Multiple domain/URL listings for the same IP/port

1. The problem I’m having:

I’m trying to point two different domains to the same server/service:

Caddyfile part:

#Calibre comics server
comics.byrd.id.au {
	reverse_proxy 192.168.20.2:8084
}
comics.byrd.au {
	reverse_proxy 192.168.20.2:8084
}

I recently shifted DNS to Cloudflare for the byrd.au domains. All my existing subdomains for byrd.au are working fine.

The original domain (comics.byrd.id.au) still works fine (and has been working fine for some time). This domain is not behind Cloudflare (yet).

2. Error messages and/or full log output:

Trying to access comics.byrd.au I get an “SSL Handshake failed - Error code 525” (via Cloudflare).

Caddy error:

Mar 28 16:46:06 aerie-server caddy[2231]: {"level":"error","ts":1711608366.212431,"logger":"http.acme_client","msg":"challenge failed","identifier":"comics.byrd.au","challenge_type":"tls-alpn-01","problem":{"ty>
Mar 28 16:46:06 aerie-server caddy[2231]: {"level":"error","ts":1711608366.2125094,"logger":"http.acme_client","msg":"validating authorization","identifier":"comics.byrd.au","problem":{"type":"urn:ietf:params:a>
Mar 28 16:46:07 aerie-server caddy[2231]: {"level":"info","ts":1711608367.7519946,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"comics.byrd.au","challenge_type":"http-01","ca":"htt>
Mar 28 16:46:39 aerie-server caddy[2231]: {"level":"error","ts":1711608399.3129358,"logger":"http.acme_client","msg":"challenge failed","identifier":"comics.byrd.au","challenge_type":"http-01","problem":{"type">
Mar 28 16:46:39 aerie-server caddy[2231]: {"level":"error","ts":1711608399.3130224,"logger":"http.acme_client","msg":"validating authorization","identifier":"comics.byrd.au","problem":{"type":"urn:ietf:params:a>
Mar 28 16:46:39 aerie-server caddy[2231]: {"level":"error","ts":1711608399.3130732,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"comics.byrd.au","issuer":"acme-v02.api.letsen>
Mar 28 16:46:39 aerie-server caddy[2231]: {"level":"info","ts":1711608399.3141387,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["comics.byrd.au"],"ca":"https://acme.zerossl.com/v2/DV90>
Mar 28 16:46:39 aerie-server caddy[2231]: {"level":"info","ts":1711608399.31418,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["comics.byrd.au"],"ca":"https://acme.zerossl.com/v2/D>
Mar 28 16:46:41 aerie-server caddy[2231]: {"level":"info","ts":1711608401.682929,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"comics.byrd.au","challenge_type":"http-01","ca":"http>
Mar 28 16:50:10 aerie-server systemd[1]: /etc/systemd/system/caddy.service:1: Assignment outside of section. Ignoring.

3. Caddy version:

v2.7.6

4. How I installed and ran Caddy:

a. System environment:

Ubuntu MATE 22.04.04 LTS
x64
systemd

b. Command:

systemctl start caddy

(runs automatically)

c. Service/unit/compose file:

caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddy config:

# Set this path to your site's directory.
#root * /usr/share/caddy

# Enable the static file server.
#file_server

#Reverse proxys:

#Calibre book server
books.byrd.id.au {
	reverse_proxy 192.168.20.2:8083
}

#Calibre comics server
comics.byrd.id.au {
	reverse_proxy 192.168.20.2:8084
}
comics.byrd.au {
	reverse_proxy 192.168.20.2:8084
}

#Photoprism
photoprism.byrd.id.au {
	reverse_proxy 192.168.20.2:2342
}

#Ghost blog
migratory.byrd.au {
	reverse_proxy 192.168.20.2:2368
}

#Whoogle
whoogle.byrd.au {
	reverse_proxy 192.168.20.2:5001
}

#Stirling PDF
pdf.byrd.au {
	reverse_proxy 192.168.20.2:8070
}

#Memos notes
memos.byrd.au {
	reverse_proxy 192.168.20.2:5230
}

Your logs are truncated, so we can’t see the full message (notice the > at the end of lines).

Please read the docs for how to see your full logs: Keep Caddy Running — Caddy Documentation

Clearly there’s some kind of issue with issuing certificates, but it’s unclear without the full logs.

You probably need to turn off Cloudflare proxying, use DNS-only mode instead.

Thanks @francislavoie, good catch… below are the full lines of the error for the relevant domain:

Mar 29 16:47:50 aerie-server caddy[2231]: {"level":"info","ts":1711694870.0355449,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"comics.byrd.au","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
Mar 29 16:48:22 aerie-server caddy[2231]: {"level":"error","ts":1711694902.400218,"logger":"http.acme_client","msg":"challenge failed","identifier":"comics.byrd.au","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"2606:4700:3033::6815:34a5: Invalid response from http://comics.byrd.au/.well-known/acme-challe>
Mar 29 16:48:22 aerie-server caddy[2231]: {"level":"error","ts":1711694902.400244,"logger":"http.acme_client","msg":"validating authorization","identifier":"comics.byrd.au","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"2606:4700:3033::6815:34a5: Invalid response from http://comics.byrd.au/.well-known/acme-challenge/Fq0F5o-JSUY8mrZ>
Mar 29 16:48:22 aerie-server caddy[2231]: {"level":"error","ts":1711694902.400269,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"comics.byrd.au","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:unauthorized - 2606:4700:3033::6815:34a5: Invalid response from http://comics.byrd.au/.well->
Mar 29 16:48:24 aerie-server caddy[2231]: {"level":"info","ts":1711694904.7617326,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"comics.byrd.au","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}

I don’t think this is an issue with Cloudflare proxying, as all of my other byrd.au subdomains are working fine.

I did wonder if it was some kind of conflict between comics.byrd.id.au and comics.byrd.au in the Caddyfile both pointing to the same internal IP and port (i.e. same service), as I’m not sure if this is supported.

Your logs are still truncated. Please use the command at the link I gave above to see the full logs.

Are you certain your DNS is correct for those domains? Are you sure there’s no other proxy enabled? “Invalid response” sounds like something other than Caddy intercepted the request and wrote a bad response. That’s why I think you should check your CloudFlare config and make sure it’s set to DNS only mode.
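The check suggested in the reply above, as an added example that is not part of this thread (it is neither Caddy's nor the poster's code): a Python script that strips the journalctl prefix from Caddy's JSON log lines, counts lines journalctl has cut off (the trailing `>`), and for each failed ACME challenge extracts the address the CA's validator says it connected to, comparing it against a list of the addresses that genuinely reach Caddy. The sample log lines are constructed from the thread's truncated output, and the origin addresses are placeholders.

```python
import json
import re
from ipaddress import ip_address, ip_network

JOURNAL_PREFIX = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ caddy\[\d+\]: ")  # journalctl prefix
DETAIL_ADDR = re.compile(r"^([0-9a-fA-F:.]+): ")  # address the CA says it connected to

def parse_line(line):
    """Return the JSON record, or None if journalctl cut the line (trailing '>')."""
    body = JOURNAL_PREFIX.sub("", line.strip())
    if body.endswith(">"):
        return None
    try:
        return json.loads(body)
    except json.JSONDecodeError:
        return None

def acme_failures(lines, origin_nets):
    """Summarise 'challenge failed' records; flag when the CA's validator reached an
    address outside origin_nets (i.e. something in front of Caddy answered instead)."""
    nets = [ip_network(n) for n in origin_nets]
    failures, truncated = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            truncated += 1
            continue
        if rec.get("logger") != "http.acme_client" or rec.get("msg") != "challenge failed":
            continue
        problem = rec.get("problem", {})
        m = DETAIL_ADDR.match(problem.get("detail", ""))
        reached = m.group(1) if m else None
        failures.append({
            "identifier": rec.get("identifier"),
            "challenge": rec.get("challenge_type"),
            "error": problem.get("type", "").rsplit(":", 1)[-1],
            "validator_reached": reached,
            "reached_origin": None if reached is None else any(ip_address(reached) in n for n in nets),
        })
    return failures, truncated

# Constructed sample, modelled on the thread's journalctl output (the originals are cut off).
SAMPLE = [
    'Mar 29 16:48:22 aerie-server caddy[2231]: {"level":"error","ts":1711694902.4,'
    '"logger":"http.acme_client","msg":"challenge failed","identifier":"comics.byrd.au",'
    '"challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized",'
    '"title":"","detail":"2606:4700:3033::6815:34a5: Invalid response from '
    'http://comics.byrd.au/.well-known/acme-challenge/TOKEN: 403"}}',
    'Mar 28 16:46:39 aerie-server caddy[2231]: {"level":"error","ts":1711608399.3,'
    '"logger":"http.acme_client","msg":"challenge failed","identifier":"comics.byrd.au","problem":{"ty>',
]
ORIGIN_NETS = ["203.0.113.10/32", "2001:db8::10/128"]  # placeholders: addresses that really reach Caddy
```

A non-zero truncated count means the log was read with a default `journalctl` width and needs re-fetching before it can be interpreted; `reached_origin` being False means the validation request was answered by something other than Caddy.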

Arg… Sorry about that. That’s what I get for doing things in a hurry. Will try again when I get home.

I did try turning off the CloudFlare proxy, but as I suspected, it made no difference.

Finally got my full logs… but those errors are no longer there… so perhaps it was just a delay-based issue with Cloudflare?

Anyway… all seems to be working fine now.
