I'm able to get certs from the staging CA, but not once I remove the staging setting

1. The problem I’m having:

I can't connect to any of the URLs proxied by Caddy, either from outside (WAN) or from inside the network, even though it appears that Caddy has created the certs successfully.

2. Error messages and/or full log output:


--------This is what I get in staging area---
{"level":"info","ts":1705797460.6548862,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"recipes.naff.casa"}
{"level":"info","ts":1705797460.6550267,"logger":"tls.obtain","msg":"releasing lock","identifier":"recipes.naff.casa"}
{"level":"info","ts":1705797460.8296165,"logger":"tls.issuance.acme.acme_client","msg":"successfully downloaded available certificate chains","count":2,"first_url":"https://acme-staging-v02.api.letsencrypt.org/acme/cert/2bb56ba06a121214e566d27c46ff221ca3f3"}
{"level":"info","ts":1705797460.8308103,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"remote.naff.casa"}
{"level":"info","ts":1705797460.831067,"logger":"tls.obtain","msg":"releasing lock","identifier":"remote.naff.casa"}
{"level":"error","ts":1705797512.3760707,"logger":"http.log.error","msg":"dial tcp 192.168.1.213:8711: connect: connection refused","request":{"remote_ip":"2.58.56.121","remote_port":"37038","client_ip":"2.58.56.121","proto":"HTTP/1.1","method":"GET","host":"bw.naff.casa","uri":"/.git/config","headers":{"Accept-Encoding":["gzip"],"Connection":["close"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.145 Safari/537.36 Vivaldi/2.6.1566.49"],"Accept-Charset":["utf-8"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"","server_name":"bw.naff.casa"}},"duration":0.002060774,"status":502,"err_id":"kcvmzvbvd","err_trace":"reverseproxy.statusError (reverseproxy.go:1267)"}
{"level":"error","ts":1705797628.8417413,"logger":"http.log.error","msg":"dial tcp 192.168.1.213:8085: connect: connection refused","request":{"remote_ip":"202.43.6.43","remote_port":"60579","client_ip":"202.43.6.43","proto":"HTTP/1.1","method":"GET","host":"paste.naff.casa","uri":"/","headers":{"Upgrade-Insecure-Requests":["1"],"User-Agent":["Mozilla/5.0 Autopliuslt/7.8.0 EmbeddedBrowser (iPhone; CPU iPhone OS 17_1_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile DeviceUID:  VendorUID:  AppPkgID: lt.plius.auto"],"Connection":["close, Te"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8"],"Te":["trailers"],"Accept-Language":["en-GB,en-US;q=0.9,en;q=0.8"],"Accept-Encoding":["gzip, deflate"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"","server_name":"paste.naff.casa"}},"duration":0.001347382,"status":502,"err_id":"pcqjpwxz5","err_trace":"reverseproxy.statusError (reverseproxy.go:1267)"}
{"level":"error","ts":1705797628.8633652,"logger":"http.log.error","msg":"dial tcp 192.168.1.213:8085: connect: connection refused","request":{"remote_ip":"164.90.241.135","remote_port":"59708","client_ip":"164.90.241.135","proto":"HTTP/1.1","method":"GET","host":"paste.naff.casa","uri":"/","headers":{"Accept-Language":["de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7"],"Accept-Encoding":["gzip, deflate"],"Upgrade-Insecure-Requests":["1"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Edg/119.0.0.0"],"Connection":["close, Te"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8"],"Te":["trailers"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"","server_name":"paste.naff.casa"}},"duration":0.001306182,"status":502,"err_id":"0cwcgu0m6","err_trace":"reverseproxy.statusError (reverseproxy.go:1267)"}
{"level":"error","ts":1705797628.922957,"logger":"http.log.error","msg":"dial tcp 192.168.1.213:8085: connect: connection refused","request":{"remote_ip":"84.17.42.17","remote_port":"50653","client_ip":"84.17.42.17","proto":"HTTP/1.1","method":"GET","host":"paste.naff.casa","uri":"/","headers":{"Te":["trailers"],"Accept-Language":["fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7"],"Accept-Encoding":["gzip, deflate"],"Upgrade-Insecure-Requests":["1"],"User-Agent":["Mozilla/5.0 Autopliuslt/7.8.0 EmbeddedBrowser (iPhone; CPU iPhone OS 17_1_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile DeviceUID:  VendorUID:  AppPkgID: lt.plius.auto"],"Connection":["close, Te"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"","server_name":"paste.naff.casa"}},"duration":0.001287102,"status":502,"err_id":"itiunthem","err_trace":"reverseproxy.statusError (reverseproxy.go:1267)"}
{"level":"error","ts":1705797630.187912,"logger":"http.log.error","msg":"dial tcp 192.168.1.213:8085: connect: connection refused","request":{"remote_ip":"104.129.56.138","remote_port":"44899","client_ip":"104.129.56.138","proto":"HTTP/1.1","method":"GET","host":"paste.naff.casa","uri":"/","headers":{"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8"],"Te":["trailers"],"Accept-Language":["en-US,en;q=0.9"],"Accept-Encoding":["gzip, deflate"],"Upgrade-Insecure-Requests":["1"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 uacq"],"Connection":["close, Te"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"","server_name":"paste.naff.casa"}},"duration":0.00162047,"status":502,"err_id":"ig8twbs2x","err_trace":"reverseproxy.statusError (reverseproxy.go:1267)"}
{"level":"error","ts":1705797651.977236,"logger":"http.log.error","msg":"dial tcp 192.168.1.213:8085: connect: connection refused","request":{"remote_ip":"164.90.241.135","remote_port":"60981","client_ip":"164.90.241.135","proto":"HTTP/1.1","method":"GET","host":"paste.naff.casa","uri":"/","headers":{"Connection":["close, Te"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8"],"Te":["trailers"],"Accept-Language":["de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7"],"Accept-Encoding":["gzip, deflate"],"Upgrade-Insecure-Requests":["1"],"User-Agent":["Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11A465 Safari/9537.53 BingPreview/1.0b"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"","server_name":"paste.naff.casa"}},"duration":0.001412819,"status":502,"err_id":"xg9589ygn","err_trace":"reverseproxy.statusError (reverseproxy.go:1267)"}
{"level":"error","ts":1705797660.359617,"logger":"http.log.error","msg":"dial tcp 192.168.1.213:8085: connect: connection refused","request":{"remote_ip":"197.242.156.68","remote_port":"40629","client_ip":"197.242.156.68","proto":"HTTP/1.1","method":"GET","host":"paste.naff.casa","uri":"/","headers":{"Accept-Language":["zu-ZA,zu;q=0.9,en-US;q=0.8,en;q=0.7"],"Accept-Encoding":["gzip, deflate"],"Upgrade-Insecure-Requests":["1"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0"],"Connection":["close, Te"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8"],"Te":["trailers"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"","server_name":"paste.naff.casa"}},"duration":0.001405387,"status":502,"err_id":"k3j6mcz3m","err_trace":"reverseproxy.statusError (reverseproxy.go:1267)"}

This is my error log after I remove staging area:

AB credentials: HTTP 200: failed_creating_eab_account (code 2902)"}
{"level":"error","ts":1705798182.0053222,"logger":"tls.obtain","msg":"will retry","error":"[radarr.naff.casa] Obtain: account pre-registration callback: failed getting EAB credentials: HTTP 200: failed_creating_eab_account (code 2902)","attempt":1,"retrying_in":60,"elapsed":3.740749255,"max_duration":2592000}
{"level":"error","ts":1705798182.4646058,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"www.naff.casa","issuer":"acme.zerossl.com-v2-DV90","error":"account pre-registration callback: failed getting EAB credentials: HTTP 200: failed_creating_eab_account (code 2902)"}
{"level":"error","ts":1705798182.46471,"logger":"tls.obtain","msg":"will retry","error":"[www.naff.casa] Obtain: account pre-registration callback: failed getting EAB credentials: HTTP 200: failed_creating_eab_account (code 2902)","attempt":1,"retrying_in":60,"elapsed":4.203547766,"max_duration":2592000}
{"level":"error","ts":1705798182.9148679,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"naff.casa","issuer":"acme.zerossl.com-v2-DV90","error":"account pre-registration callback: failed getting EAB credentials: HTTP 200: failed_creating_eab_account (code 2902)"}
{"level":"error","ts":1705798182.9149697,"logger":"tls.obtain","msg":"will retry","error":"[naff.casa] Obtain: account pre-registration callback: failed getting EAB credentials: HTTP 200: failed_creating_eab_account (code 2902)","attempt":1,"retrying_in":60,"elapsed":4.653592067,"max_duration":2592000}
{"level":"error","ts":1705798183.369684,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"request.naff.casa","issuer":"acme.zerossl.com-v2-DV90","error":"account pre-registration callback: failed getting EAB credentials: HTTP 200: failed_creating_eab_account (code 2902)"}
{"level":"error","ts":1705798183.3697836,"logger":"tls.obtain","msg":"will retry","error":"[request.naff.casa] Obtain: account pre-registration callback: failed getting EAB credentials: HTTP 200: failed_creating_eab_account (code 2902)","attempt":1,"retrying_in":60,"elapsed":5.109715375,"max_duration":2592000}
{"level":"error","ts":1705798183.805998,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"share.naff.casa","issuer":"acme.zerossl.com-v2-DV90","error":"account pre-registration callback: failed getting EAB credentials: HTTP 200: failed_creating_eab_account (code 2902)"}
{"level":"error","ts":1705798183.8061008,"logger":"tls.obtain","msg":"will retry","error":"[share.naff.casa] Obtain: account pre-registration callback: failed getting EAB credentials: HTTP 200: failed_creating_eab_account (code 2902)","attempt":1,"retrying_in":60,"elapsed":5.548415887,"max_duration":2592000}
{"level":"error","ts":1705798184.2886047,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"bw.naff.casa","issuer":"acme.zerossl.com-v2-DV90","error":"account pre-registration callback: failed getting EAB credentials: HTTP 200: failed_creating_eab_account (code 2902)"}
{"level":"error","ts":1705798184.288799,"logger":"tls.obtain","msg":"will retry","error":"[bw.naff.casa] Obtain: account pre-registration callback: failed getting EAB credentials: HTTP 200: failed_creating_eab_account (code 2902)","attempt":1,"retrying_in":60,"elapsed":6.039383385,"max_duration":2592000}
{"level":"error","ts":1705798184.7426584,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"jellyfin.naff.casa","issuer":"acme.zerossl.com-v2-DV90","error":"account pre-registration callback: failed getting EAB credentials: HTTP 200: failed_creating_eab_account (code 2902)"}
{"level":"error","ts":1705798184.7427876,"logger":"tls.obtain","msg":"will retry","error":"[jellyfin.naff.casa] Obtain: account pre-registration callback: failed getting EAB credentials: HTTP 200: failed_creating_eab_account (code 2902)","attempt":1,"retrying_in":60,"elapsed":6.489067084,"max_duration":2592000}
{"level":"error","ts":1705798185.1893206,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"recipes.naff.casa","issuer":"acme.zerossl.com-v2-DV90","error":"account pre-registration callback: failed getting EAB credentials: HTTP 200: failed_creating_eab_account (code 2902)"}
{"level":"error","ts":1705798185.1894777,"logger":"tls.obtain","msg":"will retry","error":"[recipes.naff.casa] Obtain: account pre-registration callback: failed getting EAB credentials: HTTP 200: failed_creating_eab_account (code 2902)","attempt":1,"retrying_in":60,"elapsed":6.925615342,"max_duration":2592000}
{"level":"error","ts":1705798185.6596313,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"fleet.naff.casa","issuer":"acme.zerossl.com-v2-DV90","error":"account pre-registration callback: failed getting EAB credentials: HTTP 200: failed_creating_eab_account (code 2902)"}
{"level":"error","ts":1705798185.65973,"logger":"tls.obtain","msg":"will retry","error":"[fleet.naff.casa] Obtain: account pre-registration callback: failed getting EAB credentials: HTTP 200: failed_creating_eab_account (code 2902)","attempt":1,"retrying_in":60,"elapsed":7.400582871,"max_duration":2592000}
{"level":"error","ts":1705798186.130199,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"cctv.naff.casa","issuer":"acme.zerossl.com-v2-DV90","error":"account pre-registration callback: failed getting EAB credentials: HTTP 200: failed_creating_eab_account (code 2902)"}
{"level":"error","ts":1705798186.1303236,"logger":"tls.obtain","msg":"will retry","error":"[cctv.naff.casa] Obtain: account pre-registration callback: failed getting EAB credentials: HTTP 200: failed_creating_eab_account (code 2902)","attempt":1,"retrying_in":60,"elapsed":7.880060174,"max_duration":2592000}


3. Caddy version:

4. How I installed and ran Caddy:

docker-compose

a. System environment:

docker

b. Command:

docker-compose up -d


c. Service/unit/compose file:

# Compose definition for the Caddy container as posted: it publishes ports 80 and 443
# on the host and bind-mounts its config and state from /docker/caddy.
services:
        caddy:
                container_name: caddy
                # NOTE(review): caddy:latest is a floating tag, so the version that runs
                # changes with every pull (the "Caddy version" field of this post is blank).
                # Pinning a specific version tag or digest makes upgrades deliberate and
                # makes a report like this one reproducible.
                image: caddy:latest
                restart: unless-stopped
                ports:
                        - "80:80"
                        - "443:443"
                volumes:
                        # NOTE(review): Caddy only needs to read this file, so the mount
                        # could be made read-only by appending :ro.
                        - /docker/caddy/Caddyfile:/etc/caddy/Caddyfile
                        # /data is where Caddy keeps its state, including issued certificates
                        # with their private keys and the ACME account data. Keep the host
                        # directory restricted to the account that runs the container, and
                        # be aware that clearing it forces every certificate to be re-issued.
                        - /docker/caddy/data:/data
                        - /docker/caddy/srv:/srv
                        - /docker/caddy/config:/config
                networks:
                        - t2_proxy
networks:
  # The network is created outside this compose file and only referenced here.
  t2_proxy:
    external: true


d. My complete Caddy config:

# Caddyfile as posted: one site block per public hostname, each handing requests to a
# backend on the 192.168.1.x LAN.
# NOTE(review): no site block in this file carries an access-control directive, so the
# only authentication is whatever each backend enforces itself. The request log earlier
# in this post already shows unsolicited internet clients probing these names (for
# example GET /.git/config against bw.naff.casa), so every backend listed here should
# be treated as internet-facing.
{
        # Global options block. Entirely optional, https is on by default
        # Optional email key for lets encrypt
        email lookatme33@protonmail.com
        # Optional staging lets encrypt for testing. Comment out for production.
        # With both acme_ca lines below commented out, no CA is pinned here; the error
        # log in this post shows issuance then being attempted against the issuer
        # acme.zerossl.com-v2-DV90.
#            acme_ca https://acme-staging-v02.api.letsencrypt.org/directory

#    acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}
recipes.naff.casa {
        reverse_proxy 192.168.1.157:8081
}
request.naff.casa {
        reverse_proxy 192.168.1.157:5055
}
share.naff.casa {
        # NOTE(review): this upstream carries a path (/pwndrop). As the reply in this
        # thread points out, reverse_proxy only takes upstream addresses (host+port),
        # no paths, so this line is invalid as written.
        reverse_proxy 192.168.1.157:6969/pwndrop
}
paste.naff.casa {
        reverse_proxy 192.168.1.213:8085
}
remote.naff.casa {
        reverse_proxy 192.168.1.213:6969
}
www.naff.casa {
        # Sends www requests to the bare domain, keeping the requested URI.
        redir https://naff.casa{uri}
}
# NOTE(review): the site address below has no opening brace, yet a closing brace
# follows the directive, so the braces are unbalanced as posted (possibly a paste
# error when the config was copied into the forum).
naff.casa
        reverse_proxy 192.168.1.213:3344
}
sonarr.naff.casa {
        reverse_proxy 192.168.1.157:8989
}
radarr.naff.casa {
        reverse_proxy 192.168.1.157:7878
}
bw.naff.casa {
        reverse_proxy 192.168.1.213:8711
}
cctv.naff.casa {
        reverse_proxy 192.168.1.159:8123
}
jellyfin.naff.casa {
        reverse_proxy 192.168.1.157:8096
}
fleet.naff.casa {
        reverse_proxy 192.168.1.213:8484
}
code.naff.casa {
        reverse_proxy 192.168.1.213:4443
}
prox.naff.casa {
        reverse_proxy 192.168.1.208:8006 {
                transport http {
                        # tls_insecure_skip_verify turns off verification of the upstream's
                        # TLS certificate: the hop from Caddy to 192.168.1.208:8006 is still
                        # encrypted, but Caddy cannot tell the real upstream from an impostor
                        # on the LAN. Trusting the upstream's own CA certificate in this
                        # transport block (tls_trusted_ca_certs in Caddy releases of this
                        # period) keeps verification on.
                        tls_insecure_skip_verify
                }
        }
}

5. Links to relevant resources:

For anyone with the same error who’s reading this: I changed nothing. I waited an hour, cleared all of Caddy's data and certs, and then restarted Caddy.

Works like a dream now.

We are back.

This line (`reverse_proxy 192.168.1.157:6969/pwndrop` in the share.naff.casa block) is invalid: the proxy only takes upstream addresses (host+port), no paths.
