Trouble setting up Caddy with PiVPN+PiHole + Jellyfin

1. The problem I’m having:

Hello,

I’m incredibly new to this subject, and I’m stuck on using Caddy for Jellyfin. I’m using privateipgivenbyvpn to replace private IPs because I’m having issues posting with private IPs.

Firstly, I set up PiVPN+PiHole (WireGuard), which my media server (which has Jellyfin server installed) is connected to. This means anything that is connected to my PiVPN can access the media server by using Jellyfin’s private IP address (which was assigned by PiVPN, which is privateipgivenbyvpn).

Everything works fine, but I wanted to use Caddy so I can enable HTTPS and use a custom domain name. Partly to learn more about this and so I don’t have to enter the private IP address whenever I access the Jellyfin server.

I’m unable to connect to jellyfin-k.duckdns.org, but connecting to privateipgivenbyvpn:8096 after running Caddy still allows me to access the Jellyfin server. I have checked:

1.) That the custom URL (jellyfin-k.duckdns.org) is associated with my public IP address.
2.) Forwarded the ports on my NETGEAR Router which were 80, 443, 2019 using the TCP protocol.
3.) Created outbound rules on Windows firewall for 80, 443, 2019 on my Jellyfin Server

2. Error messages and/or full log output:

There don’t seem to be any error messages when running Caddy.

3. Caddy version:

v2.6.4

4. How I installed and ran Caddy:

Installed caddy.exe file and moved it to C:/Tools/Caddy
Created Caddyfile in C:/Tools/Caddy
Ran through Powershell in admin mode

a. System environment:

Windows 10

b. Command:

 caddy run --config Caddyfile

d. My complete Caddy config:

jellyfin-k.duckdns.org {
    reverse_proxy privateipgivenbyvpn:8096
    tls {
        dns duckdns TOKEN
    }
}

5. Links to relevant resources:

That domain doesn’t have a DNS A record. Are you sure you have that domain set up with DuckDNS?

Don’t forward port 2019. That’s a bad idea. Caddy’s port 2019 should never be publicly exposed, otherwise you’re at risk of letting anyone change your Caddy server’s config and do very bad things.

Please completely fill out the help topic template, as per the forum rules. What’s in Caddy’s logs?

Hey,

Thanks for responding. To answer your questions:

> That domain doesn’t have a DNS A record. Are you sure you have that domain set up with DuckDNS?

I used jellyfin-k.duckdns.org for the sake of simplification, but for the time being I’m now going to use it as a domain with DuckDNS. I’m not sure how to check if it has a DNS A record but it should have one now.

> Don’t forward port 2019. That’s a bad idea. Caddy’s port 2019 should never be publicly exposed, otherwise you’re at risk of letting anyone change your Caddy server’s config and do very bad things.

Thank you for this. I followed the guide presented above but I’ll revert port forwarding 2019.

> Please completely fill out the help topic template, as per the forum rules. What’s in Caddy’s logs?

I don’t know where to access Caddy’s logs. I’ve updated my Caddyfile to this:

jellyfin-k.duckdns.org {
    reverse_proxy privateipgivenbyvpn:8096
    tls {
        dns duckdns (TOKEN)
    }
    log {
        output file C:\Tools\Caddy\logs\jellyfin-k.duckdns.org.log {
            roll_size 10MiB
            roll_keep 10
            roll_keep_for 336h
        }
    }
}

But I don’t seem to get any log files. Do you mean the text given in Powershell after running “caddy run --config Caddyfile”?

Yes, that’s Caddy’s log output.

Ooooh, I didn’t know that. Then in that case, yes, there are definitely errors here.

2023/07/07 14:10:45.164 ←[34mINFO←[0m   using provided configuration    {"config_file": "Caddyfile", "config_adapter": ""}
2023/07/07 14:10:45.164 ←[33mWARN←[0m   Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies    {"adapter": "caddyfile", "file": "Caddyfile", "line": 1}
2023/07/07 14:10:45.177 ←[34mINFO←[0m   admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2023/07/07 14:10:45.178 ←[34mINFO←[0m   tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc00020ff80"}
2023/07/07 14:10:45.178 ←[34mINFO←[0m   http    server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2023/07/07 14:10:45.178 ←[34mINFO←[0m   http    enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2023/07/07 14:10:45.179 ←[34mINFO←[0m   tls     cleaning storage unit   {"description": "FileStorage:C:\\Users\\user\\AppData\\Roaming\\Caddy"}
2023/07/07 14:10:45.179 ←[34mINFO←[0m   tls     finished cleaning storage units
2023/07/07 14:10:45.179 ←[34mINFO←[0m   http    enabling HTTP/3 listener        {"addr": ":443"}
2023/07/07 14:10:45.179 ←[34mINFO←[0m   http.log        server running  {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2023/07/07 14:10:45.179 ←[34mINFO←[0m   http.log        server running  {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2023/07/07 14:10:45.180 ←[34mINFO←[0m   http    enabling automatic TLS certificate management   {"domains": ["jellyfin-k.duckdns.org"]}
2023/07/07 14:10:45.181 ←[34mINFO←[0m   autosaved config (load with --resume flag)      {"file": "C:\\Users\\user\\AppData\\Roaming\\Caddy\\autosave.json"}
2023/07/07 14:10:45.182 ←[34mINFO←[0m   serving initial configuration
2023/07/07 14:10:45.187 ←[34mINFO←[0m   tls.obtain      acquiring lock  {"identifier": "jellyfin-k.duckdns.org"}
2023/07/07 14:10:45.194 ←[34mINFO←[0m   [INFO][FileStorage:C:\Users\user\AppData\Roaming\Caddy] Lock for 'issue_cert_jellyfin-k.duckdns.org' is stale (created: 2023-07-07 14:39:21.5874625 +0100 BST, last update: 2023-07-07 15:03:29.6600409 +0100 BST); removing then retrying: C:\Users\user\AppData\Roaming\Caddy\locks\issue_cert_jellyfin-k.duckdns.org.lock
2023/07/07 14:10:45.197 ←[34mINFO←[0m   tls.obtain      lock acquired   {"identifier": "jellyfin-k.duckdns.org"}
2023/07/07 14:10:45.197 ←[34mINFO←[0m   tls.obtain      obtaining certificate   {"identifier": "jellyfin-k.duckdns.org"}
2023/07/07 14:10:45.211 ←[34mINFO←[0m   http    waiting on internal rate limiter        {"identifiers": ["jellyfin-k.duckdns.org"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2023/07/07 14:10:45.211 ←[34mINFO←[0m   http    done waiting on internal rate limiter   {"identifiers": ["jellyfin-k.duckdns.org"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2023/07/07 14:10:46.193 ←[34mINFO←[0m   http.acme_client        trying to solve challenge       {"identifier": "jellyfin-k.duckdns.org", "challenge_type": "dns-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2023/07/07 14:13:26.319 ←[31mERROR←[0m  http.acme_client        cleaning up solver      {"identifier": "jellyfin-k.duckdns.org", "challenge_type": "dns-01", "error": "no memory of presenting a DNS record for \"_acme-challenge.jellyfin-k.duckdns.org\" (usually OK if presenting also failed)"}
2023/07/07 14:13:26.476 ←[31mERROR←[0m  tls.obtain      could not get certificate from issuer   {"identifier": "jellyfin-k.duckdns.org", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[jellyfin-k.duckdns.org] solving challenges: presenting for challenge: could not determine zone for domain \"_acme-challenge.jellyfin-k.duckdns.org\": could not find the start of authority for _acme-challenge.jellyfin-k.duckdns.org.: dial tcp 1.0.0.1:53: connectex: An attempt was made to access a socket in a way forbidden by its access permissions. (order=https://acme-v02.api.letsencrypt.org/acme/order/1189994857/193419756077) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
2023/07/07 14:13:26.491 ←[34mINFO←[0m   http    waiting on internal rate limiter        {"identifiers": ["jellyfin-k.duckdns.org"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "caddy@zerossl.com"}
2023/07/07 14:13:26.492 ←[34mINFO←[0m   http    done waiting on internal rate limiter   {"identifiers": ["jellyfin-k.duckdns.org"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "caddy@zerossl.com"}
2023/07/07 14:13:27.078 ←[34mINFO←[0m   http.acme_client        trying to solve challenge       {"identifier": "jellyfin-k.duckdns.org", "challenge_type": "dns-01", "ca": "https://acme.zerossl.com/v2/DV90"}
2023/07/07 14:16:07.230 ←[31mERROR←[0m  http.acme_client        cleaning up solver      {"identifier": "jellyfin-k.duckdns.org", "challenge_type": "dns-01", "error": "no memory of presenting a DNS record for \"_acme-challenge.jellyfin-k.duckdns.org\" (usually OK if presenting also failed)"}
2023/07/07 14:16:08.099 ←[31mERROR←[0m  tls.obtain      could not get certificate from issuer   {"identifier": "jellyfin-k.duckdns.org", "issuer": "acme.zerossl.com-v2-DV90", "error": "[jellyfin-k.duckdns.org] solving challenges: presenting for challenge: could not determine zone for domain \"_acme-challenge.jellyfin-k.duckdns.org\": could not find the start of authority for _acme-challenge.jellyfin-k.duckdns.org.: dial tcp 1.0.0.1:53: connectex: An attempt was made to access a socket in a way forbidden by its access permissions. (order=https://acme.zerossl.com/v2/DV90/order/g8D62rkqtyLST4n6fSZ94Q) (ca=https://acme.zerossl.com/v2/DV90)"}
2023/07/07 14:16:08.099 ←[31mERROR←[0m  tls.obtain      will retry      {"error": "[jellyfin-k.duckdns.org] Obtain: [jellyfin-k.duckdns.org] solving challenges: presenting for challenge: could not determine zone for domain \"_acme-challenge.jellyfin-k.duckdns.org\": could not find the start of authority for _acme-challenge.jellyfin-k.duckdns.org.: dial tcp 1.0.0.1:53: connectex: An attempt was made to access a socket in a way forbidden by its access permissions. (order=https://acme.zerossl.com/v2/DV90/order/g8D62rkqtyLST4n6fSZ94Q) (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 1, "retrying_in": 60, "elapsed": 322.9025064, "max_duration": 2592000}
2023/07/07 14:17:08.112 ←[34mINFO←[0m   tls.obtain      obtaining certificate   {"identifier": "jellyfin-k.duckdns.org"}
2023/07/07 14:17:09.139 ←[34mINFO←[0m   http.acme_client        trying to solve challenge       {"identifier": "jellyfin-k.duckdns.org", "challenge_type": "dns-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"}
2023/07/07 14:19:49.258 ←[31mERROR←[0m  http.acme_client        cleaning up solver      {"identifier": "jellyfin-k.duckdns.org", "challenge_type": "dns-01", "error": "no memory of presenting a DNS record for \"_acme-challenge.jellyfin-k.duckdns.org\" (usually OK if presenting also failed)"}
2023/07/07 14:19:49.416 ←[31mERROR←[0m  tls.obtain      could not get certificate from issuer   {"identifier": "jellyfin-k.duckdns.org", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[jellyfin-k.duckdns.org] solving challenges: presenting for challenge: could not determine zone for domain \"_acme-challenge.jellyfin-k.duckdns.org\": could not find the start of authority for _acme-challenge.jellyfin-k.duckdns.org.: dial tcp 1.0.0.1:53: connectex: An attempt was made to access a socket in a way forbidden by its access permissions. (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/109530464/9631747144) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
2023/07/07 14:19:49.824 ←[34mINFO←[0m   http.acme_client        trying to solve challenge       {"identifier": "jellyfin-k.duckdns.org", "challenge_type": "dns-01", "ca": "https://acme.zerossl.com/v2/DV90"}
2023/07/07 14:22:29.970 ←[31mERROR←[0m  http.acme_client        cleaning up solver      {"identifier": "jellyfin-k.duckdns.org", "challenge_type": "dns-01", "error": "no memory of presenting a DNS record for \"_acme-challenge.jellyfin-k.duckdns.org\" (usually OK if presenting also failed)"}
2023/07/07 14:22:30.635 ←[31mERROR←[0m  tls.obtain      could not get certificate from issuer   {"identifier": "jellyfin-k.duckdns.org", "issuer": "acme.zerossl.com-v2-DV90", "error": "[jellyfin-k.duckdns.org] solving challenges: presenting for challenge: could not determine zone for domain \"_acme-challenge.jellyfin-k.duckdns.org\": could not find the start of authority for _acme-challenge.jellyfin-k.duckdns.org.: dial tcp 1.0.0.1:53: connectex: An attempt was made to access a socket in a way forbidden by its access permissions. (order=https://acme.zerossl.com/v2/DV90/order/B0KobW174mwfW8pkdJWcgQ) (ca=https://acme.zerossl.com/v2/DV90)"}
2023/07/07 14:22:30.635 ←[31mERROR←[0m  tls.obtain      will retry      {"error": "[jellyfin-k.duckdns.org] Obtain: [jellyfin-k.duckdns.org] solving challenges: presenting for challenge: could not determine zone for domain \"_acme-challenge.jellyfin-k.duckdns.org\": could not find the start of authority for _acme-challenge.jellyfin-k.duckdns.org.: dial tcp 1.0.0.1:53: connectex: An attempt was made to access a socket in a way forbidden by its access permissions. (order=https://acme.zerossl.com/v2/DV90/order/B0KobW174mwfW8pkdJWcgQ) (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 2, "retrying_in": 120, "elapsed": 705.4386799, "max_duration": 2592000}
2023/07/07 14:24:30.647 ←[34mINFO←[0m   tls.obtain      obtaining certificate   {"identifier": "jellyfin-k.duckdns.org"}
2023/07/07 14:24:31.124 ←[34mINFO←[0m   http.acme_client        trying to solve challenge       {"identifier": "jellyfin-k.duckdns.org", "challenge_type": "dns-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"}
2023/07/07 14:27:11.249 ←[31mERROR←[0m  http.acme_client        cleaning up solver      {"identifier": "jellyfin-k.duckdns.org", "challenge_type": "dns-01", "error": "no memory of presenting a DNS record for \"_acme-challenge.jellyfin-k.duckdns.org\" (usually OK if presenting also failed)"}
2023/07/07 14:27:11.410 ←[31mERROR←[0m  tls.obtain      could not get certificate from issuer   {"identifier": "jellyfin-k.duckdns.org", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[jellyfin-k.duckdns.org] solving challenges: presenting for challenge: could not determine zone for domain \"_acme-challenge.jellyfin-k.duckdns.org\": could not find the start of authority for _acme-challenge.jellyfin-k.duckdns.org.: dial tcp 1.0.0.1:53: connectex: An attempt was made to access a socket in a way forbidden by its access permissions. (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/109530464/9631829214) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
2023/07/07 14:27:11.897 ←[34mINFO←[0m   http.acme_client        trying to solve challenge       {"identifier": "jellyfin-k.duckdns.org", "challenge_type": "dns-01", "ca": "https://acme.zerossl.com/v2/DV90"}
2023/07/07 14:29:52.058 ←[31mERROR←[0m  http.acme_client        cleaning up solver      {"identifier": "jellyfin-k.duckdns.org", "challenge_type": "dns-01", "error": "no memory of presenting a DNS record for \"_acme-challenge.jellyfin-k.duckdns.org\" (usually OK if presenting also failed)"}
2023/07/07 14:29:52.385 ←[31mERROR←[0m  tls.obtain      could not get certificate from issuer   {"identifier": "jellyfin-k.duckdns.org", "issuer": "acme.zerossl.com-v2-DV90", "error": "[jellyfin-k.duckdns.org] solving challenges: presenting for challenge: could not determine zone for domain \"_acme-challenge.jellyfin-k.duckdns.org\": could not find the start of authority for _acme-challenge.jellyfin-k.duckdns.org.: dial tcp 1.0.0.1:53: connectex: An attempt was made to access a socket in a way forbidden by its access permissions. (order=https://acme.zerossl.com/v2/DV90/order/VPXNFRstxBIbH4i5ERFo9w) (ca=https://acme.zerossl.com/v2/DV90)"}
2023/07/07 14:29:52.385 ←[31mERROR←[0m  tls.obtain      will retry      {"error": "[jellyfin-k.duckdns.org] Obtain: [jellyfin-k.duckdns.org] solving challenges: presenting for challenge: could not determine zone for domain \"_acme-challenge.jellyfin-k.duckdns.org\": could not find the start of authority for _acme-challenge.jellyfin-k.duckdns.org.: dial tcp 1.0.0.1:53: connectex: An attempt was made to access a socket in a way forbidden by its access permissions. (order=https://acme.zerossl.com/v2/DV90/order/VPXNFRstxBIbH4i5ERFo9w) (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 3, "retrying_in": 120, "elapsed": 1147.188406, "max_duration": 2592000}
2023/07/07 14:31:52.394 ←[34mINFO←[0m   tls.obtain      obtaining certificate   {"identifier": "jellyfin-k.duckdns.org"}
2023/07/07 14:31:52.872 ←[34mINFO←[0m   http.acme_client        trying to solve challenge       {"identifier": "jellyfin-k.duckdns.org", "challenge_type": "dns-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"}
2023/07/07 14:34:33.032 ←[31mERROR←[0m  http.acme_client        cleaning up solver      {"identifier": "jellyfin-k.duckdns.org", "challenge_type": "dns-01", "error": "no memory of presenting a DNS record for \"_acme-challenge.jellyfin-k.duckdns.org\" (usually OK if presenting also failed)"}
2023/07/07 14:34:33.192 ←[31mERROR←[0m  tls.obtain      could not get certificate from issuer   {"identifier": "jellyfin-k.duckdns.org", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[jellyfin-k.duckdns.org] solving challenges: presenting for challenge: could not determine zone for domain \"_acme-challenge.jellyfin-k.duckdns.org\": could not find the start of authority for _acme-challenge.jellyfin-k.duckdns.org.: dial tcp 1.0.0.1:53: connectex: An attempt was made to access a socket in a way forbidden by its access permissions. (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/109530464/9631905764) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
2023/07/07 14:34:33.791 ←[34mINFO←[0m   http.acme_client        trying to solve challenge       {"identifier": "jellyfin-k.duckdns.org", "challenge_type": "dns-01", "ca": "https://acme.zerossl.com/v2/DV90"}
2023/07/07 14:37:13.909 ←[31mERROR←[0m  http.acme_client        cleaning up solver      {"identifier": "jellyfin-k.duckdns.org", "challenge_type": "dns-01", "error": "no memory of presenting a DNS record for \"_acme-challenge.jellyfin-k.duckdns.org\" (usually OK if presenting also failed)"}
2023/07/07 14:37:14.258 ←[31mERROR←[0m  tls.obtain      could not get certificate from issuer   {"identifier": "jellyfin-k.duckdns.org", "issuer": "acme.zerossl.com-v2-DV90", "error": "[jellyfin-k.duckdns.org] solving challenges: presenting for challenge: could not determine zone for domain \"_acme-challenge.jellyfin-k.duckdns.org\": could not find the start of authority for _acme-challenge.jellyfin-k.duckdns.org.: dial tcp 1.0.0.1:53: connectex: An attempt was made to access a socket in a way forbidden by its access permissions. (order=https://acme.zerossl.com/v2/DV90/order/Y4NqQPgSNc1d1s44z2Ki2w) (ca=https://acme.zerossl.com/v2/DV90)"}
2023/07/07 14:37:14.258 ←[31mERROR←[0m  tls.obtain      will retry      {"error": "[jellyfin-k.duckdns.org] Obtain: [jellyfin-k.duckdns.org] solving challenges: presenting for challenge: could not determine zone for domain \"_acme-challenge.jellyfin-k.duckdns.org\": could not find the start of authority for _acme-challenge.jellyfin-k.duckdns.org.: dial tcp 1.0.0.1:53: connectex: An attempt was made to access a socket in a way forbidden by its access permissions. (order=https://acme.zerossl.com/v2/DV90/order/Y4NqQPgSNc1d1s44z2Ki2w) (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 4, "retrying_in": 300, "elapsed": 1589.0615354, "max_duration": 2592000}
2023/07/07 14:42:14.272 ←[34mINFO←[0m   tls.obtain      obtaining certificate   {"identifier": "jellyfin-k.duckdns.org"}
2023/07/07 14:42:15.101 ←[34mINFO←[0m   http.acme_client        trying to solve challenge       {"identifier": "jellyfin-k.duckdns.org", "challenge_type": "dns-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"}
2023/07/07 14:44:55.230 ←[31mERROR←[0m  http.acme_client        cleaning up solver      {"identifier": "jellyfin-k.duckdns.org", "challenge_type": "dns-01", "error": "no memory of presenting a DNS record for \"_acme-challenge.jellyfin-k.duckdns.org\" (usually OK if presenting also failed)"}
2023/07/07 14:44:55.389 ←[31mERROR←[0m  tls.obtain      could not get certificate from issuer   {"identifier": "jellyfin-k.duckdns.org", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[jellyfin-k.duckdns.org] solving challenges: presenting for challenge: could not determine zone for domain \"_acme-challenge.jellyfin-k.duckdns.org\": could not find the start of authority for _acme-challenge.jellyfin-k.duckdns.org.: dial tcp 1.0.0.1:53: connectex: An attempt was made to access a socket in a way forbidden by its access permissions. (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/109530464/9632040024) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
2023/07/07 14:44:55.854 ←[34mINFO←[0m   http.acme_client        trying to solve challenge       {"identifier": "jellyfin-k.duckdns.org", "challenge_type": "dns-01", "ca": "https://acme.zerossl.com/v2/DV90"}
2023/07/07 14:47:36.020 ←[31mERROR←[0m  http.acme_client        cleaning up solver      {"identifier": "jellyfin-k.duckdns.org", "challenge_type": "dns-01", "error": "no memory of presenting a DNS record for \"_acme-challenge.jellyfin-k.duckdns.org\" (usually OK if presenting also failed)"}
2023/07/07 14:47:36.235 ←[31mERROR←[0m  tls.obtain      could not get certificate from issuer   {"identifier": "jellyfin-k.duckdns.org", "issuer": "acme.zerossl.com-v2-DV90", "error": "[jellyfin-k.duckdns.org] solving challenges: presenting for challenge: could not determine zone for domain \"_acme-challenge.jellyfin-k.duckdns.org\": could not find the start of authority for _acme-challenge.jellyfin-k.duckdns.org.: dial tcp 1.0.0.1:53: connectex: An attempt was made to access a socket in a way forbidden by its access permissions. (order=https://acme.zerossl.com/v2/DV90/order/j1_B3JBj3PkYbYPOI4xPfg) (ca=https://acme.zerossl.com/v2/DV90)"}
2023/07/07 14:47:36.235 ←[31mERROR←[0m  tls.obtain      will retry      {"error": "[jellyfin-k.duckdns.org] Obtain: [jellyfin-k.duckdns.org] solving challenges: presenting for challenge: could not determine zone for domain \"_acme-challenge.jellyfin-k.duckdns.org\": could not find the start of authority for _acme-challenge.jellyfin-k.duckdns.org.: dial tcp 1.0.0.1:53: connectex: An attempt was made to access a socket in a way forbidden by its access permissions. (order=https://acme.zerossl.com/v2/DV90/order/j1_B3JBj3PkYbYPOI4xPfg) (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 5, "retrying_in": 600, "elapsed": 2211.0384729, "max_duration": 2592000}
2023/07/07 14:57:36.236 ←[34mINFO←[0m   tls.obtain      obtaining certificate   {"identifier": "jellyfin-k.duckdns.org"}
2023/07/07 14:57:37.047 ←[34mINFO←[0m   http.acme_client        trying to solve challenge       {"identifier": "jellyfin-k.duckdns.org", "challenge_type": "dns-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"}
2023/07/07 15:00:17.194 ←[31mERROR←[0m  http.acme_client        cleaning up solver      {"identifier": "jellyfin-k.duckdns.org", "challenge_type": "dns-01", "error": "no memory of presenting a DNS record for \"_acme-challenge.jellyfin-k.duckdns.org\" (usually OK if presenting also failed)"}
2023/07/07 15:00:17.359 ←[31mERROR←[0m  tls.obtain      could not get certificate from issuer   {"identifier": "jellyfin-k.duckdns.org", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[jellyfin-k.duckdns.org] solving challenges: presenting for challenge: could not determine zone for domain \"_acme-challenge.jellyfin-k.duckdns.org\": could not find the start of authority for _acme-challenge.jellyfin-k.duckdns.org.: dial tcp 1.0.0.1:53: connectex: An attempt was made to access a socket in a way forbidden by its access permissions. (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/109530464/9632241304) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
2023/07/07 15:00:18.837 ←[34mINFO←[0m   http.acme_client        trying to solve challenge       {"identifier": "jellyfin-k.duckdns.org", "challenge_type": "dns-01", "ca": "https://acme.zerossl.com/v2/DV90"}
2023/07/07 15:02:59.001 ←[31mERROR←[0m  http.acme_client        cleaning up solver      {"identifier": "jellyfin-k.duckdns.org", "challenge_type": "dns-01", "error": "no memory of presenting a DNS record for \"_acme-challenge.jellyfin-k.duckdns.org\" (usually OK if presenting also failed)"}
2023/07/07 15:02:59.245 ←[31mERROR←[0m  tls.obtain      could not get certificate from issuer   {"identifier": "jellyfin-k.duckdns.org", "issuer": "acme.zerossl.com-v2-DV90", "error": "[jellyfin-k.duckdns.org] solving challenges: presenting for challenge: could not determine zone for domain \"_acme-challenge.jellyfin-k.duckdns.org\": could not find the start of authority for _acme-challenge.jellyfin-k.duckdns.org.: dial tcp 1.0.0.1:53: connectex: An attempt was made to access a socket in a way forbidden by its access permissions. (order=https://acme.zerossl.com/v2/DV90/order/j5g0RLQuv-_FulSmjl6ZWg) (ca=https://acme.zerossl.com/v2/DV90)"}
2023/07/07 15:02:59.245 ←[31mERROR←[0m  tls.obtain      will retry      {"error": "[jellyfin-k.duckdns.org] Obtain: [jellyfin-k.duckdns.org] solving challenges: presenting for challenge: could not determine zone for domain \"_acme-challenge.jellyfin-k.duckdns.org\": could not find the start of authority for _acme-challenge.jellyfin-k.duckdns.org.: dial tcp 1.0.0.1:53: connectex: An attempt was made to access a socket in a way forbidden by its access permissions. (order=https://acme.zerossl.com/v2/DV90/order/j5g0RLQuv-_FulSmjl6ZWg) (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 6, "retrying_in": 1200, "elapsed": 3134.0484605, "max_duration": 2592000}

Crazy. Windows is blocking Caddy from making DNS queries (using port 53). You might need to make some adjustments to your Windows Firewall to allow Caddy to reach the internet.
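The diagnosis above, and the earlier advice that port 2019 must stay private, can both be read mechanically from the console log. The following Python is an added example, not part of the original thread or of Caddy: it collapses the repeated retries into distinct findings, and the sample lines (constructed, abridged copies in the format of the posted log), function names and finding labels are assumptions.

```python
import ipaddress
import json
import re
from collections import Counter

# Colour codes: a real ESC byte, or the "←" that a PowerShell paste shows instead.
ANSI = re.compile(r"(?:\x1b|←)\[[0-9;]*m")
LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+)\s+(\w+)\s+(.*)$")
# Go dial error for a resolver on port 53 that Windows refused locally.
DNS_BLOCKED = re.compile(
    r"dial (?:tcp|udp) (\S+):53: connectex: .*forbidden by its access permissions"
)

# Constructed sample: abridged lines in the format of the log posted above.
SAMPLE_LOG = r"""
2023/07/07 14:10:45.177 ←[34mINFO←[0m   admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false}
2023/07/07 14:10:46.193 ←[34mINFO←[0m   http.acme_client        trying to solve challenge       {"identifier": "jellyfin-k.duckdns.org", "challenge_type": "dns-01"}
2023/07/07 14:13:26.476 ←[31mERROR←[0m  tls.obtain      could not get certificate from issuer   {"identifier": "jellyfin-k.duckdns.org", "error": "could not find the start of authority for _acme-challenge.jellyfin-k.duckdns.org.: dial tcp 1.0.0.1:53: connectex: An attempt was made to access a socket in a way forbidden by its access permissions."}
2023/07/07 14:16:08.099 ←[31mERROR←[0m  tls.obtain      could not get certificate from issuer   {"identifier": "jellyfin-k.duckdns.org", "error": "could not find the start of authority for _acme-challenge.jellyfin-k.duckdns.org.: dial tcp 1.0.0.1:53: connectex: An attempt was made to access a socket in a way forbidden by its access permissions."}
"""


def parse_line(raw):
    """Split one console log line into level, text and its trailing JSON fields."""
    m = LINE.match(ANSI.sub("", raw).strip())
    if not m:
        return None
    _ts, level, rest = m.groups()
    fields = {}
    brace = rest.find("{")
    if brace != -1:
        try:
            fields = json.loads(rest[brace:])
            rest = rest[:brace]
        except json.JSONDecodeError:
            pass  # lines such as "[INFO][FileStorage:...]" carry no JSON object
    return {"level": level, "text": " ".join(rest.split()), "fields": fields}


def admin_is_loopback(address):
    """True only if the admin listener is bound to a loopback host."""
    host = address.rsplit(":", 1)[0].strip("[]")
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # empty host (all interfaces) or a non-loopback name


def triage(log_text):
    """Collapse a Caddy console log into distinct findings with occurrence counts."""
    findings = Counter()
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        fields = entry["fields"]
        if entry["text"].endswith("admin endpoint started"):
            # A loopback-bound admin API is only reachable from the host itself.
            if not admin_is_loopback(fields.get("address", "")):
                findings[("admin-not-loopback", fields.get("address", ""))] += 1
        elif entry["level"] == "ERROR" and "error" in fields:
            m = DNS_BLOCKED.search(str(fields["error"]))
            if m:
                # The SOA lookup for the dns-01 challenge never left the machine.
                findings[("dns-egress-blocked", m.group(1))] += 1
            else:
                findings[("unclassified-error", entry["text"])] += 1
    return dict(findings)


if __name__ == "__main__":
    for (kind, detail), count in triage(SAMPLE_LOG).items():
        print(f"{kind}: {detail} (seen {count}x)")
```

A `dns-egress-blocked` finding points at host firewall or VPN client policy on the machine running Caddy rather than at the CA or the DNS provider, which is why every retry against both issuers fails the same way.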

Hello,

After some troubleshooting, I’ve finally gotten it to make DNS queries. The issue (I think) was with my WireGuard client. It wasn’t allowing untunnelled traffic, so I simply unchecked it. I also allowed Caddy through Windows Firewall. So that’s done, but I still have issues accessing the Jellyfin server.

When I ping jellyfin-k.duckdns.org, I get a reply from my public IP address, and when I connect to it through a web browser I get no reply. So I’m a bit confused on that front, since the tutorial I followed shows accessing that URL redirects to the Jellyfin server.

Edit: Okay, pinging jellyfin-k.duckdns.org gives a public IP address because I set it up with DuckDNS. So my problem is that even with Caddy turned on, I can’t access the Jellyfin server.

Try connecting from your phone on cellular networks instead of on Wifi. If it works that way, then the problem is that your router doesn’t support NAT hairpinning, so it doesn’t know how to route packets that have your WAN IP as the destination back into your network, and it drops it instead.

Hi,

So, I tried doing some troubleshooting. Here are some of the things I did:

1.) Connected from my phone on cellular networks, no response
2.) Connected from my phone on cellular networks whilst connected to my PiVPN, no response
3.) Connected without VPN whilst connected to home network, no response
4.) Connected with VPN whilst connected to home network, no response

I switched my Superhub 5 (Virgin Media’s Modem) from router mode to modem mode. So instead of my home network having essentially two routers, which is a Superhub 5 and NETGEAR R7000, it’s just a modem and router.

I set up Caddy again, and for some reason connecting to jellyfin-k.duckdns.org gives me access to my router (from anywhere, even cellular networks) and not my media server. Putting in jellyfin-k.duckdns.org:8096 gives me access to the Jellyfin server, even though it’s on a different private address.

I’m sure that the NETGEAR R7000 supports NAT hairpinning, as it is listed on NETGEAR’s own website: Which NETGEAR routers support NAT loopback? | Answer | NETGEAR Support
However, I’m not sure whether or not my modem supports NAT hairpinning, but I don’t know if it’s even relevant in this case.

I’m going to take a break from troubleshooting this for a bit, but if there are any other suggestions, feel free to post. Thanks.

Your router should be configured to port forward requests on 80 and 443 to your server.

It sounds like this is a router/network config problem, not a problem with Caddy.
