Error: adapting config using caddyfile: subject does not qualify for certificate: '{env.SSLCERTIFICATE}'

1. The problem I’m having:

Subject does not qualify for certificate

2. Error messages and/or full log output:

Error: adapting config using caddyfile: subject does not qualify for certificate: '{env.SSLCERTIFICATE}'

3. Caddy version:

v2.6.4

4. How I installed and ran Caddy:

I installed it using docker following a guide

a. System environment:

I’m using Synology and docker

b. Command:

sudo docker-compose -f docker-compose_bitwarden-caddy.yml up

c. Service/unit/compose file:

#---
#Docker-compose file for Vaultwarden proxied by caddy 2.0
#--- 
version: "3"
services: 
  vaultwarden: 
    restart: always
    # Dani Garcia image https://github.com/dani-garcia/bitwarden_rs
    image: "vaultwarden/server:latest"
    container_name: vaultwarden
    environment:
      # Timezone settings, important for Fail2ban to work
      - TZ=Europe/Paris
      # Logging connection attempts
      - LOG_FILE=/data/bitwarden.log
      - EXTENDED_LOGGING='true'
      - LOG_LEVEL=warn
      # Beef up a bit
      - ROCKET_WORKERS=20
      - WEBSOCKET_ENABLED='true'
      # Hardening a bit
      - SIGNUPS_ALLOWED='false'
      - DISABLE_ADMIN_TOKEN='true'
      #- ADMIN_TOKEN=YourRandomTokenHere
      - SHOW_PASSWORD_HINT='false'
      - DISABLE_ICON_DOWNLOAD='true'
      #- SMTP_HOST=smtphost
      #- SMTP_PORT=port
      #- SMTP_SSL='true'
      #- SMTP_FROM=address_from@domain.tld
      #- SMTP_USERNAME=smtp_user_name
      #- SMTP_PASSWORD=smtp_password
    expose:
      - "80"
    networks:
      - bitwarden_net
    volumes: 
      - /volume1/docker/bw-data:/data
      
  caddy: 
    restart: always
    #Official Caddy 2.0 image
    image: "caddy:latest"
    container_name: Caddy_proxy
    environment:
      - TZ=Europe/Paris
      - LOG_FILE=/data/logs/caddy.log
      # Set these if TLS is required: point to your own cert/key, or request one from Let's Encrypt
      - SSLCERTIFICATE=/volume1/docker/Cert/origincert.pem
      - SSLKEY=/volume1/docker/Cert/private.pem
      - ACMEE_AGREE='true'
      - DOMAIN=domain
      - EMAIL=email
    ports: 
      - 8040:80
      #- 8443:443
    networks:
      - bitwarden_net
    volumes: 
      - ./caddy-data/config/Caddyfile:/etc/caddy/Caddyfile
      - ./caddy-data/data:/data
      - ./caddy-data/sites:/var/www/html
      - Certfiles:/root/.caddy

volumes:
  Certfiles:

networks:
  bitwarden_net:

d. My complete Caddy config:

# Caddyfile V2.0 config file
:80 {
  #Caddy on port 80 in container to bitwarden_rs private instance
  #Use it if Caddy behind another reverse proxy such as the one embedded on Synology
  log {
	output file {env.LOG_FILE}
	level INFO
	#roll_size 5MiB #Not working on Caddy V2.0.0 Beta20 https://caddyserver.com/docs/caddyfile/directives/log#log
	#roll_keep 5 #Not working on Caddy V2.0.0 Beta20 https://caddyserver.com/docs/caddyfile/directives/log#log
  }
  encode zstd gzip

  header / {
       # Enable cross-site filter (XSS) and tell browser to block detected attacks
       X-XSS-Protection "1; mode=block"
       # Disallow the site to be rendered within a frame (clickjacking protection)
       X-Frame-Options "DENY"
       # Prevent search engines from indexing (optional)
       X-Robots-Tag "none"
       # Server name remove
       -Server
   }

  # The negotiation endpoint is also proxied to Rocket
  reverse_proxy /notifications/hub/negotiate vaultwarden:80

  # Notifications redirected to the websockets server
  reverse_proxy /notifications/hub vaultwarden:3012

  # Proxy the Root directory to Rocket
  reverse_proxy vaultwarden:80
}

#{env.DOMAIN}:443 {
#  #Caddy on port 443 in container to bitwarden_rs private instance 
#  #Use it if Caddy exposed to the net 
#  #Doc about automatic HTTPS https://caddyserver.com/docs/automatic-https
#
#  log {
#	output file {env.LOG_FILE}
#	level INFO
#   #roll_size 5MiB #Not working on Caddy V2.0.0 Beta20 https://caddyserver.com/docs/caddyfile/directives/log#log
#   #roll_keep 5 #Not working on Caddy V2.0.0 Beta20 https://caddyserver.com/docs/caddyfile/directives/log#log
#  }
#
#  # Uncomment only one of the 2 lines. Depending if you provide your own cert or request one from Let's Encrypt
  tls {env.SSLCERTIFICATE} {env.SSLKEY}
#  tls {env.EMAIL}
#
#  encode zstd gzip
#
#  header / {
#       # Enable HTTP Strict Transport Security (HSTS)
#       Strict-Transport-Security "max-age=31536000;"
#       # Enable cross-site filter (XSS) and tell browser to block detected attacks
#       X-XSS-Protection "1; mode=block"
#       # Disallow the site to be rendered within a frame (clickjacking protection)
#       X-Frame-Options "DENY"
#       # Prevent search engines from indexing (optional)
#       X-Robots-Tag "none"
#       # Server name remove
#       -Server
#   }
#  # The negotiation endpoint is also proxied to Rocket
#  reverse_proxy /notifications/hub/negotiate vaultwarden:80
#
#  # Notifications redirected to the websockets server
#  reverse_proxy /notifications/hub vaultwarden:3012
#
#  # Proxy the Root directory to Rocket
#  reverse_proxy vaultwarden:80
#}

5. Links to relevant resources:

You have your site address commented out, so your Caddyfile has invalid syntax and it thinks your tls {env.SSLCERTIFICATE} line is your site address. See Caddyfile Concepts — Caddy Documentation

You should not use {env.*} for your site address and cert/key (which is parsed at runtime on each access of the config value), you should use {$ENV} instead which is parsed at config-adapt time, i.e. once just before Caddy starts. See Caddyfile Concepts — Caddy Documentation

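As an added example (not the original poster's config and not code from the Caddy project), here is the :443 site block from the question with the two fixes from the reply applied: the site address is uncommented, and every environment reference uses the adapt-time `{$VAR}` form instead of the runtime `{env.VAR}` placeholder. It assumes the same variable names as the compose file above (DOMAIN, LOG_FILE, SSLCERTIFICATE, SSLKEY, EMAIL) are set in the Caddy container's environment. It also drops the `/` after `header`: in Caddy v2 a bare `/` path matcher matches only the exact root path, so the original `header /` block would not have applied the security headers to any other response. `X-XSS-Protection` is left out because current browsers ignore it.

```caddyfile
# Added example: corrected :443 site block for the Vaultwarden proxy.
# Assumes DOMAIN, LOG_FILE, SSLCERTIFICATE, SSLKEY and EMAIL are set in the
# container environment, as in the compose file this thread discusses.

# Site address uncommented and written with the adapt-time form, so Caddy
# sees a real site block instead of treating the "tls" line as the address.
{$DOMAIN}:443 {
	log {
		output file {$LOG_FILE}
		level INFO
	}

	# Option A: your own certificate and key. The paths are resolved inside
	# the container, so the directory holding them must be mounted there.
	tls {$SSLCERTIFICATE} {$SSLKEY}

	# Option B (use instead of option A): let Caddy obtain a certificate
	# from an ACME CA; the address is the account contact.
	# tls {$EMAIL}

	encode zstd gzip

	# No path matcher here, so the headers apply to every response.
	header {
		# HSTS: browsers keep using HTTPS for this host for one year
		Strict-Transport-Security "max-age=31536000;"
		# Clickjacking protection
		X-Frame-Options "DENY"
		# Keep search engines away (optional)
		X-Robots-Tag "none"
		# Remove the Server header
		-Server
	}

	# Negotiation endpoint goes to Rocket, the hub to the websocket server,
	# everything else to Rocket.
	reverse_proxy /notifications/hub/negotiate vaultwarden:80
	reverse_proxy /notifications/hub vaultwarden:3012
	reverse_proxy vaultwarden:80
}
```

Two checks before relying on this: the compose file in the question sets SSLCERTIFICATE and SSLKEY to paths under /volume1/docker/Cert but does not mount that directory into the Caddy container, so option A fails until a volume such as `/volume1/docker/Cert:/volume1/docker/Cert:ro` is added; and the `8443:443` port mapping is commented out, so nothing reaches the :443 site block until it is enabled. Running `caddy validate --config /etc/caddy/Caddyfile` inside the container reports adapt-time errors like the one in the question without starting the server.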

that fixed my issue, I am up and running. thank you very much
