Caddy doesn't seem to start/run or do secure connections

1. Caddy version (caddy version): 2.3.0

2. How I run Caddy:

from the CL: sudo systemctl start caddy

a. System environment:

RPi 4, RP-OS

PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
NAME="Raspbian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"

b. Command:

sudo systemctl start caddy

c. Service/unit/compose file:

n/a

d. My complete Caddyfile or JSON config:

```
# The Caddyfile is an easy way to configure your Caddy web server.
#
# Unless the file starts with a global options block, the first
# uncommented line is always the address of your site.
#
# To use your own domain name (with automatic HTTPS), first make
# sure your domain's A/AAAA DNS records are properly pointed to
# this machine's public IP, then replace the line below with your
# domain name.
#:80
#mediaserver.stufftoread.com
jellyfin.DOMAIN.TLD {
    encode gzip
    reverse_proxy mediaserver.stufftoread.com:8096
}
# Set this path to your site's directory.
root * /usr/share/caddy

# Enable the static file server.
file_server

# Another common task is to set up a reverse proxy:
# reverse_proxy localhost:8080
reverse_proxy 127.0.0.1:8096
#{
#    email email@domain.tld
#}

#jellyfin.DOMAIN.TLD {
#    encode gzip
#    reverse_proxy mediaserver.stufftoread.com:8096
#}
# Or serve a PHP site through php-fpm:
# php_fastcgi localhost:9000

# Refer to the Caddy docs for more information:
# https://caddyserver.com/docs/caddyfile
```

3. The problem I’m having:

I am running the Jellyfin media system. I want to use Caddy to implement a reverse proxy and support HTTPS connections to Jellyfin.

  1. I do not know how to test that the reverse proxy is working.
  2. When I connect to Jellyfin from the web or my LAN using any web browser, it states that the connection is ‘not secured’.

When I open http://localhost, I get the ‘Caddy success’ page.
I am not sure what commands to use, and in what order, to:
a) shut Caddy down and kill any zombie or suspended instances
b) correctly restart it, with or without a new Caddyfile

4. Error messages and/or full log output:

I issue: sudo systemctl start caddy
I then issue: journalctl -u caddy --no-pager | less
This is the last portion of the log file:

Apr 14 20:07:01 raspberrypi systemd[1]: Started Caddy.
Apr 14 20:07:02 raspberrypi caddy[16417]: caddy.HomeDir=/var/lib/caddy
Apr 14 20:07:02 raspberrypi caddy[16417]: caddy.AppDataDir=/var/lib/caddy/.local/share/caddy
Apr 14 20:07:02 raspberrypi caddy[16417]: caddy.AppConfigDir=/var/lib/caddy/.config/caddy
Apr 14 20:07:02 raspberrypi caddy[16417]: caddy.ConfigAutosavePath=/var/lib/caddy/.config/caddy/autosave.json
Apr 14 20:07:02 raspberrypi caddy[16417]: caddy.Version=v2.3.0
Apr 14 20:07:02 raspberrypi caddy[16417]: runtime.GOOS=linux
Apr 14 20:07:02 raspberrypi caddy[16417]: runtime.GOARCH=arm
Apr 14 20:07:02 raspberrypi caddy[16417]: runtime.Compiler=gc
Apr 14 20:07:02 raspberrypi caddy[16417]: runtime.NumCPU=4
Apr 14 20:07:02 raspberrypi caddy[16417]: runtime.GOMAXPROCS=4
Apr 14 20:07:02 raspberrypi caddy[16417]: runtime.Version=go1.15.6
Apr 14 20:07:02 raspberrypi caddy[16417]: os.Getwd=/
Apr 14 20:07:02 raspberrypi caddy[16417]: LANG=en_US.UTF-8
Apr 14 20:07:02 raspberrypi caddy[16417]: LANGUAGE=en_US.UTF-8
Apr 14 20:07:02 raspberrypi caddy[16417]: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Apr 14 20:07:02 raspberrypi caddy[16417]: HOME=/var/lib/caddy
Apr 14 20:07:02 raspberrypi caddy[16417]: LOGNAME=caddy
Apr 14 20:07:02 raspberrypi caddy[16417]: USER=caddy
Apr 14 20:07:02 raspberrypi caddy[16417]: INVOCATION_ID=b99a3b666a2648a0a22d9f35a75b0e69
Apr 14 20:07:02 raspberrypi caddy[16417]: JOURNAL_STREAM=8:967252
Apr 14 20:07:02 raspberrypi caddy[16417]: {"level":"info","ts":1618445222.0433996,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Apr 14 20:07:02 raspberrypi caddy[16417]: {"level":"info","ts":1618445222.0489562,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
Apr 14 20:07:02 raspberrypi caddy[16417]: {"level":"info","ts":1618445222.0499094,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x38a3f40"}
Apr 14 20:07:02 raspberrypi caddy[16417]: {"level":"info","ts":1618445222.0582778,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
Apr 14 20:07:02 raspberrypi caddy[16417]: {"level":"warn","ts":1618445222.1815743,"logger":"pki.ca.local","msg":"installing root certificate (you might be prompted for password)","path":"storage:pki/authorities/local/root.crt"}
Apr 14 20:07:02 raspberrypi caddy[16417]: 2021/04/14 20:07:02 Warning: "certutil" is not available, install "certutil" with "apt install libnss3-tools" or "yum install nss-tools" and try again
Apr 14 20:07:02 raspberrypi caddy[16417]: 2021/04/14 20:07:02 define JAVA_HOME environment variable to use the Java trust
Apr 14 20:07:02 raspberrypi sudo[16426]: pam_unix(sudo:auth): conversation failed
Apr 14 20:07:02 raspberrypi sudo[16426]: pam_unix(sudo:auth): auth could not identify password for [caddy]
Apr 14 20:07:02 raspberrypi sudo[16426]:    caddy : user NOT in sudoers ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/tee /usr/local/share/ca-certificates/Caddy_Local_Authority_-_2021_ECC_Root_633403934265866780001270883444613788.crt
Apr 14 20:07:02 raspberrypi caddy[16417]: {"level":"error","ts":1618445222.2062793,"logger":"pki.ca.local","msg":"failed to install root certificate","error":"failed to execute sudo: exit status 1","certificate_file":"storage:pki/authorities/local/root.crt"}
Apr 14 20:07:02 raspberrypi caddy[16417]: {"level":"info","ts":1618445222.2088716,"logger":"tls.obtain","msg":"acquiring lock","identifier":"root"}
Apr 14 20:07:02 raspberrypi caddy[16417]: {"level":"info","ts":1618445222.209651,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["jellyfin.domain.tld","root"]}
Apr 14 20:07:02 raspberrypi caddy[16417]: {"level":"info","ts":1618445222.210895,"logger":"tls.obtain","msg":"acquiring lock","identifier":"*"}
Apr 14 20:07:02 raspberrypi caddy[16417]: {"level":"info","ts":1618445222.2113645,"logger":"tls.obtain","msg":"lock acquired","identifier":"*"}
Apr 14 20:07:02 raspberrypi caddy[16417]: {"level":"info","ts":1618445222.210333,"logger":"tls.obtain","msg":"lock acquired","identifier":"root"}
Apr 14 20:07:02 raspberrypi caddy[16417]: {"level":"info","ts":1618445222.2130425,"msg":"autosaved config","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Apr 14 20:07:02 raspberrypi caddy[16417]: {"level":"info","ts":1618445222.2222428,"msg":"serving initial configuration"}
Apr 14 20:07:02 raspberrypi caddy[16417]: {"level":"info","ts":1618445222.2154403,"logger":"tls","msg":"cleaned up storage units"}
Apr 14 20:07:02 raspberrypi caddy[16417]: {"level":"info","ts":1618445222.2239392,"logger":"tls.obtain","msg":"acquiring lock","identifier":"jellyfin.domain.tld"}
Apr 14 20:07:02 raspberrypi caddy[16417]: {"level":"info","ts":1618445222.224881,"logger":"tls.obtain","msg":"acquiring lock","identifier":"root"}
Apr 14 20:07:02 raspberrypi caddy[16417]: {"level":"info","ts":1618445222.225707,"logger":"tls.obtain","msg":"lock acquired","identifier":"jellyfin.domain.tld"}
Apr 14 20:07:02 raspberrypi caddy[16417]: {"level":"info","ts":1618445222.2311223,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"root"}
Apr 14 20:07:02 raspberrypi caddy[16417]: {"level":"info","ts":1618445222.2311835,"logger":"tls.obtain","msg":"releasing lock","identifier":"root"}
Apr 14 20:07:02 raspberrypi caddy[16417]: {"level":"warn","ts":1618445222.2347302,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [root]: no OCSP server specified in certificate"}
Apr 14 20:07:02 raspberrypi caddy[16417]: {"level":"info","ts":1618445222.234884,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["jellyfin.domain.tld"]}
Apr 14 20:07:02 raspberrypi caddy[16417]: {"level":"info","ts":1618445222.2349503,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["jellyfin.domain.tld"]}
Apr 14 20:07:02 raspberrypi caddy[16417]: {"level":"info","ts":1618445222.239381,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"*"}
Apr 14 20:07:02 raspberrypi caddy[16417]: {"level":"info","ts":1618445222.2394261,"logger":"tls.obtain","msg":"releasing lock","identifier":"*"}
Apr 14 20:07:02 raspberrypi caddy[16417]: {"level":"warn","ts":1618445222.242,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [*]: no OCSP server specified in certificate"}
Apr 14 20:07:02 raspberrypi caddy[16417]: {"level":"info","ts":1618445222.7109668,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["jellyfin.domain.tld"]}
Apr 14 20:07:02 raspberrypi caddy[16417]: {"level":"info","ts":1618445222.7116823,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["jellyfin.domain.tld"]}
Apr 14 20:07:03 raspberrypi caddy[16417]: {"level":"error","ts":1618445223.1016335,"logger":"tls.obtain","msg":"will retry","error":"[jellyfin.domain.tld] Obtain: [jellyfin.domain.tld] creating new order: request to https://acme.zerossl.com/v2/DV90/newOrder failed after 1 attempts: HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [jellyfin.domain.tld] (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":0.875859077,"max_duration":2592000}
Apr 14 20:07:03 raspberrypi caddy[16417]: {"level":"info","ts":1618445223.2260509,"logger":"tls.obtain","msg":"lock acquired","identifier":"root"}
Apr 14 20:07:03 raspberrypi caddy[16417]: {"level":"info","ts":1618445223.226719,"logger":"tls.obtain","msg":"certificate already exists in storage","identifier":"root"}
Apr 14 20:07:03 raspberrypi caddy[16417]: {"level":"info","ts":1618445223.2267785,"logger":"tls.obtain","msg":"releasing lock","identifier":"root"}
Apr 14 20:07:03 raspberrypi caddy[16417]: {"level":"warn","ts":1618445223.2324445,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [root]: no OCSP server specified in certificate"}
Apr 14 20:08:03 raspberrypi caddy[16417]: {"level":"error","ts":1618445283.980844,"logger":"tls.obtain","msg":"will retry","error":"[jellyfin.domain.tld] Obtain: [jellyfin.domain.tld] creating new order: request to https://acme.zerossl.com/v2/DV90/newOrder failed after 1 attempts: HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [jellyfin.domain.tld] (ca=https://acme.zerossl.com/v2/DV90)","attempt":2,"retrying_in":120,"elapsed":61.755069736,"max_duration":2592000}
Apr 14 20:10:04 raspberrypi caddy[16417]: {"level":"error","ts":1618445404.7653296,"logger":"tls.obtain","msg":"will retry","error":"[jellyfin.domain.tld] Obtain: [jellyfin.domain.tld] creating new order: request to https://acme.zerossl.com/v2/DV90/newOrder failed after 1 attempts: HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [jellyfin.domain.tld] (ca=https://acme.zerossl.com/v2/DV90)","attempt":3,"retrying_in":120,"elapsed":182.539554229,"max_duration":2592000}
Apr 14 20:12:05 raspberrypi caddy[16417]: {"level":"error","ts":1618445525.5073993,"logger":"tls.obtain","msg":"will retry","error":"[jellyfin.domain.tld] Obtain: [jellyfin.domain.tld] creating new order: request to https://acme.zerossl.com/v2/DV90/newOrder failed after 1 attempts: HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [jellyfin.domain.tld] (ca=https://acme.zerossl.com/v2/DV90)","attempt":4,"retrying_in":300,"elapsed":303.281624582,"max_duration":2592000}
Apr 14 20:17:06 raspberrypi caddy[16417]: {"level":"error","ts":1618445826.2060003,"logger":"tls.obtain","msg":"will retry","error":"[jellyfin.domain.tld] Obtain: [jellyfin.domain.tld] creating new order: request to https://acme.zerossl.com/v2/DV90/newOrder failed after 1 attempts: HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [jellyfin.domain.tld] (ca=https://acme.zerossl.com/v2/DV90)","attempt":5,"retrying_in":600,"elapsed":603.98022583,"max_duration":2592000}
Apr 14 20:27:07 raspberrypi caddy[16417]: {"level":"error","ts":1618446427.0961154,"logger":"tls.obtain","msg":"will retry","error":"[jellyfin.domain.tld] Obtain: [jellyfin.domain.tld] creating new order: request to https://acme.zerossl.com/v2/DV90/newOrder failed after 1 attempts: HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [jellyfin.domain.tld] (ca=https://acme.zerossl.com/v2/DV90)","attempt":6,"retrying_in":1200,"elapsed":1204.870341586,"max_duration":2592000}
Apr 14 20:47:07 raspberrypi caddy[16417]: {"level":"error","ts":1618447627.8803048,"logger":"tls.obtain","msg":"will retry","error":"[jellyfin.domain.tld] Obtain: [jellyfin.domain.tld] creating new order: request to https://acme.zerossl.com/v2/DV90/newOrder failed after 1 attempts: HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [jellyfin.domain.tld] (ca=https://acme.zerossl.com/v2/DV90)","attempt":7,"retrying_in":1200,"elapsed":2405.65453113,"max_duration":2592000}
Apr 14 21:07:08 raspberrypi caddy[16417]: {"level":"error","ts":1618448828.570637,"logger":"tls.obtain","msg":"will retry","error":"[jellyfin.domain.tld] Obtain: [jellyfin.domain.tld] creating new order: request to https://acme.zerossl.com/v2/DV90/newOrder failed after 1 attempts: HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [jellyfin.domain.tld] (ca=https://acme.zerossl.com/v2/DV90)","attempt":8,"retrying_in":1800,"elapsed":3606.344863526,"max_duration":2592000}
Apr 14 21:37:09 raspberrypi caddy[16417]: {"level":"error","ts":1618450629.7044632,"logger":"tls.obtain","msg":"will retry","error":"[jellyfin.domain.tld] Obtain: [jellyfin.domain.tld] creating new order: request to https://acme.zerossl.com/v2/DV90/newOrder failed after 1 attempts: HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [jellyfin.domain.tld] (ca=https://acme.zerossl.com/v2/DV90)","attempt":9,"retrying_in":1800,"elapsed":5407.478689038,"max_duration":2592000}


### 5. What I already tried:

I've used various combinations of caddy stop/start/run and revised my Caddyfile to what I think is the minimum to connect to jellyfin securely.


### 6. Links to relevant resources: 
https://jellyfin.org/docs/general/quick-start.html
See the link ‘reverse proxies’ in the text.

Your config is invalid, because if you’re trying to serve multiple sites, you need to use braces for each site.

Essentially you just need to remove everything else in your config that isn’t your jellyfin site.

Also, the error you’re seeing is:

That’s not a real domain name, so you can’t use that. If you want HTTPS, you need to use a domain that you own, which points to your server.

Thank you. I changed my Caddyfile to:

```
# The Caddyfile is an easy way to configure your Caddy web server.

mediaserver.stufftoread.com {
    encode gzip
    reverse_proxy mediaserver.stufftoread.com:8096
}

# Set this path to your site's directory.

root * /usr/share/caddy

# Enable the static file server.

file_server

# Another common task is to set up a reverse proxy:

reverse_proxy 127.0.0.1:8096
#end
```
Still no joy… Is this Caddyfile correct?
Thanks

Please use backticks (```) on their own lines, before and after your config, to use code formatting, otherwise the forums parse it as markdown which messes it up.

It looks like you still have unrelated stuff in your config. Please read the docs to understand how the Caddyfile should be structured:

Thank you. I changed my Caddyfile to:

```
# The Caddyfile is an easy way to configure your Caddy web server.

mediaserver.stufftoread.com {
    encode gzip
    reverse_proxy mediaserver.stufftoread.com:8096
}
# Set this path to your site's directory.
root * /usr/share/caddy

# Enable the static file server.
file_server

# Another common task is to set up a reverse proxy:
reverse_proxy 127.0.0.1:8096
#end
```

What specifically is incorrect with this Caddyfile? I read the docs and I can’t see what is incorrect.
Thanks

When there is only one site block, the curly braces (and indentation) are optional. This is for convenience to quickly define a single site, when you have only a single site block; it’s a matter of preference.

To configure multiple sites with the same Caddyfile, you must use curly braces around each one to separate their configurations:

This stuff is not inside a site block, so it doesn’t make sense:

Thanks again. I don’t understand the ‘serving two sites’. The only site I have is Jellyfin, unless you are including the local host. I revised the file to this… is it correct?

```
mediaserver.stufftoread.com {
    encode gzip
    reverse_proxy mediaserver.stufftoread.com:8096
    file_server
    root * /usr/share/caddy
}

127.0.0.1:8096 {
    reverse_proxy 127.0.0.1:8096
    root * /usr/share/caddy
    file_server
}
```

Sorta better. You don’t need root and file_server if you’re proxying. Also it doesn’t make sense to try to have Caddy try to serve 127.0.0.1:8096 because Jellyfin is already listening on that port.

I don’t quite understand what you’re trying to do though. You have Jellyfin running on the same machine, right? Then your config should just look like this:

```
mediaserver.stufftoread.com {
    encode gzip
    reverse_proxy 127.0.0.1:8096
}
```

That’s it.
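A check for the point above, added here as example code (not from the Caddy project and not posted in this thread): it models, in a simplified way, which TCP port each site address in a Caddyfile makes Caddy bind, and compares those ports with the listeners already on the host, so a block such as `127.0.0.1:8096 { ... }` in the two-block Caddyfile above is reported as clashing with Jellyfin before Caddy is restarted. Assumptions: Caddy's default ports 80 and 443, brace-delimited site blocks only, no global options block, and `ss` from iproute2 for the live check.

```shell
#!/bin/sh
# Simplified model of Caddy 2's site-address-to-port rules. Assumptions:
# defaults http_port=80 and https_port=443, no global options block,
# brace-delimited site blocks. Not Caddy code; written for this example.

# site_listen_port ADDRESS: print the port Caddy would bind for one site address.
site_listen_port() {
    addr=$1
    scheme=
    case "$addr" in
        http://*)  scheme=http;  addr=${addr#http://} ;;
        https://*) scheme=https; addr=${addr#https://} ;;
    esac
    hostport=${addr%%/*}                    # drop any path suffix
    port=
    case "$hostport" in
        \[*\]:*) port=${hostport##*:} ;;     # [::1]:2019 style IPv6 literal
        \[*\])   port= ;;                    # bare IPv6 literal, no port
        *:*)     port=${hostport##*:} ;;     # host:port or :port
    esac
    if [ -n "$port" ]; then
        printf '%s\n' "$port"
    elif [ "$scheme" = http ]; then
        printf '80\n'                        # explicit http://, plain HTTP
    else
        printf '443\n'                       # default: HTTPS with automatic TLS
    fi
}

# caddyfile_site_addresses FILE: print the address(es) opening each site block,
# e.g. "mediaserver.stufftoread.com {" -> mediaserver.stufftoread.com.
caddyfile_site_addresses() {
    sed -n 's/^\([^[:space:]#{][^{]*\)[[:space:]]*{[[:space:]]*$/\1/p' "$1" |
        tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | awk 'NF'
}

# caddy_listen_ports FILE: every port the Caddyfile would make Caddy bind.
# A site served on 443 also gets the HTTP->HTTPS redirect listener on 80.
caddy_listen_ports() {
    caddyfile_site_addresses "$1" | while IFS= read -r a; do
        p=$(site_listen_port "$a")
        printf '%s\n' "$p"
        if [ "$p" = 443 ]; then
            case "$a" in http://*) ;; *) printf '80\n' ;; esac
        fi
    done | sort -un
}

# listening_ports_from_ss: read `ss -Hltn` output on stdin, print bound ports.
listening_ports_from_ss() {
    awk '{ n = split($4, f, ":"); print f[n] }' | sort -un
}

# port_conflicts FILE: print each Caddy port that another process already owns.
# Stdin is `ss -Hltn` output, live or captured. Stop Caddy before a live run,
# otherwise its own 80/443 listeners are reported as conflicts.
port_conflicts() {
    in_use=$(listening_ports_from_ss)
    for p in $(caddy_listen_ports "$1"); do
        for u in $in_use; do
            if [ "$p" = "$u" ]; then printf '%s\n' "$p"; fi
        done
    done
}

# Usage: sh caddy_ports.sh /etc/caddy/Caddyfile
# Prints nothing when the Caddyfile's ports are free; otherwise prints each
# clashing port (for the two-block Caddyfile above: 8096, held by Jellyfin).
if [ $# -gt 0 ]; then
    ss -Hltn | port_conflicts "$1"
fi
```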

Thanks again. Yes, Jellyfin is running on the same machine. I edited my Caddyfile to be exactly like the one you posted. When I started Caddy, it is not happy… here is the tail of the error log:

Apr 15 00:33:41 raspberrypi systemd[1]: Started Caddy.
Apr 15 00:33:41 raspberrypi caddy[21794]: caddy.HomeDir=/var/lib/caddy
Apr 15 00:33:41 raspberrypi caddy[21794]: caddy.AppDataDir=/var/lib/caddy/.local/share/caddy
Apr 15 00:33:41 raspberrypi caddy[21794]: caddy.AppConfigDir=/var/lib/caddy/.config/caddy
Apr 15 00:33:41 raspberrypi caddy[21794]: caddy.ConfigAutosavePath=/var/lib/caddy/.config/caddy/autosave.json
Apr 15 00:33:41 raspberrypi caddy[21794]: caddy.Version=v2.3.0
Apr 15 00:33:41 raspberrypi caddy[21794]: runtime.GOOS=linux
Apr 15 00:33:41 raspberrypi caddy[21794]: runtime.GOARCH=arm
Apr 15 00:33:41 raspberrypi caddy[21794]: runtime.Compiler=gc
Apr 15 00:33:41 raspberrypi caddy[21794]: runtime.NumCPU=4
Apr 15 00:33:41 raspberrypi caddy[21794]: runtime.GOMAXPROCS=4
Apr 15 00:33:41 raspberrypi caddy[21794]: runtime.Version=go1.15.6
Apr 15 00:33:41 raspberrypi caddy[21794]: os.Getwd=/
Apr 15 00:33:41 raspberrypi caddy[21794]: LANG=en_US.UTF-8
Apr 15 00:33:41 raspberrypi caddy[21794]: LANGUAGE=en_US.UTF-8
Apr 15 00:33:41 raspberrypi caddy[21794]: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Apr 15 00:33:41 raspberrypi caddy[21794]: HOME=/var/lib/caddy
Apr 15 00:33:41 raspberrypi caddy[21794]: LOGNAME=caddy
Apr 15 00:33:41 raspberrypi caddy[21794]: USER=caddy
Apr 15 00:33:41 raspberrypi caddy[21794]: INVOCATION_ID=04a0baaac46747d68a724214ffbbdb37
Apr 15 00:33:41 raspberrypi caddy[21794]: JOURNAL_STREAM=8:995756
Apr 15 00:33:41 raspberrypi caddy[21794]: {"level":"info","ts":1618461221.374352,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Apr 15 00:33:41 raspberrypi caddy[21794]: {"level":"info","ts":1618461221.3797166,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
Apr 15 00:33:41 raspberrypi caddy[21794]: {"level":"info","ts":1618461221.38093,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x24c1310"}
Apr 15 00:33:41 raspberrypi caddy[21794]: {"level":"info","ts":1618461221.383118,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
Apr 15 00:33:41 raspberrypi caddy[21794]: {"level":"info","ts":1618461221.383187,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
Apr 15 00:33:41 raspberrypi caddy[21794]: {"level":"info","ts":1618461221.3832457,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv1"}
Apr 15 00:33:41 raspberrypi caddy[21794]: {"level":"warn","ts":1618461221.5110047,"logger":"pki.ca.local","msg":"installing root certificate (you might be prompted for password)","path":"storage:pki/authorities/local/root.crt"}
Apr 15 00:33:41 raspberrypi caddy[21794]: 2021/04/15 00:33:41 define JAVA_HOME environment variable to use the Java trust
Apr 15 00:33:41 raspberrypi caddy[21794]: 2021/04/15 00:33:41 Warning: "certutil" is not available, install "certutil" with "apt install libnss3-tools" or "yum install nss-tools" and try again
Apr 15 00:33:41 raspberrypi sudo[21803]: pam_unix(sudo:auth): conversation failed
Apr 15 00:33:41 raspberrypi sudo[21803]: pam_unix(sudo:auth): auth could not identify password for [caddy]
Apr 15 00:33:41 raspberrypi sudo[21803]:    caddy : user NOT in sudoers ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/tee /usr/local/share/ca-certificates/Caddy_Local_Authority_-_2021_ECC_Root_633403934265866780001270883444613788.crt
Apr 15 00:33:41 raspberrypi caddy[21794]: {"level":"error","ts":1618461221.5334172,"logger":"pki.ca.local","msg":"failed to install root certificate","error":"failed to execute sudo: exit status 1","certificate_file":"storage:pki/authorities/local/root.crt"}
Apr 15 00:33:41 raspberrypi caddy[21794]: run: loading initial config: loading new config: http app module: start: tcp: listening on :8096: listen tcp :8096: bind: address already in use
Apr 15 00:33:41 raspberrypi systemd[1]: caddy.service: Main process exited, code=exited, status=1/FAILURE
Apr 15 00:33:41 raspberrypi systemd[1]: caddy.service: Failed with result 'exit-code'.

I don’t know why this is failing. Thoughts?

It says it failed to install the root certificate… how do I fix that?

Are you sure it only has exactly what I wrote? This error says that Caddy is trying to listen on port :8096 which is not something I wrote.

My Caddyfile contains exactly what you wrote, and nothing more.
There is an 8096 on the reverse_proxy line.
Jellyfin services requests on port 8096.
This is a very simple system. It is an RPi 4 with the Pi desktop installed, Jellyfin, and Caddy. Nothing additional.
I have a domain name through No-IP. HTTP requests on that domain get mapped to my IP address. My router is set up for port forwarding and is working correctly. I hope this helps.
What is the correct way to stop and start Caddy? Should it be run in the background?

Thanks
J

You can run sudo systemctl restart caddy.

Are you sure you’re editing /etc/caddy/Caddyfile and not a Caddyfile in another location?

Thanks, yes, there is only one Caddyfile, located in /etc/caddy/.

Double-checked the Caddyfile. It is exactly what you wrote. Nothing else is in the file. Searched the entire disk, no other Caddyfile. The file is located in /etc/caddy.
No other files in the caddy directory.
Decided to shut down, power cycle and reboot.
Came up normally, Jellyfin still works, Caddy started, still won’t serve HTTPS requests. Below is the log file. I don’t understand why it is trying to reach out to 192.168.1.1:53 for all its certificate stuff? What should be done to fix this?
How can I tell if the proxy server is working?

-- Logs begin at Thu 2021-04-15 09:46:57 EDT, end at Thu 2021-04-15 09:53:33 EDT. --
Apr 15 09:47:02 raspberrypi systemd[1]: Started Caddy.
Apr 15 09:47:05 raspberrypi caddy[491]: caddy.HomeDir=/var/lib/caddy
Apr 15 09:47:05 raspberrypi caddy[491]: caddy.AppDataDir=/var/lib/caddy/.local/share/caddy
Apr 15 09:47:05 raspberrypi caddy[491]: caddy.AppConfigDir=/var/lib/caddy/.config/caddy
Apr 15 09:47:05 raspberrypi caddy[491]: caddy.ConfigAutosavePath=/var/lib/caddy/.config/caddy/autosave.json
Apr 15 09:47:05 raspberrypi caddy[491]: caddy.Version=v2.3.0
Apr 15 09:47:05 raspberrypi caddy[491]: runtime.GOOS=linux
Apr 15 09:47:05 raspberrypi caddy[491]: runtime.GOARCH=arm
Apr 15 09:47:05 raspberrypi caddy[491]: runtime.Compiler=gc
Apr 15 09:47:05 raspberrypi caddy[491]: runtime.NumCPU=4
Apr 15 09:47:05 raspberrypi caddy[491]: runtime.GOMAXPROCS=4
Apr 15 09:47:05 raspberrypi caddy[491]: runtime.Version=go1.15.6
Apr 15 09:47:05 raspberrypi caddy[491]: os.Getwd=/
Apr 15 09:47:05 raspberrypi caddy[491]: LANG=en_US.UTF-8
Apr 15 09:47:05 raspberrypi caddy[491]: LANGUAGE=en_US.UTF-8
Apr 15 09:47:05 raspberrypi caddy[491]: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Apr 15 09:47:05 raspberrypi caddy[491]: HOME=/var/lib/caddy
Apr 15 09:47:05 raspberrypi caddy[491]: LOGNAME=caddy
Apr 15 09:47:05 raspberrypi caddy[491]: USER=caddy
Apr 15 09:47:05 raspberrypi caddy[491]: INVOCATION_ID=21fa93928c4d40019783fecdb5ccde05
Apr 15 09:47:05 raspberrypi caddy[491]: JOURNAL_STREAM=8:16891
Apr 15 09:47:05 raspberrypi caddy[491]: {"level":"info","ts":1618494425.3276412,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Apr 15 09:47:05 raspberrypi caddy[491]: {"level":"info","ts":1618494425.3471045,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["127.0.0.1:2019","localhost:2019","[::1]:2019"]}
Apr 15 09:47:05 raspberrypi caddy[491]: {"level":"info","ts":1618494425.3482404,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x2477900"}
Apr 15 09:47:05 raspberrypi caddy[491]: {"level":"info","ts":1618494425.4469347,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
Apr 15 09:47:05 raspberrypi caddy[491]: {"level":"info","ts":1618494425.4470441,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
Apr 15 09:47:05 raspberrypi caddy[491]: {"level":"info","ts":1618494425.4596026,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["mediaserver.stufftoread.com"]}
Apr 15 09:47:05 raspberrypi caddy[491]: {"level":"info","ts":1618494425.5054038,"logger":"tls.obtain","msg":"acquiring lock","identifier":"mediaserver.stufftoread.com"}
Apr 15 09:47:05 raspberrypi caddy[491]: {"level":"info","ts":1618494425.5221243,"logger":"tls.obtain","msg":"lock acquired","identifier":"mediaserver.stufftoread.com"}
Apr 15 09:47:05 raspberrypi caddy[491]: {"level":"info","ts":1618494425.5433085,"msg":"autosaved config","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Apr 15 09:47:05 raspberrypi caddy[491]: {"level":"info","ts":1618494425.5433595,"msg":"serving initial configuration"}
Apr 15 09:47:05 raspberrypi caddy[491]: {"level":"info","ts":1618494425.5736086,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["mediaserver.stufftoread.com"]}
Apr 15 09:47:05 raspberrypi caddy[491]: {"level":"info","ts":1618494425.5740535,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["mediaserver.stufftoread.com"]}
Apr 15 09:47:05 raspberrypi caddy[491]: {"level":"info","ts":1618494425.6017158,"logger":"tls","msg":"cleaned up storage units"}
Apr 15 09:47:05 raspberrypi caddy[491]: {"level":"warn","ts":1618494425.6211991,"logger":"tls.issuance.acme.acme_client","msg":"HTTP request failed; retrying","url":"https://acme-v02.api.letsencrypt.org/directory","error":"performing request: Get \"https://acme-v02.api.letsencrypt.org/directory\": dial tcp: lookup acme-v02.api.letsencrypt.org on 192.168.1.1:53: dial udp 192.168.1.1:53: connect: network is unreachable"}
Apr 15 09:47:05 raspberrypi caddy[491]: {"level":"warn","ts":1618494425.8725414,"logger":"tls.issuance.acme.acme_client","msg":"HTTP request failed; retrying","url":"https://acme-v02.api.letsencrypt.org/directory","error":"performing request: Get \"https://acme-v02.api.letsencrypt.org/directory\": dial tcp: lookup acme-v02.api.letsencrypt.org on 192.168.1.1:53: dial udp 192.168.1.1:53: connect: network is unreachable"}
Apr 15 09:47:06 raspberrypi caddy[491]: {"level":"warn","ts":1618494426.123908,"logger":"tls.issuance.acme.acme_client","msg":"HTTP request failed; retrying","url":"https://acme-v02.api.letsencrypt.org/directory","error":"performing request: Get \"https://acme-v02.api.letsencrypt.org/directory\": dial tcp: lookup acme-v02.api.letsencrypt.org on 192.168.1.1:53: dial udp 192.168.1.1:53: connect: network is unreachable"}
Apr 15 09:47:06 raspberrypi caddy[491]: {"level":"info","ts":1618494426.1370502,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["mediaserver.stufftoread.com"]}
Apr 15 09:47:06 raspberrypi caddy[491]: {"level":"info","ts":1618494426.1371155,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["mediaserver.stufftoread.com"]}
Apr 15 09:47:06 raspberrypi caddy[491]: {"level":"warn","ts":1618494426.1383815,"logger":"tls.issuance.acme.acme_client","msg":"HTTP request failed; retrying","url":"https://acme.zerossl.com/v2/DV90","error":"performing request: Get \"https://acme.zerossl.com/v2/DV90\": dial tcp: lookup acme.zerossl.com on 192.168.1.1:53: dial udp 192.168.1.1:53: connect: network is unreachable"}
Apr 15 09:47:06 raspberrypi caddy[491]: {"level":"warn","ts":1618494426.3899674,"logger":"tls.issuance.acme.acme_client","msg":"HTTP request failed; retrying","url":"https://acme.zerossl.com/v2/DV90","error":"performing request: Get \"https://acme.zerossl.com/v2/DV90\": dial tcp: lookup acme.zerossl.com on 192.168.1.1:53: dial udp 192.168.1.1:53: connect: network is unreachable"}
Apr 15 09:47:06 raspberrypi caddy[491]: {"level":"warn","ts":1618494426.6509511,"logger":"tls.issuance.acme.acme_client","msg":"HTTP request failed; retrying","url":"https://acme.zerossl.com/v2/DV90","error":"performing request: Get \"https://acme.zerossl.com/v2/DV90\": dial tcp: lookup acme.zerossl.com on 192.168.1.1:53: dial udp 192.168.1.1:53: connect: network is unreachable"}
Apr 15 09:47:06 raspberrypi caddy[491]: {"level":"error","ts":1618494426.651096,"logger":"tls.obtain","msg":"will retry","error":"[mediaserver.stufftoread.com] Obtain: [mediaserver.stufftoread.com] creating new order: provisioning client: performing request: Get \"https://acme.zerossl.com/v2/DV90\": dial tcp: lookup acme.zerossl.com on 192.168.1.1:53: dial udp 192.168.1.1:53: connect: network is unreachable (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":1.128920258,"max_duration":2592000}
Apr 15 09:48:26 raspberrypi caddy[491]: {"level":"info","ts":1618494506.7235997,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"mediaserver.stufftoread.com","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
Apr 15 09:48:27 raspberrypi caddy[491]: {"level":"error","ts":1618494507.1314728,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"mediaserver.stufftoread.com","challenge_type":"tls-alpn-01","status_code":400,"problem_type":"urn:ietf:params:acme:error:connection","error":"Connection refused"}
Apr 15 09:48:27 raspberrypi caddy[491]: {"level":"error","ts":1618494507.1317766,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"mediaserver.stufftoread.com","error":"authorization failed: HTTP 400 urn:ietf:params:acme:error:connection - Connection refused","order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/19079405/32379919","attempt":1,"max_attempts":3}
Apr 15 09:48:28 raspberrypi caddy[491]: {"level":"info","ts":1618494508.3083897,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"mediaserver.stufftoread.com","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
Apr 15 09:48:29 raspberrypi caddy[491]: {"level":"error","ts":1618494509.432223,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"mediaserver.stufftoread.com","challenge_type":"http-01","status_code":400,"problem_type":"urn:ietf:params:acme:error:connection","error":"Fetching http://72.65.247.150:8096/.well-known/acme-challenge/oQtlryA7sbgg1eFGUgiC541UAps0eXgMArFAvSQqV3M: Invalid port in redirect target. Only ports 80 and 443 are supported, not 8096"}
Apr 15 09:48:29 raspberrypi caddy[491]: {"level":"error","ts":1618494509.4324563,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"mediaserver.stufftoread.com","error":"authorization failed: HTTP 400 urn:ietf:params:acme:error:connection - Fetching http://72.65.247.150:8096/.well-known/acme-challenge/oQtlryA7sbgg1eFGUgiC541UAps0eXgMArFAvSQqV3M: Invalid port in redirect target. Only ports 80 and 443 are supported, not 8096","order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/19079405/32379927","attempt":2,"max_attempts":3}
Apr 15 09:48:32 raspberrypi caddy[491]: {"level":"info","ts":1618494512.8036883,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"mediaserver.stufftoread.com","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
Apr 15 09:53:33 raspberrypi caddy[491]: {"level":"error","ts":1618494813.0099869,"logger":"tls.obtain","msg":"will retry","error":"[mediaserver.stufftoread.com] Obtain: [mediaserver.stufftoread.com] solving challenges: [mediaserver.stufftoread.com] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/Kmcn-EmizmI6IsyM5RC8Vw) (ca=https://acme.zerossl.com/v2/DV90)","attempt":2,"retrying_in":120,"elapsed":369.555172817,"max_duration":2592000}

It’s always DNS 🙂

The DNS server in your network is not reachable. Is the DNS server up? Is there a firewall?

Thanks
I don’t quite understand… My router’s base address is 192.168.1.1.
I go outside my LAN to the DNS… and I’m not sure where the global DNS is located. Would that be through my ISP? I think my router would get the address of the DNS to use from my ISP when the router boots?

Yeah, the 192.168.1.1 is your router’s address, and it will probably proxy DNS queries from inside your network to an external DNS server, but it isn’t responding to internal DNS queries. Can you run dig <your domain name of choice> @192.168.1.1?

By the way, I’ve just noticed the last line of your log showing you still have :8096, as Francis said. Do cat /etc/caddy/Caddyfile to ensure the content is as expected. Also run systemctl status caddy to double-check the unit file being used. Ensure the command it’s running is pointing at the right Caddyfile.

Thank you. ‘dig’ doesn’t appear to be a command that Raspbian understands. Here are the results of cat Caddyfile and systemctl status caddy…

pi@raspberrypi:/etc/caddy $ dig mediaserver.stufftoread.com @192.168.1.1
bash: dig: command not found
pi@raspberrypi:/etc/caddy $ cat Caddyfile
# The Caddyfile is an easy way to configure your Caddy web server.
mediaserver.stufftoread.com {
    encode gzip
    reverse_proxy 127.0.0.1:8096
}
# https://caddyserver.com/docs/caddyfile
pi@raspberrypi:/etc/caddy $ systemctl status caddy
● caddy.service - Caddy
   Loaded: loaded (/lib/systemd/system/caddy.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2021-04-15 09:47:02 EDT; 5h 39min ago
     Docs: https://caddyserver.com/docs/
 Main PID: 491 (caddy)
    Tasks: 10 (limit: 4915)
   CGroup: /system.slice/caddy.service
           └─491 /usr/bin/caddy run --environ --config /etc/caddy/Caddyfile

Apr 15 12:28:35 raspberrypi caddy[491]: {"level":"info","ts":1618504115.4679716,"logger":"tls.issuance.acme.acme
Apr 15 12:33:36 raspberrypi caddy[491]: {"level":"error","ts":1618504416.7072995,"logger":"tls.obtain","msg":"wi
Apr 15 13:33:37 raspberrypi caddy[491]: {"level":"info","ts":1618508017.8868158,"logger":"tls.issuance.acme.acme
Apr 15 13:33:38 raspberrypi caddy[491]: {"level":"error","ts":1618508018.427498,"logger":"tls.issuance.acme.acme
Apr 15 13:33:38 raspberrypi caddy[491]: {"level":"error","ts":1618508018.4276373,"logger":"tls.issuance.acme.acm
Apr 15 13:33:39 raspberrypi caddy[491]: {"level":"info","ts":1618508019.597166,"logger":"tls.issuance.acme.acme_
Apr 15 13:33:41 raspberrypi caddy[491]: {"level":"error","ts":1618508021.2797134,"logger":"tls.issuance.acme.acm
Apr 15 13:33:41 raspberrypi caddy[491]: {"level":"error","ts":1618508021.2823677,"logger":"tls.issuance.acme.acm
Apr 15 13:33:42 raspberrypi caddy[491]: {"level":"info","ts":1618508022.9082837,"logger":"tls.issuance.acme.acme
Apr 15 13:38:44 raspberrypi caddy[491]: {"level":"error","ts":1618508324.8574185,"logger":"tls.obtain","msg":"wi

Just installed dig… here are the results.

pi@raspberrypi:/etc/caddy $ dig mediaserver.stufftoread.com @192.168.1.1

; <<>> DiG 9.11.5-P4-5.1+deb10u3-Raspbian <<>> mediaserver.stufftoread.com @192.168.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58393
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;mediaserver.stufftoread.com.	IN	A

;; ANSWER SECTION:
mediaserver.stufftoread.com. 60	IN	A	34.199.8.144

;; Query time: 118 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Thu Apr 15 15:33:15 EDT 2021
;; MSG SIZE  rcvd: 72
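The journal output above carries three separate failure modes that are easy to lump together as "HTTPS doesn't work". The first error is Caddy's own DNS lookup of the CA (acme.zerossl.com) failing because its resolver at 192.168.1.1:53 was unreachable. The tls-alpn-01 failure is the CA's TCP connection to port 443 of the site being refused. The http-01 failure is the CA's request to port 80 being answered with a redirect to port 8096, which validators refuse to follow (only 80 and 443 are allowed). The host in that rejected redirect, 72.65.247.150, also differs from the 34.199.8.144 that the router's resolver returned above, which is worth checking on its own. The script below is an added example for triaging these lines; it is not code from the thread or from Caddy. It parses journalctl-style lines (the sample is constructed from the entries posted, including one truncated line as systemctl status prints them), classifies each error entry, and reports resolver addresses and rejected redirect targets next to whatever your own dig returned. The function names and category labels are this example's own.

```python
"""Added example: triage ACME failures in Caddy's JSON logs.

Not code from the thread or from Caddy. Reads journalctl-style lines, classifies
each error entry, and compares the host in a CA-rejected redirect target with the
address your own resolver returned for the site name.
"""
import json
import re
from collections import Counter

# Constructed sample, modelled on the "journalctl -u caddy" lines in the thread.
# The last line is deliberately cut short, as systemctl status truncates output.
SAMPLE_LOG = r'''
Apr 15 09:47:06 raspberrypi caddy[491]: {"level":"error","ts":1618494426.651096,"logger":"tls.obtain","msg":"will retry","error":"[mediaserver.stufftoread.com] Obtain: [mediaserver.stufftoread.com] creating new order: provisioning client: performing request: Get \"https://acme.zerossl.com/v2/DV90\": dial tcp: lookup acme.zerossl.com on 192.168.1.1:53: dial udp 192.168.1.1:53: connect: network is unreachable (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":1.128920258,"max_duration":2592000}
Apr 15 09:48:26 raspberrypi caddy[491]: {"level":"info","ts":1618494506.7235997,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"mediaserver.stufftoread.com","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
Apr 15 09:48:27 raspberrypi caddy[491]: {"level":"error","ts":1618494507.1314728,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"mediaserver.stufftoread.com","challenge_type":"tls-alpn-01","status_code":400,"problem_type":"urn:ietf:params:acme:error:connection","error":"Connection refused"}
Apr 15 09:48:29 raspberrypi caddy[491]: {"level":"error","ts":1618494509.432223,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"mediaserver.stufftoread.com","challenge_type":"http-01","status_code":400,"problem_type":"urn:ietf:params:acme:error:connection","error":"Fetching http://72.65.247.150:8096/.well-known/acme-challenge/oQtlryA7sbgg1eFGUgiC541UAps0eXgMArFAvSQqV3M: Invalid port in redirect target. Only ports 80 and 443 are supported, not 8096"}
Apr 15 09:53:33 raspberrypi caddy[491]: {"level":"error","ts":1618494813.0099869,"logger":"tls.obtain","msg":"will retry","error":"[mediaserver.stufftoread.com] Obtain: [mediaserver.stufftoread.com] solving challenges: [mediaserver.stufftoread.com] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/Kmcn-EmizmI6IsyM5RC8Vw) (ca=https://acme.zerossl.com/v2/DV90)","attempt":2,"retrying_in":120,"elapsed":369.555172817,"max_duration":2592000}
Apr 15 13:38:44 raspberrypi caddy[491]: {"level":"error","ts":1618508324.8574185,"logger":"tls.obtain","msg":"wi
'''

# "lookup <name> on <resolver>:<port>" as Go's net package phrases a failed lookup.
RESOLVER_RE = re.compile(r"lookup \S+ on (\d[\d.]*:\d+)")
# Host and port of the redirect target the CA refused to follow.
FETCH_RE = re.compile(r"Fetching https?://([^/:\s]+):(\d+)/")


def parse_caddy_log(lines):
    """Return the JSON object from each line; skip lines with none or with cut-off JSON."""
    entries = []
    for line in lines:
        start = line.find("{")
        if start < 0:
            continue
        try:
            entries.append(json.loads(line[start:]))
        except json.JSONDecodeError:
            continue  # truncated by the pager or by systemctl status
    return entries


def classify(entry):
    """Map one log entry to a failure category (labels are this example's own)."""
    err = entry.get("error", "")
    ctype = entry.get("challenge_type")
    if RESOLVER_RE.search(err):
        return "dns_lookup_failed"      # Caddy could not use its own resolver
    if ctype == "tls-alpn-01" and "Connection refused" in err:
        return "tlsalpn01_refused"      # CA's connection to port 443 refused
    if ctype == "http-01" and "Invalid port in redirect target" in err:
        return "http01_bad_redirect"    # port 80 redirected the CA off 80/443
    if "authorization took too long" in err:
        return "authorization_timeout"
    return "other"


def triage(lines, dns_answer=None):
    """Count error categories and collect the hosts worth checking by hand.

    dns_answer is the A record your own resolver returned (e.g. from dig); any
    rejected redirect host that differs from it is listed separately.
    """
    counts = Counter()
    resolvers, redirect_targets = [], []
    for entry in parse_caddy_log(lines):
        if entry.get("level") != "error":
            continue
        cat = classify(entry)
        counts[cat] += 1
        err = entry.get("error", "")
        if cat == "dns_lookup_failed":
            resolver = RESOLVER_RE.search(err).group(1)
            if resolver not in resolvers:
                resolvers.append(resolver)
        elif cat == "http01_bad_redirect":
            m = FETCH_RE.search(err)
            if m:
                target = (m.group(1), int(m.group(2)))
                if target not in redirect_targets:
                    redirect_targets.append(target)
    mismatched = [h for h, _ in redirect_targets if dns_answer and h != dns_answer]
    return {
        "counts": counts,
        "resolvers": resolvers,
        "redirect_targets": redirect_targets,
        "redirect_hosts_not_in_dns": mismatched,
    }


if __name__ == "__main__":
    # 34.199.8.144 is the answer dig got from 192.168.1.1 in the thread.
    report = triage(SAMPLE_LOG.splitlines(), dns_answer="34.199.8.144")
    for cat, n in report["counts"].items():
        print(f"{n:3d}  {cat}")
    print("resolvers that failed:", report["resolvers"])
    print("rejected redirect targets:", report["redirect_targets"])
    print("redirect hosts differing from DNS answer:", report["redirect_hosts_not_in_dns"])
```

To use it on a live box, pipe the journal in: journalctl -u caddy --no-pager | python3 triage.py with the sample swapped for sys.stdin. Each category points at a different thing to check: dns_lookup_failed at the Pi's resolver configuration, tlsalpn01_refused at the port 443 forward to Caddy, and http01_bad_redirect at whatever is answering port 80 on the public address instead of Caddy.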