1. Output of `caddy version`:
v2.6.2 h1:wKoFIxpmOJLGl3QXoo6PNbYvGW4xLEgo32GPBEjWL8o=
2. How I run Caddy:
I run caddy with docker compose:
a. System environment:
Ubuntu 22.04 + Docker version 20.10.22, build 3a2c30b
b. Command:
sudo -E docker-compose up
c. Service/unit/compose file:
run this with: `CURRENT_UID=$(id -u):$(id -g) docker-compose up`
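# Compose file for the Caddy front end. Indentation and ASCII quotes restored:
# the original paste used typographic quotes (“3”, “80:80”), which YAML treats
# as part of a plain scalar, so Compose would not have read them as the
# intended string values.
version: "3"
services:
  ##################################################################################################
  caddy:
    restart: unless-stopped
    # Equivalent one-off docker run (note: it also publishes 2019, the admin
    # API port; the compose ports list below deliberately does not, which is
    # the safer choice — the log shows the admin endpoint bound to localhost).
    # docker run -it -p 80:80 -p 443:443 -p 2019:2019 --rm --name perception_caddy perception_caddy
    #
    # Floating tag: the log in this report shows v2.6.2. Pinning the image to
    # the version actually tested keeps upgrades deliberate and reviewable.
    image: caddy/caddy:alpine
    container_name: caddy
    hostname: caddy
    # Runs as root. The commented-out `user: ${CURRENT_UID}` together with the
    # sysctls/cap_add lines at the bottom appear to be the pieces needed to run
    # unprivileged while still binding ports 80/443 — worth finishing that
    # switch once the certificate setup works.
    user: root
    # user: ${CURRENT_UID}
    ports:
      - "80:80"
      - "443:443"
      # UDP 443 is the HTTP/3 (QUIC) listener Caddy enables by default
      # (see the "enabling HTTP/3 listener" log line).
      - "443:443/udp"
    extra_hosts:
      - "dockerhost:${DOCKERHOST}"
    volumes:
      # Note: with the current caddy/caddy images the storage locations are
      # /config/caddy and /data/caddy (the log confirms FileStorage:/data/caddy
      # and /config/caddy/autosave.json). See the caddyserver/caddy-docker repo
      # for details.
      # - "./caddy_secrets/data_lets_encrypt_storage:/data"
      # - "./caddy_secrets/config_storage:/config"
      - "$PWD/caddy/caddy_file/Caddyfile:/etc/caddy/Caddyfile"
      - "$PWD/site:/srv"
      # /data holds private keys and certificates once TLS is configured;
      # keep this host directory out of version control and world-unreadable.
      - "$PWD/caddy/caddy_data:/data"
      - "$PWD/caddy/caddy_config:/config"
    # sysctls:
    #   - net.ipv4.ip_unprivileged_port_start=0
    # cap_add:
    #   - CAP_NET_BIND_SERVICE
  ##################################################################################################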
d. My complete Caddy config:
# Site block for the public hostname. Naming a hostname here is what makes
# Caddy enable automatic HTTPS and try to obtain an ACME certificate for it
# (see the "enabling automatic TLS certificate management" log line), which
# is the source of the A/AAAA-record errors below. To use a certificate
# supplied by the institute instead, this block needs a `tls <cert> <key>`
# directive pointing at the certificate and key files; Caddy then makes no
# ACME order for this name.
itmrdw1.helmholtz-muenchen.de {
respond "hello world!"
}
# Plain-HTTP server on port 80. No automatic HTTPS is applied to it
# (matches the "listening only on the HTTP port" warning in the log).
:80 {
respond "hello world! @ localhost:80"
}
3. The problem I’m having:
neuronflow@itmrdw1:~/pwild_website$ curl https://itmrdw1.helmholtz-muenchen.de
curl: (35) error:0A000438:SSL routines::tlsv1 alert internal error
neuronflow@itmrdw1:~/pwild_website$ curl http://itmrdw1.helmholtz-muenchen.de
--> returns nothing
4. Error messages and/or full log output:
curl: (35) error:0A000438:SSL routines::tlsv1 alert internal error
Starting caddy ... done
Attaching to caddy
caddy | {"level":"info","ts":1673520580.854179,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
caddy | {"level":"info","ts":1673520580.8560205,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
caddy | {"level":"info","ts":1673520580.8561893,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
caddy | {"level":"info","ts":1673520580.8562021,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
caddy | {"level":"warn","ts":1673520580.8562076,"logger":"http","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv1","http_port":80}
caddy | {"level":"info","ts":1673520580.8563197,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000332850"}
caddy | {"level":"info","ts":1673520580.8564181,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
caddy | {"level":"info","ts":1673520580.8564906,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details."}
caddy | {"level":"info","ts":1673520580.8564167,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
caddy | {"level":"info","ts":1673520580.8565414,"logger":"tls","msg":"finished cleaning storage units"}
caddy | {"level":"info","ts":1673520580.856598,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
caddy | {"level":"info","ts":1673520580.8566313,"logger":"http.log","msg":"server running","name":"srv1","protocols":["h1","h2","h3"]}
caddy | {"level":"info","ts":1673520580.856635,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["itmrdw1.helmholtz-muenchen.de"]}
caddy | {"level":"info","ts":1673520580.8568811,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
caddy | {"level":"info","ts":1673520580.8568943,"msg":"serving initial configuration"}
caddy | {"level":"info","ts":1673520580.8578832,"logger":"tls.obtain","msg":"acquiring lock","identifier":"itmrdw1.helmholtz-muenchen.de"}
caddy | {"level":"info","ts":1673520580.8633447,"logger":"tls.obtain","msg":"lock acquired","identifier":"itmrdw1.helmholtz-muenchen.de"}
caddy | {"level":"info","ts":1673520580.863517,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"itmrdw1.helmholtz-muenchen.de"}
caddy | {"level":"info","ts":1673520581.7353702,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["itmrdw1.helmholtz-muenchen.de"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
caddy | {"level":"info","ts":1673520581.7354004,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["itmrdw1.helmholtz-muenchen.de"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
caddy | {"level":"info","ts":1673520582.1013937,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"itmrdw1.helmholtz-muenchen.de","challenge_type":"tls-alpn-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
caddy | {"level":"error","ts":1673520583.0607197,"logger":"http.acme_client","msg":"challenge failed","identifier":"itmrdw1.helmholtz-muenchen.de","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for itmrdw1.helmholtz-muenchen.de; no valid AAAA records found for itmrdw1.helmholtz-muenchen.de","instance":"","subproblems":[]}}
caddy | {"level":"error","ts":1673520583.0608246,"logger":"http.acme_client","msg":"validating authorization","identifier":"itmrdw1.helmholtz-muenchen.de","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for itmrdw1.helmholtz-muenchen.de; no valid AAAA records found for itmrdw1.helmholtz-muenchen.de","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/913391897/158367265297","attempt":1,"max_attempts":3}
caddy | {"level":"info","ts":1673520584.4032927,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"itmrdw1.helmholtz-muenchen.de","challenge_type":"http-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
caddy | {"level":"error","ts":1673520585.377856,"logger":"http.acme_client","msg":"challenge failed","identifier":"itmrdw1.helmholtz-muenchen.de","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for itmrdw1.helmholtz-muenchen.de; no valid AAAA records found for itmrdw1.helmholtz-muenchen.de","instance":"","subproblems":[]}}
caddy | {"level":"error","ts":1673520585.3779619,"logger":"http.acme_client","msg":"validating authorization","identifier":"itmrdw1.helmholtz-muenchen.de","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for itmrdw1.helmholtz-muenchen.de; no valid AAAA records found for itmrdw1.helmholtz-muenchen.de","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/913391897/158367269347","attempt":2,"max_attempts":3}
caddy | {"level":"error","ts":1673520585.3780339,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"itmrdw1.helmholtz-muenchen.de","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:dns - no valid A records found for itmrdw1.helmholtz-muenchen.de; no valid AAAA records found for itmrdw1.helmholtz-muenchen.de"}
caddy | {"level":"warn","ts":1673520585.3828506,"logger":"http","msg":"missing email address for ZeroSSL; it is strongly recommended to set one for next time"}
caddy | {"level":"info","ts":1673520601.0149872,"logger":"http","msg":"generated EAB credentials","key_id":"7fsQv3QRz8H0zPwOHs9qFQ"}
caddy | {"level":"info","ts":1673520649.7971747,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["itmrdw1.helmholtz-muenchen.de"],"ca":"https://acme.zerossl.com/v2/DV90","account":""}
caddy | {"level":"info","ts":1673520649.7972517,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["itmrdw1.helmholtz-muenchen.de"],"ca":"https://acme.zerossl.com/v2/DV90","account":""}
caddy | {"level":"info","ts":1673520682.570528,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"itmrdw1.helmholtz-muenchen.de","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
5. What I already tried:
I got a virtual server from my research institute; as I understand it, they also provide an SSL certificate.
My aim is to use caddy as a reverse proxy to filter out malicious packets etc.
I don’t want/need Caddy to obtain a certificate from Let’s Encrypt; I want it to use the certificate from the research institute. When I run Caddy, it complains about missing A and AAAA records because it tries to obtain a Let’s Encrypt certificate.
As I understand it from reading the links below, I have to obtain the certificate files (probably from the server admins) and then configure Caddy as described in the linked page?