LXC and reverse proxy

Now:

Reverse Proxy Frontend LXD container:

root@haproxy01:~# caddy run --config /etc/caddy/Caddyfile
2020/03/19 22:30:50.480	INFO	using provided configuration	{"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""}
2020/03/19 22:30:50.482	INFO	admin	admin endpoint started	{"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
2020/03/19 22:30:50.483	INFO	http	server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS	{"server_name": "srv0", "https_port": 443}
2020/03/19 22:30:50.483	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
2020/03/19 22:30:50 [INFO][cache:0xc0004abbd0] Started certificate maintenance routine
2020/03/19 22:30:50.485	INFO	tls	cleaned up storage units
2020/03/19 22:30:50.486	INFO	http	enabling automatic TLS certificate management	{"domains": ["domain.com"]}
2020/03/19 22:30:50.501	INFO	autosaved config	{"file": "/root/.config/caddy/autosave.json"}
2020/03/19 22:30:50.501	INFO	serving initial configuration

Backend LXD container wordpress:

root@wordpress01:~# caddy run --config /etc/caddy/Caddyfile
2020/03/19 22:30:53.335	INFO	using provided configuration	{"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""}
2020/03/19 22:30:53.337	INFO	admin	admin endpoint started	{"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
2020/03/19 22:30:53 [INFO][cache:0xc00074b9a0] Started certificate maintenance routine
2020/03/19 22:30:53.338	INFO	http	server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS	{"server_name": "srv0", "https_port": 443}
2020/03/19 22:30:53.338	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
2020/03/19 22:30:53.353	INFO	tls	setting internal issuer for automation policy that has only internal subjects but no issuer configured	{"subjects": ["localhost"]}
2020/03/19 22:30:53.356	INFO	tls	cleaned up storage units
2020/03/19 22:30:53.469	WARN	pki.ca.local	trusting root certificate (you might be prompted for password)	{"path": "storage:pki/authorities/local/root.crt"}
2020/03/19 22:30:53.470	ERROR	pki	failed to install root certificate	{"error": "not NSS security databases found", "certificate_file": "storage:pki/authorities/local/root.crt"}
2020/03/19 22:30:53.470	INFO	http	enabling automatic TLS certificate management	{"domains": ["localhost"]}
2020/03/19 22:30:53 [WARNING] Stapling OCSP: no OCSP stapling for [localhost]: no OCSP server specified in certificate
2020/03/19 22:30:53.472	INFO	autosaved config	{"file": "/root/.config/caddy/autosave.json"}
2020/03/19 22:30:53.472	INFO	serving initial configuration

And when I try in my Firefox, I have:

The page isn't redirecting properly

    Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

    This problem can sometimes be caused by disabling or refusing to accept cookies.

And in the frontend reverse_proxy log:

2020/03/19 22:33:52.482	INFO	http.log.access.log0	handled request	{"request": {"method": "GET", "uri": "/", "proto": "HTTP/2.0", "remote_addr": "127.0.0.1:51200", "host": "domain.com", "headers": {"Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"], "Accept-Language": ["fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3"], "Accept-Encoding": ["gzip, deflate, br"], "Dnt": ["1"], "Upgrade-Insecure-Requests": ["1"], "Te": ["trailers"], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "domain.com"}}, "common_log": "127.0.0.1 - - [19/Mar/2020:22:33:52 +0000] \"GET / HTTP/2.0\" 308 0", "latency": 0.002303113, "size": 0, "status": 308, "resp_headers": {"Server": ["Caddy", "Caddy"], "Date": ["Thu, 19 Mar 2020 22:33:52 GMT"], "Content-Length": ["0"], "Location": ["https://domain.com/"]}}

NO activity on backend.
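Reading the frontend access log above: the 308 carries Location https://domain.com/ and two Server: Caddy headers, so the redirect was produced by the backend and passed through by the frontend. The backend received a clear-text request on port 80 with Host domain.com, so its automatic HTTP->HTTPS redirect pointed the browser back at the very URL it had just requested, which is the loop Firefox reports. The Go program below is an added illustration, not code from this thread or from Caddy: it rebuilds both topologies with net/http/httptest, a proxy to the backend's clear-text port (the loop) and a proxy to its TLS port with the backend's certificate trusted (the working setup reached later in the thread). The handler, the "domain.com" Host and the Server header stacking are stand-ins for the two containers, not Caddy's own code.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// site stands in for the wordpress01 backend: like Caddy's automatic HTTPS, any clear-text
// request is answered with a 308 to https://<Host>/<path>; only a TLS request reaches content.
func site(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Server", "Caddy")
	if r.TLS == nil {
		http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusPermanentRedirect)
		return
	}
	io.WriteString(w, "wordpress\n")
}

// proxy stands in for the haproxy01 frontend's reverse_proxy: the browser's Host header is
// forwarded unchanged, and a second Server header is stacked on the backend's reply.
func proxy(upstream string, transport http.RoundTripper) http.Handler {
	u, err := url.Parse(upstream)
	if err != nil {
		panic(err)
	}
	rp := httputil.NewSingleHostReverseProxy(u)
	rp.Transport = transport
	rp.ModifyResponse = func(resp *http.Response) error {
		resp.Header.Add("Server", "Caddy")
		return nil
	}
	return rp
}

type reply struct {
	status   int
	location string
	servers  []string
	body     string
}

// fetch does what the browser did: one request for https://domain.com/ that lands on the
// frontend. Redirects are not followed so the Location the frontend hands back stays visible.
func fetch(frontend *httptest.Server) reply {
	c := frontend.Client()
	c.CheckRedirect = func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }
	req, err := http.NewRequest("GET", frontend.URL+"/", nil)
	if err != nil {
		panic(err)
	}
	req.Host = "domain.com" // the Host the TLS-terminating frontend sees and forwards
	resp, err := c.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return reply{resp.StatusCode, resp.Header.Get("Location"), resp.Header.Values("Server"), string(body)}
}

// run builds both topologies: reverse_proxy wordpress01:80 (the loop) and
// reverse_proxy wordpress01:443 with the backend's certificate trusted (works).
func run() (loop, fixed reply) {
	plain := httptest.NewServer(http.HandlerFunc(site)) // wordpress01:80
	defer plain.Close()
	tlsUp := httptest.NewTLSServer(http.HandlerFunc(site)) // wordpress01:443
	defer tlsUp.Close()
	fe80 := httptest.NewTLSServer(proxy(plain.URL, http.DefaultTransport))
	defer fe80.Close()
	// tlsUp.Client().Transport trusts tlsUp's certificate: the tls_trusted_ca_certs step.
	fe443 := httptest.NewTLSServer(proxy(tlsUp.URL, tlsUp.Client().Transport))
	defer fe443.Close()
	return fetch(fe80), fetch(fe443)
}

func main() {
	loop, fixed := run()
	fmt.Printf("proxy to :80  -> %d Location=%q Server=%v\n", loop.status, loop.location, loop.servers)
	fmt.Printf("proxy to :443 -> %d body=%q\n", fixed.status, fixed.body)
}
```

The first line of output is the thread's log entry in miniature: a 308 whose Location is the URL the browser is already on, with the doubled Server header showing the reply passed through two Caddy instances. Forwarding to the backend's HTTPS port removes the redirect but, as the rest of the thread shows, requires the backend to present a certificate the frontend can verify.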

Hello,
I updated to v2.0.0-beta.18 h1:N8CR8nO+n9Sk16CBx6ysVZWIZv0hgtU1J84st1bFWgI=
and added to the backend Caddyfile:

localhost
root * /var/www/
tls {
	on_demand
}
log {
	output file /var/log/caddy/domain.com.log
}
file_server

And I still have the same error in the backend container:

root@wordpress01:~# caddy run --config /etc/caddy/Caddyfile
2020/03/21 02:05:44.655	INFO	using provided configuration	{"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""}
2020/03/21 02:05:44.657	INFO	admin	admin endpoint started	{"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
2020/03/21 02:05:44.658	INFO	tls	setting internal issuer for automation policy that has only internal subjects but no issuer configured	{"subjects": ["localhost"]}
2020/03/21 02:05:44 [INFO][cache:0xc0002a7cc0] Started certificate maintenance routine
2020/03/21 02:05:44.672	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
2020/03/21 02:05:44.742	WARN	pki.ca.local	trusting root certificate (you might be prompted for password)	{"path": "storage:pki/authorities/local/root.crt"}
2020/03/21 02:05:44.788	ERROR	pki	failed to install root certificate	{"error": "not NSS security databases found", "certificate_file": "storage:pki/authorities/local/root.crt"}
2020/03/21 02:05:44.791	INFO	tls	cleaned up storage units
2020/03/21 02:05:44.791	INFO	http	enabling automatic TLS certificate management	{"domains": ["localhost"]}
2020/03/21 02:05:44.791	INFO	autosaved config	{"file": "/root/.config/caddy/autosave.json"}
2020/03/21 02:05:44.791	INFO	serving initial configuration

And on the frontend container:

2020/03/21 02:06:44.236	INFO	http.log.access.log0	handled request	{"request": {"method": "GET", "uri": "/", "proto": "HTTP/2.0", "remote_addr": "127.0.0.1:52874", "host": "domain.com", "headers": {"Upgrade-Insecure-Requests": ["1"], "Te": ["trailers"], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"], "Accept-Language": ["fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3"], "Accept-Encoding": ["gzip, deflate, br"], "Dnt": ["1"]}, "tls": {"resumed": true, "version": 772, "ciphersuite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "domain.com"}}, "common_log": "127.0.0.1 - - [21/Mar/2020:02:06:44 +0000] \"GET / HTTP/2.0\" 308 0", "latency": 0.002299566, "size": 0, "status": 308, "resp_headers": {"Date": ["Sat, 21 Mar 2020 02:06:44 GMT"], "Content-Length": ["0"], "Server": ["Caddy", "Caddy"], "Location": ["https://domain.com/"]}

Sorry…

I changed reverse_proxy 80 to 443 in the frontend.

And now:
in the frontend logs:

2020/03/21 07:37:53.671	ERROR	http.log.access.log0	handled request	{"request": {"method": "GET", "uri": "/", "proto": "HTTP/2.0", "remote_addr": "127.0.0.1:53444", "host": "domain.com", "headers": {"Accept-Language": ["fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3"], "Accept-Encoding": ["gzip, deflate, br"], "Dnt": ["1"], "Upgrade-Insecure-Requests": ["1"], "Cache-Control": ["max-age=0"], "Te": ["trailers"], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "domain.com"}}, "common_log": "127.0.0.1 - - [21/Mar/2020:07:37:53 +0000] \"GET / HTTP/2.0\" 502 0", "latency": 0.010296563, "size": 0, "status": 502, "resp_headers": {"Server": ["Caddy"]}}

and in the backend container:

2020/03/21 07:37:53 http: TLS handshake error from 10.244.32.196:41970: no certificate available for 'wordpress01'

Maybe I'm near a solution.

Listen to :443 instead of localhost on your wordpress backend (first line of your Caddyfile)

With :443 instead of localhost, at each browser request my backend logs:

2020/03/21 17:12:38 [INFO] Obtaining new certificate for wordpress01
2020/03/21 17:12:38 [INFO][wordpress01] Obtain certificate; acquiring lock...
2020/03/21 17:12:38 [INFO][wordpress01] Obtain: Lock acquired; proceeding...
2020/03/21 17:12:39 [INFO][wordpress01] Waiting on rate limiter...
2020/03/21 17:12:39 [INFO][wordpress01] Done waiting
2020/03/21 17:12:39 [INFO] [wordpress01] acme: Obtaining bundled SAN certificate given a CSR
2020/03/21 17:12:39 [ERROR] acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rejectedIdentifier :: Error creating new order :: Cannot issue for "wordpress01": Domain name needs at least one dot, url:  (challenge=tls-alpn-01 remaining=[http-01])
2020/03/21 17:12:41 [INFO] [wordpress01] acme: Obtaining bundled SAN certificate given a CSR
2020/03/21 17:12:42 [ERROR] acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rejectedIdentifier :: Error creating new order :: Cannot issue for "wordpress01": Domain name needs at least one dot, url:  (challenge=http-01 remaining=[])
2020/03/21 17:12:44 [INFO][wordpress01] Obtain: Releasing lock
2020/03/21 17:12:44 http: TLS handshake error from 10.244.32.196:42398: [wordpress01] Obtain: [wordpress01] acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rejectedIdentifier :: Error creating new order :: Cannot issue for "wordpress01": Domain name needs at least one dot, url:

and frontend:

2020/03/21 17:13:05.959	ERROR	http.log.error.log0	remote error: tls: internal error	{"request": {"method": "GET", "uri": "/", "proto": "HTTP/2.0", "remote_addr": "127.0.0.1:53864", "host": "domain.com", "headers": {"Accept-Encoding": ["gzip, deflate, br"], "Dnt": ["1"], "Upgrade-Insecure-Requests": ["1"], "Cache-Control": ["max-age=0"], "Te": ["trailers"], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"], "Accept-Language": ["fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "domain.com"}}, "status": 502, "err_id": "4iqeqncyf", "err_trace": "reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:363)"}
2020/03/21 17:13:05.960	ERROR	http.log.access.log0	handled request	{"request": {"method": "GET", "uri": "/", "proto": "HTTP/2.0", "remote_addr": "127.0.0.1:53864", "host": "domain.com", "headers": {"Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"], "Accept-Language": ["fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3"], "Accept-Encoding": ["gzip, deflate, br"], "Dnt": ["1"], "Upgrade-Insecure-Requests": ["1"], "Cache-Control": ["max-age=0"], "Te": ["trailers"], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "domain.com"}}, "common_log": "127.0.0.1 - - [21/Mar/2020:17:13:05 +0000] \"GET / HTTP/2.0\" 502 0", "latency": 4.556397078, "size": 0, "status": 502, "resp_headers": {"Server": ["Caddy"]}}

You can’t use Let’s Encrypt to get a certificate for wordpress01, so use the local issuer instead:

tls internal {
   on_demand
}

This is documented here: Automatic HTTPS — Caddy Documentation and here: tls (Caddyfile directive) — Caddy Documentation

I already posted my backend config, as you can see:

localhost
root * /var/www/
tls {
	on_demand
}
log {
	output file /var/log/caddy/domain.com.log
}
file_server

Yes, and? :face_with_monocle:

(and I thought you had changed localhost to :443)


Sorry Matt, but read the post above. Obviously I'm not an expert, so I sent all I have, each time, and nothing works. I would like to help, but I don't know how.

With the latest backend config, I have:

localhost
root * /var/www/
tls {
        on_demand
}
log {
        output file /var/log/caddy/domain.com.log
}
file_server

and frontend config:

{
        debug
}

domain.com {
        reverse_proxy wordpress01:443
        log {
                output file /var/log/caddy/domain.com.log
        }
}

And the frontend logs:

root@haproxy01:~# caddy run --config /etc/caddy/Caddyfile
2020/03/21 18:27:42.024	INFO	using provided configuration	{"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""}
2020/03/21 18:27:42.047	INFO	admin	admin endpoint started	{"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
2020/03/21 18:27:42 [INFO][cache:0xc000694aa0] Started certificate maintenance routine
2020/03/21 18:27:42.047	INFO	http	server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS	{"server_name": "srv0", "https_port": 443}
2020/03/21 18:27:42.047	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
2020/03/21 18:27:42.048	INFO	http	enabling automatic TLS certificate management	{"domains": ["domain.com"]}
2020/03/21 18:27:42.062	INFO	tls	cleaned up storage units
2020/03/21 18:27:42.063	INFO	autosaved config	{"file": "/root/.config/caddy/autosave.json"}
2020/03/21 18:27:42.063	INFO	serving initial configuration
2020/03/21 18:27:48.316	ERROR	http.log.error.log0	remote error: tls: internal error	{"request": {"method": "GET", "uri": "/", "proto": "HTTP/2.0", "remote_addr": "127.0.0.1:53950", "host": "domain.com", "headers": {"Dnt": ["1"], "Upgrade-Insecure-Requests": ["1"], "Cache-Control": ["max-age=0"], "Te": ["trailers"], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"], "Accept-Language": ["fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3"], "Accept-Encoding": ["gzip, deflate, br"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "domain.com"}}, "status": 502, "err_id": "2vtezdphd", "err_trace": "reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:363)"}
2020/03/21 18:27:48.316	ERROR	http.log.access.log0	handled request	{"request": {"method": "GET", "uri": "/", "proto": "HTTP/2.0", "remote_addr": "127.0.0.1:53950", "host": "domain.com", "headers": {"Te": ["trailers"], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"], "Accept-Language": ["fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3"], "Accept-Encoding": ["gzip, deflate, br"], "Dnt": ["1"], "Upgrade-Insecure-Requests": ["1"], "Cache-Control": ["max-age=0"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "domain.com"}}, "common_log": "127.0.0.1 - - [21/Mar/2020:18:27:48 +0000] \"GET / HTTP/2.0\" 502 0", "latency": 0.003536149, "size": 0, "status": 502, "resp_headers": {"Server": ["Caddy"]}}

and the backend:

root@wordpress01:~# caddy run --config /etc/caddy/Caddyfile
2020/03/21 18:27:39.356	INFO	using provided configuration	{"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""}
2020/03/21 18:27:39.358	INFO	admin	admin endpoint started	{"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
2020/03/21 18:27:39.359	INFO	tls	setting internal issuer for automation policy that has only internal subjects but no issuer configured	{"subjects": ["localhost"]}
2020/03/21 18:27:39 [INFO][cache:0xc000243ef0] Started certificate maintenance routine
2020/03/21 18:27:39.373	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
2020/03/21 18:27:39.373	INFO	http	enabling automatic TLS certificate management	{"domains": ["localhost"]}
2020/03/21 18:27:39.441	WARN	pki.ca.local	trusting root certificate (you might be prompted for password)	{"path": "storage:pki/authorities/local/root.crt"}
2020/03/21 18:27:39.441	ERROR	pki	failed to install root certificate	{"error": "not NSS security databases found", "certificate_file": "storage:pki/authorities/local/root.crt"}
2020/03/21 18:27:39.443	INFO	tls	cleaned up storage units
2020/03/21 18:27:39.444	INFO	autosaved config	{"file": "/root/.config/caddy/autosave.json"}
2020/03/21 18:27:39.444	INFO	serving initial configuration
2020/03/21 18:27:48 http: TLS handshake error from 10.244.32.196:42474: no certificate available for 'wordpress01'

We’ve asked you multiple times to switch your backend to this:

:443
root * /var/www/
tls {
        on_demand
}
log {
        output file /var/log/caddy/domain.com.log
}
file_server

You’re also still not using the config I suggested!

Your responses are not being productive, because if you don’t make any changes that we recommend, we cannot make progress. Please go back and try what we have suggested first. We are volunteering our time on a weekend to help you. Please put in some effort to pay attention to what we are recommending to make this work.

localhost
root * /var/www/
tls internal
log {
        output file /var/log/caddy/domain.com.log
}
file_server

logs after a browser request:

root@wordpress01:~# caddy run --config /etc/caddy/Caddyfile
2020/03/21 18:49:31.428	INFO	using provided configuration	{"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""}
2020/03/21 18:49:31.430	INFO	admin	admin endpoint started	{"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
2020/03/21 18:49:31 [INFO][cache:0xc0004b7f40] Started certificate maintenance routine
2020/03/21 18:49:31.446	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
2020/03/21 18:49:31.523	WARN	pki.ca.local	trusting root certificate (you might be prompted for password)	{"path": "storage:pki/authorities/local/root.crt"}
2020/03/21 18:49:31 define JAVA_HOME environment variable to use the Java trust
2020/03/21 18:49:31.524	ERROR	pki	failed to install root certificate	{"error": "not NSS security databases found", "certificate_file": "storage:pki/authorities/local/root.crt"}
2020/03/21 18:49:31.526	INFO	tls	cleaned up storage units
2020/03/21 18:49:31.526	INFO	http	enabling automatic TLS certificate management	{"domains": ["localhost"]}
2020/03/21 18:49:31 [WARNING] Stapling OCSP: no OCSP stapling for [localhost]: no OCSP server specified in certificate
2020/03/21 18:49:31.529	INFO	autosaved config	{"file": "/root/.config/caddy/autosave.json"}
2020/03/21 18:49:31.529	INFO	serving initial configuration
2020/03/21 18:49:31 [INFO][localhost] Renew certificate; acquiring lock...
2020/03/21 18:49:31 [INFO][localhost] Renew: Lock acquired; proceeding...
2020/03/21 18:49:31 [INFO][localhost] Renew: -11h12m26.531791496s remaining
2020/03/21 18:49:31 [INFO][localhost] Certificate renewed successfully
2020/03/21 18:49:31 [INFO][localhost] Renew: Releasing lock
2020/03/21 18:49:31 [INFO] Reloading managed certificate for [localhost]
2020/03/21 18:49:31 [WARNING] Stapling OCSP: no OCSP stapling for [localhost]: no OCSP server specified in certificate
2020/03/21 18:49:31 [INFO] Replaced certificate in cache for [localhost] (new expiration date: 2020-03-22 06:49:31)
2020/03/21 18:49:44 http: TLS handshake error from 10.244.32.196:42510: no certificate available for 'wordpress01'

with:

localhost
root * /var/www/
tls internal {
        on_demand
}
log {
        output file /var/log/caddy/domain.com.log
}
file_server

logs, after a browser request:

root@wordpress01:~# caddy run --config /etc/caddy/Caddyfile
2020/03/21 18:52:05.286	INFO	using provided configuration	{"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""}
2020/03/21 18:52:05.289	INFO	admin	admin endpoint started	{"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
2020/03/21 18:52:05 [INFO][cache:0xc000632870] Started certificate maintenance routine
2020/03/21 18:52:05.303	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
2020/03/21 18:52:05.376	WARN	pki.ca.local	trusting root certificate (you might be prompted for password)	{"path": "storage:pki/authorities/local/root.crt"}
2020/03/21 18:52:05.376	ERROR	pki	failed to install root certificate	{"error": "not NSS security databases found", "certificate_file": "storage:pki/authorities/local/root.crt"}
2020/03/21 18:52:05.379	INFO	tls	cleaned up storage units
2020/03/21 18:52:05.379	INFO	http	enabling automatic TLS certificate management	{"domains": ["localhost"]}
2020/03/21 18:52:05.379	INFO	autosaved config	{"file": "/root/.config/caddy/autosave.json"}
2020/03/21 18:52:05.379	INFO	serving initial configuration
2020/03/21 18:52:10 http: TLS handshake error from 10.244.32.196:42512: no certificate available for 'wordpress01'

I really don’t understand what we have to tell you to make you understand what we’re asking, we literally gave you the exact config you need to try but you keep using the wrong config.

This message is because your backend is only listening for connections to the localhost hostname, and only has certificates for localhost.

You need to change your site label to :443 instead of localhost (the first line in your backend Caddyfile) so that the backend will accept connections to any hostname. Then, the on_demand tls option will tell Caddy to generate a certificate for whatever hostname is requested.

This is getting very frustrating for us. It’s making us feel like we’re wasting our time. Please just use this config in your backend:

:443
root * /var/www/
tls internal {
        on_demand
}
log {
        output file /var/log/caddy/domain.com.log
}
file_server

It might also be helpful to try the latest artifacts for bug fixes.

@francislavoie Don’t forget internal. (Unless I’m missing something, but he’ll probably need that if he’s not using localhost.)


Oh geez, you’re right, my bad. Edited. I was copy-pasting his config and just changing localhost to :443


I pasted Francis's config suggestion and built the latest devel version of Caddy.

backend’s log:

root@wordpress01:~# caddy run --config /etc/caddy/Caddyfile
2020/03/21 19:23:18.955	INFO	using provided configuration	{"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""}
2020/03/21 19:23:18.961	INFO	admin	admin endpoint started	{"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
2020/03/21 19:23:18 [INFO][cache:0xc0007dc5a0] Started certificate maintenance routine
2020/03/21 19:23:19.060	WARN	pki.ca.local	trusting root certificate (you might be prompted for password)	{"path": "storage:pki/authorities/local/root.crt"}
2020/03/21 19:23:19.060	ERROR	pki	failed to install root certificate	{"error": "not NSS security databases found", "certificate_file": "storage:pki/authorities/local/root.crt"}
2020/03/21 19:23:19.062	INFO	tls	cleaned up storage units
2020/03/21 19:23:19.063	INFO	autosaved config	{"file": "/root/.config/caddy/autosave.json"}
2020/03/21 19:23:19.063	INFO	serving initial configuration
2020/03/21 19:23:26 [WARNING] Stapling OCSP: no OCSP stapling for [wordpress01]: no OCSP server specified in certificate
2020/03/21 19:23:26 http: TLS handshake error from 10.244.32.196:42548: remote error: tls: bad certificate

frontend’s log:

root@haproxy01:~# caddy run --config /etc/caddy/Caddyfile
2020/03/21 19:23:21.790	INFO	using provided configuration	{"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""}
2020/03/21 19:23:21.793	INFO	admin	admin endpoint started	{"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
2020/03/21 19:23:21 [INFO][cache:0xc00055ddb0] Started certificate maintenance routine
2020/03/21 19:23:21.793	INFO	http	server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS	{"server_name": "srv0", "https_port": 443}
2020/03/21 19:23:21.793	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
2020/03/21 19:23:21.795	INFO	tls	cleaned up storage units
2020/03/21 19:23:21.795	INFO	http	enabling automatic TLS certificate management	{"domains": ["domain.com"]}
2020/03/21 19:23:21.808	INFO	autosaved config	{"file": "/root/.config/caddy/autosave.json"}
2020/03/21 19:23:21.808	INFO	serving initial configuration
2020/03/21 19:23:26.197	ERROR	http.log.error.log0	x509: certificate signed by unknown authority	{"request": {"method": "GET", "uri": "/", "proto": "HTTP/2.0", "remote_addr": "127.0.0.1:54024", "host": "domain.com", "headers": {"Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"], "Accept-Language": ["fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3"], "Accept-Encoding": ["gzip, deflate, br"], "Dnt": ["1"], "Upgrade-Insecure-Requests": ["1"], "Cache-Control": ["max-age=0"], "Te": ["trailers"], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "domain.com"}}, "status": 502, "err_id": "8n25s07z1", "err_trace": "reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:363)"}
2020/03/21 19:23:26.197	ERROR	http.log.access.log0	handled request	{"request": {"method": "GET", "uri": "/", "proto": "HTTP/2.0", "remote_addr": "127.0.0.1:54024", "host": "domain.com", "headers": {"Accept-Encoding": ["gzip, deflate, br"], "Dnt": ["1"], "Upgrade-Insecure-Requests": ["1"], "Cache-Control": ["max-age=0"], "Te": ["trailers"], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"], "Accept-Language": ["fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "domain.com"}}, "common_log": "127.0.0.1 - - [21/Mar/2020:19:23:26 +0000] \"GET / HTTP/2.0\" 502 0", "latency": 0.072733097, "size": 0, "status": 502, "resp_headers": {"Server": ["Caddy"]}}

Okay great! Now we’re finally back to this:

You’ll need to set tls_trusted_ca_certs on your frontend to the root certificate from your backend, like this:

    reverse_proxy wordpress01:443 {
        transport http {
            tls_trusted_ca_certs /etc/ssl/caddy/ca/cert.pem
        }
    }

You’ll find the root certificate in your backend in the Caddy storage directory, pki/authorities/local/root.crt. Copy that to your frontend and set the tls_trusted_ca_certs path to that file.

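The three backend states this thread went through, replayed as a TLS handshake over loopback in Go: site label localhost (the backend only has a certificate for localhost), :443 with tls internal { on_demand } but no trusted root on the frontend, and the same with the backend's root.crt trusted. This is an added example, not code from the thread or from Caddy; it uses Go's crypto/tls and crypto/x509 directly, a throwaway CA minted in the program stands in for Caddy's local issuer, and "wordpress01", "localhost" and "backend local CA" are names chosen for the illustration. The error strings it produces are the ones the two containers logged: no certificate available for 'wordpress01' on the backend with remote error: tls: internal error on the frontend, then remote error: tls: bad certificate on the backend with x509: certificate signed by unknown authority on the frontend, then a clean handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue mints a certificate for cn/dnsNames signed by parent, or a self-signed root when
// parent is nil. It plays the part of Caddy's "tls internal" issuer; each instance has its own root.
func issue(cn string, dnsNames []string, parent *tls.Certificate) *tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dnsNames,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(12 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, interface{}(key) // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	leaf, _ := x509.ParseCertificate(der) // der came from CreateCertificate, so it parses
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

type outcome struct{ frontend, backend error } // what each side would log; nil = success

// handshake runs one TLS handshake over loopback TCP. The backend picks its certificate from the
// SNI it receives (as Caddy does per site label); the frontend sends SNI "wordpress01" and verifies
// the chain against roots, which stands in for tls_trusted_ca_certs.
func handshake(pick func(sni string) (*tls.Certificate, error), roots *x509.CertPool) outcome {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		must(err)
		defer conn.Close()
		srv := &tls.Config{SessionTicketsDisabled: true, GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) { return pick(h.ServerName) }}
		done <- tls.Server(conn, srv).Handshake()
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	must(err)
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	cerr := tls.Client(raw, &tls.Config{ServerName: "wordpress01", RootCAs: roots}).Handshake()
	raw.Close()
	return outcome{cerr, <-done}
}

// run replays the three backend/frontend states reached in the thread.
func run() map[string]outcome {
	root := issue("backend local CA", nil, nil)
	lh := issue("localhost", []string{"localhost"}, root)
	// Site label "localhost": the backend only ever holds a certificate for localhost.
	localhostOnly := func(sni string) (*tls.Certificate, error) {
		if sni == "localhost" {
			return lh, nil
		}
		return nil, fmt.Errorf("no certificate available for '%s'", sni)
	}
	// Site label ":443" with "tls internal { on_demand }": issue for whatever name is requested.
	onDemand := func(sni string) (*tls.Certificate, error) { return issue(sni, []string{sni}, root), nil }
	trusted := x509.NewCertPool()
	trusted.AddCert(root.Leaf) // the backend's root.crt, copied to the frontend
	return map[string]outcome{
		"site label localhost":                                 handshake(localhostOnly, trusted),
		":443 + on_demand, no tls_trusted_ca_certs on frontend": handshake(onDemand, x509.NewCertPool()),
		":443 + on_demand, frontend trusts backend root.crt":    handshake(onDemand, trusted),
	}
}

func main() {
	for name, o := range run() {
		fmt.Printf("%s\n  frontend: %v\n  backend:  %v\n", name, o.frontend, o.backend)
	}
}
```

The practical point for the frontend Caddyfile: tls_trusted_ca_certs must name the backend's root, not the frontend's own local CA, because every Caddy instance mints a distinct root.crt; that is why the file has to be copied from the wordpress01 container into the haproxy01 container rather than referenced by its path on the other side. The on-demand branch also shows why the Let's Encrypt attempt earlier in the thread could never work: a single-label name such as wordpress01 can only be issued by a private CA.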

The frontend and backend are not on the same "host"; they are in separate containers.

So when I copy the root.crt path of the backend, the frontend says no such file or directory.

Understood, you’ll need to copy the file to the other container.