I’ve got a DDNS setup through Google that seems to work fine.
After setting up the port forwarding as shown above, the logs no longer showed any errors regarding its connection (previously I had forwarded the wrong ports). The desired interface to be shown through the URL (Synology NAS File Station Login page) was however still not showing up. From here I understood the certificates need to be grabbed and installed on the NAS, but that also did not remedy the issue.
There’s probably something glaringly obvious I am missing.
I don’t think you’re actually reaching Caddy. I think some broken (outdated) HTTPS server is intercepting the request. You’ll need to dig deeper on your networking to make sure it’s all wired up correctly.
Thanks for your reply. Is there any way to properly debug/trace what is interfering? My network is quite simple as in apart from a router, some accesspoints and a NAS nothing should intercept the request.
Basically, the connection is broken. Curl isn’t receiving any information after sending the initial TLS handshake. This makes me think something in front of your home network is intercepting or cancelling the requests. Maybe your ISP blocks traffic on port 443? You might want to reach out to them and ask.
Interesting. I see your curl response is also different from my own.
This is what I get:
curl -v https://files.wichelo.nl
* Trying 37.251.33.34:443...
* Connected to files.wichelo.nl (37.251.33.34) port 443 (#0)
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
* schannel: failed to receive handshake, SSL/TLS connection failed
* Closing connection 0
curl: (35) schannel: failed to receive handshake, SSL/TLS connection failed
My ISP shouldn’t block anything, as far as I’ve read. Whether that is actually the case is hard to know, but I will give them a call.
Is it definitely something in front of my home network or could it also be something within? I’d love to exclude at least something to narrow down this search…
This will force the domain to resolve to 127.0.0.1 instead of your WAN IP, and it should reach Caddy directly. If that works, then it’s a problem either with your router or your ISP.
Not sure if the latter makes sense but I can imagine from inside the network these ports should be accessible. The former also puzzles me a bit as the nginx server from the synology apparently forwards the request again to port 5000/5001
Sorry for my late reply, had a lot of things on my plate the last few days.
I started completely from scratch and now Caddy is working perfectly!
A few more questions:
I see the following error in the logs when I access the domain. The URL resolves completely fine, but this does worry me slightly: logger=http msg=looking up info for HTTP challenge host=files.wichelo.nl error=no information found to solve challenge for identifier: files.wichelo.nl)
Accessing the URL by prepending www does not work. How do I fix this?
I have not added the generated certificate to my server. Should I?
We’ve seen evidence in the past that ZeroSSL continues making requests for ACME HTTP challenge verification long after it still makes sense to do so. That might be where that log is coming from.
This reminds me that we should probably enhance the logs for that kind of error to show the User-Agent on that request so that we can collect more evidence of ZeroSSL. I just spoke to @matt and we’ll add that in for a future release to we can better keep track of that.
Anyways, ignore this for now, if it still seems like a problem in let’s say a month, feel free to reach out to us again (there’ll probably be a release with the more detailed logging by that point I hope).
That’s a separate domain. You need to configure Caddy to serve that domain as well.
I don’t understand the question. But my guess is “probably not”, but I don’t know what you’re referring to.
@francislavoie thanks for the additional info.
As for the certificate, Synology allows for importing them, which I figured was necessary. I supppose that is all handled by Caddy then?
Thanks for your answer. I’m still a bit fuzzy on the why, though. So currently the connection is secured, right? What makes it that I would need to manually add it every few months? I currently haven’t added the certificate anywhere within the Synology environment.
Also what is the benefit of not directing to https, through your suggested config? As Caddy already redirects to https that seems way more secure.
You don’t need to do anything of that sort. Caddy is managing the certs for you. That interface is for those who want Synology to do the TLS termination with certs obtained from elsewhere. If your system is working, you’re good. Don’t fix something that isn’t broken.