Lxc with certbot behind caddy

1. Caddy version (caddy version):

2. How I run Caddy:

a. System environment:

proxmox

b. Command:

systemctl start caddy

c. Service/unit/compose file:

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddyfile or JSON config:

hvgh.de {
	reverse_proxy bbb
}

3. The problem I’m having:

I run caddy on the proxmox host. On this host I have an lxc container (hostname bbb) with ubuntu_18.04 on which I try to install bigbluebutton. When the bbb install tries to use certbot for a certificate, I get the following error:

4. Error messages and/or full log output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for hvgh.de
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. hvgh.de (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://hvgh.de/.well-known/acme-challenge/llWQ4CgibS8GnNWDplcq5gJDAEt23U_6b2O59rFFCbM: Redirect loop detected

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: hvgh.de
   Type:   connection
   Detail: Fetching
   https://hvgh.de/.well-known/acme-challenge/llWQ4CgibS8GnNWDplcq5gJDAEt23U_6b2O59rFFCbM:
   Redirect loop detected

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

5. What I already tried:

6. Links to relevant resources:

Why are you using certbot if you’re using Caddy?

Caddy’s headlining feature is Automatic HTTPS, which includes fetching certificates from ACME issuers automatically. What’s happening here is Caddy is intercepting /.well-known/acme-challenge requests because that’s how Caddy can solve ACME challenges.

You don’t need to run certbot, since Caddy will secure the connection to the client. Just proxy to your upstream service over HTTP.
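As an added diagnostic (not code from this thread, from Caddy or from BigBlueButton): a probe that walks the http-01 challenge URL one redirect at a time, the way an ACME validator does, and reports a loop instead of hanging, together with a constructed local stub whose challenge path redirects to itself to reproduce the "Redirect loop detected" failure quoted above. The token in CHALLENGE_PATH is a made-up value.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlparse

CHALLENGE_PATH = "/.well-known/acme-challenge/test-token"  # constructed token

def probe_redirects(url, max_hops=10):
    """Follow redirects one hop at a time, as an ACME validator does.
    Returns (status, hops); status is 'ok', 'loop', 'too_many' or 'http_<code>'."""
    seen = []
    while True:
        if url in seen:
            return "loop", seen
        if len(seen) >= max_hops:
            return "too_many", seen
        seen.append(url)
        p = urlparse(url)
        https = p.scheme == "https"
        cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
        conn = cls(p.hostname, p.port or (443 if https else 80), timeout=5)
        conn.request("GET", p.path or "/", headers={"User-Agent": "acme-path-probe"})
        resp = conn.getresponse()
        location = resp.getheader("Location")
        conn.close()
        if resp.status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)  # Location may be relative
            continue
        return ("ok" if resp.status == 200 else f"http_{resp.status}"), seen

class LoopHandler(BaseHTTPRequestHandler):
    """Constructed stub reproducing the post's failure: the challenge path
    redirects to itself; every other path answers 200."""
    def do_GET(self):
        if self.path.startswith("/.well-known/acme-challenge/"):
            self.send_response(302)
            self.send_header("Location", self.path)
            self.end_headers()
        else:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"ok")

    def log_message(self, *args):  # keep request logging quiet
        pass

def start_stub():
    server = HTTPServer(("127.0.0.1", 0), LoopHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server
```

Calling start_stub() and probing http://127.0.0.1:<port>/.well-known/acme-challenge/test-token returns ('loop', [...]); pointing probe_redirects at your own site's challenge path before running an ACME client shows whether the proxy chain answers it directly or bounces it between hosts.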

Yes, I know I don’t need certbot in this case. Problem is that the bbb configuration script simply does this.

You’ll need to find a way to turn that off. This isn’t really an issue with Caddy, but with that software.
