1. The problem I’m having:
Set up Caddy as a reverse proxy for Seafile and other apps. Caddy is returning a 502 error code.
curl -v http://docs.eaglewings.com
* Trying 2607:7700:0:c:0:1:17e3:ad83:80...
* Connected to docs.eaglewings.com (2607:7700:0:c:0:1:17e3:ad83) port 80 (#0)
> GET / HTTP/1.1
> Host: docs.eaglewings.com
> User-Agent: curl/7.81.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://docs.eaglewings.com/
< Server: Caddy
< Date: Mon, 18 Sep 2023 21:18:40 GMT
< Content-Length: 0
<
* Closing connection 0
curl -v https://docs.eaglewings.com
* Trying 2607:7700:0:c:0:1:17e3:ad83:443...
* Connected to docs.eaglewings.com (2607:7700:0:c:0:1:17e3:ad83) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=docs.eaglewings.com
* start date: Sep 18 00:38:46 2023 GMT
* expire date: Dec 17 00:38:45 2023 GMT
* subjectAltName: host "docs.eaglewings.com" matched cert's "docs.eaglewings.com"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x5562971fce90)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/2
> Host: docs.eaglewings.com
> user-agent: curl/7.81.0
> accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 502
< alt-svc: h3=":443"; ma=2592000
< server: Caddy
< content-length: 0
< date: Mon, 18 Sep 2023 21:20:25 GMT
<
* Connection #0 to host docs.eaglewings.com left intact
2. Error messages and/or full log output:
docker-caddy-1 | {"level":"debug","ts":1695071829.7238595,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"63.143.42.253","remote_port":"55558","server_name":"admin.eaglewings.com","remote":"63.143.42.253:55558","identifier":"admin.eaglewings.com","cipher_suites":[4866,4867,4865,49199,49195,49200,49196,158,49191,103,49192,107,163,159,52393,52392,52394,49327,49325,49315,49311,49245,49249,49239,49235,162,49326,49324,49314,49310,49244,49248,49238,49234,49188,106,49187,64,49162,49172,57,56,49161,49171,51,50,157,49313,49309,49233,156,49312,49308,49232,61,60,53,47,255],"cert_cache_fill":0.0001,"load_or_obtain_if_necessary":true,"on_demand":false}
docker-caddy-1 | {"level":"debug","ts":1695071829.7240493,"logger":"http.stdlib","msg":"http: TLS handshake error from 63.143.42.253:55558: no certificate available for 'admin.eaglewings.com'"}
docker-caddy-1 | {"level":"debug","ts":1695071906.8561368,"logger":"events","msg":"event","name":"tls_get_certificate","id":"8b5dc8f0-d505-42e1-a03b-14b6c2f76fc9","origin":"tls","data":{"client_hello":{"CipherSuites":[49195,49199,49196,49200,52393,52392,49161,49171,49162,49172,156,157,47,53,49170,10,4865,4866,4867],"ServerName":"","SupportedCurves":[29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[2052,1027,2055,2053,2054,1025,1281,1537,1283,1539,513,515],"SupportedProtos":null,"SupportedVersions":[772,771],"Conn":{}}}}
docker-caddy-1 | {"level":"debug","ts":1695071906.85632,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"172.20.0.2"}
docker-caddy-1 | {"level":"debug","ts":1695071906.8563483,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"51.15.54.119","remote_port":"20004","server_name":"","remote":"51.15.54.119:20004","identifier":"172.20.0.2","cipher_suites":[49195,49199,49196,49200,52393,52392,49161,49171,49162,49172,156,157,47,53,49170,10,4865,4866,4867],"cert_cache_fill":0.0001,"load_or_obtain_if_necessary":true,"on_demand":false}
docker-caddy-1 | {"level":"debug","ts":1695071906.8565276,"logger":"http.stdlib","msg":"http: TLS handshake error from 51.15.54.119:20004: no certificate available for '172.20.0.2'"}
docker-caddy-1 | {"level":"debug","ts":1695071952.3503578,"logger":"events","msg":"event","name":"tls_get_certificate","id":"09ea23bf-b001-41b2-892b-1b659eeb72d1","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"ServerName":"eaglewings.com","SupportedCurves":[29,23,30,25,24,256,257,258,259,260],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,769,770,1026,1282,1538],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"Conn":{}}}}
docker-caddy-1 | {"level":"debug","ts":1695071952.350632,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"eaglewings.com"}
docker-caddy-1 | {"level":"debug","ts":1695071952.350642,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.com"}
docker-caddy-1 | {"level":"debug","ts":1695071952.350647,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*"}
docker-caddy-1 | {"level":"debug","ts":1695071952.3506615,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"172.58.151.12","remote_port":"55335","server_name":"eaglewings.com","remote":"172.58.151.12:55335","identifier":"eaglewings.com","cipher_suites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"cert_cache_fill":0.0001,"load_or_obtain_if_necessary":true,"on_demand":false}
docker-caddy-1 | {"level":"debug","ts":1695071952.35086,"logger":"http.stdlib","msg":"http: TLS handshake error from 172.58.151.12:55335: no certificate available for 'eaglewings.com'"}
docker-caddy-1 | {"level":"debug","ts":1695072025.3019593,"logger":"events","msg":"event","name":"tls_get_certificate","id":"b7952193-d1b6-4119-a899-f1ca2a4a50a2","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"ServerName":"docs.eaglewings.com","SupportedCurves":[29,23,30,25,24,256,257,258,259,260],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,769,770,1026,1282,1538],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"Conn":{}}}}
docker-caddy-1 | {"level":"debug","ts":1695072025.302135,"logger":"tls.handshake","msg":"choosing certificate","identifier":"docs.eaglewings.com","num_choices":1}
docker-caddy-1 | {"level":"debug","ts":1695072025.3022072,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"docs.eaglewings.com","subjects":["docs.eaglewings.com"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"29b22656065e4a1d78a812644fd9e399246da8e305e32d5f2fac2906a30c6601"}
docker-caddy-1 | {"level":"debug","ts":1695072025.3022256,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"172.58.151.12","remote_port":"14874","subjects":["docs.eaglewings.com"],"managed":true,"expiration":1702773526,"hash":"29b22656065e4a1d78a812644fd9e399246da8e305e32d5f2fac2906a30c6601"}
docker-caddy-1 | {"level":"debug","ts":1695072025.4434516,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"seafile:8080","total_upstreams":1}
docker-caddy-1 | {"level":"debug","ts":1695072025.4497743,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"seafile:8080","duration":0.00614827,"request":{"remote_ip":"172.58.151.12","remote_port":"14874","client_ip":"172.58.151.12","proto":"HTTP/2.0","method":"GET","host":"docs.eaglewings.com","uri":"/","headers":{"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["docs.eaglewings.com"],"User-Agent":["curl/7.81.0"],"Accept":["*/*"],"X-Forwarded-For":["172.58.151.12"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"docs.eaglewings.com"}},"error":"dial tcp: lookup seafile on 127.0.0.11:53: server misbehaving"}
docker-caddy-1 | {"level":"error","ts":1695072025.4499848,"logger":"http.log.error","msg":"dial tcp: lookup seafile on 127.0.0.11:53: server misbehaving","request":{"remote_ip":"172.58.151.12","remote_port":"14874","client_ip":"172.58.151.12","proto":"HTTP/2.0","method":"GET","host":"docs.eaglewings.com","uri":"/","headers":{"User-Agent":["curl/7.81.0"],"Accept":["*/*"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"docs.eaglewings.com"}},"duration":0.006768806,"status":502,"err_id":"4xz6ygmqw","err_trace":"reverseproxy.statusError (reverseproxy.go:1248)"}
docker-caddy-1 | {"level":"debug","ts":1695072046.0699177,"logger":"events","msg":"event","name":"tls_get_certificate","id":"1110b5fb-a59e-49f5-bcc6-14503d05cd0f","origin":"tls","data":{"client_hello":{"CipherSuites":[4865,4866,4867],"ServerName":"docs.eaglewings.com","SupportedCurves":[29,23,24],"SupportedPoints":null,"SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537,513],"SupportedProtos":["h3"],"SupportedVersions":[772],"Conn":{}}}}
docker-caddy-1 | {"level":"debug","ts":1695072046.0701268,"logger":"tls.handshake","msg":"choosing certificate","identifier":"docs.eaglewings.com","num_choices":1}
docker-caddy-1 | {"level":"debug","ts":1695072046.0701487,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"docs.eaglewings.com","subjects":["docs.eaglewings.com"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"29b22656065e4a1d78a812644fd9e399246da8e305e32d5f2fac2906a30c6601"}
docker-caddy-1 | {"level":"debug","ts":1695072046.0701592,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"172.58.146.98","remote_port":"51986","subjects":["docs.eaglewings.com"],"managed":true,"expiration":1702773526,"hash":"29b22656065e4a1d78a812644fd9e399246da8e305e32d5f2fac2906a30c6601"}
docker-caddy-1 | {"level":"debug","ts":1695072046.269895,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"seafile:8080","total_upstreams":1}
docker-caddy-1 | {"level":"debug","ts":1695072046.2723358,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"seafile:8080","duration":0.002314931,"request":{"remote_ip":"172.58.146.98","remote_port":"51986","client_ip":"172.58.146.98","proto":"HTTP/3.0","method":"GET","host":"docs.eaglewings.com","uri":"/","headers":{"Sec-Ch-Ua-Platform":["\"Linux\""],"Sec-Fetch-Mode":["navigate"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"],"Sec-Fetch-Site":["none"],"Sec-Fetch-Dest":["document"],"Sec-Gpc":["1"],"X-Forwarded-For":["172.58.146.98"],"Accept-Language":["en-US,en;q=0.7"],"Sec-Fetch-User":["?1"],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Ch-Ua":["\"Chromium\";v=\"116\", \"Not)A;Brand\";v=\"24\", \"Brave\";v=\"116\""],"Upgrade-Insecure-Requests":["1"],"Accept-Encoding":["gzip, deflate, br"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["docs.eaglewings.com"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h3","server_name":"docs.eaglewings.com"}},"error":"dial tcp: lookup seafile on 127.0.0.11:53: server misbehaving"}
docker-caddy-1 | {"level":"error","ts":1695072046.272444,"logger":"http.log.error","msg":"dial tcp: lookup seafile on 127.0.0.11:53: server misbehaving","request":{"remote_ip":"172.58.146.98","remote_port":"51986","client_ip":"172.58.146.98","proto":"HTTP/3.0","method":"GET","host":"docs.eaglewings.com","uri":"/","headers":{"Upgrade-Insecure-Requests":["1"],"Sec-Fetch-Dest":["document"],"Accept-Encoding":["gzip, deflate, br"],"Sec-Ch-Ua":["\"Chromium\";v=\"116\", \"Not)A;Brand\";v=\"24\", \"Brave\";v=\"116\""],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8"],"Sec-Gpc":["1"],"Accept-Language":["en-US,en;q=0.7"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-User":["?1"],"Sec-Fetch-Site":["none"],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Ch-Ua-Platform":["\"Linux\""],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h3","server_name":"docs.eaglewings.com"}},"duration":0.002605629,"status":502,"err_id":"36ee0qigw","err_trace":"reverseproxy.statusError (reverseproxy.go:1248)"}
3. Caddy version:
v2.7.4 h1:J8nisjdOxnYHXlorUKXY75Gr6iBfudfoGhrJ8t7/flI=
4. How I installed and ran Caddy:
docker compose
a. System environment:
b. Command:
c. Service/unit/compose file:
version: '3'
services:
  db:
    image: mariadb:10.11
    container_name: seafile-mysql
    environment:
      - MYSQL_ROOT_PASSWORD=Stylized6-Living-Multiple # Requested, set the root's password of MySQL service.
      - MYSQL_LOG_CONSOLE=true
    volumes:
      - mysql-data:/var/lib/mysql # Requested, specifies the path to MySQL data persistent store.
    restart: unless-stopped
    networks:
      - seafile-net
  memcached:
    image: memcached:latest
    container_name: seafile-memcached
    entrypoint: memcached -m 256
    restart: unless-stopped
    networks:
      - seafile-net
  seafile:
    image: seafileltd/seafile-mc:latest
    container_name: seafile
    ports:
      - "8080:80"
      #- "443:443" # If https is enabled, cancel the comment.
    volumes:
      - seafile-data:/shared # Requested, specifies the path to Seafile data persistent store.
    environment:
      - DB_HOST=db
      - DB_ROOT_PASSWD=passwordroot # Requested, the value should be root's password of MySQL service.
      - TIME_ZONE=Etc/UTC # Optional, default is UTC. Should be uncomment and set to your local time zone.
      - SEAFILE_ADMIN_EMAIL=admin@eaglewings.com # Specifies Seafile admin user, default is 'me@example.com'.
      - SEAFILE_ADMIN_PASSWORD=password1 # Specifies Seafile admin password, default is 'asecret'.
      - SEAFILE_SERVER_LETSENCRYPT=false # Whether to use https or not.
      - SEAFILE_SERVER_HOSTNAME=docs.eaglewingsessentialhealth.com # Specifies your host name if https is enabled.
    depends_on:
      - db
      - memcached
    networks:
      - seafile-net
  caddy:
    image: caddy:latest
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - ./seafile/seahub-data:/shared/seahub-data
      - ./site:/srv
      - caddy_data:/data
      - caddy_config:/config
networks:
  seafile-net:
volumes:
  mysql-data:
  seafile-data:
  caddy_data:
  caddy_config:
d. My complete Caddy config:
{
	#acme_ca https://acme.zerossl.com/v2/DV90
	email admin@eaglewings.com
	debug
}
docs.eaglewings.com {
	handle /seafhttp* {
		reverse_proxy seafile:8082
	}
	handle_path /media* {
		root * /shared/media
		file_server
	}
	handle {
		reverse_proxy seafile:8080
	}
}
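
A triage pass over the log output above, as an added example that is not part of the original post: it separates handshakes for hostnames Caddy holds no certificate for from the 502s on the proxied site, and labels a resolver failure at 127.0.0.11 (Docker's embedded DNS server) as an unresolved upstream name. The sample lines are constructed by shortening entries from the post; the function names and cause labels are assumptions of this example.

```python
import json
import re

# Constructed sample: entries from the post, shortened to the fields used here.
SAMPLE = """\
docker-caddy-1 | {"level":"debug","ts":1695071829.72,"logger":"http.stdlib","msg":"http: TLS handshake error from 63.143.42.253:55558: no certificate available for 'admin.eaglewings.com'"}
docker-caddy-1 | {"level":"debug","ts":1695072025.44,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"seafile:8080","total_upstreams":1}
docker-caddy-1 | {"level":"error","ts":1695072025.45,"logger":"http.log.error","msg":"dial tcp: lookup seafile on 127.0.0.11:53: server misbehaving","request":{"host":"docs.eaglewings.com","uri":"/"},"status":502}
docker-caddy-1 | not a JSON record
"""

DOCKER_DNS = "127.0.0.11"  # Docker's embedded DNS server
LOOKUP_RE = re.compile(r"lookup (\S+) on (\S+):53: ")
NO_CERT_RE = re.compile(r"no certificate available for '([^']*)'")


def parse(line):
    """Drop the compose 'service | ' prefix and decode the JSON record, else None."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        rec = json.loads(line[start:])
    except ValueError:
        return None
    return rec if isinstance(rec, dict) else None


def triage(text):
    """Return one finding per 502 error or certificate-less handshake."""
    findings = []
    for rec in filter(None, map(parse, text.splitlines())):
        msg = rec.get("msg", "")
        if rec.get("logger") == "http.log.error" and rec.get("status") == 502:
            m = LOOKUP_RE.search(msg)
            if m and m.group(2) == DOCKER_DNS:
                cause = "upstream-name-unresolved"  # name unknown on caddy's network
            elif "connection refused" in msg:  # assumed extra case, not in the post's logs
                cause = "upstream-port-closed"
            else:
                cause = "other"
            findings.append({"kind": "502", "cause": cause,
                             "upstream": m.group(1) if m else None,
                             "host": rec.get("request", {}).get("host")})
        elif (n := NO_CERT_RE.search(msg)):
            findings.append({"kind": "tls-no-cert", "sni": n.group(1)})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```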