1. My Caddy version (caddy -version):
docker caddy/caddy:alpine
2. How I run Caddy:
a. System environment:
Ubuntu 18.04
docker 19.0.3
b. Command:
CURRENT_UID=$(id -u):$(id -g) docker-compose up
c. Service/unit/compose file:
```yaml
# run this with: CURRENT_UID=$(id -u):$(id -g) docker-compose up
version: "3"
services:
  percy:
    # docker run -it -p 80:80 -p 443:443 -p 2019:2019 --rm --name perception_caddy perception_caddy
    container_name: perception_caddy
    image: perception_caddy
    # user: root
    user: ${CURRENT_UID}
    ports:
      - 443:443
      - 80:80
      - 2020:2020
    volumes:
      # caution: bind-mounting a host directory over /etc/ssl hides the image's own
      # CA bundle (/etc/ssl/certs), which the ACME client needs to verify Let's Encrypt
      - ./caddy_secrets/ssl/:/etc/ssl
      - ./caddy_secrets/dotcaddy:/root/.caddy # to save certificates on disk (Caddy v1 storage path)
      - ./caddy_secrets/dotconfig:/.config # to save config on disk (the log shows writes to /root/.config/caddy/ instead)
      - ./caddy_secrets/Caddyfile:/etc/Caddyfile # Caddyfile (the log shows Caddy reading /etc/caddy/Caddyfile)
    sysctls:
      - net.ipv4.ip_unprivileged_port_start=0
    cap_add:
      - CAP_NET_BIND_SERVICE
  perceptionist:
    # docker run --user $(id -u):$(id -g) -it -p 8888:8888 -v "/home/florian/flow/perception_experiments/uploads/":"/perception_express/uploads/" --rm --name perception_express perception_express
    image: perception_express
    volumes:
      - /home/********/uploads/:/perception_express/uploads/
    container_name: perception_express
    user: ${CURRENT_UID}
    depends_on:
      - "percy"
    ports:
      # TODO protect this with a reverse proxy
      - 8888:8888
  bratsstarz:
    # docker run -it -p 8080:80 --rm --name brats_starz brats_starz
    container_name: brats_starz_nginx
    image: brats_starz
    # TODO reverse proxy me
    ports:
      - 8080:80
    depends_on:
      - "perceptionist"
      - "percy"
# inspiration
# https://medium.com/redbubble/running-a-docker-container-as-a-non-root-user-7d2e00f8ee15
# https://medium.com/faun/set-current-host-user-for-docker-container-4e521cef9ffc
```
d. My complete Caddyfile:
```
translatum.spdns.org {
	respond "let the neurons flow!"
	redir /hello* https://translatum.spdns.org:2020
	# brats_starz is neither the compose service name (bratsstarz) nor the container name
	# (brats_starz_nginx), and nginx listens on 80 inside the compose network; 8080 is only
	# the host-side port mapping
	reverse_proxy /glioma_stars* brats_starz_nginx:80
	reverse_proxy /upload perception_express:8888
}
https://translatum.spdns.org:2020 {
	respond * "hello!"
}
localhost/glioma_stars {
	reverse_proxy * brats_starz_nginx:80
}
```
3. The problem I’m having:
I created a web application. The frontend (bratsstarz) is served via nginx on port 8080, and the backend (perceptionist) is a Node Express application running on port 8888. I want to set up a third Docker container (percy / perception_caddy) to handle the Let's Encrypt certificates and reverse-proxy all the requests within the internal Docker network, so I no longer have to expose the frontend and backend ports; it should run on port 443. Unfortunately, running Caddy inside Docker does not seem to work for me.
4. Error messages and/or full log output:
```
$ CURRENT_UID=$(id -u):$(id -g) docker-compose up
Starting perception_caddy ...
Starting perception_caddy ... done
Creating perception_express ...
Creating perception_express ... done
Creating brats_starz_nginx ...
Creating brats_starz_nginx ... done
Attaching to perception_caddy, perception_express, brats_starz_nginx
perception_caddy | 2020/02/16 10:41:00.797 INFO using provided configuration {"config_file": "/etc/caddy/Caddyfile", "config_adapter": "caddyfile"}
perception_express | yarn run v1.21.1
perception_caddy | 2020/02/16 10:41:00.805 INFO admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
perception_express | $ node run.js
perception_caddy | 2020/02/16 10:41:00.805 INFO http server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
perception_express | NODE_ENV: production
perception_caddy | 2020/02/16 10:41:00.805 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
perception_caddy | 2020/02/16 10:41:00.805 INFO http enabling automatic TLS certificate management {"domains": ["translatum.spdns.org"]}
perception_caddy | 2020/02/16 10:41:00 [INFO][cache:0xc0006d2cd0] Started certificate maintenance routine
perception_express | CORSWHITELIST: ['http://translatum.spdns.org:8080']
perception_caddy | 2020/02/16 10:41:00.805 INFO tls cleaned up storage units
perception_express | [Perception express] listening on port 8888!
perception_caddy | 2020/02/16 10:41:00.806 INFO autosaved config {"file": "/root/.config/caddy/autosave.json"}
perception_caddy | 2020/02/16 10:41:00.806 INFO serving initial configuration
perception_caddy | 2020/02/16 10:41:01 [ERROR] Making new certificate manager: get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: x509: certificate signed by unknown authority (attempt 1/3)
perception_caddy | 2020/02/16 10:41:02 [ERROR] Making new certificate manager: get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: x509: certificate signed by unknown authority (attempt 2/3)
perception_caddy | 2020/02/16 10:41:03 [ERROR] Making new certificate manager: get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: x509: certificate signed by unknown authority (attempt 3/3)
perception_caddy | 2020/02/16 10:41:04 [ERROR] translatum.spdns.org: obtaining certificate: get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: x509: certificate signed by unknown authority - backing off and retrying (attempt 1/46)...
perception_caddy | 2020/02/16 10:41:07 [ERROR] Making new certificate manager: get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: x509: certificate signed by unknown authority (attempt 1/3)
perception_caddy | 2020/02/16 10:41:09 [ERROR] Making new certificate manager: get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: x509: certificate signed by unknown authority (attempt 2/3)
perception_caddy | 2020/02/16 10:41:10 [ERROR] Making new certificate manager: get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: x509: certificate signed by unknown authority (attempt 3/3)
perception_caddy | 2020/02/16 10:41:11 [ERROR] translatum.spdns.org: obtaining certificate: get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: x509: certificate signed by unknown authority - backing off and retrying (attempt 2/46)...
^CGracefully stopping... (press Ctrl+C again to force)
Stopping brats_starz_nginx ... done
Stopping perception_express ... done
Stopping perception_caddy ... done
```
5. What I already tried:
I tried starting the container as a non-root and as the root user. I added
```yaml
sysctls:
  - net.ipv4.ip_unprivileged_port_start=0
cap_add:
  - CAP_NET_BIND_SERVICE
```
so Caddy can bind to low port numbers for getting the certificate. Interestingly, all my volume mounts stay empty, but so do the folders inside the Docker container if I check with:
```
docker exec -it perception_caddy sh
```
Interestingly, the whole of Caddy seems to spin up if I just run `caddy start` without Docker around it.
My Dockerfile for building the percy service looks like this, which is why I don't volume-mount a Caddyfile:
```dockerfile
FROM caddy/caddy:alpine
COPY Caddyfile /etc/caddy/Caddyfile
```
Thanks for your assistance!
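Editor's note, added example (not the poster's code and not part of Caddy): the error in the log, `x509: certificate signed by unknown authority`, is Go's TLS client saying it has no root in its trust pool that chains to the server's certificate; it is not a port-binding or ACME-protocol problem. Caddy's ACME client is an ordinary Go HTTP client, so anything that leaves the container without a usable CA bundle produces exactly this message. One reading of the compose file above is that `./caddy_secrets/ssl/` is bind-mounted over `/etc/ssl`, and the post says the mounted host directories are empty, which would hide the image's bundle in `/etc/ssl/certs`; that is an inference, not something the post states. The program below reproduces both outcomes offline against a local stand-in for the ACME directory endpoint (the stand-in server and its JSON body are constructed here): an empty root pool fails with the same error, and a pool containing the right root succeeds.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// newACMEStandIn starts a local HTTPS server standing in for the ACME
// directory endpoint (assumed stand-in, not Let's Encrypt). httptest signs it
// with a self-signed certificate that no default root store trusts, so from a
// client's point of view it looks like any public endpoint does from inside a
// container whose CA bundle is missing.
func newACMEStandIn() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		// constructed sample body; real directories carry more fields
		fmt.Fprint(w, `{"newNonce":"/acme/new-nonce","newAccount":"/acme/new-acct"}`)
	}))
}

// fetchDirectory GETs url while trusting only the roots in pool. With no
// usable root, Go's verifier returns x509.UnknownAuthorityError, whose text is
// the "x509: certificate signed by unknown authority" seen in Caddy's log.
func fetchDirectory(url string, pool *x509.CertPool) error {
	client := &http.Client{
		Timeout: 5 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{RootCAs: pool},
		},
	}
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("unexpected status %s", resp.Status)
	}
	return nil
}

// isUnknownAuthority reports whether err is the verification failure from the
// log. errors.As handles Go versions that wrap the x509 error; the string
// check covers older ones that only surface it through *url.Error's text.
func isUnknownAuthority(err error) bool {
	if err == nil {
		return false
	}
	var ua x509.UnknownAuthorityError
	if errors.As(err, &ua) {
		return true
	}
	return strings.Contains(err.Error(), "x509: certificate signed by unknown authority")
}

// demo runs both cases against the stand-in and returns
// (failedWithUnknownAuthority, succeededWithTrustedRoot).
func demo() (bool, bool) {
	srv := newACMEStandIn()
	defer srv.Close()

	// Case 1: an empty pool, the state Go is in when the bundle under
	// /etc/ssl/certs is not there (for example hidden by an empty bind mount).
	errEmpty := fetchDirectory(srv.URL, x509.NewCertPool())

	// Case 2: the same request with the server's issuing certificate trusted,
	// i.e. a CA bundle that actually contains the right root.
	trusted := x509.NewCertPool()
	trusted.AddCert(srv.Certificate())
	errTrusted := fetchDirectory(srv.URL, trusted)

	return isUnknownAuthority(errEmpty), errTrusted == nil
}

func main() {
	unknown, ok := demo()
	fmt.Printf("empty root pool -> unknown authority error: %v\n", unknown)
	fmt.Printf("root pool with the right CA -> request succeeded: %v\n", ok)
}
```

The practical check this suggests for the container is whether `/etc/ssl/certs` still holds a CA bundle once the volumes are mounted (`docker exec -it perception_caddy ls /etc/ssl/certs`); if the bind mount has emptied it, Caddy's ACME client is in the first case above no matter which user it runs as or which ports it can bind.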