1. The problem I’m having:
Caddy is unable to obtain certificates. When it communicates with the CAs (ZeroSSL or Let's Encrypt), the logs indicate that the errors are:
connection refused
i/o timeout
This had previously worked a few weeks before, but I finally noticed the site was down when my RSS feeds were quieter than usual. The information given is from a complete re-install, where I have moved to using Caddy in Docker instead of as a Linux service, but the issue still remained.
I feel like DuckDNS is the issue here, and I would need to move away from DuckDNS to prevent this in the future. Asking just in case I'm wrong.
2. Error messages and/or full log output:
root@localhost:~# curl -vL "https://rss.mocker-subdivide-uselessly1.duckdns.org"
* Trying [2400:8907::f03c:94ff:fe35:302]:443...
* Connected to rss.mocker-subdivide-uselessly1.duckdns.org (2400:8907::f03c:94ff:fe35:302) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS alert, internal error (592):
* OpenSSL/3.0.11: error:0A000438:SSL routines::tlsv1 alert internal error
* Closing connection 0
curl: (35) OpenSSL/3.0.11: error:0A000438:SSL routines::tlsv1 alert internal error
Pastebin: docker logs caddy
3. Caddy version:
root@localhost:~# docker exec caddy caddy version
v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=
4. How I installed and ran Caddy:
a. System environment:
Linode’s Nanode 1 GB plan - Debian 12.
Edited firewall via ufw:
root@localhost:~/docker/caddy# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443 (v6)                   ALLOW IN    Anywhere (v6)
Installed Docker per installation page, via apt
b. Command:
cd ./caddy
(make Dockerfile (c) and Caddyfile (d))
docker build -t caddy .
docker run --detach \
  --name caddy \
  --cap-add=NET_ADMIN \
  -p 80:80 -p 443:443 -p 443:443/udp \
  -v caddy_data:/data \
  -v caddy_config:/config \
  caddy
c. Service/unit/compose file:
FROM caddy:builder AS builder
RUN xcaddy build \
    --with github.com/caddy-dns/duckdns

FROM caddy:latest
COPY Caddyfile /etc/caddy/Caddyfile
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
d. My complete Caddy config:
{
    email joeblackclone@gmail.com
}

mocker-subdivide-uselessly1.duckdns.org {
    redir https://crouton.net permanent
    tls {
        dns duckdns DUCKDNS_TOKEN
    }
}

#mruac/rssbridge/custom-bridges
rss.mocker-subdivide-uselessly1.duckdns.org {
    reverse_proxy localhost:4772
    tls {
        dns duckdns DUCKDNS_TOKEN
    }
}

#bluestream
bluestream.mocker-subdivide-uselessly1.duckdns.org {
    reverse_proxy * localhost:7843
    tls {
        dns duckdns DUCKDNS_TOKEN
    }
}
5. Links to relevant resources:
Dockerfile - https://hub.docker.com/_/caddy#:~:text=Adding%20custom%20Caddy%20modules
Linux Service - https://caddyserver.com/docs/running#linux-service
Linode's 1GB Nanode plan - https://www.linode.com/pricing/#compute-shared:~:text=Network%20In/Out-,Nanode%201%20GB,-%245
Docker Install via apt guide - https://docs.docker.com/engine/install/debian/#install-using-the-repository
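The post links to the container log (`docker logs caddy`) but does not include it, and the two error strings quoted at the top ("connection refused" and "i/o timeout") are exactly what a triage of that log should separate. The script below is an added example, not part of the original post and not Caddy's or DuckDNS's code: it takes constructed log lines in the general shape of Caddy's JSON output for the `tls.obtain` logger (the hostnames, issuer names, addresses and timestamps are invented) and tallies the ACME dial failures by issuer, error class and the address family of the IP that was dialed. Since the curl transcript in the post shows the hostname resolving to an IPv6 address, whether the failing ACME dials are all IPv6 is the first thing to establish before concluding anything about DuckDNS.

```python
"""Triage ACME dial failures in Caddy's JSON log output.

Added example, not from the original post: the sample lines are constructed in
the general shape of Caddy's zap JSON output for the tls.obtain logger; the
hostnames, issuer names, addresses and timestamps are invented.
"""
import json
import re
from collections import Counter
from ipaddress import ip_address

# Go's net package formats dial failures as
#   dial tcp [<ipv6>]:<port>: <reason>    or    dial tcp <ipv4>:<port>: <reason>
DIAL_RE = re.compile(
    r"dial tcp (?:\[(?P<v6>[^\]]+)\]|(?P<v4>\d{1,3}(?:\.\d{1,3}){3})):(?P<port>\d+): (?P<reason>.*)"
)

# Constructed sample log (not real output from the poster's container).
SAMPLE_LOG = r'''
{"level":"info","ts":1700000000.1,"logger":"tls.obtain","msg":"acquiring lock","identifier":"rss.example.duckdns.org"}
{"level":"error","ts":1700000012.5,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"rss.example.duckdns.org","issuer":"acme-v02.api.letsencrypt.org-directory","error":"creating new order: fetching directory: Get \"https://acme-v02.api.letsencrypt.org/directory\": dial tcp [2001:db8:1::10]:443: connect: connection refused"}
{"level":"error","ts":1700000044.0,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"rss.example.duckdns.org","issuer":"acme.zerossl.com-v2-DV90","error":"creating new order: fetching directory: Get \"https://acme.zerossl.com/v2/DV90\": dial tcp [2001:db8:2::20]:443: i/o timeout"}
{"level":"error","ts":1700000099.3,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"bluestream.example.duckdns.org","issuer":"acme-v02.api.letsencrypt.org-directory","error":"creating new order: fetching directory: Get \"https://acme-v02.api.letsencrypt.org/directory\": dial tcp [2001:db8:1::10]:443: i/o timeout"}
{"level":"error","ts":1700000120.0,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"bluestream.example.duckdns.org","issuer":"acme.zerossl.com-v2-DV90","error":"solving challenge: presenting for challenge: DNS problem (constructed, not a dial error)"}
not json: console output mixed into the capture
'''


def classify(error_text):
    """Return (family, reason, ip) for a Go dial error, or None when the error is not a dial failure."""
    m = DIAL_RE.search(error_text)
    if not m:
        return None
    ip = m.group("v6") or m.group("v4")
    family = "IPv%d" % ip_address(ip).version
    raw = m.group("reason")
    if "connection refused" in raw:
        reason = "connection refused"
    elif "i/o timeout" in raw:
        reason = "i/o timeout"
    else:
        reason = raw.split(" (")[0]  # keep the first clause, drop trailing annotations
    return family, reason, ip


def triage(log_lines):
    """Count tls.obtain dial failures keyed by (issuer, family, reason) and collect the IPs dialed."""
    counts = Counter()
    ips = {}
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # non-JSON noise in the capture
        if not rec.get("logger", "").startswith("tls.obtain"):
            continue
        hit = classify(rec.get("error", ""))
        if hit is None:
            continue  # an obtain error that is not a network dial failure
        family, reason, ip = hit
        key = (rec.get("issuer", "?"), family, reason)
        counts[key] += 1
        ips.setdefault(key, set()).add(ip)
    return counts, ips


def verdict(counts):
    """One-line reading of the tally: which address family the failed ACME dials used."""
    families = {family for (_, family, _) in counts}
    if not families:
        return "no dial failures found in tls.obtain logs"
    if families == {"IPv6"}:
        return ("all failed ACME dials were over IPv6; check that the container actually has IPv6 "
                "egress (Docker does not enable IPv6 for containers by default) before changing DNS providers")
    if families == {"IPv4"}:
        return "all failed ACME dials were over IPv4; check outbound filtering and NAT on the host"
    return "failures over both IPv4 and IPv6; the CA is unreachable regardless of family, check egress generally"


if __name__ == "__main__":
    counts, ips = triage(SAMPLE_LOG.splitlines())
    for (issuer, family, reason), n in sorted(counts.items()):
        dialed = ", ".join(sorted(ips[(issuer, family, reason)]))
        print(f"{n:3d}  {issuer:42s} {family}  {reason}  ({dialed})")
    print(verdict(counts))
```

Run it against a real capture with `docker logs caddy 2>&1 | python3 triage.py`-style plumbing by replacing `SAMPLE_LOG.splitlines()` with `sys.stdin`; the logger filter keeps access-log entries out of the tally, and only errors containing a Go `dial tcp` failure are counted, so DNS-challenge or rate-limit errors do not inflate the numbers.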