Upgrading from 2.0.0.beta15 to 2.3.0

1. Caddy version (caddy version):

  • Current: v2.0.0-beta.15 h1:Td1esMk7bebftnoBuT3gOqUGxew5HqdIKw3s36S8tNw=

  • Want to update to: v2.3.0 h1:fnrqJLa3G5vfxcxmOH/+kJOcunPLhSBnjgIvjXV/QTA=

2. How I run Caddy:

a. System environment:

  • Ubuntu: 20.04.1
  • Go: 1.15.7
  • xcaddy: 0.1.7

b. Command:

sudo systemctl daemon-reload
sudo systemctl enable caddy
sudo systemctl start caddy

c. Service/unit/compose file:

[Unit]
Description=Caddy Web Server
Documentation=https://caddyserver.com/docs/
After=network.target

[Service]
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --config /etc/caddy/caddy.json --resume --environ
ExecReload=/usr/bin/caddy reload --config /etc/caddy/caddy.json
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddyfile or JSON config:

{
  "apps": {
    "tls": {
      "automation": {
        "policies": [{
          "hosts": ["*.tryhexadecimal.com"],
          "management": {
            "module": "acme",
            "email": "letsencrypt@tryhexadecimal.com",
            "challenges": {
              "dns": {
                "provider": "cloudflare",
                "api_token": ""
              }
            }
          }
        },
        {
          "management": {
            "module": "acme",
            "email": "letsencrypt@tryhexadecimal.com",
            "on_demand": true
          }
        }],
        "on_demand": {
          "ask": "https://dashboard.tryhexadecimal.com/webhooks/caddy"
        }
      }
    },
    "http": {
      "servers": {
        "srv0": {
          "listen": [
            ":443"
          ],
          "routes": [
            {
              "match": [
                {
                  "host": [
                    "*.tryhexadecimal.com",
                    "*.*.*"
                  ]
                }
              ],
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "encodings": {
                            "gzip": {}
                          },
                          "handler": "encode"
                        },
                        {
                          "handler": "reverse_proxy",
                          "headers": {
                            "request": {
                              "set": {
                                "Host": [
                                  "{http.request.host}"
                                ],
                                "X-Forwarded-For": [
                                  "{http.request.remote.host}"
                                ],
                                "X-Forwarded-Port": [
                                  "{server_port}"
                                ],
                                "X-Forwarded-Proto": [
                                  "{http.request.scheme}"
                                ],
                                "X-Real-Ip": [
                                  "{http.request.remote.host}"
                                ]
                              }
                            }
                          },
                          "upstreams": [
                            {
                              "dial": "0.0.0.0:3000"
                            }
                          ]
                        }
                      ]
                    }
                  ]
                }
              ],
              "terminal": true
            }
          ]
        }
      }
    }
  }
}

3. The problem I’m having:

I’m trying to upgrade Caddy from 2.0.0.beta15 to 2.3.0. I just want to make sure I didn’t miss anything:

Based on the above, here’s the updated config file. Am I missing something?

{
  "apps": {
    "tls": {
      "automation": {
        "policies": [{
          "subjects": ["*.tryhexadecimal.com"],
          "issuers": [{
            "module": "acme",
            "email": "letsencrypt@tryhexadecimal.com",
            "challenges": {
              "dns": {
                "provider": {
                  "name": "cloudflare",
                  "api_token": "API KEY"
                }
              }
            }
          }]
        },
        {
          "issuers": [{
            "module": "acme",
            "email": "letsencrypt@tryhexadecimal.com"
          }],
          "on_demand": true
        }],
        "on_demand": {
          "ask": "WEBHOOK URL"
        }
      }
    },
    "http": {
      "servers": {
        "srv0": {
          "listen": [
            ":443"
          ],
          "routes": [
            {
              "match": [
                {
                  "host": [
                    "*.tryhexadecimal.com",
                    "*.*.*"
                  ]
                }
              ],
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "encodings": {
                            "gzip": {}
                          },
                          "handler": "encode"
                        },
                        {
                          "handler": "reverse_proxy",
                          "headers": {
                            "request": {
                              "set": {
                                "Host": [
                                  "{http.request.host}"
                                ],
                                "X-Forwarded-For": [
                                  "{http.request.remote.host}"
                                ],
                                "X-Forwarded-Port": [
                                  "{server_port}"
                                ],
                                "X-Forwarded-Proto": [
                                  "{http.request.scheme}"
                                ],
                                "X-Real-Ip": [
                                  "{http.request.remote.host}"
                                ]
                              }
                            }
                          },
                          "upstreams": [
                            {
                              "dial": "0.0.0.0:3000"
                            }
                          ]
                        }
                      ]
                    }
                  ]
                }
              ],
              "terminal": true
            }
          ]
        }
      }
    }
  }
}

I get the “failed to install root certificate” message. Based on the previous threads, this shouldn’t be a big deal?

{"level":"error","ts":1611840704.7908254,"logger":"pki.ca.local","msg":"failed to install root certificate","error":"failed to execute sudo: exit status 1","certificate_file":"storage:pki/authorities/local/root.crt"}
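The key renames between the two configs above (beta policy shape on one side, 2.3.0 shape on the other) can be applied mechanically. The script below is an added example, not Caddy's own code and not an official migration tool: it performs only the changes visible in this thread's two configs (`hosts` to `subjects`, the single `management` object to an `issuers` list, `on_demand` lifted from the issuer to the policy, and the DNS `provider` string to a `{"name": ..., "api_token": ...}` object) and passes everything else through unchanged. The sample input is a constructed copy of the old `tls` app with the token redacted.

```python
"""Convert a Caddy v2.0.0-beta TLS automation policy to the v2.3.0 shape.

Added example, not Caddy's code. It implements exactly the key changes seen
in this thread's before/after configs; other policy fields are copied as-is.
"""
import copy
import json

# Constructed sample: the old "tls" app from the thread, token redacted.
OLD_TLS_APP = json.loads("""
{
  "automation": {
    "policies": [
      {
        "hosts": ["*.tryhexadecimal.com"],
        "management": {
          "module": "acme",
          "email": "letsencrypt@tryhexadecimal.com",
          "challenges": {"dns": {"provider": "cloudflare", "api_token": "REDACTED"}}
        }
      },
      {
        "management": {
          "module": "acme",
          "email": "letsencrypt@tryhexadecimal.com",
          "on_demand": true
        }
      }
    ],
    "on_demand": {"ask": "https://dashboard.tryhexadecimal.com/webhooks/caddy"}
  }
}
""")


def migrate_policy(old):
    """Return a v2.3.0-style policy built from a beta-style one."""
    policy = copy.deepcopy(old)
    if "hosts" in policy:
        policy["subjects"] = policy.pop("hosts")
    mgmt = policy.pop("management", None)
    if mgmt is not None:
        issuer = copy.deepcopy(mgmt)
        # on_demand is a property of the policy now, not of the issuer.
        if "on_demand" in issuer:
            policy["on_demand"] = issuer.pop("on_demand")
        dns = issuer.get("challenges", {}).get("dns")
        if isinstance(dns, dict) and isinstance(dns.get("provider"), str):
            # Provider name and its credentials live in one object now.
            provider = {"name": dns.pop("provider")}
            if "api_token" in dns:
                provider["api_token"] = dns.pop("api_token")
            dns["provider"] = provider
        policy["issuers"] = [issuer]
    return policy


def migrate_tls_app(old_app):
    """Migrate every policy under automation.policies; leave the rest alone."""
    app = copy.deepcopy(old_app)
    automation = app.get("automation")
    if isinstance(automation, dict) and "policies" in automation:
        automation["policies"] = [migrate_policy(p) for p in automation["policies"]]
    return app


if __name__ == "__main__":
    print(json.dumps(migrate_tls_app(OLD_TLS_APP), indent=2))
```

Run it against the real config only after replacing the redacted token; the point of the script is to diff its output against the hand-written 2.3.0 config and confirm nothing was dropped.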

Remove all of this, it’s not useful.

Based on your config, I’m not sure why it would be trying to enable pki.ca.local. What else is in your logs?

Thanks for the help, Francis!

I got a new server, installed all packages from scratch, but still receive this warning (Caddy works fine, though). Here’s the rest of the logs:

{"level":"info","ts":1611857222.5556018,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
{"level":"info","ts":1611857222.5568812,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1611857222.5570378,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1611857222.5742583,"logger":"tls","msg":"cleaned up storage units"}
{"level":"info","ts":1611857222.5776513,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000259570"}
{"level":"warn","ts":1611857222.6251335,"logger":"pki.ca.local","msg":"installing root certificate (you might be prompted for password)","path":"storage:pki/authorities/local/root.crt"}
2021/01/28 18:07:02 not NSS security databases found
2021/01/28 18:07:02 define JAVA_HOME environment variable to use the Java trust
{"level":"error","ts":1611857222.6412492,"logger":"pki.ca.local","msg":"failed to install root certificate","error":"failed to execute sudo: exit status 1","certificate_file":"storage:pki/authorities/local/root.crt"}
{"level":"info","ts":1611857222.6424534,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["*.tryhexadecimal.com","*.*.*"]}

Hmm. Might be that Caddy is being confused by your *.*.* host matcher. Caddy’s automatic HTTPS is probably reading that as needing the internal issuer.

If I were to write your config with Caddyfile syntax, it would probably look like this:

{
	email letsencrypt@tryhexadecimal.com
	on_demand_tls {
		ask https://dashboard.tryhexadecimal.com/webhooks/caddy
	}
}

(handle-site) {
	encode gzip
	reverse_proxy 127.0.0.1:3000
}

*.tryhexadecimal.com {
	tls {
		dns cloudflare {env.CLOUDFLARE_TOKEN}
	}

	import handle-site
}

https:// {
	tls {
		on_demand
	}

	import handle-site
}
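The diagnosis above (a host matcher that does not look like a public DNS name pulls in the internal issuer, hence the `pki.ca.local` log lines) can be checked before a reload. The script below is an added example, not Caddy's or certmagic's code: it walks the top-level route matchers of a Caddy v2 JSON config and classifies each host name using a simplified approximation of certmagic's public-certificate eligibility rules (no IPs, no localhost or `.local` names, at most one wildcard and only in the leftmost label). The rule set is an assumption that may diverge from Caddy on edge cases, and nested subroute matchers are deliberately ignored. The sample config is a constructed, trimmed copy of the one in this thread.

```python
"""Flag host matchers that automatic HTTPS would hand to the internal CA.

Added example, not Caddy's code. qualifies_for_public_cert() is a simplified
approximation of certmagic's rules (assumption), not a copy of them.
"""
import ipaddress
import json

# Constructed sample: the thread's config, trimmed to what the check reads.
SAMPLE_CONFIG = json.loads("""
{
  "apps": {
    "tls": {"automation": {"policies": [
      {"subjects": ["*.tryhexadecimal.com"], "issuers": [{"module": "acme"}]},
      {"issuers": [{"module": "acme"}], "on_demand": true}
    ]}},
    "http": {"servers": {"srv0": {
      "listen": [":443"],
      "routes": [{"match": [{"host": ["*.tryhexadecimal.com", "*.*.*"]}],
                  "handle": [{"handler": "reverse_proxy",
                              "upstreams": [{"dial": "0.0.0.0:3000"}]}]}]
    }}}
  }
}
""")

INTERNAL = "internal CA (pki.ca.local)"
PUBLIC = "public ACME CA"


def is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def qualifies_for_public_cert(name):
    """Approximation of the public-CA eligibility test (assumption)."""
    name = name.lower().strip()
    if not name or is_ip(name):
        return False
    if name == "localhost" or name.endswith((".localhost", ".local")):
        return False
    if "*" in name:
        # Public CAs issue at most one wildcard, and only as the leftmost label.
        if name.count("*") != 1 or not name.startswith("*."):
            return False
    labels = name.split(".")
    # Needs at least two non-empty labels (a bare TLD or empty label is out).
    return len(labels) >= 2 and all(labels)


def host_matchers(config):
    """Collect host names from top-level route matchers of every HTTP server."""
    hosts = []
    servers = config.get("apps", {}).get("http", {}).get("servers", {})
    for server in servers.values():
        for route in server.get("routes", []):
            for matcher in route.get("match", []):
                hosts.extend(matcher.get("host", []))
    return hosts


def lint(config):
    """Map each host matcher to the issuer class automatic HTTPS would pick."""
    return {h: (PUBLIC if qualifies_for_public_cert(h) else INTERNAL)
            for h in host_matchers(config)}


if __name__ == "__main__":
    for host, issuer in lint(SAMPLE_CONFIG).items():
        print(f"{host:28} -> {issuer}")
```

Any name reported as `internal CA` is one to either drop from the matcher or cover explicitly with a policy, before the reload that would otherwise trigger the root-certificate install attempt seen in the logs.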

That’s incredibly helpful. Thank you so much, I really appreciate it!

I remember back in the day Caddyfile wasn’t as powerful, so I had to write JSON config from scratch. It’s great to see how far Caddyfile has evolved!

Just to confirm, this config will be able to obtain both wildcard certificate and certificates for third-party domains (given that the third-party domain points DNS record to my domain)?

Yeah that’s the idea. I didn’t run it of course, so you’ll need to try it and see.
