Can't get HTTPS certificates (Caddy as reverse proxy)

1. Caddy version (caddy version): 2.1.1

2. How I run Caddy:

I'm running Caddy in a Docker container.

a. System environment:

Inside the container I'm running Debian buster.

b. Command:

This is the command that should run Caddy:
CMD ["sh", "-c", "chown app:app /data && exec gosu app /usr/local/bin/caddy run -adapter caddyfile -config /etc/Caddyfile"]

c. Service/unit/compose file:

FROM golang:1.14-buster AS caddy-build
RUN echo 'module caddy' > go.mod && \
    echo 'require v2.1.1' >> go.mod && \
    echo 'require v0.0.0-20200523051447-bc5d19941ac3' >> go.mod
RUN echo 'package main' > caddy.go && \
    echo 'import caddycmd ""' >> caddy.go && \
    echo 'import _ ""' >> caddy.go && \
    echo 'import _ ""' >> caddy.go && \
    echo 'func main() { caddycmd.Main() }' >> caddy.go
RUN go build -o /bin/caddy .

FROM debian:buster

RUN apt-get update -y && \
    apt-get install -y --no-install-recommends gosu && \
    rm -rf /var/lib/apt/lists

COPY --from=caddy-build /bin/caddy /usr/local/bin/
COPY Caddyfile /etc/

RUN groupadd --gid 1000 app && \
    useradd --home-dir /data --shell /bin/bash --uid 1000 --gid 1000 app && \
    mkdir -p /data
VOLUME /data

CMD ["sh", "-c", "chown app:app /data && exec gosu app /usr/local/bin/caddy run -adapter caddyfile -config /etc/Caddyfile"]

d. My complete Caddyfile or JSON config:

[domain redacted] {

    reverse_proxy firefox-backend:8080

}

3. The problem I’m having:

I'm trying to use Caddy as a reverse proxy to obtain a TLS connection to the internet for a backend service. The problem is that I can't get the certificate as expected when I run Caddy.
Everything is fine when I work with normal HTTP (if I type in the Caddyfile But now I'm trying to go over HTTPS and all I obtain is "certificate is signed by unknown authority".

4. Error messages and/or full log output:

{"level":"info","ts":1618580366.0595984,"msg":"using provided configuration","config_file":"/etc/Caddyfile","config_adapter":"caddyfile"}
{"level":"info","ts":1618580366.0609994,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019",""]}
{"level":"info","ts":1618580366.0611317,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1618580366.061146,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1618580366.0612822,"logger":"http","msg":"enabling automatic TLS certificate management","domains":[""]}
{"level":"info","ts":1618580366.0613413,"logger":"tls","msg":"cleaned up storage units"}
2021/04/16 13:39:26 [INFO][cache:0xc0001146c0] Started certificate maintenance routine
{"level":"info","ts":1618580366.0616293,"msg":"autosaved config","file":"/data/.config/caddy/autosave.json"}
{"level":"info","ts":1618580366.0616865,"msg":"serving initial configuration"}
2021/04/16 13:39:26 [INFO][] Obtain certificate; acquiring lock...
2021/04/16 13:39:26 [INFO][FileStorage:/data/.local/share/caddy] Lock for '' is stale (created: 2021-04-16 13:11:42.062232847 +0000 UTC, last update: 2021-04-16 13:20:12.445279156 +0000 UTC); removing then retrying: /data/.local/share/caddy/locks/
2021/04/16 13:39:26 [INFO][] Obtain: Lock acquired; proceeding...
2021/04/16 13:39:26 [ERROR] Making new ACME client: get directory at '': Get "": x509: certificate signed by unknown authority (attempt 1/2)
2021/04/16 13:39:29 [ERROR] Making new ACME client: get directory at '': Get "": x509: certificate signed by unknown authority (attempt 2/2)
2021/04/16 13:39:29 [ERROR] attempt 1: [] Obtain: get directory at '': Get "": x509: certificate signed by unknown authority - retrying in 1m0s (2.950648965s/720h0m0s elapsed)...

When I try to curl:

*   Trying...
* Connected to ( port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
*   CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, internal error (592):
* error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
* Closing connection 0
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

5. What I already tried:

I've already tried to modify the Caddyfile adding ports, protocols, combinations of them, checked my port forwarding rules on my router, looked for an answer everywhere but I can't find a solution.

When I explored the directory of the container I noticed that in the folder .caddy there was no certificate, no file at all. I read that they should be there.

6. Links to relevant resources:


I'm really sorry if I made some mistake in posting the info. I'm a newbie both in Caddy and Docker.
Tell me if I can post more information that you need.

Please upgrade to at least v2.3.0! You’re using a pretty old version.

You don’t need to build this way, there’s a caddy-builder image variant you can use which simplifies it significantly. See on Docker Hub the “Adding custom Caddy modules” section.

I think your container is missing CA certificates. This won’t be a problem if you rebuild with the official image.
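The reply above points at a missing CA trust store as the cause. The following is an added example (not code from the thread or from the Caddy project) that checks, inside a container, whether the trust store Caddy relies on is actually present and non-empty. It assumes Debian's default bundle path /etc/ssl/certs/ca-certificates.crt (the same path curl reported as its CAfile above); the two-entry sample bundle it creates is constructed with placeholder bodies so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the forum thread: verify that a container image
# carries a usable CA trust store. Caddy is a Go program, and Go's crypto/x509
# needs the system bundle to verify the ACME server's certificate; without it
# every ACME request fails with "x509: certificate signed by unknown authority",
# exactly as in the log above.
# Assumption: Debian's default bundle path (override with CA_BUNDLE=...).

CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"

# ca_bundle_status <path>: prints "missing", "empty" or "ok".
ca_bundle_status() {
    if [ ! -f "$1" ]; then
        echo missing
        return 1
    fi
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo empty
        return 1
    fi
    echo ok
}

# count_certs <path>: number of PEM certificates in the bundle (0 if unreadable).
count_certs() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || n=0
    echo "${n:-0}"
}

# make_sample_bundle: writes a constructed two-entry bundle to a temp directory
# and prints its path. The bodies are placeholders, not real certificates; they
# exist only so the checks above can be demonstrated offline.
make_sample_bundle() {
    dir=$(mktemp -d)
    {
        echo '-----BEGIN CERTIFICATE-----'
        echo 'Q09OU1RSVUNURUQgUExBQ0VIT0xERVI='
        echo '-----END CERTIFICATE-----'
        echo '-----BEGIN CERTIFICATE-----'
        echo 'Q09OU1RSVUNURUQgUExBQ0VIT0xERVI='
        echo '-----END CERTIFICATE-----'
    } > "$dir/ca-certificates.crt"
    echo "$dir/ca-certificates.crt"
}

# When run directly (for example: docker run --rm <image> sh check-ca.sh),
# report on the real bundle path. A "missing" result matches the failure mode
# described in this thread.
status=$(ca_bundle_status "$CA_BUNDLE") || true
echo "CA bundle $CA_BUNDLE: $status ($(count_certs "$CA_BUNDLE") certificates)"
```

On a Debian-based image a "missing" result means the ca-certificates package was never installed; the Dockerfile above installs only gosu, so adding ca-certificates to that apt-get line, or starting from the official image as the reply suggests, removes the error.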


You are simply AWESOME.

Your tips did the magic. Thank you and to all the guys who maintain the documentation.

Last thing. I'd be glad if I could obscure the domain and the IP in my former post. Is that possible?

Still thank you all


You can edit your posts (but edit histories are still visible).
