1. The problem I’m having:
Caddy/Vaultwarden no longer recognizes the Let's Encrypt certificate. So I tried to fix the problem, and eventually I threw away the container and images and rebuilt from scratch with the same docker-compose file. Now Caddy is trying to get a Let's Encrypt certificate but can't resolve the DNS name.
2. Error messages and/or full log output:
ERR ts=1744800786.5669062 logger=tls.obtain msg=will retry error=[solarsystem.ddnss.de] Obtain: account pre-registration callback: performing EAB credentials request: Post "https://api.zerossl.com/acme/eab-credentials-email": dial tcp: lookup api.zerossl.com on 127.0.0.11:53: read udp 127.0.0.1:39013->127.0.0.11:53: i/o timeout attempt=12 retrying_in=1800 elapsed=7687.709121117 max_duration=2592000
When I get into the docker container using a shell and run some tests to find out what the problem is, I see that the problem is with DNS:
/bin # ping 9.9.9.9
PING 9.9.9.9 (9.9.9.9): 56 data bytes
64 bytes from 9.9.9.9: seq=0 ttl=59 time=15.574 ms
64 bytes from 9.9.9.9: seq=1 ttl=59 time=11.729 ms
64 bytes from 9.9.9.9: seq=2 ttl=59 time=11.563 ms
64 bytes from 9.9.9.9: seq=3 ttl=59 time=10.392 ms
^C
--- 9.9.9.9 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 10.392/12.314/15.574 ms
/bin # nslookup google.com
;; connection timed out; no servers could be reached
/bin # cat /etc/resolv.conf
nameserver 127.0.0.11
options ndots:0
3. Caddy version:
v2.9.1 h1:OEYiZ7DbCzAWVb6TNEkjRcSCRGHVoZsJinoDR/n9oaY=
4. How I installed and ran Caddy:
I am running Caddy using docker.
a. System environment:
Docker, on a Raspberry Pi
b. Command:
docker-compose up -d
c. Service/unit/compose file:
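# docker-compose file for Vaultwarden behind Caddy (values shown as *** are
# redacted on this page). Secrets such as SMTP_PASSWORD and ADMIN_TOKEN are
# inlined here; keeping them in an env_file that stays out of version control
# avoids leaking them through the compose file itself.
version: '3'

services:
  # The service name "bitwarden" and container_name "vaultwarden" are both
  # resolvable on the compose network; the Caddyfile on this page uses both.
  bitwarden:
    # Unpinned ":latest" plus the watchtower label below means upstream
    # releases are pulled and applied automatically, without review.
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    environment:
      - WEBSOCKET_ENABLED=true
      - SIGNUPS_ALLOWED=false
      - DOMAIN=https://solarsystem.ddnss.de
      - SMTP_HOST=posteo.de
      - SMTP_FROM=XXX@posteo.de
      - SMTP_PORT=587
      - SMTP_SECURITY=starttls
      - SMTP_USERNAME=XXX@posteo.de
      - SMTP_PASSWORD=***
      # ADMIN_TOKEN unlocks the /admin page. Vaultwarden also accepts an
      # Argon2 PHC hash here instead of the plaintext token — check the
      # Vaultwarden wiki for the form supported by the image version in use.
      - ADMIN_TOKEN=***
    volumes:
      - ./bw-data:/data
    labels:
      - "com.centurylinklabs.watchtower.enable=true"

  caddy:
    image: caddy:2
    container_name: caddy
    restart: always
    # Port mappings are quoted: YAML 1.1 parsers can read some unquoted
    # "NN:NN" values as base-60 integers, so quoting keeps them strings.
    ports:
      - "80:80"  # Needed for the ACME HTTP-01 challenge.
      - "443:443"
    # /data holds Caddy's certificates, private keys and ACME account data;
    # /config holds its autosaved config. Both must persist across rebuilds,
    # otherwise Caddy starts over with a fresh ACME registration.
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - ./caddy-config:/config
      - ./caddy-data:/data
    # Name resolution inside this container goes through Docker's embedded
    # DNS (127.0.0.11, as the resolv.conf output above shows), which forwards
    # to the host's resolvers. If that forwarder times out, a service-level
    # `dns:` entry pinning reachable resolvers is one thing to verify —
    # presumably the host's own resolver setup is what needs fixing first.
    environment:
      - DOMAIN=solarsystem.ddnss.de
      - EMAIL=****@posteo.de  # The email address to use for ACME registration.
      - LOG_FILE=/data/access.log
    labels:
      - "com.centurylinklabs.watchtower.enable=true"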
d. My complete Caddy config:
{
	# Global options: the default logger only records errors.
	log {
		level ERROR
	}
}

# {$DOMAIN} and the other {$...} placeholders are read from the process
# environment (the compose file on this page sets them). Caddy obtains and
# renews the certificate for this host automatically.
{$DOMAIN}:443 {
	# Per-site access log, written to {$LOG_FILE} and rotated by size.
	log {
		level ERROR
		output file {$LOG_FILE} {
			roll_size 10MB
			roll_keep 10
		}
	}

	# Registers {$EMAIL} as the ACME account contact. The challenge type is
	# not fixed by this line — Caddy picks it itself; HTTP-01 only works
	# because port 80 is published in the compose file.
	tls {$EMAIL}

	# This setting may have compatibility issues with some browsers
	# (e.g., attachment downloading on Firefox). Try disabling this
	# if you encounter issues.
	encode gzip

	# Notifications redirected to the WebSocket server.
	reverse_proxy /notifications/hub vaultwarden:3012

	# Proxy everything else to Rocket.
	reverse_proxy bitwarden:80 {
		# Send the true remote IP to Rocket, so that Vaultwarden (formerly
		# bitwarden_rs) can put this in the log, so that fail2ban can ban
		# the correct IP. {remote_host} is the peer Caddy accepted the
		# connection from; it is only the real client address while nothing
		# else proxies in front of Caddy.
		header_up X-Real-IP {remote_host}
	}
}