1. The problem I’m having:
I can run Caddy manually with the adjacent Caddyfile, but I'm struggling to make any progress running it with systemctl.
I have set ownership of the file to the caddy user and made it readable by all; Caddy seems to read the file and try to solve challenges.
2. Error messages and/or full log output:
Jan 15 15:57:05 caddy3 systemd[1]: Starting caddy.service - Caddy...
Jan 15 15:57:05 caddy3 caddy[208096]: caddy.HomeDir=/var/lib/caddy
Jan 15 15:57:05 caddy3 caddy[208096]: caddy.AppDataDir=/var/lib/caddy/.local/share/caddy
Jan 15 15:57:05 caddy3 caddy[208096]: caddy.AppConfigDir=/var/lib/caddy/.config/caddy
Jan 15 15:57:05 caddy3 caddy[208096]: caddy.ConfigAutosavePath=/var/lib/caddy/.config/caddy/autosave.json
Jan 15 15:57:05 caddy3 caddy[208096]: caddy.Version=v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=
Jan 15 15:57:05 caddy3 caddy[208096]: runtime.GOOS=linux
Jan 15 15:57:05 caddy3 caddy[208096]: runtime.GOARCH=amd64
Jan 15 15:57:05 caddy3 caddy[208096]: runtime.Compiler=gc
Jan 15 15:57:05 caddy3 caddy[208096]: runtime.NumCPU=1
Jan 15 15:57:05 caddy3 caddy[208096]: runtime.GOMAXPROCS=1
Jan 15 15:57:05 caddy3 caddy[208096]: runtime.Version=go1.21.5
Jan 15 15:57:05 caddy3 caddy[208096]: os.Getwd=/
Jan 15 15:57:05 caddy3 caddy[208096]: LANG=C
Jan 15 15:57:05 caddy3 caddy[208096]: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Jan 15 15:57:05 caddy3 caddy[208096]: NOTIFY_SOCKET=/run/systemd/notify
Jan 15 15:57:05 caddy3 caddy[208096]: HOME=/var/lib/caddy
Jan 15 15:57:05 caddy3 caddy[208096]: LOGNAME=caddy
Jan 15 15:57:05 caddy3 caddy[208096]: USER=caddy
Jan 15 15:57:05 caddy3 caddy[208096]: INVOCATION_ID=f5ded2e93deb4bd8b68ca4006c9b982c
Jan 15 15:57:05 caddy3 caddy[208096]: JOURNAL_STREAM=8:60558778
Jan 15 15:57:05 caddy3 caddy[208096]: SYSTEMD_EXEC_PID=208096
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.299964,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"warn","ts":1705352225.309751,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3137376,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3152032,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3153255,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3155782,"logger":"crowdsec","msg":"Using API key auth","address":"http://localhost:8080/"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3170726,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00095cc80"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.318558,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3188226,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.318953,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.319032,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.319076,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["tautulli.bagin.duckdns.org","jelly.bagin.duckdns.org","sabnzbd.bagin.duckdns.org","homarr.bagin.duckdns.org","kavita.bagin.duckdns.org","prowlarr.bagin.duckdns.org","plex.bagin.duckdns.org","changedetection.bagin.duckdns.org","whisparr.bagin.duckdns.org","portainer.bagin.duckdns.org","adguard.bagin.duckdns.org","nextcloud.bagin.duckdns.org","paperlessngx.bagin.duckdns.org","sonarr.bagin.duckdns.org","bazarr.bagin.duckdns.org","proxmox.bagin.duckdns.org","readarr.bagin.duckdns.org","photoprism.bagin.duckdns.org","vaultwarden.bagin.duckdns.org","kuma.bagin.duckdns.org","overseerr.bagin.duckdns.org","webmin.bagin.duckdns.org","lidarr.bagin.duckdns.org","hass.bagin.duckdns.org","homepage.bagin.duckdns.org","radarr.bagin.duckdns.org"]}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3207953,"logger":"tls.obtain","msg":"acquiring lock","identifier":"tautulli.bagin.duckdns.org"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3220062,"logger":"tls.obtain","msg":"acquiring lock","identifier":"jelly.bagin.duckdns.org"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3223019,"logger":"tls.obtain","msg":"lock acquired","identifier":"tautulli.bagin.duckdns.org"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3224602,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"tautulli.bagin.duckdns.org"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3234494,"logger":"tls.obtain","msg":"lock acquired","identifier":"jelly.bagin.duckdns.org"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3235433,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"jelly.bagin.duckdns.org"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3239777,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["jelly.bagin.duckdns.org"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"benagin1@gmail.com"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.323991,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["jelly.bagin.duckdns.org"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"benagin1@gmail.com"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3249164,"logger":"tls.obtain","msg":"acquiring lock","identifier":"sabnzbd.bagin.duckdns.org"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3253245,"logger":"tls.obtain","msg":"acquiring lock","identifier":"homarr.bagin.duckdns.org"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3261669,"logger":"tls.obtain","msg":"acquiring lock","identifier":"prowlarr.bagin.duckdns.org"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.326943,"logger":"tls.obtain","msg":"lock acquired","identifier":"homarr.bagin.duckdns.org"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3359404,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"homarr.bagin.duckdns.org"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.336822,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["homarr.bagin.duckdns.org"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"benagin1@gmail.com"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.336988,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["homarr.bagin.duckdns.org"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"benagin1@gmail.com"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3375027,"logger":"tls.obtain","msg":"lock acquired","identifier":"prowlarr.bagin.duckdns.org"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3377502,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"prowlarr.bagin.duckdns.org"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3382673,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["prowlarr.bagin.duckdns.org"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"benagin1@gmail.com"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3294563,"logger":"tls.obtain","msg":"acquiring lock","identifier":"sonarr.bagin.duckdns.org"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.342013,"logger":"tls.obtain","msg":"lock acquired","identifier":"sonarr.bagin.duckdns.org"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3422751,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"sonarr.bagin.duckdns.org"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3426101,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["sonarr.bagin.duckdns.org"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"benagin1@gmail.com"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3314066,"logger":"tls.obtain","msg":"acquiring lock","identifier":"photoprism.bagin.duckdns.org"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3440504,"logger":"tls.obtain","msg":"lock acquired","identifier":"photoprism.bagin.duckdns.org"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3444047,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"photoprism.bagin.duckdns.org"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3448708,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["photoprism.bagin.duckdns.org"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"benagin1@gmail.com"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3327303,"logger":"tls.obtain","msg":"acquiring lock","identifier":"webmin.bagin.duckdns.org"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3463795,"logger":"tls.obtain","msg":"lock acquired","identifier":"webmin.bagin.duckdns.org"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.346748,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"webmin.bagin.duckdns.org"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3475363,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["webmin.bagin.duckdns.org"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"benagin1@gmail.com"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3334663,"logger":"tls.obtain","msg":"acquiring lock","identifier":"radarr.bagin.duckdns.org"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3495746,"logger":"tls.obtain","msg":"lock acquired","identifier":"radarr.bagin.duckdns.org"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.349934,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"radarr.bagin.duckdns.org"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3510325,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["radarr.bagin.duckdns.org"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"benagin1@gmail.com"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3356702,"logger":"tls.obtain","msg":"acquiring lock","identifier":"kavita.bagin.duckdns.org"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3529098,"logger":"tls.obtain","msg":"lock acquired","identifier":"kavita.bagin.duckdns.org"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3558364,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"kavita.bagin.duckdns.org"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3270497,"logger":"tls.obtain","msg":"acquiring lock","identifier":"changedetection.bagin.duckdns.org"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3274179,"logger":"tls.obtain","msg":"acquiring lock","identifier":"whisparr.bagin.duckdns.org"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.327769,"logger":"tls.obtain","msg":"acquiring lock","identifier":"portainer.bagin.duckdns.org"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.328052,"logger":"tls.obtain","msg":"acquiring lock","identifier":"adguard.bagin.duckdns.org"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.328334,"logger":"tls.obtain","msg":"acquiring lock","identifier":"nextcloud.bagin.duckdns.org"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3290362,"logger":"tls.obtain","msg":"acquiring lock","identifier":"paperlessngx.bagin.duckdns.org"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.3298273,"logger":"tls.obtain","msg":"acquiring lock","identifier":"bazarr.bagin.duckdns.org"}
Jan 15 15:57:05 caddy3 caddy[208096]: {"level":"info","ts":1705352225.330205,"logger":"tls.obtain","msg":"acquiring lock","identifier":"proxmox.bagin.duckdns.org"}
this is my most recent run with debug enabled
Jan 15 18:50:18 caddy3 caddy[163]: {"level":"debug","ts":1705362618.2228067,"logger":"events","msg":"event","name":"tls_get_certificate","id":"4fa3edec-c039-40fb-87fe-00f57e3903af","origin":"tls","data":{"client_hello":{"CipherSuites":[51914,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"readarr.bagin.duckdns.org","SupportedCurves":[39578,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[31354,772,771],"RemoteAddr":{"IP":"74.215.78.143","Port":51671,"Zone":""},"LocalAddr":{"IP":"192.168.4.136","Port":443,"Zone":""}}}}
Jan 15 18:50:18 caddy3 caddy[163]: {"level":"debug","ts":1705362618.225732,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"readarr.bagin.duckdns.org"}
Jan 15 18:50:18 caddy3 caddy[163]: {"level":"debug","ts":1705362618.2257676,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.bagin.duckdns.org"}
Jan 15 18:50:18 caddy3 caddy[163]: {"level":"debug","ts":1705362618.2257836,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.duckdns.org"}
Jan 15 18:50:18 caddy3 caddy[163]: {"level":"debug","ts":1705362618.2257988,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.org"}
Jan 15 18:50:18 caddy3 caddy[163]: {"level":"debug","ts":1705362618.2258139,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.*"}
Jan 15 18:50:18 caddy3 caddy[163]: {"level":"debug","ts":1705362618.2258356,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"74.215.78.143","remote_port":"51671","server_name":"readarr.bagin.duckdns.org","remote":"74.215.78.143:51671","identifier":"readarr.bagin.duckdns.org","cipher_suites":[51914,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0,"load_or_obtain_if_necessary":true,"on_demand":false}
Jan 15 18:50:18 caddy3 caddy[163]: {"level":"debug","ts":1705362618.2259252,"logger":"http.stdlib","msg":"http: TLS handshake error from 74.215.78.143:51671: no certificate available for 'readarr.bagin.duckdns.org'"}
Jan 15 18:50:18 caddy3 caddy[163]: {"level":"debug","ts":1705362618.2269459,"logger":"http.stdlib","msg":"http: TLS handshake error from 74.215.78.143:51670: no certificate available for 'radarr.bagin.duckdns.org'"}
Jan 15 18:50:18 caddy3 caddy[163]: {"level":"debug","ts":1705362618.263778,"logger":"events","msg":"event","name":"tls_get_certificate","id":"0cea10e1-1c61-4100-b1c8-9076a2186680","origin":"tls","data":{"client_hello":{"CipherSuites":[27242,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"radarr.bagin.duckdns.org","SupportedCurves":[56026,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[35466,772,771],"RemoteAddr":{"IP":"74.215.78.143","Port":51672,"Zone":""},"LocalAddr":{"IP":"192.168.4.136","Port":443,"Zone":""}}}}
Jan 15 18:50:18 caddy3 caddy[163]: {"level":"debug","ts":1705362618.2639751,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"radarr.bagin.duckdns.org"}
Jan 15 18:50:18 caddy3 caddy[163]: {"level":"debug","ts":1705362618.2639995,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.bagin.duckdns.org"}
Jan 15 18:50:18 caddy3 caddy[163]: {"level":"debug","ts":1705362618.2640152,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.duckdns.org"}
Jan 15 18:50:18 caddy3 caddy[163]: {"level":"debug","ts":1705362618.2640295,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.org"}
Jan 15 18:50:18 caddy3 caddy[163]: {"level":"debug","ts":1705362618.2640445,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.*"}
Jan 15 18:50:18 caddy3 caddy[163]: {"level":"debug","ts":1705362618.26407,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"74.215.78.143","remote_port":"51672","server_name":"radarr.bagin.duckdns.org","remote":"74.215.78.143:51672","identifier":"radarr.bagin.duckdns.org","cipher_suites":[27242,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0,"load_or_obtain_if_necessary":true,"on_demand":false}
Jan 15 18:50:18 caddy3 caddy[163]: {"level":"debug","ts":1705362618.264297,"logger":"http.stdlib","msg":"http: TLS handshake error from 74.215.78.143:51672: no certificate available for 'radarr.bagin.duckdns.org'"}
Jan 15 18:50:18 caddy3 caddy[163]: {"level":"debug","ts":1705362618.265513,"logger":"events","msg":"event","name":"tls_get_certificate","id":"bcfe1ced-a359-4451-835f-c05d73be35bb","origin":"tls","data":{"client_hello":{"CipherSuites":[23130,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"readarr.bagin.duckdns.org","SupportedCurves":[23130,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[31354,772,771],"RemoteAddr":{"IP":"74.215.78.143","Port":51673,"Zone":""},"LocalAddr":{"IP":"192.168.4.136","Port":443,"Zone":""}}}}
Jan 15 18:50:18 caddy3 caddy[163]: {"level":"debug","ts":1705362618.265622,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"readarr.bagin.duckdns.org"}
Jan 15 18:50:18 caddy3 caddy[163]: {"level":"debug","ts":1705362618.2656424,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.bagin.duckdns.org"}
Jan 15 18:50:18 caddy3 caddy[163]: {"level":"debug","ts":1705362618.2656581,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.duckdns.org"}
Jan 15 18:50:18 caddy3 caddy[163]: {"level":"debug","ts":1705362618.265676,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.org"}
Jan 15 18:50:18 caddy3 caddy[163]: {"level":"debug","ts":1705362618.2656908,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.*"}
Jan 15 18:50:18 caddy3 caddy[163]: {"level":"debug","ts":1705362618.2657118,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"74.215.78.143","remote_port":"51673","server_name":"readarr.bagin.duckdns.org","remote":"74.215.78.143:51673","identifier":"readarr.bagin.duckdns.org","cipher_suites":[23130,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0,"load_or_obtain_if_necessary":true,"on_demand":false}
Jan 15 18:50:18 caddy3 caddy[163]: {"level":"debug","ts":1705362618.265793,"logger":"http.stdlib","msg":"http: TLS handshake error from 74.215.78.143:51673: no certificate available for 'readarr.bagin.duckdns.org'"}
Jan 15 18:50:19 caddy3 caddy[163]: {"level":"debug","ts":1705362619.4077406,"logger":"tls.issuance.zerossl.acme_client","msg":"http request","method":"HEAD","url":"https://acme.zerossl.com/v2/DV90/newNonce","headers":{"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Type":["application/octet-stream"],"Date":["Mon, 15 Jan 2024 23:50:19 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["SmTfSqweCB5lVnKV9LkGqPc7YoHp9kTCMgaRT1plEFo"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
Jan 15 18:50:21 caddy3 caddy[163]: {"level":"error","ts":1705362621.5928197,"logger":"tls.issuance.acme.acme_client","msg":"cleaning up solver","identifier":"readarr.bagin.duckdns.org","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.readarr.bagin.duckdns.org\" (usually OK if presenting also failed)"}
Jan 15 18:50:21 caddy3 caddy[163]: {"level":"debug","ts":1705362621.7069635,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/10633795364","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["132394644"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["834"],"Content-Type":["application/json"],"Date":["Mon, 15 Jan 2024 23:50:21 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["Jarfjukg0FIdHUHAYSPZZ9GQH0oFX4oYzJcUfkjtsTtuplyRAdc"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Jan 15 18:50:21 caddy3 caddy[163]: {"level":"error","ts":1705362621.707349,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"readarr.bagin.duckdns.org","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[readarr.bagin.duckdns.org] solving challenges: presenting for challenge: could not determine zone for domain \"_acme-challenge.readarr.bagin.duckdns.org\": unexpected response code 'SERVFAIL' for _acme-challenge.readarr.bagin.duckdns.org. (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/132394644/13704613724) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
Jan 15 18:50:21 caddy3 caddy[163]: {"level":"debug","ts":1705362621.707403,"logger":"tls.obtain","msg":"trying issuer 2/2","issuer":"acme.zerossl.com-v2-DV90"}
Jan 15 18:50:21 caddy3 caddy[163]: {"level":"debug","ts":1705362621.9558177,"logger":"tls.issuance.zerossl.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/newOrder","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["286"],"Content-Type":["application/json"],"Date":["Mon, 15 Jan 2024 23:50:21 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/p-ns9uSC2WRzqN7-VOgWDw"],"Replay-Nonce":["8_Xy2JJQuc8_ayCwhEobDuFUzWUW6Mmr6x3iVAsyuJQ"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":201}
3. Caddy version:
v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=
with crowdsec and duckdns plugins
4. How I installed and ran Caddy:
Built with xcaddy with the plugins above, then followed the steps to move the binary to /bin(?). I set up the caddy service for systemctl with the caddy user, etc.
a. System environment:
up to date proxmox debian container, all versions new within the month
b. Command:
caddy start
systemctl start caddy
The manual version works; systemctl gives no errors, but it does not work.
c. Service/unit/compose file:
my caddy.service file:
# caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.
[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target
[Service]
# notify: systemd waits for Caddy's readiness message (the journal shows
# NOTIFY_SOCKET=/run/systemd/notify being passed to the process).
Type=notify
# Runs unprivileged as caddy:caddy. The journal shows HOME=/var/lib/caddy and
# caddy.AppDataDir=/var/lib/caddy/.local/share/caddy, so that is where the
# service keeps its own data.
# NOTE(review): a manual `caddy start` under another account would use that
# account's home instead, so anything it obtained or created there (and any
# file it created elsewhere, e.g. a log file) may be missing or unwritable
# for this user. Confirm which user the working manual run used.
User=caddy
Group=caddy
# NOTE(review): --environ prints the process environment at startup (the
# caddy.*, runtime.* and HOME=/USER= lines at the top of the journal output).
# If secrets are ever passed to the service as environment variables they
# would be written to the journal as well; drop the flag once it is no longer
# needed for troubleshooting.
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
# --force reloads even when the config file has not changed.
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
# Private /tmp and /var/tmp for the service.
PrivateTmp=true
# full: /usr, the boot loader directories and /etc are read-only for the
# service, so /etc/caddy/Caddyfile can be read but not modified by Caddy.
ProtectSystem=full
# CAP_NET_BIND_SERVICE lets the non-root user bind ports 80/443.
# NOTE(review): CAP_NET_ADMIN is a much broader networking capability;
# presumably it is here for socket tuning (the journal shows quic-go trying to
# raise the UDP receive buffer). Confirm it is needed in this container
# before keeping it.
# NOTE(review): beyond the three settings above the unit sets no sandboxing
# (e.g. NoNewPrivileges=, CapabilityBoundingSet=, ProtectHome=);
# `systemd-analyze security caddy.service` lists what could be tightened.
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
d. My complete Caddy config:
GNU nano 7.2 Caddyfile
# Global options block: handler ordering, CrowdSec bouncer settings and the
# ACME account e-mail.
# NOTE(review): no `admin` option is set, and the journal shows the admin
# endpoint listening on localhost:2019 with enforce_origin=false. Any local
# process can reconfigure Caddy through it; `caddy reload` in the unit file
# depends on this endpoint, so restrict it rather than remove it blindly.
{
# debug # this is optional; makes Caddy log more details
# Run the crowdsec handler ahead of every other HTTP handler directive.
order crowdsec first
crowdsec {
# Plain HTTP is only acceptable here because the LAPI is on loopback; the API
# key would cross the network in clear text if the LAPI moved to another host.
api_url http://localhost:8080 # the URL where your CrowdSec LAPI can be reached
# NOTE(review): the real file holds a live bouncer key, and the post says the
# Caddyfile is readable by all. Limit read access to the caddy user/group, or
# load the key with Caddyfile environment substitution ({$NAME}). If it goes
# into the environment, remember that `caddy run --environ` logs the
# environment at startup.
api_key __KEY__
}
# NOTE(review): redacted here, but the "account" field of the
# tls.issuance.acme lines in the posted journal still carries the address.
email __EMAIL__
}
## imports:
# Snippet: enable the CrowdSec handler and write an access log for the site.
# NOTE(review): the service user (caddy) needs write access to /var/log/caddy;
# a log file created earlier by a manual run under another account may not be
# writable by it. Confirm ownership.
(crowdsec) {
crowdsec
log {
output file /var/log/caddy/access.log
}
}
# Snippet: obtain the site's certificate with the ACME DNS challenge through
# the duckdns plugin.
# NOTE(review): the DuckDNS token is a secret stored inline in a file the post
# describes as readable by all. Same handling as the CrowdSec key: restrict
# file permissions or load it from the environment.
# NOTE(review): in the debug run the dns-01 attempt for readarr fails before
# any record is presented ("could not determine zone ... unexpected response
# code 'SERVFAIL'" for _acme-challenge.readarr.bagin.duckdns.org). That lookup
# goes through the DNS resolvers Caddy uses; the tls directive's `resolvers`
# option selects them. Worth checking which resolver the service sees.
(duckdns) {
tls {
dns duckdns __KEY__ {
# presumably makes the plugin publish the challenge record on
# bagin.duckdns.org rather than on the per-host name; verify against the
# plugin's documentation
override_domain bagin.duckdns.org
}
}
}
# Snippet: answer 403 to every request whose peer address is not the home IP.
# remote_ip matches the address of the immediate TCP peer, so this only works
# as intended while clients connect to Caddy directly rather than through
# another proxy. `respond` is ordered before `reverse_proxy` by default, so the
# 403 is returned without contacting the upstream; the TLS handshake and the
# crowdsec handler (ordered first) still run before it.
(notHomeIp) {
@notHomeIp {
not remote_ip __ADDRESS__
}
respond @notHomeIp 403
}
## reverse proxies:
# Every site below applies the same three snippets (CrowdSec + access log,
# DNS-challenge TLS, home-IP allow rule) and then proxies to its upstream.
# NOTE(review): each site name gets its own publicly trusted certificate, so
# all of these hostnames appear in Certificate Transparency logs even though
# access is limited to one address. A single wildcard site would avoid listing
# them individually. Optional.
kavita.bagin.duckdns.org {
import crowdsec
import duckdns
import notHomeIp
reverse_proxy __ADDRESS__
}
proxmox.bagin.duckdns.org {
import crowdsec
import duckdns
import notHomeIp
reverse_proxy __ADDRESS__ {
transport http {
# Verifies the upstream's certificate against the PVE root CA instead of
# disabling verification.
# NOTE(review): the caddy user must be able to read this file, and the path
# has to exist inside the container Caddy runs in. Confirm both; a manual run
# as a more privileged user would not hit a permission problem here.
tls_trusted_ca_certs /etc/pve/pve-root-ca.pem # Path to PVE root cert
}
}
}
sabnzbd.bagin.duckdns.org {
import crowdsec
import duckdns
import notHomeIp
reverse_proxy __ADDRESS__
}
(continued...)