Vaultwarden with caddy DNS challenge

Hi, this is my first time posting; I hope I did everything right.

I've searched a lot for my problem, but everything I tried failed, so my last hope is here.

Thanks in advance for your time and help.

1. Output of caddy version:

v2.6.2 h1:wKoFIxpmOJLGl3QXoo6PNbYvGW4xLEgo32GPBEjWL8o=

2. How I run Caddy: (This is my actual config)

My Docker host is a Debian VM on a TrueNAS host.
I used xcaddy to build Caddy with the OVH module and renamed the binary "caddy".
I run Caddy in a Docker container via a docker-compose file and use a Caddyfile to set up a self-hosted vaultwarden.
In my OVH account I added an A record for home-vaultwarden.flq.ovh → 192.168.2.5

docker-compose.yml

  caddy:
    image: caddy:2
    container_name: home-caddy
    restart: always
    ports:
      - 80:80
      - 443:443
    networks:
      homenetwork:
        ipv4_address: 192.168.2.6
    volumes:
      - ./caddy/caddy:/usr/bin/caddy
      - ./caddy/Caddyfile:/etc/caddy/Caddyfile:ro
      - ./caddy/caddy-config:/config
      - ./caddy/caddy-data:/data
    environment:
      DOMAIN: "https://home-vaultwarden.flq.ovh"
      EMAIL: "myemail"
      LOG_FILE: "/data/access.log"
      ENDPOINT: "ovh-eu"
      APPLICATION_KEY: "MYAPPLICATION_KEY"
      APPLICATION_SECRET: "MYAPPLICATION_SECRET"
      CONSUMER_KEY: "MYCONSUMER_KEY"

  vaultwarden:
    image: vaultwarden/server
    container_name: home-vaultwarden
    networks:
      homenetwork:
        ipv4_address: 192.168.2.5
    restart: always
    environment:
      WEBSOCKET_ENABLED: "true"
    volumes:
      - ./vaultwarden/vaultwarden-data:/data
Caddyfile 

{$DOMAIN}:443 {
        log {
                level INFO
                output file {$LOG_FILE} {
                        roll_size 10MB
                        roll_keep 10
                }
        }

        # Use the ACME DNS-01 challenge to get a cert for the configured domain.
        tls {
                dns ovh {
                        endpoint {$ENDPOINT}
                        application_key {$APPLICATION_KEY}
                        application_secret {$APPLICATION_SECRET}
                        consumer_key {$CONSUMER_KEY}
                }
        }

        # This setting may have compatibility issues with some browsers
        # (e.g., attachment downloading on Firefox). Try disabling this
        # if you encounter issues.
        # encode gzip

        # Notifications redirected to the WebSocket server
        reverse_proxy /notifications/hub home-vaultwarden:3012

        # Proxy everything else to Rocket
        reverse_proxy home-vaultwarden:80
}

3. The problem I’m having:

I can't reach my vaultwarden via HTTPS; it only works over HTTP.

4. Error messages and/or full log output:

Log of my Caddy container in Portainer

{"level":"info","ts":1666717918.6710472,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"warn","ts":1666717918.6722085,"msg":"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
{"level":"info","ts":1666717918.7030625,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1666717918.7033775,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1666717918.7033987,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1666717918.717901,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000296150"}
{"level":"info","ts":1666717918.7398272,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"info","ts":1666717918.7400386,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details."}
{"level":"info","ts":1666717918.7415555,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"info","ts":1666717918.7426543,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"info","ts":1666717918.7427006,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1666717918.7427113,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["home-vaultwarden.flq.ovh"]}
{"level":"info","ts":1666717918.8268254,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1666717918.8375309,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1666717918.8375502,"msg":"serving initial configuration"}
{"level":"info","ts":1666735918.9226694,"logger":"tls.cache.maintenance","msg":"advancing OCSP staple","identifiers":["home-vaultwarden.flq.ovh"],"from":1667037598,"to":1667339998}

Log of my vaultwarden container in Portainer

/--------------------------------------------------------------------\
|                        Starting Vaultwarden                        |
|                           Version 1.26.0                           |
|--------------------------------------------------------------------|
| This is an *unofficial* Bitwarden implementation, DO NOT use the   |
| official channels to report bugs/features, regardless of client.   |
| Send usage/configuration questions or feature requests to:         |
|   https://vaultwarden.discourse.group/                             |
| Report suspected bugs/issues in the software itself at:            |
|   https://github.com/dani-garcia/vaultwarden/issues/new            |
\--------------------------------------------------------------------/

[INFO] No .env file found.
[2022-10-26 08:27:13.272][vaultwarden::api::notifications][INFO] Starting WebSockets server on 0.0.0.0:3012
[2022-10-26 08:27:13.273][start][INFO] Rocket has launched from http://0.0.0.0:80

curl -Iv http://home-vaultwarden.flq.ovh --> OK, shows the vaultwarden page
curl -Iv https://home-vaultwarden.flq.ovh
*   Trying 192.168.2.5:443...
* connect to 192.168.2.5 port 443 failed: Connection refused
* Failed to connect to home-vaultwarden.flq.ovh port 443 after 34 ms: Connection refused
* Closing connection 0
curl: (7) Failed to connect to home-vaultwarden.flq.ovh port 443 after 34 ms: Connection refused

5. What I already tried:

I've tried:

Adding ROCKET_PORT to the vaultwarden environment
Changing the reverse proxy hostname to the IP and changing the port
Removing my network settings to use the default Docker network
Rebuilding my Caddy again and again (because I wasn't sure of myself)

6. Links to relevant resources:

A possibility to use local ip instead domain · Discussion #1491 · dani-garcia/vaultwarden · GitHub

Running a private vaultwarden instance with Let’s Encrypt certs · dani-garcia/vaultwarden Wiki · GitHub

Using Docker Compose · dani-garcia/vaultwarden Wiki · GitHub

GitHub - caddy-dns/ovh: Caddy module: dns.providers.ovh

Hi :)

Caddy managed to issue a certificate for your domain (home-vaultwarden.flq.ovh).
Just to be sure we are on the same page:

  • That’s an internal IP, so it won’t be reachable outside your home network (unless you have set up a VPN too)
  • Your A record points to 192.168.2.5, but the Caddy container in your docker-compose.yml reads ipv4_address: 192.168.2.6. Caddy is supposed to terminate https:// for vaultwarden (“make vaultwarden accessible via https://”). Thus, all traffic must go through Caddy, so you need to change the IP. Either change the DNS record to the current Caddy container IP, or do a little switcheroo and swap the IPs in your docker-compose.yml. I would recommend the latter, so you don’t run into DNS caching, but it doesn’t really matter all that much.
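The mismatch emilylange points out can be checked mechanically before touching DNS. The following is an added example (not code from the thread, Caddy or vaultwarden): it models the two containers, their fixed addresses and the ports each process binds (taken from the compose file and the container logs quoted above), then traces where a TLS connection for the site name actually lands. It also reports the A record as RFC 1918, which is why the site is LAN/VPN-only, and shows both fixes from the reply: swapping the container addresses, or repointing the A record. The `Service` model and the listening-port sets are assumptions transcribed from the post, not something read from a running Docker host.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    ipv4_address: str
    listens: frozenset  # TCP ports the process inside the container binds, per its log


# Constructed from the docker-compose.yml and logs in the post (assumption, not live data).
SERVICES = (
    Service("caddy", "192.168.2.6", frozenset({80, 443})),          # TLS terminator, HTTP->HTTPS redirect
    Service("vaultwarden", "192.168.2.5", frozenset({80, 3012})),   # Rocket on :80, WebSocket on :3012
)
DNS_A = {"home-vaultwarden.flq.ovh": "192.168.2.5"}  # A record as created in the OVH zone
TLS_TERMINATOR = "caddy"                               # the only service that holds the certificate


def who_answers(hostname, port, dns_a=DNS_A, services=SERVICES):
    """Return (service_name, listening) for a TCP connect to hostname:port.

    (None, False) means the A record points at an address no service owns."""
    ip = dns_a.get(hostname)
    for svc in services:
        if svc.ipv4_address == ip:
            return svc.name, port in svc.listens
    return None, False


def diagnose(hostname, dns_a=DNS_A, services=SERVICES):
    """Human-readable findings explaining why https://hostname does or does not work."""
    findings = []
    ip = dns_a.get(hostname)
    if ip is None:
        return [f"no A record for {hostname}"]
    if ipaddress.ip_address(ip).is_private:
        findings.append(f"{ip} is RFC 1918: reachable only inside the LAN/VPN")
    name, listening = who_answers(hostname, 443, dns_a, services)
    if name != TLS_TERMINATOR:
        findings.append(f"A record sends TLS to {name or 'nothing'} ({ip}), not to {TLS_TERMINATOR}")
    if not listening:
        findings.append(f"{name or ip} does not listen on 443: expect 'Connection refused'")
    return findings


def https_path_ok(hostname, dns_a=DNS_A, services=SERVICES):
    """True when the name resolves to the TLS terminator and it is bound on 443."""
    name, listening = who_answers(hostname, 443, dns_a, services)
    return name == TLS_TERMINATOR and listening


def swap_addresses(services, a, b):
    """Copy of services with the ipv4_address of a and b exchanged (the fix chosen in the thread)."""
    addr = {s.name: s.ipv4_address for s in services}
    return tuple(
        Service(s.name, {a: addr[b], b: addr[a]}.get(s.name, s.ipv4_address), s.listens)
        for s in services
    )


if __name__ == "__main__":
    host = "home-vaultwarden.flq.ovh"
    for finding in diagnose(host):
        print("before:", finding)
    # Fix 1: swap the container IPs so the existing A record lands on Caddy.
    fixed = swap_addresses(SERVICES, "caddy", "vaultwarden")
    print("after swap:", "https OK" if https_path_ok(host, services=fixed) else diagnose(host, services=fixed))
    # Fix 2: leave the containers alone and repoint the A record at Caddy.
    repointed = {host: "192.168.2.6"}
    print("after DNS change:", "https OK" if https_path_ok(host, dns_a=repointed) else diagnose(host, dns_a=repointed))
```

The `curl` output in the question matches the first branch exactly: the name resolves to 192.168.2.5, which is the vaultwarden container, and nothing there is bound on 443, so the kernel answers with RST ("Connection refused") before any TLS handshake. Caddy's own log line "enabling automatic TLS certificate management" only proves the DNS-01 challenge succeeded, which says nothing about where clients end up.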

Hi @emilylange

Thank you so much.

Yes, this is only for internal use.

I feel kind of dumb. Now that you've written it out, it seems logical.
I thought that my record needed to point to vaultwarden, but no, it has to point to Caddy, and Caddy does the redirection to vaultwarden.

So, as you said, I just swapped my vaultwarden and Caddy IPs so my record points to the Caddy container, and it works perfectly.


To be precise, you’re proxying, not redirecting. A redirect is a separate concept, i.e. having the server tell the client to try again but with a different URL.
