1. The problem I’m having:
Trying to set up Caddy (specifically caddy-docker-proxy) on an Oracle Cloud Server with Cloudflare as a DNS provider running Portainer. I can get as far as connecting, but get either “Invalid SSL Certificate” or “Client sent an HTTP request to an HTTPS server” errors.
A non-exhaustive list of solutions I’ve tried:
- changing Cloudflare security settings (off/flexible/full/full strict)
- regenerating Cloudflare token
- setting the `tls` global setting (logs told me the setting was deprecated)
- changing portainer port to 8000, 9000, 9443
- changing `tls` to internal in portainer’s container
2. Error messages and/or full log output:
2023/11/13 10:47:28.639 INFO docker-proxy Running caddy proxy server
2023/11/13 10:47:28.645 INFO admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2023/11/13 10:47:28.646 INFO autosaved config (load with --resume flag) {"file": "/config/caddy/autosave.json"}
2023/11/13 10:47:28.646 INFO docker-proxy Running caddy proxy controller
2023/11/13 10:47:28.649 INFO docker-proxy Start {"CaddyfilePath": "", "LabelPrefix": "caddy", "PollingInterval": 30, "ProxyServiceTasks": true, "ProcessCaddyfile": true, "ScanStoppedContainers": true, "IngressNetworks": "[caddy]", "DockerSockets": [""], "DockerCertsPath": [""], "DockerAPIsVersion": [""]}
2023/11/13 10:47:28.651 INFO docker-proxy IngressNetworksMap {"ingres": "map[803ea9311e58d654e0866fe4ece1d18eac01ba9ff5f030092c9f14abf9ab2bf1:true caddy:true]"}
2023/11/13 10:47:28.653 INFO docker-proxy Connecting to docker events {"DockerSocket": ""}
2023/11/13 10:47:28.663 INFO docker-proxy Swarm is available {"new": false}
2023/11/13 10:47:28.674 INFO docker-proxy New Caddyfile {"caddyfile": "{\n\tacme_dns cloudflare {env.CF_API_TOKEN}\n\tdebug\n}\nportainer.bustinbung.com {\n\treverse_proxy 172.30.0.3:9443\n\ttls internal\n}\n"}
2023/11/13 10:47:28.675 INFO docker-proxy New Config JSON {"json": "{\"logging\":{\"logs\":{\"default\":{\"level\":\"DEBUG\"}}},\"apps\":{\"http\":{\"servers\":{\"srv0\":{\"listen\":[\":443\"],\"routes\":[{\"match\":[{\"host\":[\"portainer.bustinbung.com\"]}],\"handle\":[{\"handler\":\"subroute\",\"routes\":[{\"handle\":[{\"handler\":\"reverse_proxy\",\"upstreams\":[{\"dial\":\"172.30.0.3:9443\"}]}]}]}],\"terminal\":true}]}}},\"tls\":{\"automation\":{\"policies\":[{\"subjects\":[\"portainer.bustinbung.com\"],\"issuers\":[{\"module\":\"internal\"}]}]}}}}"}
2023/11/13 10:47:28.675 INFO docker-proxy Sending configuration to {"server": "localhost"}
2023/11/13 10:47:28.677 INFO admin.api received request {"method": "POST", "host": "localhost:2019", "uri": "/load", "remote_ip": "127.0.0.1", "remote_port": "54882", "headers": {"Accept-Encoding":["gzip"],"Content-Length":["463"],"Content-Type":["application/json"],"User-Agent":["Go-http-client/1.1"]}}
2023/11/13 10:47:28.679 INFO admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["//127.0.0.1:2019", "//localhost:2019", "//[::1]:2019"]}
2023/11/13 10:47:28.680 INFO tls.cache.maintenance started background certificate maintenance {"cache": "0x40000baf80"}
2023/11/13 10:47:28.687 INFO http.auto_https server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2023/11/13 10:47:28.688 INFO http.auto_https enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
2023/11/13 10:47:28.688 DEBUG http.auto_https adjusted config {"tls": {"automation":{"policies":[{"subjects":["portainer.bustinbung.com"]},{}]}}, "http": {"servers":{"remaining_auto_https_redirects":{"listen":[":80"],"routes":[{},{}]},"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"172.30.0.3:9443"}]}]}]}],"terminal":true}],"tls_connection_policies":[{}],"automatic_https":{}}}}}
2023/11/13 10:47:28.713 WARN pki.ca.local installing root certificate (you might be prompted for password) {"path": "storage:pki/authorities/local/root.crt"}
2023/11/13 10:47:28.713 INFO warning: "certutil" is not available, install "certutil" with "apt install libnss3-tools" or "yum install nss-tools" and try again
2023/11/13 10:47:28.713 INFO define JAVA_HOME environment variable to use the Java trust
2023/11/13 10:47:28.792 INFO certificate installed properly in linux trusts
2023/11/13 10:47:28.793 INFO http enabling HTTP/3 listener {"addr": ":443"}
2023/11/13 10:47:28.793 INFO tls cleaning storage unit {"description": "FileStorage:/data/caddy"}
2023/11/13 10:47:28.793 INFO failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details.
2023/11/13 10:47:28.794 DEBUG http starting server loop {"address": "[::]:443", "tls": true, "http3": true}
2023/11/13 10:47:28.794 INFO http.log server running {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2023/11/13 10:47:28.795 DEBUG http starting server loop {"address": "[::]:80", "tls": false, "http3": false}
2023/11/13 10:47:28.795 INFO tls finished cleaning storage units
2023/11/13 10:47:28.795 INFO http.log server running {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2023/11/13 10:47:28.795 INFO http enabling automatic TLS certificate management {"domains": ["portainer.bustinbung.com"]}
2023/11/13 10:47:28.798 WARN tls stapling OCSP {"error": "no OCSP stapling for [portainer.bustinbung.com]: no OCSP server specified in certificate", "identifiers": ["portainer.bustinbung.com"]}
2023/11/13 10:47:28.798 DEBUG tls.cache added certificate to cache {"subjects": ["portainer.bustinbung.com"], "expiration": "2023/11/13 22:09:59.000", "managed": true, "issuer_key": "local", "hash": "9e5e4137dec059a75443769a051134d3af19716478d60aa942e6a45c898d0b90", "cache_size": 1, "cache_capacity": 10000}
2023/11/13 10:47:28.798 DEBUG events event {"name": "cached_managed_cert", "id": "a2ab5ca2-5197-453b-aed2-dfb144133f49", "origin": "tls", "data": {"sans":["portainer.bustinbung.com"]}}
2023/11/13 10:47:28.799 INFO autosaved config (load with --resume flag) {"file": "/config/caddy/autosave.json"}
2023/11/13 10:47:28.799 INFO admin.api load complete
2023/11/13 10:47:28.800 INFO docker-proxy Successfully configured {"server": "localhost"}
2023/11/13 10:47:28.824 INFO admin stopped previous server {"address": "localhost:2019"}
2023/11/13 10:47:40.749 DEBUG events event {"name": "tls_get_certificate", "id": "98cbcaee-4767-4ab3-a2eb-c1853fabf857", "origin": "tls", "data": {"client_hello":{"CipherSuites":[51914,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"portainer.bustinbung.com","SupportedCurves":[14906,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[39578,772,771],"Conn":{}}}}
2023/11/13 10:47:40.750 DEBUG tls.handshake choosing certificate {"identifier": "portainer.bustinbung.com", "num_choices": 1}
2023/11/13 10:47:40.750 DEBUG tls.handshake default certificate selection results {"identifier": "portainer.bustinbung.com", "subjects": ["portainer.bustinbung.com"], "managed": true, "issuer_key": "local", "hash": "9e5e4137dec059a75443769a051134d3af19716478d60aa942e6a45c898d0b90"}
2023/11/13 10:47:40.750 DEBUG tls.handshake matched certificate in cache {"remote_ip": "198.137.18.254", "remote_port": "43019", "subjects": ["portainer.bustinbung.com"], "managed": true, "expiration": "2023/11/13 22:09:59.000", "hash": "9e5e4137dec059a75443769a051134d3af19716478d60aa942e6a45c898d0b90"}
2023/11/13 10:47:40.775 DEBUG http.stdlib http: TLS handshake error from 198.137.18.254:43019: remote error: tls: unknown certificate
2023/11/13 10:47:42.055 DEBUG events event {"name": "tls_get_certificate", "id": "9bacedb5-281f-4ebf-9fb6-dd4375d36226", "origin": "tls", "data": {"client_hello":{"CipherSuites":[51914,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"portainer.bustinbung.com","SupportedCurves":[27242,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[31354,772,771],"Conn":{}}}}
2023/11/13 10:47:42.055 DEBUG tls.handshake choosing certificate {"identifier": "portainer.bustinbung.com", "num_choices": 1}
2023/11/13 10:47:42.055 DEBUG tls.handshake default certificate selection results {"identifier": "portainer.bustinbung.com", "subjects": ["portainer.bustinbung.com"], "managed": true, "issuer_key": "local", "hash": "9e5e4137dec059a75443769a051134d3af19716478d60aa942e6a45c898d0b90"}
2023/11/13 10:47:42.056 DEBUG tls.handshake matched certificate in cache {"remote_ip": "198.137.18.254", "remote_port": "50559", "subjects": ["portainer.bustinbung.com"], "managed": true, "expiration": "2023/11/13 22:09:59.000", "hash": "9e5e4137dec059a75443769a051134d3af19716478d60aa942e6a45c898d0b90"}
2023/11/13 10:47:42.077 DEBUG http.stdlib http: TLS handshake error from 198.137.18.254:50559: remote error: tls: unknown certificate
2023/11/13 10:47:43.939 DEBUG events event {"name": "tls_get_certificate", "id": "ce7e364c-1330-4a9a-9a00-76f84a38c95c", "origin": "tls", "data": {"client_hello":{"CipherSuites":[27242,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"portainer.bustinbung.com","SupportedCurves":[23130,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[23130,772,771],"Conn":{}}}}
2023/11/13 10:47:43.939 DEBUG tls.handshake choosing certificate {"identifier": "portainer.bustinbung.com", "num_choices": 1}
2023/11/13 10:47:43.939 DEBUG tls.handshake default certificate selection results {"identifier": "portainer.bustinbung.com", "subjects": ["portainer.bustinbung.com"], "managed": true, "issuer_key": "local", "hash": "9e5e4137dec059a75443769a051134d3af19716478d60aa942e6a45c898d0b90"}
2023/11/13 10:47:43.939 DEBUG tls.handshake matched certificate in cache {"remote_ip": "198.137.18.254", "remote_port": "4809", "subjects": ["portainer.bustinbung.com"], "managed": true, "expiration": "2023/11/13 22:09:59.000", "hash": "9e5e4137dec059a75443769a051134d3af19716478d60aa942e6a45c898d0b90"}
2023/11/13 10:47:43.959 DEBUG http.stdlib http: TLS handshake error from 198.137.18.254:4809: remote error: tls: unknown certificate
2023/11/13 10:47:53.518 DEBUG events event {"name": "tls_get_certificate", "id": "0d7c652a-df01-4d3b-a88e-b89a1a7ed06c", "origin": "tls", "data": {"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,173,171,52398,52397,52396,157,169,52395,172,170,156,168,61,60,49208,49206,183,179,149,145,53,175,141,49207,49205,182,178,148,144,47,174,140,255],"ServerName":"cloud.bustinbung.com","SupportedCurves":[29,23,30,25,24],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,515,769,513,770,514,1026,1282,1538],"SupportedProtos":null,"SupportedVersions":[772,771,770,769],"Conn":{}}}}
2023/11/13 10:47:53.519 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "cloud.bustinbung.com"}
2023/11/13 10:47:53.519 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "*.bustinbung.com"}
2023/11/13 10:47:53.519 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "*.*.com"}
2023/11/13 10:47:53.519 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "*.*.*"}
2023/11/13 10:47:53.519 DEBUG tls.handshake no certificate matching TLS ClientHello {"remote_ip": "198.137.18.254", "remote_port": "32159", "server_name": "cloud.bustinbung.com", "remote": "198.137.18.254:32159", "identifier": "cloud.bustinbung.com", "cipher_suites": [4866, 4867, 4865, 49196, 49200, 159, 52393, 52392, 52394, 49195, 49199, 158, 49188, 49192, 107, 49187, 49191, 103, 49162, 49172, 57, 49161, 49171, 51, 173, 171, 52398, 52397, 52396, 157, 169, 52395, 172, 170, 156, 168, 61, 60, 49208, 49206, 183, 179, 149, 145, 53, 175, 141, 49207, 49205, 182, 178, 148, 144, 47, 174, 140, 255], "cert_cache_fill": 0.0001, "load_or_obtain_if_necessary": true, "on_demand": false}
2023/11/13 10:47:53.519 DEBUG http.stdlib http: TLS handshake error from 198.137.18.254:32159: no certificate available for 'cloud.bustinbung.com'
2023/11/13 10:47:53.519 DEBUG events event {"name": "tls_get_certificate", "id": "eac6c24a-24ab-416a-bd11-63b391859927", "origin": "tls", "data": {"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,173,171,52398,52397,52396,157,169,52395,172,170,156,168,61,60,49208,49206,183,179,149,145,53,175,141,49207,49205,182,178,148,144,47,174,140,255],"ServerName":"cloud.bustinbung.com","SupportedCurves":[29,23,30,25,24],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,515,769,513,770,514,1026,1282,1538],"SupportedProtos":null,"SupportedVersions":[772,771,770,769],"Conn":{}}}}
2023/11/13 10:47:53.520 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "cloud.bustinbung.com"}
2023/11/13 10:47:53.520 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "*.bustinbung.com"}
2023/11/13 10:47:53.520 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "*.*.com"}
2023/11/13 10:47:53.520 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "*.*.*"}
2023/11/13 10:47:53.520 DEBUG tls.handshake no certificate matching TLS ClientHello {"remote_ip": "198.137.18.254", "remote_port": "41285", "server_name": "cloud.bustinbung.com", "remote": "198.137.18.254:41285", "identifier": "cloud.bustinbung.com", "cipher_suites": [4866, 4867, 4865, 49196, 49200, 159, 52393, 52392, 52394, 49195, 49199, 158, 49188, 49192, 107, 49187, 49191, 103, 49162, 49172, 57, 49161, 49171, 51, 173, 171, 52398, 52397, 52396, 157, 169, 52395, 172, 170, 156, 168, 61, 60, 49208, 49206, 183, 179, 149, 145, 53, 175, 141, 49207, 49205, 182, 178, 148, 144, 47, 174, 140, 255], "cert_cache_fill": 0.0001, "load_or_obtain_if_necessary": true, "on_demand": false}
2023/11/13 10:47:53.520 DEBUG http.stdlib http: TLS handshake error from 198.137.18.254:41285: no certificate available for 'cloud.bustinbung.com'
2023/11/13 10:47:53.564 DEBUG events event {"name": "tls_get_certificate", "id": "fb33f0f0-fc54-4e68-b8e3-e42aa1bb4c83", "origin": "tls", "data": {"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,173,171,52398,52397,52396,157,169,52395,172,170,156,168,61,60,49208,49206,183,179,149,145,53,175,141,49207,49205,182,178,148,144,47,174,140,255],"ServerName":"cloud.bustinbung.com","SupportedCurves":[29,23,30,25,24],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,515,769,513,770,514,1026,1282,1538],"SupportedProtos":null,"SupportedVersions":[772,771,770,769],"Conn":{}}}}
2023/11/13 10:47:53.564 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "cloud.bustinbung.com"}
2023/11/13 10:47:53.564 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "*.bustinbung.com"}
2023/11/13 10:47:53.564 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "*.*.com"}
2023/11/13 10:47:53.564 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "*.*.*"}
2023/11/13 10:47:53.564 DEBUG tls.handshake no certificate matching TLS ClientHello {"remote_ip": "198.137.18.254", "remote_port": "35778", "server_name": "cloud.bustinbung.com", "remote": "198.137.18.254:35778", "identifier": "cloud.bustinbung.com", "cipher_suites": [4866, 4867, 4865, 49196, 49200, 159, 52393, 52392, 52394, 49195, 49199, 158, 49188, 49192, 107, 49187, 49191, 103, 49162, 49172, 57, 49161, 49171, 51, 173, 171, 52398, 52397, 52396, 157, 169, 52395, 172, 170, 156, 168, 61, 60, 49208, 49206, 183, 179, 149, 145, 53, 175, 141, 49207, 49205, 182, 178, 148, 144, 47, 174, 140, 255], "cert_cache_fill": 0.0001, "load_or_obtain_if_necessary": true, "on_demand": false}
2023/11/13 10:47:53.564 DEBUG http.stdlib http: TLS handshake error from 198.137.18.254:35778: no certificate available for 'cloud.bustinbung.com'
2023/11/13 10:47:55.194 DEBUG events event {"name": "tls_get_certificate", "id": "95a38a77-b868-458e-aa1b-54e8cf61a5f7", "origin": "tls", "data": {"client_hello":{"CipherSuites":[4865,4866,4867,49195,49196,49199,49200,49171,49192,156,157,47,53,10],"ServerName":"portainer.bustinbung.com","SupportedCurves":[29,23,24,25,25497,65074],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537,513,1539],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771,770,769],"Conn":{}}}}
2023/11/13 10:47:55.195 DEBUG tls.handshake choosing certificate {"identifier": "portainer.bustinbung.com", "num_choices": 1}
2023/11/13 10:47:55.195 DEBUG tls.handshake default certificate selection results {"identifier": "portainer.bustinbung.com", "subjects": ["portainer.bustinbung.com"], "managed": true, "issuer_key": "local", "hash": "9e5e4137dec059a75443769a051134d3af19716478d60aa942e6a45c898d0b90"}
2023/11/13 10:47:55.195 DEBUG tls.handshake matched certificate in cache {"remote_ip": "172.69.58.68", "remote_port": "21590", "subjects": ["portainer.bustinbung.com"], "managed": true, "expiration": "2023/11/13 22:09:59.000", "hash": "9e5e4137dec059a75443769a051134d3af19716478d60aa942e6a45c898d0b90"}
2023/11/13 10:47:55.215 DEBUG http.stdlib http: TLS handshake error from 172.69.58.68:21590: remote error: tls: unknown certificate authority
2023/11/13 10:47:55.767 DEBUG events event {"name": "tls_get_certificate", "id": "280ed439-9f9c-483f-905f-2320e96d65fe", "origin": "tls", "data": {"client_hello":{"CipherSuites":[4865,4866,4867,49195,49196,49199,49200,49171,49192,156,157,47,53,10],"ServerName":"portainer.bustinbung.com","SupportedCurves":[29,23,24,25,25497,65074],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537,513,1539],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771,770,769],"Conn":{}}}}
2023/11/13 10:47:55.767 DEBUG tls.handshake choosing certificate {"identifier": "portainer.bustinbung.com", "num_choices": 1}
2023/11/13 10:47:55.767 DEBUG tls.handshake default certificate selection results {"identifier": "portainer.bustinbung.com", "subjects": ["portainer.bustinbung.com"], "managed": true, "issuer_key": "local", "hash": "9e5e4137dec059a75443769a051134d3af19716478d60aa942e6a45c898d0b90"}
2023/11/13 10:47:55.768 DEBUG tls.handshake matched certificate in cache {"remote_ip": "172.69.58.69", "remote_port": "19616", "subjects": ["portainer.bustinbung.com"], "managed": true, "expiration": "2023/11/13 22:09:59.000", "hash": "9e5e4137dec059a75443769a051134d3af19716478d60aa942e6a45c898d0b90"}
2023/11/13 10:47:55.791 DEBUG http.stdlib http: TLS handshake error from 172.69.58.69:19616: remote error: tls: unknown certificate authority
2023/11/13 10:47:55.806 DEBUG events event {"name": "tls_get_certificate", "id": "58e48974-5e75-4c22-8351-48137a20e924", "origin": "tls", "data": {"client_hello":{"CipherSuites":[4865,4866,4867,49195,49196,49199,49200,49171,49192,156,157,47,53,10],"ServerName":"portainer.bustinbung.com","SupportedCurves":[29,23,24,25,25497,65074],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537,513,1539],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771,770,769],"Conn":{}}}}
2023/11/13 10:47:55.806 DEBUG tls.handshake choosing certificate {"identifier": "portainer.bustinbung.com", "num_choices": 1}
2023/11/13 10:47:55.806 DEBUG tls.handshake default certificate selection results {"identifier": "portainer.bustinbung.com", "subjects": ["portainer.bustinbung.com"], "managed": true, "issuer_key": "local", "hash": "9e5e4137dec059a75443769a051134d3af19716478d60aa942e6a45c898d0b90"}
2023/11/13 10:47:55.806 DEBUG tls.handshake matched certificate in cache {"remote_ip": "172.69.58.234", "remote_port": "20432", "subjects": ["portainer.bustinbung.com"], "managed": true, "expiration": "2023/11/13 22:09:59.000", "hash": "9e5e4137dec059a75443769a051134d3af19716478d60aa942e6a45c898d0b90"}
2023/11/13 10:47:55.828 DEBUG http.stdlib http: TLS handshake error from 172.69.58.234:20432: remote error: tls: unknown certificate authority
2023/11/13 10:47:58.650 DEBUG docker-proxy Skipping default Caddyfile because no path is set
2023/11/13 10:47:58.650 DEBUG docker-proxy Skipping swarm config caddyfiles because swarm is not available
2023/11/13 10:47:58.654 DEBUG docker-proxy Skipping swarm services because swarm is not available
2023/11/13 10:48:28.651 DEBUG docker-proxy Skipping default Caddyfile because no path is set
2023/11/13 10:48:28.651 DEBUG docker-proxy Skipping swarm config caddyfiles because swarm is not available
2023/11/13 10:48:28.664 DEBUG docker-proxy Skipping swarm services because swarm is not available
2023/11/13 10:48:40.312 DEBUG events event {"name": "tls_get_certificate", "id": "5220dac9-1d25-4303-b004-8a03797582f8", "origin": "tls", "data": {"client_hello":{"CipherSuites":[47802,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"portainer.bustinbung.com","SupportedCurves":[19018,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[23130,772,771],"Conn":{}}}}
2023/11/13 10:48:40.313 DEBUG tls.handshake choosing certificate {"identifier": "portainer.bustinbung.com", "num_choices": 1}
2023/11/13 10:48:40.313 DEBUG tls.handshake default certificate selection results {"identifier": "portainer.bustinbung.com", "subjects": ["portainer.bustinbung.com"], "managed": true, "issuer_key": "local", "hash": "9e5e4137dec059a75443769a051134d3af19716478d60aa942e6a45c898d0b90"}
2023/11/13 10:48:40.313 DEBUG tls.handshake matched certificate in cache {"remote_ip": "198.137.18.254", "remote_port": "18841", "subjects": ["portainer.bustinbung.com"], "managed": true, "expiration": "2023/11/13 22:09:59.000", "hash": "9e5e4137dec059a75443769a051134d3af19716478d60aa942e6a45c898d0b90"}
2023/11/13 10:48:40.335 DEBUG http.stdlib http: TLS handshake error from 198.137.18.254:18841: remote error: tls: unknown certificate
2023/11/13 10:48:40.889 DEBUG events event {"name": "tls_get_certificate", "id": "06ab5df9-f9b7-435b-8a4a-2c0aac982833", "origin": "tls", "data": {"client_hello":{"CipherSuites":[47802,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"portainer.bustinbung.com","SupportedCurves":[19018,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[27242,772,771],"Conn":{}}}}
2023/11/13 10:48:40.889 DEBUG tls.handshake choosing certificate {"identifier": "portainer.bustinbung.com", "num_choices": 1}
2023/11/13 10:48:40.889 DEBUG tls.handshake default certificate selection results {"identifier": "portainer.bustinbung.com", "subjects": ["portainer.bustinbung.com"], "managed": true, "issuer_key": "local", "hash": "9e5e4137dec059a75443769a051134d3af19716478d60aa942e6a45c898d0b90"}
2023/11/13 10:48:40.889 DEBUG tls.handshake matched certificate in cache {"remote_ip": "198.137.18.254", "remote_port": "51321", "subjects": ["portainer.bustinbung.com"], "managed": true, "expiration": "2023/11/13 22:09:59.000", "hash": "9e5e4137dec059a75443769a051134d3af19716478d60aa942e6a45c898d0b90"}
2023/11/13 10:48:40.910 DEBUG http.stdlib http: TLS handshake error from 198.137.18.254:51321: remote error: tls: unknown certificate
2023/11/13 10:48:41.070 DEBUG events event {"name": "tls_get_certificate", "id": "ac233d3d-e593-44b5-ac1f-016a806eea82", "origin": "tls", "data": {"client_hello":{"CipherSuites":[19018,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"portainer.bustinbung.com","SupportedCurves":[31354,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[35466,772,771],"Conn":{}}}}
2023/11/13 10:48:41.070 DEBUG tls.handshake choosing certificate {"identifier": "portainer.bustinbung.com", "num_choices": 1}
2023/11/13 10:48:41.070 DEBUG tls.handshake default certificate selection results {"identifier": "portainer.bustinbung.com", "subjects": ["portainer.bustinbung.com"], "managed": true, "issuer_key": "local", "hash": "9e5e4137dec059a75443769a051134d3af19716478d60aa942e6a45c898d0b90"}
2023/11/13 10:48:41.070 DEBUG tls.handshake matched certificate in cache {"remote_ip": "198.137.18.254", "remote_port": "2287", "subjects": ["portainer.bustinbung.com"], "managed": true, "expiration": "2023/11/13 22:09:59.000", "hash": "9e5e4137dec059a75443769a051134d3af19716478d60aa942e6a45c898d0b90"}
2023/11/13 10:48:41.092 DEBUG http.stdlib http: TLS handshake error from 198.137.18.254:2287: remote error: tls: unknown certificate
2023/11/13 10:48:41.265 DEBUG events event {"name": "tls_get_certificate", "id": "2ed45cdc-2216-47bc-b79e-28127d8ce664", "origin": "tls", "data": {"client_hello":{"CipherSuites":[43690,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"portainer.bustinbung.com","SupportedCurves":[27242,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[10794,772,771],"Conn":{}}}}
2023/11/13 10:48:41.265 DEBUG tls.handshake choosing certificate {"identifier": "portainer.bustinbung.com", "num_choices": 1}
2023/11/13 10:48:41.265 DEBUG tls.handshake default certificate selection results {"identifier": "portainer.bustinbung.com", "subjects": ["portainer.bustinbung.com"], "managed": true, "issuer_key": "local", "hash": "9e5e4137dec059a75443769a051134d3af19716478d60aa942e6a45c898d0b90"}
2023/11/13 10:48:41.265 DEBUG tls.handshake matched certificate in cache {"remote_ip": "198.137.18.254", "remote_port": "28584", "subjects": ["portainer.bustinbung.com"], "managed": true, "expiration": "2023/11/13 22:09:59.000", "hash": "9e5e4137dec059a75443769a051134d3af19716478d60aa942e6a45c898d0b90"}
2023/11/13 10:48:41.285 DEBUG http.stdlib http: TLS handshake error from 198.137.18.254:28584: remote error: tls: unknown certificate
2023/11/13 10:48:41.480 DEBUG events event {"name": "tls_get_certificate", "id": "660c90da-5950-480a-9d60-5a64c90f7fba", "origin": "tls", "data": {"client_hello":{"CipherSuites":[51914,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"portainer.bustinbung.com","SupportedCurves":[56026,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[27242,772,771],"Conn":{}}}}
2023/11/13 10:48:41.481 DEBUG tls.handshake choosing certificate {"identifier": "portainer.bustinbung.com", "num_choices": 1}
2023/11/13 10:48:41.481 DEBUG tls.handshake default certificate selection results {"identifier": "portainer.bustinbung.com", "subjects": ["portainer.bustinbung.com"], "managed": true, "issuer_key": "local", "hash": "9e5e4137dec059a75443769a051134d3af19716478d60aa942e6a45c898d0b90"}
2023/11/13 10:48:41.481 DEBUG tls.handshake matched certificate in cache {"remote_ip": "198.137.18.254", "remote_port": "8360", "subjects": ["portainer.bustinbung.com"], "managed": true, "expiration": "2023/11/13 22:09:59.000", "hash": "9e5e4137dec059a75443769a051134d3af19716478d60aa942e6a45c898d0b90"}
2023/11/13 10:48:41.502 DEBUG http.stdlib http: TLS handshake error from 198.137.18.254:8360: remote error: tls: unknown certificate
2023/11/13 10:48:41.688 DEBUG events event {"name": "tls_get_certificate", "id": "ff7f43a7-53d2-4ef2-a97a-3badb5387815", "origin": "tls", "data": {"client_hello":{"CipherSuites":[60138,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"portainer.bustinbung.com","SupportedCurves":[43690,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[23130,772,771],"Conn":{}}}}
2023/11/13 10:48:41.688 DEBUG tls.handshake choosing certificate {"identifier": "portainer.bustinbung.com", "num_choices": 1}
2023/11/13 10:48:41.688 DEBUG tls.handshake default certificate selection results {"identifier": "portainer.bustinbung.com", "subjects": ["portainer.bustinbung.com"], "managed": true, "issuer_key": "local", "hash": "9e5e4137dec059a75443769a051134d3af19716478d60aa942e6a45c898d0b90"}
2023/11/13 10:48:41.688 DEBUG tls.handshake matched certificate in cache {"remote_ip": "198.137.18.254", "remote_port": "9994", "subjects": ["portainer.bustinbung.com"], "managed": true, "expiration": "2023/11/13 22:09:59.000", "hash": "9e5e4137dec059a75443769a051134d3af19716478d60aa942e6a45c898d0b90"}
2023/11/13 10:48:41.710 DEBUG http.stdlib http: TLS handshake error from 198.137.18.254:9994: remote error: tls: unknown certificate
2023/11/13 10:48:41.844 DEBUG events event {"name": "tls_get_certificate", "id": "521e47c0-fb34-4c7c-9620-28d4b55c7434", "origin": "tls", "data": {"client_hello":{"CipherSuites":[23130,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"portainer.bustinbung.com","SupportedCurves":[23130,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[2570,772,771],"Conn":{}}}}
2023/11/13 10:48:41.845 DEBUG tls.handshake choosing certificate {"identifier": "portainer.bustinbung.com", "num_choices": 1}
/// cut for character limit ///
3. Caddy version:
caddy v2.7.5
caddy-docker-proxy v2.8.9
portainer v2.19.2
4. How I installed and ran Caddy:
I created a custom Caddy image using Dockerfiles. The image is available on Docker Hub here. I’ve configured Caddy through Portainer by connecting directly to the web UI with the server IP.
a. System environment:
OCI Ampere instance (aarch64)
Ubuntu 22.04.3 LTS
Docker v24.0.7
b. Command:
Run through Portainer
c. Service/unit/compose file:
d. My complete Caddy config:
Configured via labels through caddy-docker-proxy
# in labels
caddy.acme_dns=cloudflare {env.CF_API_TOKEN}
# in environment variables
CF_API_TOKEN=<API Token with Zone:Read and DNS:Edit permissions>
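
An added triage example, not part of the original post and not Caddy's own tooling: it reads a debug log in the format shown above and ties each `TLS handshake error` line to the certificate Caddy selected for that connection, keyed on remote IP and port. The sample lines are abridged from the log in this post, and the function names are made up for this example.

```python
import json
import re
from collections import Counter

# Lines abridged from the log in this post (fields not needed here are dropped).
SAMPLE_LOG = r"""
2023/11/13 10:47:40.750 DEBUG tls.handshake default certificate selection results {"identifier": "portainer.bustinbung.com", "subjects": ["portainer.bustinbung.com"], "managed": true, "issuer_key": "local", "hash": "9e5e4137dec059a75443769a051134d3af19716478d60aa942e6a45c898d0b90"}
2023/11/13 10:47:40.750 DEBUG tls.handshake matched certificate in cache {"remote_ip": "198.137.18.254", "remote_port": "43019", "subjects": ["portainer.bustinbung.com"], "hash": "9e5e4137dec059a75443769a051134d3af19716478d60aa942e6a45c898d0b90"}
2023/11/13 10:47:40.775 DEBUG http.stdlib http: TLS handshake error from 198.137.18.254:43019: remote error: tls: unknown certificate
2023/11/13 10:47:53.519 DEBUG tls.handshake no certificate matching TLS ClientHello {"remote_ip": "198.137.18.254", "remote_port": "32159", "server_name": "cloud.bustinbung.com"}
2023/11/13 10:47:53.519 DEBUG http.stdlib http: TLS handshake error from 198.137.18.254:32159: no certificate available for 'cloud.bustinbung.com'
2023/11/13 10:47:55.195 DEBUG tls.handshake matched certificate in cache {"remote_ip": "172.69.58.68", "remote_port": "21590", "subjects": ["portainer.bustinbung.com"], "hash": "9e5e4137dec059a75443769a051134d3af19716478d60aa942e6a45c898d0b90"}
2023/11/13 10:47:55.215 DEBUG http.stdlib http: TLS handshake error from 172.69.58.68:21590: remote error: tls: unknown certificate authority
2023/11/13 10:47:55.768 DEBUG tls.handshake matched certificate in cache {"remote_ip": "172.69.58.69", "remote_port": "19616", "subjects": ["portainer.bustinbung.com"], "hash": "9e5e4137dec059a75443769a051134d3af19716478d60aa942e6a45c898d0b90"}
2023/11/13 10:47:55.791 DEBUG http.stdlib http: TLS handshake error from 172.69.58.69:19616: remote error: tls: unknown certificate authority
"""

# "<date> <time> <LEVEL> <logger and message> [<JSON fields>]"
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) (\w+) (.*)$")
# Go's net/http error line: "... TLS handshake error from <ip>:<port>: <reason>"
ERR_RE = re.compile(r"TLS handshake error from (.+?):(\d+): (.*)$")


def parse_line(line):
    """Split one log line into (timestamp, level, message, fields).

    Returns None for lines that do not start with a timestamp and level.
    The trailing JSON object is optional; plain-text lines get empty fields.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, level, rest = m.groups()
    fields = {}
    idx = rest.find(' {"')
    if idx != -1:
        try:
            fields = json.loads(rest[idx + 1:])
            rest = rest[:idx]
        except json.JSONDecodeError:
            pass  # not valid JSON after all: keep the whole text as message
    return ts, level, rest, fields


def summarize(log_text):
    """Count handshake failures per (server name, issuer_key, reason).

    issuer_key is None when Caddy had no certificate for the requested name.
    """
    issuer_by_hash = {}   # certificate hash -> issuer_key
    pending = {}          # (ip, port) -> (server name, issuer_key)
    summary = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, _, msg, f = parsed
        if "issuer_key" in f and "hash" in f:
            # "default certificate selection results" / "added certificate to cache"
            issuer_by_hash[f["hash"]] = f["issuer_key"]
        elif msg.endswith("matched certificate in cache"):
            name = (f.get("subjects") or ["?"])[0]
            issuer = issuer_by_hash.get(f.get("hash"), "unknown")
            pending[(f.get("remote_ip"), f.get("remote_port"))] = (name, issuer)
        elif msg.endswith("no certificate matching TLS ClientHello"):
            key = (f.get("remote_ip"), f.get("remote_port"))
            pending[key] = (f.get("server_name", "?"), None)
        else:
            m = ERR_RE.search(msg)
            if m:
                ip, port, reason = m.groups()
                name, issuer = pending.pop((ip, port), ("?", None))
                summary[(name, issuer, reason)] += 1
    return summary


if __name__ == "__main__":
    for (name, issuer, reason), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  sni={name}  issuer_key={issuer}  {reason}")
```
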