Using Caddy to give HTTPS access to pfSense firewall

1. The problem I’m having:

I am running Caddy and a number of web services as Docker containers on a Raspberry Pi. So far with this setup I have managed to give all the web services that run on the Raspberry Pi Let's Encrypt SSL certs, and I can access these services with my Duck DNS domain, along with a wildcard for each service. Now I am looking to add external services that run on their own dedicated hardware with their own private IP to Caddy on my Raspberry Pi.

In particular I want to be able to access my pfSense firewall with the same service.domain.duckdns.org setup I use with my Raspberry Pi Docker web services. However, I am having trouble with this. I have added an entry into my Caddyfile for pfSense and pointed it to the IP of pfSense. I then try to access pfSense like so: https://pfsense.test111.duckdns.org:8000. However, it always gives me a "Did Not Connect: Potential Security Issue" in the browser, although I can still use the IP address to connect with the built-in self-signed certificate for pfSense.

I should note that before Caddy, I did manage to get pfSense obtaining Let's Encrypt certs and using the same Duck DNS domain by using pfSense's built-in ACME and HAProxy packages, following a combination of this and this video. However, I find this method rather convoluted and much prefer the simplicity of Caddy, as well as liking the idea of a single place to handle all my SSL certs.

Here is a picture of my pfSense settings that I think will be important for setting up Caddy. Note I have re-enabled the self-signed certificate so pfSense doesn't use the one I generated with ACME and HAProxy.

2. Error messages and/or full log output:

Caddy docker logs:

{"level":"info","ts":1741522890.7888181,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
{"level":"warn","ts":1741522890.8001466,"logger":"caddyfile","msg":"Unnecessary header_up X-Forwarded-For: the reverse proxy's default behavior is to pass headers to the upstream"}
{"level":"warn","ts":1741522890.800453,"logger":"caddyfile","msg":"Unnecessary header_up X-Forwarded-Proto: the reverse proxy's default behavior is to pass headers to the upstream"}
{"level":"info","ts":1741522890.804668,"msg":"adapted config to JSON","adapter":"caddyfile"}
{"level":"info","ts":1741522890.8157327,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1741522890.816444,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x400062e480"}
{"level":"info","ts":1741522890.8171046,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1741522890.8172185,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1741522890.8172698,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv1"}
{"level":"info","ts":1741522890.8386512,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"info","ts":1741522890.8391519,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 7168 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
{"level":"info","ts":1741522890.839644,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"info","ts":1741522890.8400154,"logger":"http","msg":"enabling HTTP/3 listener","addr":":8443"}
{"level":"info","ts":1741522890.8405359,"logger":"http.log","msg":"server running","name":"srv1","protocols":["h1","h2","h3"]}
{"level":"warn","ts":1741522890.840965,"logger":"http","msg":"HTTP/2 skipped because it requires TLS","network":"tcp","addr":":80"}
{"level":"warn","ts":1741522890.841004,"logger":"http","msg":"HTTP/3 skipped because it requires TLS","network":"tcp","addr":":80"}
{"level":"info","ts":1741522890.8410168,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1741522890.841034,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["*.test111.duckdns.org","vaultwarden.test111.duckdns.org","pfsense.test111.duckdns.org","unifi.test111.duckdns.org"]}
{"level":"info","ts":1741522890.8892062,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/data/caddy","instance":"a16163dc-5a65-4977-a1d2-99f3861efde9","try_again":1741609290.889202,"try_again_in":86399.9999985}
{"level":"info","ts":1741522890.8915582,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1741522890.9124584,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1741522890.9127226,"msg":"serving initial configuration"}
{"level":"info","ts":1741522890.9262986,"logger":"tls.obtain","msg":"acquiring lock","identifier":"vaultwarden.test111.duckdns.org"}
{"level":"info","ts":1741522890.9262984,"logger":"tls.obtain","msg":"acquiring lock","identifier":"pfsense.test111.duckdns.org"}
{"level":"info","ts":1741522890.9528105,"logger":"tls.obtain","msg":"lock acquired","identifier":"vaultwarden.test111.duckdns.org"}
{"level":"info","ts":1741522890.9531705,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"vaultwarden.test111.duckdns.org"}
{"level":"info","ts":1741522890.9537354,"logger":"tls.obtain","msg":"lock acquired","identifier":"pfsense.test111.duckdns.org"}
{"level":"info","ts":1741522890.954138,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"pfsense.test111.duckdns.org"}
{"level":"info","ts":1741522890.9783883,"logger":"tls","msg":"waiting on internal rate limiter","identifiers":["vaultwarden.test111.duckdns.org"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
{"level":"info","ts":1741522890.9784508,"logger":"tls","msg":"done waiting on internal rate limiter","identifiers":["vaultwarden.test111.duckdns.org"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
{"level":"info","ts":1741522890.9784837,"logger":"tls","msg":"waiting on internal rate limiter","identifiers":["pfsense.test111.duckdns.org"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
{"level":"info","ts":1741522890.9786146,"logger":"tls","msg":"done waiting on internal rate limiter","identifiers":["pfsense.test111.duckdns.org"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
{"level":"info","ts":1741522890.978665,"logger":"tls","msg":"using ACME account","account_id":"https://acme-v02.api.letsencrypt.org/acme/acct/1972895377","account_contact":[]}
{"level":"info","ts":1741522890.9788687,"logger":"tls","msg":"using ACME account","account_id":"https://acme-v02.api.letsencrypt.org/acme/acct/1972895377","account_contact":[]}
{"level":"info","ts":1741522891.992128,"msg":"trying to solve challenge","identifier":"pfsense.test111.duckdns.org","challenge_type":"http-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"info","ts":1741522892.0048127,"msg":"trying to solve challenge","identifier":"vaultwarden.test111.duckdns.org","challenge_type":"http-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1741522892.6046786,"msg":"challenge failed","identifier":"pfsense.test111.duckdns.org","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for pfsense.test111.duckdns.org; no valid AAAA records found for pfsense.test111.duckdns.org","instance":"","subproblems":null},"stacktrace":"github.com/mholt/acmez/v3.(*Client).pollAuthorization\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:557\ngithub.com/mholt/acmez/v3.(*Client).solveChallenges\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:378\ngithub.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:136\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:477\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:371\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.9.1/modules/caddytls/acmeissuer.go:249\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:626\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:700\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:505\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:415\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:73"}
{"level":"error","ts":1741522892.616569,"msg":"validating authorization","identifier":"pfsense.test111.duckdns.org","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for pfsense.test111.duckdns.org; no valid AAAA records found for pfsense.test111.duckdns.org","instance":"","subproblems":null},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1972895377/361782770016","attempt":1,"max_attempts":3,"stacktrace":"github.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:152\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:477\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:371\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.9.1/modules/caddytls/acmeissuer.go:249\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:626\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:700\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:505\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:415\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:73"}
{"level":"error","ts":1741522892.634798,"msg":"challenge failed","identifier":"vaultwarden.test111.duckdns.org","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for vaultwarden.test111.duckdns.org; no valid AAAA records found for vaultwarden.test111.duckdns.org","instance":"","subproblems":null},"stacktrace":"github.com/mholt/acmez/v3.(*Client).pollAuthorization\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:557\ngithub.com/mholt/acmez/v3.(*Client).solveChallenges\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:378\ngithub.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:136\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:477\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:371\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.9.1/modules/caddytls/acmeissuer.go:249\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:626\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:700\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:505\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:415\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:73"}
{"level":"error","ts":1741522892.635291,"msg":"validating authorization","identifier":"vaultwarden.test111.duckdns.org","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for vaultwarden.test111.duckdns.org; no valid AAAA records found for vaultwarden.test111.duckdns.org","instance":"","subproblems":null},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1972895377/361782770136","attempt":1,"max_attempts":3,"stacktrace":"github.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:152\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:477\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:371\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.9.1/modules/caddytls/acmeissuer.go:249\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:626\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:700\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:505\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:415\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:73"}
{"level":"info","ts":1741522893.955492,"msg":"trying to solve challenge","identifier":"pfsense.test111.duckdns.org","challenge_type":"tls-alpn-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"info","ts":1741522893.972833,"msg":"trying to solve challenge","identifier":"vaultwarden.test111.duckdns.org","challenge_type":"tls-alpn-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1741522894.502912,"msg":"challenge failed","identifier":"pfsense.test111.duckdns.org","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for pfsense.test111.duckdns.org; no valid AAAA records found for pfsense.test111.duckdns.org","instance":"","subproblems":null},"stacktrace":"github.com/mholt/acmez/v3.(*Client).pollAuthorization\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:557\ngithub.com/mholt/acmez/v3.(*Client).solveChallenges\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:378\ngithub.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:136\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:477\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:371\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.9.1/modules/caddytls/acmeissuer.go:249\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:626\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:700\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:505\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:415\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:73"}
{"level":"error","ts":1741522894.5031183,"msg":"validating authorization","identifier":"pfsense.test111.duckdns.org","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for pfsense.test111.duckdns.org; no valid AAAA records found for pfsense.test111.duckdns.org","instance":"","subproblems":null},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1972895377/361782777656","attempt":2,"max_attempts":3,"stacktrace":"github.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:152\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:477\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:371\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.9.1/modules/caddytls/acmeissuer.go:249\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:626\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:700\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:505\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:415\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:73"}
{"level":"error","ts":1741522894.5032885,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"pfsense.test111.duckdns.org","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:dns - no valid A records found for pfsense.test111.duckdns.org; no valid AAAA records found for pfsense.test111.duckdns.org"}
{"level":"error","ts":1741522894.5034156,"logger":"tls.obtain","msg":"will retry","error":"[pfsense.test111.duckdns.org] Obtain: [pfsense.test111.duckdns.org] solving challenge: pfsense.test111.duckdns.org: [pfsense.test111.duckdns.org] authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - no valid A records found for pfsense.test111.duckdns.org; no valid AAAA records found for pfsense.test111.duckdns.org (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":3.549581825,"max_duration":2592000}
{"level":"error","ts":1741522894.5202942,"msg":"challenge failed","identifier":"vaultwarden.test111.duckdns.org","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for vaultwarden.test111.duckdns.org; no valid AAAA records found for vaultwarden.test111.duckdns.org","instance":"","subproblems":null},"stacktrace":"github.com/mholt/acmez/v3.(*Client).pollAuthorization\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:557\ngithub.com/mholt/acmez/v3.(*Client).solveChallenges\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:378\ngithub.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:136\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:477\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:371\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.9.1/modules/caddytls/acmeissuer.go:249\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:626\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:700\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:505\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:415\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:73"}
{"level":"error","ts":1741522894.5206387,"msg":"validating authorization","identifier":"vaultwarden.test111.duckdns.org","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for vaultwarden.test111.duckdns.org; no valid AAAA records found for vaultwarden.test111.duckdns.org","instance":"","subproblems":null},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1972895377/361782777726","attempt":2,"max_attempts":3,"stacktrace":"github.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:152\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:477\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:371\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.9.1/modules/caddytls/acmeissuer.go:249\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:626\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:700\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:505\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:415\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:73"}
{"level":"error","ts":1741522894.52084,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"vaultwarden.test111.duckdns.org","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:dns - no valid A records found for vaultwarden.test111.duckdns.org; no valid AAAA records found for vaultwarden.test111.duckdns.org"}
{"level":"error","ts":1741522894.5209808,"logger":"tls.obtain","msg":"will retry","error":"[vaultwarden.test111.duckdns.org] Obtain: [vaultwarden.test111.duckdns.org] solving challenge: vaultwarden.test111.duckdns.org: [vaultwarden.test111.duckdns.org] authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - no valid A records found for vaultwarden.test111.duckdns.org; no valid AAAA records found for vaultwarden.test111.duckdns.org (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":3.568060348,"max_duration":2592000}
{"level":"info","ts":1741522954.5040593,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"pfsense.test111.duckdns.org"}
{"level":"info","ts":1741522954.5129013,"logger":"tls","msg":"using ACME account","account_id":"https://acme-staging-v02.api.letsencrypt.org/acme/acct/165121373","account_contact":[]}
{"level":"info","ts":1741522954.522469,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"vaultwarden.test111.duckdns.org"}
{"level":"info","ts":1741522954.5253806,"logger":"tls","msg":"using ACME account","account_id":"https://acme-staging-v02.api.letsencrypt.org/acme/acct/165121373","account_contact":[]}
{"level":"info","ts":1741522955.5889032,"msg":"trying to solve challenge","identifier":"pfsense.test111.duckdns.org","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"info","ts":1741522955.6471725,"msg":"trying to solve challenge","identifier":"vaultwarden.test111.duckdns.org","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1741522956.1588385,"msg":"challenge failed","identifier":"pfsense.test111.duckdns.org","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for pfsense.test111.duckdns.org; no valid AAAA records found for pfsense.test111.duckdns.org","instance":"","subproblems":null},"stacktrace":"github.com/mholt/acmez/v3.(*Client).pollAuthorization\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:557\ngithub.com/mholt/acmez/v3.(*Client).solveChallenges\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:378\ngithub.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:136\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:477\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:371\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.9.1/modules/caddytls/acmeissuer.go:249\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:626\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:700\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:505\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:415\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:73"}
{"level":"error","ts":1741522956.1594877,"msg":"validating authorization","identifier":"pfsense.test111.duckdns.org","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for pfsense.test111.duckdns.org; no valid AAAA records found for pfsense.test111.duckdns.org","instance":"","subproblems":null},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/165121373/23132691434","attempt":1,"max_attempts":3,"stacktrace":"github.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:152\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:477\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:371\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.9.1/modules/caddytls/acmeissuer.go:249\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:626\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:700\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:505\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:415\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:73"}
{"level":"error","ts":1741522956.2270584,"msg":"challenge failed","identifier":"vaultwarden.test111.duckdns.org","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for vaultwarden.test111.duckdns.org; no valid AAAA records found for vaultwarden.test111.duckdns.org","instance":"","subproblems":null},"stacktrace":"github.com/mholt/acmez/v3.(*Client).pollAuthorization\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:557\ngithub.com/mholt/acmez/v3.(*Client).solveChallenges\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:378\ngithub.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:136\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:477\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:371\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.9.1/modules/caddytls/acmeissuer.go:249\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:626\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:700\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:505\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:415\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:73"}
{"level":"error","ts":1741522956.2275198,"msg":"validating authorization","identifier":"vaultwarden.test111.duckdns.org","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for vaultwarden.test111.duckdns.org; no valid AAAA records found for vaultwarden.test111.duckdns.org","instance":"","subproblems":null},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/165121373/23132691444","attempt":1,"max_attempts":3,"stacktrace":"github.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:152\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:477\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:371\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.9.1/modules/caddytls/acmeissuer.go:249\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:626\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:700\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:505\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:415\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:73"}
{"level":"info","ts":1741522957.4964,"msg":"trying to solve challenge","identifier":"pfsense.test111.duckdns.org","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"info","ts":1741522957.5613558,"msg":"trying to solve challenge","identifier":"vaultwarden.test111.duckdns.org","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1741522958.0635228,"msg":"challenge failed","identifier":"pfsense.test111.duckdns.org","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for pfsense.test111.duckdns.org; no valid AAAA records found for pfsense.test111.duckdns.org","instance":"","subproblems":null},"stacktrace":"github.com/mholt/acmez/v3.(*Client).pollAuthorization\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:557\ngithub.com/mholt/acmez/v3.(*Client).solveChallenges\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:378\ngithub.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:136\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:477\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:371\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.9.1/modules/caddytls/acmeissuer.go:249\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:626\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:700\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:505\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:415\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:73"}
{"level":"error","ts":1741522958.0640364,"msg":"validating authorization","identifier":"pfsense.test111.duckdns.org","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for pfsense.test111.duckdns.org; no valid AAAA records found for pfsense.test111.duckdns.org","instance":"","subproblems":null},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/165121373/23132691704","attempt":2,"max_attempts":3,"stacktrace":"github.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:152\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:477\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:371\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.9.1/modules/caddytls/acmeissuer.go:249\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:626\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:700\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:505\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:415\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:73"}
{"level":"error","ts":1741522958.064406,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"pfsense.test111.duckdns.org","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:dns - no valid A records found for pfsense.test111.duckdns.org; no valid AAAA records found for pfsense.test111.duckdns.org"}
{"level":"error","ts":1741522958.0649276,"logger":"tls.obtain","msg":"will retry","error":"[pfsense.test111.duckdns.org] Obtain: [pfsense.test111.duckdns.org] solving challenge: pfsense.test111.duckdns.org: [pfsense.test111.duckdns.org] authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - no valid A records found for pfsense.test111.duckdns.org; no valid AAAA records found for pfsense.test111.duckdns.org (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":2,"retrying_in":120,"elapsed":67.111093167,"max_duration":2592000}
{"level":"error","ts":1741522958.1182153,"msg":"challenge failed","identifier":"vaultwarden.test111.duckdns.org","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for vaultwarden.test111.duckdns.org; no valid AAAA records found for vaultwarden.test111.duckdns.org","instance":"","subproblems":null},"stacktrace":"github.com/mholt/acmez/v3.(*Client).pollAuthorization\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:557\ngithub.com/mholt/acmez/v3.(*Client).solveChallenges\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:378\ngithub.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:136\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:477\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:371\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.9.1/modules/caddytls/acmeissuer.go:249\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:626\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:700\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:505\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:415\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:73"}
{"level":"error","ts":1741522958.1192088,"msg":"validating authorization","identifier":"vaultwarden.test111.duckdns.org","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for vaultwarden.test111.duckdns.org; no valid AAAA records found for vaultwarden.test111.duckdns.org","instance":"","subproblems":null},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/165121373/23132691714","attempt":2,"max_attempts":3,"stacktrace":"github.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:152\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:477\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:371\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.9.1/modules/caddytls/acmeissuer.go:249\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:626\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:700\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:505\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:415\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:73"}
{"level":"error","ts":1741522958.1198637,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"vaultwarden.test111.duckdns.org","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:dns - no valid A records found for vaultwarden.test111.duckdns.org; no valid AAAA records found for vaultwarden.test111.duckdns.org"}
{"level":"error","ts":1741522958.1205072,"logger":"tls.obtain","msg":"will retry","error":"[vaultwarden.test111.duckdns.org] Obtain: [vaultwarden.test111.duckdns.org] solving challenge: vaultwarden.test111.duckdns.org: [vaultwarden.test111.duckdns.org] authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - no valid A records found for vaultwarden.test111.duckdns.org; no valid AAAA records found for vaultwarden.test111.duckdns.org (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":2,"retrying_in":120,"elapsed":67.167488841,"max_duration":2592000}

3. Caddy version:

v2.9.1 h1:OEYiZ7DbCzAWVb6TNEkjRcSCRGHVoZsJinoDR/n9oaY=

4. How I installed and ran Caddy:

docker container on a raspberry pi

a. System environment:

b. Command:

I can confirm I can reach my pfsense firewall from my raspberry pi (they reside on the same local LAN)

sudo nc -zv 192.168.117.1 8000
Connection to 192.168.117.1 8000 port [tcp/*] succeeded!

sudo nc -zv 192.168.117.1 443
Connection to 192.168.117.1 443 port [tcp/https] succeeded!

c. Service/unit/compose file:


d. My complete Caddy config:

All services work apart from pfsense:

*.{$DOMAIN} {
	tls {
		dns duckdns {$DUCKDNS_TOKEN}
	}

	# Logs configuration (optional, adjust as necessary)
	log {
		level INFO
		output file {$LOG_FILE} {
			roll_size 10MB
			roll_keep 10
		}
	}

	# Default reverse proxy to a generic service if no specific service matches
	reverse_proxy service_default:80
}

# Vaultwarden Service
vaultwarden.{$DOMAIN} {
	reverse_proxy vaultwarden:80 {
		header_up X-Real-IP {http.request.remote.host}
		header_up X-Forwarded-For {http.request.remote.host}
		header_up X-Forwarded-Proto {scheme}
	}
	log {
		level INFO
		output file {$LOG_FILE} {
			roll_size 10MB
			roll_keep 10
		}
		format filter {
			wrap json
			fields {
				request>uri query {
					replace access_token REDACTED
				}
			}
		}
	}
}

unifi.{$DOMAIN} {
	reverse_proxy unifi-network-application:8443 {
		transport http {
			tls_insecure_skip_verify
		}
	}

	# Add an optional redirect rule for "http://unifi.<your-domain>"
	#redir https://unifi.{$DOMAIN} permanent

	log {
		level INFO
		output file {$LOG_FILE} {
			roll_size 10MB
			roll_keep 10
		}
	}
}

unifi.{$DOMAIN}:8443 {
	redir https://unifi.{$DOMAIN} permanent
}

pfsense.{$DOMAIN} {
	reverse_proxy https://192.168.117.1:8000 {
		transport http {
			tls_insecure_skip_verify
		}
	}
	log {
		level INFO
		output file {$LOG_FILE} {
			roll_size 10MB
			roll_keep 10
		}
	}
}

5. Links to relevant resources:

You’re using a DNS challenge to obtain a certificate for your default *.test111.duckdns.org site. However, you’re trying to obtain a certificate for pfsense.test111.duckdns.org using HTTP and TLS-ALPN challenges.

Both of these challenges require direct access from the Internet to complete, but it looks like neither port 80 nor 443 is open for pfsense.test111.duckdns.org, causing the challenges to fail and preventing the certificate from being issued.

1 Like

Thank you for your answer. Does this mean I need to open port 80 and 443 on my pfsense firewall?

Yes. You need port forwarding to the Pi, and you need to open those ports in your firewall.

It depends.

If you want to keep your current Caddy configuration, meaning you’re using the HTTP-01 or TLS-ALPN-01 challenge, then yes, you’ll need to open port 80/tcp (for HTTP-01) and/or port 443/tcp (for TLS-ALPN-01).

However, if you’d rather not open those ports to the public internet, you can use the DNS-01 challenge for all your sites, just like you’re already doing for *.{$DOMAIN}.

There’s also another option - a variation of the DNS-01 challenge. Since you’re already using DNS-01 for *.{$DOMAIN}, you can simply reuse that wildcard certificate for all your sites. This works by enabling the auto_https prefer_wildcard directive in the global options section, which, as of now, is an undocumented feature introduced in Caddy v2.9.0. Since you’re on v2.9.1, you should be good to go.

To enable it, add this global option at the beginning of your Caddyfile:

{
	auto_https prefer_wildcard
}

Give it a try and see if it helps!

3 Likes
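The two DNS-01 options described in the answer above, combined into one Caddyfile, as an added example rather than configuration from the thread or from the Caddy project. It keeps the poster's placeholders ({$DOMAIN}, {$DUCKDNS_TOKEN}) and upstream addresses, assumes the duckdns DNS provider module is built into the Caddy binary (the existing tls { dns duckdns } block already requires that), and assumes that, for LAN clients, pfsense.{$DOMAIN} resolves to the host running Caddy rather than to the firewall itself; if the name resolves to pfSense, clients never reach Caddy no matter which certificate it holds. The tls_insecure_skip_verify on the upstream is kept as in the poster's config.

```caddyfile
{
	# Global option (Caddy v2.9.0+, as noted in the answer): when a site's
	# name is covered by a managed wildcard certificate, serve that wildcard
	# instead of requesting an individual certificate for the name.
	auto_https prefer_wildcard
}

# Option 1: the wildcard is the only certificate Caddy obtains. DNS-01 needs
# no inbound port reachable from the Internet; only outbound HTTPS to the
# ACME CA and to the DuckDNS API is used.
*.{$DOMAIN} {
	tls {
		dns duckdns {$DUCKDNS_TOKEN}
	}
	reverse_proxy service_default:80
}

# pfsense.{$DOMAIN} is matched by *.{$DOMAIN}, so with prefer_wildcard on
# Caddy serves the wildcard certificate here and never starts the HTTP-01 /
# TLS-ALPN-01 challenges that failed in the logs above (the "no valid A
# records" error was the CA trying to reach this private name over the
# Internet).
pfsense.{$DOMAIN} {
	reverse_proxy https://192.168.117.1:8000 {
		transport http {
			tls_insecure_skip_verify
		}
	}
}

# Option 2 (instead of the global option): request an individual DNS-01
# certificate per site. Defining the challenge once as a snippet and
# importing it keeps the token in a single place. Shown commented out so the
# file above loads with only one definition of the pfsense site.
# (dns01) {
# 	tls {
# 		dns duckdns {$DUCKDNS_TOKEN}
# 	}
# }
# pfsense.{$DOMAIN} {
# 	import dns01
# 	reverse_proxy https://192.168.117.1:8000 { ... }
# }
```

With option 1 a compromise of any one proxied service host exposes the same private key for every name under the wildcard; option 2 gives each name its own key at the cost of one DuckDNS API round-trip per certificate and renewal.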

Hi again,

Yes, I would much rather use DNS challenges rather than opening ports. I have tried what you suggested and added the auto_https prefer_wildcard option. It seems to have worked: I can access my pfSense webGUI with the domain and wildcard defined in my Caddyfile.

However, there is a problem in that the SSL certificate is not Let's Encrypt. It still uses pfSense's default self-signed certificate.

I think this needs switching off in pfSense or overriding in Caddy somehow.
If you look at the picture I took of my pfSense web configurator you can see that I have enabled HTTPS with the GUI DEFAULT SSL cert. However, this is my only option in the drop down. I did also try to enable just HTTP to the left of the HTTPS option, but it ended up locking me out of my pfSense webGUI.

Either I need to do something on Caddy's end or on my pfSense to stop using the default self-signed cert so I can use Let's Encrypt like my other services.

Any ideas on how I might achieve this? I can provide more caddy docker logs if necessary.

Thanks.

This sounds contradictory - it’s either the wildcard certificate from Caddy or a self-signed one from pfSense.

Could you do me a favour and run these two commands, then copy-paste the results here?

curl -kv https://pfsense.test111.duckdns.org
curl -kv https://pfsense.test111.duckdns.org:8000

If those don’t work, try these instead:

curl -kv https://192.168.117.1 -H 'Host: pfsense.test111.duckdns.org'
curl -kv https://192.168.117.1:8000 -H 'Host: pfsense.test111.duckdns.org'

I tried these commands from a desktop PC on the same LAN as my raspberry pi running Caddy and pfsense:

sudo curl -kv https://pfsense.test111.duckdns.org
* Host pfsense.test111.duckdns.org:443 was resolved.
* IPv6: (none)
* IPv4: 192.168.117.1
* Trying 192.168.117.1:443...
* Connected to pfsense.test111.duckdns.org (192.168.117.1) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
* subject: CN=*.test111.duckdns.org
* start date: Mar 8 10:20:17 2025 GMT
* expire date: Jun 6 10:20:16 2025 GMT
* issuer: C=US; O=Let's Encrypt; CN=R11
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Certificate level 0: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
* Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://pfsense.test111.duckdns.org/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: pfsense.test111.duckdns.org]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.5.0]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: pfsense.test111.duckdns.org
> User-Agent: curl/8.5.0
> Accept: */*
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 503
< content-length: 107
< cache-control: no-cache
< content-type: text/html
<
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>
* Connection #0 to host pfsense.test111.duckdns.org left intact

sudo curl -kv https://pfsense.test111.duckdns.org:8000
* Host pfsense.test111.duckdns.org:8000 was resolved.
* IPv6: (none)
* IPv4: 192.168.117.1
* Trying 192.168.117.1:8000...
* Connected to pfsense.test111.duckdns.org (192.168.117.1) port 8000
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
* subject: O=pfSense GUI default Self-Signed Certificate; CN=pfSense-668fa2b44e06e
* start date: Jul 11 09:15:32 2024 GMT
* expire date: Aug 13 09:15:32 2025 GMT
* issuer: O=pfSense GUI default Self-Signed Certificate; CN=pfSense-668fa2b44e06e
* SSL certificate verify result: self-signed certificate (18), continuing anyway.
* Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://pfsense.test111.duckdns.org:8000/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: pfsense.test111.duckdns.org:8000]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.5.0]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: pfsense.test111.duckdns.org:8000
> User-Agent: curl/8.5.0
> Accept: */*
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 200
< server: nginx
< date: Wed, 12 Mar 2025 18:22:19 GMT
< content-type: text/html; charset=UTF-8
< x-frame-options: SAMEORIGIN
< last-modified: Wed, 12 Mar 2025 18:22:19 GMT
< set-cookie: PHPSESSID=a5d6cf70d5452ef24150c031eacfafdd; path=/; secure; HttpOnly
< expires: Thu, 19 Nov 1981 08:52:00 GMT
< cache-control: no-store, no-cache, must-revalidate
< pragma: no-cache
< strict-transport-security: max-age=31536000
< x-content-type-options: nosniff
<
  <!DOCTYPE html>
  <html lang="en">
  	<head>
  		<meta name="viewport" content="width=device-width, initial-scale=1">
  	    <link rel="stylesheet" href="/vendor/bootstrap/css/bootstrap.min.css" type="text/css">
  	    <link rel="stylesheet" href="/css/login.css?v=1701893362" type="text/css">
  		<title>pfSense - Login</title>
  		<script type="text/javascript">
  			//<![CDATA{
  			var events = events || [];
  			//]]>
  		</script>
  	<script type="text/javascript">if (top != self) {top.location.href = self.location.href;}</script><script type="text/javascript">var csrfMagicToken = "sid:68afaf7ac4d37754e150b83bc34ebc604f176c49,1741803739;ip:c476ada74d188f952d742d0f23cc9d6a837feb53,1741803739";var csrfMagicName = "__csrf_magic";</script><script src="/csrf/csrf-magic.js" type="text/javascript"></script></head>

      <body id="login" >
      	<div id="total">
      		<header>
      			<div id="headerrow">
      				<div class="row">
      					<!-- Header left logo box -->
      					<div class="col-sm-4">
      						<div id="logodiv" style="text-align:center" class="nowarning">
      							<svg id="logo" role="img" aria-labelledby="pfsense-logo" x="0px" y="0px" viewBox="0 0 282.8 84.2">
      <title id="pfsense-logo-svg">pfSense Logo</title>
      <path class="logo-st0" d="M27.8,57.7c2.9,0,5.4-0.9,7.5-2.6c2.1-1.7,3.6-4,4.4-6.8c0.8-2.8,0.6-5.1-0.5-6.8c-1.1-1.7-3.2-2.6-6.1-2.6 c-2.9,0-5.4,0.9-7.5,2.6c-2.1,1.7-3.5,4-4.3,6.8c-0.8,2.8-0.7,5.1,0.5,6.8C22.8,56.9,24.8,57.7,27.8,57.7"/>
      <path class="logo-st0" d="M115.1,46.6c-1.5-0.8-3-1.4-4.7-1.8c-1.7-0.4-3.2-0.7-4.7-1.1c-1.5-0.3-2.7-0.7-3.6-1.1c-0.9-0.4-1.4-1.1-1.4-2 c0-1.1,0.5-1.9,1.4-2.4c0.9-0.5,1.9-0.7,2.8-0.7c2.8,0,5,1,6.7,3.1l7-7c-1.7-1.8-3.9-3.1-6.4-3.8c-2.5-0.7-5-1.1-7.4-1.1 c-1.9,0-3.9,0.2-5.7,0.7c-1.9,0.5-3.6,1.2-5,2.3c-1.5,1-2.6,2.3-3.5,3.9c-0.9,1.6-1.3,3.5-1.3,5.7c0,2.3,0.5,4.2,1.4,5.6 c0.9,1.4,2.1,2.5,3.6,3.3c1.5,0.8,3,1.3,4.7,1.7c1.7,0.4,3.2,0.7,4.7,1.1c1.5,0.3,2.7,0.7,3.6,1.2c0.9,0.5,1.4,1.2,1.4,2.2 c0,1-0.5,1.7-1.6,2.1c-1.1,0.4-2.3,0.6-3.6,0.6c-1.7,0-3.3-0.3-4.6-1c-1.3-0.7-2.5-1.7-3.6-3l-7,7.7c1.8,1.9,4.1,3.2,6.7,3.9 c2.7,0.7,5.3,1.1,7.9,1.1c2,0,4-0.2,6.1-0.6c2-0.4,3.9-1,5.5-2c1.6-0.9,3-2.2,4-3.8c1-1.6,1.6-3.5,1.6-5.9c0-2.3-0.5-4.2-1.4-5.6 C117.7,48.6,116.5,47.4,115.1,46.6"/>
      <path class="logo-st0" d="M156.3,34.1c-1.5-1.7-3.3-3-5.5-3.9c-2.2-0.9-4.6-1.4-7.2-1.4c-2.9,0-5.6,0.5-8.1,1.4c-2.5,0.9-4.7,2.2-6.6,3.9 c-1.9,1.7-3.3,3.8-4.4,6.2c-1.1,2.4-1.6,5.1-1.6,8c0,3,0.5,5.6,1.6,8c1.1,2.4,2.5,4.5,4.4,6.2c1.9,1.7,4.1,3,6.6,3.9 c2.5,0.9,5.2,1.4,8.1,1.4c3,0,5.9-0.6,8.7-1.9c2.8-1.3,5.1-3.1,7-5.4l-8-5.9c-1,1.3-2.1,2.4-3.4,3.3c-1.3,0.8-2.9,1.3-4.8,1.3 c-2.2,0-4.1-0.7-5.7-2c-1.5-1.3-2.5-3.1-3-5.2H161v-3.6c0-3-0.4-5.6-1.2-8C159,37.9,157.8,35.8,156.3,34.1 M134.3,44.1 c0.1-0.9,0.3-1.8,0.7-2.6c0.4-0.8,0.9-1.6,1.6-2.2c0.7-0.6,1.5-1.2,2.5-1.6c1-0.4,2.1-0.6,3.4-0.6c2.1,0,3.8,0.7,5.1,2.1 c1.3,1.4,2,3,1.9,5H134.3z"/>
      <path class="logo-st0" d="M198.3,33.8c-1-1.6-2.4-2.8-4.2-3.7c-1.8-0.9-4.1-1.3-7-1.3c-1.4,0-2.7,0.2-3.8,0.5c-1.2,0.4-2.2,0.8-3.1,1.4 c-0.9,0.6-1.7,1.2-2.4,1.9c-0.7,0.7-1.2,1.4-1.5,2.1H176v-5.1h-11v37.2h11.5V48.4c0-1.2,0.1-2.4,0.2-3.5c0.2-1.1,0.5-2.1,1-3 c0.5-0.9,1.2-1.6,2.1-2.1c0.9-0.5,2.1-0.8,3.6-0.8c1.5,0,2.6,0.3,3.4,0.9c0.8,0.6,1.4,1.4,1.8,2.4c0.4,1,0.6,2,0.7,3.2 c0.1,1.1,0.1,2.3,0.1,3.3v18.2h11.5V46.4c0-2.5-0.2-4.8-0.5-7C199.9,37.3,199.3,35.4,198.3,33.8"/>
      <path class="logo-st0" d="M231.5,46.6c-1.5-0.8-3-1.4-4.7-1.8c-1.7-0.4-3.2-0.7-4.7-1.1c-1.5-0.3-2.7-0.7-3.6-1.1c-0.9-0.4-1.4-1.1-1.4-2 c0-1.1,0.5-1.9,1.4-2.4c0.9-0.5,1.9-0.7,2.8-0.7c2.8,0,5,1,6.7,3.1l7-7c-1.7-1.8-3.9-3.1-6.4-3.8c-2.5-0.7-5-1.1-7.4-1.1 c-1.9,0-3.9,0.2-5.7,0.7c-1.9,0.5-3.6,1.2-5,2.3c-1.5,1-2.6,2.3-3.5,3.9c-0.9,1.6-1.3,3.5-1.3,5.7c0,2.3,0.5,4.2,1.4,5.6 c0.9,1.4,2.1,2.5,3.6,3.3c1.5,0.8,3,1.3,4.7,1.7c1.7,0.4,3.2,0.7,4.7,1.1c1.5,0.3,2.7,0.7,3.6,1.2c0.9,0.5,1.4,1.2,1.4,2.2 c0,1-0.5,1.7-1.6,2.1c-1.1,0.4-2.3,0.6-3.6,0.6c-1.7,0-3.3-0.3-4.6-1c-1.3-0.7-2.5-1.7-3.6-3l-7,7.7c1.8,1.9,4.1,3.2,6.7,3.9 c2.7,0.7,5.3,1.1,7.9,1.1c2,0,4-0.2,6.1-0.6c2-0.4,3.9-1,5.5-2c1.6-0.9,3-2.2,4-3.8c1-1.6,1.6-3.5,1.6-5.9c0-2.3-0.5-4.2-1.4-5.6 C234.1,48.6,232.9,47.4,231.5,46.6"/>
      <path class="logo-st0" d="M277.4,51.9v-4.2c-0.1-2.7-0.5-5.2-1.2-7.4c-0.8-2.4-2-4.5-3.5-6.2c-1.5-1.7-3.3-3-5.5-3.9 c-2.2-0.9-4.6-1.4-7.2-1.4c-2.9,0-5.6,0.5-8.1,1.4c-2.5,0.9-4.7,2.2-6.6,3.9c-1.9,1.7-3.3,3.8-4.4,6.2c-1.1,2.4-1.6,5.1-1.6,8 c0,3,0.5,5.6,1.6,8c1.1,2.4,2.5,4.5,4.4,6.2c1.9,1.7,4.1,3,6.6,3.9c2.5,0.9,5.2,1.4,8.1,1.4c3,0,5.9-0.6,8.7-1.9 c2.8-1.3,5.1-3.1,7-5.4l-8-5.9c-1,1.3-2.1,2.4-3.4,3.3c-1.3,0.8-2.9,1.3-4.8,1.3c-2.2,0-4.1-0.7-5.7-2c-1.5-1.3-2.5-3.1-3-5.2H277.4 z M250.7,44.1c0.1-0.9,0.3-1.8,0.7-2.6c0.4-0.8,0.9-1.6,1.6-2.2c0.7-0.6,1.5-1.2,2.5-1.6c1-0.4,2.1-0.6,3.4-0.6 c2.1,0,3.8,0.7,5.1,2.1c1.3,1.4,2,3,1.9,5H250.7z"/>
      <path class="logo-st1" d="M52.6,38.9l2.6-9.2h4.6l1.8-6.6c0.6-2,1.3-4,2.2-5.8c0.8-1.8,2-3.4,3.4-4.8c1.4-1.4,3.2-2.5,5.3-3.3 c2.1-0.8,4.8-1.2,7.9-1.2c0.8,0,1.5,0,2.3,0.1c-0.7-2.9-3.3-5-6.3-5.1H11.9c-3.6,0-6.5,3-6.5,6.6V67l10.5-37.3h10.6l-1.4,4.9h0.2 c0.6-0.7,1.4-1.3,2.4-2c1-0.7,2-1.3,3.1-1.9c1.1-0.6,2.3-1,3.6-1.4c1.3-0.4,2.6-0.5,3.9-0.5c2.8,0,5.1,0.5,7.1,1.4 c2,0.9,3.5,2.3,4.7,4c1,1.5,1.6,3.3,1.9,5.4l0.8-0.6H52.6z"/>
      <path class="logo-st2" d="M82.1,17.9c-0.5-0.1-1.1-0.2-1.8-0.2c-1.8,0-3.3,0.4-4.5,1.2c-1.1,0.8-2.1,2.4-2.8,4.9l-1.7,5.9h6.5l1.6,5.1 l-4.2,4.1h-6.5l-7.9,28H49.4l7.9-28h-4.4L52,39.5c0,0.2,0.1,0.5,0.1,0.7c0.2,2.3-0.1,4.9-0.9,7.7c-0.7,2.6-1.8,5.1-3.3,7.5 c-1.5,2.4-3.2,4.5-5.1,6.3c-2,1.8-4.2,3.3-6.6,4.4c-2.4,1.1-4.9,1.6-7.6,1.6c-2.4,0-4.5-0.4-6.4-1.1c-1.9-0.7-3.2-2-4-3.8h-0.2 l-5,17.7h63.3c3.6,0,6.6-2.9,6.6-6.6V18.2C82.6,18.1,82.3,18,82.1,17.9"/>
      <path class="logo-st0" d="M277.6,68.5h0.8c0.4,0,0.6-0.1,0.7-0.2c0.1-0.1,0.2-0.2,0.2-0.4c0-0.1,0-0.2-0.1-0.3c-0.1-0.1-0.1-0.2-0.3-0.2 c-0.1,0-0.3-0.1-0.6-0.1h-0.7V68.5z M277,70.6v-3.8h1.3c0.5,0,0.8,0,1,0.1c0.2,0.1,0.4,0.2,0.5,0.4c0.1,0.2,0.2,0.4,0.2,0.6 c0,0.3-0.1,0.5-0.3,0.7c-0.2,0.2-0.5,0.3-0.8,0.3c0.1,0.1,0.2,0.1,0.3,0.2c0.2,0.2,0.3,0.4,0.6,0.8l0.5,0.7h-0.8l-0.3-0.6 c-0.3-0.5-0.5-0.8-0.6-0.9c-0.1-0.1-0.3-0.1-0.5-0.1h-0.4v1.6H277z M278.6,65.7c-0.5,0-1,0.1-1.5,0.4c-0.5,0.3-0.8,0.6-1.1,1.1 c-0.3,0.5-0.4,1-0.4,1.5c0,0.5,0.1,1,0.4,1.5c0.3,0.5,0.6,0.8,1.1,1.1c0.5,0.3,1,0.4,1.5,0.4c0.5,0,1-0.1,1.5-0.4 c0.5-0.3,0.8-0.6,1.1-1.1c0.3-0.5,0.4-1,0.4-1.5c0-0.5-0.1-1-0.4-1.5c-0.3-0.5-0.6-0.8-1.1-1.1C279.6,65.8,279.1,65.7,278.6,65.7z M278.6,65.1c0.6,0,1.2,0.2,1.8,0.5c0.6,0.3,1,0.7,1.3,1.3c0.3,0.6,0.5,1.2,0.5,1.8c0,0.6-0.2,1.2-0.5,1.8c-0.3,0.6-0.8,1-1.3,1.3 c-0.6,0.3-1.2,0.5-1.8,0.5c-0.6,0-1.2-0.2-1.8-0.5c-0.6-0.3-1-0.8-1.3-1.3c-0.3-0.6-0.5-1.2-0.5-1.8c0-0.6,0.2-1.2,0.5-1.8 c0.3-0.6,0.8-1,1.3-1.3C277.4,65.2,278,65.1,278.6,65.1z"/>

  </svg>
  							</div>
  						</div>

      					<!-- Header center message box -->
      					<div class="col-sm-4 nowarning msgbox text-center text-danger">
      					</div>

      					<!-- Header right message box (hostname or msg)-->
      					<div class="col-sm-4 nowarning msgbox text-center">
      						<span id="hostspan">
      							<h4>Login to pfSense</h4>
      						</span>
      					</div>
      				</div>
                  </div>
              </header>

              <div style="background: #1e3f75;" class="pagebody">
              	<div class="col-sm-4"></div>

              	<div class="col-sm-4 offset-md-4 logoCol">
      				<div class="loginCont center-block">
      	                <form method="post"  class="login"><input type='hidden' name='__csrf_magic' value="sid:68afaf7ac4d37754e150b83bc34ebc604f176c49,1741803739;ip:c476ada74d188f952d742d0f23cc9d6a837feb53,1741803739" />
      		                <p class="form-title">Sign In</p>
      		                <input name="usernamefld" id="usernamefld" type="text" placeholder="Username" autocorrect="off" autocapitalize="none"/>
      		                <input name="passwordfld" id="passwordfld" type="password" placeholder="Password" />
      		                <input type="submit" name="login" value="Sign In" class="btn btn-success btn-sm" />
      	                </form>
      				</div>
                  </div>

              	<div class="col-sm-4"></div>
              </div>

              <footer id="3">
                  <div id="footertext">
      				<p class="text-muted">
      					<a target="_blank" href="https://pfsense.org">pfSense</a> is developed and maintained by <a target="_blank" href="https://netgate.com">Netgate. </a> &copy; ESF 2004 - 2025<a target="_blank" href="https://pfsense.org/license"> View license.</a>		</p>
                  </div>
              </footer>
          </div>

      	<script type="text/javascript">
      	//<![CDATA[
      		/* Prevent duplicate submission  */
      		events.push(function() {
      			var submitted = false;

      			$(form).submit(function(e){
      				if (submitted) {
      					e.preventDefault();
      				} else {
      					submitted = true;
      					// Form is submitted because default action is not prevented
      				}
      			});
      		});
      	//]]>
      	</script>

          <script src="/vendor/jquery/jquery-3.5.1.min.js?v=1701893362"></script>
      	<script src="/vendor/bootstrap/js/bootstrap.min.js?v=1701893362"></script>
      	<script src="/js/pfSense.js?v=1701893362"></script>

      	<script type="text/javascript">
      	//!<[CDATA[
      	events.push(function() {
      		document.cookie=
      			"cookie_test=1" +
      			"; secure";

      		if (document.cookie.indexOf("cookie_test") == -1) {
      			alert("The browser must support cookies to login.");
      		}

      		// Delete it
      		document.cookie = "cookie_test=1; expires=Thu, 01-Jan-1970 00:00:01 GMT";
      	});
      	//]]>
      	</script>

      <script type="text/javascript">CsrfMagic.end();</script></body>

  </html>

* Connection #0 to host pfsense.test111.duckdns.org left intact

OK, I’m a bit confused now. 192.168.117.1 is the internal IP address of your pfSense firewall, right?

You mentioned running Caddy on an RPi, but what’s actually listening on 192.168.117.1:443? And what’s the IP address of your RPi?

Here’s what I think is happening - please correct me if I’m wrong:

  • Your pfSense internal IP: 192.168.117.1
  • Your RPi IP: 192.168.117.x
  • Your DuckDNS FQDN is pointed to your pfSense
  • Something on pfSense is either listening on port 443, or you have a redirect configured to send traffic on that port to your RPi running Caddy

Can you try the following command?

curl -kv https://YOUR-RPi-IP-ADDRESS -H 'Host: pfsense.test111.duckdns.org'

What I expect to see from this is Caddy actually responding to the request. Right now, whatever is on 192.168.117.1:443 doesn’t seem to be Caddy at all. I suspect your pfSense might be misconfigured and not forwarding incoming traffic on port 443 to your RPi to Caddy. But that’s just my guess.

1 Like

That almost sounds correct; one thing I did forget to say was that my DuckDNS domain points to the private IP address of my Pi, not the pfSense IP. That's how I've been getting all my Docker web services working. I have also added the following entries into my pfSense DNS resolver host overrides:

Host          Parent domain of host   IP to return to host

test111       duckdns.org             192.168.117.10
pfsense       test111.duckdns.org     192.168.117.1
unifi         test111.duckdns.org     192.168.117.10
vaultwarden   test111.duckdns.org     192.168.117.10

I also recently enabled this in my pfsense web configurator as it kept giving me a https referrer error:

[Screenshot, 2025-03-13: pfSense.home.arpa - System > Advanced > Admin Access]

This is the result of the command you said to try:

curl -kv https://192.168.117.10 -H 'Host: pfsense.test111.duckdns.org'
*   Trying 192.168.117.10:443...
* Connected to 192.168.117.10 (192.168.117.10) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, internal error (592):
* OpenSSL/3.0.13: error:0A000438:SSL routines::tlsv1 alert internal error
* Closing connection
curl: (35) OpenSSL/3.0.13: error:0A000438:SSL routines::tlsv1 alert internal error

Just know that if you open 80 and 443 to the world, every one of your services will then be available to the world. Personally I'd skip using that Caddy instance and just use the ACME package on pfSense to get a Let's Encrypt cert for your pfSense box.

That's my backup plan if no one can help me set it up with Caddy. I'd just rather have one place to handle all SSL related things. I do think I'm close though; I'm able to access pfSense with the domain defined in my Caddyfile on my Pi, but pfSense's self-signed certificate seems to be getting in the way. And there's seemingly no way to disable it through the GUI on pfSense.

I also have no intention of opening up any ports on my network. Which is why I’ve been using Caddy with DNS challenges so no ports need to be open to obtain SSL certs.

Two things. If your Pi is open to the world, every service in your Caddy is as well. So just make sure you're ok with that. You can disable the pfSense HTTPS under System > Advanced > Admin Access by selecting HTTP as the protocol. Make sure you don't make this available to the world though. This will make your pfSense only available over HTTP, which you can then front with your Caddy instance. The alternative is to configure ACME on pfSense, then it will have a valid cert, then in your Caddy you can proxy to the hostname (that matches the cert name) using HTTPS.

First scenario is https (Caddy) → http (pfSense), second would be https (Caddy) → https (pfSense). The only benefit to the second is if you're worried about traffic on your local network being sniffed. However, if they're on your local network to sniff that traffic, you've got bigger issues already.

The real question is why do you want to expose the pfSense admin UI to the world? You really should just set up a VPN on your pfSense box that you connect to when you want to do remote pfSense work.
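The two proxy shapes described in the post above (https → http, and https → https to a pfSense that already holds a valid certificate) written out as Caddy site configuration, as an added example rather than the thread's own config or anything from the Caddy or pfSense projects. It keeps the poster's {$DOMAIN} placeholder and the 192.168.117.1:8000 upstream. The first variant assumes the pfSense GUI has been switched to plain HTTP on that port; the second assumes the pfSense ACME package has issued the firewall a certificate whose SAN is pfsense.{$DOMAIN}. A third variant, not in the thread, pins the firewall's default self-signed GUI certificate instead of skipping verification; it assumes that certificate has been exported to /etc/caddy/pfsense-gui.pem (a placeholder path) and that its SAN matches the CN seen in the curl output above.

```caddyfile
# Three ways for Caddy to reach the pfSense GUI, written as Caddyfile
# snippets so they can sit in one file; the site block at the end imports
# exactly one of them.

# Variant 1: https (Caddy) -> http (pfSense). The admin session is clear
# text between the two hosts, so this is only acceptable when that LAN
# segment is trusted and the GUI port is not reachable from anywhere else.
(pfsense_plain) {
	reverse_proxy 192.168.117.1:8000
}

# Variant 2: https -> https with a publicly trusted certificate that the
# pfSense ACME package issued to the firewall. Caddy verifies the upstream
# certificate against the system CA store. Because the upstream is dialled
# by IP, tls_server_name supplies both the SNI and the name the certificate
# must match; without it verification would fail against an IP address.
(pfsense_acme) {
	reverse_proxy 192.168.117.1:8000 {
		transport http {
			tls
			tls_server_name pfsense.{$DOMAIN}
		}
	}
}

# Variant 3: https -> https with the firewall's self-signed GUI certificate
# pinned in a trust pool. This replaces tls_insecure_skip_verify, which
# accepts any certificate at all and so gives no protection against a host
# on the LAN impersonating the firewall. The PEM path is a placeholder for
# the exported certificate; the SAN in it must equal tls_server_name, and
# the pool has to be updated when pfSense regenerates the certificate.
(pfsense_pinned) {
	reverse_proxy 192.168.117.1:8000 {
		transport http {
			tls
			tls_server_name pfSense-668fa2b44e06e
			tls_trust_pool file {
				pem_file /etc/caddy/pfsense-gui.pem
			}
		}
	}
}

# The name is served with whichever certificate Caddy manages for it; the
# imported snippet only decides how the hop to pfSense is protected.
pfsense.{$DOMAIN} {
	import pfsense_acme
}
```

Variant 2 is the one the post recommends and the only one that needs no manual certificate handling, since both ends renew automatically; variant 3 is the fallback when the firewall must keep its self-signed GUI certificate but the LAN hop should still be authenticated.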

There are zero open ports on my network aside from a port for WireGuard. All services including pfSense are accessible locally only or through my WireGuard VPN. The same is true of my Pi, but since I have no open ports on my pfSense my Pi is not accessible on the internet anyway.

My DuckDNS points to my local Pi private IP. The only connection to the internet is when I get my DNS challenges through Caddy to obtain my SSL certs, which requires no ports open I believe. As far as I'm aware nothing on my network is accessible from the outside aside from the VPN.

I already tried changing my pfsense to use http only, but it ended up locking me out from accessing my pfsense webgui and I had to roll back from the command line.

I don't want to enable the pfSense webGUI to the outside at all. I just want Caddy to issue it an SSL cert so pfSense can have a Let's Encrypt cert. Like I said, I do have this working already with pfSense's built-in ACME package, but I was just trying to get this working with Caddy on my Pi instead, like I am with the other services that run on the Pi.

I found this. Did you already look at this documentation?

I haven’t yet, I could give this a go although I’m not sure if you can get the certificate from a caddy docker container easily.

As long as the volume is mounted to your host machine, you can pull it that way. The container stores the certificates in the /data folder.