Reverse Proxy Issues: systemctl start caddy has errors while sudo caddy start works just fine

1. Caddy version:

v2.6.2 h1:wKoFIxpmOJLGl3QXoo6PNbYvGW4xLEgo32GPBEjWL8o=

2. How I installed, and run Caddy:


sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https

curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg

curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list

sudo apt update

sudo apt install caddy

a. System environment:

DietPi v8.13.2, aarch64, Rock 5B 8GB ram, systemd

b. Command:


systemctl start caddy

c. Service/unit/compose file:


● caddy.service - Caddy

Loaded: loaded (/lib/systemd/system/caddy.service; enabled; vendor preset: enabled)

Drop-In: /etc/systemd/system/caddy.service.d

└─dietpi-services_edit.conf

Active: active (running) since Wed 2023-01-25 21:45:50 CST; 12s ago

Docs: https://caddyserver.com/docs/

Main PID: 9204 (caddy)

Tasks: 13 (limit: 8904)

Memory: 12.1M

CPU: 587ms

CGroup: /system.slice/caddy.service

└─9204 /usr/bin/caddy run --environ --config /etc/caddy/Caddyfile

Jan 25 21:45:51 DietPi caddy[9204]: {"level":"error","ts":1674704751.2097552,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"music....","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/"}

Jan 25 21:45:51 DietPi caddy[9204]: {"level":"info","ts":1674704751.2132967,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["music...."],"ca":"https://acme.zerossl.com/v2/DV90","account":"@outlook.com"}

Jan 25 21:45:51 DietPi caddy[9204]: {"level":"info","ts":1674704751.2135754,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["music...."],"ca":"https://acme.zerossl.com/v2/DV90","account":"@outlook.com"}

Jan 25 21:45:51 DietPi caddy[9204]: {"level":"info","ts":1674704751.464759,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"fin....","challenge_type":"http-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}

Jan 25 21:45:52 DietPi caddy[9204]: {"level":"info","ts":1674704752.9275746,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"music....","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}

Jan 25 21:46:02 DietPi caddy[9204]: {"level":"error","ts":1674704762.143722,"logger":"http.acme_client","msg":"challenge failed","identifier":"fin....","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"104.246.161.18: Fetching http://fin..../.well-known/acme-challenge/Yk2bw4fHdkAfKk_Dfo83_6B5eQIqTDrEMZK5wUBpnIw: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]}}

Jan 25 21:46:02 DietPi caddy[9204]: {"level":"error","ts":1674704762.1442165,"logger":"http.acme_client","msg":"validating authorization","identifier":"fin....","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"104.246.161.18: Fetching http://fin..../.well-known/acme-challenge/Yk2bw4fHdkAfKk_Dfo83_6B5eQIqTDrEMZK5wUBpnIw: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/933905217/161039939797","attempt":1,"max_attempts":3}

Jan 25 21:46:03 DietPi caddy[9204]: {"level":"error","ts":1674704763.2676702,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"fin....","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/"}

Jan 25 21:46:03 DietPi caddy[9204]: {"level":"info","ts":1674704763.2712905,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["fin...."],"ca":"https://acme.zerossl.com/v2/DV90","account":"@outlook.com"}

Jan 25 21:46:03 DietPi caddy[9204]: {"level":"info","ts":1674704763.2716198,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["fin...."],"ca":"https://acme.zerossl.com/v2/DV90","account":"@outlook.com"}

d. My complete Caddy config:


{

http_port 8000

https_port 4443

# TLS Options

email ...@outlook.com

}

music.... {

reverse_proxy localhost:4533

}

fin.... {

reverse_proxy localhost:8097

}

3. The problem I’m having:

I’m trying to set up reverse proxy with https certificates to access self-hosted jellyfin and navidrome instances over the internet. I would like caddy to automatically run and allow access to my self-hosted instances c/w reverse proxy.

When starting caddy with sudo caddy start or caddy start as root I’m able to access my self-hosted jellyfin and navidrome instances successfully.

When starting caddy with systemctl start caddy or systemctl restart caddy I’m unable to access self-hosted jellyfin and navidrome instances over the internet.

4. Error messages and/or full log output:


Jan 25 22:12:20 DietPi systemd[1]: Started Caddy.

Jan 25 22:12:20 DietPi caddy[10475]: {"level":"info","ts":1674706340.4175725,"logger":"tls.obtain","msg":"acquiring lock","identifier":"fin...."}

Jan 25 22:12:20 DietPi caddy[10475]: {"level":"info","ts":1674706340.417566,"logger":"tls.obtain","msg":"acquiring lock","identifier":"music...."}

Jan 25 22:12:20 DietPi caddy[10475]: {"level":"info","ts":1674706340.421654,"msg":"serving initial configuration"}

Jan 25 22:12:20 DietPi caddy[10475]: {"level":"info","ts":1674706340.4324992,"logger":"tls.obtain","msg":"lock acquired","identifier":"fin...."}

Jan 25 22:12:20 DietPi caddy[10475]: {"level":"info","ts":1674706340.432842,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"fin...."}

Jan 25 22:12:20 DietPi caddy[10475]: {"level":"debug","ts":1674706340.4329774,"logger":"events","msg":"event","name":"cert_obtaining","id":"347bb210-3335-475b-af84-18af5fbd6834","origin":"tls","data":{"identifier":"fin...."}}

Jan 25 22:12:20 DietPi caddy[10475]: {"level":"debug","ts":1674706340.433766,"logger":"tls.obtain","msg":"trying issuer 1/2","issuer":"acme-v02.api.letsencrypt.org-directory"}

Jan 25 22:12:20 DietPi caddy[10475]: {"level":"info","ts":1674706340.434251,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["fin...."],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"@outlook.com"}

Jan 25 22:12:20 DietPi caddy[10475]: {"level":"info","ts":1674706340.434274,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["fin...."],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"@outlook.com"}

Jan 25 22:12:20 DietPi caddy[10475]: {"level":"info","ts":1674706340.43568,"logger":"tls.obtain","msg":"lock acquired","identifier":"music...."}

Jan 25 22:12:20 DietPi caddy[10475]: {"level":"info","ts":1674706340.4360452,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"music...."}

Jan 25 22:12:20 DietPi caddy[10475]: {"level":"debug","ts":1674706340.43621,"logger":"events","msg":"event","name":"cert_obtaining","id":"7e2b9ad8-fb9c-4191-a2ec-bf33bbedebe3","origin":"tls","data":{"identifier":"music...."}}

Jan 25 22:12:20 DietPi caddy[10475]: {"level":"debug","ts":1674706340.437144,"logger":"tls.obtain","msg":"trying issuer 1/2","issuer":"acme-v02.api.letsencrypt.org-directory"}

Jan 25 22:12:20 DietPi caddy[10475]: {"level":"info","ts":1674706340.4376643,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["music...."],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"@outlook.com"}

Jan 25 22:12:20 DietPi caddy[10475]: {"level":"info","ts":1674706340.4377048,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["music...."],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"@outlook.com"}

Jan 25 22:12:20 DietPi caddy[10475]: {"level":"debug","ts":1674706340.8364606,"logger":"http.acme_client","msg":"http request","method":"GET","url":"https://acme-v02.api.letsencrypt.org/directory","headers":{"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; arm64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["659"],"Content-Type":["application/json"],"Date":["Thu, 26 Jan 2023 04:12:20 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}

Jan 25 22:12:20 DietPi caddy[10475]: {"level":"debug","ts":1674706340.9173808,"logger":"http.acme_client","msg":"http request","method":"HEAD","url":"https://acme-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; arm64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Thu, 26 Jan 2023 04:12:20 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["1DFAtcfKtG2R5k-3HAT8e7za4tJWKCW9enIPgwuRMmyvhAg"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}

Jan 25 22:12:20 DietPi caddy[10475]: {"level":"debug","ts":1674706340.9174416,"logger":"http.acme_client","msg":"http request","method":"HEAD","url":"https://acme-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; arm64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Thu, 26 Jan 2023 04:12:20 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["C878O03e1aKfiJbOw42LbugKx61PVf1Dya3Knn25kgdJVo0"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}

Jan 25 22:12:21 DietPi caddy[10475]: {"level":"debug","ts":1674706341.0299933,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; arm64)"]},"response_headers":{"Boulder-Requester":["933905217"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["213"],"Content-Type":["application/problem+json"],"Date":["Thu, 26 Jan 2023 04:12:20 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["1AADGjQ9Tw6IyU75oqGesiaGvVgiaXH_8_GfbI1vpO1FENQ"],"Server":["nginx"]},"status_code":429}

Jan 25 22:12:21 DietPi caddy[10475]: {"level":"error","ts":1674706341.031146,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"fin....","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/"}

Jan 25 22:12:21 DietPi caddy[10475]: {"level":"debug","ts":1674706341.0316668,"logger":"tls.obtain","msg":"trying issuer 2/2","issuer":"acme.zerossl.com-v2-DV90"}

Jan 25 22:12:21 DietPi caddy[10475]: {"level":"info","ts":1674706341.0336,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["fin..."],"ca":"https://acme.zerossl.com/v2/DV90","account":"@outlook.com"}

Jan 25 22:12:21 DietPi caddy[10475]: {"level":"info","ts":1674706341.03409,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["fin...."],"ca":"https://acme.zerossl.com/v2/DV90","account":"@outlook.com"}

Jan 25 22:12:21 DietPi caddy[10475]: {"level":"debug","ts":1674706341.153209,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; arm64)"]},"response_headers":{"Boulder-Requester":["933905217"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["347"],"Content-Type":["application/json"],"Date":["Thu, 26 Jan 2023 04:12:20 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/order/933905217/161043729277"],"Replay-Nonce":["1DFAiqnDi_ga1Kb2xYAe-rnquMICYCwJmPDJr2sk8bzStIc"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}

Jan 25 22:12:21 DietPi caddy[10475]: {"level":"debug","ts":1674706341.2528968,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/198284221207","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; arm64)"]},"response_headers":{"Boulder-Requester":["933905217"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["806"],"Content-Type":["application/json"],"Date":["Thu, 26 Jan 2023 04:12:21 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["1DFAGJM9t_-K7VzDloKMvGG1OuWw38Cnq99XP_67rz8Wkp4"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}

Jan 25 22:12:21 DietPi caddy[10475]: {"level":"info","ts":1674706341.2553856,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"music....","challenge_type":"http-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}

Jan 25 22:12:21 DietPi caddy[10475]: {"level":"debug","ts":1674706341.2585592,"logger":"http.acme_client","msg":"waiting for solver before continuing","identifier":"music....","challenge_type":"http-01"}

Jan 25 22:12:21 DietPi caddy[10475]: {"level":"debug","ts":1674706341.2754157,"logger":"http.acme_client","msg":"done waiting for solver","identifier":"music....","challenge_type":"http-01"}

Jan 25 22:12:21 DietPi caddy[10475]: {"level":"debug","ts":1674706341.3640244,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/198284221207/qaK02w","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; arm64)"]},"response_headers":{"Boulder-Requester":["933905217"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["187"],"Content-Type":["application/json"],"Date":["Thu, 26 Jan 2023 04:12:21 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://acme-v02.api.letsencrypt.org/acme/authz-v3/198284221207>;rel=\"up\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/chall-v3/198284221207/qaK02w"],"Replay-Nonce":["C878BuB5r_ATJmJ2jJLYuHB7BjPA3RoBG_uDrwMMAQYa6a8"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}

Jan 25 22:12:21 DietPi caddy[10475]: {"level":"debug","ts":1674706341.3659306,"logger":"http.acme_client","msg":"challenge accepted","identifier":"music....","challenge_type":"http-01"}

Jan 25 22:12:21 DietPi caddy[10475]: {"level":"debug","ts":1674706341.4994946,"logger":"http.acme_client","msg":"http request","method":"GET","url":"https://acme.zerossl.com/v2/DV90","headers":{"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; arm64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Content-Length":["645"],"Content-Type":["application/json"],"Date":["Thu, 26 Jan 2023 04:12:21 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}

Jan 25 22:12:21 DietPi caddy[10475]: {"level":"debug","ts":1674706341.7135167,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/198284221207","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; arm64)"]},"response_headers":{"Boulder-Requester":["933905217"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["806"],"Content-Type":["application/json"],"Date":["Thu, 26 Jan 2023 04:12:21 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["1DFAYGtAAyXDWUuXt2QVWVSSP9dkBRlIgjAA1uIVxSGM2hw"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}

Jan 25 22:12:22 DietPi caddy[10475]: {"level":"debug","ts":1674706342.048545,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/198284221207","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; arm64)"]},"response_headers":{"Boulder-Requester":["933905217"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["806"],"Content-Type":["application/json"],"Date":["Thu, 26 Jan 2023 04:12:21 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["1AAD60Yc9kBIT-5liVy9ee72NufPcdMI7IOHwr9cHZSqSs4"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}

Jan 25 22:12:22 DietPi caddy[10475]: {"level":"debug","ts":1674706342.3824167,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/198284221207","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; arm64)"]},"response_headers":{"Boulder-Requester":["933905217"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["806"],"Content-Type":["application/json"],"Date":["Thu, 26 Jan 2023 04:12:22 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["1DFAfqRq18d7R1cLd71Wh74-vtXo9ZkkzWA5gx10-ou1fCY"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}

Jan 25 22:12:22 DietPi caddy[10475]: {"level":"debug","ts":1674706342.7226925,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/198284221207","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; arm64)"]},"response_headers":{"Boulder-Requester":["933905217"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["806"],"Content-Type":["application/json"],"Date":["Thu, 26 Jan 2023 04:12:22 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["1DFAXmymH8rCA7Hk_DVzfnkDSsCW16iQz0tz2nFYxZxbEDY"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}

Jan 25 22:12:23 DietPi caddy[10475]: {"level":"debug","ts":1674706343.0766695,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/198284221207","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; arm64)"]},"response_headers":{"Boulder-Requester":["933905217"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["806"],"Content-Type":["application/json"],"Date":["Thu, 26 Jan 2023 04:12:22 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["371CvGeXkuXSFIEvlwU7g1w3g_YqmSd2B71UC-W0nnYFLH4"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}

Jan 25 22:12:23 DietPi caddy[10475]: {"level":"debug","ts":1674706343.4167323,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/198284221207","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; arm64)"]},"response_headers":{"Boulder-Requester":["933905217"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["806"],"Content-Type":["application/json"],"Date":["Thu, 26 Jan 2023 04:12:23 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["371Caw1LaHDWPLtlFjwcyJLQ1FGDy4rHuZlCZJPTixmEnYk"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}

Jan 25 22:12:23 DietPi caddy[10475]: {"level":"debug","ts":1674706343.7511003,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/198284221207","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; arm64)"]},"response_headers":{"Boulder-Requester":["933905217"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["806"],"Content-Type":["application/json"],"Date":["Thu, 26 Jan 2023 04:12:23 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["1AAD4ciAuSq8F7kxZxAepkcOnIevxsKuRMMPoNy4aKPObZ4"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}

Please see caddy journalctl -u caddy --no-pager - Pastes.io for full log.

5. What I already tried:

I’ve tried slinging a bunch of things at the wall but nothing seems to stick 🙂

Uninstalled with apt remove caddy and re-installed via static binary and got same result.

Tried altering my port forwards in my router interface but realised that is not the issue as it does properly forward when sudo caddy start is utilized.

Copied pki/authorities/local/root.crt to /usr/local/share/ca-certificates/ and updated CA store with sudo update-ca-certificates.

Deleted contents of /usr/local/share/ca-certificates/ and updated CA store with sudo update-ca-certificates --fresh followed by reinstalling caddy with apt install caddy.

6. Links to relevant resources:

Full log: caddy journalctl -u caddy --no-pager - Pastes.io

Any particular reason why you changed both ports?
Port :80 and :443 need to be open for the HTTP/TLS-ALPN challenges.
See automatic-https#http-challenge and automatic-https#tls-alpn-challenge.

sudo caddy start (root) and systemctl start caddy (caddy) use different users and different directories to store your certificates.

Your root user seems to have an older, still valid certificate in its directory, while systemctl start caddy fails to obtain a new certificate.

You need to open the above-mentioned ports :80 and :443 for Caddy to be able to obtain your certificates.

That is, at least, the most straightforward way.
You could also opt for the DNS challenge, though the initial setup is much more involved.

2 Likes
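
A triage sketch for the situation in this thread, added here as an example and not part of the original posts or of Caddy itself: it pulls ACME error types out of `journalctl -u caddy` output and checks the Caddyfile for `http_port`/`https_port` overrides. The sample journal lines, host names and IP address are constructed, and the function names are hypothetical.

```python
import json
import re
from collections import defaultdict

ACME_URN = re.compile(r"urn:ietf:params:acme:error:(\w+)")
PORT_OPT = re.compile(r"^\s*(http_port|https_port)\s+(\d+)", re.M)
DEFAULT_PORTS = {"http_port": 80, "https_port": 443}

# Constructed sample input, modelled on the journal lines in the post.
# Host names and the IP address are placeholders.
SAMPLE_JOURNAL = r'''
Jan 25 21:46:02 host caddy[9204]: {"level":"error","logger":"http.acme_client","msg":"challenge failed","identifier":"fin.example.test","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:connection","detail":"203.0.113.10: Fetching http://fin.example.test/.well-known/acme-challenge/TOKEN: Timeout during connect (likely firewall problem)"}}
Jan 25 21:46:03 host caddy[9204]: {"level":"error","logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"fin.example.test","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new order :: too many failed authorizations recently"}
Jan 25 21:46:03 host caddy[9204]: {"level":"info","logger":"http","msg":"done waiting on internal rate limiter","identifiers":["fin.example.test"]}
Jan 25 21:46:04 host systemd[1]: Started Caddy.
'''

# Constructed Caddyfile with the same global options as the one in the post.
SAMPLE_CADDYFILE = """
{
    http_port 8000
    https_port 4443
}
fin.example.test {
    reverse_proxy localhost:8097
}
"""

def acme_errors(journal_text):
    """Map each identifier to the set of ACME error types logged for it."""
    found = defaultdict(set)
    for line in journal_text.splitlines():
        start = line.find("{")
        if start < 0:
            continue  # not a Caddy JSON log line (e.g. a systemd message)
        try:
            entry = json.loads(line[start:])
        except json.JSONDecodeError:
            continue
        if entry.get("level") != "error":
            continue
        # The URN sits in problem.type or is embedded in the error string.
        text = entry.get("problem", {}).get("type", "") + " " + entry.get("error", "")
        for kind in ACME_URN.findall(text):
            found[entry.get("identifier", "?")].add(kind)
    return dict(found)

def nondefault_ports(caddyfile_text):
    """Return active http_port/https_port options that differ from 80/443."""
    return {k: int(v) for k, v in PORT_OPT.findall(caddyfile_text)
            if int(v) != DEFAULT_PORTS[k]}

def diagnose(journal_text, caddyfile_text):
    """Combine both checks into one short report line per finding."""
    ports = nondefault_ports(caddyfile_text)
    report = []
    for ident, kinds in sorted(acme_errors(journal_text).items()):
        if "connection" in kinds and ports:
            report.append(f"{ident}: CA could not connect; Caddy listens on {ports}, "
                          "but challenges arrive on 80/443")
        if "rateLimited" in kinds:
            report.append(f"{ident}: failed-validation rate limit hit; "
                          "fix reachability before retrying")
    return report

if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_JOURNAL, SAMPLE_CADDYFILE)))
```

Commented-out port options are ignored, so the check goes quiet once the overrides are removed from the global options block.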

Thank you for your help! After commenting out http_port 8000 and https_port 4443 my config works.

The reason I went with :8000 and :4443 is that I was following an old guide I found a while back and figured using non-standard ports would make things more secure through obscurity.

Are there security concerns with the default ports?

No, quite the opposite. It’s not more secure in any way at all. Port scanners will trivially find things.

No.