1. Output of `caddy version`:

```
root@FriendlyWrt:~# caddy version
v2.6.2 h1:wKoFIxpmOJLGl3QXoo6PNbYvGW4xLEgo32GPBEjWL8o=
```
2. How I run Caddy:

Via `/etc/rc.local`: `/usr/bin/caddy start --resume --config /srv/Caddyfile`
a. System environment:

```
root@FriendlyWrt:~# cat /etc/rc.local | grep caddy
/usr/bin/caddy start --resume --config /srv/Caddyfile
root@FriendlyWrt:~# cat /etc/openwrt_release
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='22.03.2'
DISTRIB_REVISION='r19803-9a599fee93'
DISTRIB_TARGET='rockchip/armv8'
DISTRIB_ARCH='aarch64_generic'
DISTRIB_DESCRIPTION='OpenWrt 22.03.2 r19803-9a599fee93'
DISTRIB_TAINTS='busybox'
```
b. Command:

Just the `rc.local` one with the occasional validate/reload/...

c. Service/unit/compose file:

`rc.local`
d. My complete Caddy config:

```
# Globals
{
	log {
		level info
		output file /var/log/caddy.log {
			roll_size 10mb
			roll_keep 10
			roll_keep_for 720h
		}
	}
	#trusted_proxies 192.168.222.0/24
	storage file_system /var/lib/caddy/.local/share/caddy
	auto_https disable_certs
}

# Rest is mostly unrelated, except:

# Basic ping-pong
echo.birb.it {
	respond "hello"
}

video.birb.it:80 {
	reverse_proxy * localhost:8096
}

grocy.birb.it:80 {
	root * /sdcard/srv/grocy/public
	import php
	file_server
	trusted_proxies 192.168.222.0/24
}
```
3. The problem I’m having:

I used `storage file_system` to link my local caddy to the resources of my remote one via SSHFS.
First, for comparison:

```
root@FriendlyWrt:/mnt/vps/var/lib/caddy/.local/share/caddy# ls -l
drwx------ 1 www 992 4096 Nov 20 13:25 acme
drwx------ 1 www 992 4096 Nov 20 13:26 certificates
drwx------ 1 www 992 4096 Dec 13 17:29 locks
drwx------ 1 www 992 4096 Dec 13 17:11 ocsp
```

`/mnt/vps` is my mountpoint. Now, the “real” version as my main server sees it:
```
root@birb:/var/lib/caddy/.local/share/caddy# ls -l
total 24
drwx------ 6 caddy caddy 4096 Dec 13 13:29 .
drwx------ 3 caddy caddy 4096 Nov 20 09:24 ..
drwx------ 5 caddy caddy 4096 Nov 20 09:25 acme
drwx------ 3 caddy caddy 4096 Nov 20 09:26 certificates
drwx------ 2 caddy caddy 4096 Dec 13 13:29 locks
drwx------ 2 caddy caddy 4096 Dec 13 13:11 ocsp
```

On my VPS, `caddy` can read/write the directories, which is to be expected. However, on my local server, the UID is interpreted as the user `www` - which seems to be more of a funny coincidence than anything, but this also means that technically my home router should not be able to read the files. However - it doesn’t read them at all, because it never changed!
4. Error messages and/or full log output:

```
root@FriendlyWrt:/var/log# tail -f caddy.log
2022/12/13 21:05:45.573 info admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2022/12/13 21:05:45.574 info http server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2022/12/13 21:05:45.574 warn http skipping automated certificate management for server because it is disabled {"server_name": "srv0"}
2022/12/13 21:05:45.574 info http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
2022/12/13 21:05:45.574 warn http server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server {"server_name": "srv1", "http_port": 80}
2022/12/13 21:05:45.574 info tls.cache.maintenance started background certificate maintenance {"cache": "0x4000736230"}
2022/12/13 21:05:45.576 info http enabling HTTP/3 listener {"addr": ":443"}
2022/12/13 21:05:45.576 info tls cleaning storage unit {"description": "FileStorage:/var/lib/caddy/.local/share/caddy"}
2022/12/13 21:05:45.576 info tls finished cleaning storage units
2022/12/13 21:05:45.576 info http.log server running {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2022/12/13 21:05:45.576 info http.log server running {"name": "srv1", "protocols": ["h1", "h2", "h3"]}
2022/12/13 21:05:45.577 info autosaved config (load with --resume flag) {"file": "/root/.config/caddy/autosave.json"}
2022/12/13 21:05:45.577 info serving initial configuration
```
The paths are off and not what I configured. So, I did this:
```
root@FriendlyWrt:/var/log# caddy environ
caddy.HomeDir=/root
caddy.AppDataDir=/root/.local/share/caddy
caddy.AppConfigDir=/root/.config/caddy
caddy.ConfigAutosavePath=/root/.config/caddy/autosave.json
caddy.Version=v2.6.2 h1:wKoFIxpmOJLGl3QXoo6PNbYvGW4xLEgo32GPBEjWL8o=
runtime.GOOS=linux
runtime.GOARCH=arm64
runtime.Compiler=gc
runtime.NumCPU=8
runtime.GOMAXPROCS=8
runtime.Version=go1.19.4
os.Getwd=/var/log
SHELL=/bin/bash
ENV=/etc/shinit
PWD=/var/log
LOGNAME=root
HOME=/root
SSH_PUBKEYINFO=ingwie
SSH_CONNECTION=192.168.2.212 1629 192.168.2.1 22
TERM=xterm-256color
USER=root
SHLVL=1
COMPOSER_ALLOW_SUPERUSER=1
PS1=\[\e]0;\u@\h: \w\a\]\u@\h:\w\$
SSH_CLIENT=192.168.2.212 1629 22
PATH=/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/bin
SSH_TTY=/dev/pts/3
_=/usr/bin/caddy
OLDPWD=/root
```

Note: `caddy.AppDataDir=/root/.local/share/caddy`

This should’ve changed. I also verified with `caddy run --environ ...` - and the value still was the same!
5. What I already tried:
I looked at the docs and simply used what was written there - and Caddy did not reject it during start.
Did I overlook something?
6. Links to relevant resources:
- global/storage docs: Global options (Caddyfile) — Caddy Documentation
Edit 1
I noticed I had not prefixed the storage with `/mnt/vps`. Derp… That said, after changing it, not a whole lot changed; in fact, nothing of note did.
Logs:

```
2022/12/13 21:12:34.271 info admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2022/12/13 21:12:34.271 warn http server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server {"server_name": "srv1", "http_port": 80}
2022/12/13 21:12:34.271 info http server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2022/12/13 21:12:34.271 warn http skipping automated certificate management for server because it is disabled {"server_name": "srv0"}
2022/12/13 21:12:34.271 info http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
2022/12/13 21:12:34.272 info tls.cache.maintenance started background certificate maintenance {"cache": "0x4000287030"}
2022/12/13 21:12:34.274 info http enabling HTTP/3 listener {"addr": ":443"}
2022/12/13 21:12:34.274 info tls cleaning storage unit {"description": "FileStorage:/mnt/vps/var/lib/caddy/.local/share/caddy"}
2022/12/13 21:12:34.274 info http.log server running {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2022/12/13 21:12:34.274 info http.log server running {"name": "srv1", "protocols": ["h1", "h2", "h3"]}
2022/12/13 21:12:34.275 info autosaved config (load with --resume flag) {"file": "/root/.config/caddy/autosave.json"}
2022/12/13 21:12:34.275 info serving initial configuration
2022/12/13 21:12:35.269 info tls finished cleaning storage units
```
curl from the router itself:

```
root@FriendlyWrt:~# curl -v https://echo.birb.it
* ssl_handshake returned - mbedTLS: (-0x7780) SSL - A fatal alert message was received from our peer
curl: (35) ssl_handshake returned - mbedTLS: (-0x7780) SSL - A fatal alert message was received from our peer
root@FriendlyWrt:~# curl -v https://grocy.birb.it
* ssl_handshake returned - mbedTLS: (-0x7780) SSL - A fatal alert message was received from our peer
curl: (35) ssl_handshake returned - mbedTLS: (-0x7780) SSL - A fatal alert message was received from our peer
```
And, the environment flags:

```
root@FriendlyWrt:~# caddy run --environ --config /srv/Caddyfile
caddy.HomeDir=/root
caddy.AppDataDir=/root/.local/share/caddy
caddy.AppConfigDir=/root/.config/caddy
caddy.ConfigAutosavePath=/root/.config/caddy/autosave.json
caddy.Version=v2.6.2 h1:wKoFIxpmOJLGl3QXoo6PNbYvGW4xLEgo32GPBEjWL8o=
runtime.GOOS=linux
runtime.GOARCH=arm64
runtime.Compiler=gc
runtime.NumCPU=8
runtime.GOMAXPROCS=8
runtime.Version=go1.19.4
os.Getwd=/root
```
So much for fixing that “typo”…
Edit 2
I attempted to just copy over the entire directory and `chown` it to my root user. Then commenting out the `storage` option and using a full stop/start instead of reload - without `--resume` - to try and see if that did anything. And… it did not. The same errors still occur.
I am quite lost at this point… All I want to do is have the same certificates for my local and remote access. I will be spending a long time away from home, and accessing those services is going to be important. So I really want to just get this working…
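A small check, added here and not part of the original post or of the Caddy project, that pulls the `storage file_system` path out of a Caddyfile's global block (ignoring commented-out lines) and verifies that the four directories Caddy keeps there (`acme`, `certificates`, `locks`, `ocsp`) exist and are readable and writable by the user running it. Run it as the same user Caddy runs under; the sample Caddyfile and directories it builds are constructed for the demo.

```shell
#!/bin/sh
# Added example: sanity-check a Caddyfile's file_system storage path.
# Not Caddy project code; assumes the global "storage file_system <path>" option.

# Print the configured storage path (empty if unset or only commented out).
caddy_storage_path() {
    # $1 = path to the Caddyfile
    # Drop "#" comments first so "#storage ..." lines are not picked up.
    sed 's/#.*//' "$1" | awk '$1 == "storage" && $2 == "file_system" { print $3; exit }'
}

# Return 0 when the storage root and its four subdirectories are present and
# readable/writable by the current user; otherwise print the first problem.
caddy_storage_check() {
    # $1 = storage root, e.g. /mnt/vps/var/lib/caddy/.local/share/caddy
    root=$1
    [ -n "$root" ] || { echo "no storage file_system path configured"; return 1; }
    [ -d "$root" ] || { echo "missing: $root"; return 1; }
    for sub in acme certificates locks ocsp; do
        d="$root/$sub"
        [ -d "$d" ] || { echo "missing: $d"; return 1; }
        [ -r "$d" ] && [ -w "$d" ] || { echo "not readable/writable: $d"; return 1; }
    done
    echo "ok: $root"
    return 0
}

# Constructed demo input: a temp dir with a Caddyfile (one commented-out
# storage line, one live one) and the four Caddy storage subdirectories.
demo_setup() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/store/acme" "$tmp/store/certificates" "$tmp/store/locks" "$tmp/store/ocsp"
    printf '{\n\t#storage file_system /old/path\n\tstorage file_system %s\n}\n' \
        "$tmp/store" > "$tmp/Caddyfile"
    echo "$tmp"
}

# Real-world use (hypothetical paths from the post):
#   caddy_storage_check "$(caddy_storage_path /srv/Caddyfile)"
```

If the check fails on an SSHFS mount while the same path passes on the remote host, the mount's uid/gid mapping rather than the Caddyfile is the first thing to look at.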