Can't get SSL certificate via Let's Encrypt

1. The problem I’m having:

Hi there,

Could you please help me? I am not able to get a Let's Encrypt certificate for my instance of Vaultwarden. But let's start at the beginning.

I am running Ubuntu 24.04.1 LTS for Vaultwarden with Docker, Compose & Caddy.
I want to access Vaultwarden only internally in my network. I am the owner of a domain like contoso.de. Vaultwarden would be accessible at vw.contoso.de.
In the past I used a self-signed certificate, but I learned that using one is problematic: when connecting to the vw.contoso.de website it is reported as insecure, and the iPhone app and the Bitwarden PC software cannot connect. So I want to integrate an auto-renewing Let's Encrypt certificate for the subdomain.

Here are some details of my Caddyfile config:

vw.contoso.com {
    encode gzip
    reverse_proxy vaultwarden:80 {
        header_up X-Real-IP {remote}
        header_up X-Forwarded-For {remote}
        header_up X-Forwarded-Proto {scheme}
    }
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    }
    tls /etc/caddy/certificates/fullchain.pem /etc/caddy/certificates/privkey.pem
}

2. Error messages and/or full log output:

3. Caddy version:

2.8.4

4. How I installed and ran Caddy:

a. System environment:

Ubuntu 24.04.2 LTS
Docker 27.5.0
Docker Compose 2.32.4
Caddy 2.8.4

b. Command:

docker compose up -d

c. Service/unit/compose file:

d. My complete Caddy config:

https://vaultwarden.hit-technopark.de {
  encode gzip
  reverse_proxy vaultwarden:80 {
      header_up X-Real-IP {remote}
      header_up X-Forwarded-For {remote}
      header_up X-Forwarded-Proto {scheme}
  }
  header {
      Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  }
  tls /etc/caddy/certificates/fullchain.pem /etc/caddy/certificates/privkey.pem
}

5. Links to relevant resources:

It looks like you have Apache sitting in front of your Caddy server. In other words, Caddy needs to be directly reachable to complete the challenge. Otherwise, you’ll need to use a DNS challenge.

Thank you @timelordx. Apache or Nginx shouldn't be installed and can't be found with "apt list --installed". Is there another way to check this? Or does the Caddyfile need to be changed?

$ curl -skI https://vaultwarden.hit-technopark.de | grep -iE '^server:'
Server: Apache

However, I missed this earlier (I was initially reading your post on my phone, sorry) - you’re actually assigning the certificate and key to your virtual server, so you’re not doing Let’s Encrypt at all:

Output:

Server: Apache
server: Caddy
server: Rocket 
Server:: command not found

Maybe Rocket is the problem? Should this be deleted with apt remove?
What do I need to do to run Let's Encrypt instead of the command above?

Can you please clarify what command you ran to get such output? Four server headers, even with three valid ones, is not a usual response from a web server.

Remove the static tls directive from your Caddy virtual server, which will make Caddy use the TLS-ALPN challenge. However, TLS-ALPN requires Caddy to be reachable from the Internet.

Otherwise, you can use the DNS challenge, which does not require Caddy to be exposed to the Internet.
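As an added illustration of the advice above (example config, not the poster's Caddyfile or anything from the thread), this is what the site block looks like once the static `tls <cert> <key>` line is removed and the DNS-01 challenge is used instead, so that an internal-only host can still obtain a publicly trusted certificate. It assumes a Caddy build that includes the Cloudflare DNS provider module (built with xcaddy) and an API token passed into the container through the `CLOUDFLARE_API_TOKEN` environment variable; both the provider and the variable name are assumptions for the example.

```caddyfile
# Added example, not the original poster's config. The static tls line is gone,
# so Caddy manages the certificate itself via ACME. Because vw.contoso.de is only
# reachable inside the LAN, the DNS-01 challenge is used; this needs a Caddy build
# with a DNS provider module (cloudflare is assumed here) and an API token with
# zone edit rights supplied as CLOUDFLARE_API_TOKEN in the container environment.
vw.contoso.de {
    encode gzip

    tls {
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
        # If the LAN resolver answers for contoso.de with internal records
        # (split-horizon DNS), point the challenge at public resolvers so the
        # TXT record propagation check sees the public zone.
        resolvers 1.1.1.1 8.8.8.8
    }

    reverse_proxy vaultwarden:80 {
        # reverse_proxy already sets X-Forwarded-For and X-Forwarded-Proto;
        # only the client IP header Vaultwarden reads needs to be added.
        header_up X-Real-IP {remote_host}
    }

    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    }
}
```

If the host were reachable from the Internet on ports 80 and 443, the whole `tls { ... }` block could be left out and Caddy would fall back to the HTTP-01 and TLS-ALPN-01 challenges on its own. Note that with the DNS challenge the token in the container environment can change DNS records for the zone, so it should be scoped to that single zone and kept out of the compose file itself (for example via an env file with restricted permissions).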

I just ran this command a second time.

curl -skI https://my.url.de | grep -iE '^server:'
Server: Apache

Now I got this one:

I started to implement Rocket a long time ago. After running "apt install Rocket" I discovered this doesn't make sense while using Caddy. This is probably what left it behind. :roll_eyes:
How am I able to clean up this Rocket stuff? I can't find anything installed by apt for Rocket.

The problem may be due to a defective caddy service. So far I have always started the containers with docker compose down or up -d. The feedback was always good. Now I have noticed that the caddy service cannot be started at all (sudo systemctl status caddy). I don’t know when this problem first occurred. How do I deal with this? Should I uninstall Caddy and then reinstall it (sudo apt remove caddy > sudo apt install caddy)? Would this delete configuration files?