1. Caddy version (caddy version):
2.4.0
2. How I run Caddy:
a. System environment:
Docker
b. Command:
docker run --detach --publish 80:80 --publish 443:443 --name "caddy" --volume "$PWD/Caddyfile:/etc/caddy/Caddyfile" --volume "caddy_data:/data" --volume "$PWD/certs:/certs" caddy
c. Service/unit/compose file:
N/A
d. My complete Caddyfile or JSON config:
{
	debug
	local_certs
}

(InternalAccess) {
	@InternalNetwork {
		remote_ip 192.168.0.0/24
	}
}

(Headers) {
	header {
		-Server
	}
}

(Compression) {
	encode zstd gzip
}

(Handle404) {
	@404 {
		status 404
	}
	handle_response @404 {
		respond 404
	}
}

(AccessLog) {
	log
}

(DefaultResponse) {
	respond 404
}

:443 {
	import AccessLog
	import Headers
	import Compression
	tls /certs/default.crt /certs/default.key
	import DefaultResponse
}

guacamole.local {
	import AccessLog
	import Headers
	import Compression
	rewrite * /guacamole{path}
	reverse_proxy 192.168.0.104:8080 {
		import Handle404
	}
}

vaultwarden.local {
	import AccessLog
	import Headers
	import Compression
	import InternalAccess
	handle @InternalNetwork {
		reverse_proxy /notifications/hub 192.168.0.105:3012 {
			import Handle404
		}
		reverse_proxy 192.168.0.105:80 {
			header_up X-Real-IP {remote_host}
			import Handle404
		}
	}
	import DefaultResponse
}
3. The problem I’m having:
When I access these domains in the web browser, the certificate of the catch-all block is always displayed.
guacamole.local -> self-signed default cert [non ok]
vaultwarden.local -> self-signed default cert [non ok]
test.local -> self-signed default cert [ok]
bahamas.local -> self-signed default cert [ok]
The intended behavior would be
guacamole.local -> Caddy generated cert [ok]
vaultwarden.local -> Caddy generated cert [ok]
test.local -> self-signed default cert [ok]
bahamas.local -> self-signed default cert [ok]
Please, what am I doing wrong?
4. Error messages and/or full log output:
{"level":"info","ts":1621615739.3131924,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"warn","ts":1621615739.3155637,"msg":"input is not formatted with 'caddy fmt'","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
{"level":"info","ts":1621615739.316909,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
{"level":"info","ts":1621615739.3184674,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000276850"}
{"level":"warn","ts":1621615739.3390055,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [local]: no OCSP server specified in certificate"}
{"level":"info","ts":1621615739.3393815,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"warn","ts":1621615739.6958838,"logger":"pki.ca.local","msg":"installing root certificate (you might be prompted for password)","path":"storage:pki/authorities/local/root.crt"}
2021/05/21 16:48:59 Warning: "certutil" is not available, install "certutil" with "apt install libnss3-tools" or "yum install nss-tools" and try again
2021/05/21 16:48:59 define JAVA_HOME environment variable to use the Java trust
2021/05/21 16:48:59 certificate installed properly in linux trusts
{"level":"debug","ts":1621615739.8077984,"logger":"http","msg":"starting server loop","address":"[::]:443","http3":false,"tls":true}
{"level":"debug","ts":1621615739.807836,"logger":"http","msg":"starting server loop","address":"[::]:80","http3":false,"tls":false}
{"level":"info","ts":1621615739.8078413,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["guacamole.local","vaultwarden.local"]}
{"level":"info","ts":1621615739.808032,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1621615739.808045,"msg":"serving initial configuration"}
{"level":"info","ts":1621615739.808302,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"info","ts":1621615739.8083317,"logger":"tls.obtain","msg":"acquiring lock","identifier":"guacamole.local"}
{"level":"info","ts":1621615739.8085334,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1621615739.8090577,"logger":"tls.obtain","msg":"acquiring lock","identifier":"vaultwarden.local"}
{"level":"info","ts":1621615739.8148382,"logger":"tls.obtain","msg":"lock acquired","identifier":"guacamole.local"}
{"level":"info","ts":1621615739.8201706,"logger":"tls.obtain","msg":"lock acquired","identifier":"vaultwarden.local"}
{"level":"info","ts":1621615739.8201902,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"guacamole.local"}
{"level":"info","ts":1621615739.8205101,"logger":"tls.obtain","msg":"releasing lock","identifier":"guacamole.local"}
{"level":"warn","ts":1621615739.821255,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [guacamole.local]: no OCSP server specified in certificate"}
{"level":"info","ts":1621615739.8220675,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"vaultwarden.local"}
{"level":"info","ts":1621615739.8221374,"logger":"tls.obtain","msg":"releasing lock","identifier":"vaultwarden.local"}
{"level":"warn","ts":1621615739.8226361,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [vaultwarden.local]: no OCSP server specified in certificate"}
5. What I already tried:
Removing the tls directive, or forcing tls internal, in the catch-all block:
guacamole.local -> Caddy generated cert [ok]
vaultwarden.local -> Caddy generated cert [ok]
test.local -> ERR_SSL_PROTOCOL_ERROR [non ok]
bahamas.local -> ERR_SSL_PROTOCOL_ERROR [non ok]
{"level":"debug","ts":1621617702.6297212,"logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.0.7:53967: no certificate available for 'test.local'"}
{"level":"debug","ts":1621617702.6317542,"logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.0.7:53968: no certificate available for 'test.local'"}
{"level":"debug","ts":1621617703.1940742,"logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.0.7:53970: no certificate available for 'test.local'"}
6. Links to relevant resources:
N/A
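An added check that reproduces the per-hostname table from the post by handshaking with each SNI name while trusting only Caddy's local root CA: a handshake that fails verification means the catch-all's self-signed default cert was presented. This is not the poster's code; HOST, the exported root.crt path and the docker cp command are assumptions.

```python
import socket
import ssl
from typing import Optional

HOST = "127.0.0.1"             # assumption: the Docker host publishing 443
CADDY_ROOT = "caddy-root.crt"  # assumption: Caddy's local CA, exported with
# docker cp caddy:/data/caddy/pki/authorities/local/root.crt ./caddy-root.crt


def san_names(cert: dict) -> list:
    """DNS entries from the subjectAltName of an ssl.getpeercert() dict."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def name_matches(hostname: str, cert: dict) -> bool:
    """Match hostname against the cert's DNS SANs (one left-most '*' label allowed)."""
    host = hostname.lower().split(".")
    for san in san_names(cert):
        labels = san.lower().split(".")
        if len(labels) == len(host) and all(
            a == b or (i == 0 and a == "*") for i, (a, b) in enumerate(zip(labels, host))
        ):
            return True
    return False


def verdict(hostname: str, cert: Optional[dict], trusted: bool) -> str:
    """Classify the presented certificate the way the post's table does."""
    if not trusted:
        return "self-signed default cert (not issued by Caddy's local CA)"
    if cert and name_matches(hostname, cert):
        return "Caddy generated cert [ok]"
    return "Caddy cert, but its SANs do not cover this name"


def probe(hostname: str, host: str = HOST, port: int = 443) -> str:
    """TLS handshake with SNI=hostname, trusting only Caddy's local root."""
    ctx = ssl.create_default_context(cafile=CADDY_ROOT)
    ctx.check_hostname = False  # SAN coverage is reported by verdict() instead
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return verdict(hostname, tls.getpeercert(), trusted=True)
    except ssl.SSLCertVerificationError:
        return verdict(hostname, None, trusted=False)


if __name__ == "__main__":
    for name in ("guacamole.local", "vaultwarden.local", "test.local", "bahamas.local"):
        print(f"{name} -> {probe(name)}")
```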