1. Caddy version (caddy version
):
v2.2.1 h1:Q62GWHMtztnvyRU+KPOpw6fNfeCD3SkwH7SfT1Tgt2c=
2. How I run Caddy:
a. System environment:
Ubuntu LTS 20.04.1
systemd 245.4-4ubuntu3.2
Docker 19.03.8
Using go:1.14-alpine to build Caddy through xcaddy
b. Command:
caddy run --config /etc/caddy/Caddyfile --adapter caddyfile --resume
c. Service/unit/compose file:
Dockerfile
FROM golang:1.14-alpine
RUN apk add --no-cache --virtual .build-deps gcc git musl-dev && \
go get -u github.com/caddyserver/xcaddy/cmd/xcaddy && \
xcaddy build --with github.com/caddy-dns/cloudflare --output /caddy && \
apk del .build-deps
FROM caddy
RUN apk add --no-cache nss-tools
COPY --from=0 /caddy /usr/bin
CMD ["caddy", "run", "--config", "/etc/caddy/Caddyfile", "--adapter", "caddyfile", "--resume"]
docker-compose.yml
version: "3.6"
services:
backend:
build: ../backend
networks:
- proxy
ports:
- "1234:1234"
proxy:
build: ./caddy
networks:
- proxy
ports:
- "80:80"
- "443:443"
volumes:
- ./caddy:/etc/caddy:ro
- proxy-data:/data
networks:
proxy:
volumes:
proxy-data:
d. My complete Caddyfile or JSON config:
{
debug
local_certs
on_demand_tls {
ask http://backend:1234/check_domain
}
}
www.example.com {
redir https://example.com{uri} permanent
}
example.com {
log {
output file /var/log/app.log
format logfmt
}
handle /api/* {
uri strip_prefix /api
reverse_proxy http://backend:1234
}
handle {
root * /app
try_files {path} /index.html
file_server
}
encode zstd gzip
}
:443 {
log {
output file /var/log/custom.log
format logfmt
}
root * /custom
try_files {path} /index.html
file_server
encode zstd gzip
}
3. The problem I’m having:
This is supposed to be host two servers, one of them under example.com
and the other under custom domains set up by users of the first. I’m trying to use on-demand TLS in the second, and any domain pointing to this server should fall in the :443
block. However, it is not possible, outputs that no certificate is available but never requests one.
4. Error messages and/or full log output:
proxy_1 | {"level":"info","ts":1604078135.4672227,"msg":"no autosave file exists","autosave_file":"/config/caddy/autosave.json"}
proxy_1 | {"level":"info","ts":1604078135.4714518,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
proxy_1 | {"level":"info","ts":1604078135.487003,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
proxy_1 | {"level":"warn","ts":1604078135.48726,"logger":"caddy.logging.encoders.logfmt","msg":"the logfmt encoder is DEPRECATED and will soon be removed from the standard modules","recommendation":"switch to a log format that isn't broken","more_info":"https://github.com/caddyserver/caddy/issues/3575"}
proxy_1 | {"level":"warn","ts":1604078135.4873042,"logger":"caddy.logging.encoders.logfmt","msg":"the logfmt encoder is DEPRECATED and will soon be removed from the standard modules","recommendation":"switch to a log format that isn't broken","more_info":"https://github.com/caddyserver/caddy/issues/3575"}
proxy_1 | {"level":"info","ts":1604078135.48764,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0002e4230"}
proxy_1 | {"level":"info","ts":1604078135.5105627,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
proxy_1 | {"level":"info","ts":1604078135.5106187,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
proxy_1 | {"level":"warn","ts":1604078135.7291086,"logger":"pki.ca.local","msg":"installing root certificate (you might be prompted for password)","path":"storage:pki/authorities/local/root.crt"}
proxy_1 | 2020/10/30 17:15:35 not NSS security databases found
proxy_1 | 2020/10/30 17:15:35 define JAVA_HOME environment variable to use the Java trust
proxy_1 | 2020/10/30 17:15:35 certificate installed properly in linux trusts
proxy_1 | {"level":"debug","ts":1604078135.821572,"logger":"http","msg":"starting server loop","address":"[::]:80","http3":false,"tls":false}
proxy_1 | {"level":"debug","ts":1604078135.8244698,"logger":"http","msg":"starting server loop","address":"[::]:443","http3":false,"tls":true}
proxy_1 | {"level":"info","ts":1604078135.8288057,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["www.example.com","example.com"]}
proxy_1 | {"level":"warn","ts":1604078135.8332183,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [www.example.com]: no OCSP server specified in certificate"}
proxy_1 | {"level":"info","ts":1604078135.8352067,"logger":"tls","msg":"cleaned up storage units"}
proxy_1 | {"level":"warn","ts":1604078135.8375397,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [example.com]: no OCSP server specified in certificate"}
proxy_1 | {"level":"info","ts":1604078135.837763,"msg":"autosaved config","file":"/config/caddy/autosave.json"}
proxy_1 | {"level":"info","ts":1604078135.8378644,"msg":"serving initial configuration"}
proxy_1 | {"level":"debug","ts":1604078141.3996532,"logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.96.1:33040: no certificate available for 'test.example.com'"}
proxy_1 | {"level":"debug","ts":1604078143.0091722,"logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.96.1:33044: no certificate available for 'test.example.com'"}
5. What I already tried:
- Reading the entire documentation
- Reading every topic that matches “dynamic domain”.
- Using
*
as server name - Moving dynamic server config to the root of the Caddyfile
- Completely removing all containers, volumes and related resources and starting from scratch.