Using caddy with your own certificate in docker compose

1. Caddy version (caddy version):

abiosoft/caddy 1.0.3

2. How I run Caddy:

I use docker compose to start caddy and bitwarden_rs; see below for my Caddyfile and docker-compose.yml.

a. System environment:

Ubuntu 20.04, Docker 19.03.8, Docker Compose 1.25.0

b. Command:

docker-compose up

c. Service/unit/compose file:

# docker-compose.yml
version: '3'

services:
  bitwarden:
    image: bitwardenrs/server
    restart: always
    volumes:
      - ./bw-data:/data
    environment:
      WEBSOCKET_ENABLED: 'true' # Required to use websockets
      SIGNUPS_ALLOWED: 'true'   # set to false to disable signups

  caddy:
    image: abiosoft/caddy
    restart: always
    volumes:
      - ./Caddyfile:/etc/Caddyfile:ro
    ports:
      - 80:80
      - 443:443

d. My complete Caddyfile or JSON config:

# Caddyfile
https://bitwardenrs.dangerling.com {
    tls /home/administrator/Certificate.crt /home/administrator/CertKey.key

    header / {
        # Enable HTTP Strict Transport Security (HSTS)
        Strict-Transport-Security "max-age=31536000;"
        # Enable cross-site filter (XSS) and tell browser to block detected attacks
        X-XSS-Protection "1; mode=block"
        # Disallow the site to be rendered within a frame (clickjacking protection)
        X-Frame-Options "DENY"
        # Prevent search engines from indexing (optional)
        #X-Robots-Tag "none"
    }

    # The negotiation endpoint is also proxied to Rocket
    proxy /notifications/hub/negotiate bitwarden:80 {
        transparent
    }

    # Notifications redirected to the websockets server
    proxy /notifications/hub bitwarden:3012 {
        websocket
    }

    # Proxy the Root directory to Rocket
    proxy / bitwarden:80 {
        transparent
    }
}

3. The problem I’m having:

I want to run bitwarden_rs behind a reverse proxy using certificates I provide, as I have a wildcard cert from a company whose name is not LetsEncrypt.

Upon docker-compose executing, bitwarden starts and then caddy tries to start. The problem is it is unable to find the certificate file I defined in my Caddyfile. For testing purposes I ran chmod 777 on both the crt and key files, but no luck.

4. Error messages and/or full log output:

administrator@bitwardenrs:~$ sudo docker-compose up
Starting administrator_caddy_1     ... done
Starting administrator_bitwarden_1 ... done
Attaching to administrator_bitwarden_1, administrator_caddy_1
bitwarden_1  | /--------------------------------------------------------------------\
bitwarden_1  | |                       Starting Bitwarden_RS                        |
bitwarden_1  | |                           Version 1.17.0                           |
bitwarden_1  | |--------------------------------------------------------------------|
bitwarden_1  | | This is an *unofficial* Bitwarden implementation, DO NOT use the   |
bitwarden_1  | | official channels to report bugs/features, regardless of client.   |
bitwarden_1  | | Send usage/configuration questions or feature requests to:         |
bitwarden_1  | |   https://bitwardenrs.discourse.group/                             |
bitwarden_1  | | Report suspected bugs/issues in the software itself at:            |
bitwarden_1  | |   https://github.com/dani-garcia/bitwarden_rs/issues/new           |
bitwarden_1  | \--------------------------------------------------------------------/
bitwarden_1  |
caddy_1      | 2020/11/19 23:06:28 /etc/Caddyfile:3 - Error during parsing: Unable to load certificate and key files for 'https://bitwardenrs.dangerling.com': open /home/administrator/Certificate.crt: no such file or directory
caddy_1      | exit status 1
bitwarden_1  | [2020-11-19 23:06:28.515][start][INFO] Rocket has launched from http://0.0.0.0:80
bitwarden_1  | [2020-11-19 23:06:28.515][ws][INFO] Listening for new connections on 0.0.0.0:3012.
caddy_1      | exit status 1
administrator_caddy_1 exited with code 1

5. What I already tried:

Google, but to be completely honest I am out of my element when it comes to docker, docker compose, and caddy. I have tried setting the permissions for the certificate files to 777 just in case caddy didn’t have read access to those files. Unfortunately several hours of googling have not helped here, as it seems very few are doing the same thing as me.

It’s likely I am missing out here on something fundamental, but as I said I am a little out of my element here.

6. Links to relevant resources:

Caddy v1 is EOL. I strongly recommend you upgrade to Caddy v2.

When running in Docker, you need to use volumes to share files with the container. Docker containers are… contained. They’re isolated from the rest of your system.

Giving files 777 permissions is almost always a bad idea. You’re throwing away all security provided by the Linux permission system.

You can use the official Docker image for Caddy v2 here: https://hub.docker.com/_/caddy/ (please read the documentation for proper usage)

You can find the Caddy v2 upgrade guide here:
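The following is an added example, not part of the original post and not the Caddy project's own code. It puts the reply's point into practice: the host directory holding the certificate is bind-mounted read-only into the caddy container, and the `tls` line in the Caddyfile refers to the path as seen inside the container rather than the host path. It also includes a small consistency check that flags exactly the mismatch behind the "no such file or directory" error above (a `tls` file argument that is not under any mounted container path). Assumptions: the host certificate directory is `/home/administrator/certs`, the official `caddy:2` image is used (so the Caddyfile lives at `/etc/caddy/Caddyfile`), and the site block is written in Caddy v2 syntax. The check is a coarse heuristic that scans every bind mount in the compose file, not only the caddy service's.

```shell
#!/bin/sh
# Added example (not from the original post): Caddy v2 behind docker-compose
# with a host-provided certificate mounted read-only into the container.
set -eu

# Files are written to a scratch directory; override WORKDIR to use your own.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# docker-compose.yml: /home/administrator/certs (assumed host path) is mounted
# read-only at /certs inside the caddy container. bitwarden never sees the key.
write_compose() {
cat > "$WORKDIR/docker-compose.yml" <<'EOF'
version: '3'

services:
  bitwarden:
    image: bitwardenrs/server
    restart: always
    volumes:
      - ./bw-data:/data
    environment:
      WEBSOCKET_ENABLED: 'true'
      SIGNUPS_ALLOWED: 'true'

  caddy:
    image: caddy:2
    restart: always
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - /home/administrator/certs:/certs:ro   # assumed host dir holding the .crt and .key
      - caddy_data:/data                      # persists Caddy's state across restarts
    ports:
      - 80:80
      - 443:443

volumes:
  caddy_data:
EOF
}

# Caddyfile (v2 syntax): tls points at the container-side paths under /certs.
# Websocket passthrough is automatic in v2; the exact-path matcher sends only
# /notifications/hub to port 3012, everything else (including /negotiate) to 80.
write_caddyfile() {
cat > "$WORKDIR/Caddyfile" <<'EOF'
bitwardenrs.dangerling.com {
    tls /certs/Certificate.crt /certs/CertKey.key

    header {
        Strict-Transport-Security "max-age=31536000;"
        X-Frame-Options "DENY"
    }

    reverse_proxy /notifications/hub bitwarden:3012
    reverse_proxy bitwarden:80
}
EOF
}

# The original post's tls line, kept here only so the check below can show
# that it would have been flagged before the container ever started.
write_broken_caddyfile() {
cat > "$WORKDIR/Caddyfile.broken" <<'EOF'
bitwardenrs.dangerling.com {
    tls /home/administrator/Certificate.crt /home/administrator/CertKey.key
}
EOF
}

# Returns 0 when every absolute file given to a tls directive sits under a
# container path that some "- host:container[:opts]" volume line mounts,
# and 1 otherwise. Coarse on purpose: it does not distinguish services.
tls_paths_covered() {
    compose="$1"; caddyfile="$2"
    # container-side target of each volume/port line (middle field)
    mounts=$(sed -n 's/^[[:space:]]*- [^:]*:\([^:#[:space:]]*\).*/\1/p' "$compose")
    # absolute-path arguments of every tls directive
    certs=$(awk '$1 == "tls" { for (i = 2; i <= NF; i++) if ($i ~ /^\//) print $i }' "$caddyfile")
    for f in $certs; do
        ok=0
        for m in $mounts; do
            case "$f" in
                "$m"|"$m"/*) ok=1 ;;
            esac
        done
        [ "$ok" -eq 1 ] || return 1
    done
    return 0
}

write_compose
write_caddyfile
if tls_paths_covered "$WORKDIR/docker-compose.yml" "$WORKDIR/Caddyfile"; then
    echo "ok: every tls file is under a mounted path (files written to $WORKDIR)"
else
    echo "mismatch: a tls file is not under any mounted container path" >&2
    exit 1
fi
```

Run it once to generate the two files, copy them next to your `bw-data` directory and start the stack with `docker-compose up`. The check is worth keeping around: it catches the host-path-versus-container-path confusion without needing Docker at all, and it fails closed if someone later points `tls` at a file outside the mounted directory.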