Caddy on FreeBSD behind OPNsense

1. The problem I’m having:

I installed Caddy on FreeBSD behind OPNsense and I get the error: secure connection failed.

I installed the same configuration on another site with Caddy on Debian instead of FreeBSD without problem, same rules: port forward 80 and 443.
I started another web server on port 80, forwarded to this IP address, and I can reach the server from outside.

I'm missing something, but what?

2. Error messages and/or full log output:

{"level":"error","ts":1728030275.7452548,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"toto.pequod.sokil.fr","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:connection - 89.219.181.98: Fetching http://toto.pequod.sokil.fr/.well-known/acme-challenge/fKLS-zkEi6tdDN1I63p0Xy8e6RSsOtIjaq_rE-H9iVo: Timeout during connect (likely firewall problem)"}
{"level":"error","ts":1728030275.7454224,"logger":"tls.obtain","msg":"will retry","error":"[toto.pequod.sokil.fr] Obtain: [toto.pequod.sokil.fr] solving challenge: toto.pequod.sokil.fr: [toto.pequod.sokil.fr] authorization failed: HTTP 400 urn:ietf:params:acme:error:connection - 89.219.181.98: Fetching http://toto.pequod.sokil.fr/.well-known/acme-challenge/fKLS-zkEi6tdDN1I63p0Xy8e6RSsOtIjaq_rE-H9iVo: Timeout during connect (likely firewall problem) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":5,"retrying_in":600,"elapsed":725.25959746,"max_duration":2592000}

3. Caddy version:

Caddy 2.8.4_3

4. How I installed and ran Caddy:

NA

a. System environment:

FreeBSD 14.1-RELEASE
OPNsense 24.7.5_3-amd64
Everything on Proxmox 8.2.5

Here is what Let’s Debug yields https://letsdebug.net/toto.pequod.sokil.fr/2244076
“Timeout during connect (likely firewall problem)”

I’m not able to connect to this either.

Make sure ports 80 and 443 are correctly forwarded to your server’s IP, in your router/firewall. I don’t know FreeBSD, but make sure it doesn’t have some software firewall blocking those ports.

If this is a home server, make sure your ISP isn't blocking the use of ports 80 and 443; some ISPs don't allow use of those ports.


I installed Caddy on Debian and it's the same.
I set up a small web server on port 80 on the edge router and it's OK.

I will connect Caddy directly behind the edge router. If it works, it's a misconfiguration of OPNsense.

FreeBSD doesn't have any firewall activated on a default installation.

The only thing different from Linux is that Caddy needs some special configuration to use port 80/443 when not run as root.

They're explained in the rc.d file of Caddy that comes with the port.

Check what Caddy is bound to on FreeBSD with sockstat -l | grep -i caddy.


sockstat -l | grep -i caddy
www caddy 880 6 stream /var/run/caddy/caddy.sock
www caddy 880 8 tcp46 *:443 :
www caddy 880 9 udp46 *:443 :
www caddy 880 10 tcp46 *:80 :

I also connected Caddy and my test web server just behind the edge router, forwarded the port, and it's the same.

I migrated to the Caddy plugin directly on OPNsense and it's no better. I will try to post on their forum.

Thanks for your help, I appreciate it.
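As an added example (not part of this thread), a small Python helper that reads the Caddy tls.obtain log line and the sockstat -l output quoted above and tells a host that is not listening apart from a host the CA cannot reach through the port forward or firewall. The sample log and sockstat text are constructed to match the thread, and the challenge token is a placeholder.

```python
import json
import re

# Constructed samples shaped like the Caddy JSON log and sockstat output above.
SAMPLE_LOG = [
    '{"level":"error","logger":"tls.obtain","msg":"could not get certificate from '
    'issuer","identifier":"toto.pequod.sokil.fr","error":"HTTP 400 '
    'urn:ietf:params:acme:error:connection - 89.219.181.98: Fetching '
    'http://toto.pequod.sokil.fr/.well-known/acme-challenge/TOKEN: Timeout during '
    'connect (likely firewall problem)"}',
]
SAMPLE_SOCKSTAT = """\
www caddy 880 6 stream /var/run/caddy/caddy.sock
www caddy 880 8 tcp46 *:443 :
www caddy 880 9 udp46 *:443 :
www caddy 880 10 tcp46 *:80 :
"""

ACME_ERR = re.compile(r"urn:ietf:params:acme:error:(\w+)")
FETCH_URL = re.compile(r"Fetching (https?://\S+?):\s")

def parse_acme_error(line):
    """Identifier, ACME error type and challenge URL from one tls.obtain line, else None."""
    rec = json.loads(line)
    m = ACME_ERR.search(rec.get("error", ""))
    if not m:
        return None
    url = FETCH_URL.search(rec["error"])
    return {"identifier": rec.get("identifier"), "error_type": m.group(1),
            "challenge_url": url.group(1) if url else None}

def listening_ports(sockstat_text, command="caddy"):
    """TCP ports `command` has bound, read from `sockstat -l` output."""
    ports = set()
    for row in sockstat_text.splitlines():
        f = row.split()
        if len(f) >= 6 and f[1] == command and f[4].startswith("tcp"):
            ports.add(int(f[5].rsplit(":", 1)[1]))
    return ports

def diagnose(log_lines, sockstat_text):
    """Tell 'Caddy is not listening' apart from 'the CA cannot reach the host'."""
    errs = [e for e in map(parse_acme_error, log_lines) if e]
    if not errs:
        return "no-acme-error"
    if any(e["error_type"] == "connection" for e in errs):
        # HTTP-01 is fetched over port 80; when that port is bound locally the
        # block sits upstream (port forward, firewall in front, or ISP).
        return "upstream-blocked" if 80 in listening_ports(sockstat_text) else "host-not-listening"
    return "other-acme-error"
```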
