1. Output of caddy version:
v2.6.2 h1:wKoFIxpmOJLGl3QXoo6PNbYvGW4xLEgo32GPBEjWL8o=
2. How I run Caddy:
a. System environment:
Ubuntu 22.04.1 LTS, 5.15.0-1017-raspi, aarch64
Caddy is running inside a docker container
b. Command:
docker-compose up -d
c. Service/unit/compose file:
version: "3.7"
services:
  caddy:
    container_name: caddy
    image: caddy
    ports:
      - "50404:80"
      - "60504:443"
      - "60504:443/udp"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - ./site:/srv
      - ./data:/data
      - ./config:/config
    restart: unless-stopped
networks:
  default:
    name: testing
    external: true
d. My complete Caddy config:
(basic-auth) {
    basicauth {
        user hashed-password
    }
}

family.xincept.xyz {
    tls /data/caddy/certificates/cert.pem /data/caddy/certificates/cert.key
    reverse_proxy 172.18.0.1:5678
    import basic-auth
}

port.xincept.xyz {
    tls /data/caddy/certificates/cert.pem /data/caddy/certificates/cert.key
    reverse_proxy 172.18.0.1:9001
    import basic-auth
}

git.xincept.xyz {
    tls myemail@gmail.com
    reverse_proxy 172.18.0.1:3000
    import basic-auth
}
3. The problem I’m having:
I have some services running with a Cloudflare origin certificate [family.xincept.xyz, port.xincept.xyz], and others with Let's Encrypt [git.xincept.xyz].
I can't seem to run both. It works perfectly fine if I just run the ones with the origin cert, or just the Let's Encrypt one. When I include both, the origin cert ones work fine [family, port], but the Let's Encrypt one [git] shows up with a Cloudflare SSL cert, and since it's using Let's Encrypt I get a “not secure, your connection is not private”. The moment I remove port and family [CF] and keep git [Let's Encrypt], it's back to normal with the correct SSL cert (Let's Encrypt).
The first subdomain I added was “git”, and I was issued a Let's Encrypt cert. It worked, so then I decided to add more subdomains, and after I added the ones using the CF origin cert (“port”, “family”) it is completely ignoring the Let's Encrypt cert.
4. Error messages and/or full log output:
2022-10-30T05:36:58.483247791Z {"level":"info","ts":1667108218.4828503,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
2022-10-30T05:36:58.491776969Z {"level":"info","ts":1667108218.491429,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//[::1]:2019","//127.0.0.1:2019","//localhost:2019"]}
2022-10-30T05:36:58.492348369Z {"level":"info","ts":1667108218.4921145,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x400043ce70"}
2022-10-30T05:36:58.493530170Z {"level":"warn","ts":1667108218.493308,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [cloudflare origin certificate *.xincept.xyz xincept.xyz]: no URL to issuing certificate"}
2022-10-30T05:36:58.493738131Z {"level":"debug","ts":1667108218.493536,"logger":"events","msg":"event","name":"cached_unmanaged_cert","id":"4a6a28ef-43e0-42f9-b865-558546b7d009","origin":"tls","data":{"sans":["cloudflare origin certificate","*.xincept.xyz","xincept.xyz"]}}
2022-10-30T05:36:58.493800130Z {"level":"debug","ts":1667108218.493613,"logger":"tls.cache","msg":"added certificate to cache","subjects":["cloudflare origin certificate","*.xincept.xyz","xincept.xyz"],"expiration":2104022221,"managed":false,"issuer_key":"","hash":"fbf4dc799612924b5b6ff92bfe19404117e54d6431d2be5df05402d152657844","cache_size":1,"cache_capacity":10000}
2022-10-30T05:36:58.494228662Z {"level":"info","ts":1667108218.4940534,"logger":"http","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"port.xincept.xyz","server_name":"srv0"}
2022-10-30T05:36:58.494269884Z {"level":"info","ts":1667108218.4941003,"logger":"http","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"git.xincept.xyz","server_name":"srv0"}
2022-10-30T05:36:58.494295402Z {"level":"info","ts":1667108218.4941223,"logger":"http","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"family.xincept.xyz","server_name":"srv0"}
2022-10-30T05:36:58.494319050Z {"level":"info","ts":1667108218.49414,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
2022-10-30T05:36:58.496482358Z {"level":"info","ts":1667108218.4962194,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
2022-10-30T05:36:58.496673837Z {"level":"info","ts":1667108218.4964697,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
2022-10-30T05:36:58.496996444Z {"level":"info","ts":1667108218.4968154,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details."}
2022-10-30T05:36:58.497381107Z {"level":"debug","ts":1667108218.4971159,"logger":"http","msg":"starting server loop","address":"[::]:443","tls":true,"http3":true}
2022-10-30T05:36:58.497436365Z {"level":"info","ts":1667108218.4971695,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
2022-10-30T05:36:58.497733695Z {"level":"debug","ts":1667108218.4973693,"logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}
2022-10-30T05:36:58.497817213Z {"level":"info","ts":1667108218.4974277,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
2022-10-30T05:36:58.498290429Z {"level":"info","ts":1667108218.4980798,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
2022-10-30T05:36:58.498345429Z {"level":"info","ts":1667108218.49813,"msg":"serving initial configuration"}
2022-10-30T05:36:58.500632106Z {"level":"info","ts":1667108218.5001671,"logger":"tls","msg":"finished cleaning storage units"}
5. What I already tried:
Before I noticed I was still being issued a Cloudflare cert for “git”:
- I tried using ZeroSSL instead of Let's Encrypt
- tried switching the order of which subdomain was first, in case that played a role (it did not)
- tried setting email myemail.gmail.com as a global flag instead of inside each subdomain
When I noticed I was being issued a Cloudflare cert instead of the previous Let's Encrypt cert it had:
- changed the SSL mode on Cloudflare (Flexible, Full, Full (strict))
Another thing to note: on Cloudflare I only have proxying enabled for the ones with the origin cert; the “git” one is DNS only, since it's supposed to be using Let's Encrypt. I was previously using npm with the same setup (using both Let's Encrypt and the origin cert for different services) and it worked fine, but I wanted to move over to Caddy, so I know it worked.
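The log in section 4 already contains the explanation: the origin certificate loaded from disk is cached as an unmanaged certificate whose SANs include the wildcard *.xincept.xyz, and immediately afterwards Caddy logs "skipping automatic certificate management because one or more matching certificates are already loaded" for all three names, git.xincept.xyz included, because the wildcard covers that name too. The script below is an added example (not Caddy's code and not part of the original post) that makes that link explicit: it parses the JSON log lines quoted above, applies the standard RFC 6125 wildcard matching rule, and reports which unmanaged SAN covered each skipped domain. The set of names the operator intended to be ACME-managed is an assumption supplied by the caller; here it is taken from the Caddyfile, where only git.xincept.xyz uses `tls` with an email address.

```python
import json

# Log lines copied from section 4 of the post above, with the container
# timestamps stripped. Only the lines relevant to certificate selection
# are kept; nothing here is constructed.
LOG_LINES = [
    '{"level":"debug","ts":1667108218.493536,"logger":"events","msg":"event",'
    '"name":"cached_unmanaged_cert","id":"4a6a28ef-43e0-42f9-b865-558546b7d009",'
    '"origin":"tls","data":{"sans":["cloudflare origin certificate","*.xincept.xyz","xincept.xyz"]}}',
    '{"level":"info","ts":1667108218.4940534,"logger":"http","msg":"skipping automatic certificate '
    'management because one or more matching certificates are already loaded",'
    '"domain":"port.xincept.xyz","server_name":"srv0"}',
    '{"level":"info","ts":1667108218.4941003,"logger":"http","msg":"skipping automatic certificate '
    'management because one or more matching certificates are already loaded",'
    '"domain":"git.xincept.xyz","server_name":"srv0"}',
    '{"level":"info","ts":1667108218.4941223,"logger":"http","msg":"skipping automatic certificate '
    'management because one or more matching certificates are already loaded",'
    '"domain":"family.xincept.xyz","server_name":"srv0"}',
]

SKIP_PREFIX = "skipping automatic certificate management"


def san_matches(san, hostname):
    """RFC 6125 section 6.4.3 style host matching: case-insensitive, and a
    wildcard may stand in for exactly one whole leftmost label."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if san == hostname:
        return True
    if san.startswith("*."):
        suffix = san[2:].split(".")
        labels = hostname.split(".")
        # "*.xincept.xyz" covers "git.xincept.xyz" but neither "xincept.xyz"
        # nor "a.b.xincept.xyz"
        return len(labels) == len(suffix) + 1 and labels[1:] == suffix
    return False


def parse_unmanaged_sans(log_lines):
    """Collect the SANs of every certificate Caddy reported as loaded from
    disk (the cached_unmanaged_cert event), i.e. not obtained via ACME."""
    sans = []
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("name") == "cached_unmanaged_cert":
            sans.extend(rec["data"]["sans"])
    return sans


def explain_skipped_domains(log_lines):
    """For each domain whose automatic management was skipped, list the
    unmanaged SANs that cover it (an empty list means the skip was caused
    by something this script does not see)."""
    unmanaged = parse_unmanaged_sans(log_lines)
    report = {}
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("msg", "").startswith(SKIP_PREFIX):
            domain = rec["domain"]
            report[domain] = [san for san in unmanaged if san_matches(san, domain)]
    return report


def unintended_overrides(log_lines, acme_intended):
    """Domains the operator meant to have ACME-managed but which a loaded
    certificate covers instead. `acme_intended` is the caller's assumption;
    for this post it is {"git.xincept.xyz"}, the one site block using
    `tls <email>`."""
    report = explain_skipped_domains(log_lines)
    return [d for d in sorted(report) if d in acme_intended and report[d]]


if __name__ == "__main__":
    for domain, sans in explain_skipped_domains(LOG_LINES).items():
        print(f"{domain}: automatic management skipped, covered by unmanaged SAN(s) {sans}")
    print("served by a loaded cert although ACME was intended:",
          unintended_overrides(LOG_LINES, {"git.xincept.xyz"}))
```

The check generalizes to any Caddy JSON log: whenever a site block loads a certificate file with `tls <cert> <key>` in the same process as ACME-managed sites, every name covered by that certificate's SANs, including sibling names under a wildcard, will show the "skipping automatic certificate management" message, and the browser will see the loaded certificate rather than an ACME one. Running this over the log after each config change surfaces that overlap before a user reports a certificate warning.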