Caddy in Docker is no longer serving valid cert

Landro · February 28, 2023, 2:45pm

1. The problem I’m having:

I have a pi running a docker compose containers for caddy and vaultwarden that is publicly accessible. This has been up and running for months but the certificate seems to have failed updating.

2. Error messages and/or full log output:

Here is the error output from from curl- vL https://localhost:

3. Caddy version: v2.6.4

4. How I installed and ran Caddy:

I installed Caddy and Vaultwarden images into docker compose containers. I run the containers by running docker compose start or docker compose up.

a. System environment:

Running this in docker compose containers on a raspberry pi version 11 (bullseye).

b. Command:

Any caddy commands I run are through the docker container

c. Service/unit/compose file:

version: '3'

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    environment:
      WEBSOCKET_ENABLED: "true"  # Enable WebSocket notifications.
    volumes:
      - ./vw-data:/data

  caddy:
    image: caddy:2
    container_name: caddy
    restart: always
    ports:
      - 80:80  # Needed for the ACME HTTP-01 challenge.
      - 443:443
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - ./caddy-config:/config
      - ./caddy-data:/data
    environment:
      DOMAIN: "https://bitnite.net"  # Your domain.
      EMAIL: "<email>"               # The email address to use for ACME registration.
      LOG_FILE: "/data/access.log"

d. My complete Caddy config:

{$DOMAIN}:443 {
  log {
    level INFO
    output file {$LOG_FILE} {
      roll_size 10MB
      roll_keep 10
    }
  }

  # Use the ACME HTTP-01 challenge to get a cert for the configured domain.
  tls {$EMAIL}

  # This setting may have compatibility issues with some browsers
  # (e.g., attachment downloading on Firefox). Try disabling this
  # if you encounter issues.
  encode gzip

  # Notifications redirected to the WebSocket server
  reverse_proxy /notifications/hub vaultwarden:3012

  # Proxy everything else to Rocket
  reverse_proxy vaultwarden:80 {
       # Send the true remote IP to Rocket, so that vaultwarden can put this in the
       # log, so that fail2ban can ban the correct IP.
       header_up X-Real-IP {remote_host}
  }
}

Thanks for any help.

francislavoie · March 1, 2023, 6:02pm

But what’s in Caddy’s logs?

Landro · March 1, 2023, 7:51pm

This is from running docker logs caddy -f. However, when I make requests to localhost I do not see new logs.

{"level":"info","ts":1677699932.5530038,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"warn","ts":1677699932.562992,"msg":"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
{"level":"info","ts":1677699932.5836236,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//[::1]:2019","//127.0.0.1:2019","//localhost:2019"]}
{"level":"info","ts":1677699932.585166,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x40004622a0"}
{"level":"info","ts":1677699932.5861247,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1677699932.5864007,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1677699932.597896,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"info","ts":1677699932.598581,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1677699932.599832,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"info","ts":1677699932.601036,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Receive-Buffer-Size for details."}
{"level":"info","ts":1677699932.6018562,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"info","ts":1677699932.602421,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["bitnite.net"]}
{"level":"info","ts":1677699932.6202774,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1677699932.8517199,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1677699932.8518615,"msg":"serving initial configuration"}

francislavoie · March 1, 2023, 9:07pm

I can’t ready your server on port 80 or 443.

$ curl -v http://bitnite.net
*   Trying 68.33.24.8:80...
* TCP_NODELAY set
^C

$ curl -v https://bitnite.net
*   Trying 68.33.24.8:443...
* TCP_NODELAY set
^C

Make sure your networking is configured to allow traffic on those ports.

You won’t be able to connect using localhost if you configured Caddy to serve a particular domain. The site address controls which domain Caddy manages a certificate for. It won’t have a certificate for localhost.

Landro · March 1, 2023, 9:52pm

sorry everyone it was my public IP that changed. Thanks for all the help

system · March 31, 2023, 9:52pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.