command:

docker-compose up

c. Service/unit/compose file:

docker

d. My complete Caddyfile or JSON config:

in Global section on the top:

http_port  8080
https_port 4430

in docker-compose:
ports:
- "8080:80"
- "4430:443"

3. The problem I’m having:

Cannot get certificates

4. Error messages and/or full log output:

{"level":"error","ts":1613765594.8973374,"logger":"tls.obtain","msg":"will retry","error":"[domain.com] Obtain: [domain.com] solving challenges: domain.com: no solvers available for remaining challenges (configured=[http-01 tls-alpn-01] offered=[http-01 dns-01 tls-alpn-01] remaining=[dns-01]) (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/18181971/243776816) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":6.114742529,"max_duration":2592000}

5. What I already tried:

I think it may be an iptables thing. Perhaps you know what iptables rule to set?

6. Links to relevant resources:

You have the Docker ports backwards; you would need to bind 80 and 443 on the host but 8080 and 4430 in the container.

ACME requires ports 80 and 443. Those global options just change what Caddy “thinks” HTTP and HTTPS mean instead of the default of 80 and 443, but ACME will still want to connect to those ports.

Francis, do you know what config in Caddyfile to change exactly?

Docker rootless means the container cannot use privileged ports; that's why I used 8080 and 4430 earlier, but as you said, it does not work for ACME.

I use this in docker-compose too:
cap_add:
- NET_BIND_SERVICE

The only thing that’s wrong is your Docker port mapping. Your Caddyfile is fine. You just need to flip the two numbers around the :

Change those to:

- "80:8080"
- "443:4430"
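To make the mapping rule above checkable, here is a small added script (not from the thread or the Caddy project) that reads `http_port`/`https_port` from a Caddyfile global block and compares them with docker-compose `ports` entries, reporting when host ports 80 and 443 do not land on Caddy's configured ports. The Caddyfile and port lists are constructed samples mirroring the poster's setup.

```python
import re

# Constructed sample inputs, modelled on the thread (hypothetical, not the poster's files).
CADDYFILE = """{
    http_port  8080
    https_port 4430
}
"""
COMPOSE_PORTS_WRONG = ["8080:80", "4430:443"]   # host:container as originally posted
COMPOSE_PORTS_RIGHT = ["80:8080", "443:4430"]   # host 80/443 -> container 8080/4430


def caddy_ports(caddyfile: str) -> dict:
    """Read http_port/https_port from the global options; Caddy defaults to 80/443."""
    ports = {"http": 80, "https": 443}
    for key in ("http", "https"):
        m = re.search(rf"^\s*{key}_port\s+(\d+)\s*$", caddyfile, re.M)
        if m:
            ports[key] = int(m.group(1))
    return ports


def check_mapping(caddyfile: str, compose_ports: list) -> list:
    """Return findings; an empty list means HTTP-01/TLS-ALPN-01 can reach Caddy."""
    wanted = caddy_ports(caddyfile)
    mapping = {}
    for entry in compose_ports:
        # Accept "host:container", "ip:host:container" and a "/tcp" suffix.
        parts = entry.strip("\"'").split("/")[0].split(":")
        mapping[int(parts[-2])] = int(parts[-1])
    findings = []
    for host_port, key in ((80, "http"), (443, "https")):
        if host_port not in mapping:
            findings.append(f"host port {host_port} is not published; ACME connects to it")
        elif mapping[host_port] != wanted[key]:
            findings.append(
                f"host {host_port} maps to container {mapping[host_port]}, "
                f"but {key}_port is {wanted[key]}"
            )
    return findings


if __name__ == "__main__":
    for label, ports in (("wrong", COMPOSE_PORTS_WRONG), ("right", COMPOSE_PORTS_RIGHT)):
        print(label, check_mapping(CADDYFILE, ports) or "ok")
```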

When I type 80:8080 Caddy has a problem with 0.0.0.0:43.
When I do my way, ACME is the problem.

I’m not sure what problem you’re having, because that’s known to work (listen to a high port inside of the Caddy container, and map them to the low ports on your host).

Alternatively, you can configure Caddy to use the DNS challenge instead, which doesn't require any particular ports to be open but requires you to build Caddy with the appropriate plugin to solve the DNS challenge.

There are instructions for building Caddy with plugins here: Docker Hub