Using caddy with external SSL certificate

1. Output of caddy version:

v2.6.2 h1:wKoFIxpmOJLGl3QXoo6PNbYvGW4xLEgo32GPBEjWL8o=

2. How I run Caddy:

I run caddy with docker compose:

a. System environment:

Ubuntu 22.04 + Docker version 20.10.22, build 3a2c30b

b. Command:

sudo -E docker-compose up

c. Service/unit/compose file:


# run this with: CURRENT_UID=$(id -u):$(id -g) docker-compose up

version: "3"
services:
##################################################################################################
  caddy:
    restart: unless-stopped
    # docker run -it -p 80:80 -p 443:443 -p 2019:2019 --rm --name perception_caddy perception_caddy
    image: caddy/caddy:alpine
    container_name: caddy
    hostname: caddy
    user: root
    # user: ${CURRENT_UID}
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    extra_hosts:
      - dockerhost:${DOCKERHOST}
    volumes:
      # Just a note - as of the latest caddy/caddy images, these locations are now /config/caddy and /data/caddy.
      # See the (new!) docs for some details: GitHub - caddyserver/caddy-docker (Source for the official Caddy v2 Docker Image)
      # - "./caddy_secrets/data_lets_encrypt_storage:/data"
      # - "./caddy_secrets/config_storage:/config"
      - $PWD/caddy/caddy_file/Caddyfile:/etc/caddy/Caddyfile
      - $PWD/site:/srv
      - $PWD/caddy/caddy_data:/data
      - $PWD/caddy/caddy_config:/config
    # sysctls:
    #   - net.ipv4.ip_unprivileged_port_start=0
    # cap_add:
    #   - CAP_NET_BIND_SERVICE
##################################################################################################

d. My complete Caddy config:

itmrdw1.helmholtz-muenchen.de {
	respond "hello world!"
}

:80 {
	respond "hello world! @ localhost:80"
}

3. The problem I’m having:

neuronflow@itmrdw1:~/pwild_website$ curl https://itmrdw1.helmholtz-muenchen.de
curl: (35) error:0A000438:SSL routines::tlsv1 alert internal error

neuronflow@itmrdw1:~/pwild_website$ curl http://itmrdw1.helmholtz-muenchen.de
--> returns nothing

4. Error messages and/or full log output:

curl: (35) error:0A000438:SSL routines::tlsv1 alert internal error
Starting caddy ... done
Attaching to caddy
caddy    | {"level":"info","ts":1673520580.854179,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
caddy    | {"level":"info","ts":1673520580.8560205,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
caddy    | {"level":"info","ts":1673520580.8561893,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
caddy    | {"level":"info","ts":1673520580.8562021,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
caddy    | {"level":"warn","ts":1673520580.8562076,"logger":"http","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv1","http_port":80}
caddy    | {"level":"info","ts":1673520580.8563197,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000332850"}
caddy    | {"level":"info","ts":1673520580.8564181,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
caddy    | {"level":"info","ts":1673520580.8564906,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details."}
caddy    | {"level":"info","ts":1673520580.8564167,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
caddy    | {"level":"info","ts":1673520580.8565414,"logger":"tls","msg":"finished cleaning storage units"}
caddy    | {"level":"info","ts":1673520580.856598,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
caddy    | {"level":"info","ts":1673520580.8566313,"logger":"http.log","msg":"server running","name":"srv1","protocols":["h1","h2","h3"]}
caddy    | {"level":"info","ts":1673520580.856635,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["itmrdw1.helmholtz-muenchen.de"]}
caddy    | {"level":"info","ts":1673520580.8568811,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
caddy    | {"level":"info","ts":1673520580.8568943,"msg":"serving initial configuration"}
caddy    | {"level":"info","ts":1673520580.8578832,"logger":"tls.obtain","msg":"acquiring lock","identifier":"itmrdw1.helmholtz-muenchen.de"}
caddy    | {"level":"info","ts":1673520580.8633447,"logger":"tls.obtain","msg":"lock acquired","identifier":"itmrdw1.helmholtz-muenchen.de"}
caddy    | {"level":"info","ts":1673520580.863517,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"itmrdw1.helmholtz-muenchen.de"}
caddy    | {"level":"info","ts":1673520581.7353702,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["itmrdw1.helmholtz-muenchen.de"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
caddy    | {"level":"info","ts":1673520581.7354004,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["itmrdw1.helmholtz-muenchen.de"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
caddy    | {"level":"info","ts":1673520582.1013937,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"itmrdw1.helmholtz-muenchen.de","challenge_type":"tls-alpn-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
caddy    | {"level":"error","ts":1673520583.0607197,"logger":"http.acme_client","msg":"challenge failed","identifier":"itmrdw1.helmholtz-muenchen.de","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for itmrdw1.helmholtz-muenchen.de; no valid AAAA records found for itmrdw1.helmholtz-muenchen.de","instance":"","subproblems":[]}}
caddy    | {"level":"error","ts":1673520583.0608246,"logger":"http.acme_client","msg":"validating authorization","identifier":"itmrdw1.helmholtz-muenchen.de","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for itmrdw1.helmholtz-muenchen.de; no valid AAAA records found for itmrdw1.helmholtz-muenchen.de","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/913391897/158367265297","attempt":1,"max_attempts":3}
caddy    | {"level":"info","ts":1673520584.4032927,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"itmrdw1.helmholtz-muenchen.de","challenge_type":"http-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
caddy    | {"level":"error","ts":1673520585.377856,"logger":"http.acme_client","msg":"challenge failed","identifier":"itmrdw1.helmholtz-muenchen.de","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for itmrdw1.helmholtz-muenchen.de; no valid AAAA records found for itmrdw1.helmholtz-muenchen.de","instance":"","subproblems":[]}}
caddy    | {"level":"error","ts":1673520585.3779619,"logger":"http.acme_client","msg":"validating authorization","identifier":"itmrdw1.helmholtz-muenchen.de","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for itmrdw1.helmholtz-muenchen.de; no valid AAAA records found for itmrdw1.helmholtz-muenchen.de","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/913391897/158367269347","attempt":2,"max_attempts":3}
caddy    | {"level":"error","ts":1673520585.3780339,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"itmrdw1.helmholtz-muenchen.de","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:dns - no valid A records found for itmrdw1.helmholtz-muenchen.de; no valid AAAA records found for itmrdw1.helmholtz-muenchen.de"}
caddy    | {"level":"warn","ts":1673520585.3828506,"logger":"http","msg":"missing email address for ZeroSSL; it is strongly recommended to set one for next time"}
caddy    | {"level":"info","ts":1673520601.0149872,"logger":"http","msg":"generated EAB credentials","key_id":"7fsQv3QRz8H0zPwOHs9qFQ"}
caddy    | {"level":"info","ts":1673520649.7971747,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["itmrdw1.helmholtz-muenchen.de"],"ca":"https://acme.zerossl.com/v2/DV90","account":""}
caddy    | {"level":"info","ts":1673520649.7972517,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["itmrdw1.helmholtz-muenchen.de"],"ca":"https://acme.zerossl.com/v2/DV90","account":""}
caddy    | {"level":"info","ts":1673520682.570528,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"itmrdw1.helmholtz-muenchen.de","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}

5. What I already tried:

I got a virtual server from my research institute; as I understand it, they also provide an SSL certificate.
My aim is to use caddy as a reverse proxy to filter out malicious packets etc.
I don’t want/need caddy to get a certificate from Let’s Encrypt but to use the certificate from the research institute. When I run caddy it complains about a missing A and AAAA record as it tries to get a Let’s Encrypt certificate.

As I understand it from reading the links below, I have to obtain the certificate files, probably from the server admins, and then configure caddy as in the link provided?

6. Links to relevant resources:

You shouldn’t be using caddy/caddy; use caddy instead. The difference is that caddy is the official Docker image, and caddy/caddy is our CI target, not meant to be used by anyone.

Seems like your DNS records aren’t set up correctly.

If DNS is set up to point to your server, and you have ports 80/443 forwarded and opened, then Caddy can automate issuance of TLS certs.

There’s rarely any reason these days to use anything but ACME certificates. I guess your org might require you to use the certs they want by policy, but there’s no practical security reason to do that.

But you can easily do so with the tls directive, to load a cert+key pair for each site.
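As an added example (not the reply’s own config), a Caddyfile for the site in this thread that loads the institute-issued cert+key pair with the tls directive instead of requesting one via ACME; the /etc/caddy/certs paths are assumed mount points, not something from the thread:

```caddyfile
# Site from the thread, served with an externally issued certificate.
# Paths under /etc/caddy/certs are an assumption: mount the files there from
# the host (read-only) via an extra entry in the compose volumes list.
itmrdw1.helmholtz-muenchen.de {
	# tls <cert_file> <key_file>: the cert file should hold the leaf plus the
	# intermediate chain; Caddy skips ACME issuance for names covered by a
	# loaded certificate, so the A/AAAA record errors above go away.
	tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem

	respond "hello world!"
}
```

A matching compose volume would be `- $PWD/caddy/certs:/etc/caddy/certs:ro` (host path assumed); keep the private key out of the image and out of version control. `caddy validate --config /etc/caddy/Caddyfile` run inside the container confirms the config parses and both files load before the server is started.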
