1. Caddy version (caddy version): 2.1.1
2. How I run Caddy:
I'm running Caddy in a Docker container.
a. System environment:
Inside the container I'm running debian:buster.
b. Command:
This is the command that should run Caddy:
CMD ["sh", "-c", "chown app:app /data && exec gosu app /usr/local/bin/caddy run -adapter caddyfile -config /etc/Caddyfile"]
c. Service/unit/compose file:
FROM golang:1.14-buster AS caddy-build
WORKDIR /src
RUN echo 'module caddy' > go.mod && \
    echo 'require github.com/caddyserver/caddy/v2 v2.1.1' >> go.mod && \
    echo 'require github.com/mholt/caddy-webdav v0.0.0-20200523051447-bc5d19941ac3' >> go.mod
RUN echo 'package main' > caddy.go && \
    echo 'import caddycmd "github.com/caddyserver/caddy/v2/cmd"' >> caddy.go && \
    echo 'import _ "github.com/caddyserver/caddy/v2/modules/standard"' >> caddy.go && \
    echo 'import _ "github.com/mholt/caddy-webdav"' >> caddy.go && \
    echo 'func main() { caddycmd.Main() }' >> caddy.go
RUN go build -o /bin/caddy .

FROM debian:buster
RUN apt-get update -y && \
    apt-get install -y --no-install-recommends gosu && \
    rm -rf /var/lib/apt/lists
COPY --from=caddy-build /bin/caddy /usr/local/bin/
COPY Caddyfile /etc/
EXPOSE 443
EXPOSE 80
RUN groupadd --gid 1000 app && \
    useradd --home-dir /data --shell /bin/bash --uid 1000 --gid 1000 app && \
    mkdir -p /data
VOLUME /data
WORKDIR /data
CMD ["sh", "-c", "chown app:app /data && exec gosu app /usr/local/bin/caddy run -adapter caddyfile -config /etc/Caddyfile"]
d. My complete Caddyfile or JSON config:
{
acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
email mymail@yahoo.it
}
dockertestgui.ddns.net {
log
reverse_proxy firefox-backend:8080
}
3. The problem I’m having:
I'm trying to use Caddy as a reverse proxy to obtain a TLS connection with the internet for a backend service. The problem is that I can't get the certificate as expected when I run Caddy.
Everything is fine when I work with plain HTTP (if I type http://dockertestgui.ddns.net in the Caddyfile). But now I'm trying to go over HTTPS and all I obtain is "certificate is signed by unknown authority".
4. Error messages and/or full log output:
{"level":"info","ts":1618580366.0595984,"msg":"using provided configuration","config_file":"/etc/Caddyfile","config_adapter":"caddyfile"}
{"level":"info","ts":1618580366.0609994,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
{"level":"info","ts":1618580366.0611317,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1618580366.061146,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1618580366.0612822,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["dockertestgui.ddns.net"]}
{"level":"info","ts":1618580366.0613413,"logger":"tls","msg":"cleaned up storage units"}
2021/04/16 13:39:26 [INFO][cache:0xc0001146c0] Started certificate maintenance routine
{"level":"info","ts":1618580366.0616293,"msg":"autosaved config","file":"/data/.config/caddy/autosave.json"}
{"level":"info","ts":1618580366.0616865,"msg":"serving initial configuration"}
2021/04/16 13:39:26 [INFO][dockertestgui.ddns.net] Obtain certificate; acquiring lock...
2021/04/16 13:39:26 [INFO][FileStorage:/data/.local/share/caddy] Lock for 'cert_acme_dockertestgui.ddns.net_acme-staging-v02.api.letsencrypt.org-directory' is stale (created: 2021-04-16 13:11:42.062232847 +0000 UTC, last update: 2021-04-16 13:20:12.445279156 +0000 UTC); removing then retrying: /data/.local/share/caddy/locks/cert_acme_dockertestgui.ddns.net_acme-staging-v02.api.letsencrypt.org-directory.lock
2021/04/16 13:39:26 [INFO][dockertestgui.ddns.net] Obtain: Lock acquired; proceeding...
2021/04/16 13:39:26 [ERROR] Making new ACME client: get directory at 'https://acme-staging-v02.api.letsencrypt.org/directory': Get "https://acme-staging-v02.api.letsencrypt.org/directory": x509: certificate signed by unknown authority (attempt 1/2)
2021/04/16 13:39:29 [ERROR] Making new ACME client: get directory at 'https://acme-staging-v02.api.letsencrypt.org/directory': Get "https://acme-staging-v02.api.letsencrypt.org/directory": x509: certificate signed by unknown authority (attempt 2/2)
2021/04/16 13:39:29 [ERROR] attempt 1: [dockertestgui.ddns.net] Obtain: get directory at 'https://acme-staging-v02.api.letsencrypt.org/directory': Get "https://acme-staging-v02.api.letsencrypt.org/directory": x509: certificate signed by unknown authority - retrying in 1m0s (2.950648965s/720h0m0s elapsed)...
When I try to curl https://dockertestgui.ddns.net:
*   Trying 95.250.55.133:443...
* Connected to dockertestgui.ddns.net (95.250.55.133) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, internal error (592):
* error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
* Closing connection 0
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
5. What I already tried:
I've already tried to modify the Caddyfile adding ports, protocols, combinations of them, checked my port forwarding rules on my router, looked for an answer everywhere, but I can't find a solution.
When I explored the directory of the container I noticed that in the folder .caddy there was no certificate, no file at all. I read that they should be there.
6. Links to relevant resources:
none
I'm really sorry if I made some mistake in posting the info. I'm a newbie both in Caddy and Docker.
Tell me if I can post more information that you need.