Cannot start Caddy via Docker

1. Output of caddy version:


2. How I run Caddy:

sudo docker run -d -p 80:80 -p 443:443 --name caddy -v /etc/Caddyfile:/etc/caddy/Caddyfile -v /etc/caddy:/root/.local/share/caddy --restart on-failure caddy:2

a. System environment:

WSL2 with Ubuntu20.4
Docker Desktop

b. Command:

sudo docker run  -d -p 80:80 -p 443:443 --name caddy -v /etc/Caddyfile:/etc/caddy/Caddyfile -v /etc/caddy:/root/.local/share/caddy --restart on-failure caddy:2

c. Service/unit/compose file:

Paste full file contents here.
Make sure backticks stay on their own lines,
and the post looks nice in the preview pane. -->

d. My complete Caddy config:

`` {
encode gzip

The negotiation endpoint is also proxied to Rocket

reverse_proxy /notifications/hub/negotiate

Notifications redirected to the websockets server

reverse_proxy /notifications/hub

Send all other traffic to the regular Vaultwarden endpoint


Paste your config here, replacing this text.
Use caddy fmt to make it readable.
DO NOT REDACT anything except credentials.
Make sure the backticks stay on their own lines.

The Caddyfile resides at /etc and etc/caddy/

### 3. The problem I'm having:
<!-- What are you trying to do, and what isn't working? Please describe the issue thoroughly enough so that anyone can reproduce the exact behavior you're seeing. Be as specific as possible. DO NOT USE WEB BROWSERS; use "curl -v" instead. -->

Caddy container was created but failed to start

### 4. Error messages and/or full log output:
    Please DO NOT REDACT any information except credentials. Leave domain names intact!
    Please DO NOT POST TRUNCATED LOG LINES as systemd is notorious for this.
    Please USE THIS COMMAND TO VIEW LOGS with systemd:
        $ journalctl -u caddy --no-pager | less +G`
    Please DO NOT USE WEB BROWSERS. Use `curl -v` instead.
    Please ENABLE DEBUG MODE FIRST by adding "debug" to the global options of your Caddyfile.
docker: Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "/run/desktop/mnt/host/wsl/docker-desktop-bind-mounts/Ubuntu-20.04/641d0cc536e6a36b2d065081e4109cffb48a2a3427f15e2c0be7cb25a6934b25" to rootfs at "/etc/caddy/Caddyfile": mount /run/desktop/mnt/host/wsl/docker-desktop-bind-mounts/Ubuntu-20.04/641d0cc536e6a36b2d065081e4109cffb48a2a3427f15e2c0be7cb25a6934b25:/etc/caddy/Caddyfile (via /proc/self/fd/14), flags: 0x5000: not a directory: unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type.

Paste logs/commands/output here.

### 5. What I already tried:
<!-- Show us what effort you've put in to solving the problem. Be specific -- people are volunteering their time to help you! Low effort posts are not likely to get good answers! -->

### 6. Links to relevant resources:

I did not fill out the resources that I have used. I was installing Docker Vaultwarden …and referring to section Configure Caddy as Reverse Proxy…

How to Self-Host the vaultwarden Password Manager | Linode -

1 Like

I have solved this problem. It was due to an existing /etc/Caddyfile as an directory. The Caddy container now started OK.

However, I cannot reach this url https// but can reach OK

What did I do wrong?

Please post your Caddyfile config to further examine your issue
Example: {
    root * /usr/local/www

One wild guess is you instruct Caddy to use HTTP. You CANNOT reach HTTPS if you do the following: {
} {

Cheers {
	encode gzip

	# The negotiation endpoint is also proxied to Rocket
	reverse_proxy /notifications/hub/negotiate

	# Notifications redirected to the websockets server
	reverse_proxy /notifications/hub

	# Send all other traffic to the regular Vaultwarden endpoint

Also tried …
reverse_proxy which is local address where vaultwarden resides

you reverse_proxy to ??
can you even ping it ?

I was following installation instructions from various source. However, I have tried the following without success. …
reverse_proxy localhost:8008
reverse_proxy :8008

If your Vaultwarden server IP address is
and if you can access it through HTTP , example
then {
    reverse_proxy *

if you can only access through HTTPS , example
then {
    reverse_proxy * {
        header_up Host {http.reverse_proxy.upstream.hostport}
        transport http {
1 Like

My case is of the first option. I applied it to Caddyfile, restarted the Caddy container and it still timed out for

Below is the info from the log …
2023-01-01 17:15:22 {“level”:“error”,“ts”:1672611322.5395856,“logger”:“http.acme_client”,“msg”:“validating authorization”,“identifier”:“”,“problem”:{“type”:“urn:ietf:params:acme:error:connection”,“title”:“”,“detail”:“ Timeout during connect (likely firewall problem)”,“instance”:“”,“subproblems”:[]},“order”:“",“attempt”:1,"max_attempts”:3}
2023-01-01 17:15:23 {“level”:“info”,“ts”:1672611323.813485,“logger”:“http.acme_client”,“msg”:“trying to solve challenge”,“identifier”:“”,“challenge_type”:“http-01”,“ca”:“”}
2023-01-01 17:15:34 {“level”:“error”,“ts”:1672611334.1061301,“logger”:“http.acme_client”,“msg”:“challenge failed”,“identifier”:“”,“challenge_type”:“http-01”,“problem”:{“type”:“urn:ietf:params:acme:error:connection”,“title”:“”,“detail”:“ Fetching Timeout during connect (likely firewall problem)”,“instance”:“”,“subproblems”:[]}}
2023-01-01 17:15:34 {“level”:“error”,“ts”:1672611334.1063597,“logger”:“http.acme_client”,“msg”:“validating authorization”,“identifier”:“”,“problem”:{“type”:“urn:ietf:params:acme:error:connection”,“title”:“”,“detail”:“ Fetching Timeout during connect (likely firewall problem)”,“instance”:“”,“subproblems”:[]},“order”:“",“attempt”:2,"max_attempts”:3}
2023-01-01 17:15:34 {“level”:“error”,“ts”:1672611334.1078453,“logger”:“tls.obtain”,“msg”:“could not get certificate from issuer”,“identifier”:“”,“issuer”:“”,“error”:“HTTP 400 urn:ietf:params:acme:error:connection - Fetching Timeout during connect (likely firewall problem)”}

A firewall problem? from WSL2? if so how to correct it?

(Thank you for helping, @gyfer!)

Usually a firewall problem means that a router or firewall is misconfigured and is not allowing the connection on port 80 or port 443 through to Caddy.

1 Like

Do you see any problem below …
To Action From

80/tcp ALLOW IN Anywhere
443/tcp ALLOW IN Anywhere
22/tcp (OpenSSH) ALLOW IN Anywhere
443/tcp ALLOW IN
80/tcp (v6) ALLOW IN Anywhere (v6)
443/tcp (v6) ALLOW IN Anywhere (v6)
22/tcp (OpenSSH (v6)) ALLOW IN Anywhere (v6)

If your Vaultwarden server IP address is, your firewall settings for PORT 80 and 443 should forward it to your Caddy IP (not , and let Caddy do it’s reverse_proxy task.

You should accept ALL connection FROM WAN side for 80/tcp, 443/tcp, 80/tcp(v6), 443/tcp(v6) to your Caddy server / service. I am not sure and not comfortable with “ALLOW IN Anywhere”

I just saw your are using WSL2. I now understand why you are sturggling.
WSL2 networks are all isolated by default. You have to open up and port the port manually, as mentioned here in Microsoft documentation ( Comparing WSL Versions | Microsoft Learn )

I went thought the same issue when I trying to run chia-blockchain through WSL2.
Here is some info : WSL Port Forwarding - DEV Community 👩‍💻👨‍💻
Script here : GitHub - snowphone/WSL2-port-forwarding-guide: Forwards Windows ports into WSL2 at startup (without logging-in)

This person show a quick but less secure way.

Hope above help.

1 Like

Thank you for pointing to me this great resource about WSL port forwarding need. However, I have applied this but the problem remained. I have no experience about Caddy and according to the log Caddy has encountered issues related to validating authorization timeout, or various challenge failures, could not get certificate from issuer

I have tried another way: manually obtaining the SSL certificate via for DSN and specified it in Caddyfile as below … {
encode gzip
tls internal {$HOME/} {$H> reverse_proxy *


now there is no error in the Caddy log but I still could not access vaultwarden by HTTPS …timeout still

Wonder if you can detect any error here

We need to rule out other possibilities to understand what is the problem.
Let’s put caddy config aside, let’s start with something basic. {
    tls internal
    respond "Hello World!"

Apply above caddy config, can you access the page from host computer ?
How about other device at local network ?
If not, are you able to Ping it ?
What happen if you try to access and the host IP in local network ?
When you ping , what IP do you get ?
Is it same as your public IP which you able to find out and obtain here

I ran Caddy with your suggested ‘something basic’ I can access vaultwarden using localhost:8080 or or (i.e. no HTPPS) from another PC on the LAN. Pinging does return the public IP address as set by ISP

localhost:443 or resulted in “Client sent an HTTP request to an HTTPS server.” resulted in

The connection for this site is not secure.

https://x.x.x.x is standard on 443 port, you only need to specify if other than 443.
same goes to http://x.x.x.x:80
hence, vaultwarden is at hostip:8080 , with HTTP protocol., in your case

Because you are using locally issue certificate, your browser will prompt ERR_CERT_AUTH_INVALID “Certificate Invalid” when you try to access it. You can click proceed to continue

If you are getting ERR_SSL_PROTOCOL_ERROR , something is fishy here. We need to check to make sure it come from the Caddy Docker , not other service.

Try to do curl --insecure https://localhost -v , and curl http://localhost:8080 -v

And proper curl response will something like below

zung@Dzungabc:/etc$ curl --insecure https://localhost -v

  • Trying…
  • Connected to localhost ( port 443 (#0)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • successfully set certificate verify locations:
  • CAfile: /etc/ssl/certs/ca-certificates.crt
    CApath: /etc/ssl/certs
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • TLSv1.3 (IN), TLS alert, internal error (592):
  • error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
  • Closing connection 0
    curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

zung@Dzungabc:/etc$ curl http://localhost:8080 -v

  • Trying…
  • Connected to localhost ( port 8080 (#0)

GET / HTTP/1.1
Host: localhost:8080
User-Agent: curl/7.68.0
Accept: /

  • Mark bundle as not supporting multiuse
    < HTTP/1.1 200 OK
    < content-type: text/html; charset=utf-8
    < cache-control: public, max-age=600
    < expires: Fri, 06 Jan 2023 14:42:33 GMT
    < server: Rocket
    < x-frame-options: SAMEORIGIN
    < x-content-type-options: nosniff
    < permissions-policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()
    < referrer-policy: same-origin
    < x-xss-protection: 0
    < content-security-policy: default-src ‘self’; base-uri ‘self’; form-action ‘self’; object-src ‘self’ blob:; script-src ‘self’; style-src ‘self’ ‘unsafe-inline’; child-src ‘self’; frame-src ‘self’; frame-ancestors ‘self’ chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://* ; img-src ‘self’ data: ; connect-src ‘self’ ;
    < content-length: 1240
    < date: Fri, 06 Jan 2023 14:32:33 GMT
    <!doctype html>Vaultwarden Web Vault

by the way port forwarding as seen below …

PS C:\Users\user1> netsh interface portproxy show v4tov4

Listen on ipv4: Connect to ipv4:

Address Port Address Port 80 80 443 443 8080 8080 8443 8443