1. Output of caddy version:
v2.6.2 h1:wKoFIxpmOJLGl3QXoo6PNbYvGW4xLEgo32GPBEjWL8o=
2. How I run Caddy:
I am trying to get Caddy set up to act as a reverse proxy for my Jellyfin server.
The domain name for my Jellyfin server is jellyfin.promosity.io. I have both that and the root pointed toward my public IP using Cloudflare DNS. (They are my registrar.)
a. System environment:
Sitting on a Raspberry Pi 4, running kernel 5.15.76-v7l+
b. Command:
sudo caddy reverse-proxy --from jellyfin.promosity.io:5001 --to 127.0.0.1:8096
c. Service/unit/compose file:
N/A
d. My complete Caddy config:
N/A using command line
3. The problem I’m having:
Can't get SSL to work when I use Caddy as a reverse proxy. I am getting "SSL_ERROR_INTERNAL_ERROR_ALERT".
4. Error messages and/or full log output:
pi@raspberrypi:~ $ sudo caddy reverse-proxy --from jellyfin.promosity.io:5001 --to 127.0.0.1:8096
2022/12/12 01:00:38.550 WARN admin admin endpoint disabled
2022/12/12 01:00:38.551 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "proxy"}
2022/12/12 01:00:38.551 INFO tls.cache.maintenance started background certificate maintenance {"cache": "0x2dffef0"}
2022/12/12 01:00:38.552 INFO tls cleaning storage unit {"description": "FileStorage:/root/.local/share/caddy"}
2022/12/12 01:00:38.552 INFO tls finished cleaning storage units
2022/12/12 01:00:38.552 INFO http.log server running {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2022/12/12 01:00:38.553 INFO http enabling HTTP/3 listener {"addr": ":5001"}
2022/12/12 01:00:38.553 INFO failed to sufficiently increase receive buffer size (was: 176 kiB, wanted: 2048 kiB, got: 352 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details.
2022/12/12 01:00:38.553 INFO http.log server running {"name": "proxy", "protocols": ["h1", "h2", "h3"]}
2022/12/12 01:00:38.553 INFO http enabling automatic TLS certificate management {"domains": ["jellyfin.promosity.io"]}
Caddy proxying https://jellyfin.promosity.io:5001 -> 127.0.0.1:8096
2022/12/12 01:00:38.555 INFO tls.obtain acquiring lock {"identifier": "jellyfin.promosity.io"}
2022/12/12 01:00:38.563 INFO tls.obtain lock acquired {"identifier": "jellyfin.promosity.io"}
2022/12/12 01:00:38.564 INFO tls.obtain obtaining certificate {"identifier": "jellyfin.promosity.io"}
2022/12/12 01:00:38.591 INFO http waiting on internal rate limiter {"identifiers": ["jellyfin.promosity.io"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2022/12/12 01:00:38.591 INFO http done waiting on internal rate limiter {"identifiers": ["jellyfin.promosity.io"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2022/12/12 01:00:39.039 INFO http.acme_client trying to solve challenge {"identifier": "jellyfin.promosity.io", "challenge_type": "http-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2022/12/12 01:00:49.675 ERROR http.acme_client challenge failed {"identifier": "jellyfin.promosity.io", "challenge_type": "http-01", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "142.147.101.93: Fetching http://jellyfin.promosity.io/.well-known/acme-challenge/c7z_YMLYXR4T0-tG_xfOqKMZI2qlp4zhN7lka_lne7w: Timeout during connect (likely firewall problem)", "instance": "", "subproblems": []}}
2022/12/12 01:00:49.676 ERROR http.acme_client validating authorization {"identifier": "jellyfin.promosity.io", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "142.147.101.93: Fetching http://jellyfin.promosity.io/.well-known/acme-challenge/c7z_YMLYXR4T0-tG_xfOqKMZI2qlp4zhN7lka_lne7w: Timeout during connect (likely firewall problem)", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/867051977/152194295827", "attempt": 1, "max_attempts": 3}
2022/12/12 01:00:50.740 ERROR tls.obtain could not get certificate from issuer {"identifier": "jellyfin.promosity.io", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/"}
2022/12/12 01:00:50.750 INFO http waiting on internal rate limiter {"identifiers": ["jellyfin.promosity.io"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "caddy@zerossl.com"}
2022/12/12 01:00:50.750 INFO http done waiting on internal rate limiter {"identifiers": ["jellyfin.promosity.io"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "caddy@zerossl.com"}
2022/12/12 01:00:58.583 INFO http.acme_client trying to solve challenge {"identifier": "jellyfin.promosity.io", "challenge_type": "http-01", "ca": "https://acme.zerossl.com/v2/DV90"}
^C2022/12/12 01:01:12.158 INFO shutting down {"signal": "SIGINT"}
2022/12/12 01:01:12.159 WARN exiting; byeee!! 👋 {"signal": "SIGINT"}
2022/12/12 01:01:12.159 INFO tls.cache.maintenance stopped background certificate maintenance {"cache": "0x2dffef0"}
2022/12/12 01:01:12.161 INFO shutdown complete {"signal": "SIGINT", "exit_code": 0}
5. What I already tried:
- Double checked to make sure my public IP is correct on my domain.
- Port forwarded port 5001 to my raspberry pi (works correctly if I am not using SSL)
- Originally was using port 443 but switched to 5001 to see if it would work.
- Opened WAN on OPNsense to allow all traffic from any protocol to any destination from any source.
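
An added example for triaging a log like the one in section 4 (not part of the original post and not Caddy's own code): it parses Caddy's console log lines, collects the ACME problem documents, and compares the port the CA tried to reach with the ports that are forwarded. The sample lines are constructed, and `parse_line`, `triage` and `forwarded_ports` are hypothetical names.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample in the same console format as the log in the post;
# media.example.com, 203.0.113.10 and TOKEN are placeholders.
SAMPLE_LOG = """\
2022/12/12 01:00:38.553 INFO http enabling HTTP/3 listener {"addr": ":5001"}
2022/12/12 01:00:38.553 INFO failed to sufficiently increase receive buffer size
2022/12/12 01:00:49.675 ERROR http.acme_client challenge failed {"identifier": "media.example.com", "challenge_type": "http-01", "problem": {"type": "urn:ietf:params:acme:error:connection", "detail": "203.0.113.10: Fetching http://media.example.com/.well-known/acme-challenge/TOKEN: Timeout during connect (likely firewall problem)"}}
2022/12/12 01:00:50.740 ERROR tls.obtain could not get certificate from issuer {"identifier": "media.example.com", "error": "HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new order :: too many failed authorizations recently"}
"""

LINE = re.compile(r"^(\S+ \S+)\s+(DEBUG|INFO|WARN|ERROR)\s+(.*)$")
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_line(line):
    """Return (level, text, fields) for one console log line, or None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    level, rest = m.group(2), m.group(3)
    brace = rest.find("{")
    if brace != -1:
        try:
            return level, rest[:brace].strip(), json.loads(rest[brace:])
        except json.JSONDecodeError:
            pass  # a brace inside a plain-text message, not a JSON payload
    return level, rest, {}


def triage(log, forwarded_ports):
    """Summarise ACME failures and flag validation ports that are not forwarded."""
    out = {"problem_types": set(), "validation_ports": set(), "rate_limited": False}
    for level, _text, fields in filter(None, map(parse_line, log.splitlines())):
        problem = fields.get("problem", {})
        if level == "ERROR" and problem:
            out["problem_types"].add(problem.get("type", ""))
            m = re.search(r"Fetching (\S+): ", problem.get("detail", ""))
            if m:  # URL the CA fetched; no explicit port means the scheme default
                url = urlsplit(m.group(1))
                out["validation_ports"].add(url.port or DEFAULT_PORTS.get(url.scheme, 0))
        if "rateLimited" in str(fields.get("error", "")):
            out["rate_limited"] = True
    out["blocked_ports"] = out["validation_ports"] - set(forwarded_ports)
    return out


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, forwarded_ports={5001}))
```

A non-empty `blocked_ports` means the CA's validation request went to a port that is not in the forwarded set; `rate_limited` means further retries against that CA will be refused until its failed-validation limit resets.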