1. Caddy version (caddy version):
Caddy 2, Docker image caddy:2.3.0
2. How I run Caddy:
Running caddy in a container on a qnap NAS. DuckDNS with caddy as reverse proxy. https://renna.duckdns.org is primary for home assistant but several other subdomains such as: https://blueiris.renna.duckdns.org, https://grafana.renna.duckdns.org
a. System environment:
Docker
b. Command:
c. Service/unit/compose file:
version: "3.7"
services:
  caddy:
    image: caddy:2.3.0
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - '/share/Container/caddy2/etc/caddy:/etc/caddy'
      - '/share/Container/caddy2/data:/data'
      - '/share/Container/caddy2/config:/config'
d. My complete Caddyfile or JSON config:
renna.duckdns.org {
    reverse_proxy http://192.168.0.14:8123
    tls mike.renna@live.com
}
grafana.renna.duckdns.org {
    reverse_proxy http://192.168.0.14:3000
    tls mike.renna@live.com
}
blueiris.renna.duckdns.org {
    reverse_proxy http://192.168.0.3:81
    tls mike.renna@live.com
}
plex.renna.duckdns.org {
    reverse_proxy http://192.168.0.14:32400
    tls mike.renna@live.com
}
portainer.renna.duckdns.org {
    reverse_proxy http://192.168.0.14:9000
    tls mike.renna@live.com
}
3. The problem I’m having:
External access recently stopped working and I'm at a loss. Only one reverse proxy still works (blueiris.renna.duckdns.org). I get a 502 error in the Caddy logs for most of the others. I've reviewed networking and it appears to be OK (and unchanged). Strangely, while grafana shows a 502 in the Caddy log, Home Assistant (base URL at https://renna.duckdns.org) doesn't show anything in the Caddy terminal when it fails; the browser shows a Home Assistant logo in the center of the display and an error with a retry link, which on click returns a 403: Forbidden. That seems like it's reaching it but failing. This is the most important URL.
If I try the URLs using curl from the host machine, for grafana it doesn't show anything strange to me (see below), but for the base URL it references expired certificates, which I'm not sure how to respond to.
About six months ago, in moving to a new NAS, I inadvertently moved to Caddy 2 and had to update some configurations. Any chance that impacted this? Could it have used the same certs since I did not change the bind mount location? Could that cert have expired and not properly renewed because the Caddy 2 config was goofy? Thank you in advance for any insight.
4. Error messages and/or full log output:
[~] # curl -v https://renna.duckdns.org
* Trying 70.188.225.116:443...
* TCP_NODELAY set
* Connected to renna.duckdns.org (70.188.225.116) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, certificate expired (557):
* SSL certificate problem: certificate has expired
* Closing connection 0
curl: (60) SSL certificate problem: certificate has expired
[~] # curl -v grafana.renna.duckdns.org
* Trying 70.188.225.116:80...
* TCP_NODELAY set
* Connected to grafana.renna.duckdns.org (70.188.225.116) port 80 (#0)
> GET / HTTP/1.1
> Host: grafana.renna.duckdns.org
> User-Agent: curl/7.67.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://grafana.renna.duckdns.org/
< Server: Caddy
< Date: Thu, 30 Dec 2021 15:30:17 GMT
< Content-Length: 0
<
* Closing connection 0
5. What I already tried:
Reading, searching, and config changes to move containers around and validate networking configs.
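The two symptoms in this post (curl error 60 "certificate has expired" on the base name, 502 in the Caddy log for the others) have different causes: the first is the certificate served on the public name, the second is Caddy failing to reach the `reverse_proxy` upstream. The following script is an added diagnostic, not code from the original post or from the Caddy project: it reads the site blocks out of a Caddyfile like the one above, reports the expiry of the certificate actually served on each public name (fetched without validation so an expired one is still readable, then dated by the `openssl` CLI, which is assumed to be installed), and checks whether each upstream accepts a TCP connection. The embedded Caddyfile is a constructed excerpt of the poster's config.

```python
import re
import socket
import ssl
import subprocess
import time

# Constructed excerpt of the poster's Caddyfile, embedded so the parser runs offline.
CADDYFILE = """
renna.duckdns.org {
    reverse_proxy http://192.168.0.14:8123
    tls mike.renna@live.com
}
grafana.renna.duckdns.org {
    reverse_proxy http://192.168.0.14:3000
}
"""

def parse_sites(caddyfile):
    """Map each site block's public name to its reverse_proxy upstream (host, port)."""
    sites, current = {}, None
    for line in caddyfile.splitlines():
        line = line.strip()
        if m := re.match(r"^([\w.-]+)\s*\{$", line):
            current = m.group(1)
        elif current and (m := re.match(r"^reverse_proxy\s+(?:https?://)?([\w.-]+):(\d+)$", line)):
            sites[current] = (m.group(1), int(m.group(2)))
    return sites

def cert_status(not_after, now_ts=None, warn_days=14):
    """Classify an OpenSSL-style notAfter date as expired / renew-soon / ok, with days left."""
    remaining = ssl.cert_time_to_seconds(not_after) - (now_ts if now_ts is not None else time.time())
    days = int(remaining / 86400)  # truncate toward zero; negative means already expired
    return ("expired" if remaining < 0 else "renew-soon" if days < warn_days else "ok"), days

def public_cert_not_after(host, port=443, timeout=5):
    """Fetch the leaf cert without validating it (so an expired one is still readable)
    and have the openssl CLI print its notAfter date."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with socket.create_connection((host, port), timeout) as raw, ctx.wrap_socket(raw, server_hostname=host) as tls:
        pem = ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))
    out = subprocess.run(["openssl", "x509", "-noout", "-enddate"], input=pem, capture_output=True, text=True, check=True)
    return out.stdout.strip().split("=", 1)[1]  # e.g. 'Dec 30 15:30:17 2021 GMT'

def upstream_reachable(host, port, timeout=3):
    """A refused or unanswered TCP connect here is what Caddy surfaces as a 502."""
    try:
        socket.create_connection((host, port), timeout).close()
        return True
    except OSError:
        return False
```

Run it from the NAS with `for name, up in parse_sites(open("/share/Container/caddy2/etc/caddy/Caddyfile").read()).items(): print(name, cert_status(public_cert_not_after(name)), upstream_reachable(*up))`; a site that shows `expired` needs the certificate side fixed, while one whose upstream is unreachable from the container is a networking problem regardless of the certificate.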