1. Caddy version (`caddy version`): 2.4.6
2. How I run Caddy:
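# Caddy release to build. The same value selects both base-image tags and the
# xcaddy build target, so the builder, the runtime image and the binary agree.
ARG VERSION=2.4.6

###########
# builder #
###########
# NOTE(review): the base images are referenced by tag only. Tags are mutable;
# pinning by digest (caddy:<tag>@sha256:<digest>) makes the build reproducible.
FROM caddy:${VERSION}-builder-alpine AS builder
# An ARG declared before FROM is only visible to FROM lines; redeclare it so
# the RUN step below can expand it.
ARG VERSION
# Version of the Cloudflare DNS provider module compiled into the binary.
# The default "latest" keeps the previous (unpinned) behaviour. This module
# handles the Cloudflare API token at runtime, so release builds should pin it:
#   docker build --build-arg CLOUDFLARE_DNS_VERSION=<tag-or-commit> .
ARG CLOUDFLARE_DNS_VERSION=latest
RUN xcaddy build v${VERSION} \
    --with github.com/caddy-dns/cloudflare@${CLOUDFLARE_DNS_VERSION}

#########
# image #
#########
# Only the compiled binary is copied over; the Go toolchain and module cache
# stay behind in the builder stage.
FROM caddy:${VERSION}-alpine
COPY --from=builder /usr/bin/caddy /usr/bin/caddy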
a. System environment:
OS Information linux x86_64 Slackware 14.2 x86_64 (post 14.2 -current)
Kernel Version 5.10.28-Unraid
Total CPU 16
Total memory 16.8 GB
Version 20.10.5 (API: 1.41)
Root directory /var/lib/docker
Storage Driver btrfs
Logging Driver json-file
Volume Plugins local
Network Plugins bridge, host, ipvlan, macvlan, null, overlay
b. Command:
Paste command here.
c. Service/unit/compose file:
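# Compose definition for the custom Caddy image.
# Indentation restored: YAML nesting is significant and was lost in the paste.
version: '3.9'
services:
  caddy:
    image: erfianugrah/caddy-cfdns:v1.2-2.4.6
    hostname: caddy
    container_name: caddy
    restart: unless-stopped
    # Host networking: the container shares the host's network stack, so Caddy
    # binds the host's ports directly and "localhost" is the host loopback.
    network_mode: host
    # NOTE(review): privileged mode grants every capability and access to host
    # devices. Nothing else in this file shows a need for it; confirm whether
    # it can be dropped (binding ports below 1024 needs at most the
    # NET_BIND_SERVICE capability).
    privileged: true
    volumes:
      # NOTE(review): mounted read-write; a ":ro" suffix would be enough if
      # Caddy only reads this file - confirm before changing.
      - /mnt/user/data/caddy/Caddyfile:/etc/caddy/Caddyfile
      - /mnt/user/data/caddy/site:/srv
      # Certificate storage (the log on this page reports
      # FileStorage:/data/caddy); it holds private keys, so keep the host
      # directory's permissions tight.
      - /mnt/user/data/caddy/data:/data
      - /mnt/user/data/caddy/config:/config
      # Receives the debug-level log configured in the Caddyfile.
      - /mnt/user/data/caddy/log:/var/log
    environment:
      - TZ=Asia/Singapore
      # Substituted from the deploying environment (or an .env file) rather
      # than hard-coded; the values are still visible to anyone who can
      # inspect the container.
      - CF_API_TOKEN=${CF_API_TOKEN}
      - EMAIL=${EMAIL}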
d. My complete Caddyfile or JSON config:
# Global options block: settings here apply to every site in this Caddyfile.
{
# The ACME account e-mail and the Cloudflare API token are read from the
# environment, so neither value is stored in this file.
email {env.EMAIL}
# NOTE(review): with this option set, the log excerpt on this page still
# reports "no solver configured" for dns-01, while the per-site
# `dns cloudflare` form shown later on the page completes a dns-01 challenge.
acme_dns cloudflare {env.CF_API_TOKEN}
cert_issuer acme
http_port 80
https_port 443
# Admin API bound to loopback only. Under host networking (see the compose
# file) this is the host's loopback, reachable by any local process.
admin localhost:2019
# Debug mode plus a debug-level logger. The log excerpt on this page shows
# that at this level reverse_proxy entries include full request and response
# headers (Cookie, Set-Cookie, X-Api-Key). Treat the log file as sensitive,
# scrub it before sharing, and lower the level once troubleshooting is done.
debug
grace_period 5s
log {
level debug
# Despite the file name, this is the default logger's output; rotated at
# 1 GB, keeping 5 files for at most 720 hours.
output file /var/log/access.log {
roll_size 1gb
roll_keep 5
roll_keep_for 720h
}
}
servers {
protocol {
# Reject requests whose Host header does not match the TLS ServerName.
strict_sni_host
}
}
}
# Site blocks: one public hostname per backend, each reverse-proxied to a
# fixed container IP and port (or to localhost). Every block repeats the same
# `tls { resolvers 1.1.1.1 }` stanza.
# NOTE(review): no access-control directive appears in any of these blocks.
# Whether each upstream enforces its own authentication is not visible here;
# verify that before exposing administrative backends on public hostnames.
erfianugrah.com {
tls {
resolvers 1.1.1.1
}
# Matches request paths ending in an image extension.
# NOTE(review): "web" is presumably meant to be "webp" - confirm.
@image path_regexp image ^.*\.(jpe?g|png|gif|web)$
# Long-lived caching and a wildcard CORS origin, applied to image responses
# only; `defer` applies the headers when the response is written.
header @image {
defer
Cache-Control "public, max-age=31536000, stale-while-revalidate=31536000"
Access-Control-Allow-Origin "*"
Access-Control-Max-Age "86400"
}
reverse_proxy 172.18.0.2:2368
}
port.erfianugrah.com {
tls {
resolvers 1.1.1.1
}
reverse_proxy 172.17.0.3:9000
}
servarr.erfianugrah.com {
tls {
resolvers 1.1.1.1
}
reverse_proxy localhost:90
}
plex.erfianugrah.com {
tls {
resolvers 1.1.1.1
}
reverse_proxy 172.19.0.8:32400
}
hydra.erfianugrah.com {
tls {
resolvers 1.1.1.1
}
reverse_proxy 172.19.0.7:5076
}
nzb.erfianugrah.com {
tls {
resolvers 1.1.1.1
}
reverse_proxy 172.19.0.6:7000
}
sonarr.erfianugrah.com {
tls {
resolvers 1.1.1.1
}
reverse_proxy 172.19.0.3:8989
}
radarr.erfianugrah.com {
tls {
resolvers 1.1.1.1
}
reverse_proxy 172.19.0.2:7878
}
bazarr.erfianugrah.com {
tls {
resolvers 1.1.1.1
}
reverse_proxy 172.19.0.4:6767
}
lidarr.erfianugrah.com {
tls {
resolvers 1.1.1.1
}
reverse_proxy 172.19.0.5:8686
}
nextcloud.erfianugrah.com {
tls {
resolvers 1.1.1.1
}
reverse_proxy 172.21.0.2:80
}
grafana-unraid.erfianugrah.com {
tls {
resolvers 1.1.1.1
}
reverse_proxy 172.17.0.2:3000
}
prom-unraid.erfianugrah.com {
tls {
resolvers 1.1.1.1
}
reverse_proxy 172.17.0.4:9090
}
# The host this report is about: the site whose certificate issuance fails in
# the log excerpt.
vaultwarden.erfianugrah.com {
tls {
resolvers 1.1.1.1
}
encode gzip
# /notifications/hub goes to port 3012 on the backend; everything else goes
# to port 80, with the client address passed upstream in X-Real-IP.
reverse_proxy /notifications/hub 172.20.0.2:3012
reverse_proxy 172.20.0.2:80 {
header_up X-Real-IP {remote_host}
}
}
3. The problem I’m having:
I’m not sure the global options are doing anything at all. Past certificates were issued over the HTTP challenge, before I had ACME DNS set up; I just had to grey-cloud the record on Cloudflare. But issuance for this new host doesn’t work now.
4. Error messages and/or full log output:
{"level":"debug","ts":1642317283.304537,"logger":"tls.issuance.acme.acme_client","msg":"no solver configured","challenge_type":"dns-01"}
{"level":"info","ts":1642317283.3046834,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"vaultwarden.erfianugrah.com","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"debug","ts":1642317284.6302872,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"172.19.0.3:8989","duration":0.007560517,"request":{"remote_addr":"192.168.1.227:62246","proto":"HTTP/2.0","method":"GET","host":"sonarr.erfianugrah.com","uri":"/api/v3/command","headers":{"Sec-Fetch-Mode":["cors"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0"],"Accept":["application/json, text/javascript, */*; q=0.01"],"Sec-Fetch-Dest":["empty"],"X-Forwarded-Proto":["https"],"Sec-Fetch-Site":["same-origin"],"Te":["trailers"],"Accept-Language":["en-GB,en;q=0.5"],"Accept-Encoding":["gzip, deflate, br"],"X-Api-Key":["4d6b845835534fcfbf58b2cd1b726a95"],"X-Requested-With":["XMLHttpRequest"],"Dnt":["1"],"Referer":["https://sonarr.erfianugrah.com/"],"Cookie":["SonarrAuth=AxKYi1OVcfiRNkAWJwN0%2fkXLtUPz2QEaOhTIU4Q88EY%3do%2bYeDwXOJmHs8CPtWFHo43XcrW6s4b2N6GPInUNGFzMJk7YxkhN2PC%2bgT6RvEcf6"],"X-Forwarded-For":["192.168.1.227"]},"tls":{"resumed":true,"version":772,"cipher_suite":4865,"proto":"h2","proto_mutual":true,"server_name":"sonarr.erfianugrah.com"}},"headers":{"Date":["Sun, 16 Jan 2022 07:14:44 GMT"],"Vary":["Accept"],"Access-Control-Allow-Origin":["*"],"Set-Cookie":["SonarrAuth=AxKYi1OVcfiRNkAWJwN0%2fkXLtUPz2QEaOhTIU4Q88EY%3do%2bYeDwXOJmHs8CPtWFHo43XcrW6s4b2N6GPInUNGFzMJk7YxkhN2PC%2bgT6RvEcf6; path=/; expires=Sun, 23-Jan-2022 07:14:44 GMT; HttpOnly; SameSite=Lax"],"Server":["Mono-HTTPAPI/1.0"],"Content-Encoding":["gzip"],"Content-Type":["application/json; charset=utf-8"],"Keep-Alive":["timeout=15,max=100"],"X-Application-Version":["3.0.6.1342"],"Cache-Control":["no-cache, no-store, must-revalidate, max-age=0"],"Pragma":["no-cache"],"Expires":["0"]},"status":200}
{"level":"debug","ts":1642317285.902872,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/chall/tM-_8Y7sHENNy_vyILssAw","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["164"],"Content-Type":["application/json"],"Date":["Sun, 16 Jan 2022 07:14:45 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\"","<https://acme.zerossl.com/v2/DV90/authz/7o05y6voi8f8K9tpgkwy8A>;rel=\"up\""],"Replay-Nonce":["cXp_8bbbrLA3N8uKlrkpFI7ASWhji4M56cpCjQpJjuc"],"Retry-After":["10"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]},"status_code":200}
{"level":"debug","ts":1642317285.9036982,"logger":"tls.issuance.acme.acme_client","msg":"challenge accepted","identifier":"vaultwarden.erfianugrah.com","challenge_type":"http-01"}
{"level":"debug","ts":1642317268.268725,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/1441475148","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["40180628"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["1855"],"Content-Type":["application/json"],"Date":["Sun, 16 Jan 2022 07:14:28 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0002gCOcGA-03k_KcHaWhwro5xcjL51MkOXaJPLY03BGUtw"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"error","ts":1642317268.269506,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"vaultwarden.erfianugrah.com","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Invalid response from https://vaultwarden.erfianugrah.com/.well-known/acme-challenge/ycCWWeaG42BB8skQcqo11O8wapaR0oIUPr7LvBfSfWw [2606:4700::6810:ed85]: \"<!DOCTYPE html>\\n<!--[if lt IE 7]> <html class=\\\"no-js ie6 oldie\\\" lang=\\\"en-US\\\"> <![endif]-->\\n<!--[if IE 7]> <html class=\\\"no-js \"","instance":"","subproblems":[]}}
{"level":"error","ts":1642317268.2696366,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"vaultwarden.erfianugrah.com","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Invalid response from https://vaultwarden.erfianugrah.com/.well-known/acme-challenge/ycCWWeaG42BB8skQcqo11O8wapaR0oIUPr7LvBfSfWw [2606:4700::6810:ed85]: \"<!DOCTYPE html>\\n<!--[if lt IE 7]> <html class=\\\"no-js ie6 oldie\\\" lang=\\\"en-US\\\"> <![endif]-->\\n<!--[if IE 7]> <html class=\\\"no-js \"","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/40180628/1544867918","attempt":2,"max_attempts":3}
{"level":"debug","ts":1642317269.4954445,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["40180628"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["363"],"Content-Type":["application/json"],"Date":["Sun, 16 Jan 2022 07:14:29 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/order/40180628/1544868078"],"Replay-Nonce":["0002ixubGOULkMzCeBEJ2qsKJEbGndC-5feXe3Z4O3Cr4Qo"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}
{"level":"debug","ts":1642317269.701591,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/1441475298","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["40180628"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["829"],"Content-Type":["application/json"],"Date":["Sun, 16 Jan 2022 07:14:29 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0002jPqHGns10rv8G6qmo4anN8GdqytBgIWDhEfLI4bStq8"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1642317269.7017796,"logger":"tls.issuance.acme.acme_client","msg":"no solver configured","challenge_type":"dns-01"}
{"level":"debug","ts":1642317269.9105122,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/1441475298","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["40180628"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["833"],"Content-Type":["application/json"],"Date":["Sun, 16 Jan 2022 07:14:29 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0002A0cTLjILulcJliR1IQZv6wSLwX0C_aryx5JvR9Jgn_0"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
5. What I already tried:
I tried specifying the resolvers and forcing ACME as the certificate issuer.
Tried this as well:
# Variant tried as a workaround: the Cloudflare DNS challenge is configured
# inside this site's own tls block instead of relying on the global acme_dns
# option. The token is still read from the environment, not stored here.
vaultwarden.erfianugrah.com {
tls {
dns cloudflare {env.CF_API_TOKEN}
resolvers 1.1.1.1
}
encode gzip
# /notifications/hub goes to port 3012 on the backend; everything else goes
# to port 80, with the client address passed upstream in X-Real-IP.
reverse_proxy /notifications/hub 172.20.0.2:3012
reverse_proxy 172.20.0.2:80 {
header_up X-Real-IP {remote_host}
}
}
Which resulted in this:
{"level":"debug","ts":1642318980.2555122,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/12z-hAOGcDwY-iDBV_kSfA","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["457"],"Content-Type":["application/json"],"Date":["Sun, 16 Jan 2022 07:43:00 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["WFbi5d00AWzGDAcTB5qqbWsW4LOKVGpOGuqrnc718hs"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]},"status_code":200}
{"level":"info","ts":1642318980.2558122,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"vaultwarden.erfianugrah.com","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"debug","ts":1642318990.339418,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/chall/VyQazG90IOt5C8r1ap_ZVQ","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["163"],"Content-Type":["application/json"],"Date":["Sun, 16 Jan 2022 07:43:10 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\"","<https://acme.zerossl.com/v2/DV90/authz/12z-hAOGcDwY-iDBV_kSfA>;rel=\"up\""],"Replay-Nonce":["VPzh3o6HD6uZ0qBV0WIXJVAGJyGR95Rk3GkEs4kuqJ4"],"Retry-After":["10"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]},"status_code":200}
{"level":"debug","ts":1642318990.3397338,"logger":"tls.issuance.acme.acme_client","msg":"challenge accepted","identifier":"vaultwarden.erfianugrah.com","challenge_type":"dns-01"}
{"level":"debug","ts":1642318996.0105262,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/12z-hAOGcDwY-iDBV_kSfA","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["326"],"Content-Type":["application/json"],"Date":["Sun, 16 Jan 2022 07:43:15 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["YaoVEJUUjCIGq4Zf7awqDkkAdEwZ3ThaLuS0lOO3Qc8"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]},"status_code":200}
{"level":"info","ts":1642318996.3237948,"logger":"tls.issuance.acme.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme.zerossl.com/v2/DV90/order/l76Q1zYKgwh8KmBVHqxY3A"}
{"level":"debug","ts":1642319001.2273762,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/order/l76Q1zYKgwh8KmBVHqxY3A/finalize","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["292"],"Content-Type":["application/json"],"Date":["Sun, 16 Jan 2022 07:43:21 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/l76Q1zYKgwh8KmBVHqxY3A"],"Replay-Nonce":["FF4FluCKaH-bkGP0Ax72Qxiyd8gLoLnUTovU5mY5Ez0"],"Retry-After":["15"],"Server":["nginx"],"Status":[""],"Strict-Transport-Security":["max-age=15552000"]},"status_code":200}
{"level":"debug","ts":1642319021.4281766,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/order/l76Q1zYKgwh8KmBVHqxY3A","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["364"],"Content-Type":["application/json"],"Date":["Sun, 16 Jan 2022 07:43:41 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/l76Q1zYKgwh8KmBVHqxY3A"],"Replay-Nonce":["DKNla2CrUXViQ5EJlC0-7POm9t3yRiHV36OxM-KEaJU"],"Server":["nginx"],"Status":[""],"Strict-Transport-Security":["max-age=15552000"]},"status_code":200}
{"level":"debug","ts":1642319026.3529727,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/cert/ZXqWeNWRz2swlqZhmOdDew","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.4.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["4148"],"Content-Type":["application/pem-certificate-chain"],"Date":["Sun, 16 Jan 2022 07:43:46 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["ZF98-14E0FXoVl_OD9MJ3FgPiZdY1Ra1KtltHHWbI_c"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]},"status_code":200}
{"level":"info","ts":1642319026.3532124,"logger":"tls.issuance.acme.acme_client","msg":"successfully downloaded available certificate chains","count":1,"first_url":"https://acme.zerossl.com/v2/DV90/cert/ZXqWeNWRz2swlqZhmOdDew"}
{"level":"info","ts":1642319026.436798,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"vaultwarden.erfianugrah.com"}
{"level":"info","ts":1642319026.4368877,"logger":"tls.obtain","msg":"releasing lock","identifier":"vaultwarden.erfianugrah.com"}
{"level":"debug","ts":1642319026.4391541,"logger":"tls","msg":"loading managed certificate","domain":"vaultwarden.erfianugrah.com","expiration":1650153599,"issuer_key":"acme.zerossl.com-v2-DV90","storage":"FileStorage:/data/caddy"}
{"level":"warn","ts":1642319027.4483824,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [vaultwarden.erfianugrah.com]: parsing OCSP response: ocsp: error from server: unauthorized"}
{"level":"debug","ts":1642319027.4485528,"logger":"tls.cache","msg":"added certificate to cache","subjects":["vaultwarden.erfianugrah.com"],"expiration":1650153599,"managed":true,"issuer_key":"acme.zerossl.com-v2-DV90","hash":"88681f2a0270a02c5f4fc419b5eae115b4639dfbfd3e61b353cd29d344585240","cache_size":14,"cache_capacity":10000}
Why wouldn’t the global option work?
6. Links to relevant resources: