1. The problem I’m having:
I have been trying to get a reverse proxy set up with Caddy and DuckDNS for use with a Jellyfin server for 2 days now and I’m at the end of my rope.
2. Error messages and/or full log output:
C:\Tools\Caddy>caddy run --config Caddyfile
2023/10/02 00:14:10.079 e[34mINFOe[0m using provided configuration {"config_file": "Caddyfile", "config_adapter": ""}
2023/10/02 00:14:10.079 e[33mWARNe[0m Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies {"adapter": "caddyfile", "file": "Caddyfile", "line": 6}
2023/10/02 00:14:10.100 e[34mINFOe[0m admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["//127.0.0.1:2019", "//localhost:2019", "//[::1]:2019"]}
2023/10/02 00:14:10.101 e[34mINFOe[0m tls.cache.maintenance started background certificate maintenance {"cache": "0xc00048a100"}
2023/10/02 00:14:10.101 e[34mINFOe[0m http.auto_https server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2023/10/02 00:14:10.102 e[34mINFOe[0m http.auto_https enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
2023/10/02 00:14:10.102 e[35mDEBUGe[0m http.auto_https adjusted config {"tls": {"automation":{"policies":[{"subjects":["balthasar2.duckdns.org"]},{}]}}, "http": {"servers":{"remaining_auto_https_redirects":{"listen":[":80"],"routes":[{},{}]},"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"localhost:8096"}]}]}]}],"terminal":true}],"tls_connection_policies":[{}],"automatic_https":{}}}}}
2023/10/02 00:14:10.103 e[34mINFOe[0m tls cleaning storage unit {"description": "FileStorage:C:\\Users\\BALTHASAR-2\\AppData\\Roaming\\Caddy"}
2023/10/02 00:14:10.103 e[34mINFOe[0m http enabling HTTP/3 listener {"addr": ":443"}
2023/10/02 00:14:10.103 e[34mINFOe[0m tls finished cleaning storage units
2023/10/02 00:14:10.104 e[35mDEBUGe[0m http starting server loop {"address": "[::]:443", "tls": true, "http3": true}
2023/10/02 00:14:10.104 e[34mINFOe[0m http.log server running {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2023/10/02 00:14:10.104 e[35mDEBUGe[0m http starting server loop {"address": "[::]:80", "tls": false, "http3": false}
2023/10/02 00:14:10.104 e[34mINFOe[0m http.log server running {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2023/10/02 00:14:10.105 e[34mINFOe[0m http enabling automatic TLS certificate management {"domains": ["balthasar2.duckdns.org"]}
2023/10/02 00:14:10.116 e[34mINFOe[0m autosaved config (load with --resume flag) {"file": "C:\\Users\\BALTHASAR-2\\AppData\\Roaming\\Caddy\\autosave.json"}
2023/10/02 00:14:10.117 e[34mINFOe[0m serving initial configuration
2023/10/02 00:14:10.117 e[34mINFOe[0m tls.obtain acquiring lock {"identifier": "balthasar2.duckdns.org"}
2023/10/02 00:14:10.145 e[34mINFOe[0m tls.obtain lock acquired {"identifier": "balthasar2.duckdns.org"}
2023/10/02 00:14:10.153 e[34mINFOe[0m tls.obtain obtaining certificate {"identifier": "balthasar2.duckdns.org"}
2023/10/02 00:14:10.153 e[35mDEBUGe[0m events event {"name": "cert_obtaining", "id": "5d8bccff-139b-4937-92c7-60bc5656d99f", "origin": "tls", "data": {"identifier":"balthasar2.duckdns.org"}}
2023/10/02 00:14:10.155 e[35mDEBUGe[0m tls.obtain trying issuer 1/2 {"issuer": "acme-v02.api.letsencrypt.org-directory"}
2023/10/02 00:14:11.548 e[35mDEBUGe[0m tls.issuance.acme.acme_client http request {"method": "GET", "url": "https://acme-v02.api.letsencrypt.org/directory", "headers": {"User-Agent":["Caddy/2.7.4 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["752"],"Content-Type":["application/json"],"Date":["Mon, 02 Oct 2023 00:14:06 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2023/10/02 00:14:11.935 e[35mDEBUGe[0m tls.issuance.acme.acme_client http request {"method": "HEAD", "url": "https://acme-v02.api.letsencrypt.org/acme/new-nonce", "headers": {"User-Agent":["Caddy/2.7.4 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Date":["Mon, 02 Oct 2023 00:14:07 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["ufY58pLaIbvqtxLZw4Rv4sxtYP39Tefo2OhdR9_HxSsgJQzU4ko"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2023/10/02 00:14:12.405 e[35mDEBUGe[0m tls.issuance.acme.acme_client http request {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/new-acct", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Boulder-Requester":["1338794386"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["326"],"Content-Type":["application/json"],"Date":["Mon, 02 Oct 2023 00:14:07 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf>;rel=\"terms-of-service\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/acct/1338794386"],"Replay-Nonce":["ufY58pLaHpY0uSpAZaqRtbw1SKF5UcuVmQhmhSgvvWg11Bs8TUw"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 201}
2023/10/02 00:14:12.452 e[34mINFOe[0m tls.issuance.acme waiting on internal rate limiter {"identifiers": ["balthasar2.duckdns.org"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "<redacted>@gmail.com"}
2023/10/02 00:14:12.453 e[34mINFOe[0m tls.issuance.acme done waiting on internal rate limiter {"identifiers": ["balthasar2.duckdns.org"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "<redacted>@gmail.com"}
2023/10/02 00:14:13.295 e[35mDEBUGe[0m tls.issuance.acme.acme_client http request {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/new-order", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Boulder-Requester":["1338794386"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["348"],"Content-Type":["application/json"],"Date":["Mon, 02 Oct 2023 00:14:08 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/order/1338794386/212213182156"],"Replay-Nonce":["GuszAyB3ADwtSKSEGLcKmARI7BOFK4C2i5msbNVNiGoVkwXmOTQ"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 201}
2023/10/02 00:14:13.689 e[35mDEBUGe[0m tls.issuance.acme.acme_client http request {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/authz-v3/269841738126", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Boulder-Requester":["1338794386"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["806"],"Content-Type":["application/json"],"Date":["Mon, 02 Oct 2023 00:14:09 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["ufY58pLank-gYKcZtmEjpDe9n1owSY6_s4OoESrzbAv1BL8UTGM"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2023/10/02 00:14:13.694 e[34mINFOe[0m tls.issuance.acme.acme_client trying to solve challenge {"identifier": "balthasar2.duckdns.org", "challenge_type": "dns-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2023/10/02 00:16:53.872 e[31mERRORe[0m tls.issuance.acme.acme_client cleaning up solver {"identifier": "balthasar2.duckdns.org", "challenge_type": "dns-01", "error": "no memory of presenting a DNS record for \"_acme-challenge.balthasar2.duckdns.org\" (usually OK if presenting also failed)"}
2023/10/02 00:16:54.267 e[35mDEBUGe[0m tls.issuance.acme.acme_client http request {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/authz-v3/269841738126", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Boulder-Requester":["1338794386"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["810"],"Content-Type":["application/json"],"Date":["Mon, 02 Oct 2023 00:16:49 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["ufY58pLa1aoIna_Byqm8tVDBc5Q8CycrJ7Putz6q1Yv3wBjym-w"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2023/10/02 00:16:54.269 e[31mERRORe[0m tls.obtain could not get certificate from issuer {"identifier": "balthasar2.duckdns.org", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[balthasar2.duckdns.org] solving challenges: presenting for challenge: could not determine zone for domain \"_acme-challenge.balthasar2.duckdns.org\": could not find the start of authority for _acme-challenge.balthasar2.duckdns.org.: dial tcp 1.0.0.1:53: connectex: An attempt was made to access a socket in a way forbidden by its access permissions. (order=https://acme-v02.api.letsencrypt.org/acme/order/1338794386/212213182156) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
2023/10/02 00:16:54.273 e[35mDEBUGe[0m tls.obtain trying issuer 2/2 {"issuer": "acme.zerossl.com-v2-DV90"}
2023/10/02 00:16:57.069 e[34mINFOe[0m tls.issuance.zerossl generated EAB credentials {"key_id": "E-tMV-ndH1ZUZT6TU4POfg"}
2023/10/02 00:16:59.021 e[35mDEBUGe[0m tls.issuance.zerossl.acme_client http request {"method": "GET", "url": "https://acme.zerossl.com/v2/DV90", "headers": {"User-Agent":["Caddy/2.7.4 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Access-Control-Allow-Origin":["*"],"Content-Length":["645"],"Content-Type":["application/json"],"Date":["Mon, 02 Oct 2023 00:16:54 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]}, "status_code": 200}
2023/10/02 00:16:59.723 e[35mDEBUGe[0m tls.issuance.zerossl.acme_client http request {"method": "HEAD", "url": "https://acme.zerossl.com/v2/DV90/newNonce", "headers": {"User-Agent":["Caddy/2.7.4 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Type":["application/octet-stream"],"Date":["Mon, 02 Oct 2023 00:16:55 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["6-P0V6T2GV9gTDWnRu0wT4RIEyFVR3Oue0LGzqETyl8"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]}, "status_code": 200}
2023/10/02 00:17:00.556 e[35mDEBUGe[0m tls.issuance.zerossl.acme_client http request {"method": "POST", "url": "https://acme.zerossl.com/v2/DV90/newAccount", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["587"],"Content-Type":["application/json"],"Date":["Mon, 02 Oct 2023 00:16:55 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Location":["https://acme.zerossl.com/v2/DV90/account/E-tMV-ndH1ZUZT6TU4POfg"],"Replay-Nonce":["CddAyDSah5dCA3IFrI_dsmk2B8gSxtVOlH_cJJHI2zQ"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]}, "status_code": 201}
2023/10/02 00:17:00.589 e[34mINFOe[0m tls.issuance.zerossl waiting on internal rate limiter {"identifiers": ["balthasar2.duckdns.org"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "<redacted>@gmail.com"}
2023/10/02 00:17:00.590 e[34mINFOe[0m tls.issuance.zerossl done waiting on internal rate limiter {"identifiers": ["balthasar2.duckdns.org"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "<redacted>@gmail.com"}
2023/10/02 00:17:01.813 e[35mDEBUGe[0m tls.issuance.zerossl.acme_client http request {"method": "POST", "url": "https://acme.zerossl.com/v2/DV90/newOrder", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["284"],"Content-Type":["application/json"],"Date":["Mon, 02 Oct 2023 00:16:57 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/u2lYM0-c2Y9T9G4xqy6C5g"],"Replay-Nonce":["HgH0BXAjpI3ebC1Td9_6PT1C4xIJuZliFoyanFp-HPw"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]}, "status_code": 201}
2023/10/02 00:17:02.778 e[35mDEBUGe[0m tls.issuance.zerossl.acme_client http request {"method": "POST", "url": "https://acme.zerossl.com/v2/DV90/authz/bg8i3wIkDUb3gek9Hg_Fbg", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["452"],"Content-Type":["application/json"],"Date":["Mon, 02 Oct 2023 00:16:58 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["dfY2t7k12_gQZfVtVZLqnaKNEmj4i0F7QRLGvUDvnyM"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]}, "status_code": 200}
2023/10/02 00:17:02.791 e[34mINFOe[0m tls.issuance.zerossl.acme_client trying to solve challenge {"identifier": "balthasar2.duckdns.org", "challenge_type": "dns-01", "ca": "https://acme.zerossl.com/v2/DV90"}
2023/10/02 00:19:42.959 e[31mERRORe[0m tls.issuance.zerossl.acme_client cleaning up solver {"identifier": "balthasar2.duckdns.org", "challenge_type": "dns-01", "error": "no memory of presenting a DNS record for \"_acme-challenge.balthasar2.duckdns.org\" (usually OK if presenting also failed)"}
2023/10/02 00:19:46.105 e[35mDEBUGe[0m tls.issuance.zerossl.acme_client http request {"method": "POST", "url": "https://acme.zerossl.com/v2/DV90/authz/bg8i3wIkDUb3gek9Hg_Fbg", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.4 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["134"],"Content-Type":["application/json"],"Date":["Mon, 02 Oct 2023 00:19:40 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["bd5Qv5ew2dKv68pLIZMXCGYFlN9kGej-LHctkAw4WyU"],"Retry-After":["86400"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]}, "status_code": 200}
2023/10/02 00:19:46.113 e[31mERRORe[0m tls.obtain could not get certificate from issuer {"identifier": "balthasar2.duckdns.org", "issuer": "acme.zerossl.com-v2-DV90", "error": "[balthasar2.duckdns.org] solving challenges: presenting for challenge: could not determine zone for domain \"_acme-challenge.balthasar2.duckdns.org\": could not find the start of authority for _acme-challenge.balthasar2.duckdns.org.: dial tcp 1.0.0.1:53: connectex: An attempt was made to access a socket in a way forbidden by its access permissions. (order=https://acme.zerossl.com/v2/DV90/order/u2lYM0-c2Y9T9G4xqy6C5g) (ca=https://acme.zerossl.com/v2/DV90)"}
2023/10/02 00:19:46.116 e[35mDEBUGe[0m events event {"name": "cert_failed", "id": "ba5b84ee-daaa-4ffd-aa1a-81a183835e04", "origin": "tls", "data": {"error":{},"identifier":"balthasar2.duckdns.org","issuers":["acme-v02.api.letsencrypt.org-directory","acme.zerossl.com-v2-DV90"],"renewal":false}}
2023/10/02 00:19:46.117 e[31mERRORe[0m tls.obtain will retry {"error": "[balthasar2.duckdns.org] Obtain: [balthasar2.duckdns.org] solving challenges: presenting for challenge: could not determine zone for domain \"_acme-challenge.balthasar2.duckdns.org\": could not find the start of authority for _acme-challenge.balthasar2.duckdns.org.: dial tcp 1.0.0.1:53: connectex: An attempt was made to access a socket in a way forbidden by its access permissions. (order=https://acme.zerossl.com/v2/DV90/order/u2lYM0-c2Y9T9G4xqy6C5g) (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 1, "retrying_in": 60, "elapsed": 335.9649322, "max_duration": 2592000}
3. Caddy version:
I’m using the standard caddy build (2.7.4) + the duckdns module (0.4.0) [latest] found on the downloads page.
4. How I installed and ran Caddy:
Whenever I run caddy run, every single attempt of acme “trying to solve challenge” times out and fails and I can’t make sense of the errors.
a. System environment:
Windows 10, ethernet connection, and ports 80 & 443 opened and confirmed working through telnet test.
b. Command:
caddy run --config Caddyfile
c. Service/unit/compose file:
d. My complete Caddy config:
(duckdns) {
    tls {
        dns duckdns <my-api-key>
    }
}

balthasar2.duckdns.org {
    reverse_proxy localhost:8096
    import duckdns
}
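Added example, not part of the original post and not Caddy's own code: a small Python triage script for console logs in the format shown above. It extracts each "could not get certificate from issuer" error and reports whether issuance failed while presenting the dns-01 challenge and which resolver connection the OS refused; the sample lines are constructed (shortened, with `example.duckdns.org` and `ca.example` as placeholders).

```python
import json
import re

ANSI = re.compile(r"(?:\x1b|e)\[\d{1,2}m")  # real ESC codes or the "e[34m" residue
LINE = re.compile(r"^(\S+ \S+)\s+(DEBUG|INFO|WARN|ERROR)\s+(.*)$")
DIAL = re.compile(r"dial (tcp|udp) (\S+):(\d+): (.*?)(?= \(order=|$)")

# Constructed sample lines in the same shape as the log above.
SAMPLE = [
    r'2023/10/02 00:14:13.694 e[34mINFOe[0m tls.issuance.acme.acme_client trying to solve '
    r'challenge {"identifier": "example.duckdns.org", "challenge_type": "dns-01"}',
    r'2023/10/02 00:16:54.269 e[31mERRORe[0m tls.obtain could not get certificate from issuer '
    r'{"identifier": "example.duckdns.org", "issuer": "acme-v02.api.letsencrypt.org-directory", '
    r'"error": "[example.duckdns.org] solving challenges: presenting for challenge: could not '
    r'determine zone for domain \"_acme-challenge.example.duckdns.org\": could not find the '
    r'start of authority for _acme-challenge.example.duckdns.org.: dial tcp 1.0.0.1:53: '
    r'connectex: An attempt was made to access a socket in a way forbidden by its access '
    r'permissions. (order=https://ca.example/order/1) (ca=https://ca.example/dir)"}',
]

def parse_line(line):
    """Return (timestamp, level, text, fields) or None for a non-log line."""
    m = LINE.match(ANSI.sub("", line.strip()))
    if not m:
        return None
    ts, level, rest = m.groups()
    head, brace, tail = rest.partition("{")
    try:
        fields = json.loads(brace + tail) if brace else {}
    except json.JSONDecodeError:
        head, fields = rest, {}  # tail was not JSON; keep it as text
    return ts, level, head.strip(), fields

def issuance_failures(lines):
    """Summarise each failed issuance by issuer, stage and refused connection."""
    out = []
    for ts, level, text, fields in filter(None, map(parse_line, lines)):
        err = str(fields.get("error", ""))
        if level != "ERROR" or "could not get certificate" not in text:
            continue
        dial = DIAL.search(err)
        out.append({
            "time": ts, "issuer": fields.get("issuer"),
            # "presenting" = failed before the TXT record was published
            "stage": "presenting" if "presenting for challenge" in err else "other",
            "dial": f"{dial[1]}/{dial[2]}:{dial[3]}" if dial else None,
            "os_error": dial[4] if dial else None,
        })
    return out
```

A `stage` of `presenting` together with a `dial` target on port 53 means the failure is in the local SOA lookup for the zone, so the check to make is whether the host is allowed outbound DNS to that resolver.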