Caddy2 with DNS challenge and Namecheap in Docker

1. Caddy version (caddy version):

Caddy 2.1 Docker with DNS challenge namecheap

2. How I run Caddy:

Here is my Dockerfile:

||FROM caddy:builder AS builder|
| --- | --- |
|||
||RUN caddy-builder \|
||github.com/caddy-dns/lego-deprecated|
|||
||FROM caddy:latest|
|||
||COPY --from=builder /usr/bin/caddy /usr/bin/caddy|

environment:

Docker as per above dockerfile and compose etc.
I suspect I may not need the ports?

b. Command:

docker-compose up caddy2

c. Service/unit/compose file:

Here is my docker-compose

version: '3.8'
services:
  caddy2:
    container_name: caddy2
    restart: unless-stopped
    image: davidfw1960/caddy2-lego-deprecated
    volumes:
      - /home/docker/caddy2/caddy_config:/config
      - /home/docker/caddy2/caddy_data:/data
      - /home/docker/caddy2/Caddyfile:/usr/share/hassio/share/caddy
    environment:
      - PGID=1000
      - PUID=1000
      - TZ=Australia/Sydney
      - NAMECHEAP_API_USER=xxxx
      - NAMECHEAP_API_KEY=xxxx
    ports:
      - "80:80"
      - "443:443"

d. My complete Caddyfile or JSON config:

Here is my Caddyfile

{   email david@wilfam.net
}
rebuild2.win:30443 {
    tls {
            dns lego_deprecated namecheap
        }
    header / {
    Strict-Transport-Security "max-age=31536000; includeSubdomains"
    X-XSS-Protection "1; mode=block"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "SAMEORIGIN"
    Referrer-Policy "same-origin"
    -Server
}
    reverse_proxy / localhost:8123 {
    }
}
proxmox.rebuild2.win:30443 {
    tls {
            dns lego_deprecated namecheap
        }
    header / {
    Strict-Transport-Security "max-age=31536000; includeSubdomains"
    X-XSS-Protection "1; mode=block"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "SAMEORIGIN"
    Referrer-Policy "same-origin"
    -Server
}
    reverse_proxy / 10.90.11.150:8006 {
    }
}


### 3. The problem I'm having:
<!-- What are you trying to do, and what isn't working? Please describe the issue thoroughly enough so that anyone can reproduce the exact behavior you're seeing. Be as specific as possible. -->
It just hangs. It's not trying to get certificates


### 4. Error messages and/or full log output:
<!-- Please **DO NOT REDACT** any information except credentials. -->

david@debian-pm:~$ docker-compose up caddy2
Creating caddy2 … done
Attaching to caddy2
caddy2 | {“level”:“info”,“ts”:1593232838.3610024,“msg”:“using provided configuration”,“config_file”:"/etc/caddy/Caddyfile",“config_adapter”:“caddyfile”}
caddy2 | {“level”:“info”,“ts”:1593232838.362422,“logger”:“admin”,“msg”:“admin endpoint started”,“address”:“tcp/localhost:2019”,“enforce_origin”:false,“origins”:[“localhost:2019”,"[::1]:2019",“127.0.0.1:2019”]}
caddy2 | {“level”:“info”,“ts”:1593232838.3631501,“logger”:“http”,“msg”:“server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server”,“server_name”:“srv0”,“http_port”:80}
caddy2 | {“level”:“info”,“ts”:1593232838.3634052,“logger”:“tls”,“msg”:“cleaned up storage units”}
caddy2 | 2020/06/27 04:40:38 [INFO][cache:0xc00083c460] Started certificate maintenance routine
caddy2 | {“level”:“info”,“ts”:1593232838.364195,“msg”:“autosaved config”,“file”:"/config/caddy/autosave.json"}
caddy2 | {“level”:“info”,“ts”:1593232838.364431,“msg”:“serving initial configuration”}

### 5. What I already tried:
<!-- Show us what effort you've put in to solving the problem. Be specific -- people are volunteering their time to help you! Low effort posts are not likely to get good answers! -->



### 6. Links to relevant resources:

The caddy container is actually being created. But no certs so I can't access it.....

This is wrong, the Caddyfile location used by default is /etc/caddy/Caddyfile unless you change the command (which you don’t appear to in your docker-compose file).

Please use the caddy fmt command to clean up your Caddyfile, the syntax is all over the place and messy.

Also, in Caddy v2, path matching is exact-match, so your / matchers will only match requests to / and nothing else. You can omit the / in your directives such as reverse_proxy and header to match all requests instead.

It also doesn’t make sense to listen on port 30443 in your Caddyfile, since your container has port 443 mapped to the host machine.

ok. I fixed the Caddyfile Location
here is the new log:

david@debian-pm:~$ docker-compose up caddy2
caddy2 is up-to-date
Attaching to caddy2
caddy2           | {"level":"info","ts":1593235814.4512703,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
caddy2           | {"level":"info","ts":1593235814.4530365,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["[::1]:2019","127.0.0.1:2019","localhost:2019"]}
caddy2           | {"level":"info","ts":1593235814.45324,"logger":"http","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv0","http_port":80}
caddy2           | {"level":"info","ts":1593235814.453365,"logger":"tls","msg":"cleaned up storage units"}
caddy2           | 2020/06/27 05:30:14 [INFO][cache:0xc0006e9540] Started certificate maintenance routine
caddy2           | {"level":"info","ts":1593235814.454209,"msg":"autosaved config","file":"/config/caddy/autosave.json"}
caddy2           | {"level":"info","ts":1593235814.454234,"msg":"serving initial configuration"}

I also removed all port mappings.
With Caddy this worked perfectly. I only have port 30443 opened and that syntax worked before.
Here is my latest Caddyfile

}
rebuild2.win:30443 {
    tls {
            dns lego_deprecated namecheap
        }
    header {
    Strict-Transport-Security "max-age=31536000; includeSubdomains"
    X-XSS-Protection "1; mode=block"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "SAMEORIGIN"
    Referrer-Policy "same-origin"
}
    reverse_proxy localhost:8123 {
    }
}
proxmox.rebuild2.win:30443 {
    tls {
            dns lego_deprecated namecheap
        }
    header {
    Strict-Transport-Security "max-age=31536000; includeSubdomains"
    X-XSS-Protection "1; mode=block"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "SAMEORIGIN"
    Referrer-Policy "same-origin"
}
    reverse_proxy 10.90.11.150:8006 {
    }
}

I ran it through caddy fmt as suggested. I removed the /

Are you sure you pasted the right thing? You Caddyfile looks the same to me.

Should look like this:

{
	email david@wilfam.net
}

rebuild2.win {
	tls {
		dns lego_deprecated namecheap
	}
	header {
		Strict-Transport-Security "max-age=31536000; includeSubdomains"
		X-XSS-Protection "1; mode=block"
		X-Content-Type-Options "nosniff"
		X-Frame-Options "SAMEORIGIN"
		Referrer-Policy "same-origin"
		-Server
	}
	reverse_proxy localhost:8123
}

proxmox.rebuild2.win {
	tls {
		dns lego_deprecated namecheap
	}
	header {
		Strict-Transport-Security "max-age=31536000; includeSubdomains"
		X-XSS-Protection "1; mode=block"
		X-Content-Type-Options "nosniff"
		X-Frame-Options "SAMEORIGIN"
		Referrer-Policy "same-origin"
		-Server
	}
	reverse_proxy 10.90.11.150:8006
}

yeah I have no clue what happened there… I did just fix it…

This line seems to be the relevant error…
caddy2 | {“level”:“info”,“ts”:1593237926.307782,“logger”:“http”,“msg”:“server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server”,“server_name”:“srv0”,“http_port”:80}

It’s not even trying to get certificates

It’s clearly not using your Caddyfile. Did you fix your docker-compose volume?

  caddy2:
    container_name: caddy2
    restart: unless-stopped
    image: davidfw1960/caddy2-lego-deprecated
    volumes:
      - /home/docker/caddy2/caddy_config:/config
      - /home/docker/caddy2/caddy_data:/data
      - $PWD/Caddyfile:/usr/share/hassio/share/caddy
    environment:
      - PGID=1000
      - PUID=1000
      - TZ=Australia/Sydney
      - NAMECHEAP_API_USER=xxxx
      - NAMECHEAP_API_KEY=xxxx   
  ports:
      - "30443:443"

david@debian-pm:~$ sudo nano docker-compose.yml
david@debian-pm:~$ ls /usr/share/hassio/share/caddy
caddy  Caddyfile
david@debian-pm:~$

Oh… the caddy is a binary for 2.1 I compiled from source when I was using a different plugin from someone else.

You misunderstood. This won’t work. The default command for the Caddy docker image uses /etc/caddy/Caddyfile as the config location, not /usr/share/hassio/share/caddy. You’re running Caddy with its default config rather than overriding it with your own.

So how can I make it use /usr/share/hassio/share/caddy?
How do I need to change my caddyfile?

Doesn’t this here… - $PWD/Caddyfile:/usr/share/hassio/share/caddy tell Caddy where to find the Caddyfile?

oh shit! I think it needs to be - $PWD/Caddyfile:/usr/share/hassio/share/caddy/Caddyfile

OK I moved the Caddyfile to /etc/caddy/Caddyfile

      - $PWD/Caddyfile:/etc/caddy/Caddyfile

Errors:

ERROR: for caddy2  Cannot start service caddy2: OCI runtime create failed: container_linux.go:349: starting container process caused "process_linux.go:449: container init caused \"rootfs_linux.go:58: mounting \\\"/home/david/Caddyfile\\\" to rootfs \\\"/var/lib/docker/overlay2/9960d072e4edcdf519024b1b93be25b4107ed6ee929af4abb9aa6299aa7c8fb1/merged\\\" at \\\"/var/lib/docker/overlay2/9960d072e4edcdf519024b1b93be25b4107ed6ee929af4abb9aa6299aa7c8fb1/merged/etc/caddy/Caddyfile\\\" caused \\\"not a directory\\\"\"": unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type

ERROR: for caddy2  Cannot start service caddy2: OCI runtime create failed: container_linux.go:349: starting container process caused "process_linux.go:449: container init caused \"rootfs_linux.go:58: mounting \\\"/home/david/Caddyfile\\\" to rootfs \\\"/var/lib/docker/overlay2/9960d072e4edcdf519024b1b93be25b4107ed6ee929af4abb9aa6299aa7c8fb1/merged\\\" at \\\"/var/lib/docker/overlay2/9960d072e4edcdf519024b1b93be25b4107ed6ee929af4abb9aa6299aa7c8fb1/merged/etc/caddy/Caddyfile\\\" caused \\\"not a directory\\\"\"": unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type
ERROR: Encountered errors while bringing up the project.

$PWD/Caddyfile must not be a file that exists on your host machine then. If you’re saying your Caddyfile is on your host machine at /usr/share/hassio/share/caddy/Caddyfile, then you should mount it like this:

- /usr/share/hassio/share/caddy/Caddyfile:/etc/caddy/Caddyfile

The part to the right of the : is the path inside the container, the part to the left of the : is the path on the host machine.

ok… same error I was getting with someone else’s docker build

caddy2           |  (challenge=dns-01 remaining=[])
caddy2           | 2020/06/27 07:14:03 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5503652801
caddy2           | 2020/06/27 07:14:04 [ERROR] error: one or more domains had a problem:
caddy2           | [proxmox.rebuild2.win] time limit exceeded: last error: NS dns1.registrar-servers.com. did not return the expected TXT record [fqdn: rebuild2.win., value: IbtqTJIcipGMTYBRgSji4CnadPmapWUgm8nZjWUNnWY]:
caddy2           |  (challenge=dns-01 remaining=[])
caddy2           | 2020/06/27 07:14:05 [ERROR] attempt 1: [rebuild2.win] Obtain: [rebuild2.win] error: one or more domains had a problem:
caddy2           | [rebuild2.win] time limit exceeded: last error: NS dns1.registrar-servers.com. did not return the expected TXT record [fqdn: rebuild2.win., value: YTkyfMgA4hKDrH5WfF3WbsYRMFZclUq2vbgUVmddp4Y]:
caddy2           |  - retrying in 1m0s (1m20.026219937s/720h0m0s elapsed)...
caddy2           | 2020/06/27 07:14:06 [ERROR] attempt 1: [proxmox.rebuild2.win] Obtain: [proxmox.rebuild2.win] error: one or more domains had a problem:
caddy2           | [proxmox.rebuild2.win] time limit exceeded: last error: NS dns1.registrar-servers.com. did not return the expected TXT record [fqdn: rebuild2.win., value: IbtqTJIcipGMTYBRgSji4CnadPmapWUgm8nZjWUNnWY]:
caddy2           |  - retrying in 1m0s (1m20.374319983s/720h0m0s elapsed)...

I do see the txt record at namecheap as well

This topic was automatically closed after 30 days. New replies are no longer allowed.