ERROR 525 cloudflare subdomain ipv6

1. Output of caddy version:

v2.6.1 h1:EDqo59TyYWhXQnfde93Mmv4FJfYe00dO60zMiEt+pzo=

2. How I run Caddy:

a. System environment:

Virtualization: lxc
Operating System: Ubuntu 20.04.5 LTS
Kernel: Linux 5.4.162-1-pve
Architecture: x86-64

b. Command:

I’ve downloaded caddy using

curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy

and then added the Cloudflare package using
caddy add-package

I’m starting caddy by:

caddy start

keycloak docker container

docker run -d -p 2709:8080 --name keycloak-dev -e KEYCLOAK_ADMIN=example -e KEYCLOAK_ADMIN_PASSWORD=example -e KC_PROXY=edge -e PROXY_ADDRESS_FORWARDING=true quay.io/keycloak/keycloak:19.0.2 start-dev

c. Service/unit/compose file:

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddy config:

(cloudflare) {
        tls example@example.com {
                dns cloudflare {env.CLOUDFLARE_AUTH_TOKEN}
        }
}

keycloak.iliadril.xyz {
        import cloudflare
        respond "Hello! I am finally working!"
}

iliadril.xyz {
        import cloudflare
        reverse_proxy :2709
}

3. The problem I’m having:

I intend to run a Docker Keycloak container under a separate subdomain, but I'm getting "SSL handshake failed" (Error code 525) on both domains. Keycloak ran successfully on the main domain (iliadril.xyz), but after sudo systemctl restart caddy it doesn't work on either the main domain or the subdomain.
My VPS provider isn't handing out IPv4 addresses, so I have to proxy my IPv6 through Cloudflare, which gives me some trouble.

4. Error messages and/or full log output:

curl -kIL iliadril.xyz --resolve iliadril.xyz:[IPv6] --resolve iliadril.xyz:[IPv6]

HTTP/1.1 308 Permanent Redirect
Connection: close
Location: https://iliadril.xyz/
Server: Caddy
Date: Wed, 28 Sep 2022 12:51:56 GMT

curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

sudo journalctl -u caddy

wrz 28 12:52:05 j242 caddy[954]: {"level":"error","ts":1664369525.2136521,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":>
wrz 28 12:52:05 j242 caddy[954]: {"level":"error","ts":1664369525.2139134,"logger":"tls.obtain","msg":"will retry","error":"[iliadril.xyz] Obtain: [iliadri>
wrz 28 12:52:05 j242 caddy[954]: {"level":"error","ts":1664369525.7783217,"logger":"http.acme_client","msg":"cleaning up solver","identifier":"iliadril.del>
wrz 28 12:52:07 j242 caddy[954]: {"level":"error","ts":1664369527.8812165,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":>
wrz 28 12:52:07 j242 caddy[954]: {"level":"error","ts":1664369527.8817258,"logger":"tls.obtain","msg":"will retry","error":"[keycloak.iliadril.xyz] Obtain:>
wrz 28 12:52:09 j242 caddy[954]: {"level":"error","ts":1664369529.0813124,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":>
wrz 28 12:52:09 j242 caddy[954]: {"level":"error","ts":1664369529.0818322,"logger":"tls.obtain","msg":"will retry","error":"[keycloak.deloitte.cyou] Obtain>

5. What I already tried:

  • I tried to follow Error 525 ssl handshake failed - #14 by francislavoie
  • made sure I use correct cloudflare API token
  • tried several Caddyfiles that I’ve found on this forum
  • set SSL/TLS full (strict) on cloudflare
  • tried to disable proxy status (unchecked the cloudflare cloud)

6. Links to relevant resources:

https://iliadril.xyz/
https://keycloak.iliadril.xyz/

The right way to use a custom build with plugins is by following these steps, to make sure that upgrading the apt package doesn’t clobber your custom build:

Don't use caddy start. That should only be used for temporary/development use cases.

When you install Caddy with the apt repo, Caddy is set up to run as a systemd service. Follow this guide to understand how to use it that way:

Your logs are all truncated. Notice the > at the end of the line. So we can’t actually see the real error message. Please use the command we recommend in the docs to see your systemd logs: Keep Caddy Running — Caddy Documentation


Hi! Thank you so much for your reply, and sorry for the late response.

I've scrapped the old Caddy instance and installed a new one using xcaddy; after that I followed Keep Caddy Running — Caddy Documentation.

It seems that on the previous install I had failed to properly define the environment variable env.CLOUDFLARE_AUTH_TOKEN inside [Service] when using sudo systemctl edit caddy.
After setting it up and reloading the service, everything seems to be working properly.

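The fix described in the reply above is to make CLOUDFLARE_AUTH_TOKEN available to the systemd service so that the Caddyfile's {env.CLOUDFLARE_AUTH_TOKEN} placeholder resolves. The script below is an added example, not code from the thread or from the Caddy project: instead of writing Environment=CLOUDFLARE_AUTH_TOKEN=... directly into the override.conf that sudo systemctl edit caddy creates (that file is root-owned but world-readable by default), it keeps the secret in a root-only env file and points the drop-in at it with EnvironmentFile=. The paths /etc/caddy/cloudflare.env and /etc/systemd/system/caddy.service.d are assumptions, passed as parameters so the functions can be tried against a scratch directory first.

```shell
#!/bin/sh
# Added example (not from the thread): supply CLOUDFLARE_AUTH_TOKEN to
# caddy.service without putting the secret in a world-readable unit file.
# Assumed paths: /etc/caddy/cloudflare.env and the caddy.service.d drop-in
# directory; both are parameters so the functions can run against a scratch dir.
set -eu

# Write the token to an env file that only root can read. systemd reads
# EnvironmentFile= as root before switching to User=caddy, so the caddy
# user itself never needs read access to the file.
write_caddy_env() {
    envfile=$1
    token=$2
    # Create the file with a private umask so it is never briefly 0644.
    ( umask 077; printf 'CLOUDFLARE_AUTH_TOKEN=%s\n' "$token" > "$envfile" )
    chmod 0600 "$envfile"
}

# Write the same drop-in that `sudo systemctl edit caddy` would open,
# but it carries only a path, not the secret.
write_caddy_dropin() {
    dropin_dir=$1
    envfile=$2
    mkdir -p "$dropin_dir"
    printf '[Service]\nEnvironmentFile=%s\n' "$envfile" > "$dropin_dir/override.conf"
}

# Succeed only if the env file exists and its mode is exactly 0600.
env_file_is_private() {
    [ -f "$1" ] && [ -n "$(find "$1" -perm 600 -print)" ]
}

# Read the token back the way systemd will parse it (KEY=VALUE lines).
token_from_env_file() {
    sed -n 's/^CLOUDFLARE_AUTH_TOKEN=//p' "$1"
}

# Real installation, run as root (assumed paths; CF_TOKEN holds the token):
#   write_caddy_env /etc/caddy/cloudflare.env "$CF_TOKEN"
#   write_caddy_dropin /etc/systemd/system/caddy.service.d /etc/caddy/cloudflare.env
#   systemctl daemon-reload && systemctl restart caddy
```

Two caveats worth knowing when using this. First, a change to the unit's environment needs systemctl daemon-reload followed by a full restart of the service; the ExecReload line in the unit above runs caddy reload, which re-reads the Caddyfile but not the service's environment. Second, the stock unit starts Caddy with caddy run --environ, which prints the whole process environment, token included, into the journal on every start; drop --environ from ExecStart (or accept that anyone who can read the caddy journal can read the token) and scope the Cloudflare API token to DNS edits on the zones Caddy actually needs.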
