I’ve set https_port to 10443 in the global options, but when I visit port 10080, my browser still auto-redirects to port 443. I expect it to auto-redirect to port 10443 instead.
2. When Caddy automatically issues certificates from Let’s Encrypt, it fails because Caddy still uses port 80 to serve the .well-known files instead of port 10080.
4. Error messages and/or full log output:
[ ts.i.oonlyone.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://ts.i.oonlyone.com/.well-known/acme-challenge/_uCEbQfaAxqrUfh3yNyOgybuQf9dhboazlOakCqbIBQ [45.15.131.89]: 404, url:
(challenge=http-01 remaining=[])
2020/05/09 15:13:02 [ERROR] attempt 2: [ts.i.oonlyone.com] Obtain: [ts.i.oonlyone.com] error: one or more domains had a problem:
[ ts.i.oonlyone.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://ts.i.oonlyone.com/.well-known/acme-challenge/_uCEbQfaAxqrUfh3yNyOgybuQf9dhboazlOakCqbIBQ [45.15.131.89]: 404, url:
- retrying in 2m0s (1m44.096652041s/720h0m0s elapsed)...
Those port global options are only meant to change the ports from the perspective of your local machine. Externally, they still need to be mapped to 80 and 443. Let’s Encrypt will only try to connect on those ports, and the HTTP->HTTPS redirect will always assume your site is accessible on port 443 externally.
It’s simply an impossibility. Let’s Encrypt will never make requests for the HTTP challenge on any port other than 80, and will never make requests for the ALPN challenge on any port other than 443.
If you must run it on different ports, then you should consider using the ACME DNS challenge instead, which doesn’t have any specific port requirements.
You can also implement the HTTP->HTTPS redirect yourself by adding a site block like this:
The usage of http_port and https_port is effectively intended for scenarios where your public ports remain default but your internal ports are different, e.g. your router is port forwarding from port 80 externally to port 10080 on your server.
Wrong way around - with http_port, Caddy will be listening on port 10080 for the challenge, but as @francislavoie has shared, the ACME server actually needs it to be on port 80!
Technically, Caddy 2 does support ACME challenges on arbitrary ports, and you’ve got the right settings for them! Downside is, no trusted ACME provider I know of actually does issue challenges on non-standard ports!
If you somehow do find one, you can specify the acme_ca in your global options alongside http_port/https_port and you’ll be off to the races… Just make sure to specify your ports manually in your redirects and it’ll work.
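A Caddyfile that ties the two points above together, added here as an illustration rather than configuration posted by anyone in the thread: the http_port/https_port global options move only the local listening ports, so the HTTP->HTTPS redirect must name the external HTTPS port itself, and the ACME challenge ports stay at 80/443 unless a CA that validates on non-standard ports is configured with acme_ca. The hostname ts.i.oonlyone.com is taken from the log above; the acme_ca URL, the DNS provider name and the upstream address are placeholders, not real values.

```caddyfile
{
	# Caddy listens on these ports locally. They do not change what the
	# CA connects to: Let's Encrypt fetches HTTP-01 on port 80 and
	# TLS-ALPN-01 on port 443, so a router/NAT rule must forward
	# 80 -> 10080 and 443 -> 10443 for the default challenges to succeed.
	http_port  10080
	https_port 10443

	# Only meaningful with an ACME CA that validates on non-standard
	# ports. No public CA does this; the URL is a placeholder, not a CA.
	# acme_ca https://acme.example.invalid/directory
}

# Plain-HTTP site. With http_port 10080 this block listens on 10080.
# Declaring it disables Caddy's automatic redirect (which would send
# clients to port 443) and replaces it with one that names the real
# external HTTPS port.
http://ts.i.oonlyone.com {
	redir https://{host}:10443{uri} permanent
}

# HTTPS site, served on 10443 because of https_port.
ts.i.oonlyone.com {
	# If 80/443 cannot be forwarded to this host, the HTTP and ALPN
	# challenges cannot complete. The DNS challenge has no port
	# requirement but needs a DNS provider module built into Caddy;
	# "<provider>" stands for that module's name.
	# tls {
	#	dns <provider>
	# }

	# Placeholder backend; replace with the actual upstream.
	reverse_proxy 127.0.0.1:8080
}
```

To confirm the redirect, request http://ts.i.oonlyone.com:10080/ with curl -I and check that the Location header points at https://ts.i.oonlyone.com:10443/ rather than the default port 443; certificate issuance will still fail until ports 80 and 443 are forwarded to 10080 and 10443, or the DNS challenge is used.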