Vaultwarden with caddy DNS challenge

Hi, this is my first time posting, I hope I did everything right.

I've searched a lot for my problem, but everything I tried failed, so this is my last hope.

Thanks in advance for your time and help.

1. Output of caddy version:

v2.6.2 h1:wKoFIxpmOJLGl3QXoo6PNbYvGW4xLEgo32GPBEjWL8o=

2. How I run Caddy: (This is my actual config)

My Docker host is a Debian VM on a TrueNAS host.
I used xcaddy to build Caddy with the OVH module and renamed the binary "caddy".
I run Caddy in a Docker container via a docker-compose file and use a Caddyfile to set up a self-hosted Vaultwarden.
In my OVH account I added an A record for →

services:
  # Service names are not in the post; only the container_name values are.
  # The networks section with the static ipv4_address entries discussed in
  # the replies is not shown here either.
  caddy:
    image: caddy:2
    container_name: home-caddy
    restart: always
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./caddy/caddy:/usr/bin/caddy
      - ./caddy/Caddyfile:/etc/caddy/Caddyfile:ro
      - ./caddy/caddy-config:/config
      - ./caddy/caddy-data:/data
    environment:
      DOMAIN: ""
      EMAIL: "myemail"
      LOG_FILE: "/data/access.log"
      ENDPOINT: "ovh-eu"

  vaultwarden:
    image: vaultwarden/server
    container_name: home-vaultwarden
    restart: always
    volumes:
      - ./vaultwarden/vaultwarden-data:/data

{$DOMAIN}:443 {
        log {
                level INFO
                output file {$LOG_FILE} {
                        roll_size 10MB
                        roll_keep 10
                }
        }

        # Use the ACME DNS-01 challenge to get a cert for the configured domain.
        tls {
                dns ovh {
                        endpoint {$ENDPOINT}
                        application_key {$APPLICATION_KEY}
                        application_secret {$APPLICATION_SECRET}
                        consumer_key {$CONSUMER_KEY}
                }
        }

        # This setting may have compatibility issues with some browsers
        # (e.g., attachment downloading on Firefox). Try disabling this
        # if you encounter issues.
        # encode gzip

        # Notifications redirected to the WebSocket server
        reverse_proxy /notifications/hub home-vaultwarden:3012

        # Proxy everything else to Rocket
        reverse_proxy home-vaultwarden:80
}

3. The problem I’m having:

I can't reach my Vaultwarden via HTTPS; it only works over HTTP.

4. Error messages and/or full log output:

Log of my Caddy in Portainer

{"level":"info","ts":1666717918.6710472,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}

{"level":"warn","ts":1666717918.6722085,"msg":"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}

{"level":"info","ts":1666717918.7030625,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//"]}

{"level":"info","ts":1666717918.7033775,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}

{"level":"info","ts":1666717918.7033987,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}

{"level":"info","ts":1666717918.717901,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000296150"}

{"level":"info","ts":1666717918.7398272,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}

{"level":"info","ts":1666717918.7400386,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See for details."}

{"level":"info","ts":1666717918.7415555,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}

{"level":"info","ts":1666717918.7426543,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}

{"level":"info","ts":1666717918.7427006,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}

{"level":"info","ts":1666717918.7427113,"logger":"http","msg":"enabling automatic TLS certificate management","domains":[""]}

{"level":"info","ts":1666717918.8268254,"logger":"tls","msg":"finished cleaning storage units"}

{"level":"info","ts":1666717918.8375309,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}

{"level":"info","ts":1666717918.8375502,"msg":"serving initial configuration"}

{"level":"info","ts":1666735918.9226694,"logger":"tls.cache.maintenance","msg":"advancing OCSP staple","identifiers":[""],"from":1667037598,"to":1667339998}

Log of my Vaultwarden in Portainer

|                        Starting Vaultwarden                        |
|                           Version 1.26.0                           |
|                                                                    |
| This is an *unofficial* Bitwarden implementation, DO NOT use the   |
| official channels to report bugs/features, regardless of client.   |
| Send usage/configuration questions or feature requests to:         |
|                             |
| Report suspected bugs/issues in the software itself at:            |
|            |

FO] No .env file found.
[2022-10-26 08:27:13.272][vaultwarden::api::notifications][INFO] Starting WebSockets server on
[2022-10-26 08:27:13.273][start][INFO] Rocket has launched from

curl -Iv --> OK, shows the Vaultwarden page
curl -Iv
*   Trying
* connect to port 443 failed: Connection refused
* Failed to connect to port 443 after 34 ms: Connection refused
* Closing connection 0
curl: (7) Failed to connect to port 443 after 34 ms: Connection refused

5. What I already tried:

I've tried:

Adding ROCKET_PORT to the Vaultwarden environment
Changing the reverse proxy hostname to the IP, and changing the port
Removing my network settings and going back to the default Docker network
Rebuilding my Caddy again and again (because I wasn't sure of myself)

6. Links to relevant resources:

A possibility to use local ip instead domain · Discussion #1491 · dani-garcia/vaultwarden · GitHub

Running a private vaultwarden instance with Let’s Encrypt certs · dani-garcia/vaultwarden Wiki · GitHub

Using Docker Compose · dani-garcia/vaultwarden Wiki · GitHub

GitHub - caddy-dns/ovh: Caddy module:

Hi :slight_smile:

Caddy managed to issue a certificate for your domain (
Just to be sure we are on the same page:

  • That’s an internal IP, so it won’t be reachable outside your home network (unless you have set up a VPN too)
  • Your A record points to, but the Caddy container in your docker-compose.yml reads ipv4_address: Caddy is supposed to terminate https:// for vaultwarden (“make vaultwarden accessible via https://”). Thus, all traffic must go through Caddy, so you need to change the IP. Either change the DNS record to the current Caddy container IP, or do a little switcheroo and swap the IPs in your docker-compose.yml. I would recommend the latter, so you don’t run into DNS caching, but it doesn’t really matter all that much.
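
The reply above boils down to two checks: did Caddy take over TLS for the site, and does the A record point at the container that terminates TLS rather than at the backend. The script below is an added example (not code from this thread, nor from the Caddy or Vaultwarden projects) that encodes those checks and adds the caveat a reviewer would raise next: if the backend keeps its own IP on the LAN-facing network, it stays reachable over plain HTTP around Caddy. The log lines, the domain `vault.example.org`, the 192.168.1.x addresses and the service layout are all constructed for the example.

```python
"""Check the two things that decide whether https://<domain> reaches Caddy.

Added example, not code from this thread or from the Caddy or Vaultwarden
projects.  Given (a) Caddy's JSON log, (b) the IP the DNS A record resolves to
and (c) each container's static IP plus the ports reachable on it from the LAN,
it reports:
  - whether Caddy said it manages a certificate for the domain,
  - whether the A record points at the TLS-terminating container (caddy)
    rather than at the backend (vaultwarden),
  - whether the backend is still reachable over plain HTTP around caddy.
All inputs below are constructed; the IPs are RFC 1918 placeholders.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    ipv4_address: str           # static IP on the LAN-facing Docker network
    reachable_ports: frozenset  # ports clients can hit on that IP directly


def tls_managed_domains(log_lines):
    """Domains Caddy says it manages certificates for, from its JSON log."""
    domains = set()
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # Caddy also emits non-JSON lines; skip them
        if rec.get("msg") == "enabling automatic TLS certificate management":
            domains.update(rec.get("domains", []))
    return domains


def diagnose(domain, a_record, services, log_lines, tls_service="caddy"):
    """Return a list of findings; an empty list means the layout is sound."""
    findings = []
    if domain not in tls_managed_domains(log_lines):
        findings.append(f"caddy is not managing a certificate for {domain}")

    target = next((s for s in services if s.ipv4_address == a_record), None)
    if target is None:
        findings.append(f"A record {a_record} matches no container")
    elif target.name != tls_service:
        findings.append(f"A record points at {target.name}, not {tls_service}: "
                        "TLS is terminated by caddy, so traffic must enter there")
    elif 443 not in target.reachable_ports:
        findings.append(f"{tls_service} is not reachable on port 443")

    for s in services:
        if s.name != tls_service and s.reachable_ports:
            findings.append(f"{s.name} is reachable on {sorted(s.reachable_ports)} "
                            "without going through caddy (plaintext bypass)")
    return findings


# Constructed Caddy log excerpt in the same shape as the one in the post.
DOMAIN = "vault.example.org"
CADDY_LOG = [
    '{"level":"info","logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}',
    '{"level":"info","logger":"http","msg":"enabling automatic TLS certificate management","domains":["vault.example.org"]}',
    "2022/10/25 some non-JSON line",
]

# Constructed layout: the A record initially pointed at vaultwarden's IP.
SERVICES = [
    Service("caddy", "192.168.1.10", frozenset({80, 443})),
    Service("vaultwarden", "192.168.1.20", frozenset({80, 3012})),
]
# Same layout after taking vaultwarden off the LAN-facing network.
SERVICES_HARDENED = [
    Service("caddy", "192.168.1.10", frozenset({80, 443})),
    Service("vaultwarden", "192.168.1.20", frozenset()),
]

if __name__ == "__main__":
    cases = [("record -> vaultwarden", "192.168.1.20", SERVICES),
             ("record -> caddy", "192.168.1.10", SERVICES),
             ("record -> caddy, backend isolated", "192.168.1.10", SERVICES_HARDENED)]
    for label, ip, svcs in cases:
        print(label, diagnose(DOMAIN, ip, svcs, CADDY_LOG) or ["ok"])
```

Running it prints one line per case: with the record at the backend's IP you get the mismatch finding the reply describes, swapping the record to caddy's IP clears it, and only the layout where vaultwarden has no LAN-reachable ports comes back clean. The `reachable_ports` value is what you would fill in from `docker inspect` or a port scan of each container IP.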

Hi @IndeedNotJames

Thank you so much.

Yes, this is only for internal use.

I feel kind of dumb. Now that you have written this, it seems logical.
I thought that my record needed to point at Vaultwarden, but no, it has to point to Caddy, and Caddy does the redirection to Vaultwarden.

So, as you said, I just switched my Vaultwarden and Caddy IPs so my record points to the Caddy container, and it works perfectly.


To be precise, you’re proxying, not redirecting. A redirect is a separate concept, i.e. having the server tell the client to try again but with a different URL.
