LE Certificates for internal Hosts

1. The problem I’m having:

Hi folks, what I'm trying to achieve is to access the local hosts in my network over a connection secured by a Let's Encrypt certificate. The aim is to reach the hosts via HTTPS without any error :slight_smile:

I'm using DuckDNS and PiHole for local DNS.

For test purposes I'm using https://proxmox.app, which should point to https://10.0.10.4:8006/
For that reason I have set this DNS entry in my PiHole, pointing to the Caddy server.
I explicitly don't want to expose my hosts to the internet; they should stay local, with the DNS challenge.

Regards

2. Error messages and/or full log output:

{"level":"info","ts":1718134564.1075876,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1718134564.107637,"msg":"serving initial configuration"}
{"level":"info","ts":1718134564.1078165,"logger":"tls.obtain","msg":"acquiring lock","identifier":"proxmox.app"}
{"level":"info","ts":1718134564.1112092,"logger":"tls.obtain","msg":"lock acquired","identifier":"proxmox.app"}
{"level":"info","ts":1718134564.1113,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"proxmox.app"}
{"level":"info","ts":1718134564.1121829,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["proxmox.app"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"test@mail.de"}
{"level":"info","ts":1718134564.112228,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["proxmox.app"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"test@mail.de"}
{"level":"info","ts":1718134564.1122577,"logger":"tls.issuance.acme","msg":"using ACME account","account_id":"https://acme-v02.api.letsencrypt.org/acme/acct/901338807","account_contact":["mailto:test@mail.de"]}
{"level":"info","ts":1718134564.1163316,"logger":"tls","msg":"cleaning storage unit","storage":"FileStorage:/data/caddy"}
{"level":"info","ts":1718134564.117662,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1718134569.3271134,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"proxmox.app","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1718134581.904866,"logger":"tls.issuance.acme.acme_client","msg":"cleaning up solver","identifier":"proxmox.app","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.proxmox.app\" (usually OK if presenting also failed)"}
{"level":"error","ts":1718134582.1029658,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"proxmox.app","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[proxmox.app] solving challenges: presenting for challenge: adding temporary record for zone \"proxmox.app.\": DuckDNS request failed, expected (OK) but got (KO), url: [https://www.duckdns.org/update?domains=app&token=028-2607321-6656313&txt=q-Oaz3G5NJkJ6xjgl5zim4qzhETWNxQSBSPT-ENzPVE&verbose=true], body: KO (order=https://acme-v02.api.letsencrypt.org/acme/order/901338807/277502175527) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
{"level":"error","ts":1718134582.1038775,"logger":"tls.obtain","msg":"will retry","error":"[proxmox.app] Obtain: [proxmox.app] solving challenges: presenting for challenge: adding temporary record for zone \"proxmox.app.\": DuckDNS request failed, expected (OK) but got (KO), url: [https://www.duckdns.org/update?domains=app&token=028-2607321-6656313&txt=q-Oaz3G5NJkJ6xjgl5zim4qzhETWNxQSBSPT-ENzPVE&verbose=true], body: KO (order=https://acme-v02.api.letsencrypt.org/acme/order/901338807/277502175527) (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":17.992618511,"max_duration":2592000}

3. Caddy version:

(see in Docker Compose)

4. How I installed and ran Caddy:

a. System environment:

Proxmox LXC / Docker Stack, Docker Compose

b. Command:

docker-compose up -d

c. Service/unit/compose file:

```yaml
  caddy:
    image: serfriz/caddy-duckdns:latest
    container_name: caddy
    restart: always
    ports:
      - 80:80  # HTTP->HTTPS redirects; not needed for validation when the DNS-01 challenge is used.
      - 443:443
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - ./caddy-config:/config
      - ./caddy-data:/data
    environment:
      - DOMAIN=mydnsname.duckdns.org  # Your domain.
      - EMAIL=mail@test.de    # The email address to use for ACME registration.
      - LOG_FILE=./caddy-data/access.log
      - DUCKDNS_TOKEN=mytoken
    networks:
      - user_bridge
```

d. My complete Caddy config:

```caddyfile
proxmox.app {
    # Proxmox's web UI on 8006 speaks HTTPS only, so the upstream needs the
    # https scheme; its default certificate is self-signed, hence skip verify.
    reverse_proxy https://10.0.10.4:8006 {
        transport http {
            tls_insecure_skip_verify
        }
    }

    tls {
        dns duckdns {env.DUCKDNS_TOKEN}
    }
}
```

5. Links to relevant resources:

You still need to use a real domain to get a real certificate. You can’t get a certificate from Let’s Encrypt for a fake domain, because they need to perform validation that you control that domain. You can use your DuckDNS domain, because it’s a real public domain, but just configure the domain in DuckDNS to use your LAN IP instead of your public IP.

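The DuckDNS update API only manages names under duckdns.org, which is why the solver's request for the proxmox.app zone comes back with KO in the log above. The following Caddyfile is an added example, not the original poster's config, of what the reply describes: it uses the DuckDNS name already present in the compose file (mydnsname.duckdns.org is a placeholder) and assumes that name is set in DuckDNS to the LAN IP of the Caddy host and that PiHole resolves it to the same address.

```caddyfile
# Added example, not from the original post. mydnsname.duckdns.org is assumed
# to point, both in DuckDNS and in PiHole, at the LAN IP of the Caddy host.
mydnsname.duckdns.org {
    # Proxmox's UI on 8006 is HTTPS with a self-signed certificate by default;
    # importing the Proxmox CA into the container is the stricter alternative.
    reverse_proxy https://10.0.10.4:8006 {
        transport http {
            tls_insecure_skip_verify
        }
    }

    tls {
        # DNS-01: the plugin publishes _acme-challenge TXT through the DuckDNS
        # update API, so nothing needs to be reachable from the internet.
        dns duckdns {env.DUCKDNS_TOKEN}
    }
}
```

Let's Encrypt resolves the name from outside, so a local PiHole override has no effect on validation; while Caddy is solving, `dig TXT _acme-challenge.mydnsname.duckdns.org @1.1.1.1` should show the challenge record. DuckDNS stores a single TXT value per DuckDNS domain through its update API, so if more hosts are added as subdomains of the same DuckDNS name, their issuances should not run at the same time.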

Hi @Alexwillwissen, with that failure above LE cannot validate DNS-01 against DuckDNS.

Also:
# PLEASE CHANGE YOUR tokens!
They are now public. :scream:

If you’re talking about what’s in the logs, nope that’s just the ACME DNS nonce being written to the TXT record, not the DuckDNS token. We don’t write the token to the logs.

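Whichever value in that update URL is the secret, a safe habit before pasting Caddy logs into a public thread is to mask the `token` and `txt` query parameters (and the ACME account e-mail) first. The script below is an added example for this thread, not Caddy's or the DuckDNS plugin's own code; the sample log lines in it are constructed to mirror the shape of the solver error above, and every token, txt and account value in them is made up.

```python
"""Scrub secrets from Caddy JSON logs before pasting them into a public thread.

Added example for this thread; it is not Caddy's or the DuckDNS plugin's
own code. The sample lines below are constructed to mirror the shape of
the solver error in the thread; every token, txt and account value in
them is made up.
"""
import json
import re
import sys
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters in DuckDNS update URLs whose values must not be shared:
# "token" authenticates to DuckDNS, "txt" is the live ACME challenge value.
SENSITIVE_PARAMS = {"token", "txt"}

# A URL embedded in a log message, e.g. "url: [https://www.duckdns.org/...]".
URL_RE = re.compile(r'https?://[^\s\]"]+')


def scrub_url(url: str) -> str:
    """Return the URL with sensitive query parameter values replaced."""
    parts = urlsplit(url)
    if not parts.query:
        return url
    cleaned = [
        (key, "REDACTED" if key in SENSITIVE_PARAMS else value)
        for key, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def scrub_text(text: str) -> str:
    """Scrub every URL found in a free-text message."""
    return URL_RE.sub(lambda m: scrub_url(m.group(0)), text)


def scrub_log_line(line: str) -> str:
    """Scrub one Caddy JSON log line; non-JSON lines are scrubbed as text."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return scrub_text(line)
    if not isinstance(record, dict):
        return scrub_text(line)
    for key, value in list(record.items()):
        if isinstance(value, str):
            record[key] = scrub_text(value)
    # The ACME account e-mail is not a secret, but it identifies the poster.
    if "account" in record and "@" in str(record["account"]):
        record["account"] = "REDACTED"
    if isinstance(record.get("account_contact"), list):
        record["account_contact"] = ["REDACTED"] * len(record["account_contact"])
    return json.dumps(record, separators=(",", ":"))


def scrub_log(lines):
    """Scrub an iterable of log lines, returning a list of scrubbed lines."""
    return [scrub_log_line(line.rstrip("\n")) for line in lines]


# Constructed sample lines in the shape of the thread's solver error.
SAMPLE_LINES = [
    '{"level":"info","ts":1718134564.1,"logger":"tls.issuance.acme",'
    '"msg":"using ACME account","account_id":"https://acme-v02.api.letsencrypt.org/acme/acct/1",'
    '"account_contact":["mailto:someone@example.invalid"]}',
    '{"level":"error","ts":1718134582.1,"logger":"tls.obtain",'
    '"msg":"could not get certificate from issuer","identifier":"example.duckdns.org",'
    '"error":"DuckDNS request failed, expected (OK) but got (KO), url: '
    '[https://www.duckdns.org/update?domains=example&token=00000000-1111-2222-3333-444444444444'
    '&txt=FAKEchallengeVALUE&verbose=true], body: KO"}',
]

if __name__ == "__main__":
    # Usage: docker compose logs --no-log-prefix caddy | python scrub_caddy_logs.py
    # With no piped input the constructed sample lines are scrubbed instead.
    source = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    for scrubbed in scrub_log(source):
        print(scrubbed)
```

Only the values are masked; the parameter names, the zone, the order URL and the KO body stay visible, which is what a helper needs to diagnose the failure.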

OK, so @francislavoie you are saying this one is not a problem.
Sorry for alarming (and too loudly) :frowning:

I think proxmox.app is a real domain name, just very sparse.

https://dnsspy.io/scan/proxmox.app

And here