1. The problem I’m having:
Hello,
As you can see in the log, my Docker container doesn’t have permission to create a folder (mkdir fails), which prevents the SSL certificates from being stored.
Do you have any idea how to fix that?
2. Error messages and/or full log output:
{"level":"info","ts":1735121641.6572814,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
{"level":"info","ts":1735121641.659726,"msg":"adapted config to JSON","adapter":"caddyfile"}
{"level":"warn","ts":1735121641.659755,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
{"level":"info","ts":1735121641.661925,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1735121641.66241,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00014ce80"}
{"level":"info","ts":1735121641.6624188,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1735121641.662467,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1735121641.6629717,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"info","ts":1735121641.663072,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 7168 kiB, got: 4882 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
{"level":"info","ts":1735121641.6632955,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"info","ts":1735121641.6633546,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1735121641.6633637,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["forgejo.domain.xx","woodpecker.domain.xx"]}
{"level":"error","ts":1735121641.663557,"msg":"unable to create folder for config autosave","dir":"/config/caddy","error":"mkdir /config/caddy: permission denied"}
{"level":"info","ts":1735121641.663567,"msg":"serving initial configuration"}
{"level":"warn","ts":1735121641.6636097,"logger":"tls","msg":"unable to get instance ID; storage clean stamps will be incomplete","error":"mkdir /data/caddy: permission denied"}
{"level":"error","ts":1735121641.6637259,"logger":"tls","msg":"job failed","error":"forgejo.domain.xx: obtaining certificate: failed storage check: mkdir /data/caddy: permission denied - storage is probably misconfigured"}
{"level":"error","ts":1735121641.6638243,"logger":"tls","msg":"job failed","error":"woodpecker.domain.xx: obtaining certificate: failed storage check: mkdir /data/caddy: permission denied - storage is probably misconfigured"}
{"level":"error","ts":1735121641.6639693,"logger":"tls","msg":"could not clean default/global storage","error":"unable to acquire storage_clean lock: creating lock file: open /data/caddy/locks/storage_clean.lock: no such file or directory"}
{"level":"info","ts":1735121641.6639922,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1735122067.691868,"msg":"shutting down apps, then terminating","signal":"SIGTERM"}
{"level":"warn","ts":1735122067.6923325,"msg":"exiting; byeee!! 👋","signal":"SIGTERM"}
{"level":"info","ts":1735122067.6924407,"logger":"http","msg":"servers shutting down with eternal grace period"}
{"level":"info","ts":1735122067.6942093,"logger":"admin","msg":"stopped previous server","address":"localhost:2019"}
{"level":"info","ts":1735122067.694322,"msg":"shutdown complete","signal":"SIGTERM","exit_code":0}
{"level":"info","ts":1735122068.8185153,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
{"level":"info","ts":1735122068.821913,"msg":"adapted config to JSON","adapter":"caddyfile"}
{"level":"warn","ts":1735122068.8220124,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
{"level":"info","ts":1735122068.823959,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1735122068.8245878,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000613c80"}
{"level":"info","ts":1735122068.8247955,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1735122068.8250608,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1735122068.8256736,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"warn","ts":1735122068.8257554,"logger":"tls","msg":"unable to get instance ID; storage clean stamps will be incomplete","error":"mkdir /data/caddy: permission denied"}
{"level":"info","ts":1735122068.8260992,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 7168 kiB, got: 4882 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
{"level":"error","ts":1735122068.8261945,"logger":"tls","msg":"could not clean default/global storage","error":"unable to acquire storage_clean lock: creating lock file: open /data/caddy/locks/storage_clean.lock: no such file or directory"}
{"level":"info","ts":1735122068.8262556,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1735122068.8265166,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"info","ts":1735122068.826773,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1735122068.8269134,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["woodpecker.domain.xx","forgejo.domain.xx"]}
{"level":"error","ts":1735122068.8272073,"msg":"unable to create folder for config autosave","dir":"/config/caddy","error":"mkdir /config/caddy: permission denied"}
{"level":"info","ts":1735122068.8272905,"msg":"serving initial configuration"}
{"level":"error","ts":1735122068.8276126,"logger":"tls","msg":"job failed","error":"woodpecker.domain.xx: obtaining certificate: failed storage check: mkdir /data/caddy: permission denied - storage is probably misconfigured"}
{"level":"error","ts":1735122068.8276336,"logger":"tls","msg":"job failed","error":"forgejo.domain.xx: obtaining certificate: failed storage check: mkdir /data/caddy: permission denied - storage is probably misconfigured"}
3. Caddy version:
CADDY_VERSION=v2.8.4
"Id": "sha256:faa9a2c5676288c88ffa3ae9812dd7eb5ddeed8c06245b3f8fa181e9dfcf6601",
"RepoTags": [
"caddy:latest"
],
"RepoDigests": [
"caddy@sha256:d17c155b627f4ae14cef9cb4143b63c529a8497966b62febcde79f4ecc3857f7"
],
4. How I installed and ran Caddy:
a. System environment:
OS version
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
Docker version
Client:
Version: 20.10.24+dfsg1
API version: 1.41
Go version: go1.19.8
Git commit: 297e128
Built: Sat Oct 12 15:19:49 2024
OS/Arch: linux/amd64
Context: default
Experimental: true
Server:
Engine:
Version: 20.10.24+dfsg1
API version: 1.41 (minimum version 1.12)
Go version: go1.19.8
Git commit: 5d6db84
Built: Sat Oct 12 15:19:49 2024
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.6.20~ds1
GitCommit: 1.6.20~ds1-1+b1
runc:
Version: 1.1.5+ds1
GitCommit: 1.1.5+ds1-1+deb12u1
docker-init:
Version: 0.19.0
GitCommit:
b. Command:
c. Service/unit/compose file:
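# Build stage: compile a Caddy binary that bundles the Infomaniak DNS provider plugin.
# The base is pinned to the release reported under "Caddy version" (v2.8.4) instead of a
# floating tag, so a rebuild cannot silently pull a different toolchain or Caddy release.
# For content-level pinning, append the reviewed image digest as @sha256:<DIGEST>.
FROM caddy:2.8.4-builder AS builder

# xcaddy fetches the plugin at build time; without an @<version> suffix it resolves
# whatever is newest upstream. Pin it once a release has been reviewed, e.g.
#   --with github.com/caddy-dns/infomaniak@<PLUGIN_VERSION>
RUN xcaddy build --with github.com/caddy-dns/infomaniak

# Runtime stage: stock Caddy image of the same release, with only the binary replaced.
FROM caddy:2.8.4

# No USER is set in this file, so the process runs as the base image's default user.
# NOTE(review): that user (after any userns remapping or rootless mapping on the host)
# must be able to write the /data and /config mounts — confirm with `id` in the container.
COPY --from=builder /usr/bin/caddy /usr/bin/caddy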
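# Compose definition for the custom Caddy reverse proxy built from the local Dockerfile.
version: "3.9"

services:
  caddy-proxy:
    build:
      context: .
      dockerfile: Dockerfile
    container_name: caddy-proxy
    restart: unless-stopped
    ports:
      # Quoted so YAML never reinterprets HOST:CONTAINER pairs as numbers.
      - "80:80"
      - "443:443"
    volumes:
      # Caddy only reads its configuration, so the file is mounted read-only.
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      # /data stores certificates, private keys and ACME account data; /config stores the
      # autosaved configuration. Both host directories must be writable by the UID the
      # container process actually runs as; a "mkdir /data/caddy: permission denied" error
      # at startup means they are not. Fix the ownership of ./caddy-data and ./caddy-config
      # for that UID instead of making them world-writable: ./caddy-data holds TLS private
      # keys and should stay readable by that single user only.
      - ./caddy-data:/data
      - ./caddy-config:/config
    networks:
      # NOTE(review): caddy-net is not declared in this snippet; it needs a top-level
      # `networks:` entry (or an external network) elsewhere in the file.
      - caddy-net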
d. My complete Caddy config:
# Shared TLS settings: both sites request certificates through the DNS challenge using
# the Infomaniak provider module.
# "token" is presumably a redacted stand-in for the API token. Keep the real value out of
# this file: reference it through an environment placeholder such as
# {env.INFOMANIAK_API_TOKEN} (example name) and supply it to the container at runtime.
(infomaniak_dns) {
	tls {
		dns infomaniak token
	}
}

# Forgejo, proxied to the forgejo-server container on port 3000.
forgejo.domain.xx {
	import infomaniak_dns
	reverse_proxy forgejo-server:3000
}

# Woodpecker, proxied to the woodpecker-server container on port 8000.
woodpecker.domain.xx {
	import infomaniak_dns
	reverse_proxy woodpecker-server:8000
}