Custom SSL certificate

Hello there!

I’m running Caddy inside a Docker network with other services, most of which are APIs.
I have a custom SSL certificate and the corresponding private key from Cloudflare that I would like to use.
I also use Cloudflare DNS.

Unfortunately, Caddy keeps using port 2015 which seems to indicate that the ssl certificate wasn’t used.

Here is my Caddyfile:

xyz.org {
    tls /etc/ssl/certs/cloudflare/cert.pem /etc/ssl/certs/cloudflare/key.pem
}
api.xyz.org {
    tls /etc/ssl/certs/cloudflare/cert.pem /etc/ssl/certs/cloudflare/key.pem
    proxy / log-api:8080
}

And here is the Caddy part of my compose file:

server:
  image: abiosoft/caddy
  container_name: caddy
  restart: always
  ports:
    - '80:80'
    - '443:443'
  networks:
    - logger-network
  volumes:
    - caddy-data:/root/.caddy
    - ./caddy/Caddyfile:/etc/Caddyfile
    - ./caddy/certs/:/etc/ssl/certs/cloudflare/

Am I missing something?
Thanks in advance!

Caddy’s default port is 2015. When automatic HTTPS is activated, it changes any qualifying, unspecified ports to 443 for you (and 80 for the redirects to HTTPS).

Automatic HTTPS is not activated when you provide your own certificates, hence why Caddy is still binding to port 2015 in your case. If you provide your own certificates, then HTTPS is not managed/automatic, so you will have to set up redirects: Caddy doesn’t want to step on your configuration.

Thanks for your answer!

After binding port 2015 to 80 in my compose file, my browser still warns me that the SSL certificate is not trusted.

Is there anything else to add to my configuration ?

You might consider, instead of using this method, configuring Caddy specifically to listen on HTTP and HTTPS default ports by specifying the scheme for each site.

e.g.:

# HTTP->S redirects
http://xyz.example, http://api.xyz.example {
  redir https://{host}{uri}
}

https://xyz.example {
  tls /etc/ssl/certs/cloudflare/cert.pem /etc/ssl/certs/cloudflare/key.pem
}

https://api.xyz.example {
  tls /etc/ssl/certs/cloudflare/cert.pem /etc/ssl/certs/cloudflare/key.pem
  proxy / log-api:8080
}
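An added consistency check, not from this thread or the Caddy project: it reads the `tls` lines of a Caddyfile together with the compose volume list, flags certificate or key paths that fall outside every container-side mount, and lists sites that load their own certificate without an explicit `https://` scheme (the situation the reply above explains). The Caddyfile and volume list embedded below are constructed samples, with a deliberately misspelt certificate directory.

```python
from pathlib import PurePosixPath

# Constructed sample input: a Caddyfile whose cert directory is misspelt
# ("cloudfare") plus the compose volume list it is meant to run with.
CADDYFILE = """\
xyz.org {
    tls /etc/ssl/certs/cloudfare/cert.pem /etc/ssl/certs/cloudflare/key.pem
}
api.xyz.org {
    tls /etc/ssl/certs/cloudfare/cert.pem /etc/ssl/certs/cloudflare/key.pem
    proxy / log-api:8080
}
"""
VOLUMES = ["caddy-data:/root/.caddy", "./caddy/Caddyfile:/etc/Caddyfile",
           "./caddy/certs/:/etc/ssl/certs/cloudflare/"]

def parse_tls_sites(caddyfile):
    """Map each site header to the (cert, key) paths of its `tls cert key` line."""
    sites, current = {}, None
    for raw in caddyfile.splitlines():
        line = raw.strip()
        if line.endswith("{"):          # site header; a comma list is kept as one label
            current = line[:-1].strip()
        elif line == "}":
            current = None
        elif current and line.startswith("tls "):
            parts = line.split()
            if len(parts) == 3:         # only the `tls <cert> <key>` form
                sites[current] = (parts[1], parts[2])
    return sites

def is_mounted(path, volumes):
    """True if path lies inside a container-side mount (2nd field of host:container)."""
    p = PurePosixPath(path)
    mounts = [PurePosixPath(v.split(":")[1]) for v in volumes]
    return any(m == p or m in p.parents for m in mounts)

def unmounted_tls_paths(caddyfile, volumes):
    """(site, path) pairs whose certificate or key file sits outside every mount."""
    return [(site, path) for site, paths in parse_tls_sites(caddyfile).items()
            for path in paths if not is_mounted(path, volumes)]

def tls_sites_without_https_scheme(caddyfile):
    """Sites that load their own cert but give no https:// scheme (Caddy v1 stays on 2015)."""
    return [s for s in parse_tls_sites(caddyfile) if not s.startswith("https://")]

if __name__ == "__main__":
    print(unmounted_tls_paths(CADDYFILE, VOLUMES))
    print(tls_sites_without_https_scheme(CADDYFILE))
```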