Let's Encrypt portforwarding

I’m trying to configure port forwarding with automated LE.

What should my Caddyfile look like then?
I have the following config:

https://www.domain.com:8443
http://www.domain.com:8080
http://domain.com:8080 {
    redir https://domain.com:8080/...
}

https://domain.com:8443 {
    # ...
}

If I do so I get this error:

2016/11/24 18:38:51 [www.domain.com] failed to get certificate: acme: Error 400 - urn:acme:error:connection - Failed to connect to x.x.x.x:443 for TLS-SNI-01 challenge
Error Detail:
	Validation for www.domain.com:443
	Resolved to:
		x.x.x.x
	Used: x.x.x.x

You’ll need to configure your system to forward port 443 to whatever port Caddy is serving TLS on. I think that should work but I haven’t tried it.

Yes, that’s what I did, so the system forwards port 443 to 8443. But how does this affect the automated LE?

Or should I also allow external connections to port 8443 to my server, @matt ?

I don’t get it. Can’t you open port 443?

LetsEncrypt is not going to try to connect to your server on port 8443, so it is unnecessary to leave it open at the edge.

The following is required whenever a Caddy server at x.x.x.x requests a cert for use on www.domain.com:

  • www.domain.com resolves to x.x.x.x
  • x.x.x.x accepts connections on ports 80 and 443
  • Caddy is able to serve the ACME well-known token to a request for www.domain.com at x.x.x.x

I would look into possible issues between your network edge and the Caddy server, perhaps a problem in your port forwarding config.

Ports 80 and 443 are open on the machine and forward to 8080 and 8443:

rdr pass inet proto tcp from any to any port 80 -> 127.0.0.1 port 8080
rdr pass inet proto tcp from any to any port 443 -> 127.0.0.1 port 8443

If I run with existing websites (i.e. sites which don’t need to get new certs), I can access them both through http and https on ports 80 and 443 respectively.
If I then add a new domain (which resolves to the same machine) I get this error:

2016/11/24 18:38:51 [www.domain.com] failed to get certificate: acme: Error 400 - urn:acme:error:connection - Failed to connect to x.x.x.x:443 for TLS-SNI-01 challenge
Error Detail:
	Validation for www.domain.com:443
	Resolved to:
		x.x.x.x
	Used: x.x.x.x
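The checklist given earlier (DNS to x.x.x.x, ports 80 and 443 reachable, Caddy serving the host on the port each of them forwards to) can be sanity-checked offline against the pf rdr rules and the Caddyfile. The script below is an added example, not code from the thread or from Caddy; it parses both and reports any https host whose external port 80 or 443 does not land on a matching Caddy listener. The inputs are constructed from the snippets above, and the third item (actually serving the ACME token) still needs a live request and is not covered.

```python
import re

# Constructed inputs modelled on the thread: pf rdr rules and Caddyfile site addresses.
PF_RULES = """\
rdr pass inet proto tcp from any to any port 80 -> 127.0.0.1 port 8080
rdr pass inet proto tcp from any to any port 443 -> 127.0.0.1 port 8443
"""
CADDYFILE = """\
https://www.domain.com:8443
http://www.domain.com:8080
http://domain.com:8080 {
    # ...
}
https://domain.com:8443 {
    # ...
}
"""

RDR_RE = re.compile(r"^rdr\b.*\bport\s+(\d+)\s*->\s*(\S+)\s+port\s+(\d+)")
SITE_RE = re.compile(r"^(https?)://([A-Za-z0-9.-]+)(?::(\d+))?")

def parse_rdr(text):
    """Map external port -> internal port from pf 'rdr' lines."""
    fwd = {}
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if m:
            fwd[int(m.group(1))] = int(m.group(3))
    return fwd

def parse_sites(text):
    """Map (scheme, host) -> set of ports Caddy listens on, from site addresses."""
    sites = {}
    for line in text.splitlines():
        m = SITE_RE.match(line.strip())
        if m:
            scheme, host, port = m.groups()
            port = int(port) if port else (443 if scheme == "https" else 80)
            sites.setdefault((scheme, host), set()).add(port)
    return sites

def check_acme_path(pf_text, caddy_text):
    """For every https host: the validator's connection to 443 (TLS-SNI-01) must
    reach an https listener for that host, and 80 (HTTP-01) an http listener."""
    fwd, sites, findings = parse_rdr(pf_text), parse_sites(caddy_text), []
    for (scheme, host), _ in sites.items():
        if scheme != "https":
            continue
        for ext, need in ((443, "https"), (80, "http")):
            internal = fwd.get(ext, ext)  # no rdr rule: Caddy must serve the port itself
            if internal not in sites.get((need, host), set()):
                findings.append(f"{host}: port {ext} reaches {internal}, no {need} listener there")
    return findings
```

With the thread's rules and Caddyfile the check returns no findings, which is consistent with the problem lying between the network edge and the host rather than in this mapping.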

Out of curiosity, are you able to ping outbound1.letsencrypt.org and outbound2.letsencrypt.org from your server?

I can ping them but I can’t curl them.

I think I’ll end up using Docker on my macos server to run Caddy with PHP.
The Docker image works perfectly…

Update: I’m now running Caddy in a Docker container… All problems solved (a couple of new problems introduced… but those are also already solved)
