1. Output of caddy version:
v2.6.2 h1:wKoFIxpmOJLGl3QXoo6PNbYvGW4xLEgo32GPBEjWL8o=
2. How I run Caddy:
a. System environment:
Ubuntu 20.04.5 LTS
b. Command:
caddy run
c. Service/unit/compose file:
-
d. My complete Caddy config:
localhost {
file_server
}
www.fhtagn.ch {
file_server
}
3. The problem I’m having:
I want to access some local web pages on my local machine from the internet. I try to do that using IPv6, as the router from my ISP only allows me to set up IPv6 port forwarding. It’s all new for me, so it’s possible I missed some obvious things.
I have a domain name: fhtagn.ch and I setup a DNS zone to the IP of my PC:
www.fhtagn.ch AAAA 2a02:aa13:4680:f580:901d:7581:e887:4b05 TTL 1 h. 18.11.22 19:26:29
On my router (Sunrise Connect box 2, Switzerland) I added this port forwarding rule:
Source   Destination                                   Protocol   Source port   Dest port
All      2A02:AA13:4680:F580:901D:7581:E887:4B05/0     UDP/TCP    443:443       443:443
I also opened port 443 on my PC with UFW:
sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
443 ALLOW IN Anywhere
8096 ALLOW IN Anywhere
443 (v6) ALLOW IN Anywhere (v6)
8096 (v6) ALLOW IN Anywhere (v6)
At this point I can access my index file in a web browser at https://localhost/
However, I cannot access it from another PC within my LAN (https://192.168.1.103/)
And I cannot access it from outside at https://www.fhtagn.ch
4. Error messages and/or full log output:
caddy run
2022/11/18 19:28:55.862 INFO using adjacent Caddyfile
2022/11/18 19:28:55.864 INFO admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2022/11/18 19:28:55.864 INFO http server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2022/11/18 19:28:55.864 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
2022/11/18 19:28:55.864 INFO tls.cache.maintenance started background certificate maintenance {"cache": "0xc000146f50"}
2022/11/18 19:28:55.864 INFO tls cleaning storage unit {"description": "FileStorage:/home/dod/.local/share/caddy"}
2022/11/18 19:28:55.865 INFO tls finished cleaning storage units
2022/11/18 19:28:55.877 INFO pki.ca.local root certificate is already trusted by system {"path": "storage:pki/authorities/local/root.crt"}
2022/11/18 19:28:55.877 INFO http enabling HTTP/3 listener {"addr": ":443"}
2022/11/18 19:28:55.877 INFO http.log server running {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2022/11/18 19:28:55.877 INFO http.log server running {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2022/11/18 19:28:55.877 INFO http enabling automatic TLS certificate management {"domains": ["kringer.fhtagn.ch", "www.fhtagn.ch", "localhost"]}
2022/11/18 19:28:55.878 WARN tls stapling OCSP {"error": "no OCSP stapling for [localhost]: no OCSP server specified in certificate", "identifiers": ["localhost"]}
2022/11/18 19:28:55.878 INFO autosaved config (load with --resume flag) {"file": "/home/dod/.config/caddy/autosave.json"}
2022/11/18 19:28:55.878 INFO serving initial configuration
2022/11/18 19:28:55.879 INFO tls.obtain acquiring lock {"identifier": "kringer.fhtagn.ch"}
2022/11/18 19:28:55.879 INFO tls.obtain acquiring lock {"identifier": "www.fhtagn.ch"}
2022/11/18 19:28:55.887 INFO tls.obtain lock acquired {"identifier": "www.fhtagn.ch"}
2022/11/18 19:28:55.888 INFO tls.obtain obtaining certificate {"identifier": "www.fhtagn.ch"}
2022/11/18 19:28:55.890 INFO http waiting on internal rate limiter {"identifiers": ["www.fhtagn.ch"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2022/11/18 19:28:55.890 INFO http done waiting on internal rate limiter {"identifiers": ["www.fhtagn.ch"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2022/11/18 19:28:55.895 INFO tls.obtain lock acquired {"identifier": "kringer.fhtagn.ch"}
2022/11/18 19:28:55.895 INFO tls.obtain obtaining certificate {"identifier": "kringer.fhtagn.ch"}
2022/11/18 19:28:55.898 INFO http waiting on internal rate limiter {"identifiers": ["kringer.fhtagn.ch"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2022/11/18 19:28:55.898 INFO http done waiting on internal rate limiter {"identifiers": ["kringer.fhtagn.ch"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2022/11/18 19:28:57.349 INFO http.acme_client trying to solve challenge {"identifier": "kringer.fhtagn.ch", "challenge_type": "http-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2022/11/18 19:28:57.349 INFO http.acme_client trying to solve challenge {"identifier": "www.fhtagn.ch", "challenge_type": "http-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2022/11/18 19:29:08.410 ERROR http.acme_client challenge failed {"identifier": "www.fhtagn.ch", "challenge_type": "http-01", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "2a02:aa13:4680:f580:901d:7581:e887:4b05: Fetching http://www.fhtagn.ch/.well-known/acme-challenge/0k0o0gSUyua4NKMs-knkwV5h7tyWEj9jX7fmVSUjeW8: Timeout during connect (likely firewall problem)", "instance": "", "subproblems": []}}
2022/11/18 19:29:08.410 ERROR http.acme_client validating authorization {"identifier": "www.fhtagn.ch", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "2a02:aa13:4680:f580:901d:7581:e887:4b05: Fetching http://www.fhtagn.ch/.well-known/acme-challenge/0k0o0gSUyua4NKMs-knkwV5h7tyWEj9jX7fmVSUjeW8: Timeout during connect (likely firewall problem)", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/830373487/145301211957", "attempt": 1, "max_attempts": 3}
2022/11/18 19:29:08.410 ERROR http.acme_client challenge failed {"identifier": "kringer.fhtagn.ch", "challenge_type": "http-01", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "2a02:aa13:4680:f580:901d:7581:e887:4b05: Fetching http://kringer.fhtagn.ch/.well-known/acme-challenge/WoYoDz9pLHDiN9lL6PfUcHDWc1ZliGbh99gbrT3lrtU: Timeout during connect (likely firewall problem)", "instance": "", "subproblems": []}}
2022/11/18 19:29:08.410 ERROR http.acme_client validating authorization {"identifier": "kringer.fhtagn.ch", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "2a02:aa13:4680:f580:901d:7581:e887:4b05: Fetching http://kringer.fhtagn.ch/.well-known/acme-challenge/WoYoDz9pLHDiN9lL6PfUcHDWc1ZliGbh99gbrT3lrtU: Timeout during connect (likely firewall problem)", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/830373487/145301212047", "attempt": 1, "max_attempts": 3}
2022/11/18 19:29:09.788 INFO http.acme_client trying to solve challenge {"identifier": "www.fhtagn.ch", "challenge_type": "tls-alpn-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2022/11/18 19:29:09.800 INFO http.acme_client trying to solve challenge {"identifier": "kringer.fhtagn.ch", "challenge_type": "tls-alpn-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2022/11/18 19:29:20.411 ERROR http.acme_client challenge failed {"identifier": "www.fhtagn.ch", "challenge_type": "tls-alpn-01", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "2a02:aa13:4680:f580:901d:7581:e887:4b05: Timeout during connect (likely firewall problem)", "instance": "", "subproblems": []}}
2022/11/18 19:29:20.411 ERROR http.acme_client validating authorization {"identifier": "www.fhtagn.ch", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "2a02:aa13:4680:f580:901d:7581:e887:4b05: Timeout during connect (likely firewall problem)", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/830373487/145301293757", "attempt": 2, "max_attempts": 3}
2022/11/18 19:29:20.411 ERROR tls.obtain could not get certificate from issuer {"identifier": "www.fhtagn.ch", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 400 urn:ietf:params:acme:error:connection - 2a02:aa13:4680:f580:901d:7581:e887:4b05: Timeout during connect (likely firewall problem)"}
2022/11/18 19:29:20.413 INFO http waiting on internal rate limiter {"identifiers": ["www.fhtagn.ch"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "caddy@zerossl.com"}
2022/11/18 19:29:20.413 INFO http done waiting on internal rate limiter {"identifiers": ["www.fhtagn.ch"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "caddy@zerossl.com"}
2022/11/18 19:29:20.828 ERROR http.acme_client challenge failed {"identifier": "kringer.fhtagn.ch", "challenge_type": "tls-alpn-01", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "2a02:aa13:4680:f580:901d:7581:e887:4b05: Timeout during connect (likely firewall problem)", "instance": "", "subproblems": []}}
2022/11/18 19:29:20.828 ERROR http.acme_client validating authorization {"identifier": "kringer.fhtagn.ch", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "2a02:aa13:4680:f580:901d:7581:e887:4b05: Timeout during connect (likely firewall problem)", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/830373487/145301293807", "attempt": 2, "max_attempts": 3}
2022/11/18 19:29:20.828 ERROR tls.obtain could not get certificate from issuer {"identifier": "kringer.fhtagn.ch", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 400 urn:ietf:params:acme:error:connection - 2a02:aa13:4680:f580:901d:7581:e887:4b05: Timeout during connect (likely firewall problem)"}
2022/11/18 19:29:20.829 INFO http waiting on internal rate limiter {"identifiers": ["kringer.fhtagn.ch"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "caddy@zerossl.com"}
2022/11/18 19:29:20.829 INFO http done waiting on internal rate limiter {"identifiers": ["kringer.fhtagn.ch"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "caddy@zerossl.com"}
2022/11/18 19:29:23.768 INFO http.acme_client trying to solve challenge {"identifier": "www.fhtagn.ch", "challenge_type": "http-01", "ca": "https://acme.zerossl.com/v2/DV90"}
2022/11/18 19:29:25.249 INFO http.acme_client trying to solve challenge {"identifier": "kringer.fhtagn.ch", "challenge_type": "http-01", "ca": "https://acme.zerossl.com/v2/DV90"}
5. What I already tried:
Some of the errors above mention a firewall problem; I guess it must be from my router. I’m not sure how I should investigate this. I already forwarded port 443.
It’s not easy to find documentation about an IPv6 setup. As I understand it, as each machine within my LAN has its own unique IPv6 address, the traditional IPv4 WAN → LAN IP forwarding should not be mandatory. But for security reasons I guess my router does not allow incoming traffic by default. I’m not sure if I have to open something more than the port redirection I put in place.
Also, I cannot access the file server from another machine in my LAN. Is there a config I’m missing to allow that?
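An added diagnostic example for the situation in this post (Python; it is not part of the original post and not Caddy's own code). In the log above, the http-01 attempts (which need TCP port 80 reachable from the CA) and the tls-alpn-01 attempts (which need TCP port 443) both end in "Timeout during connect", while the router rule shown forwards only 443. The script parses Caddy log lines in the layout shown, maps each failed challenge to the port the CA had to reach, and provides a small TCP probe that classifies a host:port as open, refused, timing out or unreachable. The sample log lines are constructed from the post's output; the function names, the regular expression and the CHALLENGE_PORT table are my own assumptions about the log layout, not a Caddy API.

```python
"""Diagnose Caddy ACME challenge failures and probe listener reachability.

Added example, not from the original post or from Caddy. It assumes the
Caddy log line layout visible in the post: timestamp, level, logger name,
message, then a trailing JSON object.
"""
import json
import re
import socket

# TCP port each ACME challenge type needs reachable from the CA
# (http-01: RFC 8555; tls-alpn-01: RFC 8737).
CHALLENGE_PORT = {"http-01": 80, "tls-alpn-01": 443}

# timestamp (two tokens)  level  logger  message  {json}
LOG_RE = re.compile(r"^(\S+ \S+)\s+(\w+)\s+(\S+)\s+(.*?)\s+(\{.*\})$")

# Constructed sample, copied from the post's log output (one INFO line
# without a JSON payload, then the two failed challenges for www.fhtagn.ch).
SAMPLE_LOG = [
    '2022/11/18 19:28:55.862 INFO using adjacent Caddyfile',
    '2022/11/18 19:29:08.410 ERROR http.acme_client challenge failed '
    '{"identifier": "www.fhtagn.ch", "challenge_type": "http-01", '
    '"problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", '
    '"detail": "2a02:aa13:4680:f580:901d:7581:e887:4b05: Fetching '
    'http://www.fhtagn.ch/.well-known/acme-challenge/0k0o0gSUyua4NKMs-knkwV5h7tyWEj9jX7fmVSUjeW8: '
    'Timeout during connect (likely firewall problem)", "instance": "", "subproblems": []}}',
    '2022/11/18 19:29:20.411 ERROR http.acme_client challenge failed '
    '{"identifier": "www.fhtagn.ch", "challenge_type": "tls-alpn-01", '
    '"problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", '
    '"detail": "2a02:aa13:4680:f580:901d:7581:e887:4b05: Timeout during connect '
    '(likely firewall problem)", "instance": "", "subproblems": []}}',
]


def parse_caddy_line(line):
    """Return (level, logger, message, fields) for one Caddy log line.

    Lines without a trailing JSON object (or with malformed JSON) yield None.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, level, logger, message, payload = m.groups()
    try:
        fields = json.loads(payload)
    except json.JSONDecodeError:
        return None
    return level, logger, message, fields


def diagnose_acme_failures(lines):
    """Map each 'challenge failed' line to the port the CA could not reach.

    Returns a list of dicts with identifier, challenge type, required port,
    whether the CA reported a connect timeout, and the raw detail string.
    """
    findings = []
    for line in lines:
        parsed = parse_caddy_line(line)
        if parsed is None:
            continue
        level, logger, message, fields = parsed
        if (level, logger, message) != ("ERROR", "http.acme_client", "challenge failed"):
            continue
        ctype = fields.get("challenge_type")
        detail = fields.get("problem", {}).get("detail", "")
        findings.append({
            "identifier": fields.get("identifier"),
            "challenge": ctype,
            "port": CHALLENGE_PORT.get(ctype),
            "timeout": "Timeout during connect" in detail,
            "detail": detail,
        })
    return findings


def probe_tcp(host, port, timeout=5.0):
    """Classify host:port as 'open', 'refused', 'timeout' or 'unreachable'.

    socket.create_connection resolves names and accepts IPv6 literals, so the
    same call works for the AAAA address in the post and for IPv4 hosts.
    A 'timeout' result matches what the CA reported in the log.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"


if __name__ == "__main__":
    for f in diagnose_acme_failures(SAMPLE_LOG):
        print(f"{f['identifier']}: {f['challenge']} needs TCP/{f['port']} "
              f"reachable from the CA; connect timeout reported: {f['timeout']}")
```

Run probe_tcp against the AAAA address on ports 80 and 443 from a host outside the LAN (a phone on mobile data, for instance); running it from inside the LAN only exercises the local UFW rules, not the router. A "timeout" on both ports means the router is not passing the traffic, which is what the CA saw here; a "refused" means the packets arrive but nothing is listening.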