Reverse proxy in docker error SSL_ERROR_INTERNAL_ERROR_ALERT

1. The problem I’m having:

I’m trying to run nextcloud and caddy in docker

2. Error messages and/or full log output:

The browser gives me this error

SSL_ERROR_INTERNAL_ERROR_ALERT

The caddy log doesn’t show any error

2023-06-09 17:39:18 {"level":"info","ts":1686325158.9208288,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
2023-06-09 17:39:18 {"level":"info","ts":1686325158.9238448,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
2023-06-09 17:39:18 {"level":"info","ts":1686325158.9252086,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
2023-06-09 17:39:18 {"level":"info","ts":1686325158.9252524,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000296e70"}
2023-06-09 17:39:18 {"level":"info","ts":1686325158.9896302,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
2023-06-09 17:39:19 {"level":"warn","ts":1686325159.036684,"logger":"pki.ca.local","msg":"installing root certificate (you might be prompted for password)","path":"storage:pki/authorities/local/root.crt"}
2023-06-09 17:39:19 {"level":"info","ts":1686325159.0385237,"msg":"define JAVA_HOME environment variable to use the Java trust"}
2023-06-09 17:39:19 {"level":"info","ts":1686325159.0386,"msg":"warning: \"certutil\" is not available, install \"certutil\" with \"apt install libnss3-tools\" or \"yum install nss-tools\" and try again"}
2023-06-09 17:39:19 {"level":"info","ts":1686325159.1756995,"msg":"certificate installed properly in linux trusts"}
2023-06-09 17:39:19 {"level":"info","ts":1686325159.1767452,"logger":"http","msg":"enabling HTTP/3 listener","addr":":1201"}
2023-06-09 17:39:19 {"level":"info","ts":1686325159.176927,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Receive-Buffer-Size for details."}
2023-06-09 17:39:19 {"level":"info","ts":1686325159.1782753,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
2023-06-09 17:39:19 {"level":"info","ts":1686325159.1785045,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
2023-06-09 17:39:19 {"level":"info","ts":1686325159.178532,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["nextcloud.localhost"]}
2023-06-09 17:39:19 {"level":"warn","ts":1686325159.2129345,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [nextcloud.localhost]: no OCSP server specified in certificate","identifiers":["nextcloud.localhost"]}
2023-06-09 17:39:19 {"level":"info","ts":1686325159.2262049,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
2023-06-09 17:39:19 {"level":"info","ts":1686325159.2268078,"msg":"serving initial configuration"}
2023-06-09 17:39:19 {"level":"info","ts":1686325159.336449,"logger":"tls","msg":"finished cleaning storage units"}

3. Caddy version:

v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=

4. How I installed and ran Caddy:

docker-compose

a. System environment:

Windows 11, docker using WSL 2

b. Command:


c. Service/unit/compose file:

version: '3.9'

volumes:
  nextcloud:
  db:

services:
  db:
    container_name: db
    image: mariadb
    restart: unless-stopped
    command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
    volumes:
      - db:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=6obq6LKMAmop46
      - MYSQL_PASSWORD=sbb98whSTrWWmH
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud

  redis:
    container_name: redis
    image: redis
    restart: unless-stopped
    command: redis-server --requirepass Q5uJ3ba9HpdLaQ

  nextcloud:
    container_name: nextcloud
    image: nextcloud
    restart: unless-stopped
    ports:
      - 1200:80
    links:
      - db
      - redis
    volumes:
      - nextcloud:/var/www/html
      - ./data:/var/www/html/data
    environment:
      - MYSQL_PASSWORD=sbb98whSTrWWmH
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_HOST=db
      - REDIS_HOST=redis
      - REDIS_HOST_PASSWORD=Q5uJ3ba9HpdLaQ
      - OVERWRITEPROTOCOL=https
      - APACHE_DISABLE_REWRITE_IP=1
      - TRUSTED_PROXIES=caddy
    depends_on:
      - db
      - redis

  cron:
    container_name: cron
    image: nextcloud
    restart: unless-stopped
    volumes:
      - nextcloud:/var/www/html
    entrypoint: /cron.sh
    depends_on:
      - db

  caddy:
    container_name: caddy
    image: caddy
    restart: unless-stopped
    ports:
      - 1201:1201
    links:
      - nextcloud
    volumes:
      - ./Caddy/Caddyfile:/etc/caddy/Caddyfile
      - ./Caddy/Data:/data
      - ./Caddy/Config:/config
    depends_on:
      - nextcloud

d. My complete Caddy config:

nextcloud.localhost:1201
reverse_proxy nextcloud:80

5. Links to relevant resources:

Caddy will default to HTTPS when you give it a hostname unless you tell it not to. Prefix this with http:// to force it not to use HTTPS.

But if you actually want HTTPS, it’s more complicated. HTTPS requires trust. Since you used *.localhost as your domain, Caddy will use its internal CA to issue certs. So to establish trust you’ll need to install Caddy’s root CA cert on your host machine. We have instructions for that in the docs: Keep Caddy Running — Caddy Documentation

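As an added example (not part of the thread, and not Caddy's or Nextcloud's own code), the script below ties the two halves of the discussion together: it pulls the trust-relevant facts out of the Caddy JSON log posted above (which domains get automatic TLS, which internal CA root file Caddy installed, which address it listens on), maps that root certificate through the compose bind mount `./Caddy/Data:/data` to its path on the host, and then, when run as a program, dials the proxy with the proper SNI and verifies the served chain against that root, which is the check you would want before adding a browser exception. The sample log lines are copied from the post; the function names, the assumption that Caddy's storage root is `/data/caddy` (as the log's `FileStorage:/data/caddy` entry indicates), and the use of 127.0.0.1 to reach the container are mine.

```python
"""Triage a Caddy JSON log for TLS facts, then verify the proxy's chain against Caddy's internal root."""
import json
import socket
import ssl
from pathlib import Path

# Log lines copied from the thread above. Docker Desktop prefixes each JSON record with a
# wall-clock timestamp, so the parser must skip everything before the first '{'.
SAMPLE_LOG = """\
2023-06-09 17:39:19 {"level":"warn","ts":1686325159.036684,"logger":"pki.ca.local","msg":"installing root certificate (you might be prompted for password)","path":"storage:pki/authorities/local/root.crt"}
2023-06-09 17:39:19 {"level":"info","ts":1686325159.1767452,"logger":"http","msg":"enabling HTTP/3 listener","addr":":1201"}
2023-06-09 17:39:19 {"level":"info","ts":1686325159.178532,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["nextcloud.localhost"]}
2023-06-09 17:39:19 {"level":"warn","ts":1686325159.2129345,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [nextcloud.localhost]: no OCSP server specified in certificate","identifiers":["nextcloud.localhost"]}
"""

# Assumed: Caddy's storage root inside the official image (the log reports "FileStorage:/data/caddy").
CADDY_STORAGE = "/data/caddy"


def parse_caddy_log(text):
    """Yield one dict per JSON record, tolerating a non-JSON prefix on each line."""
    for line in text.splitlines():
        start = line.find("{")
        if start == -1:
            continue
        try:
            yield json.loads(line[start:])
        except json.JSONDecodeError:
            continue  # not a structured record; skip it


def tls_summary(text):
    """Collect the facts that decide whether a client will trust this server."""
    summary = {"domains": [], "internal_ca_root": None, "listen": [], "ocsp_warnings": 0}
    for rec in parse_caddy_log(text):
        msg = rec.get("msg", "")
        if msg == "enabling automatic TLS certificate management":
            summary["domains"].extend(rec.get("domains", []))
        elif rec.get("logger") == "pki.ca.local" and "path" in rec:
            # "storage:pki/..." is relative to Caddy's storage directory
            rel = rec["path"].split(":", 1)[1]
            summary["internal_ca_root"] = f"{CADDY_STORAGE}/{rel}"
        elif msg == "enabling HTTP/3 listener":
            summary["listen"].append(rec.get("addr"))
        elif msg == "stapling OCSP" and rec.get("level") == "warn":
            # Expected for internal-CA certs: no OCSP responder, so nothing to staple
            summary["ocsp_warnings"] += 1
    return summary


def host_path(container_path, bind_mounts):
    """Map a container path to the host via compose bind mounts such as './Caddy/Data:/data'."""
    for mount in bind_mounts:
        host, container = mount.split(":", 1)
        container = container.rstrip("/")
        if container_path == container or container_path.startswith(container + "/"):
            return host.rstrip("/") + container_path[len(container):]
    return None


def check_chain(host, port, server_name, cafile):
    """Connect with SNI=server_name and verify the chain against cafile; return a report dict."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "issuer": cert.get("issuer"), "san": cert.get("subjectAltName")}
    except ssl.SSLCertVerificationError as e:
        return {"ok": False, "reason": "untrusted: " + e.verify_message}
    except ssl.SSLError as e:
        # A server-sent internal_error alert surfaces here as TLSV1_ALERT_INTERNAL_ERROR;
        # Firefox reports the same event as SSL_ERROR_INTERNAL_ERROR_ALERT.
        return {"ok": False, "reason": f"handshake failed: {e.reason}"}
    except OSError as e:
        return {"ok": False, "reason": f"connect failed: {e}"}


if __name__ == "__main__":
    s = tls_summary(SAMPLE_LOG)
    root_on_host = host_path(s["internal_ca_root"], ["./Caddy/Data:/data", "./Caddy/Config:/config"])
    print("Caddy manages:", s["domains"], "| listens on:", s["listen"], "| root CA on host:", root_on_host)
    if root_on_host and Path(root_on_host).exists():
        # Browsers resolve *.localhost to loopback; Python's resolver may not, so dial
        # 127.0.0.1 and present the hostname only through SNI.
        print(check_chain("127.0.0.1", 1201, s["domains"][0], root_on_host))
    else:
        print("root.crt not found on the host; run from the compose project directory")
```

Run it from the directory holding docker-compose.yml while the stack is up. A result with `"ok": True` and an issuer containing "Caddy Local Authority" means the chain is sound and only the browser's trust store is missing the root; an `untrusted:` reason points at the wrong CA file, and a `handshake failed:` reason means the server rejected the handshake before any certificate question arose.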

Thanks for the quick reply!
Instead of installing Caddy's root CA on my host machine, I created a self-signed certificate and used it in Caddy by updating the Caddyfile like this:

:1201
tls /etc/caddy/certificate.pem /etc/caddy/privatekey.pem
reverse_proxy nextcloud:80

And the docker-compose file like this:

  caddy:
    container_name: caddy
    image: caddy:latest
    restart: unless-stopped
    ports:
      - 1201:1201
    links:
      - nextcloud
    volumes:
      - ${PWD}/caddy/Caddyfile:/etc/caddy/Caddyfile
      - ${PWD}/caddy/certs/certificate.pem:/etc/caddy/certificate.pem
      - ${PWD}/caddy/certs/privatekey.pem:/etc/caddy/privatekey.pem
      - ${PWD}/caddy/data:/data
      - ${PWD}/caddy/config:/config
    depends_on:
      - nextcloud

I get the browser warning but I can add an exception.
