Connection refused or timed out when checking DNS propagation. Unable to access reverse_proxy site

1. The problem I’m having:

Caddy is unable to obtain certificates. When it communicates with the CAs (ZeroSSL or Let's Encrypt), the logs indicate that they are:

  • connection refused
  • i/o timeout

This had previously worked a few weeks before, but I finally noticed the site was down when my RSS feeds were quieter than usual. The information given is from a complete re-install, where I have moved to using Caddy in Docker instead of as a Linux service, but the issue still remained.

I feel like DuckDNS is the issue here, and I would need to move away from DuckDNS to prevent this in the future. Asking just in case I'm wrong.

2. Error messages and/or full log output:

root@localhost:~# curl -vL "https://rss.mocker-subdivide-uselessly1.duckdns.org"
*   Trying [2400:8907::f03c:94ff:fe35:302]:443...
* Connected to rss.mocker-subdivide-uselessly1.duckdns.org (2400:8907::f03c:94ff:fe35:302) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS alert, internal error (592):
* OpenSSL/3.0.11: error:0A000438:SSL routines::tlsv1 alert internal error
* Closing connection 0
curl: (35) OpenSSL/3.0.11: error:0A000438:SSL routines::tlsv1 alert internal error

Pastebin: docker logs caddy

3. Caddy version:

root@localhost:~# docker exec caddy caddy version
v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=

4. How I installed and ran Caddy:

a. System environment:

Linode’s Nanode 1 GB plan - Debian 12.

Edited firewall via ufw:

root@localhost:~/docker/caddy# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443 (v6)                   ALLOW IN    Anywhere (v6)

Installed Docker per installation page, via apt

b. Command:

cd ./caddy
(make Dockerfile (c) and Caddyfile (d))
docker build -t caddy .
docker run --detach \
  --name caddy \
  --cap-add=NET_ADMIN -p 80:80 -p 443:443 -p 443:443/udp \
  -v caddy_data:/data \
  -v caddy_config:/config \
  caddy

c. Service/unit/compose file:

FROM caddy:builder AS builder

RUN xcaddy build \
    --with github.com/caddy-dns/duckdns

FROM caddy:latest

COPY Caddyfile /etc/caddy/Caddyfile

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

d. My complete Caddy config:

{
        email joeblackclone@gmail.com
}

mocker-subdivide-uselessly1.duckdns.org {
        redir https://crouton.net permanent
        tls {
                dns duckdns DUCKDNS_TOKEN
        }
}

#mruac/rssbridge/custom-bridges
rss.mocker-subdivide-uselessly1.duckdns.org {
        reverse_proxy localhost:4772
        tls {
                dns duckdns DUCKDNS_TOKEN
        }
}

#bluestream
bluestream.mocker-subdivide-uselessly1.duckdns.org {
        reverse_proxy * localhost:7843
        tls {
                dns duckdns DUCKDNS_TOKEN
        }
}

5. Links to relevant resources:

Dockerfile - https://hub.docker.com/_/caddy#:~:text=Adding%20custom%20Caddy%20modules
Linux Service - https://caddyserver.com/docs/running#linux-service
Linode's 1GB Nanode plan - https://www.linode.com/pricing/#compute-shared:~:text=Network%20In/Out-,Nanode%201%20GB,-%245
Docker Install via apt guide - https://docs.docker.com/engine/install/debian/#install-using-the-repository

So I was close to fixing it. I had to make the Caddy container talk to the other containers; looking at the logs later showed that it was unable to get any pages from the other containers, and so returned 502 to the requests.

I learnt that I had to put them into a Docker network and adjust the Caddyfile accordingly. This site was helpful in showing me how to create the network and add the containers to the network.

Updated Caddyfile:

{
        email joeblackclone@gmail.com
}

mocker-subdivide-uselessly1.duckdns.org {
        redir https://crouton.net permanent
        tls {
                dns duckdns DUCKDNS_TOKEN
        }
}

hrt.mocker-subdivide-uselessly1.duckdns.org {
        reverse_proxy hydrus-remote-tagging:3415
        tls {
                dns duckdns DUCKDNS_TOKEN
        }
}

#mruac/rssbridge/custom-bridges
rss.mocker-subdivide-uselessly1.duckdns.org {
        reverse_proxy rss-bridge:80
        tls {
                dns duckdns DUCKDNS_TOKEN
        }
}

#bluestream
bluestream.mocker-subdivide-uselessly1.duckdns.org {
        reverse_proxy bluestream:8000
        tls {
                dns duckdns DUCKDNS_TOKEN
        }
}

I figure I may as well provide an update seeing as I couldn’t delete a topic.

My previous setup had issues renewing the certificates, so Feedly wasn’t able to get to the rss-bridge container through caddy as the certificate had expired.

After messing around I had given up and recreated the entire Linode image and attempted to use caddy in a docker container for the benefits of containerisation. Seems to work for now.
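Two things in the thread above are worth catching before a Caddyfile ever reaches a container: `reverse_proxy localhost:PORT` (inside the caddy container, `localhost` is the container's own loopback, so the upstream is refused and Caddy answers 502, which is what the update found), and a real DuckDNS token pasted into the config as a literal (it then travels with every `docker logs` pastebin and forum post). The script below is an added example, not code from the original thread or from the Caddy project: a small POSIX shell lint that flags both. The file names, the fake all-zero token and the sample Caddyfiles it writes are constructed for the example; the assumption that DuckDNS tokens are UUID-shaped is based on the token format seen in the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): lint a Caddyfile that will run
# inside a Docker container for the two mistakes discussed above.

# lint_caddyfile FILE
# Prints one line per finding and returns the number of findings (0 = clean).
lint_caddyfile() {
    f="$1"
    n=0

    # 1. reverse_proxy upstreams on loopback. Inside the caddy container these
    #    never reach the host or the other containers: the connection is
    #    refused and the proxy returns 502. Matches "reverse_proxy localhost:4772"
    #    and "reverse_proxy * localhost:7843" (optional matcher before the upstream).
    hits=$(grep -nE '^[[:space:]]*reverse_proxy([[:space:]]+[^[:space:]]+)*[[:space:]]+(localhost|127\.0\.0\.1|\[::1\])(:[0-9]+)?([[:space:]]|$)' "$f" || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | while IFS= read -r line; do
            printf 'loopback upstream (use the container name on a shared docker network): %s\n' "$line"
        done
        n=$((n + $(printf '%s\n' "$hits" | wc -l)))
    fi

    # 2. A literal UUID-shaped token after "dns duckdns" (assumption: DuckDNS
    #    tokens are UUIDs, as the one seen in the thread was). Use a placeholder
    #    such as {env.DUCKDNS_TOKEN} and pass the value into the container instead.
    uuid='[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}'
    hits=$(grep -nE "^[[:space:]]*dns[[:space:]]+duckdns[[:space:]]+$uuid" "$f" || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | while IFS= read -r line; do
            printf 'literal DuckDNS token in config (move it to an env var): %s\n' "$line"
        done
        n=$((n + $(printf '%s\n' "$hits" | wc -l)))
    fi

    return "$n"
}

# write_samples DIR
# Writes two constructed Caddyfiles: one with both mistakes, one clean.
# The token in bad.Caddyfile is an all-zero fake, not a real credential.
write_samples() {
    cat > "$1/bad.Caddyfile" <<'EOF'
rss.example.duckdns.org {
        reverse_proxy localhost:4772
        tls {
                dns duckdns 00000000-0000-4000-8000-000000000000
        }
}
bluestream.example.duckdns.org {
        reverse_proxy * localhost:7843
        tls {
                dns duckdns DUCKDNS_TOKEN
        }
}
EOF
    cat > "$1/good.Caddyfile" <<'EOF'
rss.example.duckdns.org {
        reverse_proxy rss-bridge:80
        tls {
                dns duckdns {env.DUCKDNS_TOKEN}
        }
}
bluestream.example.duckdns.org {
        reverse_proxy bluestream:8000
        tls {
                dns duckdns {env.DUCKDNS_TOKEN}
        }
}
EOF
}

# Stand-alone run: lint both samples and report the counts.
SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
for name in bad good; do
    if lint_caddyfile "$SAMPLES/$name.Caddyfile"; then
        echo "$name.Caddyfile: clean"
    else
        echo "$name.Caddyfile: $? finding(s)"
    fi
done
```

Run it as `sh lint_caddyfile.sh` before `docker build`; the bad sample yields three findings (two loopback upstreams, one literal token) and the good one none. To use the `{env.DUCKDNS_TOKEN}` form, pass the secret at run time (`docker run -e DUCKDNS_TOKEN=... `) rather than baking it into the image with `COPY Caddyfile`. The official image also binds 80/443 without `--cap-add=NET_ADMIN`, so that flag can be dropped from the `docker run` line above.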
