I am running Caddy on a Scaleway instance and use Caddy primarily as a reverse proxy. On my Scaleway instance, I want to configure the firewall (security group) to block all inbound traffic except for the required ports. However, it looks like I am missing some ports, because whenever I block inbound traffic, I do not get new certificates for new sites I add and I also do not get my certificates renewed.
Here are the rules I have set up:
ACCEPT 80/TCP for all IPs
ACCEPT 443/TCP for all IPs
The log files then give me these errors:
```
caddy | Activating privacy features... 2019/06/15 17:27:19 [INFO][FileStorage:/etc/caddycerts] Started certificate maintenance routine
caddy | 2019/06/15 17:27:39 get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: dial tcp: lookup acme-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:55790->127.0.0.11:53: i/o timeout
caddy | exit status 1
caddy | Activating privacy features... 2019/06/15 17:27:42 [INFO][FileStorage:/etc/caddycerts] Started certificate maintenance routine
caddy | 2019/06/15 17:28:02 get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: dial tcp: lookup acme-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:39280->127.0.0.11:53: i/o timeout
caddy | exit status 1
caddy | Activating privacy features... Activating privacy features... 2019/06/15 17:28:03 [INFO][FileStorage:/etc/caddycerts] Started certificate maintenance routine
caddy | 2019/06/15 17:28:24 get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: dial tcp: lookup acme-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:43320->127.0.0.11:53: i/o timeout
caddy | exit status 1
caddy | Activating privacy features... 2019/06/15 17:28:25 [INFO][FileStorage:/etc/caddycerts] Started certificate maintenance routine
caddy | 2019/06/15 17:28:45 get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: dial tcp: lookup acme-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:48832->127.0.0.11:53: i/o timeout
caddy | exit status 1
```
It looks like Let's Encrypt is trying different (random?) ports. Any idea how I can configure the security group correctly so that I can block most ports by default? If I allow all incoming ports, I do not have any certificate issues.
My setup: Caddy is running as a Docker container (version 0.11.5) with Cloudflare as the DNS provider:
```yaml
caddy:
  container_name: caddy
  build:
    context: github.com/abiosoft/caddy-docker.git
    args:
      - plugins=git,filebrowser,cors,realip,expires,cache,cloudflare
  ports:
    - 80:80/tcp
    - 443:443/tcp
  environment:
    - "CADDYPATH=/etc/caddycerts"
    - "ACME_AGREE=true"
    - "ENABLE_TELEMETRY=false"
    - "CLOUDFLARE_EMAIL=my_email"
    - "CLOUDFLARE_API_KEY=my_api_key"
  volumes:
    - ${PWD}/caddy/Caddyfile:/etc/Caddyfile
    - ${HOME}/.caddy:/etc/caddycerts
  restart: unless-stopped
```
My Caddyfile:
```
subdomain.myserver.com {
    proxy / ip:8080
    tls {
        dns cloudflare
    }
}
```
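Added here as a log-triage helper; it is not code from the original post, from Caddy or from the caddy-docker project. Each error line in the log above is a DNS lookup timeout against 127.0.0.11:53, which is Docker's embedded resolver forwarding to the host's resolvers, so the container never reached the ACME server at all and the rule to inspect is outbound DNS from the host (and the replies coming back), not an inbound port. The script below parses lines of that shape and says which traffic direction each ACME failure points at. The first sample line is copied from the log above; the second and third are constructed to show the other two failure classes, with the 192.0.2.10 address and the challenge URL as placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: line 1 is from the Caddy log in the post; lines 2 and 3
# are hypothetical, built only to exercise the other two classifications.
SAMPLE_LOG = """\
caddy | 2019/06/15 17:27:39 get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: dial tcp: lookup acme-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:55790->127.0.0.11:53: i/o timeout
caddy | 2019/06/15 17:40:01 get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: dial tcp 192.0.2.10:443: i/o timeout
caddy | 2019/06/15 17:41:10 failed to obtain certificate: acme: Error 403 - urn:ietf:params:acme:error:unauthorized - Invalid response from http://subdomain.myserver.com/.well-known/acme-challenge/PLACEHOLDER
"""


@dataclass
class AcmeFailure:
    timestamp: str
    cause: str   # dns_timeout | outbound_blocked | inbound_challenge_failed
    detail: str  # what failed: host via resolver, peer address, or challenge URL
    check: str   # which firewall direction/rule a defender should look at


_TS = re.compile(r"(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")
# Go net error for a resolver that never answered: the ACME host was never contacted.
_DNS = re.compile(r"lookup (\S+) on ([\d.]+:\d+): .*i/o timeout")
# Name resolved, but the TCP connection to the ACME endpoint did not complete.
_DIAL = re.compile(r"dial tcp ([\d.]+):(\d+): (i/o timeout|connect: connection refused)")
# The CA reached us but could not validate the HTTP-01 challenge on our side.
_CHAL = re.compile(r"(?:Error 403|unauthorized).*?(https?://\S+/\.well-known/acme-challenge/\S+)")


def classify(line: str) -> Optional[AcmeFailure]:
    """Map one Caddy/ACME log line to the firewall direction it implicates."""
    ts_m = _TS.search(line)
    ts = ts_m.group(1) if ts_m else ""
    m = _DNS.search(line)
    if m:
        host, resolver = m.groups()
        return AcmeFailure(ts, "dns_timeout", f"{host} via {resolver}",
                           "outbound DNS (53/udp and 53/tcp) from the host and the replies to it; "
                           "127.0.0.11 is Docker's embedded resolver, so the host's upstream "
                           "resolvers were not reachable from the container")
    m = _DIAL.search(line)
    if m:
        addr, port, why = m.groups()
        return AcmeFailure(ts, "outbound_blocked", f"{addr}:{port} ({why})",
                           f"outbound {port}/tcp to the ACME server and the return traffic")
    m = _CHAL.search(line)
    if m:
        return AcmeFailure(ts, "inbound_challenge_failed", m.group(1),
                           "inbound 80/tcp (HTTP-01) or 443/tcp (TLS-ALPN-01) from any source; "
                           "not needed when the DNS challenge is used")
    return None


def triage(log: str) -> List[AcmeFailure]:
    """Classify every failure line in a log; informational lines are skipped."""
    results = []
    for line in log.splitlines():
        f = classify(line)
        if f is not None:
            results.append(f)
    return results


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.timestamp}  {f.cause:<25} {f.detail}\n    check: {f.check}")
```

Run against a real log with `triage(open("caddy.log").read())`. The classification order matters: a resolver timeout also contains the text `dial tcp:`, so the DNS pattern is tested first; only a line that names a resolved peer address is attributed to a blocked outbound connection.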