Reverse proxy fails for local domain

1. The problem I’m having:

I got immich, the photo app, running on 10.1.20.15:2283, working fine.
I got a public domain immich.domain.com resolving to a Cloudflare tunnel with auth rules etc., and it is all working just fine.
Except I don't want traffic to go via the CF tunnel when on the same LAN,
so I add a static DNS entry to a Caddy proxy pointing to the immich server,
but I get an internal SSL error in browsers.

2. Error messages and/or full log output (with systemd):

$ journalctl -u caddy --no-pager | less +G

Please DO NOT USE WEB BROWSERS. Use curl -vL instead.
Please ENABLE DEBUG MODE FIRST by adding “debug” to the global options of your Caddyfile. See Global options (Caddyfile) — Caddy Documentation for an example.

~$ curl -vL immich.domain.com
*   Trying 10.1.20.5:80...
* Connected to immich.domain.com (10.1.20.5) port 80 (#0)
> GET / HTTP/1.1
> Host: immich.domain.com
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://immich.domain.com/
< Server: Caddy
< Date: Wed, 24 Jul 2024 21:26:56 GMT
< Content-Length: 0
<
* Closing connection 0
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://immich.domain.com/'
*   Trying 10.1.20.5:443...
* Connected to immich.domain.com (10.1.20.5) port 443 (#1)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS alert, internal error (592):
* OpenSSL/3.0.13: error:0A000438:SSL routines::tlsv1 alert internal error
* Closing connection 1
curl: (35) OpenSSL/3.0.13: error:0A000438:SSL routines::tlsv1 alert internal error

3. Caddy version:


/etc/caddy$ caddy version
v2.8.4 h1:q3pe0wpBj1OcHFZ3n/1nl4V4bxBrYoSoab7rL9BMYNk=

4. How I installed and ran Caddy:

Manual install instructions from the official website.

a. System environment:

Debian LXC

b. Command:

caddy start

c. Service/unit/compose file:

PASTE OVER THIS, BETWEEN THE ``` LINES.
Please use the preview pane to ensure it looks nice.

d. My complete Caddy config:

PASTE OVER THIS, BETWEEN THE ``` LINES.
Please use the preview pane to ensure it looks nice.

5. Links to relevant resources:

Please completely fill out the help topic template. What’s your config? What’s in your Caddy logs?

Don’t use caddy start. If you reboot your machine, Caddy won’t start with the system. Always use systemd commands. See Keep Caddy Running — Caddy Documentation. You might need to do caddy stop this one time if you started Caddy with caddy start at some point.


I just rebooted:

~$ systemctl status caddy

  • caddy.service - Caddy
    Loaded: loaded (/lib/systemd/system/caddy.service; enabled; preset: enabled)
    Active: active (running) since Wed 2024-07-24 21:37:22 UTC; 7s ago
    Docs: Welcome — Caddy Documentation
    Main PID: 137 (caddy)
    Tasks: 9 (limit: 154345)
    Memory: 11.7M
    CPU: 103ms
    CGroup: /system.slice/caddy.service
    `-137 /usr/bin/caddy run --environ --config /etc/caddy/Caddyfile

Warning: some journal files were not opened due to insufficient permissions.

I think it's related to Caddy's auto HTTPS / cert function, since:

* TLSv1.3 (IN), TLS alert, internal error (592):
* OpenSSL/3.0.13: error:0A000438:SSL routines::tlsv1 alert internal error
* Closing connection 1
curl: (35) OpenSSL/3.0.13: error:0A000438:SSL routines::tlsv1 alert internal error

I want to test using

"automatic_https": {
			"disable": true / false,

Where in the Caddyfile do I add it? I tried under the subdomain, but it didn't work.

In global options Global options (Caddyfile) — Caddy Documentation

See the structure of a Caddyfile: Caddyfile Concepts — Caddy Documentation

I don’t think that’s what you need though.

Please post your config and Caddy logs to start.

$ cat Caddyfile
# The Caddyfile is an easy way to configure your Caddy web server.
#
# Unless the file starts with a global options block, the first
# uncommented line is always the address of your site.
#
# To use your own domain name (with automatic HTTPS), first make
# sure your domain's A/AAAA DNS records are properly pointed to
# this machine's public IP, then replace ":80" below with your
# domain name.


immich.domain.com {
        reverse_proxy 10.1.20.15:2283 {
                transport http {
                        tls
                        tls_insecure_skip_verify
                }
        }
}
im.domain.com {
        handle {
                reverse_proxy 10.1.20.15:2283
        }
        "automatic_https": {
                        "disable": true / false,
                        }
}
##:80 {
# Set this path to your site's directory.
##      root * /usr/share/caddy

# Enable the static file server.
##      file_server

# Another common task is to set up a reverse proxy:
# reverse_proxy localhost:8080

# Or serve a PHP site through php-fpm:
# php_fastcgi localhost:9000
##}

# Refer to the Caddy docs for more information:
# https://caddyserver.com/docs/caddyfile

journalctl -xeu caddy.service

Jul 24 21:57:41 Caddy caddy[137]: {"level":"info","ts":1721858261.2461195,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"im.domain.com","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
Jul 24 21:57:42 Caddy caddy[137]: {"level":"error","ts":1721858262.2368302,"logger":"http.acme_client","msg":"challenge failed","identifier":"im.domain.com","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem:>
Jul 24 21:57:42 Caddy caddy[137]: {"level":"error","ts":1721858262.236876,"logger":"http.acme_client","msg":"validating authorization","identifier":"im.domain.com","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up>
Jul 24 21:57:43 Caddy caddy[137]: {"level":"info","ts":1721858263.602246,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"im.domain.com","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
Jul 24 21:57:44 Caddy caddy[137]: {"level":"error","ts":1721858264.173067,"logger":"http.acme_client","msg":"challenge failed","identifier":"im.domain.com","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS probl>
Jul 24 21:57:44 Caddy caddy[137]: {"level":"error","ts":1721858264.1731,"logger":"http.acme_client","msg":"validating authorization","identifier":"im.domain.com","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up A>
Jul 24 21:57:44 Caddy caddy[137]: {"level":"error","ts":1721858264.1731217,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"im.domain.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:d>
Jul 24 21:57:44 Caddy caddy[137]: {"level":"error","ts":1721858264.173178,"logger":"tls.obtain","msg":"will retry","error":"[im.domain.com] Obtain: [im.domain.com] solving challenge: im.domain.com: [im.domain.com] authorization failed: HTTP 400 urn:ietf:params:acme:er>
Jul 24 21:57:44 Caddy caddy[137]: {"level":"info","ts":1721858264.8117154,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"immich.domain.com"}
Jul 24 21:57:44 Caddy caddy[137]: {"level":"info","ts":1721858264.812435,"logger":"http","msg":"using ACME account","account_id":"https://acme-staging-v02.api.letsencrypt.org/acme/acct/156913493","account_contact":[]}
Jul 24 21:57:45 Caddy caddy[137]: {"level":"info","ts":1721858265.334644,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"immich.domain.com","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
Jul 24 21:57:46 Caddy caddy[137]: {"level":"error","ts":1721858266.7274933,"logger":"http.acme_client","msg":"challenge failed","identifier":"immich.domain.com","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":>
Jul 24 21:57:46 Caddy caddy[137]: {"level":"error","ts":1721858266.7275271,"logger":"http.acme_client","msg":"validating authorization","identifier":"immich.domain.com","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"2606:4700:3033::68>
Jul 24 21:57:48 Caddy caddy[137]: {"level":"info","ts":1721858268.0866168,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"immich.domain.com","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
Jul 24 21:57:49 Caddy caddy[137]: {"level":"error","ts":1721858269.0788798,"logger":"http.acme_client","msg":"challenge failed","identifier":"immich.domain.com","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","deta>
Jul 24 21:57:49 Caddy caddy[137]: {"level":"error","ts":1721858269.0789309,"logger":"http.acme_client","msg":"validating authorization","identifier":"immich.domain.com","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate A>
Jul 24 21:57:49 Caddy caddy[137]: {"level":"error","ts":1721858269.078956,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"immich.domain.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:erro>
Jul 24 21:57:49 Caddy caddy[137]: {"level":"error","ts":1721858269.078995,"logger":"tls.obtain","msg":"will retry","error":"[immich.domain.com] Obtain: [immich.domain.com] solving challenge: immich.domain.com: [immich.domain.com] authorization failed: HTTP 403 urn:iet>
lines 97-180/180 (END)

With the interesting part of the auto cert:


ba: Invalid response from https://immich.domain.com/.well-known/acme-challenge/m1ZmPMWWk1_wEB04RGZErkI2bXaH9FVXRreWFcNiN9I: 403","instance":"","subproblems":[]}}

This is the complete right part of the journal output, i.e. the part after the right arrow →

"2606:4700:3033::6815:45ba: Invalid response from https://immich.domain.com/.well-known/acme-challenge/m1ZmPMWWk1_wEB04RGZErkI2bXaH9FVXRreWFcNiN9I: 403","instance":"","subproblems":[]}}
15:45ba: Invalid response from https://immich.domain.com/.well-known/acme-challenge/m1ZmPMWWk1_wEB04RGZErkI2bXaH9FVXRreWFcNiN9I: 403","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/156913493/17991925353","attempt":1,"m>

il":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]}}
LPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/156913493/17991925923","attempt":2,"max_attempts":3}
r:unauthorized - Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge"}
f:params:acme:error:unauthorized - Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":6,"retrying_in":600,"elapsed":1226.515353572,"max_duration":2592000}
lines 97-180/180 (END)

Your logs are truncated (i.e. > at the end of lines), we don’t see the full logs. Please use the command at Keep Caddy Running — Caddy Documentation to read your logs without truncation.

That’s not valid Caddyfile config. You probably looked at the JSON config docs. Don’t look there when configuring with a Caddyfile; read the Caddyfile docs, as I linked to you. Read them.

That said, I’m still not quite sure what you’re trying to achieve.

You said immich was working. With what config? If it was working, don’t change the config.

Why are you trying to turn off HTTPS? I don’t understand.


Since Caddy and the app server are on the local LAN, and the public domain resolves to Cloudflare and not to Caddy, so ACME can get the info from Caddy.

The auto cert issue will be broken here, unless perhaps I point Cloudflare to Caddy just for ACME, since ACME will be using public DNS.

Clients on the LAN, when here locally, will use the local DNS with the static entry to Caddy.

So as you can see the ACME request fails, since the public domain doesn't resolve to the Caddy proxy.

I'm using this locally only, with a static entry in the local DNS server.

So you’re saying you want to use your public domain, but don’t want to make it publicly accessible?

Then you should use the ACME DNS challenge to get a certificate; use the GitHub - caddy-dns/cloudflare: Caddy module: dns.providers.cloudflare plugin. See How to use DNS provider modules in Caddy 2. This would let you get a certificate without your server being open to the outside world, and your LAN clients will trust connections to your server without additional setup on each device (which you’d have to do if you used tls internal to have Caddy issue certs using its internal CA).

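As an added illustration of the DNS-challenge approach suggested above (not config from the thread or from the Caddy project), this is a complete Caddyfile for the setup described: Caddy is reachable only on the LAN, the zone is hosted at Cloudflare, and the certificate is obtained via the ACME DNS-01 challenge so no inbound HTTP-01/TLS-ALPN-01 reachability is needed. It assumes Caddy was built with the caddy-dns/cloudflare module (`xcaddy build --with github.com/caddy-dns/cloudflare`) and that a Cloudflare API token scoped to this zone is exported as the environment variable `CF_API_TOKEN` (the variable name is an assumption).

```caddyfile
# Added example Caddyfile (not from the original thread).
# Requires a Caddy binary built with github.com/caddy-dns/cloudflare.
{
	# Use the DNS-01 challenge for every site in this file. Caddy creates
	# a _acme-challenge TXT record in the Cloudflare zone, so Let's
	# Encrypt never has to connect to this LAN-only host on 80/443.
	# The token is read from the environment rather than written into
	# the config; a zone-scoped token (DNS edit on this zone only) is
	# the least privilege the module needs.
	acme_dns cloudflare {env.CF_API_TOKEN}
}

# Public name, resolved to this Caddy host by the LAN's local DNS server.
immich.domain.com {
	# immich listens on plain HTTP on 2283, so the backend hop is plain
	# HTTP too. The posted config wrapped this in "transport http { tls
	# tls_insecure_skip_verify }", which both expects TLS on the backend
	# and disables certificate verification; neither is wanted here.
	reverse_proxy 10.1.20.15:2283
}

# Optional short name. It must live in the same Cloudflare-managed zone
# for DNS-01 to succeed; the JSON "automatic_https" block from the posted
# config is not Caddyfile syntax and is simply dropped.
im.domain.com {
	reverse_proxy 10.1.20.15:2283
}
```

After switching, the `tls.obtain` log entries should show the `dns-01` challenge type instead of the failing `http-01` / `tls-alpn-01` attempts seen above, and `curl -vL https://immich.domain.com` from a LAN client should complete the handshake with a publicly trusted certificate.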
