Unable to serve container through subdomain

1. Caddy version (caddy version):

v2.4.6 h1:HGkGICFGvyrodcqOOclHKfvJC0qTU7vny/7FhYp9hNw=

2. How I run Caddy:

I run Caddy using the caddy start and caddy stop commands.

a. System environment:

Ubuntu Server 21.10

caddy environ:

caddy.HomeDir=/home/sdvaletone
caddy.AppDataDir=/home/sdvaletone/.local/share/caddy
caddy.AppConfigDir=/home/sdvaletone/.config/caddy
caddy.ConfigAutosavePath=/home/sdvaletone/.config/caddy/autosave.json
caddy.Version=v2.4.6 h1:HGkGICFGvyrodcqOOclHKfvJC0qTU7vny/7FhYp9hNw=
runtime.GOOS=linux
runtime.GOARCH=amd64
runtime.Compiler=gc
runtime.NumCPU=4
runtime.GOMAXPROCS=4
runtime.Version=go1.17.2
os.Getwd=/etc/caddy

SHELL=/bin/bash
PWD=/etc/caddy
LOGNAME=sdvaletone
XDG_SESSION_TYPE=tty
MOTD_SHOWN=pam
HOME=/home/sdvaletone
LANG=en_US.UTF-8
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:.tar=01;31:.tgz=01;31:.arc=01;31:.arj=01;31:.taz=01;31:.lha=01;31:.lz4=01;31:.lzh=01;31:.lzma=01;31:.tlz=01;31:.txz=01;31:.tzo=01;31:.t7z=01;31:.zip=01;31:.z=01;31:.dz=01;31:.gz=01;31:.lrz=01;31:.lz=01;31:.lzo=01;31:.xz=01;31:.zst=01;31:.tzst=01;31:.bz2=01;31:.bz=01;31:.tbz=01;31:.tbz2=01;31:.tz=01;31:.deb=01;31:.rpm=01;31:.jar=01;31:.war=01;31:.ear=01;31:.sar=01;31:.rar=01;31:.alz=01;31:.ace=01;31:.zoo=01;31:.cpio=01;31:.7z=01;31:.rz=01;31:.cab=01;31:.wim=01;31:.swm=01;31:.dwm=01;31:.esd=01;31:.jpg=01;35:.jpeg=01;35:.mjpg=01;35:.mjpeg=01;35:.gif=01;35:.bmp=01;35:.pbm=01;35:.pgm=01;35:.ppm=01;35:.tga=01;35:.xbm=01;35:.xpm=01;35:.tif=01;35:.tiff=01;35:.png=01;35:.svg=01;35:.svgz=01;35:.mng=01;35:.pcx=01;35:.mov=01;35:.mpg=01;35:.mpeg=01;35:.m2v=01;35:.mkv=01;35:.webm=01;35:.webp=01;35:.ogm=01;35:.mp4=01;35:.m4v=01;35:.mp4v=01;35:.vob=01;35:.qt=01;35:.nuv=01;35:.wmv=01;35:.asf=01;35:.rm=01;35:.rmvb=01;35:.flc=01;35:.avi=01;35:.fli=01;35:.flv=01;35:.gl=01;35:.dl=01;35:.xcf=01;35:.xwd=01;35:.yuv=01;35:.cgm=01;35:.emf=01;35:.ogv=01;35:.ogx=01;35:.aac=00;36:.au=00;36:.flac=00;36:.m4a=00;36:.mid=00;36:.midi=00;36:.mka=00;36:.mp3=00;36:.mpc=00;36:.ogg=00;36:.ra=00;36:.wav=00;36:.oga=00;36:.opus=00;36:.spx=00;36:.xspf=00;36:
SSH_CONNECTION=192.168.1.198 57620 192.168.1.44 22
LESSCLOSE=/usr/bin/lesspipe %s %s
XDG_SESSION_CLASS=user
TERM=xterm-256color
LESSOPEN=| /usr/bin/lesspipe %s
USER=sdvaletone
SHLVL=1
XDG_SESSION_ID=76
XDG_RUNTIME_DIR=/run/user/1000
SSH_CLIENT=192.168.1.198 57620 22
XDG_DATA_DIRS=/usr/local/share:/usr/share:/var/lib/snapd/desktop
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
SSH_TTY=/dev/pts/0
OLDPWD=/home/sdvaletone
_=/usr/bin/caddy

b. Command:

sudo caddy start

d. My complete Caddyfile or JSON config:

{
        storage file_system /mnt/HDD_Data/Caddy_configs/caddy
}

kavita.nervhq.space {
        reverse_proxy :5000
}

3. The problem I’m having:

I am trying to serve a Docker container of Kavita through a subdomain of nervhq.space, which is currently serving Jellyfin through a bare-metal installation on my Raspberry Pi.

Currently I also have an Ubuntu server that I have configured to share the same cert path with the instance that is running on the Raspberry Pi.

When trying to get Caddy to serve the Kavita Docker container to the kavita.nervhq.space domain, I am met with a certificate error as shown below.

I have been able to access the Docker container at 192.168.1.44:5000, so I know that the Docker configurations are good, but I cannot get the Ubuntu server to serve the container to the domain.

4. Error messages and/or full log output:

sdvaletone@lclcommand:/etc/caddy$ sudo caddy start
2021/11/25 00:46:56.316 INFO    using adjacent Caddyfile
2021/11/25 00:46:56.320 INFO    admin   admin endpoint started  {"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["localhost:2019", "[::1]:2019", "127.0.0.1:2019"]}
2021/11/25 00:46:56.320 INFO    http    server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2021/11/25 00:46:56.320 INFO    http    enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2021/11/25 00:46:56.320 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc0003e6c40"}
2021/11/25 00:46:56.322 INFO    http    enabling automatic TLS certificate management   {"domains": ["kavita.nervhq.space"]}
2021/11/25 00:46:56.322 INFO    tls     cleaning storage unit   {"description": "FileStorage:/mnt/HDD_Data/Caddy_configs/caddy"}
2021/11/25 00:46:56.322 INFO    tls     finished cleaning storage units
2021/11/25 00:46:56.322 INFO    autosaved config (load with --resume flag)      {"file": "/root/.config/caddy/autosave.json"}
2021/11/25 00:46:56.322 INFO    serving initial configuration
Successfully started Caddy (pid=72750) - Caddy is running in the background
2021/11/25 00:46:56.324 INFO    tls.obtain      acquiring lock  {"identifier": "kavita.nervhq.space"}
2021/11/25 00:46:56.327 INFO    tls.obtain      lock acquired   {"identifier": "kavita.nervhq.space"}
sdvaletone@lclcommand:/etc/caddy$ 2021/11/25 00:46:56.329       INFO    tls.issuance.acme       waiting on internal rate limiter        {"identifiers": ["kavita.nervhq.space"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2021/11/25 00:46:56.329 INFO    tls.issuance.acme       done waiting on internal rate limiter   {"identifiers": ["kavita.nervhq.space"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2021/11/25 00:46:57.003 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "kavita.nervhq.space", "challenge_type": "tls-alpn-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2021/11/25 00:47:02.609 ERROR   tls.issuance.acme.acme_client   challenge failed        {"identifier": "kavita.nervhq.space", "challenge_type": "tls-alpn-01", "problem": {"type": "urn:ietf:params:acme:error:tls", "title": "", "detail": "remote error: tls: internal error", "instance": "", "subproblems": []}}
2021/11/25 00:47:02.609 ERROR   tls.issuance.acme.acme_client   validating authorization        {"identifier": "kavita.nervhq.space", "problem": {"type": "urn:ietf:params:acme:error:tls", "title": "", "detail": "remote error: tls: internal error", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/289192440/42270754800", "attempt": 1, "max_attempts": 3}
2021/11/25 00:47:03.885 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "kavita.nervhq.space", "challenge_type": "http-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2021/11/25 00:47:05.012 ERROR   tls.issuance.acme.acme_client   challenge failed        {"identifier": "kavita.nervhq.space", "challenge_type": "http-01", "problem": {"type": "urn:ietf:params:acme:error:tls", "title": "", "detail": "Fetching https://kavita.nervhq.space/.well-known/acme-challenge/RmsTpSCI0ApuxuWpqNjBlxAL9HxefIJtBi_sK52_fyo: remote error: tls: internal error", "instance": "", "subproblems": []}}
2021/11/25 00:47:05.012 ERROR   tls.issuance.acme.acme_client   validating authorization        {"identifier": "kavita.nervhq.space", "problem": {"type": "urn:ietf:params:acme:error:tls", "title": "", "detail": "Fetching https://kavita.nervhq.space/.well-known/acme-challenge/RmsTpSCI0ApuxuWpqNjBlxAL9HxefIJtBi_sK52_fyo: remote error: tls: internal error", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/289192440/42270784000", "attempt": 2, "max_attempts": 3}
2021/11/25 00:47:06.391 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "kavita.nervhq.space", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[kavita.nervhq.space] solving challenges: kavita.nervhq.space: no solvers available for remaining challenges (configured=[tls-alpn-01 http-01] offered=[http-01 dns-01 tls-alpn-01] remaining=[dns-01]) (order=https://acme-v02.api.letsencrypt.org/acme/order/289192440/42270795550) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
2021/11/25 00:47:06.393 WARN    tls.issuance.zerossl    missing email address for ZeroSSL; it is strongly recommended to set one for next time
2021/11/25 00:47:06.797 INFO    tls.issuance.zerossl    generated EAB credentials       {"key_id": "c_3rDsSkrNWdHG4CfQIb2g"}
2021/11/25 00:47:07.800 INFO    tls.issuance.acme       waiting on internal rate limiter        {"identifiers": ["kavita.nervhq.space"], "ca": "https://acme.zerossl.com/v2/DV90", "account": ""}
2021/11/25 00:47:07.800 INFO    tls.issuance.acme       done waiting on internal rate limiter   {"identifiers": ["kavita.nervhq.space"], "ca": "https://acme.zerossl.com/v2/DV90", "account": ""}
2021/11/25 00:47:09.004 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "kavita.nervhq.space", "challenge_type": "http-01", "ca": "https://acme.zerossl.com/v2/DV90"}

5. What I already tried:

I have tried forcing the Caddyfile to serve HTTP but am still met with:

Secure Connection Failed

An error occurred during a connection to kavita.nervhq.space. Peer reports it experienced an internal error.

Error code: SSL_ERROR_INTERNAL_ERROR_ALERT

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

Using nslookup I can see that the domain and subdomain are pointing to my correct public IP address.

Port forwarding has been checked on the Ubuntu device and all is green there.

Using letsdebug.net I am met with:

[ANotWorking](https://letsdebug.net/kavita.nervhq.space/790562#ANotWorking-Error)

ERROR

kavita.nervhq.space has an A (IPv4) record (23.252.215.195) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.

Get "https://kavita.nervhq.space/.well-known/acme-challenge/letsdebug-test": remote error: tls: internal error

Trace:
@0ms: Making a request to http://kavita.nervhq.space/.well-known/acme-challenge/letsdebug-test (using initial IP 23.252.215.195)
@0ms: Dialing 23.252.215.195
@125ms: Server response: HTTP 308 Permanent Redirect
@125ms: Received redirect to https://kavita.nervhq.space/.well-known/acme-challenge/letsdebug-test
@125ms: Dialing 23.252.215.195
@246ms: Experienced error: remote error: tls: internal error

6. Links to relevant resources:

N/A for now

I’m a bit confused. So you have two separate machines in this situation? I assume ports 80 and 443 are forwarded to your existing Pi for Jellyfin?

To solve the ACME challenges, Caddy needs to be reachable on ports 80 and 443, so it won’t work if the ports are forwarded to another machine.

You’d probably be better off making Caddy your entrypoint for all your sites you’re serving, so in Caddy, add a second site for nervhq.space (I guess this is your Jellyfin?) which reverse_proxy's to your Pi on whatever HTTP port Jellyfin is listening on (it defaults to 8096 typically).
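As an added example (not part of the thread and not Caddy's own tooling), a small Python parser for the console-format log quoted above that pulls out the failed ACME challenges and turns the failure pattern into findings about which host the CA actually reached. The sample lines are constructed to match the post's log shape, with the challenge token replaced by a placeholder.

```python
import json
import re

# Constructed sample in the shape of Caddy's console log as quoted in the post:
# timestamp, level, logger, message, then an optional JSON object of structured fields.
SAMPLE_LOG = """\
2021/11/25 00:46:57.003 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "kavita.nervhq.space", "challenge_type": "tls-alpn-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2021/11/25 00:47:02.609 ERROR   tls.issuance.acme.acme_client   challenge failed        {"identifier": "kavita.nervhq.space", "challenge_type": "tls-alpn-01", "problem": {"type": "urn:ietf:params:acme:error:tls", "title": "", "detail": "remote error: tls: internal error", "instance": "", "subproblems": []}}
2021/11/25 00:47:05.012 ERROR   tls.issuance.acme.acme_client   challenge failed        {"identifier": "kavita.nervhq.space", "challenge_type": "http-01", "problem": {"type": "urn:ietf:params:acme:error:tls", "title": "", "detail": "Fetching https://kavita.nervhq.space/.well-known/acme-challenge/TOKEN: remote error: tls: internal error", "instance": "", "subproblems": []}}
2021/11/25 00:47:06.393 WARN    tls.issuance.zerossl    missing email address for ZeroSSL; it is strongly recommended to set one for next time
"""

LINE_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(\w+)\s+(\S+)\s+(.*?)(?:\s+(\{.*\}))?$"
)

def parse_line(line):
    """Split one console-format log line into its fields; None for non-log lines (e.g. shell prompts)."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    ts, level, logger, msg, fields = m.groups()
    return {"ts": ts, "level": level, "logger": logger, "msg": msg,
            "fields": json.loads(fields) if fields else {}}

def acme_failures(log_text):
    """One (identifier, challenge_type, problem_type, detail) tuple per failed ACME challenge."""
    out = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and rec["msg"] == "challenge failed":
            f = rec["fields"]
            prob = f.get("problem", {})
            out.append((f.get("identifier"), f.get("challenge_type"), prob.get("type"), prob.get("detail")))
    return out

def diagnose(failures):
    """Turn the failure pattern into short findings about which host the CA actually reached."""
    findings = []
    details = [d or "" for _, _, _, d in failures]
    if failures and all("tls: internal error" in d for d in details):
        findings.append("every validation ended in a TLS internal-error alert from the host answering "
                        "on port 443, which is what Caddy sends when it has no certificate for the name")
    if {"http-01", "tls-alpn-01"} <= {ct for _, ct, _, _ in failures}:
        findings.append("http-01 and tls-alpn-01 both failed, so neither port 80 nor 443 reaches "
                        "this Caddy instance; check where the router forwards those ports")
    if any(ct == "http-01" and d.startswith("Fetching https://") for (_, ct, _, _), d in zip(failures, details)):
        findings.append("port 80 redirected the challenge to HTTPS instead of serving the token, "
                        "so a server that does not know this challenge owns port 80")
    return findings

if __name__ == "__main__":
    for finding in diagnose(acme_failures(SAMPLE_LOG)):
        print("-", finding)
```

Run it against the output of `caddy run` (or the journal) on the machine that is supposed to own the ports; all three findings together match the situation in this thread, where the forwarded ports land on the Pi.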