Cant get https certificates (caddy as reverse proxy)

1. Caddy version (caddy version): 2.1.1

2. How I run Caddy:

I’m running caddy in a docker container.

a. System environment:

Inside the container i’m running Debian:buster

b. Command:

this is the command that should run caddy
CMD ["sh", "-c", "chown app:app /data && exec gosu app /usr/local/bin/caddy run -adapter caddyfile -config /etc/Caddyfile"]

c. Service/unit/compose file:

FROM golang:1.14-buster AS caddy-build
WORKDIR /src
RUN echo 'module caddy' > go.mod && \
    echo 'require github.com/caddyserver/caddy/v2 v2.1.1' >> go.mod && \
    echo 'require github.com/mholt/caddy-webdav v0.0.0-20200523051447-bc5d19941ac3' >> go.mod
RUN echo 'package main' > caddy.go && \
    echo 'import caddycmd "github.com/caddyserver/caddy/v2/cmd"' >> caddy.go && \
    echo 'import _ "github.com/caddyserver/caddy/v2/modules/standard"' >> caddy.go && \
    echo 'import _ "github.com/mholt/caddy-webdav"' >> caddy.go && \
    echo 'func main() { caddycmd.Main() }' >> caddy.go
RUN go build -o /bin/caddy .

FROM debian:buster

RUN apt-get update -y && \
    apt-get install -y --no-install-recommends gosu && \
    rm -rf /var/lib/apt/lists

COPY --from=caddy-build /bin/caddy /usr/local/bin/
COPY Caddyfile /etc/
EXPOSE 443
EXPOSE 80



RUN groupadd --gid 1000 app && \
    useradd --home-dir /data --shell /bin/bash --uid 1000 --gid 1000 app && \
    mkdir -p /data
VOLUME /data

WORKDIR /data
CMD ["sh", "-c", "chown app:app /data && exec gosu app /usr/local/bin/caddy run -adapter caddyfile -config /etc/Caddyfile"]

d. My complete Caddyfile or JSON config:

{
	acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
	email mymail@yahoo.it
}

dockertestgui.ddns.net {

    log
    reverse_proxy firefox-backend:8080

}


3. The problem I’m having:

I’m trying to use Caddy as reverse proxy to obtain a TLS connection with internet for a backend service. The problem is that i can’t get the certificate as expected when i run caddy.
Everything is fine when i work with normal http (if i type in the caddyfile http://dockertestgui.ddns.net). But now i’m tryng to go over https and all i obtain is that “certificate is signed by unknown authority”.

4. Error messages and/or full log output:

{“level”:“info”,“ts”:1618580366.0595984,“msg”:“using provided configuration”,“config_file”:"/etc/Caddyfile",“config_adapter”:“caddyfile”}
{“level”:“info”,“ts”:1618580366.0609994,“logger”:“admin”,“msg”:“admin endpoint started”,“address”:“tcp/localhost:2019”,“enforce_origin”:false,“origins”:[“localhost:2019”,"[::1]:2019",“127.0.0.1:2019”]}
{“level”:“info”,“ts”:1618580366.0611317,“logger”:“http”,“msg”:“server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS”,“server_name”:“srv0”,“https_port”:443}
{“level”:“info”,“ts”:1618580366.061146,“logger”:“http”,“msg”:“enabling automatic HTTP->HTTPS redirects”,“server_name”:“srv0”}
{“level”:“info”,“ts”:1618580366.0612822,“logger”:“http”,“msg”:“enabling automatic TLS certificate management”,“domains”:[“dockertestgui.ddns.net”]}
{“level”:“info”,“ts”:1618580366.0613413,“logger”:“tls”,“msg”:“cleaned up storage units”}
2021/04/16 13:39:26 [INFO][cache:0xc0001146c0] Started certificate maintenance routine
{“level”:“info”,“ts”:1618580366.0616293,“msg”:“autosaved config”,“file”:"/data/.config/caddy/autosave.json"}
{“level”:“info”,“ts”:1618580366.0616865,“msg”:“serving initial configuration”}
2021/04/16 13:39:26 [INFO][dockertestgui.ddns.net] Obtain certificate; acquiring lock…
2021/04/16 13:39:26 [INFO][FileStorage:/data/.local/share/caddy] Lock for ‘cert_acme_dockertestgui.ddns.net_acme-staging-v02.api.letsencrypt.org-directory’ is stale (created: 2021-04-16 13:11:42.062232847 +0000 UTC, last update: 2021-04-16 13:20:12.445279156 +0000 UTC); removing then retrying: /data/.local/share/caddy/locks/cert_acme_dockertestgui.ddns.net_acme-staging-v02.api.letsencrypt.org-directory.lock
2021/04/16 13:39:26 [INFO][dockertestgui.ddns.net] Obtain: Lock acquired; proceeding…
2021/04/16 13:39:26 [ERROR] Making new ACME client: get directory at ‘https://acme-staging-v02.api.letsencrypt.org/directory’: Get “https://acme-staging-v02.api.letsencrypt.org/directory”: x509: certificate signed by unknown authority (attempt 1/2)
2021/04/16 13:39:29 [ERROR] Making new ACME client: get directory at ‘https://acme-staging-v02.api.letsencrypt.org/directory’: Get “https://acme-staging-v02.api.letsencrypt.org/directory”: x509: certificate signed by unknown authority (attempt 2/2)
2021/04/16 13:39:29 [ERROR] attempt 1: [dockertestgui.ddns.net] Obtain: get directory at ‘https://acme-staging-v02.api.letsencrypt.org/directory’: Get “https://acme-staging-v02.api.letsencrypt.org/directory”: x509: certificate signed by unknown authority - retrying in 1m0s (2.950648965s/720h0m0s elapsed)…

When i try to curl https://dockertestgui.ddns.net

  • Trying 95.250.55.133:443…
  • Connected to dockertestgui.ddns.net (95.250.55.133) port 443 (#0)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • successfully set certificate verify locations:
  • CAfile: /etc/ssl/certs/ca-certificates.crt
  • CApath: /etc/ssl/certs
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • TLSv1.3 (IN), TLS alert, internal error (592):
  • error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
  • Closing connection 0
    curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

5. What I already tried:

I’ve already tried to modify the caddyfile adding ports, protocols, combo of them, checked my port worwarding rules on my router, looked for an answer everywhere but i cant find a solution.

When i explored the directory of the container i noticed that in the folder .caddy there was no certificate, no file at all. I read that they should be there

6. Links to relevant resources:

none

I’m really sorry if i made some mistake in posting the info. I’m a newbie both in caddy and docker.
Tell me if i can post more information that you need

Please upgrade to at least v2.3.0! You’re using a pretty old version.

You don’t need to build this way, there’s a caddy-builder image variant you can use which simplifies it significantly. See on Docker Hub the “Adding custom Caddy modules” section.

I think your container is missing CA certificates. This won’t be a problem if you rebuild with the official image.

2 Likes

You are simply AWESOME.

Your tips did the magic. Thank you and to all the guys who mantain the documentation.

Last thing. I’d be glad if i can obscure in my former post the domain and the ip. Is that possible?

Still thank you all

2 Likes

You can edit your posts (but edit histories are still visible).

This topic was automatically closed after 30 days. New replies are no longer allowed.