Issues with internal domain, Bind9 and Caddy TLS for the internal domain

1. The problem I’m having:

I’m trying to set up internal DNS with fully working TLS for those domains.
In one of the VMs on my network, I’ve set up bind9, which is the zone for a specific subdomain of my network: int.example.com.

Domain example.com itself is managed on Cloudflare, but I’d like int.example.com and all subdomains of it to be fully in internal network, with no exposure to outside world.
int.example.com is not present in Cloudflare in any way (as my public IP is not viable to be used there).

The current DNS chain in the internal network is:
Client → Bind9 → PiHole → Cloudflare

The exact issue I’m having is that the ZeroSSL calls are failing in the logs.

As I understand it, such a setup should still be somewhat supported? I will be glad for any responses, thank you in advance 🙂

2. Error messages and/or full log output:

[
  {
    "level": "error",
    "ts": 1704837424.4721053,
    "logger": "tls.issuance.acme.acme_client",
    "msg": "cleaning up solver",
    "identifier": "test.int.example.com",
    "challenge_type": "dns-01",
    "error": "no memory of presenting a DNS record for \"_acme-challenge.test.int.example.com\" (usually OK if presenting also failed)"
  },
  {
    "level": "error",
    "ts": 1704837424.6758957,
    "logger": "tls.obtain",
    "msg": "could not get certificate from issuer",
    "identifier": "test.int.example.com",
    "issuer": "acme-v02.api.letsencrypt.org-directory",
    "error": "[test.int.example.com] solving challenges: presenting for challenge: adding temporary record for zone \"int.example.com.\": got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme-v02.api.letsencrypt.org/acme/order/x/x) (ca=https://acme-v02.api.letsencrypt.org/directory)"
  },
  {
    "level": "info",
    "ts": 1704837425.7460938,
    "logger": "tls.issuance.zerossl",
    "msg": "generated EAB credentials",
    "key_id": ""
  },
  {
    "level": "info",
    "ts": 1704837426.3400786,
    "logger": "tls.issuance.zerossl",
    "msg": "waiting on internal rate limiter",
    "identifiers": [
      "test.int.example.com"
    ],
    "ca": "https://acme.zerossl.com/v2/DV90",
    "account": "me@example.com"
  },
  {
    "level": "info",
    "ts": 1704837426.3401396,
    "logger": "tls.issuance.zerossl",
    "msg": "done waiting on internal rate limiter",
    "identifiers": [
      "test.int.example.com"
    ],
    "ca": "https://acme.zerossl.com/v2/DV90",
    "account": "me@example.com"
  },
  {
    "level": "info",
    "ts": 1704837426.844525,
    "logger": "tls.issuance.zerossl.acme_client",
    "msg": "trying to solve challenge",
    "identifier": "test.int.example.com",
    "challenge_type": "dns-01",
    "ca": "https://acme.zerossl.com/v2/DV90"
  },
  {
    "level": "error",
    "ts": 1704837427.573195,
    "logger": "tls.issuance.zerossl.acme_client",
    "msg": "cleaning up solver",
    "identifier": "test.int.example.com",
    "challenge_type": "dns-01",
    "error": "no memory of presenting a DNS record for \"_acme-challenge.test.int.example.com\" (usually OK if presenting also failed)"
  },
  {
    "level": "error",
    "ts": 1704837427.777359,
    "logger": "tls.obtain",
    "msg": "could not get certificate from issuer",
    "identifier": "test.int.example.com",
    "issuer": "acme.zerossl.com-v2-DV90",
    "error": "[test.int.example.com] solving challenges: presenting for challenge: adding temporary record for zone \"int.example.com.\": got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme.zerossl.com/v2/DV90/order/x) (ca=https://acme.zerossl.com/v2/DV90)"
  },
  {
    "level": "error",
    "ts": 1704837427.7773986,
    "logger": "tls.obtain",
    "msg": "will retry",
    "error": "[test.int.example.com] Obtain: [test.int.example.com] solving challenges: presenting for challenge: adding temporary record for zone \"int.example.com.\": got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme.zerossl.com/v2/DV90/order/x) (ca=https://acme.zerossl.com/v2/DV90)",
    "attempt": 1,
    "retrying_in": 60,
    "elapsed": 35.52883398,
    "max_duration": 2592000
  }
]

3. Caddy version:

Caddy version: 2.7.6
with Caddy-Docker-Proxy: 2.8.10
and @latest caddy-dns for Cloudflare

4. How I installed and ran Caddy:

a. System environment:

VM in Proxmox, running Docker with a Docker image built based on the docs.

b. Command:

docker compose up -d
# Container itself is using
caddy docker-proxy

c. Service/unit/compose file:

services:
  caddy:
    container_name: caddy-proxy
    build:
      context: .
      dockerfile: Dockerfile
      args:
        CADDY_VERSION: 2.7.6
    ports:
      - 80:80/tcp
      - 80:80/udp
      - 443:443/tcp
      - 443:443/udp
      - 127.0.0.1:2019:2019
    environment:
      - ACME_AGREE=true
      - CADDY_INGRESS_NETWORKS=proxy-net
      - CADDY_DOCKER_CADDYFILE_PATH=/etc/caddy/Caddyfile
      - CLOUDFLARE_EMAIL=me@example.com
      - CLOUDFLARE_API_TOKEN #
    networks:
      proxy-net:
        ipv4_address: 172.20.0.2
    deploy:
      resources:
        limits:
          cpus: '1'
          memory: '256M'
        reservations:
          cpus: '0.2'
          memory: '128M'
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "./caddy/data:/data"
      - ./Caddyfile:/etc/caddy/Caddyfile
      - "./browse.html:/tmp/browse.html"
      - "./files:/mnt"
    restart:
      unless-stopped

networks:
  proxy-net:
    name: proxy-net
    driver: bridge
    ipam:
      driver: default
      config:
        -
          subnet: 172.20.0.0/24
          gateway: 172.20.0.1

Dockerfile

ARG CADDY_VERSION

FROM caddy:${CADDY_VERSION}-builder AS builder

RUN xcaddy build \
    --with github.com/lucaslorentz/caddy-docker-proxy/v2@v2.8.10 \
    --with github.com/caddy-dns/cloudflare@latest

FROM caddy:${CADDY_VERSION}-alpine

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

CMD ["caddy", "docker-proxy"]

d. My complete Caddy config:

{
        admin 0.0.0.0:2019

        email me@example.com
}

(common) {
        header /* {
                -Server
        }
}

(cert) {
        tls me@example.com {
                dns cloudflare {env.CLOUDFLARE_API_TOKEN}
                resolvers 10.64.0.144 1.1.1.1
        }
}

test.int.example.com {
        import cert
        root * /mnt/test
        file_server {
                browse /tmp/browse.html
        }
}

This looks like a Cloudflare authentication error. Are you sure your Cloudflare API token is properly set? Did you follow the instructions in the Cloudflare plugin’s README for setting up your token?

You can remove this, it was only relevant for Caddy v1 and earlier.

Caddy doesn’t use UDP for port 80, only for port 443 (HTTP/3 is TLS-only).


I did, though my main domain and its zone is example.com in the log’s case, not int.example.com. Maybe that’s causing the issue?
I’ve created the token with Zone-Zone-Read + Zone-DNS-Edit permissions; if I recall from the documentation, that’s what’s required.

After some tinkering with restarting Caddy and my internal DNS (I also replaced the token), it worked for test.int.kamisoi.pl, but the next domains had issues registering.
Then I changed the Caddyfile a bit, and it seems like removing the resolvers line fixed the issue on my end.
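Why the resolvers line matters here, as an added illustration that is not part of this thread and not Caddy's or the Cloudflare plugin's own code: ACME dns-01 solvers pick the zone for the _acme-challenge TXT record by walking the name towards the root and stopping at the first label that has an SOA record, using the configured resolvers. The resolver views below are constructed: the internal bind9 at 10.64.0.144 answers an SOA for int.example.com., so the walk yields the zone name seen in the log, while a public resolver yields example.com., the zone Cloudflare actually hosts.

```python
# Added example: models the SOA walk an ACME dns-01 solver performs to choose
# the zone for the _acme-challenge record. Not Caddy's own code.
from typing import Callable, Optional, Set

# Constructed resolver views (what each resolver answers an SOA for).
INTERNAL_SOA = {"int.example.com.", "example.com."}   # bind9 at 10.64.0.144
PUBLIC_SOA = {"example.com."}                         # e.g. 1.1.1.1
CLOUDFLARE_ZONES = {"example.com."}                    # zones the provider manages


def make_resolver(soa_names: Set[str]) -> Callable[[str], bool]:
    """Return a lookup that answers True when the name has an SOA record."""
    return lambda name: name in soa_names


def find_zone_by_fqdn(fqdn: str, has_soa: Callable[[str], bool]) -> Optional[str]:
    """Walk from the FQDN towards the root; return the first name with an SOA.

    For _acme-challenge.test.int.example.com the candidates are tried in the
    order _acme-challenge.test.int.example.com., test.int.example.com.,
    int.example.com., example.com., com.  The first hit is the enclosing zone.
    """
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if has_soa(candidate):
            return candidate
    return None


def record_placement(fqdn: str, has_soa: Callable[[str], bool],
                     provider_zones: Set[str]) -> str:
    """Describe where the TXT record would go, or why creation cannot succeed."""
    zone = find_zone_by_fqdn(fqdn, has_soa)
    if zone is None:
        return "no zone found"
    if zone in provider_zones:
        return f"TXT record for {fqdn} goes into zone {zone}"
    return f"zone {zone} is not managed by the DNS provider; record creation fails"


if __name__ == "__main__":
    name = "_acme-challenge.test.int.example.com"
    print("internal resolver:", record_placement(name, make_resolver(INTERNAL_SOA), CLOUDFLARE_ZONES))
    print("public resolver:  ", record_placement(name, make_resolver(PUBLIC_SOA), CLOUDFLARE_ZONES))
```

The split-horizon check to run in practice is to compare `dig SOA int.example.com` against the internal resolver and against a public one; if they disagree, the solver must be pointed at resolvers that see the zone as the DNS provider does.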

So it’s working now? This is resolved?

If not, I’m not clear what the problem is. Please share logs, etc.
