Caddy throws error getting certificate

1. The problem I’m having:

After starting caddy container, it hangs.
All other seafile containers are running.

2. Error messages and/or full log output:

INF ts=1737899364.221883 logger=docker-proxy msg=Running caddy proxy server

INF ts=1737899364.224399 logger=admin msg=admin endpoint started address=localhost:2019 enforce_origin=false origins=["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]

INF ts=1737899364.2246318 msg=autosaved config (load with --resume flag) file=/config/caddy/autosave.json

INF ts=1737899364.2246413 logger=docker-proxy msg=Running caddy proxy controller

INF ts=1737899364.2267985 logger=docker-proxy msg=Start CaddyfilePath= EnvFile= LabelPrefix=caddy PollingInterval=30 ProxyServiceTasks=true ProcessCaddyfile=true ScanStoppedContainers=false IngressNetworks=[seafile-net] DockerSockets=[""] DockerCertsPath=[""] DockerAPIsVersion=[""]

INF ts=1737899364.2282453 logger=docker-proxy msg=Connecting to docker events DockerSocket=

INF ts=1737899364.229256 logger=docker-proxy msg=IngressNetworksMap ingres=map[d84e5c06f4b0cd7174dab0dfa1d12d1875b38edce3a087c4d227f443ec32dbc6:true seafile-net:true]

INF ts=1737899364.239696 logger=docker-proxy msg=Swarm is available new=false

INF ts=1737899364.2442374 logger=docker-proxy msg=New Caddyfile caddyfile=https://1i09sldzcisqwou6.myfritz.net {
	reverse_proxy 172.18.0.2:80
}

INF ts=1737899364.2445607 logger=docker-proxy msg=New Config JSON json={"apps":{"http":{"servers":{"srv0":{"listen":[":443"],"routes":[{"match":[{"host":["xxx.net"]}],"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"172.18.0.2:80"}]}]}]}],"terminal":true}]}}}}}

INF ts=1737899364.2445989 logger=docker-proxy msg=Sending configuration to server=localhost

INF ts=1737899364.2456284 logger=admin.api msg=received request method=POST host=localhost:2019 uri=/load remote_ip=127.0.0.1 remote_port=51858 headers={"Accept-Encoding":["gzip"],"Content-Length":["304"],"Content-Type":["application/json"],"User-Agent":["Go-http-client/1.1"]}

INF ts=1737899364.2464602 logger=admin msg=admin endpoint started address=localhost:2019 enforce_origin=false origins=["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]

INF ts=1737899364.2466884 logger=http.auto_https msg=server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS server_name=srv0 https_port=443

INF ts=1737899364.2467208 logger=http.auto_https msg=enabling automatic HTTP->HTTPS redirects server_name=srv0

INF ts=1737899364.2473896 logger=http msg=enabling HTTP/3 listener addr=:443

INF ts=1737899364.2484214 msg=failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 7168 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details.

INF ts=1737899364.2491727 logger=http.log msg=server running name=srv0 protocols=["h1","h2","h3"]

INF ts=1737899364.2493827 logger=http.log msg=server running name=remaining_auto_https_redirects protocols=["h1","h2","h3"]

INF ts=1737899364.24976 logger=http msg=enabling automatic TLS certificate management domains=["xxx.net"]

INF ts=1737899364.2503335 msg=autosaved config (load with --resume flag) file=/config/caddy/autosave.json

INF ts=1737899364.2503633 logger=admin.api msg=load complete

INF ts=1737899364.2511952 logger=tls.obtain msg=acquiring lock identifier=xxx.net

INF ts=1737899364.248169 logger=tls.cache.maintenance msg=started background certificate maintenance cache=0xc000588180

INF ts=1737899364.2518275 logger=docker-proxy msg=Successfully configured server=localhost

INF ts=1737899364.2541792 logger=tls msg=storage cleaning happened too recently; skipping for now storage=FileStorage:/data/caddy instance=552ebb34-199a-44c5-adde-c4360b973a63 try_again=1737985764.254171 try_again_in=86399.999997695

INF ts=1737899364.2544715 logger=tls msg=finished cleaning storage units

INF ts=1737899364.257041 logger=admin msg=stopped previous server address=localhost:2019

INF ts=1737899364.25884 logger=tls.obtain msg=obtaining certificate identifier=xxx.net

WRN ts=1737899364.2782385 logger=http.acme_client msg=HTTP request failed; retrying url=https://acme-v02.api.letsencrypt.org/directory error=performing request: Get "https://acme-v02.api.letsencrypt.org/directory": dial tcp 172.65.32.248:443: connect: network is unreachable

3. Caddy version:

2.9-alpine

4. How I installed and ran Caddy:

using this link: https://manual.seafile.com/12.0/setup/setup_ce_by_docker/

a. System environment:

linux alpine container in proxmox with docker 25.0.5

b. Command:

docker compose up -d

c. Service/unit/compose file:

services:

  caddy:
    image: ${SEAFILE_CADDY_IMAGE:-lucaslorentz/caddy-docker-proxy:2.9-alpine}
    restart: unless-stopped
    container_name: seafile-caddy
    ports:
      - 80:80
      - 443:443
    environment:
      - CADDY_INGRESS_NETWORKS=seafile-net
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ${SEAFILE_CADDY_VOLUME:-/opt/seafile-caddy}:/data/caddy
    networks:
      - seafile-net
    healthcheck:
      test: ["CMD-SHELL", "curl --fail http://localhost:2019/metrics || exit 1"]
      start_period: 20s
      interval: 20s
      timeout: 5s
      retries: 3

networks:
  seafile-net:
    name: seafile-net

d. My complete Caddy config:

auto configured

5. Links to relevant resources:

There’s no evidence of any error in the log. I also don’t see any Caddy config. auto configured is not configuration. It must be receiving the config from somewhere, and you haven’t shared this “where”.

I have no access to the caddy container, because it’s not running properly.

WRN ts=1737899364.2782385 logger=http.acme_client msg=HTTP request failed; retrying url=https://acme-v02.api.letsencrypt.org/directory error=performing request: Get "https://acme-v02.api.letsencrypt.org/directory": dial tcp 172.65.32.248:443: connect: network is unreachable

contains an error: dial tcp 172.65.32.248:443: connect: network is unreachable

This means the Caddy container is not able to reach the Internet to connect to Let’s Encrypt for a certificate. You have a network issue blocking Caddy.

Yes, you are right.
I have no clue why. There is no firewall installed for this container and the site is not blocked:

curl https://acme-v02.api.letsencrypt.org/directory

works fine. Ports 80 and 443 have been forwarded to this machine.
After playing around (disabling global firewall, Teredo filter and WPAD) I got additional errors and warnings:

WRN ts=1737907080.324477 logger=http.acme_client msg=HTTP request failed; retrying url=https://acme-v02.api.letsencrypt.org/directory error=performing request: Get "https://acme-v02.api.letsencrypt.org/directory": dial tcp: lookup acme-v02.api.letsencrypt.org on 127.0.0.11:53: server misbehaving

WRN ts=1737907084.5981374 logger=http.acme_client msg=HTTP request failed; retrying url=https://acme-v02.api.letsencrypt.org/directory error=performing request: Get "https://acme-v02.api.letsencrypt.org/directory": dial tcp 172.65.32.248:443: connect: network is unreachable

ERR ts=1737907084.5982218 logger=tls.obtain msg=could not get certificate from issuer identifier=1i09sldzcisqwou6.myfritz.net issuer=acme-v02.api.letsencrypt.org-directory error=registering account [] with server: provisioning client: performing request: Get "https://acme-v02.api.letsencrypt.org/directory": dial tcp 172.65.32.248:443: connect: network is unreachable

I have therefore undone the settings.
Maybe, my problem is related to this: https://caddy.community/t/acme-timeouts-upon-server-start/13943
But I have no clue what I should change in the docker file.

update:
After playing around, I get this from the log files:

INF ts=1737985200.5663588 logger=docker-proxy msg=Running caddy proxy server

INF ts=1737985200.5676525 logger=admin msg=admin endpoint started address=localhost:2019 enforce_origin=false origins=["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]

INF ts=1737985200.5678926 msg=autosaved config (load with --resume flag) file=/config/caddy/autosave.json

INF ts=1737985200.5679018 logger=docker-proxy msg=Running caddy proxy controller

INF ts=1737985200.5757825 logger=docker-proxy msg=Start CaddyfilePath= EnvFile= LabelPrefix=caddy PollingInterval=30 ProxyServiceTasks=true ProcessCaddyfile=true ScanStoppedContainers=false IngressNetworks=[seafile-net] DockerSockets=[""] DockerCertsPath=[""] DockerAPIsVersion=[""]

INF ts=1737985200.577011 logger=docker-proxy msg=Connecting to docker events DockerSocket=

INF ts=1737985200.5792189 logger=docker-proxy msg=IngressNetworksMap ingres=map[d84e5c06f4b0cd7174dab0dfa1d12d1875b38edce3a087c4d227f443ec32dbc6:true seafile-net:true]

INF ts=1737985200.6086283 logger=docker-proxy msg=Swarm is available new=false

INF ts=1737985200.614931 logger=docker-proxy msg=New Caddyfile caddyfile=# Empty caddyfile

WRN ts=1737985200.6188383 logger=docker-proxy msg=Caddyfile to json warning warn=[Caddyfile:1: Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies]

INF ts=1737985200.6188626 logger=docker-proxy msg=New Config JSON json={}

INF ts=1737985200.6188974 logger=docker-proxy msg=Sending configuration to server=localhost

INF ts=1737985200.6197598 logger=admin.api msg=received request method=POST host=localhost:2019 uri=/load remote_ip=127.0.0.1 remote_port=42570 headers={"Accept-Encoding":["gzip"],"Content-Length":["41"],"Content-Type":["application/json"],"User-Agent":["Go-http-client/1.1"]}

INF ts=1737985200.6198 msg=config is unchanged

INF ts=1737985200.6198075 logger=admin.api msg=load complete

INF ts=1737985200.61994 logger=docker-proxy msg=Successfully configured server=localhost

INF ts=1737985220.8674793 logger=docker-proxy msg=New Caddyfile caddyfile=http://xxx.net {
	reverse_proxy 172.18.0.5:80
}

INF ts=1737985220.86789 logger=docker-proxy msg=New Config JSON json={"apps":{"http":{"servers":{"srv0":{"listen":[":80"],"routes":[{"match":[{"host":["xxx.net"]}],"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"172.18.0.5:80"}]}]}]}],"terminal":true}]}}}}}

INF ts=1737985220.8679152 logger=docker-proxy msg=Sending configuration to server=localhost

INF ts=1737985220.8683324 logger=admin.api msg=received request method=POST host=localhost:2019 uri=/load remote_ip=127.0.0.1 remote_port=42570 headers={"Accept-Encoding":["gzip"],"Content-Length":["303"],"Content-Type":["application/json"],"User-Agent":["Go-http-client/1.1"]}

INF ts=1737985220.868914 logger=admin msg=admin endpoint started address=localhost:2019 enforce_origin=false origins=["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]

WRN ts=1737985220.8690743 logger=http.auto_https msg=server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server server_name=srv0 http_port=80

INF ts=1737985220.8693285 logger=http.log msg=server running name=srv0 protocols=["h1","h2","h3"]

INF ts=1737985220.8694649 msg=autosaved config (load with --resume flag) file=/config/caddy/autosave.json

INF ts=1737985220.8694751 logger=admin.api msg=load complete

INF ts=1737985220.8697443 logger=admin msg=stopped previous server address=localhost:2019

INF ts=1737985220.8697898 logger=tls.cache.maintenance msg=started background certificate maintenance cache=0xc0005fcc80

INF ts=1737985220.8707812 logger=docker-proxy msg=Successfully configured server=localhost

INF ts=1737985220.8760989 logger=tls msg=cleaning storage unit storage=FileStorage:/data/caddy

INF ts=1737985220.876505 logger=tls msg=finished cleaning storage units

But the container is still unhealthy.
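The two failure signatures in this thread (`connect: network is unreachable` and `lookup ... on 127.0.0.11:53: server misbehaving`) point at different layers: the first means the container has no route out, the second means Docker's embedded resolver could not answer. The following triage script is an added example, not code from the thread or from Caddy or caddy-docker-proxy: it parses Caddy's console log lines as pasted above, picks out the ACME/TLS lines that carry an `error=` tail, and maps the dial error to the layer that is failing so a long log can be summarised in one pass. The sample log is constructed from the lines quoted in this thread (with the host shortened to `xxx.net`); the extra `i/o timeout` and `connection refused` patterns are standard Go `net` error strings added so the classifier generalises beyond the two cases seen here.

```python
"""Triage ACME connectivity failures from Caddy console log lines (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the acme_client / tls.obtain lines quoted in this thread,
# plus an ordinary INF line to show that lines without a dial error are skipped.
SAMPLE_LOG = """\
INF ts=1737899364.25884 logger=tls.obtain msg=obtaining certificate identifier=xxx.net
WRN ts=1737899364.2782385 logger=http.acme_client msg=HTTP request failed; retrying url=https://acme-v02.api.letsencrypt.org/directory error=performing request: Get "https://acme-v02.api.letsencrypt.org/directory": dial tcp 172.65.32.248:443: connect: network is unreachable
WRN ts=1737907080.324477 logger=http.acme_client msg=HTTP request failed; retrying url=https://acme-v02.api.letsencrypt.org/directory error=performing request: Get "https://acme-v02.api.letsencrypt.org/directory": dial tcp: lookup acme-v02.api.letsencrypt.org on 127.0.0.11:53: server misbehaving
ERR ts=1737907084.5982218 logger=tls.obtain msg=could not get certificate from issuer identifier=xxx.net issuer=acme-v02.api.letsencrypt.org-directory error=registering account [] with server: provisioning client: performing request: Get "https://acme-v02.api.letsencrypt.org/directory": dial tcp 172.65.32.248:443: connect: network is unreachable
"""

# Caddy's console format: level, ts=, logger=, then msg= and the rest of the line.
LINE_RE = re.compile(
    r"^(?P<level>INF|WRN|ERR)\s+ts=(?P<ts>[\d.]+)\s+logger=(?P<logger>\S+)\s+msg=(?P<rest>.*)$"
)

# (regex over the error= tail, category, hint for the operator).
# The first two are the exact errors seen in this thread; the last two are other
# Go net dial errors for the same request, added so the classifier generalises.
ERROR_PATTERNS = [
    (re.compile(r"dial tcp (?P<addr>\S+): connect: network is unreachable"),
     "no_route",
     "container has no route out: check the docker network gateway, host NAT/forwarding and host firewall"),
    (re.compile(r"lookup (?P<name>\S+) on (?P<resolver>\S+): server misbehaving"),
     "dns_failure",
     "Docker's embedded resolver (127.0.0.11) got no usable answer: check the host's upstream DNS"),
    (re.compile(r"dial tcp (?P<addr>\S+): i/o timeout"),
     "timeout",
     "packets leave but nothing returns: an egress filter is likely dropping 443/tcp"),
    (re.compile(r"dial tcp (?P<addr>\S+): connect: connection refused"),
     "connection_refused",
     "a host answered and refused: wrong address or an intercepting proxy"),
]


@dataclass
class Finding:
    ts: float
    level: str
    logger: str
    category: str
    detail: str  # matched address or hostname, for correlating across lines
    hint: str


def classify_line(line: str) -> Optional[Finding]:
    """Return a Finding for an ACME/TLS line carrying a dial error, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    logger = m.group("logger")
    if not (logger.startswith("http.acme_client") or logger.startswith("tls.")):
        return None
    rest = m.group("rest")
    if "error=" not in rest:
        return None
    err = rest.split("error=", 1)[1]
    ts, level = float(m.group("ts")), m.group("level")
    for pat, category, hint in ERROR_PATTERNS:
        em = pat.search(err)
        if em:
            # first named group is the address or hostname of interest
            detail = next(iter(em.groupdict().values()))
            return Finding(ts, level, logger, category, detail, hint)
    return Finding(ts, level, logger, "unclassified", err, "inspect manually")


def triage(log_text: str) -> list:
    """Classify every line of a Caddy log; lines without a dial error are dropped."""
    return [f for f in (classify_line(l) for l in log_text.splitlines()) if f]


def summarize(findings: list) -> dict:
    """Count findings per category, e.g. {'no_route': 2, 'dns_failure': 1}."""
    counts: dict = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.level} {f.logger:18} {f.category:18} {f.detail}")
    print(summarize(found))
```

Run against the thread's log the summary comes out as two `no_route` findings and one `dns_failure`, which matches the responder's reading: the container cannot reach Let's Encrypt at all, and the intermittent DNS failure is a symptom of the same broken egress rather than a separate problem. Pipe `docker logs seafile-caddy` into `triage()` to apply it to a live container's output.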

I started from scratch - caddy is working now.
