No certificate available on public address but works with local address

1. Output of caddy version:

I don't know how to print the Caddy version because it is running in a container.

2. How I run Caddy:

I am running Caddy inside a container, started with docker compose up -d, following the API Platform distribution.

a. System environment:

I'm running API Platform on a server with public access on the domain www.electricityupcfib.es.
The server is reachable, requests do connect and the domain also works.

To access the server I need to be inside a network which I access with a VPN.

b. Command:

docker compose up -d

c. Service/unit/compose file:

version: "3.4"

services:
  php:
    build:
      context: ./api
      target: app_php
    depends_on:
      - database
    restart: unless-stopped
    volumes:
      - php_socket:/var/run/php
    healthcheck:
      interval: 10s
      timeout: 3s
      retries: 3
      start_period: 30s
    environment:
      DATABASE_URL: postgresql://${POSTGRES_USER:-app}:${POSTGRES_PASSWORD:-!ChangeMe!}@database:5432/${POSTGRES_DB:-app}?serverVersion=${POSTGRES_VERSION:-14}
      TRUSTED_PROXIES: ${TRUSTED_PROXIES:-127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16}
      TRUSTED_HOSTS: ^${SERVER_NAME:-example\.com|localhost}|caddy$$
      MERCURE_URL: ${CADDY_MERCURE_URL:-http://caddy/.well-known/mercure}
      MERCURE_PUBLIC_URL: https://${SERVER_NAME:-localhost}/.well-known/mercure
      MERCURE_JWT_SECRET: ${CADDY_MERCURE_JWT_SECRET:-!ChangeThisMercureHubJWTSecretKey!}

  pwa:
    build:
      context: ./pwa
      target: prod
    environment:
      NEXT_PUBLIC_ENTRYPOINT: http://caddy

  caddy:
    build:
      context: api/
      target: app_caddy
    depends_on:
      - php
      - pwa
    environment:
      PWA_UPSTREAM: pwa:3000
      SERVER_NAME: ${SERVER_NAME:-localhost}, caddy:80
      MERCURE_PUBLISHER_JWT_KEY: ${CADDY_MERCURE_JWT_SECRET:-!ChangeThisMercureHubJWTSecretKey!}
      MERCURE_SUBSCRIBER_JWT_KEY: ${CADDY_MERCURE_JWT_SECRET:-!ChangeThisMercureHubJWTSecretKey!}
    restart: unless-stopped
    volumes:
      - php_socket:/var/run/php
      - caddy_data:/data
      - caddy_config:/config
    ports:
      # HTTP
      - target: 80
        published: ${HTTP_PORT:-80}
        protocol: tcp
      # HTTPS
      - target: 443
        published: ${HTTPS_PORT:-443}
        protocol: tcp
      # HTTP/3
      - target: 443
        published: ${HTTP3_PORT:-443}
        protocol: udp

###> doctrine/doctrine-bundle ###
  database:
    image: postgres:${POSTGRES_VERSION:-14}-alpine
    environment:
      - POSTGRES_DB=${POSTGRES_DB:-app}
      # You should definitely change the password in production
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-!ChangeMe!}
      - POSTGRES_USER=${POSTGRES_USER:-app}
    volumes:
      - db_data:/var/lib/postgresql/data
      # you may use a bind-mounted host directory instead, so that it is harder to accidentally remove the volume and lose all your data!
      # - ./api/docker/db/data:/var/lib/postgresql/data
###< doctrine/doctrine-bundle ###

# Mercure is installed as a Caddy module, prevent the Flex recipe from installing another service
###> symfony/mercure-bundle ###
###< symfony/mercure-bundle ###

volumes:
  php_socket:
  caddy_data:
  caddy_config:
###> doctrine/doctrine-bundle ###
  db_data:
###< doctrine/doctrine-bundle ###
###> symfony/mercure-bundle ###
###< symfony/mercure-bundle ###

d. My complete Caddy config:

{
    # Debug
    {$DEBUG}
}

{$SERVER_NAME}

log

# Matches requests for HTML documents, for static files and for Next.js files,
# except for known API paths and paths with extensions handled by API Platform
@pwa expression `(
        header({'Accept': '*text/html*'})
        && !path(
            '/docs*', '/graphql*', '/bundles*', '/contexts*', '/_profiler*', '/_wdt*',
            '*.json*', '*.html', '*.csv', '*.yml', '*.yaml', '*.xml'
        )
    )
    || path('/favicon.ico', '/manifest.json', '/robots.txt', '/_next*', '/sitemap*')`

route {
    root * /srv/app/public
    mercure {
        # Transport to use (default to Bolt)
        transport_url {$MERCURE_TRANSPORT_URL:bolt:///data/mercure.db}
        # Publisher JWT key
        publisher_jwt {env.MERCURE_PUBLISHER_JWT_KEY} {env.MERCURE_PUBLISHER_JWT_ALG}
        # Subscriber JWT key
        subscriber_jwt {env.MERCURE_SUBSCRIBER_JWT_KEY} {env.MERCURE_SUBSCRIBER_JWT_ALG}
        # Allow anonymous subscribers (double-check that it's what you want)
        anonymous
        # Enable the subscription API (double-check that it's what you want)
        subscriptions
        # Extra directives
        {$MERCURE_EXTRA_DIRECTIVES}
    }
    vulcain

    # Add links to the API docs and to the Mercure Hub if not set explicitly (e.g. the PWA)
    header ?Link `</docs.jsonld>; rel="http://www.w3.org/ns/hydra/core#apiDocumentation", </.well-known/mercure>; rel="mercure"`
    # Disable Topics tracking if not enabled explicitly: https://github.com/jkarlin/topics
    header ?Permissions-Policy "browsing-topics=()"

    # Comment the following line if you don't want Next.js to catch requests for HTML documents.
    # In this case, they will be handled by the PHP app.
    reverse_proxy @pwa http://{$PWA_UPSTREAM}

    php_fastcgi unix//var/run/php/php-fpm.sock
    encode zstd gzip
    file_server
}

3. The problem I’m having:

When executing curl requests to my API (they go through Caddy) they end up with SSL errors. This is an example from Postman after requesting. What I execute:

FROM the SERVER itself, using different requests

request 1
curl "https://localhost"
#output: curl: (60) SSL certificate problem: unable to get local issuer certificate

request 2
curl "https://localhost" -vk
#output: works

request 3
curl "https://www.electricityupcfib.es" -vk
#output: curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

FROM A REMOTE CLIENT

request 4
curl "https://www.electricityupcfib.es" -vk
#output: curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error


4. Error messages and/or full log output:

Request 1
client response

client executes: 

curl "https://localhost"

client outputs:

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

server caddy logs:

{"level":"debug","ts":1668425018.5966942,"logger":"events","msg":"event","name":"tls_get_certificate","id":"4146cfb0-3c2c-4939-994e-1a02236e6455","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"ServerName":"localhost","SupportedCurves":[29,23,30,25,24],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,769,770,1026,1282,1538],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"Conn":{}}}}
{"level":"debug","ts":1668425018.5976794,"logger":"tls.handshake","msg":"choosing certificate","identifier":"localhost","num_choices":1}
{"level":"debug","ts":1668425018.5979774,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"localhost","subjects":["localhost"],"managed":true,"issuer_key":"local","hash":"9092d28f63bd288e00db0b9230c140bb18f1c6640cc3a7a2d7af7f1b4714edbe"}
{"level":"debug","ts":1668425018.5981896,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"172.24.0.1","remote_port":"57952","subjects":["localhost"],"managed":true,"expiration":1668447577,"hash":"9092d28f63bd288e00db0b9230c140bb18f1c6640cc3a7a2d7af7f1b4714edbe"}
{"level":"debug","ts":1668425018.6017683,"logger":"http.stdlib","msg":"http: TLS handshake error from 172.24.0.1:57952: local error: tls: bad record MAC"}

Request 2
client response

client executes:
curl 'https://localhost' -vk

client outputs:

*   Trying 127.0.0.1:443...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_CHACHA20_POLY1305_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: [NONE]
*  start date: Nov 14 05:39:36 2022 GMT
*  expire date: Nov 14 17:39:36 2022 GMT
*  issuer: CN=Caddy Local Authority - ECC Intermediate
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x561257e53350)
> GET / HTTP/2
> Host: localhost
> user-agent: curl/7.68.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 401 
< alt-svc: h3=":443"; ma=2592000
< cache-control: no-cache, private
< content-type: application/json
< date: Mon, 14 Nov 2022 11:28:54 GMT
< link: <https://localhost/docs.jsonld>; rel="http://www.w3.org/ns/hydra/core#apiDocumentation"
< permissions-policy: browsing-topics=()
< server: Caddy
< status: 401 Unauthorized
< x-debug-token: 730052
< x-debug-token-link: https://localhost/_profiler/730052
< x-robots-tag: noindex
< content-length: 35
< 
* Connection #0 to host localhost left intact
{"message":"No API token provided"}a

server caddy logs:

{"level":"debug","ts":1668425334.8059258,"logger":"events","msg":"event","name":"tls_get_certificate","id":"c2ec6da9-2f8f-40e8-a84e-5a1413a06458","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"ServerName":"localhost","SupportedCurves":[29,23,30,25,24],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,769,770,1026,1282,1538],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"Conn":{}}}}
{"level":"debug","ts":1668425334.8060942,"logger":"tls.handshake","msg":"choosing certificate","identifier":"localhost","num_choices":1}
{"level":"debug","ts":1668425334.806141,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"localhost","subjects":["localhost"],"managed":true,"issuer_key":"local","hash":"9092d28f63bd288e00db0b9230c140bb18f1c6640cc3a7a2d7af7f1b4714edbe"}
{"level":"debug","ts":1668425334.8061554,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"172.24.0.1","remote_port":"41132","subjects":["localhost"],"managed":true,"expiration":1668447577,"hash":"9092d28f63bd288e00db0b9230c140bb18f1c6640cc3a7a2d7af7f1b4714edbe"}
{"level":"debug","ts":1668425334.8166463,"logger":"http.handlers.rewrite","msg":"rewrote request","request":{"remote_ip":"172.24.0.1","remote_port":"41132","proto":"HTTP/2.0","method":"GET","host":"localhost","uri":"/","headers":{"User-Agent":["curl/7.68.0"],"Accept":["*/*"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"localhost"}},"method":"GET","uri":"/index.php"}
{"level":"debug","ts":1668425334.8170853,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"/var/run/php/php-fpm.sock","total_upstreams":1}
{"level":"debug","ts":1668425334.8177314,"logger":"http.reverse_proxy.transport.fastcgi","msg":"roundtrip","request":{"remote_ip":"172.24.0.1","remote_port":"41132","proto":"HTTP/2.0","method":"GET","host":"localhost","uri":"/index.php","headers":{"Accept":["*/*"],"X-Forwarded-For":["172.24.0.1"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["localhost"],"User-Agent":["curl/7.68.0"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"localhost"}},"env":{"SERVER_PROTOCOL":"HTTP/2.0","SCRIPT_NAME":"/index.php","QUERY_STRING":"","REQUEST_SCHEME":"https","SERVER_NAME":"localhost","SCRIPT_FILENAME":"/srv/app/public/index.php","SERVER_PORT":"443","HTTPS":"on","GATEWAY_INTERFACE":"CGI/1.1","PATH_INFO":"","HTTP_X_FORWARDED_PROTO":"https","SSL_PROTOCOL":"TLSv1.3","HTTP_ACCEPT":"*/*","REMOTE_IDENT":"","REMOTE_ADDR":"172.24.0.1","DOCUMENT_URI":"/index.php","HTTP_X_FORWARDED_FOR":"172.24.0.1","HTTP_USER_AGENT":"curl/7.68.0","AUTH_TYPE":"","REQUEST_METHOD":"GET","REQUEST_URI":"/","SERVER_SOFTWARE":"Caddy/v2.6.2","DOCUMENT_ROOT":"/srv/app/public","HTTP_HOST":"localhost","REMOTE_HOST":"172.24.0.1","REMOTE_USER":"","SSL_CIPHER":"TLS_CHACHA20_POLY1305_SHA256","HTTP_X_FORWARDED_HOST":"localhost","CONTENT_TYPE":"","REMOTE_PORT":"41132","CONTENT_LENGTH":""},"dial":"/var/run/php/php-fpm.sock","env":{"CONTENT_TYPE":"","REMOTE_PORT":"41132","SSL_CIPHER":"TLS_CHACHA20_POLY1305_SHA256","HTTP_X_FORWARDED_HOST":"localhost","CONTENT_LENGTH":"","SERVER_PROTOCOL":"HTTP/2.0","SCRIPT_NAME":"/index.php","GATEWAY_INTERFACE":"CGI/1.1","PATH_INFO":"","QUERY_STRING":"","REQUEST_SCHEME":"https","SERVER_NAME":"localhost","SCRIPT_FILENAME":"/srv/app/public/index.php","SERVER_PORT":"443","HTTPS":"on","HTTP_X_FORWARDED_PROTO":"https","REMOTE_IDENT":"","REMOTE_ADDR":"172.24.0.1","SSL_PROTOCOL":"TLSv1.3","HTTP_ACCEPT":"*/*","AUTH_TYPE":"","REQUEST_METHOD":"GET","DOCUMENT_URI":"/index.php","HTTP_X_FORWARDED_FOR":"172.24.0.1","HTTP_USER_AGENT":"curl/7.68.0","SERVER_SOFTWARE":"Caddy/v2.6.2","DOCUMENT_ROOT":"/srv/app/public","REQUEST_URI":"/","REMOTE_HOST":"172.24.0.1","REMOTE_USER":"","HTTP_HOST":"localhost"},"request":{"remote_ip":"172.24.0.1","remote_port":"41132","proto":"HTTP/2.0","method":"GET","host":"localhost","uri":"/index.php","headers":{"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["localhost"],"User-Agent":["curl/7.68.0"],"Accept":["*/*"],"X-Forwarded-For":["172.24.0.1"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"localhost"}}}
{"level":"debug","ts":1668425334.8815846,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"unix//var/run/php/php-fpm.sock","duration":0.064152163,"request":{"remote_ip":"172.24.0.1","remote_port":"41132","proto":"HTTP/2.0","method":"GET","host":"localhost","uri":"/index.php","headers":{"User-Agent":["curl/7.68.0"],"Accept":["*/*"],"X-Forwarded-For":["172.24.0.1"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["localhost"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"localhost"}},"headers":{"Content-Type":["application/json"],"X-Debug-Token":["730052"],"X-Debug-Token-Link":["https://localhost/_profiler/730052"],"Status":["401 Unauthorized"],"Cache-Control":["no-cache, private"],"Date":["Mon, 14 Nov 2022 11:28:54 GMT"],"Link":["<https://localhost/docs.jsonld>; rel=\"http://www.w3.org/ns/hydra/core#apiDocumentation\""],"X-Robots-Tag":["noindex"]},"status":401}
{"level":"error","ts":1668425334.8824522,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"172.24.0.1","remote_port":"41132","proto":"HTTP/2.0","method":"GET","host":"localhost","uri":"/","headers":{"User-Agent":["curl/7.68.0"],"Accept":["*/*"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"localhost"}},"user_id":"","duration":0.066674038,"size":35,"status":401,"resp_headers":{"Date":["Mon, 14 Nov 2022 11:28:54 GMT"],"Link":["<https://localhost/docs.jsonld>; rel=\"http://www.w3.org/ns/hydra/core#apiDocumentation\""],"X-Debug-Token-Link":["https://localhost/_profiler/730052"],"Permissions-Policy":["browsing-topics=()"],"Server":["Caddy"],"Status":["401 Unauthorized"],"Cache-Control":["no-cache, private"],"X-Debug-Token":["730052"],"Alt-Svc":["h3=\":443\"; ma=2592000"],"X-Robots-Tag":["noindex"],"Content-Type":["application/json"]}}

Request 3
client response

client executes:

curl 'https://www.electricityupcfib.es' -vk

client outputs:

*   Trying 10.4.41.43:443...
* TCP_NODELAY set
* Connected to www.electricityupcfib.es (10.4.41.43) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, internal error (592):
* error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
* Closing connection 0
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

server caddy logs:

{"level":"debug","ts":1668425680.2538621,"logger":"events","msg":"event","name":"tls_get_certificate","id":"f9bb6129-6aa5-4000-80d3-6213e958b8e6","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"ServerName":"www.electricityupcfib.es","SupportedCurves":[29,23,30,25,24],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,769,770,1026,1282,1538],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"Conn":{}}}}
{"level":"debug","ts":1668425680.253994,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"www.electricityupcfib.es"}
{"level":"debug","ts":1668425680.2540083,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.electricityupcfib.es"}
{"level":"debug","ts":1668425680.2540174,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.es"}
{"level":"debug","ts":1668425680.2540257,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*"}
{"level":"debug","ts":1668425680.254036,"logger":"tls.handshake","msg":"all external certificate managers yielded no certificates and no errors","remote_ip":"10.4.41.43","remote_port":"54304","sni":"www.electricityupcfib.es"}
{"level":"debug","ts":1668425680.254047,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"10.4.41.43","remote_port":"54304","server_name":"www.electricityupcfib.es","remote":"10.4.41.43:54304","identifier":"www.electricityupcfib.es","cipher_suites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"cert_cache_fill":0.0001,"load_if_necessary":true,"obtain_if_necessary":true,"on_demand":false}
{"level":"debug","ts":1668425680.2541656,"logger":"http.stdlib","msg":"http: TLS handshake error from 10.4.41.43:54304: no certificate available for 'www.electricityupcfib.es'"}

Request 4
client response

client executes:

curl -vk "https://www.electricityupcfib.es"

client outputs:

*   Trying 10.4.41.43:443...
* TCP_NODELAY set
* Connected to www.electricityupcfib.es (10.4.41.43) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, internal error (592):
* error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
* Closing connection 0
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

server caddy logs:

{"level":"debug","ts":1668425778.1251702,"logger":"events","msg":"event","name":"tls_get_certificate","id":"70bf31a6-d1c8-4b67-9e7c-6827fca6fc96","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"ServerName":"www.electricityupcfib.es","SupportedCurves":[29,23,30,25,24],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,769,770,1026,1282,1538],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"Conn":{}}}}
{"level":"debug","ts":1668425778.1263995,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"www.electricityupcfib.es"}
{"level":"debug","ts":1668425778.126621,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.electricityupcfib.es"}
{"level":"debug","ts":1668425778.1268315,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.es"}
{"level":"debug","ts":1668425778.1270013,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*"}
{"level":"debug","ts":1668425778.1272526,"logger":"tls.handshake","msg":"all external certificate managers yielded no certificates and no errors","remote_ip":"10.4.41.43","remote_port":"55598","sni":"www.electricityupcfib.es"}
{"level":"debug","ts":1668425778.1273553,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"10.4.41.43","remote_port":"55598","server_name":"www.electricityupcfib.es","remote":"10.4.41.43:55598","identifier":"www.electricityupcfib.es","cipher_suites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"cert_cache_fill":0.0001,"load_if_necessary":true,"obtain_if_necessary":true,"on_demand":false}
{"level":"debug","ts":1668425778.1281602,"logger":"http.stdlib","msg":"http: TLS handshake error from 10.4.41.43:55598: no certificate available for 'www.electricityupcfib.es'"}

5. What I already tried:

So far I have been searching for a solution to my problem, but I have only found articles related to my error (some even referring to the exact same error), like here:

6. Links to relevant resources:

https://caddy.community/t/why-does-caddy-work-on-localhost-and-internal-ip-but-not-public-ip/15260

https://caddy.community/t/local-ip-address-creates-ssl-error/11314/10

Hello, as I investigated more, I found out thanks to Let's Debug that I can't get certificates for my domain electricityupcfib.es.
I have tried hardcoding ${SERVER_NAME} to my domain (I've tested many of them).
nslookup works well.

Since the IP my domain points to is a private IP, I am wondering how I can make it so certificates are generated internally.

In my mad search I have built a Google Cloud VM instance (which is under a public address), pointed to by the domain google.electricityupcfib.es,
and basically built the project. Everything works flawlessly within localhost scope, but when it comes to outcoming requests it doesn't work.

I tried using Let's Debug on this new domain (link to test here)
and it says 308 permanent redirect.

I think I have already read all the posts regarding Caddy certificates.
Please keep in mind that I know almost nothing about Caddyfiles.

I'm wondering if anyone could just tell me how I can make Caddy work with this Caddyfile.
This is for a university project, so I literally care 0 about security. It doesn't matter if I just bypass SSL and go all HTTP. Please help.

Did you set this environment variable in your .env file?

By default, the site in your config will just be localhost, caddy:80.

When you use localhost, Caddy will use its own internal CA to sign certificates, but clients won’t know how to trust certs signed by that CA unless you install the root CA cert to your system/browser’s trust stores.

When you use the -k flag of curl, you’re ignoring certificate verification checks, so you get around the problem of certificate trust, so the request makes it through.

If you didn’t put your real domain in SERVER_NAME, then Caddy has no way to know that it was supposed to try to automate issuance for a certificate for your domain, so it won’t be able to solve TLS handshakes for that domain.

If your server isn’t publicly reachable, then the ACME HTTP and TLS-ALPN challenges will not work, since they rely on ACME issuers being able to connect to your server to prove that you have control of that domain.

You could use the ACME DNS challenge, but that’s more complicated – it involves building Caddy with a plugin to connect to your DNS provider’s API to set a TXT record to prove control of the domain.

You can modify your Dockerfile for Caddy to add more plugins (I think you’re already using Mercure for example).

Hello Francis!
Thank you very much for your answers!
Yes, I have set the env variable, but not in the .env, just by doing it in the console like VARIABLE=VALUE.

The problem with all this is that even for localhost I think it is not creating the certificate.
Anyway, do you know how I can find the certificate to import it into my Postman (considering it is in a Docker container)?

Anyway, I still don't understand why, when I tested this on a public IP (as explained in my reply to my post), it still doesn't work.

It definitely does. It’s just inside the container’s /data volume. Your logs will confirm that there does exist a certificate.

It’s in the /data volume of your Caddy container.

But do you really need HTTPS when testing locally? If not, just use http://localhost as your site address while testing, so that a certificate isn't required.

You’ll need to clarify. Not enough detail there. What do you mean by “doesn’t work”? That’s meaningless on its own.

Hello, thank you again for your time.

The problem here is that what I'm trying to do is actually deploy the API so that it is accessible to all the devices in that private network (it is a uni project).

I need to make it accessible from outside of localhost.

Regarding the server inside the private network,
it doesn't really matter to me if I use HTTPS or HTTP, so if you know how I can make this work without redirecting, please tell me.

I have already tried that by using the global option auto_https = disable_redirects or adding http:// before the domain name in the Caddyfile. It then made the service reachable with HTTP, but Caddy was returning a 200 status with a blank response.

About the public server, the error is similar to or the same as the one for the private one.
It complains about the A and AAAA records. I have tested the domain in Let's Debug and it says 308 permanent redirect (the link to it is in the reply).
The project (source code, docker-compose.yml, Caddyfile…) is the same as on the private server since I just cloned the repo.
I'm adding logs in a reply to this comment.

You can definitely use http:// as your site address (not http://localhost) in that case. This will make Caddy accept requests from all Host values on the request.

The site address acts as a Host header matcher and in the case of TLS, setup for automating certificates.

As I’ve said before though, you could set up the DNS challenge to get a publicly trusted certificate for your private network server. You need to use a real domain name which you can give a private IP for the A record.

Yeah, I need to see the logs. I can’t say with any kind of certainty what the issue is without clear evidence.
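The two site-address choices Francis describes, written out as an added Caddyfile example. This is my illustration, not the API Platform distribution's Caddyfile; the `<provider>` module name and the `DNS_API_TOKEN` variable are placeholders, and the handler directives are copied from the thread's own config so the block stays comparable with it.

```caddyfile
# Option A: the server on the private network, which no ACME issuer can reach.
# A bare "http://" site address matches every Host header (Francis's point above)
# and, because the scheme is http, Caddy neither manages a certificate nor
# installs the HTTP->HTTPS redirect that answered Let's Debug with a 308.
# Everything on the wire is cleartext, so only the private network sees it.
# With the thread's Caddyfile this is what SERVER_NAME=http:// expands to.
http:// {
    root * /srv/app/public
    php_fastcgi unix//var/run/php/php-fpm.sock
    encode zstd gzip
    file_server
}

# Option B: keep HTTPS with a publicly trusted certificate even though the A
# record points at a private IP, by using the ACME DNS challenge. This needs a
# Caddy binary built with a DNS provider module, e.g.
#   xcaddy build --with github.com/caddy-dns/<provider>
# where <provider> is the module for your DNS host (placeholder) and
# DNS_API_TOKEN is an assumed environment variable holding its API credential.
www.electricityupcfib.es {
    tls {
        dns <provider> {env.DNS_API_TOKEN}
    }
    root * /srv/app/public
    php_fastcgi unix//var/run/php/php-fpm.sock
    encode zstd gzip
    file_server
}
```

Only one of the two blocks would be used at a time. Option B is the one that keeps certificate verification working for every client on the private network without installing Caddy's local root CA on each of them, at the cost of handing the container a DNS API credential, which should be scoped to TXT records on that zone if the provider allows it.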

Hello again Francis,

Just for extra info. This is my IONOS domain provider dashboard with all the records.
Note that the public IP is google.electricityupcfib.es.

For the public server (google.electricityupcfib.es):

Logs after docker compose up -d in Caddy,
with the command
docker logs -f --tail 20 caddyd

root@instance-1:/home/backend-electricity# docker logs -f --tail 20 caddyd 
{"level":"warn","ts":1668695023.070286,"msg":"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
{"level":"info","ts":1668695023.0845332,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1668695023.0851068,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1668695023.0853355,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"warn","ts":1668695023.0855124,"logger":"http","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv1","http_port":80}
{"level":"info","ts":1668695023.0852344,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0004f6b60"}
{"level":"info","ts":1668695023.1465633,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"info","ts":1668695023.147215,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"warn","ts":1668695023.231063,"logger":"pki.ca.local","msg":"installing root certificate (you might be prompted for password)","path":"storage:pki/authorities/local/root.crt"}
{"level":"info","ts":1668695023.2376647,"msg":"Warning: \"certutil\" is not available, install \"certutil\" with \"apt install libnss3-tools\" or \"yum install nss-tools\" and try again"}
{"level":"info","ts":1668695023.2377017,"msg":"define JAVA_HOME environment variable to use the Java trust"}
{"level":"info","ts":1668695023.3842707,"msg":"certificate installed properly in linux trusts"}
{"level":"info","ts":1668695023.3845782,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"info","ts":1668695023.3847363,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details."}
{"level":"info","ts":1668695023.3848681,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"info","ts":1668695023.3849454,"logger":"http.log","msg":"server running","name":"srv1","protocols":["h1","h2","h3"]}
{"level":"info","ts":1668695023.3849542,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["localhost"]}
{"level":"warn","ts":1668695023.3855305,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [localhost]: no OCSP server specified in certificate","identifiers":["localhost"]}
{"level":"info","ts":1668695023.385803,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1668695023.3858314,"msg":"serving initial configuration"}

Then, executing the test with Let's Debug (link to test),

these logs appear:

{"level":"error","ts":1668695155.2172382,"logger":"http","msg":"looking up info for HTTP challenge","host":"google.electricityupcfib.es","error":"no information found to solve challenge for identifier: google.electricityupcfib.es"}
{"level":"error","ts":1668695155.2173703,"logger":"http","msg":"looking up info for HTTP challenge","host":"google.electricityupcfib.es","error":"no information found to solve challenge for identifier: google.electricityupcfib.es"}
{"level":"info","ts":1668695155.2174542,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"172.104.24.29","remote_port":"48538","proto":"HTTP/1.1","method":"GET","host":"google.electricityupcfib.es","uri":"/.well-known/acme-challenge/letsdebug-test","headers":{"User-Agent":["Mozilla/5.0 (compatible; Let's Debug emulating Let's Encrypt validation server; +https://letsdebug.net)"],"Accept":["*/*"],"Accept-Encoding":["gzip"],"Connection":["close"]}},"user_id":"","duration":0.003423217,"size":0,"status":308,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Location":["https://google.electricityupcfib.es/.well-known/acme-challenge/letsdebug-test"],"Content-Type":[]}}
{"level":"info","ts":1668695155.538932,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"172.104.24.29","remote_port":"48544","proto":"HTTP/1.1","method":"GET","host":"google.electricityupcfib.es","uri":"/","headers":{"Accept-Encoding":["gzip"],"Connection":["close"],"User-Agent":["Go-http-client/1.1"]}},"user_id":"","duration":0.00005549,"size":0,"status":308,"resp_headers":{"Content-Type":[],"Server":["Caddy"],"Connection":["close"],"Location":["https://google.electricityupcfib.es/"]}}
{"level":"error","ts":1668695155.8040242,"logger":"http","msg":"looking up info for HTTP challenge","host":"google.electricityupcfib.es","error":"no information found to solve challenge for identifier: google.electricityupcfib.es"}
{"level":"error","ts":1668695155.8041313,"logger":"http","msg":"looking up info for HTTP challenge","host":"google.electricityupcfib.es","error":"no information found to solve challenge for identifier: google.electricityupcfib.es"}
{"level":"info","ts":1668695155.8042057,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"3.137.155.130","remote_port":"48816","proto":"HTTP/1.1","method":"GET","host":"google.electricityupcfib.es","uri":"/.well-known/acme-challenge/wvCIUXt1-r41UUMx1T3Mm0MGY3Q6hgCEnxYwfznlv-g","headers":{"User-Agent":["Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"],"Accept":["*/*"],"Accept-Encoding":["gzip"],"Connection":["close"]}},"user_id":"","duration":0.000293668,"size":0,"status":308,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Location":["https://google.electricityupcfib.es/.well-known/acme-challenge/wvCIUXt1-r41UUMx1T3Mm0MGY3Q6hgCEnxYwfznlv-g"],"Content-Type":[]}}
{"level":"error","ts":1668695156.2060533,"logger":"http","msg":"looking up info for HTTP challenge","host":"google.electricityupcfib.es","error":"no information found to solve challenge for identifier: google.electricityupcfib.es"}
{"level":"error","ts":1668695156.2061408,"logger":"http","msg":"looking up info for HTTP challenge","host":"google.electricityupcfib.es","error":"no information found to solve challenge for identifier: google.electricityupcfib.es"}
{"level":"info","ts":1668695156.2062385,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"23.178.112.107","remote_port":"13350","proto":"HTTP/1.1","method":"GET","host":"google.electricityupcfib.es","uri":"/.well-known/acme-challenge/wvCIUXt1-r41UUMx1T3Mm0MGY3Q6hgCEnxYwfznlv-g","headers":{"Accept-Encoding":["gzip"],"Connection":["close"],"User-Agent":["Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"],"Accept":["*/*"]}},"user_id":"","duration":0.000248624,"size":0,"status":308,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Location":["https://google.electricityupcfib.es/.well-known/acme-challenge/wvCIUXt1-r41UUMx1T3Mm0MGY3Q6hgCEnxYwfznlv-g"],"Content-Type":[]}}

When I do this request in Postman:
http://google.electricityupcfib.es
these logs appear:

{"level":"info","ts":1668695332.7129219,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"54.86.50.139","remote_port":"45987","proto":"HTTP/1.1","method":"GET","host":"google.electricityupcfib.es","uri":"/","headers":{"Accept-Encoding":["gzip, deflate, br"],"Connection":["keep-alive"],"Accept":["*/*"],"Postman-Token":["9669e1d6-44fa-4a30-a587-1d1717976d4c"],"User-Agent":["PostmanRuntime/7.29.2"],"Cache-Control":["no-cache"],"Content-Length":["0"]}},"user_id":"","duration":0.000057324,"size":0,"status":308,"resp_headers":{"Location":["https://google.electricityupcfib.es/"],"Content-Type":[],"Server":["Caddy"],"Connection":["close"]}}

{"level":"info","ts":1668695353.504205,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"194.180.48.125","remote_port":"34226","proto":"HTTP/1.1","method":"GET","host":"34.175.209.226","uri":"/explore","headers":{"Connection":["close"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36"],"Accept-Charset":["utf-8"],"Accept-Encoding":["gzip"]}},"user_id":"","duration":0.000047675,"size":0,"status":308,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Location":["https://34.175.209.226/explore"],"Content-Type":[]}}
{"level":"info","ts":1668695413.2037003,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"62.233.50.163","remote_port":"61443","proto":"HTTP/1.0","method":"GET","host":"","uri":"/","headers":{"User-Agent":["masscan/1.3 (https://github.com/robertdavidgraham/masscan)"],"Accept":["*/*"]}},"user_id":"","duration":0.000057265,"size":0,"status":308,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Location":["https:///"],"Content-Type":[]}}
{"level":"info","ts":1668695416.7859757,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"159.89.152.193","remote_port":"36520","proto":"HTTP/1.1","method":"HEAD","host":"google.electricityupcfib.es","uri":"/","headers":{"Accept":["*/*"],"Accept-Language":["*"],"Content-Length":["0"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Safari/605.1.15"]}},"user_id":"","duration":0.000054885,"size":0,"status":308,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Location":["https://google.electricityupcfib.es/"],"Content-Type":[]}}

When I use HTTPS:
https://google.electricityupcfib.es

{"level":"debug","ts":1668696854.6730585,"logger":"events","msg":"event","name":"tls_get_certificate","id":"fd146574-815e-4a65-8976-d6c550cc9088","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49199,49195,49200,49196,158,49191,103,49192,107,163,159,52393,52392,52394,49327,49325,49315,49311,49245,49249,49239,49235,162,49326,49324,49314,49310,49244,49248,49238,49234,49188,106,49187,64,49162,49172,57,56,49161,49171,51,50,157,49313,49309,49233,156,49312,49308,49232,61,60,53,47,255],"ServerName":"google.electricityupcfib.es","SupportedCurves":[29,23,30,25,24],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,515,769,513,770,514,1026,1282,1538],"SupportedProtos":null,"SupportedVersions":[772,771,770,769],"Conn":{}}}}
{"level":"debug","ts":1668696854.6731625,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"google.electricityupcfib.es"}
{"level":"debug","ts":1668696854.673194,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.electricityupcfib.es"}
{"level":"debug","ts":1668696854.6732008,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.es"}
{"level":"debug","ts":1668696854.6732059,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*"}
{"level":"debug","ts":1668696854.6732118,"logger":"tls.handshake","msg":"all external certificate managers yielded no certificates and no errors","remote_ip":"54.86.50.139","remote_port":"58810","sni":"google.electricityupcfib.es"}
{"level":"debug","ts":1668696854.6732197,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"54.86.50.139","remote_port":"58810","server_name":"google.electricityupcfib.es","remote":"54.86.50.139:58810","identifier":"google.electricityupcfib.es","cipher_suites":[4866,4867,4865,49199,49195,49200,49196,158,49191,103,49192,107,163,159,52393,52392,52394,49327,49325,49315,49311,49245,49249,49239,49235,162,49326,49324,49314,49310,49244,49248,49238,49234,49188,106,49187,64,49162,49172,57,56,49161,49171,51,50,157,49313,49309,49233,156,49312,49308,49232,61,60,53,47,255],"cert_cache_fill":0.0001,"load_if_necessary":true,"obtain_if_necessary":true,"on_demand":false}
{"level":"debug","ts":1668696854.6734114,"logger":"http.stdlib","msg":"http: TLS handshake error from 54.86.50.139:58810: no certificate available for 'google.electricityupcfib.es'"}

I don't understand why the 308 permanent redirect happens.
Also, this is my Caddyfile:

{
    # Debug
    {$DEBUG}
    debug
}

{$SERVER_NAME}

log

# Matches requests for HTML documents, for static files and for Next.js files,
# except for known API paths and paths with extensions handled by API Platform
@pwa expression `(
        header({'Accept': '*text/html*'})
        && !path(
            '/docs*', '/graphql*', '/bundles*', '/contexts*', '/_profiler*', '/_wdt*',
            '*.json*', '*.html', '*.csv', '*.yml', '*.yaml', '*.xml'
        )
    )
    || path('/favicon.ico', '/manifest.json', '/robots.txt', '/_next*', '/sitemap*')`

route {
    root * /srv/app/public
    mercure {
        # Transport to use (default to Bolt)
        transport_url {$MERCURE_TRANSPORT_URL:bolt:///data/mercure.db}
        # Publisher JWT key
        publisher_jwt {env.MERCURE_PUBLISHER_JWT_KEY} {env.MERCURE_PUBLISHER_JWT_ALG}
        # Subscriber JWT key
        subscriber_jwt {env.MERCURE_SUBSCRIBER_JWT_KEY} {env.MERCURE_SUBSCRIBER_JWT_ALG}
        # Allow anonymous subscribers (double-check that it's what you want)
        anonymous
        # Enable the subscription API (double-check that it's what you want)
        subscriptions
        # Extra directives
        {$MERCURE_EXTRA_DIRECTIVES}
    }
    vulcain

    # Add links to the API docs and to the Mercure Hub if not set explicitly (e.g. the PWA)
    header ?Link `</docs.jsonld>; rel="http://www.w3.org/ns/hydra/core#apiDocumentation", </.well-known/mercure>; rel="mercure"`
    # Disable Topics tracking if not enabled explicitly: https://github.com/jkarlin/topics
    header ?Permissions-Policy "browsing-topics=()"

    # Comment the following line if you don't want Next.js to catch requests for HTML documents.
    # In this case, they will be handled by the PHP app.
    reverse_proxy @pwa http://{$PWA_UPSTREAM}

    php_fastcgi unix//var/run/php/php-fpm.sock
    encode zstd gzip
    file_server
}

If you could please tell me explicitly where to put the http:// here, it would be perfect, since I know nothing about Caddyfiles. I tried messing around with http:// but I think I don't know where to place it.

Thank you for your time!
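The log excerpts above can be triaged mechanically. The script below is an added example, not code from this thread or from Caddy: it parses Caddy's JSON log, reads which domains Caddy said it manages certificates for, and flags hostnames that ACME validators or TLS clients asked for but that Caddy has no site for, plus the raw-IP and scanner probes that show up as soon as port 80 is public. The log lines embedded in it are constructed to mirror the ones posted above, with RFC 5737 documentation addresses in place of the real ones; the scanner user-agent markers are my own assumption.

```python
import ipaddress
import json

ACME_PREFIX = "/.well-known/acme-challenge/"
SCANNER_UA_MARKERS = ("masscan", "zgrab", "nmap")  # assumption: my own list of scanner strings

# Constructed sample modelled on the lines posted above; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """
{"level":"info","ts":1.0,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["localhost"]}
{"level":"error","ts":2.0,"logger":"http","msg":"looking up info for HTTP challenge","host":"google.electricityupcfib.es","error":"no information found to solve challenge for identifier: google.electricityupcfib.es"}
{"level":"info","ts":2.1,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"203.0.113.10","remote_port":"48816","proto":"HTTP/1.1","method":"GET","host":"google.electricityupcfib.es","uri":"/.well-known/acme-challenge/token123","headers":{"User-Agent":["Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"]}},"status":308,"resp_headers":{"Location":["https://google.electricityupcfib.es/.well-known/acme-challenge/token123"]}}
{"level":"debug","ts":3.0,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"203.0.113.11","remote_port":"58810","server_name":"google.electricityupcfib.es","identifier":"google.electricityupcfib.es"}
{"level":"info","ts":4.0,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"198.51.100.7","remote_port":"34226","proto":"HTTP/1.1","method":"GET","host":"192.0.2.50","uri":"/explore","headers":{"User-Agent":["Mozilla/5.0"]}},"status":308,"resp_headers":{}}
{"level":"info","ts":5.0,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"198.51.100.8","remote_port":"61443","proto":"HTTP/1.0","method":"GET","host":"","uri":"/","headers":{"User-Agent":["masscan/1.3 (https://github.com/robertdavidgraham/masscan)"]}},"status":308,"resp_headers":{}}
{"level":"info","ts":6.0,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"203.0.113.12","remote_port":"1000","proto":"HTTP/1.1","method":"GET","host":"localhost","uri":"/","headers":{}},"status":200,"resp_headers":{}}
this line is not JSON and is skipped
"""

def parse_caddy_log(text):
    """Caddy writes one JSON object per line; anything else is skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            try:
                events.append(json.loads(line))
            except json.JSONDecodeError:
                pass
    return events

def managed_domains(events):
    """Names Caddy announced it manages certificates for."""
    names = set()
    for e in events:
        if e.get("msg") == "enabling automatic TLS certificate management":
            names.update(e.get("domains", []))
    return names

def _access_events(events):
    return [e for e in events if e.get("logger") == "http.log.access"]

def redirected_challenges(events):
    """ACME HTTP-01 probes that were redirected instead of answered with the token."""
    out = []
    for e in _access_events(events):
        req = e.get("request", {})
        if req.get("uri", "").startswith(ACME_PREFIX) and 300 <= e.get("status", 0) < 400:
            out.append((req.get("host", ""), e["status"]))
    return out

def unmanaged_hosts(events, managed):
    """Names clients asked for (ACME probe or TLS SNI) that Caddy has no site for."""
    asked = {h for h, _ in redirected_challenges(events)}
    for e in events:
        if e.get("msg") == "looking up info for HTTP challenge":
            asked.add(e.get("host", ""))
        elif e.get("msg") == "no certificate matching TLS ClientHello":
            asked.add(e.get("server_name", ""))
    return {h for h in asked if h and h not in managed}

def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def background_noise(events):
    """Requests that are internet scanning rather than use of the site."""
    out = []
    for e in _access_events(events):
        req = e.get("request", {})
        host = req.get("host", "")
        ua = " ".join(req.get("headers", {}).get("User-Agent", [])).lower()
        reasons = []
        if host == "":
            reasons.append("empty Host header")
        elif _is_ip_literal(host.rsplit(":", 1)[0] if host.count(":") == 1 else host):
            reasons.append("raw IP in Host header")
        if any(m in ua for m in SCANNER_UA_MARKERS):
            reasons.append("scanner User-Agent")
        if reasons:
            out.append((req.get("remote_ip", ""), tuple(reasons)))
    return out

def triage(text):
    """Summarise a log: managed names, redirected ACME probes, unmanaged names, scanner noise."""
    events = parse_caddy_log(text)
    managed = managed_domains(events)
    return {
        "managed": managed,
        "redirected_challenges": redirected_challenges(events),
        "unmanaged_hosts": unmanaged_hosts(events, managed),
        "noise": background_noise(events),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Against the posted logs the only managed name is localhost, so every request for google.electricityupcfib.es lands in unmanaged_hosts; that is the signal that SERVER_NAME never reached the Caddyfile. The 308 on the acme-challenge path is a consequence rather than the cause: Caddy answers HTTP-01 probes itself only for names it is actively obtaining a certificate for, and everything else falls through to the default HTTP-to-HTTPS redirect, where there is no certificate to serve either. The raw-IP and masscan entries are ordinary background scanning of a freshly exposed port 80 and need no action beyond noting them.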

Hello again. After changing the Caddyfile
(I commented out {$SERVER_NAME} and added just http://):

{
    # Debug
    {$DEBUG}
    debug
}

#{$SERVER_NAME}
http://
log

# Matches requests for HTML documents, for static files and for Next.js files,
# except for known API paths and paths with extensions handled by API Platform
@pwa expression `(
        header({'Accept': '*text/html*'})
        && !path(
            '/docs*', '/graphql*', '/bundles*', '/contexts*', '/_profiler*', '/_wdt*',
            '*.json*', '*.html', '*.csv', '*.yml', '*.yaml', '*.xml'
        )
    )
    || path('/favicon.ico', '/manifest.json', '/robots.txt', '/_next*', '/sitemap*')`

route {
    root * /srv/app/public
    mercure {
        # Transport to use (default to Bolt)
        transport_url {$MERCURE_TRANSPORT_URL:bolt:///data/mercure.db}
        # Publisher JWT key
        publisher_jwt {env.MERCURE_PUBLISHER_JWT_KEY} {env.MERCURE_PUBLISHER_JWT_ALG}
        # Subscriber JWT key
        subscriber_jwt {env.MERCURE_SUBSCRIBER_JWT_KEY} {env.MERCURE_SUBSCRIBER_JWT_ALG}
        # Allow anonymous subscribers (double-check that it's what you want)
        anonymous
        # Enable the subscription API (double-check that it's what you want)
        subscriptions
        # Extra directives
        {$MERCURE_EXTRA_DIRECTIVES}
    }
    vulcain

    # Add links to the API docs and to the Mercure Hub if not set explicitly (e.g. the PWA)
    header ?Link `</docs.jsonld>; rel="http://www.w3.org/ns/hydra/core#apiDocumentation", </.well-known/mercure>; rel="mercure"`
    # Disable Topics tracking if not enabled explicitly: https://github.com/jkarlin/topics
    header ?Permissions-Policy "browsing-topics=()"

    # Comment the following line if you don't want Next.js to catch requests for HTML documents.
    # In this case, they will be handled by the PHP app.
    reverse_proxy @pwa http://{$PWA_UPSTREAM}

    php_fastcgi unix//var/run/php/php-fpm.sock
    encode zstd gzip
    file_server
}
{"level":"debug","ts":1668697676.440121,"logger":"http.handlers.rewrite","msg":"rewrote request","request":{"remote_ip":"54.86.50.139","remote_port":"50278","proto":"HTTP/1.1","method":"GET","host":"34.175.209.226","uri":"/","headers":{"Postman-Token":["e8c8a673-4d62-497d-b071-2394a3894c14"],"Content-Length":["0"],"User-Agent":["PostmanRuntime/7.29.2"],"Accept":["*/*"],"Cache-Control":["no-cache"],"Accept-Encoding":["gzip, deflate, br"],"Connection":["keep-alive"]}},"method":"GET","uri":"/index.php"}
{"level":"debug","ts":1668697676.4401834,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"/var/run/php/php-fpm.sock","total_upstreams":1}
{"level":"debug","ts":1668697676.4403121,"logger":"http.reverse_proxy.transport.fastcgi","msg":"roundtrip","request":{"remote_ip":"54.86.50.139","remote_port":"50278","proto":"HTTP/1.1","method":"GET","host":"34.175.209.226","uri":"/index.php","headers":{"Accept":["*/*"],"Cache-Control":["no-cache"],"Accept-Encoding":["gzip, deflate, br"],"Postman-Token":["e8c8a673-4d62-497d-b071-2394a3894c14"],"X-Forwarded-Host":["34.175.209.226"],"X-Forwarded-For":["54.86.50.139"],"User-Agent":["PostmanRuntime/7.29.2"],"Content-Length":["0"],"X-Forwarded-Proto":["http"]}},"env":{"HTTP_CONTENT_LENGTH":"0","REQUEST_URI":"/","REQUEST_METHOD":"GET","REQUEST_SCHEME":"http","HTTP_HOST":"34.175.209.226","HTTP_CACHE_CONTROL":"no-cache","HTTP_ACCEPT_ENCODING":"gzip, deflate, br","HTTP_X_FORWARDED_PROTO":"http","CONTENT_TYPE":"","PATH_INFO":"","SERVER_PROTOCOL":"HTTP/1.1","SERVER_SOFTWARE":"Caddy/v2.6.2","DOCUMENT_ROOT":"/srv/app/public","HTTP_POSTMAN_TOKEN":"e8c8a673-4d62-497d-b071-2394a3894c14","HTTP_USER_AGENT":"PostmanRuntime/7.29.2","REMOTE_IDENT":"","REMOTE_USER":"","SERVER_PORT":"80","HTTP_ACCEPT":"*/*","HTTP_X_FORWARDED_HOST":"34.175.209.226","GATEWAY_INTERFACE":"CGI/1.1","QUERY_STRING":"","REMOTE_HOST":"54.86.50.139","SERVER_NAME":"34.175.209.226","HTTP_X_FORWARDED_FOR":"54.86.50.139","CONTENT_LENGTH":"0","REMOTE_PORT":"50278","AUTH_TYPE":"","DOCUMENT_URI":"/index.php","SCRIPT_FILENAME":"/srv/app/public/index.php","SCRIPT_NAME":"/index.php","REMOTE_ADDR":"54.86.50.139"},"dial":"/var/run/php/php-fpm.sock","env":{"SERVER_PORT":"80","HTTP_ACCEPT":"*/*","HTTP_X_FORWARDED_HOST":"34.175.209.226","GATEWAY_INTERFACE":"CGI/1.1","REMOTE_USER":"","REMOTE_HOST":"54.86.50.139","SERVER_NAME":"34.175.209.226","HTTP_X_FORWARDED_FOR":"54.86.50.139","CONTENT_LENGTH":"0","QUERY_STRING":"","AUTH_TYPE":"","REMOTE_PORT":"50278","SCRIPT_FILENAME":"/srv/app/public/index.php","SCRIPT_NAME":"/index.php","REMOTE_ADDR":"54.86.50.139","DOCUMENT_URI":"/index.php","HTTP_CONTENT_LENGTH":"0","REQUEST_URI":"/","REQ
UEST_SCHEME":"http","HTTP_HOST":"34.175.209.226","HTTP_CACHE_CONTROL":"no-cache","HTTP_ACCEPT_ENCODING":"gzip, deflate, br","HTTP_X_FORWARDED_PROTO":"http","CONTENT_TYPE":"","REQUEST_METHOD":"GET","SERVER_PROTOCOL":"HTTP/1.1","SERVER_SOFTWARE":"Caddy/v2.6.2","DOCUMENT_ROOT":"/srv/app/public","HTTP_POSTMAN_TOKEN":"e8c8a673-4d62-497d-b071-2394a3894c14","HTTP_USER_AGENT":"PostmanRuntime/7.29.2","REMOTE_IDENT":"","PATH_INFO":""},"request":{"remote_ip":"54.86.50.139","remote_port":"50278","proto":"HTTP/1.1","method":"GET","host":"34.175.209.226","uri":"/index.php","headers":{"Accept":["*/*"],"Cache-Control":["no-cache"],"Accept-Encoding":["gzip, deflate, br"],"Postman-Token":["e8c8a673-4d62-497d-b071-2394a3894c14"],"X-Forwarded-For":["54.86.50.139"],"User-Agent":["PostmanRuntime/7.29.2"],"Content-Length":["0"],"X-Forwarded-Proto":["http"],"X-Forwarded-Host":["34.175.209.226"]}}}
{"level":"debug","ts":1668697676.4975893,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"unix//var/run/php/php-fpm.sock","duration":0.057339018,"request":{"remote_ip":"54.86.50.139","remote_port":"50278","proto":"HTTP/1.1","method":"GET","host":"34.175.209.226","uri":"/index.php","headers":{"X-Forwarded-For":["54.86.50.139"],"User-Agent":["PostmanRuntime/7.29.2"],"Content-Length":["0"],"X-Forwarded-Proto":["http"],"X-Forwarded-Host":["34.175.209.226"],"Accept":["*/*"],"Cache-Control":["no-cache"],"Accept-Encoding":["gzip, deflate, br"],"Postman-Token":["e8c8a673-4d62-497d-b071-2394a3894c14"]}},"headers":{"X-Previous-Debug-Token":["c70221"],"X-Debug-Exception":["Untrusted%20Host%20%2234.175.209.226%22."],"Cache-Control":["no-cache, private"],"X-Debug-Token":["dcf424"],"Date":["Thu, 17 Nov 2022 15:07:56 GMT"],"X-Debug-Token-Link":["/_profiler/dcf424"],"X-Robots-Tag":["noindex"],"Link":["</docs.jsonld>; rel=\"http://www.w3.org/ns/hydra/core#apiDocumentation\""],"Status":["400 Bad Request"],"Content-Type":["text/html; charset=UTF-8"],"X-Debug-Exception-File":["%2Fsrv%2Fapp%2Fvendor%2Fsymfony%2Fhttp-kernel%2FHttpKernel.php:78"]},"status":400}
{"level":"error","ts":1668697676.6943085,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"54.86.50.139","remote_port":"50278","proto":"HTTP/1.1","method":"GET","host":"34.175.209.226","uri":"/","headers":{"Postman-Token":["e8c8a673-4d62-497d-b071-2394a3894c14"],"Content-Length":["0"],"User-Agent":["PostmanRuntime/7.29.2"],"Accept":["*/*"],"Cache-Control":["no-cache"],"Accept-Encoding":["gzip, deflate, br"],"Connection":["keep-alive"]}},"user_id":"","duration":0.254352776,"size":222535,"status":400,"resp_headers":{"Date":["Thu, 17 Nov 2022 15:07:56 GMT"],"X-Debug-Exception":["Untrusted%20Host%20%2234.175.209.226%22."],"Cache-Control":["no-cache, private"],"Permissions-Policy":["browsing-topics=()"],"Server":["Caddy"],"Link":["</docs.jsonld>; rel=\"http://www.w3.org/ns/hydra/core#apiDocumentation\""],"Status":["400 Bad Request"],"Content-Type":["text/html; charset=UTF-8"],"X-Debug-Exception-File":["%2Fsrv%2Fapp%2Fvendor%2Fsymfony%2Fhttp-kernel%2FHttpKernel.php:78"],"X-Debug-Token":["dcf424"],"X-Previous-Debug-Token":["c70221"],"X-Debug-Token-Link":["/_profiler/dcf424"],"X-Robots-Tag":["noindex"]}}

This is the visual image of the response:

I suspect that something weird is happening here. Symfony (the API) is receiving requests from its public IP instead of localhost.

How can I make Caddy make the requests as if the host was localhost instead of the public IP?

This makes me think you didn’t configure SERVER_NAME correctly with your domain name. Caddy is only trying to serve localhost, not your domain.

You made a request to that IP. Your app isn’t trusting requests from that IP. That seems to be working as intended.
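To make that "Untrusted Host" response concrete, here is a small model of the check, added as an example and not code from this thread, from API Platform or from Symfony. It rebuilds the TRUSTED_HOSTS value from the compose file shown at the top of the thread and applies it the way Symfony applies trusted_hosts patterns (assumption: port stripped, host lowercased, unanchored case-insensitive match). The anchored variant at the end is my own suggestion, not the distribution's setting.

```python
import re
from typing import Optional

# Domain from the thread; any real hostname works here.
EXAMPLE_DOMAIN = "www.electricityupcfib.es"

def compose_trusted_hosts(server_name: Optional[str]) -> str:
    """Rebuild the TRUSTED_HOSTS value the compose file hands to the php service.

    Compose expands ${SERVER_NAME:-example\\.com|localhost} and turns the
    trailing '$$' into a literal '$'.
    """
    default = r"example\.com|localhost"
    return "^" + (server_name or default) + "|caddy$"

def symfony_host_is_trusted(host_header: str, pattern: str) -> bool:
    """Approximation of Symfony's trusted_hosts check (assumption: the port is
    stripped, the host lowercased, and the pattern run as an unanchored,
    case-insensitive regular expression)."""
    host = re.sub(r":\d+$", "", host_header.strip()).lower()
    return re.search(pattern, host, re.IGNORECASE) is not None

def simulate_response(host_header: str, pattern: str) -> int:
    """400 is what the thread's log shows for an untrusted Host header."""
    return 200 if symfony_host_is_trusted(host_header, pattern) else 400

def anchored_trusted_hosts(server_name: str) -> str:
    """Stricter form: group the alternation and escape the dots so only the
    exact hostnames match (my suggestion, not the distribution's pattern)."""
    return "^(?:" + re.escape(server_name) + "|caddy)$"

if __name__ == "__main__":
    probes = ("localhost", EXAMPLE_DOMAIN, "34.175.209.226",
              EXAMPLE_DOMAIN + ".attacker.example", "notcaddy")
    for label, pattern in (
        ("SERVER_NAME unset", compose_trusted_hosts(None)),
        ("SERVER_NAME set  ", compose_trusted_hosts(EXAMPLE_DOMAIN)),
        ("anchored         ", anchored_trusted_hosts(EXAMPLE_DOMAIN)),
    ):
        print(f"{label}  pattern={pattern}")
        for host in probes:
            print(f"    {host:45} -> {simulate_response(host, pattern)}")
```

With SERVER_NAME unset the pattern admits only example.com, localhost and caddy, so both the real domain and the public IP get a 400; with it set the domain passes and the IP still fails, which is the behaviour the reply above describes. Note also that ^www.electricityupcfib.es|caddy$ is two loosely bound alternatives, so any host that merely starts with the domain, or merely ends in caddy, is accepted; grouping and escaping the pattern as in anchored_trusted_hosts closes that gap.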

I eventually found the solution.
I had to hardcode the server name in the Caddyfile, replacing {$SERVER_NAME}.

Then I also had to start the containers like this:

SERVER_NAME="place hostname here" APP_SECRET='your secret' POSTGRES_PASSWORD='your secret' CADDY_MERCURE_JWT_SECRET='your secret' DEBUG=debug docker compose up -d

You can significantly simplify that by using a .env file in the same location as your docker-compose.yml. That way you don’t need to “remember” the values for those environment variables or have them appear in your command history.
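One way to act on that suggestion, as an added example rather than code from this thread or from the distribution: a preflight script that parses the .env file and refuses the defaults the compose file ships with, so that SERVER_NAME=localhost or !ChangeMe! never reaches a public host again. The required keys are the ones from the command line above; the placeholder list, the 32-character minimum and the hostname check are my own assumptions.

```python
import re
import secrets

# Keys the command line in the thread sets; the compose file falls back to
# built-in defaults for any that are missing.
REQUIRED = ("SERVER_NAME", "APP_SECRET", "POSTGRES_PASSWORD", "CADDY_MERCURE_JWT_SECRET")
# Defaults from the distribution's compose file plus the placeholders used in the thread.
PLACEHOLDERS = {
    "!ChangeMe!", "!ChangeThisMercureHubJWTSecretKey!", "your secret",
    "place hostname here", "localhost", "example.com",
}
MIN_SECRET_LEN = 32  # assumption: my threshold, not a Mercure or Symfony requirement

# Constructed inputs, not files from the thread.
BAD_ENV = """# defaults copied straight from the compose file
SERVER_NAME=localhost
POSTGRES_PASSWORD=!ChangeMe!
CADDY_MERCURE_JWT_SECRET="!ChangeThisMercureHubJWTSecretKey!"
"""
GOOD_ENV = """SERVER_NAME=www.electricityupcfib.es
APP_SECRET=0123456789abcdef0123456789abcdef
POSTGRES_PASSWORD='Lk3-example-not-real-9PqZ2mN7vX4bR8tW'
CADDY_MERCURE_JWT_SECRET=f6a1c2d3e4b5a6978899aabbccddeeff00112233
"""

def parse_dotenv(text):
    """Minimal KEY=VALUE parser: skips blanks and comments, strips one layer of quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env

def preflight(env):
    """Return a list of findings; an empty list means the .env is fit to deploy."""
    findings = []
    for key in REQUIRED:
        value = env.get(key, "")
        if not value:
            findings.append(f"{key}: missing, compose will use its built-in default")
        elif value in PLACEHOLDERS:
            findings.append(f"{key}: still a placeholder value ({value!r})")
        elif key != "SERVER_NAME" and len(value) < MIN_SECRET_LEN:
            findings.append(f"{key}: shorter than {MIN_SECRET_LEN} characters")
    name = env.get("SERVER_NAME", "")
    # The compose file appends ', caddy:80' itself, so SERVER_NAME should be a bare hostname.
    if name and not re.fullmatch(r"[a-z0-9.-]+(?:,\s*[a-z0-9.-]+)*", name.lower()):
        findings.append(f"SERVER_NAME: {name!r} should be a bare hostname (no scheme, port or path)")
    return findings

def suggest_secret():
    """A fresh 64-hex-character secret suitable for APP_SECRET or the Mercure JWT key."""
    return secrets.token_hex(32)

if __name__ == "__main__":
    for label, text in (("bad", BAD_ENV), ("good", GOOD_ENV)):
        print(label, preflight(parse_dotenv(text)) or "OK")
    print("example secret:", suggest_secret())
```

Run it before docker compose up -d and refuse to deploy on any finding. Keeping the values in .env also avoids the shell-history problem the reply mentions, but the file then holds the real secrets, so keep it out of version control and readable only by the deploying user.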

Yes, thank you for your help. Anyway, I still don't know why the Caddyfile doesn't get the proper value, since I have to hardcode it.

Thank you very much for your help