Hey Caddy community! I appreciate all your time and help. Happy to provide any additional information. My goal is to replace my current working usage of Nginx with Caddy. I did not ever get TLS/HTTPS working with Nginx, so I figured using Caddy to do automatic TLS would be a fun experiment.
My goal is to use Caddy to create useful subdomains for the many applications I’m running on an Unraid machine. The machine is only accessible on the local network or through a static IP that’s only available through a VPN. I do not have this machine exposed to the internet; the VPN is required.
Rather than remember the static IP and various ports, I currently use Nginx to use subdomains for ease of usage and would love to replace it with Caddy with TLS.
I’m confident I’m making a silly mistake, either with my caddyfile or the DNS setup that worked with Nginx requires a tweak to work with Caddy…
1. Caddy version (`caddy version`):
2.3.0
2. How I run Caddy:
a. System environment:
Running on an Unraid server using the latest caddy:alpine Docker image.
b. Command:
Since I’m using Unraid, I simply click on the Caddy2 icon and ask it to run.
c. Service/unit/compose file:
Again, since it’s Unraid, I’m using their GUI to configure the service. I’ll transcribe all the contents of the GUI here.
- name: CaddyV2
- repository: caddy:alpine
- network type: Bridge
- console shell command: Shell
- Privileged: off
- HTTP: 80
  - Container Port: 80
- HTTPS: 443
  - Container Port: 443
- Data: /mnt/user/Docker/conf/caddyv2/data
  - Container Path: /data
- Config: /mnt/user/appdata/CaddyV2
  - Container Path: /config
- Caddyfile: /mnt/user/Docker/conf/caddyv2/Caddyfile/caddyfile
d. My complete Caddyfile or JSON config:
```
{
	# Uncomment for debug
	debug
}
unraid.grehg.xyz {
	reverse_proxy 172.24.0.2:8080
}
```
3. The problem I’m having:
I’m trying to replace my working usage of Nginx with Caddyv2. I’m interested in using Caddyv2 for the HTTPS/Let’s Encrypt automatic configuration.
When starting the Docker container described above, I’m experiencing a Secure Connection Failed.
4. Error messages and/or full log output:
The following error message is displayed in my Firefox web browser when navigating to unraid.grehg.xyz
Secure Connection Failed
An error occurred during a connection to unraid.grehg.xyz. Peer reports it experienced an internal error.
Error code: SSL_ERROR_INTERNAL_ERROR_ALERT
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
The following logs are produced from the Caddyv2 container:
{"level":"info","ts":1613311362.6244876,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"info","ts":1613311362.6271276,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
{"level":"info","ts":1613311362.6274478,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0003d2460"}
{"level":"info","ts":1613311362.7414167,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1613311362.7414553,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1613311362.7449307,"logger":"tls","msg":"cleaned up storage units"}
{"level":"info","ts":1613311362.7496035,"msg":"autosaved config","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1613311362.749628,"msg":"serving initial configuration"}
{"level":"info","ts":1613311362.7896144,"logger":"tls.obtain","msg":"acquiring lock","identifier":"unraid.grehg.xyz"}
{"level":"info","ts":1613311362.7908468,"logger":"tls.obtain","msg":"lock acquired","identifier":"unraid.grehg.xyz"}
{"level":"info","ts":1613311362.8358848,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["unraid.grehg.xyz"]}
{"level":"info","ts":1613311362.8359134,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["unraid.grehg.xyz"]}
{"level":"info","ts":1613311363.621296,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"unraid.grehg.xyz","challenge_type":"tls-alpn-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1613311364.1144583,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"unraid.grehg.xyz","challenge_type":"tls-alpn-01","status_code":400,"problem_type":"urn:ietf:params:acme:error:dns","error":"No valid IP addresses found for unraid.grehg.xyz"}
{"level":"error","ts":1613311364.1144931,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"unraid.grehg.xyz","error":"authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - No valid IP addresses found for unraid.grehg.xyz","order":"https://acme-v02.api.letsencrypt.org/acme/order/112437493/7904505438","attempt":1,"max_attempts":3}
{"level":"info","ts":1613311365.317856,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"unraid.grehg.xyz","challenge_type":"http-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1613311365.7185018,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"unraid.grehg.xyz","challenge_type":"http-01","status_code":400,"problem_type":"urn:ietf:params:acme:error:dns","error":"No valid IP addresses found for unraid.grehg.xyz"}
{"level":"error","ts":1613311365.718539,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"unraid.grehg.xyz","error":"authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - No valid IP addresses found for unraid.grehg.xyz","order":"https://acme-v02.api.letsencrypt.org/acme/order/112437493/7904505831","attempt":2,"max_attempts":3}
{"level":"info","ts":1613311367.046424,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["unraid.grehg.xyz"]}
{"level":"info","ts":1613311367.0465088,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["unraid.grehg.xyz"]}
{"level":"info","ts":1613311368.7006106,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"unraid.grehg.xyz","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"error","ts":1613311669.6372132,"logger":"tls.obtain","msg":"will retry","error":"[unraid.grehg.xyz] Obtain: [unraid.grehg.xyz] solving challenges: [unraid.grehg.xyz] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/2au2eUN-pdrwoJ23UhYhwQ) (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":306.846336473,"max_duration":2592000}
{"level":"info","ts":1613311730.295023,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"unraid.grehg.xyz","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1613311731.3704333,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"unraid.grehg.xyz","challenge_type":"http-01","status_code":400,"problem_type":"urn:ietf:params:acme:error:dns","error":"No valid IP addresses found for unraid.grehg.xyz"}
{"level":"error","ts":1613311731.3705115,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"unraid.grehg.xyz","error":"authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - No valid IP addresses found for unraid.grehg.xyz","order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/18042893/240263624","attempt":1,"max_attempts":3}
{"level":"info","ts":1613311732.7081492,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"unraid.grehg.xyz","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1613311733.236309,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"unraid.grehg.xyz","challenge_type":"tls-alpn-01","status_code":400,"problem_type":"urn:ietf:params:acme:error:dns","error":"No valid IP addresses found for unraid.grehg.xyz"}
{"level":"error","ts":1613311733.236349,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"unraid.grehg.xyz","error":"authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - No valid IP addresses found for unraid.grehg.xyz","order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/18042893/240263645","attempt":2,"max_attempts":3}
{"level":"info","ts":1613311735.7454767,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"unraid.grehg.xyz","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"error","ts":1613312037.0335948,"logger":"tls.obtain","msg":"will retry","error":"[unraid.grehg.xyz] Obtain: [unraid.grehg.xyz] solving challenges: [unraid.grehg.xyz] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/ir_NM9bXM7kk9zkzi9lAXw) (ca=https://acme.zerossl.com/v2/DV90)","attempt":2,"retrying_in":120,"elapsed":674.242720478,"max_duration":2592000}
{"level":"info","ts":1613312157.5465395,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"unraid.grehg.xyz","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1613312157.9624379,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"unraid.grehg.xyz","challenge_type":"http-01","status_code":400,"problem_type":"urn:ietf:params:acme:error:dns","error":"No valid IP addresses found for unraid.grehg.xyz"}
{"level":"error","ts":1613312157.9624746,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"unraid.grehg.xyz","error":"authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - No valid IP addresses found for unraid.grehg.xyz","order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/18042893/240267115","attempt":1,"max_attempts":3}
{"level":"info","ts":1613312159.139391,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"unraid.grehg.xyz","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1613312159.745343,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"unraid.grehg.xyz","challenge_type":"tls-alpn-01","status_code":400,"problem_type":"urn:ietf:params:acme:error:dns","error":"No valid IP addresses found for unraid.grehg.xyz"}
{"level":"error","ts":1613312159.7453814,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"unraid.grehg.xyz","error":"authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - No valid IP addresses found for unraid.grehg.xyz","order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/18042893/240267131","attempt":2,"max_attempts":3}
{"level":"info","ts":1613312162.2983823,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"unraid.grehg.xyz","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"error","ts":1613312463.4226704,"logger":"tls.obtain","msg":"will retry","error":"[unraid.grehg.xyz] Obtain: [unraid.grehg.xyz] solving challenges: [unraid.grehg.xyz] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/t8FQdv9FM075kQWoFDC8Pg) (ca=https://acme.zerossl.com/v2/DV90)","attempt":3,"retrying_in":120,"elapsed":1100.631795524,"max_duration":2592000}
{"level":"info","ts":1613312584.0692773,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"unraid.grehg.xyz","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1613312584.5004144,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"unraid.grehg.xyz","challenge_type":"http-01","status_code":400,"problem_type":"urn:ietf:params:acme:error:dns","error":"No valid IP addresses found for unraid.grehg.xyz"}
{"level":"error","ts":1613312584.5004644,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"unraid.grehg.xyz","error":"authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - No valid IP addresses found for unraid.grehg.xyz","order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/18042893/240270470","attempt":1,"max_attempts":3}
{"level":"info","ts":1613312585.6766846,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"unraid.grehg.xyz","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1613312586.0910618,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"unraid.grehg.xyz","challenge_type":"tls-alpn-01","status_code":400,"problem_type":"urn:ietf:params:acme:error:dns","error":"No valid IP addresses found for unraid.grehg.xyz"}
{"level":"error","ts":1613312586.0910912,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"unraid.grehg.xyz","error":"authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - No valid IP addresses found for unraid.grehg.xyz","order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/18042893/240270480","attempt":2,"max_attempts":3}
{"level":"info","ts":1613312588.8719897,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"unraid.grehg.xyz","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"error","ts":1613312892.7510471,"logger":"tls.obtain","msg":"will retry","error":"[unraid.grehg.xyz] Obtain: [unraid.grehg.xyz] solving challenges: [unraid.grehg.xyz] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/oLJyVzhWkG06iqryuTPfwQ) (ca=https://acme.zerossl.com/v2/DV90)","attempt":4,"retrying_in":300,"elapsed":1529.960170603,"max_duration":2592000}
{"level":"info","ts":1613313194.5689545,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"unraid.grehg.xyz","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1613313194.9773667,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"unraid.grehg.xyz","challenge_type":"http-01","status_code":400,"problem_type":"urn:ietf:params:acme:error:dns","error":"No valid IP addresses found for unraid.grehg.xyz"}
{"level":"error","ts":1613313194.9774048,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"unraid.grehg.xyz","error":"authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - No valid IP addresses found for unraid.grehg.xyz","order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/18042893/240274456","attempt":1,"max_attempts":3}
{"level":"info","ts":1613313196.156005,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"unraid.grehg.xyz","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1613313196.5727189,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"unraid.grehg.xyz","challenge_type":"tls-alpn-01","status_code":400,"problem_type":"urn:ietf:params:acme:error:dns","error":"No valid IP addresses found for unraid.grehg.xyz"}
{"level":"error","ts":1613313196.5727549,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"unraid.grehg.xyz","error":"authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - No valid IP addresses found for unraid.grehg.xyz","order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/18042893/240274470","attempt":2,"max_attempts":3}
{"level":"info","ts":1613313199.4684935,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"unraid.grehg.xyz","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"error","ts":1613313500.3908622,"logger":"tls.obtain","msg":"will retry","error":"[unraid.grehg.xyz] Obtain: [unraid.grehg.xyz] solving challenges: [unraid.grehg.xyz] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/IoQ6vuhG8Yea-ArP_1R1mQ) (ca=https://acme.zerossl.com/v2/DV90)","attempt":5,"retrying_in":600,"elapsed":2137.59998557,"max_duration":2592000}
{"level":"info","ts":1613313889.3462927,"msg":"shutting down apps then terminating","signal":"SIGTERM"}
{"level":"info","ts":1613313890.3848588,"logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0xc0003d2460"}
{"level":"info","ts":1613313890.384885,"logger":"tls.obtain","msg":"releasing lock","identifier":"unraid.grehg.xyz"}
{"level":"error","ts":1613313890.3861017,"logger":"tls","msg":"job failed","error":"unraid.grehg.xyz: obtaining certificate: context canceled"}
5. What I already tried:
I’ve turned on debugging to see if I can find any additional information.
I’ve checked my DNS, from Namecheap, and everything looks correct there. Again, I have a working Nginx setup, so I imagine the DNS is configured correctly. For completion, here is what my DNS looks like:
| Type | Host | Value | TTL |
|--------------|------|--------------------------|-----------|
| A Record | @ | 172.24.0.2 | Automatic |
| CNAME Record | * | grehg.xyz | Automatic |
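
An added triage example (not part of the original post and not Caddy project code): it tallies the `challenge failed` entries in Caddy's JSON log by challenge type and ACME problem type, and flags any A/AAAA record whose value is not a globally routable address, since a public CA cannot complete http-01 or tls-alpn-01 against such an address. The function names and the shortened sample log lines are constructed for the example; the DNS records are the ones from the table above.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample: lines shortened from the log format shown in the post,
# plus one non-JSON line to show that stray container output is tolerated.
SAMPLE_LOG = """\
{"level":"info","logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"unraid.grehg.xyz","challenge_type":"tls-alpn-01"}
{"level":"error","logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"unraid.grehg.xyz","challenge_type":"tls-alpn-01","status_code":400,"problem_type":"urn:ietf:params:acme:error:dns","error":"No valid IP addresses found for unraid.grehg.xyz"}
{"level":"error","logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"unraid.grehg.xyz","challenge_type":"http-01","status_code":400,"problem_type":"urn:ietf:params:acme:error:dns","error":"No valid IP addresses found for unraid.grehg.xyz"}
not-json line that should be skipped
"""

# DNS records as listed in the post's table: (type, host, value).
DNS_RECORDS = [("A", "@", "172.24.0.2"), ("CNAME", "*", "grehg.xyz")]


def summarize_challenge_failures(log_text):
    """Count 'challenge failed' events by (identifier, challenge_type, problem_type)."""
    counts = Counter()
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip anything that is not a JSON log entry
        if not isinstance(entry, dict) or entry.get("msg") != "challenge failed":
            continue
        key = (entry.get("identifier"), entry.get("challenge_type"),
               entry.get("problem_type"))
        counts[key] += 1
    return counts


def publicly_unreachable(records):
    """Return (host, value) for A/AAAA records that are not globally routable."""
    flagged = []
    for rtype, host, value in records:
        if rtype not in ("A", "AAAA"):
            continue  # CNAMEs and other types carry no address to check
        if not ipaddress.ip_address(value).is_global:
            flagged.append((host, value))
    return flagged


if __name__ == "__main__":
    for key, n in summarize_challenge_failures(SAMPLE_LOG).items():
        print(n, *key)
    for host, value in publicly_unreachable(DNS_RECORDS):
        print(f"record {host} -> {value} is not reachable from a public CA")
```
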