1. Caddy version (caddy version):
Docker - 2.4.5-alpine built with the Cloudflare DNS module using xcaddy
See Dockerfile below
I don’t know how to get it to print the version at startup, but I can provide that if someone lets me know how.
2. How I run Caddy:
I am trying to host sclark.xyz and www.sclark.xyz on my internal network at home. However, I want them to have real certificates and I don’t want to have to forward any ports to do so.
a. System environment:
Ubuntu 20.04.3 LTS
Docker version 20.10.8, build 3967b7d
docker-compose version 1.27.4, build 40524192
b. Command:
sudo docker-compose up
c. Service/unit/compose file:
#./docker-compose.yml
version: "3.8"
services:
  caddyserver:
    container_name: "caddyserver"
    build:
      context: "./caddy"
      dockerfile: "Dockerfile"
      args:
        caddybuilderversion: "2.4.5-builder-alpine"
        caddyversion: "2.4.5-alpine"
    restart: "unless-stopped"
    ports:
      - target: 80
        published: 80
        protocol: "tcp"
        mode: "host"
      - target: 443
        published: 443
        protocol: tcp
        mode: "host"
    environment:
      TZ: "America/Chicago"
    volumes:
      - "/home/sam/xyz/sclark/caddy/config/Caddyfile:/etc/caddy/Caddyfile"
      - "/home/sam/xyz/sclark/caddy/data:/data"
      - "/home/sam/xyz/sclark/www:/var/www"
      - "Certfiles:/root/.caddy"
volumes:
  Certfiles:
# ./caddy/Dockerfile
ARG caddybuilderversion
ARG caddyversion
FROM caddy:${caddybuilderversion} AS builder
RUN xcaddy build \
    --with github.com/caddy-dns/cloudflare
FROM caddy:${caddyversion}
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
d. My complete Caddyfile or JSON config:
# ./caddy/config/Caddyfile
{
	debug # per the instructions
	email personal-email@example.com # Redacted my email address
	acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}
(encoding) {
	encode zstd gzip
}
(dnschallenge) {
	tls personal-email@example.com { # Redacted my email address
		dns cloudflare {Redacted API key}
	}
}
(common) {
	import encoding
	import dnschallenge
}
http://sclark.xyz, https://sclark.xyz {
	redir https://www.sclark.xyz{uri}
}
www.sclark.xyz {
	import common
	root * /var/www
	file_server
}
3. The problem I’m having:
Caddy is not able to start with the above configuration and I don’t know why.
I used to have caddy working and had used it for six months or so. I really thought I got the hang of it. I moved and the server has been turned off since May. Just tried to turn it back on the other day and it hasn’t worked.
I have a bunch of services and manage them with the docker-compose.yml. I go through and update the version and run docker-compose up -d every once in a while to keep them updated. This is a stripped down version to demonstrate the problem.
4. Error messages and/or full log output:
Creating network "sclark_default" with the default driver
Creating caddyserver ... done
Attaching to caddyserver
caddyserver | {"level":"info","ts":1631240253.378472,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
caddyserver | {"level":"info","ts":1631240253.3801055,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
caddyserver | {"level":"info","ts":1631240253.3803442,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00037b110"}
caddyserver | {"level":"info","ts":1631240253.3803976,"logger":"http","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv0","http_port":80}
caddyserver | {"level":"info","ts":1631240253.380441,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv1","https_port":443}
caddyserver | {"level":"info","ts":1631240253.3804607,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv1"}
caddyserver | {"level":"warn","ts":1631240253.3804817,"logger":"http","msg":"user server is listening on same interface as automatic HTTP->HTTPS redirects; user-configured routes might override these redirects","server_name":"srv0","interface":"tcp/:80"}
caddyserver | {"level":"info","ts":1631240253.380939,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["www.sclark.xyz","sclark.xyz"]}
caddyserver | {"level":"info","ts":1631240253.38198,"logger":"tls","msg":"cleaned up storage units"}
caddyserver | {"level":"info","ts":1631240253.389078,"msg":"autosaved config","file":"/config/caddy/autosave.json"}
caddyserver | {"level":"info","ts":1631240253.3890939,"msg":"serving initial configuration"}
caddyserver | {"level":"info","ts":1631240253.3893764,"logger":"tls.obtain","msg":"acquiring lock","identifier":"sclark.xyz"}
caddyserver | {"level":"info","ts":1631240253.3895674,"logger":"tls.obtain","msg":"lock acquired","identifier":"sclark.xyz"}
caddyserver | {"level":"info","ts":1631240253.3899245,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["sclark.xyz"]}
caddyserver | {"level":"info","ts":1631240253.3899317,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["sclark.xyz"]}
caddyserver | {"level":"info","ts":1631240253.7842014,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"sclark.xyz","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
caddyserver | {"level":"error","ts":1631240254.4169948,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"sclark.xyz","challenge_type":"tls-alpn-01","status_code":400,"problem_type":"urn:ietf:params:acme:error:dns","error":"No valid IP addresses found for sclark.xyz"}
caddyserver | {"level":"error","ts":1631240254.4170365,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"sclark.xyz","error":"authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - No valid IP addresses found for sclark.xyz","order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/16429146/499875248","attempt":1,"max_attempts":3}
caddyserver | {"level":"info","ts":1631240255.5188823,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"sclark.xyz","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
caddyserver | {"level":"error","ts":1631240257.0420775,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"sclark.xyz","challenge_type":"http-01","status_code":400,"problem_type":"urn:ietf:params:acme:error:dns","error":"No valid IP addresses found for sclark.xyz"}
caddyserver | {"level":"error","ts":1631240257.0421429,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"sclark.xyz","error":"authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - No valid IP addresses found for sclark.xyz","order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/16429146/499875358","attempt":2,"max_attempts":3}
caddyserver | {"level":"error","ts":1631240258.2028787,"logger":"tls.obtain","msg":"will retry","error":"[sclark.xyz] Obtain: [sclark.xyz] solving challenges: sclark.xyz: no solvers available for remaining challenges (configured=[http-01 tls-alpn-01] offered=[http-01 dns-01 tls-alpn-01] remaining=[dns-01]) (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/16429146/499875458) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":4.813302395,"max_duration":2592000}
Those last logs just kinda loop
# ...
caddyserver | {"level":"info","ts":1631240318.495699,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"sclark.xyz","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
caddyserver | {"level":"error","ts":1631240319.434231,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"sclark.xyz","challenge_type":"http-01","status_code":400,"problem_type":"urn:ietf:params:acme:error:dns","error":"No valid IP addresses found for sclark.xyz"}
caddyserver | {"level":"error","ts":1631240319.4342926,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"sclark.xyz","error":"authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - No valid IP addresses found for sclark.xyz","order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/16429146/499879568","attempt":1,"max_attempts":3}
caddyserver | {"level":"info","ts":1631240320.5380478,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"sclark.xyz","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
caddyserver | {"level":"error","ts":1631240320.882537,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"sclark.xyz","challenge_type":"tls-alpn-01","status_code":400,"problem_type":"urn:ietf:params:acme:error:dns","error":"No valid IP addresses found for sclark.xyz"}
caddyserver | {"level":"error","ts":1631240320.8825984,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"sclark.xyz","error":"authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - No valid IP addresses found for sclark.xyz","order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/16429146/499879668","attempt":2,"max_attempts":3}
caddyserver | {"level":"error","ts":1631240322.05715,"logger":"tls.obtain","msg":"will retry","error":"[sclark.xyz] Obtain: [sclark.xyz] solving challenges: sclark.xyz: no solvers available for remaining challenges (configured=[http-01 tls-alpn-01] offered=[http-01 dns-01 tls-alpn-01] remaining=[dns-01]) (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/16429146/499879858) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":2,"retrying_in":120,"elapsed":68.667573384,"max_duration":2592000}
5. What I already tried:
Well, stripping things down. Like cutting out the other services I used to run (Gitea, Bookstack, Jellyfin, Wireguard, and another static site on blog.). Updating versions of Caddy and the OS packages. I recreated my API key with Cloudflare to make sure it didn’t expire. I already got blocked from the prod Let’s Encrypt endpoint so I switched to stage for the time being.
Since it says “No valid IP addresses found for sclark.xyz” I tried adding the resolvers subdirective to the tls directive I have but I get another error in that case:
To be clear, I mean that making it looks like
(dnschallenge) {
	tls personal-email@example.com { # Redacted my email address
		dns cloudflare {Redacted API key}
		resolvers 1.1.1.1
	}
}
yields this error
caddyserver | run: adapting config using caddyfile: parsing caddyfile tokens for 'tls': /etc/caddy/Caddyfile:13 - Error during parsing: unknown subdirective: resolvers
Which just doesn’t make any sense to me since it seems like a valid subdirective according to the docs and is recommended on the cloudflare dns module GitHub page for another issue.
I don’t really know what else to try and it’s been like this for two days.
6. Links to relevant resources:
The last weird thing I can think of is that this documentation page doesn’t tell me enough to use it. It doesn’t look like a directive I can use in a Caddyfile and doesn’t match what is provided in the README on GitHub for that module.
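An added example, not part of the original post: a small parser for Caddy's JSON log lines that pulls out, per identifier, which ACME challenges failed and which challenge type the CA still needed but Caddy had no solver for. Run over the three lines taken from the log above (container prefix included), it shows that sclark.xyz was attempted with only http-01 and tls-alpn-01 while the CA's remaining challenge was dns-01, which matches the Caddyfile above importing the dnschallenge snippet only in the www.sclark.xyz site block. The function and variable names are the example's own.

```python
import json
import re

# Three lines taken from the docker-compose log above (container prefix included).
SAMPLE_LOG = """\
caddyserver | {"level":"error","ts":1631240254.4169948,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"sclark.xyz","challenge_type":"tls-alpn-01","status_code":400,"problem_type":"urn:ietf:params:acme:error:dns","error":"No valid IP addresses found for sclark.xyz"}
caddyserver | {"level":"error","ts":1631240257.0420775,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"sclark.xyz","challenge_type":"http-01","status_code":400,"problem_type":"urn:ietf:params:acme:error:dns","error":"No valid IP addresses found for sclark.xyz"}
caddyserver | {"level":"error","ts":1631240258.2028787,"logger":"tls.obtain","msg":"will retry","error":"[sclark.xyz] Obtain: [sclark.xyz] solving challenges: sclark.xyz: no solvers available for remaining challenges (configured=[http-01 tls-alpn-01] offered=[http-01 dns-01 tls-alpn-01] remaining=[dns-01]) (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/16429146/499875458) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":4.813302395,"max_duration":2592000}
"""

# Shape of the "will retry" error string emitted by Caddy's tls.obtain logger (as seen above).
OBTAIN_RE = re.compile(
    r"^\[(?P<ident>[^\]]+)\].*?no solvers available for remaining challenges "
    r"\(configured=\[(?P<configured>[^\]]*)\] offered=\[(?P<offered>[^\]]*)\] "
    r"remaining=\[(?P<remaining>[^\]]*)\]\)"
)


def parse_record(line):
    """Return the JSON object embedded in one log line, or None if the line carries none."""
    start = line.find("{")  # skip the "caddyserver | " prefix docker-compose adds
    if start < 0:
        return None
    try:
        return json.loads(line[start:])
    except json.JSONDecodeError:
        return None


def _entry(summary, ident):
    return summary.setdefault(ident, {"failed": [], "configured": set(), "remaining": set()})


def summarize_acme(lines):
    """Per identifier: challenge types that failed, solvers Caddy had, challenges the CA still wants."""
    summary = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None or not str(rec.get("logger", "")).startswith("tls."):
            continue
        if rec.get("msg") == "challenge failed":
            _entry(summary, rec["identifier"])["failed"].append((rec["challenge_type"], rec.get("error", "")))
        elif rec.get("msg") == "will retry":
            m = OBTAIN_RE.match(rec.get("error", ""))
            if m:  # the identifier is only inside the error text for this record
                entry = _entry(summary, m["ident"])
                entry["configured"].update(m["configured"].split())
                entry["remaining"].update(m["remaining"].split())
    return summary


def missing_solvers(summary):
    """Identifiers whose remaining challenge types have no configured solver, e.g. dns-01 with no dns provider."""
    return {i: sorted(e["remaining"] - e["configured"]) for i, e in summary.items() if e["remaining"] - e["configured"]}
```

Feeding the full container log in (`summarize_acme(open("caddy.log").read().splitlines())`) lists every site name whose certificate order is stuck for lack of a solver, so a hostname that is missing `import common` stands out without reading the loop of retries by hand.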