Caddy v2 not accepting custom domain

1. Caddy version (caddy version):

Caddy v2

2. How I run Caddy:

I thought I needed both the config JSON and the Caddyfile, so right now I am using both files. Can someone please enlighten me on how I can use only the Caddyfile? Should I delete the config.json file?

a. System environment:

I am using Caddy as a reverse proxy in front of Apache, and my main domain is successfully configured, but I can’t access custom domains, maybe because of Caddyfile and config.json confusion!

b. My complete Caddyfile or JSON config:

Caddyfile -

domain {
    reverse_proxy 127.0.0.1:8080
}

Config.json

{
  "apps": {
    "tls": {
      "automation": {
        "policies": [
          {
            "issuer": {
              "module": "acme",
              "email": "email"
            },
            "on_demand": true
          }
        ],
        "on_demand": {
          "rate_limit": {
            "interval": "5m",
            "burst": 100
          }
        }
      }
    },
    "http": {
      "http_port": 80,
      "https_port": 443,
      "servers": {
        "tiendas": {
          "listen": [":80", ":443"],
          "max_header_bytes": 41943040,
          "routes": [
            {
              "handle": [
                {
                  "handler": "reverse_proxy",
                  "upstreams": [
                    {
                      "dial": "localhost:8080"
                    }
                  ]
                }
              ],
              "terminal": true
            }
          ]
        }
      }
    }
  }
}

3. The problem I’m having:

I cannot access my custom domains but my main domain is accessible!

4. Error messages and/or full log output:

When I try to visit a custom domain, this is the error:

Error code: SSL_ERROR_INTERNAL_ERROR_ALERT
Jun 02 16:53:08 caddy[15524]: {"level":"info","ts":1591116788.7395413,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Jun 02 16:53:08 caddy[12023]: {"level":"info","ts":1591116788.7419527,"logger":"admin.api","msg":"received request","method":"POST","host":"localhost:2019","uri":"/load","remote_addr":"127.0.0.1:39716","headers":{"A
Jun 02 16:53:08 caddy[12023]: {"level":"info","ts":1591116788.7425845,"logger":"admin.api","msg":"config is unchanged"}
Jun 02 16:53:08 caddy[12023]: {"level":"info","ts":1591116788.7427702,"logger":"admin.api","msg":"load complete"}
Jun 02 16:53:08  systemd[1]: Reloaded Caddy.
Jun 02 17:02:50  caddy[12023]: 2020/06/02 17:02:50 http: TLS handshake error from 103.61.39.155:47692: no certificate available for 'myip'
Jun 02 17:06:51 caddy[12023]: 2020/06/02 17:06:51 http: TLS handshake error from 195.54.160.135:33716: no certificate available for 'myip'
Jun 02 17:09:27  caddy[12023]: 2020/06/02 17:09:27 http: TLS handshake error from 45.113.249.233:60524: no certificate available for 'custom domain'

5. What I already tried:

I tried using :80,:443 instead of mydomain in my Caddyfile, but Caddy throws an error while reloading. Should I delete my config.json and use only the Caddyfile? But when I added

tls{
on_demand
}

in my Caddyfile, it still throws an error.

Appreciate your help!!

So, which config are you actually using? The JSON or the Caddyfile?

Also, what is your domain name? (The help template you deleted when you composed your post has some crucial questions you omitted. Please go back and fill it out, if you would, and we can help you better.)


Edited!!
Thank you!

Thanks! I’m still confused as to which config file you’re using though. Is it the JSON or the Caddyfile?

@matt I thought I needed to use both the Caddyfile and the JSON file, though I was wrong. So right now I am using only the Caddyfile:

mydomain {
    reverse_proxy 127.0.0.1:8080
}

When I added the tls directive, it throws the error “Unrecognized directive”.

Placement is important. Make sure the directives go inside a site block.

Post your full Caddyfile if you want us to have a look at it. Posting what you had that works and then saying “I added X, and now it doesn’t work” won’t help us help you; placement is very important and we’d need to see exactly what you’re trying that isn’t working.


Right now my Caddyfile is set to use only reverse_proxy:

domain{
    reverse_proxy localhost:8080
 }

However, when I tried to add tls, it throws “Unrecognized directive”:

domain{
    reverse_proxy localhost:8080
    tls{
       on_demand    
    }
 }

I want to enable custom domains with SSL issued for them; looking forward to your reply!!

I can see two potential issues:

domain{

This will cause problems. Likely it will include the brace in your site label, which will result in mismatched braces and might just give Caddy a world of grief trying to figure out your actual Caddyfile structure. Spacing is important.

tls{

Same problem. The directive is not called tls{, it’s called tls, and you need to open a braced block after it, e.g. tls {. Spacing is important! Just like any program you’d use a config file for, it is sensitive to breaking syntax.


Fixed it!! I just didn’t mention it here!
Though how do I accept requests from custom domains?

Use a host-agnostic site address.

The host is, effectively, the domain part of the URL. You can just omit it entirely to accept any host, or use wildcards to accept subdomains.

Have a read through this section of the documentation regarding site addresses: https://caddyserver.com/docs/caddyfile/concepts#addresses


I tried everything, but then my site doesn’t load at all:

:80,
:443,
*:80,
*:443,
localhost

Tried these; I didn’t use them all at once, obviously. But when I go back to my default Caddyfile

domain {
    reverse_proxy 127.0.0.1:8080   
}

It just doesn’t work, I don’t know why. It was working fine before checking the other configs.
Error:

Error code: SSL_ERROR_INTERNAL_ERROR_ALERT

Edit: stopped and started the server again; reloading didn’t work.
But I still can’t access custom domains, even with these:

:80,
:443,
*:80,
*:443,
localhost

With the latest example, can you tell us exactly what happens when you try to browse to one of the custom domains?

Do you get an error in your web browser you can share? Is there any output from Caddy when you try?


Ok, looks like I am getting somewhere. So I went through the docs and disabled the config file, i.e. config.json, using a curl command. And I adapted the Caddyfile again just in case and successfully added the :80 and :443 ports.
Caddyfile:

:80 {
    reverse_proxy 127.0.0.1:8080 
}
:443 {
    reverse_proxy 127.0.0.1:8080
    tls {
        on_demand
    }  
}


So now when I visit my custom domain it still doesn’t show up and keeps loading for 1-2 min, but this is the status I get while it is loading:

Jun 03 09:15:47 caddy[27051]: 2020/06/03 09:15:47 [INFO] Obtaining new certificate for customdomain
Jun 03 09:15:47 caddy[27051]: 2020/06/03 09:15:47 [INFO][customdomain] Obtain certificate; acquiring lock...
Jun 03 09:15:47 caddy[27051]: 2020/06/03 09:15:47 [INFO][customdomain] Obtain: Lock acquired; proceeding...
Jun 03 09:15:47 caddy[27051]: 2020/06/03 09:15:47 [INFO][customdomain] Waiting on rate limiter...
Jun 03 09:15:47 caddy[27051]: 2020/06/03 09:15:47 [INFO][customdomain] Done waiting
Jun 03 09:15:47 caddy[27051]: 2020/06/03 09:15:47 [INFO] [customdomain] acme: Obtaining bundled SAN certificate given a CSR
Jun 03 09:15:48 caddy[27051]: 2020/06/03 09:15:48 [ERROR] acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/, url:  (challenge=tls-alpn-01 remaining=[http-01])
Jun 03 09:15:50 caddy[27051]: 2020/06/03 09:15:50 [INFO] [customdomain] acme: Obtaining bundled SAN certificate given a CSR
Jun 03 09:15:50 caddy[27051]: 2020/06/03 09:15:50 [ERROR] acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/, url:  (challenge=http-01 remaining=[])
Jun 03 09:15:52 caddy[27051]: 2020/06/03 09:15:52 [ERROR] attempt 1: [customdomain] Obtain: [customdomain] acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/, url:  - retrying in 1m0s (4.715916398s/720h0m0s elapsed)...

And after loading stopped, the status was

Jun 03 09:19:10  caddy[27051]: 2020/06/03 09:19:10 [ERROR] attempt 2: [customdomain] Obtain: [customdomain] error: one or more domains had a problem:
Jun 03 09:19:10  caddy[27051]: [customdomain] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol "acme-tls/1" for tl
Jun 03 09:19:10  caddy[27051]:  - retrying in 2m0s (3m22.452145205s/720h0m0s elapsed)...
Jun 03 09:19:10  caddy[27051]: 2020/06/03 09:19:10 [INFO][customdomain] Obtain: Releasing lock
Jun 03 09:19:10  caddy[27051]: 2020/06/03 09:19:10 http: TLS handshake error from 162.158.167.162:29112: context canceled
Jun 03 09:19:10  caddy[27051]: 2020/06/03 09:19:10 http: TLS handshake error from 172.69.135.34:56816: no certificate available for 'customdomain'
Jun 03 09:19:10  caddy[27051]: 2020/06/03 09:19:10 http: TLS handshake error from 162.158.167.162:18932: no certificate available for 'customdomain'
Jun 03 09:19:10  caddy[27051]: 2020/06/03 09:19:10 http: TLS handshake error from 162.158.165.114:29484: no certificate available for 'customdomain'
Jun 03 09:19:10  caddy[27051]: 2020/06/03 09:19:10 http: TLS handshake error from 162.158.166.37:14696: no certificate available for 'customdomain'
Jun 03 09:19:10  caddy[27051]: 2020/06/03 09:19:10 http: TLS handshake error from 162.158.165.186:58596: no certificate available for 'customdomain'

Am I missing anything in the Caddyfile? I could really use some help!! @matt @Whitestrake

Your website appears to be behind Cloudflare proxy. cURL-ing your website gives 525 Origin SSL Handshake Error. This means Cloudflare is having issues connecting to your website over HTTPS. Cloudflare is expecting your server to be serving the website over HTTPS, but you’re expecting Caddy to handle the HTTP-01 challenge to obtain the first Let’s Encrypt certificate, so its first connection must be received over HTTP. This means you’re stuck in a Catch-22: Cloudflare will only connect to your server over HTTPS, which you can do, but not until you first receive a plain HTTP connection, which Cloudflare won’t allow, which denies you the ability to receive the certificate to start serving over HTTPS.

I’m not familiar with Cloudflare configuration & management, so I can’t provide specific instruction on what to do. However, there’s a workaround described in Caddy’s issue tracker (here). There are also these 2 posts on Cloudflare’s own support forum that are directly related to your issue:

P.S.: This is why we prefer you share the real domain in the post. I wouldn’t have been able to arrive at any of this without my eyes catching your real domain in the logs.


Thank you for the reply; however, I am not using Cloudflare for any of my sites!! I have updated the reply above; I would really appreciate it if you took a look at it!!
Thanks!!

Looks like validation has repeatedly failed for this domain and you have been rate limited.

You will have to wait for the rate limit period to pass before any further certificate acquisition can occur from LetsEncrypt. I can’t tell you exactly how long that will be since they use rolling rate limit windows.

This is never the first error Caddy will have given for domain certificate validation requests. This error only occurs once a number of attempts have failed. Caddy’s logs from the earlier failed attempts will tell you why the challenge couldn’t be solved in those cases.

Failure to negotiate ALPN is almost overwhelmingly a sign that secure connections to the IP address listed in public DNS records for this domain name do not directly reach Caddy (e.g. they may be pointed at the wrong server entirely, or there may be a TLS terminating reverse proxy in the way).

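As an added example (not code from the thread or from Caddy itself): a small classifier for the journal lines quoted above that separates the three failure classes Whitestrake's diagnosis rests on (ACME rate limiting, the tls-alpn-01 "Cannot negotiate ALPN" rejection, and TLS handshakes for names that have no certificate), so the earlier failed attempts can be found in a long log instead of only the final 429. The sample lines are constructed from the thread's redacted output; 'customdomain' is the poster's placeholder and 203.0.113.10 is an assumed stand-in for the redacted 'myip'.

```python
import re
from collections import Counter

# Constructed sample journal lines modelled on the thread's output (not the poster's real logs):
# 'customdomain' is the poster's placeholder, 203.0.113.10 stands in for the redacted 'myip'.
SAMPLE_LOG = """\
Jun 02 17:02:50 caddy[12023]: 2020/06/02 17:02:50 http: TLS handshake error from 103.61.39.155:47692: no certificate available for '203.0.113.10'
Jun 02 17:09:27 caddy[12023]: 2020/06/02 17:09:27 http: TLS handshake error from 45.113.249.233:60524: no certificate available for 'customdomain'
Jun 03 09:15:48 caddy[27051]: 2020/06/03 09:15:48 [ERROR] acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/, url:  (challenge=tls-alpn-01 remaining=[http-01])
Jun 03 09:19:10 caddy[27051]: [customdomain] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge
Jun 03 09:19:10 caddy[27051]: 2020/06/03 09:19:10 http: TLS handshake error from 172.69.135.34:56816: no certificate available for 'customdomain'
"""

NO_CERT = re.compile(r"TLS handshake error from (?P<peer>[\d.]+):\d+: no certificate available for '(?P<host>[^']+)'")
RATE_LIMITED = re.compile(r"acme:error:rateLimited.*\(challenge=(?P<challenge>[\w-]+) remaining=\[(?P<remaining>[^\]]*)\]\)")
ALPN_UNAUTHORIZED = re.compile(r'acme:error:unauthorized :: Cannot negotiate ALPN protocol "acme-tls/1"')
IP_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")  # IPv4 SNI: a client connected by address, not by name

def parse_line(line):
    """Classify one Caddy journal line; unrelated lines (systemd, admin API) return None."""
    if m := NO_CERT.search(line):
        return {"kind": "no_cert", "host": m["host"], "peer": m["peer"]}
    if m := RATE_LIMITED.search(line):
        remaining = [c for c in m["remaining"].split(",") if c]  # challenges Caddy can still fall back to
        return {"kind": "rate_limited", "challenge": m["challenge"], "remaining": remaining}
    if ALPN_UNAUTHORIZED.search(line):
        return {"kind": "alpn_unauthorized"}
    return None

def summarize(log_text):
    """Tally the failure classes the thread discusses across a log excerpt."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    return {
        "no_cert_hosts": Counter(e["host"] for e in events if e["kind"] == "no_cert"),
        "rate_limited": sum(e["kind"] == "rate_limited" for e in events),
        "alpn_unauthorized": sum(e["kind"] == "alpn_unauthorized" for e in events),
    }

def diagnose(summary):
    """Map the tallies to the causes named in the thread; each finding starts with its class."""
    findings = []
    if summary["alpn_unauthorized"]:
        findings.append("alpn_unauthorized: tls-alpn-01 failed, so port 443 at the DNS-listed IP is not reaching Caddy directly")
    if summary["rate_limited"]:
        findings.append("rate_limited: Let's Encrypt is refusing new orders; wait out the failed-validation window before retrying")
    for host, n in summary["no_cert_hosts"].items():
        why = "IP literal SNI, no certificate possible" if IP_LITERAL.match(host) else "no certificate obtained yet"
        findings.append(f"no_cert: {n} handshake(s) for '{host}' ({why})")
    return findings
```

Run it over `journalctl -u caddy` output instead of SAMPLE_LOG to see which hostname failed, which challenge type was rejected, and whether the 429 is the cause or only the consequence.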

Thank you so much @matt @Whitestrake for helping me throughout!!
I’ve successfully configured Caddy as a reverse proxy in front of my Apache server, and custom domains are configured with SSL.
I just disabled the config.json file and adapted the Caddyfile; now everything works just fine!! :100:
In case anyone needs it,
this is my Caddyfile:

:80 {
    reverse_proxy 127.0.0.1:8080 
}
:443 {
    reverse_proxy 127.0.0.1:8080
    tls {
        on_demand
    }  
}

This just works for me. Also, can you please tell me how long the rate limit/restriction will be applied to my custom domain? I have 3 custom domains mapped to my main domain. The first two have been restricted and the third one is configured with SSL through Caddy!!

And also, is there anything more I need to add in the Caddyfile for tls, like rate limits, max certs, anything important?

Thanks again!!!

No worries!

LetsEncrypt have published the details of their rate limits over here:

You’re looking for the Failed Validation limit.

Ok thanks, 5 failures per hour.
Also, is there any need to add other tls stuff in the Caddyfile, like email, rate_limits, max_certs, etc.?

No, there is no requirement for any of those.

rate_limits is only configurable in JSON.

max_certs, I believe, only exists for v1.
