1. The problem I’m having:
I have been testing around a bit and wanted to start from scratch, so I uninstalled Caddy, including all certificates that were previously created in /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/duelify.com/duelify.com.crt etc.
I’m trying to run the Caddy service with the caddy-dns/cloudflare plugin. But it seems to me that there are either permission problems or Caddy doesn’t create the certificates in the given storage file system path.
systemctl status caddy.service
2. Error messages and/or full log output:
Jun 08 08:23:34 new-duelify caddy[23034]: {"level":"info","ts":1686212614.428661,"msg":"using provided configuration","config_file":"/etc/caddy/caddy.json","config_adapter":""}
Jun 08 08:23:34 new-duelify caddy[23034]: {"level":"info","ts":1686212614.4300416,"msg":"redirected default logger","from":"stderr","to":"/var/log/caddy/error.log"}
Jun 08 08:23:34 new-duelify caddy[23034]: Error: loading initial config: loading new config: tls app module: start: automate: managing [*.duelify.com]: automate: manage [*.duelify.com]: *.duelify.com: caching certificate: open /root/tls/certificates/acme-v02.api.letsencrypt.org-directory/wildcard_.duelify.com/wildcard_.duelify.com.key: permission denied
Jun 08 08:23:34 new-duelify systemd[1]: caddy.service: Main process exited, code=exited, status=1/FAILURE
Jun 08 08:23:34 new-duelify systemd[1]: caddy.service: Failed with result 'exit-code'.
Jun 08 08:23:34 new-duelify systemd[1]: Failed to start Caddy.
/var/log/caddy/error.log
{"level":"warn","ts":1686212614.430258,"logger":"admin","msg":"admin endpoint disabled"}
{"level":"warn","ts":1686212614.4312956,"logger":"http","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"h1","http_port":80}
{"level":"info","ts":1686212614.431734,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0001d6ee0"}
{"level":"info","ts":1686212614.431749,"logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0xc0001d6ee0"}
3. Caddy version:
v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=
4. How I installed and ran Caddy:
mkdir ~/tls
chown caddy:caddy ~/tls/
apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
apt update
apt install caddy
systemctl stop caddy
sudo curl -o /usr/bin/caddy "https://caddyserver.com/api/download?os=linux&arch=amd64&p=github.com%2Fcaddy-dns%2Fcloudflare&p=github.com%2FWeidiDeng%2Fcaddy-cloudflare-ip&p=github.com%2Fmastercactapus%2Fcaddy2-proxyprotocol&p=github.com%2Fimgk%2Fcaddy-trojan"
sed -i "s/Caddyfile/caddy.json/" /lib/systemd/system/caddy.service
systemctl daemon-reload
systemctl start caddy
a. System environment:
Debian 11
c. Service/unit/compose file:
[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target
[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/caddy.json
ExecReload=/usr/bin/caddy reload --config /etc/caddy/caddy.json --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateDevices=yes
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
CLOUDFLARE_API_TOKEN in Service has to be redacted to be able to post this here.
d. My complete Caddy config:
{
  "admin": {
    "disabled": true
  },
  "logging": {
    "logs": {
      "default": {
        "writer": {
          "output": "file",
          "filename": "/var/log/caddy/error.log"
        },
        "level": "ERROR"
      }
    }
  },
  "storage": {
    "module": "file_system",
    "root": "/root/tls"
  },
  "apps": {
    "http": {
      "servers": {
        "h1": {
          "listen": [
            ":80"
          ],
          "routes": [
            {
              "handle": [
                {
                  "handler": "static_response",
                  "headers": {
                    "Location": [
                      "https://{http.request.host}{http.request.uri}"
                    ]
                  },
                  "status_code": 301
                }
              ]
            }
          ]
        },
        "h1h2c": {
          "listen": [
            "127.0.0.1:88"
          ],
          "listener_wrappers": [
            {
              "wrapper": "proxy_protocol"
            }
          ],
          "routes": [
            {
              "handle": [
                {
                  "handler": "headers",
                  "response": {
                    "set": {
                      "Strict-Transport-Security": [
                        "max-age=31536000; includeSubDomains; preload"
                      ]
                    }
                  }
                },
                {
                  "handler": "file_server",
                  "root": "/srv/http/default"
                }
              ]
            }
          ],
          "protocols": [
            "h1",
            "h2c"
          ]
        }
      }
    },
    "tls": {
      "certificates": {
        "automate": [
          "*.duelify.com"
        ]
      },
      "automation": {
        "policies": [
          {
            "issuers": [
              {
                "module": "acme",
                "email": "myemail.com",
                "challenges": {
                  "dns": {
                    "provider": {
                      "name": "cloudflare",
                      "api_token": "{env.CLOUDFLARE_API_TOKEN}"
                    }
                  }
                }
              },
              {
                "module": "zerossl",
                "email": "myemail.com",
                "challenges": {
                  "dns": {
                    "provider": {
                      "name": "cloudflare",
                      "api_token": "{env.CLOUDFLARE_API_TOKEN}"
                    }
                  }
                }
              }
            ]
          }
        ]
      }
    }
  }
}
Thank you
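The log above fails with `permission denied` on a file under the configured storage root `/root/tls`, while `caddy.service` runs as `User=caddy`. The following is an added diagnostic script, not part of the original post and not Caddy's own tooling: it walks each directory component of a storage path and reports the first one a given uid/gid cannot traverse, then checks that the final directory is writable by that uid/gid. It assumes GNU coreutils `stat` (Linux) and models only the owner/group/other mode bits; supplementary groups, ACLs and mount options are out of scope.

```shell
#!/bin/sh
# Added check (not from the post or from Caddy): walk every directory component
# of a storage path and report the first one that a given uid/gid cannot
# traverse, then confirm the final directory is writable by that uid/gid.
# Assumes GNU coreutils `stat`. Models owner/group/other bits only (no
# supplementary groups or ACLs); uid 0 is treated as always allowed, as the
# kernel does for ordinary DAC checks.

# has_perm DIR UID GID w|x  -> 0 if UID/GID has that bit on DIR, else 1
has_perm() {
    dir=$1; uid=$2; gid=$3; want=$4
    if [ "$uid" = 0 ]; then return 0; fi
    set -- $(stat -c '%u %g %A' "$dir")   # owner-uid owner-gid mode-string
    # Pick the class that applies, as the kernel does: owner, else group,
    # else other. Offsets index into a mode string such as "drwxr-x---".
    if [ "$uid" = "$1" ]; then base=2
    elif [ "$gid" = "$2" ]; then base=5
    else base=8; fi
    if [ "$want" = w ]; then pos=$((base + 1)); else pos=$((base + 2)); fi
    c=$(printf '%s' "$3" | cut -c"$pos")
    case "$want:$c" in
        w:w|x:x|x:s|x:t) return 0 ;;   # lowercase s/t still carry the x bit
        *) return 1 ;;
    esac
}

# check_storage_path PATH UID GID -> 0 ok, 1 blocked, 2 missing; prints why
check_storage_path() {
    path=$1; uid=$2; gid=$3; acc=""
    old_ifs=$IFS; IFS=/; set -f; set -- $path; set +f; IFS=$old_ifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        acc="$acc/$comp"
        if [ ! -d "$acc" ]; then
            echo "missing or not a directory: $acc"
            return 2
        fi
        if ! has_perm "$acc" "$uid" "$gid" x; then
            echo "cannot traverse: $acc ($(stat -c '%A %U:%G' "$acc"))"
            return 1
        fi
    done
    [ -n "$acc" ] || acc=/
    if ! has_perm "$acc" "$uid" "$gid" w; then
        echo "cannot write: $acc ($(stat -c '%A %U:%G' "$acc"))"
        return 1
    fi
    echo "ok: uid=$uid gid=$gid can traverse and write $acc"
}

# Usage against the setup in the post (caddy.service runs as User=caddy and
# the storage root is /root/tls):
#   check_storage_path /root/tls "$(id -u caddy)" "$(id -g caddy)"
```

Run it as root on the host so `stat` can read every component; a `chown caddy:caddy` on the leaf directory alone does not help when a parent directory such as a 0700 home directory denies the `x` bit to the service user, which is exactly the kind of component this script points at.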