1. Caddy version (caddy version):
Latest docker version (while testing/experimenting).
2. How I run Caddy:
a. System environment:
Fedora 35, podman 3.4.4
b. Command:
letsencrypt-instance:
podman run -d -p [eth0-ip]:80:80 -p [eth0-ip]:443:443 --name caddy_outside -v $PWD/caddy_outside/Caddyfile:/etc/caddy/Caddyfile:U,Z -v $PWD/caddy_data:/data:U,z caddy
wireguard-instance:
podman run -d -p [wg-ip]:80:80 -p [wg-ip]:443:443 --name caddy_inside -v $PWD/caddy_inside/Caddyfile:/etc/caddy/Caddyfile:U,Z -v $PWD/caddy_data:/data:U,z caddy
c. Service/unit/compose file:
None
d. My complete Caddyfile or JSON config:
letsencrypt-instance:
{
    admin off
    email my-email@example.com
    acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
    log {
        level debug
    }
}

example.com {
    respond 403
}

www.example.com {
    respond 403
}

cloud.example.com {
    respond 403
}

# Each site address may be defined only once; Caddy rejects a Caddyfile with two
# www.example.com blocks, so this fourth block names the www.cloud host that the
# wireguard-instance also serves.
www.cloud.example.com {
    respond 403
}
wireguard-instance:
{
    admin off
    email my-email@example.com
    acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
    auto_https off
    log {
        level debug
    }
}

(httpredirect) {
    @http {
        protocol http
    }
    redir @http https://{host}{uri}
}

example.com {
    import httpredirect
    respond "Inside"
}

www.example.com {
    import httpredirect
    respond "www.Inside"
}

cloud.example.com {
    import httpredirect
    respond "Inside.cloud"
}

www.cloud.example.com {
    import httpredirect
    respond "www.Inside.cloud"
}
3. The problem I’m having:
I want to use Caddy as a reverse proxy with automatic certificate provisioning with Let’s Encrypt. I’m using two instances of Caddy (containers), one for provisioning and managing certificates, one to do the actual reverse proxying on the wireguard interface. I’m using the wireguard interface so I don’t have to expose any service directly to the internet.
With auto-https enabled on both instances, it seems to work but can run into issues with the wireguard-instance trying to provision certificates (which obviously doesn’t work). My idea was to disable auto-https on the wireguard-instance but I can’t figure out how to use the certificates provisioned by the letsencrypt-instance with the wireguard-instance.
My ideal solution would be to just deactivate the auto-provisioning on the wireguard-instance and leave the rest of the auto-https functionality active. I couldn’t find a way to do that with the Caddyfile config. A skip-provisioning option would be great as a parameter for auto_https.
Any help or hints on how to get this working are greatly appreciated.
4. Error messages and/or full log output:
{"level":"info","ts":1644911332.881876,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"warn","ts":1644911332.8861623,"msg":"input is not formatted with 'caddy fmt'","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
{"level":"warn","ts":1644911332.8870971,"logger":"admin","msg":"admin endpoint disabled"}
{"level":"info","ts":1644911332.8879244,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00045e000"}
{"level":"info","ts":1644911332.8884325,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"debug","ts":1644911332.8887951,"logger":"http","msg":"starting server loop","address":"[::]:443","http3":false,"tls":true}
{"level":"info","ts":1644911332.8891673,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1644911332.8893547,"msg":"serving initial configuration"}
{"level":"info","ts":1644911332.890386,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"debug","ts":1644911351.941252,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"www.example.com"}
{"level":"debug","ts":1644911351.9413471,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.example.com"}
{"level":"debug","ts":1644911351.9413526,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.com"}
{"level":"debug","ts":1644911351.9413567,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*"}
{"level":"debug","ts":1644911351.941366,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","server_name":"www.example.com","remote":"[IP]:52130","identifier":"www.example.com","cipher_suites":[4865,4867,4866,49195,49199,52393,52392,49196,49200,49162,49161,49171,49172,156,157,47,53],"cert_cache_fill":0,"load_if_necessary":true,"obtain_if_necessary":true,"on_demand":false}
{"level":"debug","ts":1644911351.9414945,"logger":"http.stdlib","msg":"http: TLS handshake error from [ip]]:52130: no certificate available for 'www.example.com'"}
5. What I already tried:
auto_https on both instances leads to issues with the wireguard-instance trying to provision certificates.
load /data/caddy in the wireguard-instance didn’t find any certificates.
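When two Caddy instances share one /data volume, the quickest way to tell which instance is failing TLS handshakes, for which names, and against which storage path, is to read the structured log rather than eyeball it. The script below is an added example, not code from the post or from the Caddy project: it parses Caddy's newline-delimited JSON log (the same shape as the lines quoted in section 4, which are embedded here as the constructed sample, placeholders such as [IP] kept as written) and summarizes the storage unit in use, the cache lookups Caddy performed (exact name, then progressively wider wildcards), and handshakes that failed because no certificate matched the SNI. The field names (logger, msg, identifier, server_name, description, ts) are taken from those log lines; the assumption is that the instance logs at debug level with the default JSON encoder.

```python
import json
import sys
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: the log lines quoted in the post, one JSON object per line.
SAMPLE_LOG = """
{"level":"info","ts":1644911332.881876,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"warn","ts":1644911332.8861623,"msg":"input is not formatted with 'caddy fmt'","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
{"level":"warn","ts":1644911332.8870971,"logger":"admin","msg":"admin endpoint disabled"}
{"level":"info","ts":1644911332.8879244,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00045e000"}
{"level":"info","ts":1644911332.8884325,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"debug","ts":1644911332.8887951,"logger":"http","msg":"starting server loop","address":"[::]:443","http3":false,"tls":true}
{"level":"info","ts":1644911332.8891673,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1644911332.8893547,"msg":"serving initial configuration"}
{"level":"info","ts":1644911332.890386,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"debug","ts":1644911351.941252,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"www.example.com"}
{"level":"debug","ts":1644911351.9413471,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.example.com"}
{"level":"debug","ts":1644911351.9413526,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.com"}
{"level":"debug","ts":1644911351.9413567,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*"}
{"level":"debug","ts":1644911351.941366,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","server_name":"www.example.com","remote":"[IP]:52130","identifier":"www.example.com","cipher_suites":[4865,4867,4866,49195,49199,52393,52392,49196,49200,49162,49161,49171,49172,156,157,47,53],"cert_cache_fill":0,"load_if_necessary":true,"obtain_if_necessary":true,"on_demand":false}
{"level":"debug","ts":1644911351.9414945,"logger":"http.stdlib","msg":"http: TLS handshake error from [ip]]:52130: no certificate available for 'www.example.com'"}
"""


def parse_caddy_log(text):
    """Parse newline-delimited JSON; keep unparseable lines as synthetic error events."""
    events = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            evt = json.loads(raw)
        except json.JSONDecodeError:
            evt = {"level": "error", "msg": "unparseable log line", "raw": raw}
        evt["_line"] = lineno
        events.append(evt)
    return events


def event_time(evt):
    """Caddy's default 'ts' field is a Unix timestamp with fractional seconds."""
    return datetime.fromtimestamp(evt["ts"], tz=timezone.utc)


def storage_units(events):
    """Storage backends the instance cleaned at startup, e.g. FileStorage:/data/caddy."""
    return [e["description"] for e in events
            if e.get("logger") == "tls" and e.get("msg") == "cleaning storage unit"]


def certificate_lookups(events):
    """Identifiers Caddy tried in its cache: the exact name, then wider wildcards."""
    return [e["identifier"] for e in events
            if e.get("logger") == "tls.handshake"
            and e.get("msg") == "no matching certificates and no custom selection logic"]


def missing_certificate_by_sni(events):
    """Count handshakes that failed because no certificate matched the ClientHello SNI."""
    counts = Counter()
    for e in events:
        if (e.get("logger") == "tls.handshake"
                and e.get("msg") == "no certificate matching TLS ClientHello"):
            counts[e.get("server_name", "<no SNI>")] += 1
    return dict(counts)


def report(text):
    """Human-readable summary of one instance's log."""
    events = parse_caddy_log(text)
    lines = [f"events: {len(events)}"]
    lines += [f"storage: {u}" for u in storage_units(events)]
    lines.append("cache lookups: " + ", ".join(certificate_lookups(events)))
    for sni, n in sorted(missing_certificate_by_sni(events).items()):
        lines.append(f"no certificate for {sni}: {n} handshake(s)")
    return lines


if __name__ == "__main__":
    # Pipe a container's log in (e.g. `podman logs caddy_inside | python3 this.py`)
    # or run without input to analyse the embedded sample.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(report(text)))
```

The lookup sequence (www.example.com, *.example.com, *.*.com, *.*.*) ending in a "no certificate matching TLS ClientHello" event, with a storage unit of FileStorage:/data/caddy, is the signature of an instance that can see the shared volume but has nothing loaded for that name; comparing this output from both containers shows whether the certificate was never written by the provisioning instance or simply never loaded by the serving one.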