Caddy works with caddy start but not as server

1. The problem I’m having:

When I run using “caddy start” in the /etc/caddy folder, redirecting works fine.
When I start caddy as “service caddy start”, there is no response from caddy.
I am new to caddy so not sure how to answer the other questions. I did confirm that there is read access to /etc/caddy/Caddyfile.

2. Error messages and/or full log output:


3. Caddy version:

v2.6.4

4. How I installed and ran Caddy:

a. System environment:

Linux vsifax 3.10.0-327.4.4.el7.x86_64 #1

b. Command:

caddy start
or 
service caddy start

c. Service/unit/compose file:

d. My complete Caddy config:

twl.patientcareassociates.com {
        reverse_proxy 172.20.100.38:7080
}
dwl.patientcareassociates.com {
        reverse_proxy 172.20.100.38:7000
}

5. Links to relevant resources:

What does your caddy init script look like?

/etc/systemd/system/caddy.service

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

At a quick glance, that seems to be OK.

Do you have any log files? You can add the debug directive to your Caddyfile to get more detailed log output.

I added the debug to the Caddyfile but it has no effect unless I run as root.
I am fairly certain there is some permission issue but not sure where. Below is the debug output when run as caddy.

2025/06/29 19:44:38.289 DEBUG   http.stdlib     http: TLS handshake error from 68.175.54.57:54118: no certificate available for 'twl.patientcareassociates.com'
2025/06/29 19:44:38.766 DEBUG   events  event   {"name": "tls_get_certificate", "id": "d74081c5-b7f7-43f3-87a7-598c7bbfa6c3", "origin": "tls", "data": {"client_hello":{"CipherSuites":[56026,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"twl.patientcareassociates.com","SupportedCurves":[47802,4588,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[51914,772,771],"Conn":{}}}}
2025/06/29 19:44:38.766 DEBUG   tls.handshake   no matching certificates and no custom selection logic  {"identifier": "twl.patientcareassociates.com"}
2025/06/29 19:44:38.766 DEBUG   tls.handshake   no matching certificates and no custom selection logic  {"identifier": "*.patientcareassociates.com"}
2025/06/29 19:44:38.766 DEBUG   tls.handshake   no matching certificates and no custom selection logic  {"identifier": "*.*.com"}
2025/06/29 19:44:38.766 DEBUG   tls.handshake   no matching certificates and no custom selection logic  {"identifier": "*.*.*"}
2025/06/29 19:44:38.766 DEBUG   tls.handshake   all external certificate managers yielded no certificates and no errors {"remote_ip": "68.175.54.57", "remote_port": "54119", "sni": "twl.patientcareassociates.com"}
2025/06/29 19:44:38.766 DEBUG   tls.handshake   no certificate matching TLS ClientHello {"remote_ip": "68.175.54.57", "remote_port": "54119", "server_name": "twl.patientcareassociates.com", "remote": "68.175.54.57:54119", "identifier": "twl.patientcareassociates.com", "cipher_suites": [56026, 4865, 4866, 4867, 49195, 49199, 49196, 49200, 52393, 52392, 49171, 49172, 156, 157, 47, 53], "cert_cache_fill": 0, "load_if_necessary": true, "obtain_if_necessary": true, "on_demand": false}
2025/06/29 19:44:38.766 DEBUG   http.stdlib     http: TLS handshake error from 68.175.54.57:54119: no certificate available for 'twl.patientcareassociates.com'
2025/06/29 19:44:38.816 DEBUG   events  event   {"name": "tls_get_certificate", "id": "9371bb17-30c2-4914-bf08-9e50dfdd080e", "origin": "tls", "data": {"client_hello":{"CipherSuites":[10794,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"twl.patientcareassociates.com","SupportedCurves":[31354,4588,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[27242,772,771],"Conn":{}}}}
2025/06/29 19:44:38.816 DEBUG   tls.handshake   no matching certificates and no custom selection logic  {"identifier": "twl.patientcareassociates.com"}
2025/06/29 19:44:38.816 DEBUG   tls.handshake   no matching certificates and no custom selection logic  {"identifier": "*.patientcareassociates.com"}
2025/06/29 19:44:38.816 DEBUG   tls.handshake   no matching certificates and no custom selection logic  {"identifier": "*.*.com"}
2025/06/29 19:44:38.816 DEBUG   tls.handshake   no matching certificates and no custom selection logic  {"identifier": "*.*.*"}
2025/06/29 19:44:38.816 DEBUG   tls.handshake   all external certificate managers yielded no certificates and no errors {"remote_ip": "68.175.54.57", "remote_port": "54120", "sni": "twl.patientcareassociates.com"}
2025/06/29 19:44:38.816 DEBUG   tls.handshake   no certificate matching TLS ClientHello {"remote_ip": "68.175.54.57", "remote_port": "54120", "server_name": "twl.patientcareassociates.com", "remote": "68.175.54.57:54120", "identifier": "twl.patientcareassociates.com", "cipher_suites": [10794, 4865, 4866, 4867, 49195, 49199, 49196, 49200, 52393, 52392, 49171, 49172, 156, 157, 47, 53], "cert_cache_fill": 0, "load_if_necessary": true, "obtain_if_necessary": true, "on_demand": false}
2025/06/29 19:44:38.816 DEBUG   http.stdlib     http: TLS handshake error from 68.175.54.57:54120: no certificate available for 'twl.patientcareassociates.com'
2025/06/29 19:44:54.773 DEBUG   events  event   {"name": "tls_get_certificate", "id": "f52231b0-5094-4912-b4df-76df8f589755", "origin": "tls", "data": {"client_hello":{"CipherSuites":[49195,49199,49196,49200,52393,52392,49161,49171,49162,49172,4865,4866,4867],"ServerName":"","SupportedCurves":[4588,29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[2052,1027,2055,2053,2054,1025,1281,1537,1283,1539,513,515],"SupportedProtos":null,"SupportedVersions":[772,771],"Conn":{}}}}
2025/06/29 19:44:54.773 DEBUG   tls.handshake   no matching certificates and no custom selection logic  {"identifier": "172.20.100.32"}
2025/06/29 19:44:54.773 DEBUG   tls.handshake   all external certificate managers yielded no certificates and no errors {"remote_ip": "204.76.203.208", "remote_port": "38698", "sni": ""}
2025/06/29 19:44:54.773 DEBUG   tls.handshake   no certificate matching TLS ClientHello {"remote_ip": "204.76.203.208", "remote_port": "38698", "server_name": "", "remote": "204.76.203.208:38698", "identifier": "172.20.100.32", "cipher_suites": [49195, 49199, 49196, 49200, 52393, 52392, 49161, 49171, 49162, 49172, 4865, 4866, 4867], "cert_cache_fill": 0, "load_if_necessary": true, "obtain_if_necessary": true, "on_demand": false}
2025/06/29 19:44:54.773 DEBUG   http.stdlib     http: TLS handshake error from 204.76.203.208:38698: no certificate available for '172.20.100.32'
2025/06/29 19:44:54.868 DEBUG   http.stdlib     http: TLS handshake error from 204.76.203.208:38684: EOF

Looks like a permission error. Your caddy, when running as non-root, cannot get into its data directory.

Could you check permissions for that?

I agree - I am just not sure where.
It seems most things are owned by caddy - I am not sure which dir is “data” but below is what I would guess.

-rw-r--r-- 1 caddy caddy 98 Jun 29 15:45 issue_cert_residentcareassociates.com.lock
-rw-r--r-- 1 caddy caddy 96 Jun 29 15:45 issue_cert_twl.patientcareassociates.com.lock
-rw-r--r-- 1 caddy caddy 98 Jun 29 15:45 issue_cert_www.residentcareassociates.com.lock
-rw-r--r-- 1 caddy caddy 98 Jun 29 15:26 issue_cert_www.twl.patientcareassociates.com.lock
[root@vsifax locks]# pwd
/var/lib/caddy/.local/share/caddy/locks

Wrong place?
Thank you
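
Which directory counts as "data" depends on the account running Caddy: its documented default is `$XDG_DATA_HOME/caddy`, falling back to `$HOME/.local/share/caddy`, so a root-launched `caddy start` and the `User=caddy` service use different stores. The script below is an added example, not part of the thread; the function names `caddy_data_dir` and `audit_storage` are hypothetical and the demo tree is constructed.

```shell
#!/bin/sh
# Added example: resolve Caddy's data directory for an account and audit it.

# Caddy's default data dir: $XDG_DATA_HOME/caddy if set, else
# $HOME/.local/share/caddy. Args: home directory, optional XDG_DATA_HOME.
caddy_data_dir() {
    if [ -n "${2:-}" ]; then
        printf '%s/caddy\n' "$2"
    else
        printf '%s/.local/share/caddy\n' "$1"
    fi
}

# Print every entry under DIR the service account could not fully use:
# wrong owner, a directory missing owner rwx, or a file missing owner rw.
# OWNER may be a user name or a numeric uid. Output is sorted.
audit_storage() {
    find "$1" \( ! -user "$2" \
        -o -type d ! -perm -700 \
        -o -type f ! -perm -600 \) -print | sort
}

# Demo on a constructed tree (not real Caddy data) owned by the current uid.
# Prints the offending paths relative to the temporary home directory.
demo() {
    demo_home=$(mktemp -d)
    demo_data=$(caddy_data_dir "$demo_home")
    mkdir -p "$demo_data/locks" "$demo_data/certificates"
    touch "$demo_data/locks/example.lock" "$demo_data/certificates/example.key"
    chmod 0400 "$demo_data/certificates/example.key"  # owner cannot rewrite key
    chmod 0500 "$demo_data/certificates"              # owner cannot add certs
    audit_storage "$demo_data" "$(id -u)" | sed "s|^$demo_home||"
    chmod -R u+rwx "$demo_home" && rm -rf "$demo_home"
}
demo
```

On the host, the service account's home can be read with `getent passwd caddy | cut -d: -f6`, and the audit run as root with `audit_storage "$(caddy_data_dir /var/lib/caddy)" caddy`.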