We are setting up some new services in AWS and decided to give Caddy a try as a reverse proxy to get automatic HTTPS. We are, however, having some difficulties getting it up and running and would very much appreciate some guidance on what may be the problem. The domain in the hosted zone is replaced by DOMAIN.
In AWS we have a public hosted zone DOMAIN, and we have a record caddy.DOMAIN. The domain itself has been verified as working and we are able to resolve DNS.
Caddy is started in Docker using the abisoft/caddy image version 0.10.12 (Docker Hub). As we would like to host Caddy behind an Elastic Load Balancer, we are trying to obtain a certificate using the route53 DNS provider and have built the Docker image with this command:
When starting the Docker image, we expose ports 80 and 443, mount the Caddyfile to /etc/Caddyfile and a certificate path to /etc/caddycerts. We also pass the following environment variables:
You note that the domain can be resolved via DNS, but I'm not sure if you mean publicly or for the Caddy host specifically. Can Caddy inside the container access 172.36.0.2:53, and does that host serve a DNS response?
So I just tested certbot in Docker running on the same machine, and this worked:
:~$ sudo docker run -it --rm --name certbot \
> -v "/etc/letsencrypt:/etc/letsencrypt" \
> -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
> -e AWS_ACCESS_KEY_ID=<MASKED> \
> -e AWS_SECRET_ACCESS_KEY=<MASKED> \
> certbot/dns-route53 certonly --dns-route53 -d caddy.DOMAIN --register-unsafely-without-email
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Found credentials in environment variables.
Plugins selected: Authenticator dns-route53, Installer None
Registering without email!
/usr/local/lib/python2.7/site-packages/josepy/jwa.py:107: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
signer = key.signer(self.padding, self.hash)
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for caddy.DOMAIN
Starting new HTTPS connection (1): route53.amazonaws.com
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: route53.amazonaws.com
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/caddy.DOMAIN/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/caddy.DOMAIN/privkey.pem
Your cert will expire on 2018-07-15. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
:~$ sudo ls -lah /etc/letsencrypt/live/caddy.DOMAIN/
total 12K
drwxr-xr-x 2 root root 4.0K Apr 16 06:42 .
drwx------ 3 root root 4.0K Apr 16 06:42 ..
-rw-r--r-- 1 root root 543 Apr 16 06:42 README
lrwxrwxrwx 1 root root 41 Apr 16 06:42 cert.pem -> ../../archive/caddy.DOMAIN/cert1.pem
lrwxrwxrwx 1 root root 42 Apr 16 06:42 chain.pem -> ../../archive/caddy.DOMAIN/chain1.pem
lrwxrwxrwx 1 root root 46 Apr 16 06:42 fullchain.pem -> ../../archive/caddy.DOMAIN/fullchain1.pem
lrwxrwxrwx 1 root root 44 Apr 16 06:42 privkey.pem -> ../../archive/caddy.DOMAIN/privkey1.pem