How to run Caddy v2 inside a docker container and reverse proxy between docker containers?

1. My Caddy version (caddy -version):

docker caddy/caddy:alpine

2. How I run Caddy:


a. System environment:

Ubuntu 18.04
docker 19.0.3

b. Command:

CURRENT_UID=$(id -u):$(id -g) docker-compose up

c. Service/unit/compose file:

# run this with: CURRENT_UID=$(id -u):$(id -g) docker-compose up
version: "3"
services:
  percy:
    # docker run -it -p 80:80 -p 443:443 -p 2019:2019 --rm --name perception_caddy perception_caddy
    container_name: perception_caddy
    image: perception_caddy
    # user: root
    user: ${CURRENT_UID}
    ports:
      - 443:443
      - 80:80
      - 2020:2020
    volumes:
      - ./caddy_secrets/ssl/:/etc/ssl
      - ./caddy_secrets/dotcaddy:/root/.caddy # to save certificates on disk
      - ./caddy_secrets/dotconfig:/.config # to save certificates on disk
      - ./caddy_secrets/Caddyfile:/etc/Caddyfile # to save certificates on disk
    sysctls:
      - net.ipv4.ip_unprivileged_port_start=0
    cap_add:
      - CAP_NET_BIND_SERVICE
  perceptionist:
    # docker run --user $(id -u):$(id -g) -it -p 8888:8888 -v "/home/florian/flow/perception_experiments/uploads/":"/perception_express/uploads/" --rm --name perception_express perception_express
    image: perception_express
    volumes:
      - /home/********/uploads/:/perception_express/uploads/
    container_name: perception_express
    user: ${CURRENT_UID}
    depends_on:
      - "percy"
    ports:
      # TODO protect this with a reverse proxy
      - 8888:8888
  bratsstarz:
    # docker run -it -p 8080:80 --rm --name brats_starz brats_starz
    container_name: brats_starz_nginx
    image: brats_starz
    # TODO reverse proxy me
    ports:
      - 8080:80
    depends_on:
      - "perceptionist"
      - "percy"
  # inspiration
  # https://medium.com/redbubble/running-a-docker-container-as-a-non-root-user-7d2e00f8ee15
  # https://medium.com/faun/set-current-host-user-for-docker-container-4e521cef9ffc

d. My complete Caddyfile:


translatum.spdns.org {
    respond "let the neurons flow!"
    
    redir /hello* https://translatum.spdns.org:2020

    reverse_proxy /glioma_stars* brats_starz:8080
    reverse_proxy /upload perception_express:8888
}


https://translatum.spdns.org:2020 {
    respond * "hello!"
}
localhost/glioma_stars {
    reverse_proxy * brats_starz:8080
}

3. The problem I’m having:

I created a web application. The frontend (bratsstarz) is served via nginx on port 8080, the backend (perceptionist) is a node express application running on port 8888. I want to set up a third docker container (percy / perception_caddy) to handle the Let's Encrypt certificates and reverse proxy all the requests within the internal docker network, so I do not have to expose the frontend and backend ports anymore; it should run on port 443. Unfortunately, running Caddy inside Docker does not seem to work for me.

4. Error messages and/or full log output:

$ CURRENT_UID=$(id -u):$(id -g) docker-compose up
Starting perception_caddy ... 
Starting perception_caddy ... done
Creating perception_express ... 
Creating perception_express ... done
Creating brats_starz_nginx ... 
Creating brats_starz_nginx ... done
Attaching to perception_caddy, perception_express, brats_starz_nginx
perception_caddy | 2020/02/16 10:41:00.797      INFO    using provided configuration    {"config_file": "/etc/caddy/Caddyfile", "config_adapter": "caddyfile"}
perception_express | yarn run v1.21.1
perception_caddy | 2020/02/16 10:41:00.805      INFO    admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
perception_express | $ node run.js
perception_caddy | 2020/02/16 10:41:00.805      INFO    http    server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS  {"server_name": "srv0", "https_port": 443}
perception_express | NODE_ENV: production
perception_caddy | 2020/02/16 10:41:00.805      INFO    http    enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
perception_caddy | 2020/02/16 10:41:00.805      INFO    http    enabling automatic TLS certificate management   {"domains": ["translatum.spdns.org"]}
perception_caddy | 2020/02/16 10:41:00 [INFO][cache:0xc0006d2cd0] Started certificate maintenance routine
perception_express | CORSWHITELIST: ['http://translatum.spdns.org:8080']
perception_caddy | 2020/02/16 10:41:00.805      INFO    tls     cleaned up storage units
perception_express | [Perception express] listening on port 8888!
perception_caddy | 2020/02/16 10:41:00.806      INFO    autosaved config        {"file": "/root/.config/caddy/autosave.json"}
perception_caddy | 2020/02/16 10:41:00.806      INFO    serving initial configuration
perception_caddy | 2020/02/16 10:41:01 [ERROR] Making new certificate manager: get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: x509: certificate signed by unknown authority (attempt 1/3)
perception_caddy | 2020/02/16 10:41:02 [ERROR] Making new certificate manager: get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: x509: certificate signed by unknown authority (attempt 2/3)
perception_caddy | 2020/02/16 10:41:03 [ERROR] Making new certificate manager: get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: x509: certificate signed by unknown authority (attempt 3/3)
perception_caddy | 2020/02/16 10:41:04 [ERROR] translatum.spdns.org: obtaining certificate: get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: x509: certificate signed by unknown authority - backing off and retrying (attempt 1/46)...
perception_caddy | 2020/02/16 10:41:07 [ERROR] Making new certificate manager: get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: x509: certificate signed by unknown authority (attempt 1/3)
perception_caddy | 2020/02/16 10:41:09 [ERROR] Making new certificate manager: get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: x509: certificate signed by unknown authority (attempt 2/3)
perception_caddy | 2020/02/16 10:41:10 [ERROR] Making new certificate manager: get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: x509: certificate signed by unknown authority (attempt 3/3)
perception_caddy | 2020/02/16 10:41:11 [ERROR] translatum.spdns.org: obtaining certificate: get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: x509: certificate signed by unknown authority - backing off and retrying (attempt 2/46)...
^CGracefully stopping... (press Ctrl+C again to force)
Stopping brats_starz_nginx  ... done
Stopping perception_express ... done
Stopping perception_caddy   ... done

5. What I already tried:

I tried starting the container as non-root and root user. I added

    sysctls:
      - net.ipv4.ip_unprivileged_port_start=0
    cap_add:
      - CAP_NET_BIND_SERVICE

so Caddy can bind to low port numbers for getting the certificate. Interestingly, all my volume mounts stay empty, but so do the folders inside the docker container when I check with:

docker exec -it perception_caddy sh

Interestingly, the whole of Caddy seems to spin up if I just run caddy start without Docker around it.

My Dockerfile for building the percy service looks like this, which is why I don't volume-mount a Caddyfile:

FROM caddy/caddy:alpine
COPY Caddyfile /etc/caddy/Caddyfile

Thanks for your assistance!

6. Links to relevant resources:

When you run containers using docker-compose, it adds hosts for each of your services to the docker network’s DNS server. These hosts are the service name by default. In your case, this would be perceptionist and bratsstarz. I think that the container_name option will override that, so I think you may need to use brats_starz_nginx instead (try both to see which works).

So I think your Caddyfile should have this:

    reverse_proxy /glioma_stars* brats_starz_nginx:8080
    reverse_proxy /upload perceptionist:8888

Thank you, I am confident I will figure the routing out.

But how to handle the certificate error? Outside Docker, getting the cert works fine, but inside I get the errors above.

Ah, I think that’s because you’re overriding the CA store with your ./caddy_secrets/ssl/:/etc/ssl volume, which means that Caddy doesn’t know how to trust the Let’s Encrypt CA.

Ah, that folder does not exist when I start Docker, so it gets created in the process. I also tried without this volume mount, but will try again.

I tried again with the following settings. Maybe it fails now because I tried too often in the last hours?
I think the cert files should somehow be volume-mounted to avoid Caddy getting new certs every time Docker restarts?

Caddyfile:

{	
    email   ****@gmail.com
}

translatum.spdns.org www.translatum.spdns.org {
    respond "let the neurons flow!"
    
    redir /hello* https://translatum.spdns.org:2020

    reverse_proxy /glioma_stars* brats_starz_nginx:8080
    reverse_proxy /upload perceptionist:8888
}


https://translatum.spdns.org:2020 {
    respond * "hello!"
}

docker-compose:

# run this with: CURRENT_UID=$(id -u):$(id -g) docker-compose up
version: "3"
services:
  percy:
    # docker run -it -p 80:80 -p 443:443 -p 2019:2019 --rm --name perception_caddy perception_caddy
    container_name: perception_caddy
    image: perception_caddy
    user: root
    # user: ${CURRENT_UID}
    ports:
      - 443:443
      - 80:80
      - 2020:2020
    # volumes:
    # - ./caddy_secrets/ssl/:/etc/ssl
    # - ./caddy_secrets/dotcaddy:/root/.caddy # to save certificates on disk
    # - ./caddy_secrets/dotconfig:/.config # to save certificates on disk
    # - ./caddy_secrets/Caddyfile:/etc/Caddyfile # to save certificates on disk

    sysctls:
      - net.ipv4.ip_unprivileged_port_start=0
    cap_add:
      - CAP_NET_BIND_SERVICE
  perceptionist:
    # docker run --user $(id -u):$(id -g) -it -p 8888:8888 -v "/home/florian/flow/perception_experiments/uploads/":"/perception_express/uploads/" --rm --name perception_express perception_express
    image: perception_express
    volumes:
      - /home/florian/flow/perception_experiments/uploads/:/perception_express/uploads/
    container_name: perception_express
    user: ${CURRENT_UID}
    depends_on:
      - "percy"
    # ports:
    #   # TODO protect this with a reverse proxy
    #   - 8888:8888
  bratsstarz:
    # docker run -it -p 8080:80 --rm --name brats_starz brats_starz
    container_name: brats_starz_nginx
    image: brats_starz
    # TODO reverse proxy me
    # ports:
    #   - 8080:80
    depends_on:
      - "perceptionist"
      - "percy"
  # inspiration
  # https://medium.com/redbubble/running-a-docker-container-as-a-non-root-user-7d2e00f8ee15
  # https://medium.com/faun/set-current-host-user-for-docker-container-4e521cef9ffc

output:

CURRENT_UID=$(id -u):$(id -g) docker-compose up
Creating perception_caddy ... 
Creating perception_caddy ... done
Recreating perception_express ... 
Recreating perception_express ... done
Recreating brats_starz_nginx ... 
Recreating brats_starz_nginx ... done
Attaching to perception_caddy, perception_express, brats_starz_nginx
perception_caddy | 2020/02/16 20:02:42.670      INFO    using provided configuration    {"config_file": "/etc/caddy/Caddyfile", "config_adapter": "caddyfile"}
perception_caddy | 2020/02/16 20:02:42.677      INFO    admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
perception_caddy | 2020/02/16 20:02:42.678      INFO    http    server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS  {"server_name": "srv0", "https_port": 443}
perception_caddy | 2020/02/16 20:02:42.678      INFO    http    enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
perception_express | yarn run v1.21.1
perception_express | $ node run.js
perception_caddy | 2020/02/16 20:02:42.678      INFO    http    enabling automatic HTTP->HTTPS redirects        {"server_name": "srv1"}
perception_express | NODE_ENV: production
perception_express | CORSWHITELIST: ['http://translatum.spdns.org:8080']
perception_caddy | 2020/02/16 20:02:42.679      INFO    http    enabling automatic TLS certificate management   {"domains": ["www.translatum.spdns.org", "translatum.spdns.org"]}
perception_express | [Perception express] listening on port 8888!
perception_caddy | 2020/02/16 20:02:42.679      INFO    http    enabling automatic TLS certificate management   {"domains": ["translatum.spdns.org"]}
perception_caddy | 2020/02/16 20:02:42 [INFO][cache:0xc00023e460] Started certificate maintenance routine
perception_caddy | 2020/02/16 20:02:42.679      INFO    tls     cleaned up storage units
perception_caddy | 2020/02/16 20:02:42.679      INFO    autosaved config        {"file": "/root/.config/caddy/autosave.json"}
perception_caddy | 2020/02/16 20:02:42.679      INFO    serving initial configuration
perception_caddy | 2020/02/16 20:02:43 [INFO] acme: Registering account for zournyque@gmail.com
perception_caddy | 2020/02/16 20:02:43 [INFO] acme: Registering account for zournyque@gmail.com
perception_caddy | 2020/02/16 20:02:43 [INFO] acme: Registering account for zournyque@gmail.com
perception_caddy | 2020/02/16 20:02:43 [INFO][translatum.spdns.org] Obtain certificate
perception_caddy | 2020/02/16 20:02:43 [INFO][translatum.spdns.org] Obtain: Waiting on rate limiter...
perception_caddy | 2020/02/16 20:02:43 [INFO][translatum.spdns.org] Obtain: Done waiting
perception_caddy | 2020/02/16 20:02:43 [INFO] [translatum.spdns.org] acme: Obtaining bundled SAN certificate
perception_caddy | 2020/02/16 20:02:43 [INFO][www.translatum.spdns.org] Obtain certificate
perception_caddy | 2020/02/16 20:02:43 [INFO][www.translatum.spdns.org] Obtain: Waiting on rate limiter...
perception_caddy | 2020/02/16 20:02:43 [INFO][www.translatum.spdns.org] Obtain: Done waiting
perception_caddy | 2020/02/16 20:02:43 [INFO] [www.translatum.spdns.org] acme: Obtaining bundled SAN certificate
perception_caddy | 2020/02/16 20:02:43 [INFO][translatum.spdns.org] Obtain certificate
perception_caddy | 2020/02/16 20:02:43 [INFO][translatum.spdns.org] Obtain: Waiting on rate limiter...
perception_caddy | 2020/02/16 20:02:43 [INFO][translatum.spdns.org] Obtain: Done waiting
perception_caddy | 2020/02/16 20:02:43 [ERROR][translatum.spdns.org] failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates already issued for exact set of domains: translatum.spdns.org: see https://letsencrypt.org/docs/rate-limits/, url: (attempt 1/2; challenge=http-01)
perception_caddy | 2020/02/16 20:02:44 [INFO] [www.translatum.spdns.org] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/2852591722
perception_caddy | 2020/02/16 20:02:44 [INFO] [www.translatum.spdns.org] acme: Could not find solver for: tls-alpn-01
perception_caddy | 2020/02/16 20:02:44 [INFO] [www.translatum.spdns.org] acme: use http-01 solver
perception_caddy | 2020/02/16 20:02:44 [INFO] [www.translatum.spdns.org] acme: Trying to solve HTTP-01
perception_caddy | 2020/02/16 20:02:44 [INFO] [translatum.spdns.org] acme: Obtaining bundled SAN certificate
perception_caddy | 2020/02/16 20:02:45 [ERROR][translatum.spdns.org] failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates already issued for exact set of domains: translatum.spdns.org: see https://letsencrypt.org/docs/rate-limits/, url: (attempt 2/2; challenge=http-01)
perception_caddy | 2020/02/16 20:02:46 [INFO] [translatum.spdns.org] acme: Obtaining bundled SAN certificate
perception_caddy | 2020/02/16 20:02:46 http: TLS handshake error from 127.0.0.1:47154: EOF
perception_caddy | 2020/02/16 20:02:46 [ERROR][translatum.spdns.org] failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates already issued for exact set of domains: translatum.spdns.org: see https://letsencrypt.org/docs/rate-limits/, url: (attempt 1/2; challenge=tls-alpn-01)
perception_caddy | 2020/02/16 20:02:47 [INFO] [translatum.spdns.org] acme: Obtaining bundled SAN certificate
perception_caddy | 2020/02/16 20:02:47 [ERROR][translatum.spdns.org] failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates already issued for exact set of domains: translatum.spdns.org: see https://letsencrypt.org/docs/rate-limits/, url: (attempt 2/2; challenge=tls-alpn-01)
perception_caddy | 2020/02/16 20:02:48 [ERROR] translatum.spdns.org: obtaining certificate: failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates already issued for exact set of domains: translatum.spdns.org: see https://letsencrypt.org/docs/rate-limits/, url: - backing off and retrying (attempt 1/46)...
perception_caddy | 2020/02/16 20:02:48 [INFO] [translatum.spdns.org] acme: Obtaining bundled SAN certificate
perception_caddy | 2020/02/16 20:02:48 http: TLS handshake error from 127.0.0.1:47162: EOF
perception_caddy | 2020/02/16 20:02:48 [ERROR][translatum.spdns.org] failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates already issued for exact set of domains: translatum.spdns.org: see https://letsencrypt.org/docs/rate-limits/, url: (attempt 1/2; challenge=tls-alpn-01)
perception_caddy | 2020/02/16 20:02:49 [INFO] [translatum.spdns.org] acme: Obtaining bundled SAN certificate
perception_caddy | 2020/02/16 20:02:50 [ERROR][translatum.spdns.org] failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates already issued for exact set of domains: translatum.spdns.org: see https://letsencrypt.org/docs/rate-limits/, url: (attempt 2/2; challenge=tls-alpn-01)
^CGracefully stopping... (press Ctrl+C again to force)
Stopping brats_starz_nginx  ... done
Stopping perception_express ... done
Stopping perception_caddy   ... done

In v2, the paths you need to persist are /root/.config/caddy and /root/.local/share/caddy, assuming you’re running the docker image with the root user. See Conventions — Caddy Documentation

See below, the new paths are /data and /config in the latest Docker images.

Just a note - as of the latest caddy/caddy images, these locations are now /config/caddy and /data/caddy. See the (new!) docs for some details: GitHub - caddyserver/caddy-docker: Source for the official Caddy v2 Docker Image


Thanks for the heads-up, I just resumed work on my project! Hope I will get it running now!

Alright, I moved on with the project and made some small progress. Accessing the base route with the SSL cert works, but the proxy to my nginx backend working on 8080 does not:

docker-compose:

# run this with: CURRENT_UID=$(id -u):$(id -g) docker-compose up
version: "3"
services:
  percy:
    # docker run -it -p 80:80 -p 443:443 -p 2019:2019 --rm --name perception_caddy perception_caddy
    image: perception_caddy
    container_name: percy
    hostname: percy
    user: root
    # user: ${CURRENT_UID}
    ports:
      - 443:443
      - 80:80
      - 2020:2020
    volumes:
      # Just a note - as of the latest caddy/caddy images, these locations are now /config/caddy and /data/caddy. See the (new!) docs for some details: https://github.com/caddyserver/caddy-docker#️-a-note-about-persisted-data
      - ./caddy_secrets/config:/config # to save certificates on disk
      - ./caddy_secrets/data:/data
    # sysctls:
    #   - net.ipv4.ip_unprivileged_port_start=0
    # cap_add:
    #   - CAP_NET_BIND_SERVICE
  perceptionist:
    # docker run --user $(id -u):$(id -g) -it -p 8888:8888 -v "/home/florian/flow/perception_experiments/uploads/":"/perception_express/uploads/" --rm --name perception_express perception_express
    image: perception_express
    container_name: perceptionist
    hostname: perceptionist
    user: ${CURRENT_UID}
    depends_on:
      - "percy"
    volumes:
      - /home/florian/flow/perception_experiments/uploads/:/perception_express/uploads/
    # ports:
    #   # TODO protect this with a reverse proxy
    #   - 8888:8888
  bratsstarz:
    # docker run -it -p 8080:80 --rm --name brats_starz brats_starz
    image: brats_starz
    container_name: bratsstarz
    hostname: bratsstarz
    # TODO reverse proxy me
    # ports:
    #   - 8080:80
    depends_on:
      - "perceptionist"
      - "percy"
  # inspiration
  # https://medium.com/redbubble/running-a-docker-container-as-a-non-root-user-7d2e00f8ee15
  # https://medium.com/faun/set-current-host-user-for-docker-container-4e521cef9ffc

Caddyfile (included in the docker image during build):

{	
    email   ***@gmail.com
    # acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}

translatum.xyz {
    respond "let the neurons flow - translatum.xyz!"
}


glioma.translatum.xyz {
    reverse_proxy {
        to bratsstarz:8080
    }
}

perceptionist.translatum.xyz {
    reverse_proxy {
        to perceptionist:8888
    }
}

# localhost:2020 {
#     respond /hello* "hello!"
# }


# translatum.spdns.org {
#     respond "let the neurons flow - translatum.spdns.org!"
# }

Terminal output when accessing my entry point glioma.translatum.xyz; I get 502 errors:

Recreating percy ... done
Recreating perceptionist ... done
Recreating bratsstarz    ... done
Attaching to percy, perceptionist, bratsstarz
percy            | 2020/03/03 07:38:23.526	INFO	using provided configuration	{"config_file": "/etc/caddy/Caddyfile", "config_adapter": "caddyfile"}
percy            | 2020/03/03 07:38:23.531	INFO	admin	admin endpoint started	{"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
percy            | 2020/03/03 07:38:23.531	INFO	http	server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS	{"server_name": "srv0", "https_port": 443}
percy            | 2020/03/03 07:38:23.532	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
perceptionist    | yarn run v1.21.1
perceptionist    | $ node run.js
perceptionist    | NODE_ENV: production
perceptionist    | CORSWHITELIST: ['https://translatum.xyz', 'https://glioma.translatum.xyz']
perceptionist    | [Perception express] listening on port 8888!
percy            | 2020/03/03 07:38:23.532	INFO	http	enabling automatic TLS certificate management	{"domains": ["perceptionist.translatum.xyz", "glioma.translatum.xyz", "translatum.xyz"]}
percy            | 2020/03/03 07:38:23.532	INFO	tls	cleaned up storage units
percy            | 2020/03/03 07:38:23.538	INFO	autosaved config	{"file": "/root/.config/caddy/autosave.json"}
percy            | 2020/03/03 07:38:23.538	INFO	serving initial configuration
percy            | 2020/03/03 07:38:23 [INFO][cache:0xc0003b6190] Started certificate maintenance routine
percy            | 2020/03/03 07:38:24 [INFO] acme: Registering account for ***@gmail.com
percy            | 2020/03/03 07:38:24 [INFO] acme: Registering account for ***@gmail.com
percy            | 2020/03/03 07:38:24 [INFO] acme: Registering account for ***@gmail.com
percy            | 2020/03/03 07:38:24 [INFO][translatum.xyz] Obtain certificate
percy            | 2020/03/03 07:38:24 [INFO][translatum.xyz] Obtain: Waiting on rate limiter...
percy            | 2020/03/03 07:38:24 [INFO][translatum.xyz] Obtain: Done waiting
percy            | 2020/03/03 07:38:24 http: TLS handshake error from 127.0.0.1:53230: EOF
percy            | 2020/03/03 07:38:24 [INFO] [translatum.xyz] acme: Obtaining bundled SAN certificate
percy            | 2020/03/03 07:38:24 [INFO][glioma.translatum.xyz] Obtain certificate
percy            | 2020/03/03 07:38:24 [INFO][glioma.translatum.xyz] Obtain: Waiting on rate limiter...
percy            | 2020/03/03 07:38:24 [INFO][glioma.translatum.xyz] Obtain: Done waiting
percy            | 2020/03/03 07:38:24 [INFO] [glioma.translatum.xyz] acme: Obtaining bundled SAN certificate
percy            | 2020/03/03 07:38:24 [INFO] [perceptionist.translatum.xyz] acme: Obtaining bundled SAN certificate
percy            | 2020/03/03 07:38:24 [INFO][perceptionist.translatum.xyz] Obtain certificate
percy            | 2020/03/03 07:38:24 [INFO][perceptionist.translatum.xyz] Obtain: Waiting on rate limiter...
percy            | 2020/03/03 07:38:24 [INFO][perceptionist.translatum.xyz] Obtain: Done waiting
percy            | 2020/03/03 07:38:24 http: TLS handshake error from 127.0.0.1:53236: EOF
percy            | 2020/03/03 07:38:25 [INFO] [glioma.translatum.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3125891514
percy            | 2020/03/03 07:38:25 [INFO] [glioma.translatum.xyz] acme: Could not find solver for: tls-alpn-01
percy            | 2020/03/03 07:38:25 [INFO] [glioma.translatum.xyz] acme: use http-01 solver
percy            | 2020/03/03 07:38:25 [INFO] [glioma.translatum.xyz] acme: Trying to solve HTTP-01
percy            | 2020/03/03 07:38:25 [INFO] [translatum.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3125891526
percy            | 2020/03/03 07:38:25 [INFO] [translatum.xyz] acme: use tls-alpn-01 solver
percy            | 2020/03/03 07:38:25 [INFO] [translatum.xyz] acme: Trying to solve TLS-ALPN-01
percy            | 2020/03/03 07:38:25 [INFO] [perceptionist.translatum.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3125891536
percy            | 2020/03/03 07:38:25 [INFO] [perceptionist.translatum.xyz] acme: use tls-alpn-01 solver
percy            | 2020/03/03 07:38:25 [INFO] [perceptionist.translatum.xyz] acme: Trying to solve TLS-ALPN-01
percy            | 2020/03/03 07:38:25 [INFO][glioma.translatum.xyz] Served key authentication (distributed)
percy            | 2020/03/03 07:38:25 [INFO][glioma.translatum.xyz] Served key authentication (distributed)
percy            | 2020/03/03 07:38:25 [INFO][glioma.translatum.xyz] Served key authentication (distributed)
percy            | 2020/03/03 07:38:26 [INFO][glioma.translatum.xyz] Served key authentication (distributed)
percy            | 2020/03/03 07:38:29 [INFO] [translatum.xyz] The server validated our request
percy            | 2020/03/03 07:38:29 [INFO] [translatum.xyz] acme: Validations succeeded; requesting certificates
percy            | 2020/03/03 07:38:30 [INFO] [translatum.xyz] Server responded with a certificate.
percy            | 2020/03/03 07:38:30 [INFO] [perceptionist.translatum.xyz] The server validated our request
percy            | 2020/03/03 07:38:30 [INFO] [perceptionist.translatum.xyz] acme: Validations succeeded; requesting certificates
percy            | 2020/03/03 07:38:30 [WARNING] Stapling OCSP: no OCSP stapling for [translatum.xyz]: parsing OCSP response: ocsp: error from server: unauthorized
percy            | 2020/03/03 07:38:31 [INFO] [perceptionist.translatum.xyz] Server responded with a certificate.
percy            | 2020/03/03 07:38:31 [INFO] [glioma.translatum.xyz] The server validated our request
percy            | 2020/03/03 07:38:31 [INFO] [glioma.translatum.xyz] acme: Validations succeeded; requesting certificates
percy            | 2020/03/03 07:38:31 [WARNING] Stapling OCSP: no OCSP stapling for [perceptionist.translatum.xyz]: parsing OCSP response: ocsp: error from server: unauthorized
percy            | 2020/03/03 07:38:32 [INFO] [glioma.translatum.xyz] Server responded with a certificate.
percy            | 2020/03/03 07:38:32 [WARNING] Stapling OCSP: no OCSP stapling for [glioma.translatum.xyz]: parsing OCSP response: ocsp: error from server: unauthorized
percy            | 2020/03/03 07:38:44.701	ERROR	http.log.error	dial tcp 172.18.0.4:8080: connect: connection refused	{"request": {"method": "GET", "uri": "/", "proto": "HTTP/2.0", "remote_addr": "62.216.209.90:5256", "host": "glioma.translatum.xyz", "headers": {"Accept-Language": ["en-US,en;q=0.9,de-DE;q=0.8,de;q=0.7"], "Dnt": ["1"], "Upgrade-Insecure-Requests": ["1"], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36"], "Sec-Fetch-Dest": ["document"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"], "Sec-Fetch-Mode": ["navigate"], "Sec-Fetch-User": ["?1"], "Sec-Fetch-Site": ["none"], "Accept-Encoding": ["gzip, deflate, br"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "glioma.translatum.xyz"}}, "status": 502, "err_id": "ictf09dia", "err_trace": "reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:362)"}
percy            | 2020/03/03 07:38:46.446	ERROR	http.log.error	dial tcp 172.18.0.4:8080: connect: connection refused	{"request": {"method": "GET", "uri": "/", "proto": "HTTP/2.0", "remote_addr": "62.216.209.90:5256", "host": "glioma.translatum.xyz", "headers": {"Cache-Control": ["max-age=0"], "Upgrade-Insecure-Requests": ["1"], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"], "Sec-Fetch-User": ["?1"], "Sec-Fetch-Dest": ["document"], "Sec-Fetch-Site": ["cross-site"], "Sec-Fetch-Mode": ["navigate"], "Accept-Encoding": ["gzip, deflate, br"], "Accept-Language": ["en-US,en;q=0.9,de-DE;q=0.8,de;q=0.7"], "Dnt": ["1"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "glioma.translatum.xyz"}}, "status": 502, "err_id": "hc5gv7nsy", "err_trace": "reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:362)"}
percy            | 2020/03/03 07:38:46.822	ERROR	http.log.error	dial tcp 172.18.0.4:8080: connect: connection refused	{"request": {"method": "GET", "uri": "/", "proto": "HTTP/2.0", "remote_addr": "62.216.209.90:5256", "host": "glioma.translatum.xyz", "headers": {"Dnt": ["1"], "Upgrade-Insecure-Requests": ["1"], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36"], "Sec-Fetch-Site": ["cross-site"], "Sec-Fetch-User": ["?1"], "Accept-Encoding": ["gzip, deflate, br"], "Accept-Language": ["en-US,en;q=0.9,de-DE;q=0.8,de;q=0.7"], "Cache-Control": ["max-age=0"], "Sec-Fetch-Dest": ["document"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"], "Sec-Fetch-Mode": ["navigate"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "glioma.translatum.xyz"}}, "status": 502, "err_id": "3td972n27", "err_trace": "reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:362)"}

I found it: the port was still mapped to 8080, as I had remapped my docker there, but nginx usually is served on 80 :slightly_smiling_face:

Now I only need to get my backend running.

I had everything working now and restarted my docker compose a couple of times to continue development. Now I am running into Let's Encrypt rate limits and wonder why.

It seems my volume mount does not work: the config and data folders in caddy_secrets are empty :frowning:

What did I do wrong, and how long do I have to wait now to continue my development? Is there a way to somehow obtain and sideload the certificates I created, to continue?

# run this with: "CURRENT_UID=$(id -u):$(id -g) docker-compose up"
version: "3"
services:
  percy:
    # docker run -it -p 80:80 -p 443:443 -p 2019:2019 --rm --name perception_caddy perception_caddy
    image: perception_caddy
    container_name: percy
    hostname: percy
    user: root
    # user: ${CURRENT_UID}
    ports:
      - 443:443
      - 80:80
      # - 2020:2020
    volumes:
      # Just a note - as of the latest caddy/caddy images, these locations are now /config/caddy and /data/caddy. See the (new!) docs for some details: https://github.com/caddyserver/caddy-docker#️-a-note-about-persisted-data
      - ./caddy_secrets/config:/config # to save certificates on disk
      - ./caddy_secrets/data:/data
    # sysctls:
    #   - net.ipv4.ip_unprivileged_port_start=0
    # cap_add:
    #   - CAP_NET_BIND_SERVICE
  perceptionist:
    # docker run --user $(id -u):$(id -g) -it -p 8888:8888 -v "/home/florian/flow/perception_experiments/uploads/":"/perception_express/uploads/" --rm --name perception_express perception_express
    image: perception_express
    container_name: perceptionist
    hostname: perceptionist
    user: ${CURRENT_UID}
    depends_on:
      - "percy"
    volumes:
      - /uploads:/uploads
    # ports:
    #  behind reverse proxy
    #   - 8888:8888
  bratsstarz:
    # docker run -it -p 8080:80 --rm --name brats_starz brats_starz
    image: brats_starz
    container_name: bratsstarz
    hostname: bratsstarz
    # ports:
    # behind reverse proxy
    #   - 8080:80
    depends_on:
      - "perceptionist"
      - "percy"
  # inspiration
  # https://medium.com/redbubble/running-a-docker-container-as-a-non-root-user-7d2e00f8ee15
  # https://medium.com/faun/set-current-host-user-for-docker-container-4e521cef9ffc

Errors:

n:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates already issued for exact set of domains: translatum.xyz: see https://letsencrypt.org/docs/rate-limits/, url: (attempt 1/2; challenge=tls-alpn-01)
percy            | 2020/03/03 11:25:34 [INFO] [glioma.translatum.xyz] acme: Obtaining bundled SAN certificate
percy            | 2020/03/03 11:25:34 http: TLS handshake error from 127.0.0.1:60066: EOF
percy            | 2020/03/03 11:25:34 [INFO] [translatum.xyz] acme: Obtaining bundled SAN certificate
percy            | 2020/03/03 11:25:35 [ERROR][glioma.translatum.xyz] failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates already issued for exact set of domains: glioma.translatum.xyz: see https://letsencrypt.org/docs/rate-limits/, url: (attempt 1/2; challenge=tls-alpn-01)
percy            | 2020/03/03 11:25:35 [ERROR][translatum.xyz] failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates already issued for exact set of domains: translatum.xyz: see https://letsencrypt.org/docs/rate-limits/, url: (attempt 2/2; challenge=tls-alpn-01)
percy            | 2020/03/03 11:25:36 [INFO] [glioma.translatum.xyz] acme: Obtaining bundled SAN certificate
percy            | 2020/03/03 11:25:36 [ERROR] translatum.xyz: obtaining certificate: failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates already issued for exact set of domains: translatum.xyz: see https://letsencrypt.org/docs/rate-limits/, url: - backing off and retrying (attempt 8/46)...
percy            | 2020/03/03 11:25:36 [ERROR][glioma.translatum.xyz] failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates already issued for exact set of domains: glioma.translatum.xyz: see https://letsencrypt.org/docs/rate-limits/, url: (attempt 2/2; challenge=tls-alpn-01)
percy            | 2020/03/03 11:25:37 [ERROR] glioma.translatum.xyz: obtaining certificate: failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates already issued for exact set of domains: glioma.translatum.xyz: see https://letsencrypt.org/docs/rate-limits/, url: - backing off and retrying (attempt 8/46)...
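
As an added example (not code from the thread or from the Caddy project), here is a small POSIX shell check to run from the compose project directory before every `docker-compose up`: it confirms that Caddy's ACME state really landed on the host bind mounts, so a restart reuses the stored certificates instead of ordering new ones and hitting the Let's Encrypt rate limit. It assumes the caddy/caddy v2 layout where issued leaf certificates live at `<data>/caddy/certificates/<ca>/<host>/<host>.crt` and the mounts from the compose file above (`./caddy_secrets/data` to `/data`, `./caddy_secrets/config` to `/config`); the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Assumed (not stated on the page): caddy/caddy v2 stores issued certificates
# under <data>/caddy/certificates/<ca-directory>/<host>/<host>.crt.

# count_persisted_certs DATA_DIR: print the number of leaf certificates under the mount
count_persisted_certs() {
    certs="$1/caddy/certificates"
    if [ ! -d "$certs" ]; then
        echo 0
        return 0
    fi
    find "$certs" -type f -name '*.crt' | wc -l | tr -d ' '
}

# list_persisted_hosts DATA_DIR: one hostname per line, taken from the per-host directories
list_persisted_hosts() {
    certs="$1/caddy/certificates"
    [ -d "$certs" ] || return 0
    find "$certs" -mindepth 2 -maxdepth 2 -type d -exec basename {} \; | sort
}

# check_persistence DATA_DIR CONFIG_DIR: exit 0 when both mounts hold usable state,
# 1 when a restart would have to go back to the ACME CA for new certificates.
check_persistence() {
    data="$1"
    config="$2"
    rc=0
    n=$(count_persisted_certs "$data")
    if [ "$n" -eq 0 ]; then
        echo "WARN: no certificates under $data - a restart will re-issue via ACME" >&2
        rc=1
    else
        echo "OK: $n certificate(s) persisted for: $(list_persisted_hosts "$data" | tr '\n' ' ')"
    fi
    # The config mount must exist and be writable by the user the container runs as
    # (the compose file above switched to root for exactly this reason), otherwise
    # Caddy cannot write its autosaved config and storage to the host.
    if [ ! -d "$config" ] || [ ! -w "$config" ]; then
        echo "WARN: $config missing or not writable for uid $(id -u)" >&2
        rc=1
    fi
    return $rc
}

# Usage: sh check_caddy_state.sh ./caddy_secrets/data ./caddy_secrets/config
if [ "$#" -eq 2 ]; then
    check_persistence "$1" "$2"
fi
```

If the check warns right after a run that already obtained certificates, the bind mount path or ownership is wrong and fixing that comes before restarting the stack again.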

Looks like you got the help you needed here! Config and data are not persisted even though I am mounting volumes · Issue #42 · caddyserver/caddy-docker · GitHub

A post was split to a new topic: Usage in Docker with --network=host
