1. The problem I’m having:
I’m trying to run a Docker instance of vaultwarden on a Hertzner server together with caddy (also through Docker) to manage HTTPS.
I have setup a domain name with sub-domain on OVH and created a redirection (A entry): vault.spdgzlz.ovh
pointing to 94.130.168.115
(IP of the Hertzner server).
Both docker containers are running on the server:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ad8e056c5352 caddy:2 "caddy run --config …" 2 hours ago Up 2 hours 0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp, 443/udp, 2019/tcp caddy
8039840fdad9 vaultwarden/server:latest "/start.sh" 2 hours ago Up 2 hours (healthy) 127.0.0.1:3012->3012/tcp, 127.0.0.1:8080->80/tcp vaultwarden
2. Error messages and/or full log output:
After having been through the setup process I’m unable to access vaultwarden’s login page and get a ERR_TOO_MANY_REDIRECTS
error.
Also here’s the output of curl -v vault.spdgzlz.ovh
:
* Trying 94.130.168.115:80...
* Connected to vault.spdgzlz.ovh (94.130.168.115) port 80 (#0)
> GET / HTTP/1.1
> Host: vault.spdgzlz.ovh
> User-Agent: curl/7.86.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://vault.spdgzlz.ovh/
< Server: Caddy
< Date: Wed, 22 Mar 2023 17:18:37 GMT
< Content-Length: 0
<
* Closing connection 0
3. Caddy version:
v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=
4. How I installed and ran Caddy:
a. System environment:
Both vaultwarden and caddy are running in docker containers. The server is running Ubuntu 22.04.2 LTS on Hertzner cloud.
b. Command:
sudo docker run -d --name vaultwarden -v /srv/vaultwarden:/data -e WEBSOCKET_ENABLED=true -p 127.0.0.1:8080:80 -p 127.0.0.1:3012:3012 --restart on-failure vaultwarden/server:latest
sudo docker run -d -p 80:80 -p 443:443 --name caddy -v /etc/Caddyfile:/etc/caddy/Caddyfile -v /etc/caddy:/root/.local/share/caddy --restart on-failure caddy:2
d. My complete Caddy config:
vault.spdgzlz.ovh {
encode gzip
# The negotiation endpoint is also proxied to Rocket
reverse_proxy /notifications/hub/negotiate 0.0.0.0:80
# Notifications redirected to the websockets server
reverse_proxy /notifications/hub 0.0.0.0:3012
# Send all other traffic to the regular Vaultwarden endpoint
reverse_proxy 0.0.0.0:80
}
e. Caddy logs
{"level":"info","ts":1679497296.4633143,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"warn","ts":1679497296.4667418,"msg":"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
{"level":"info","ts":1679497296.468553,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1679497296.4698992,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1679497296.4701233,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1679497296.469991,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00035f2d0"}
{"level":"info","ts":1679497296.47118,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"info","ts":1679497296.4712176,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"info","ts":1679497296.471649,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1679497296.4720025,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Receive-Buffer-Size for details."}
{"level":"info","ts":1679497296.4724207,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"info","ts":1679497296.4728177,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1679497296.472991,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["vault.spdgzlz.ovh"]}
{"level":"info","ts":1679497296.4740372,"logger":"tls.obtain","msg":"acquiring lock","identifier":"vault.spdgzlz.ovh"}
{"level":"info","ts":1679497296.4747412,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1679497296.4749641,"msg":"serving initial configuration"}
{"level":"info","ts":1679497296.4764059,"logger":"tls.obtain","msg":"lock acquired","identifier":"vault.spdgzlz.ovh"}
{"level":"info","ts":1679497296.4771523,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"vault.spdgzlz.ovh"}
{"level":"info","ts":1679497297.3143046,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["vault.spdgzlz.ovh"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
{"level":"info","ts":1679497297.3143587,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["vault.spdgzlz.ovh"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
{"level":"info","ts":1679497297.6557417,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"vault.spdgzlz.ovh","challenge_type":"tls-alpn-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"info","ts":1679497298.2448506,"logger":"tls","msg":"served key authentication certificate","server_name":"vault.spdgzlz.ovh","challenge":"tls-alpn-01","remote":"3.14.146.74:40540","distributed":false}
{"level":"info","ts":1679497298.3088036,"logger":"tls","msg":"served key authentication certificate","server_name":"vault.spdgzlz.ovh","challenge":"tls-alpn-01","remote":"34.214.208.130:14818","distributed":false}
{"level":"info","ts":1679497298.6522026,"logger":"tls","msg":"served key authentication certificate","server_name":"vault.spdgzlz.ovh","challenge":"tls-alpn-01","remote":"23.178.112.103:45846","distributed":false}
{"level":"info","ts":1679497299.0487876,"logger":"http.acme_client","msg":"authorization finalized","identifier":"vault.spdgzlz.ovh","authz_status":"valid"}
{"level":"info","ts":1679497299.0488214,"logger":"http.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme-v02.api.letsencrypt.org/acme/order/1021861857/171630481907"}
{"level":"info","ts":1679497299.7781713,"logger":"http.acme_client","msg":"successfully downloaded available certificate chains","count":2,"first_url":"https://acme-v02.api.letsencrypt.org/acme/cert/032baec67408c44962fb6f3af7add10e188f"}
{"level":"info","ts":1679497299.7797542,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"vault.spdgzlz.ovh"}
{"level":"info","ts":1679497299.7802706,"logger":"tls.obtain","msg":"releasing lock","identifier":"vault.spdgzlz.ovh"}
5. Links to relevant resources:
I mostly followed the instructions of this guide How to Self-Host the vaultwarden Password Manager | Linode
Thanks a lot for your help! I’ve been helpless for the past few days trying to understand what’s going on.