Caddyfile Tutorial fails - how do I access caddy by a hostname (not localhost)

1. Caddy version (caddy version):

v2.3.0 h1:fnrqJLa3G5vfxcxmOH/+kJOcunPLhSBnjgIvjXV/QTA=

2. How I run Caddy:

I used docker-compose.

a. System environment:

:arrow_forward: uname -a
Linux ubuntu 5.4.0-66-generic #74-Ubuntu SMP Wed Jan 27 22:54:38 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

:arrow_forward: docker -v
Docker version 20.10.3, build 48d30b5

:arrow_forward: docker-compose -v
docker-compose version 1.28.4, build cabd5cfb

b. Command:

# inside the container
/app # curl https://localhost
Hello, world!
/app # 
# on the host
/caddy $ curl https://localhost
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

/caddy $ 

c. Service/unit/compose file:

version: "3"
services:
  caddy:
    image: caddy
    volumes:
      - ./caddy:/app
    tty: true
    network_mode: host
    working_dir: /app
    command: ash -c "caddy run --watch"

d. My complete Caddyfile or JSON config:

# Caddyfile

localhost

respond "Hello, world!"

3. The problem I’m having:

  1. Accessing to https://localhost from container seems to be working.
  2. Accessing to the same from the host seems to fail even with this option network_mode: host.
  3. Accessing to https://hostname through a browser also fails with ERR_SSL_PROTOCOL_ERROR.
  4. On the tutorial, it says it will ask for a password, but it doesn’t.

Caddyfile Tutorial — Caddy Documentation
The first time, you’ll be asked for your password. This is so Caddy can serve your site over HTTPS.

I simply want to use Caddy to develop a server like this below.

ANY CLIENTS in LAN → HTTPS → HOST (docker) → Caddy container → reverse proxy to other containers

It seems that only accessing Caddy from the localhost (container) is getting granted to respond correctly.

4. Error messages and/or full log output:

Attaching to caddy_caddy_1
caddy_1  | 2021/05/02 07:58:47.837      INFO    using adjacent Caddyfile
caddy_1  | 2021/05/02 07:58:47.838      INFO    admin   admin endpoint started  {"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["localhost:2019", "[::1]:2019", "127.0.0.1:2019"]}
caddy_1  | 2021/05/02 07:58:47.839      INFO    http    server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS       {"server_name": "srv0", "https_port": 443}
caddy_1  | 2021/05/02 07:58:47.839      INFO    http    enabling automatic HTTP->HTTPS redirects     {"server_name": "srv0"}
caddy_1  | 2021/05/02 07:58:47.839      INFO    tls.cache.maintenance   started background certificate maintenance    {"cache": "0xc000366bd0"}
caddy_1  | 2021/05/02 07:58:47.872      INFO    pki.ca.local    root certificate is already trusted by system {"path": "storage:pki/authorities/local/root.crt"}
caddy_1  | 2021/05/02 07:58:47.872      INFO    http    enabling automatic TLS certificate management{"domains": ["localhost"]}
caddy_1  | 2021/05/02 07:58:47.873      WARN    tls     stapling OCSP   {"error": "no OCSP stapling for [localhost]: no OCSP server specified in certificate"}
caddy_1  | 2021/05/02 07:58:47.873      INFO    autosaved config        {"file": "/config/caddy/autosave.json"}
caddy_1  | 2021/05/02 07:58:47.873      INFO    serving initial configuration
caddy_1  | 2021/05/02 07:58:47.873      INFO    watcher watching config file for changes        {"config_file": "Caddyfile"}
caddy_1  | 2021/05/02 07:58:47.874      INFO    tls     cleaned up storage units

5. What I already tried:

I changed localhost to its hostname, but then Caddy started to fetching certificates? from let’s encrypt or something and it was giving errors.

caddy_1  | 2021/05/02 08:03:41.863      ERROR   tls.obtain      will retry      {"error": "[ubuntu] Obtain: [ubuntu] creating new order: request to https://acme.zerossl.com/v2/DV90/newOrder failed after 1 attempts: HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [ubuntu] (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 1, "retrying_in": 60, "elapsed": 3.040546303, "max_duration": 2592000}

6. Links to relevant resources:

The guide assumes that you’re running Caddy outside of Docker, on the host machine. When using the local CA to issue certificates (e.g. for localhost which is not a valid public domain), Caddy will attempt to install the root CA certificate to the system’s trust store. Since you’re in the Docker container, Caddy can’t do that because it’s isolated from the host (it actually installed the root certificate in the container’s trust store, which is why it works if you get a shell into the container), so you’d need to do that yourself.

You’re missing a volume for /data as mentioned on Docker Hub, which is necessary to persist certificates that Caddy issues, and would make it possible to manually grab the root CA cert. It’ll be found in the container at /data/pki/authorities/local/root.crt. See the docs about Local HTTPS:

2 Likes

This topic was automatically closed after 30 days. New replies are no longer allowed.