Caddy on AWS EC2 Ubuntu with Cloudflare Origin Server cert not working

1. Output of caddy version:

v2.6.2

2. How I run Caddy:

systemctl start caddy

a. System environment:

Ubuntu 22 on AWS EC2

b. Command:

systemctl start caddy

c. Service/unit/compose file:

Where do I find this? Can someone let me know the command or file location for it so I can update it here? Thanks.

UPDATE: This is what I obtained by running the cat /lib/systemd/system/caddy.service command.

# caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

Is the above file correct?

d. My complete Caddy config:

{
	admin off
	log {
		output file /var/log/caddy/server-caddy.log
	}
}

:80, :443 {
	reverse_proxy localhost:4000
}

64.187.131.95.nip.io {
	reverse_proxy localhost:4000
	log {
		output file /var/log/caddy/server-elastic-ip-caddy.log
	}
}

api.staging.yogajoint.com {
	tls /etc/caddy/yj-cloudflare-origin-server.pem /etc/caddy/yj-cloudflare-origin-server.key {
		client_auth {
			mode require_and_verify
			trusted_ca_cert_file /etc/caddy/yj-cloudflare-origin-pull-ca.pem
		}
	}
	reverse_proxy localhost:4000
	log {
		output file /var/log/caddy/server-domain-caddy.log
	}
}

3. The problem I’m having:

When I try to access the domain it shows me
“NET::ERR_CERT_AUTHORITY_INVALID” when the Cloudflare Proxy is disabled
AND
“ERR_SSL_VERSION_OR_CIPHER_MISMATCH” when the Cloudflare Proxy is enabled

4. Error messages and/or full log output:

Nov 01 14:16:31 ip-172-31-246-63 systemd[1]: Starting Caddy...
Nov 01 14:16:31 ip-172-31-246-63 caddy[74367]: caddy.HomeDir=/var/lib/caddy
Nov 01 14:16:31 ip-172-31-246-63 caddy[74367]: caddy.AppDataDir=/var/lib/caddy/.local/share/caddy
Nov 01 14:16:31 ip-172-31-246-63 caddy[74367]: caddy.AppConfigDir=/var/lib/caddy/.config/caddy
Nov 01 14:16:31 ip-172-31-246-63 caddy[74367]: caddy.ConfigAutosavePath=/var/lib/caddy/.config/caddy/autosave.json
Nov 01 14:16:31 ip-172-31-246-63 caddy[74367]: caddy.Version=v2.6.2 h1:wKoFIxpmOJLGl3QXoo6PNbYvGW4xLEgo32GPBEjWL8o=
Nov 01 14:16:31 ip-172-31-246-63 caddy[74367]: runtime.GOOS=linux
Nov 01 14:16:31 ip-172-31-246-63 caddy[74367]: runtime.GOARCH=amd64
Nov 01 14:16:31 ip-172-31-246-63 caddy[74367]: runtime.Compiler=gc
Nov 01 14:16:31 ip-172-31-246-63 caddy[74367]: runtime.NumCPU=2
Nov 01 14:16:31 ip-172-31-246-63 caddy[74367]: runtime.GOMAXPROCS=2
Nov 01 14:16:31 ip-172-31-246-63 caddy[74367]: runtime.Version=go1.19.2
Nov 01 14:16:31 ip-172-31-246-63 caddy[74367]: os.Getwd=/
Nov 01 14:16:31 ip-172-31-246-63 caddy[74367]: LANG=C.UTF-8
Nov 01 14:16:31 ip-172-31-246-63 caddy[74367]: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
Nov 01 14:16:31 ip-172-31-246-63 caddy[74367]: NOTIFY_SOCKET=/run/systemd/notify
Nov 01 14:16:31 ip-172-31-246-63 caddy[74367]: HOME=/var/lib/caddy
Nov 01 14:16:31 ip-172-31-246-63 caddy[74367]: LOGNAME=caddy
Nov 01 14:16:31 ip-172-31-246-63 caddy[74367]: USER=caddy
Nov 01 14:16:31 ip-172-31-246-63 caddy[74367]: INVOCATION_ID=cd2b1855faed4c07ba3dba41c753fcbc
Nov 01 14:16:31 ip-172-31-246-63 caddy[74367]: JOURNAL_STREAM=8:522291
Nov 01 14:16:31 ip-172-31-246-63 caddy[74367]: SYSTEMD_EXEC_PID=74367
Nov 01 14:16:31 ip-172-31-246-63 caddy[74367]: {"level":"info","ts":1667312191.7269092,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Nov 01 14:16:31 ip-172-31-246-63 caddy[74367]: {"level":"info","ts":1667312191.729195,"msg":"redirected default logger","from":"stderr","to":"/var/log/caddy/server-caddy.log"}
Nov 01 14:16:31 ip-172-31-246-63 caddy[74367]: 2022-11-01 14:16:31.729368573 +0000 UTC m=+0.019281844 write error: chown /var/log/caddy/server-caddy.log: operation not permitted
Nov 01 14:16:31 ip-172-31-246-63 caddy[74367]: {"level":"info","ts":1667312191.7323716,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details."}
Nov 01 14:16:31 ip-172-31-246-63 systemd[1]: Started Caddy.

5. What I already tried:

Tried and checked everything everyone is suggesting on the other forums, but nothing so far.
Also tried “Authenticated Origin Pulls” for Cloudflare.

6. Links to relevant resources:

Guide I followed: How to use Caddy with Cloudflare's SSL settings
Guide followed for “Authenticated Origin Pulls”: Caddy and Cloudflare setup with TLS Authenticated Pulls

UPDATE: I moved the certs to /etc/ssl/certs/ and the key to /etc/ssl/private/, which fixed this :laughing:
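The post above ends with the certificate and key moving to a different directory making the error go away, which points at the files themselves (readability by the caddy user, mode, cert/key pairing, whether the client_auth CA is really a CA) rather than at the Caddyfile. The script below is an added pre-flight check for the three files named in a tls { client_auth { trusted_ca_cert_file ... } } block; it is not from the original post or from the Caddy project. It assumes openssl is on PATH and that stat is GNU or BSD. The make_demo_pki helper builds a constructed self-signed CA and leaf pair as a stand-in for the Cloudflare Origin CA and Origin Pull CA so the checks can be exercised offline; the paths in the usage comment are hypothetical.

```shell
# caddy-tls-preflight.sh: sanity-check the files named in a Caddyfile
#   tls <cert> <key> { client_auth { trusted_ca_cert_file <ca> } }
# block before (re)starting Caddy. Added example; assumes openssl on PATH.
# Run it as the service user so readability is tested with caddy's own
# privileges, e.g. (hypothetical paths):
#   sudo -u caddy sh caddy-tls-preflight.sh /etc/caddy/origin.pem /etc/caddy/origin.key /etc/caddy/origin-pull-ca.pem

# check_tls_files CERT KEY CA -> returns 0 if every check passes, 1 otherwise
# (the reason is printed on stderr).
check_tls_files() {
    cert=$1 key=$2 ca=$3 missing=0
    for f in "$cert" "$key" "$ca"; do
        if [ ! -r "$f" ]; then
            echo "FAIL: $f is not readable by user $(id -un)" >&2
            missing=1
        fi
    done
    [ "$missing" -eq 0 ] || return 1

    # Both files must parse as PEM before anything is compared.
    openssl x509 -in "$cert" -noout 2>/dev/null \
        || { echo "FAIL: $cert is not a PEM X.509 certificate" >&2; return 1; }
    openssl pkey -in "$key" -noout 2>/dev/null \
        || { echo "FAIL: $key is not a PEM private key" >&2; return 1; }

    # The public key inside the certificate must equal the one derived from the
    # private key, otherwise the pair cannot be loaded.
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $cert and $key do not belong together" >&2
        return 1
    fi

    # A private key readable by group or world is a finding on its own.
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    case "$mode" in
        *00) ;;
        *) echo "FAIL: $key has mode $mode; expected 600 (or 400)" >&2; return 1 ;;
    esac

    # trusted_ca_cert_file must be a CA certificate (basicConstraints CA:TRUE),
    # or require_and_verify will never accept a client certificate.
    if ! openssl x509 -in "$ca" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo "FAIL: $ca is not a CA certificate (no basicConstraints CA:TRUE)" >&2
        return 1
    fi

    echo "OK: $(openssl x509 -in "$cert" -noout -subject -enddate 2>/dev/null | tr '\n' ' ')"
    return 0
}

# make_demo_pki -> prints a temp dir holding a constructed CA and leaf pair.
# Stand-in for the Cloudflare Origin CA / Origin Pull CA so the checks can be
# exercised offline; nothing here is a real Cloudflare certificate.
make_demo_pki() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Origin Pull CA" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=api.staging.example" \
        -keyout "$dir/origin.key" -out "$dir/origin.csr" 2>/dev/null
    printf 'subjectAltName=DNS:api.staging.example\n' > "$dir/leaf.ext"
    openssl x509 -req -in "$dir/origin.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/leaf.ext" -out "$dir/origin.pem" 2>/dev/null
    chmod 600 "$dir/ca.key" "$dir/origin.key"
    echo "$dir"
}

# Command-line use: three arguments, exit status is the check result.
if [ $# -eq 3 ]; then
    check_tls_files "$1" "$2" "$3"
fi
```

Running it with sudo -u caddy matters: the same files can be readable by root and unreadable by the service user, and the systemd unit above runs Caddy as User=caddy with ProtectSystem=full, so a check performed as root proves nothing about what Caddy sees.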
