Want to load my letsencrypt certificates

1. My Caddy version (caddy -version):

I use docker image: abiosoft/caddy

2. How I run Caddy:

docker-compose up -d

a. System environment:

Docker version 19.03.3, build a872fc2
docker-compose version 1.23.2, build 1110ad01

b. Command:

docker-compose up -d

c. Service/unit/compose file:

    version: '3'
    volumes:
      caddy:

    services:
      caddy:
        image: abiosoft/caddy
        ports:
          - 80:80
          - 443:443
        volumes:
          # Only the Caddyfile and the ACME storage directory are mounted;
          # the host's /opt/certs is not, so that path does not exist inside the container.
          - /opt/Caddyfile:/etc/Caddyfile
          - $HOME/.caddy:/root/.caddy
        environment:
          ACME_AGREE: 'true'

d. My complete Caddyfile:

status.serverkurma.com {
  proxy / netdata:19999
  tls /opt/certs/fullchain.pem /opt/certs/privkey.pem
}

3. The problem I’m having:

I have Let's Encrypt certificates fullchain.pem and privkey.pem. I want to start the Caddy Docker container with them and use those local certificate files I uploaded.

4. Error messages and/or full log output:

2019/10/12 15:17:43 /etc/Caddyfile:3 - Error during parsing: Unable to load certificate and key files for 'status.serverkurma.com': open /opt/certs/fullchain.pem: no such file or directory

5. What I already tried:

Changing the tls block didn't help at all. Changed permissions of the certs folder.

My cert files are in the /opt folder:

drw-r-----  2 root www-data 4096 Oct 12 17:14 certs/

Thank you.

I fixed the volume problem; now I get this error:

2019/10/12 19:07:54 [INFO] Successfully loaded TLS assets from /etc/ssl/fullchain.pem and /etc/ssl/privkey.pem
Activating privacy features... done.

Serving HTTPS on port 2015
https://status.serverkurma.com:2015

2019/10/12 19:07:54 [INFO] Serving https://status.serverkurma.com:2015
2019/10/12 19:07:54 [INFO][cache:0xc000032820] Started certificate maintenance routine
2019/10/12 19:07:54 [WARNING] Sending telemetry (attempt 1): Post https://telemetry.caddyserver.com/v1/update/9c4a6c78-3cbb-41ad-be77-d02eac89f471: x509: certificate signed by unknown authority - backing off and retrying
2019/10/12 19:08:02 [WARNING] Sending telemetry (attempt 2): Post https://telemetry.caddyserver.com/v1/update/9c4a6c78-3cbb-41ad-be77-d02eac89f471: x509: certificate signed by unknown authority - backing off and retrying
2019/10/12 19:08:30 [WARNING] Sending telemetry (attempt 3): Post https://telemetry.caddyserver.com/v1/update/9c4a6c78-3cbb-41ad-be77-d02eac89f471: x509: certificate signed by unknown authority - backing off and retrying
2019/10/12 19:09:34 [ERROR] Sending telemetry: Post https://telemetry.caddyserver.com/v1/update/9c4a6c78-3cbb-41ad-be77-d02eac89f471: x509: certificate signed by unknown authority


My config:

status.serverkurma.com {
  tls /etc/ssl/fullchain.pem /etc/ssl/privkey.pem

  tls {
    ask http://localhost:19999
  }

  proxy / netdata:19999
}

I added this block and it started working:

tls {
    ask http://localhost:19999
}

but why?

Hi @abakisensoy, welcome to the Caddy community.

Have a look at the documentation for Automatic HTTPS - emphasis mine:

Caddy automatically enables HTTPS for all your sites, given that some reasonable criteria are met:

  • The hostname:
    • is not empty
    • is not localhost
    • is not an IP address
    • has no more than 1 wildcard ( * )
    • wildcard must be left-most label
  • The port is not explicitly 80
  • The scheme is not explicitly http
  • TLS is not turned off in site’s definition
  • Certificates and keys are not provided by you
  • Caddy is able to bind to ports 80 and 443 (unless you use the DNS challenge)

Automatic HTTPS — Caddy Documentation

Since you provided keys, Automatic HTTPS is disabled. With Automatic HTTPS disabled, Caddy does not manage your certificate, set up a redirect listener, or move the port to 443 - it sticks with the default port 2015.

You’d have to configure your sites manually to replicate the behaviour of Automatic HTTPS.


Thank you I understand now.

Could you give me any guides or docs on how to set up a redirect listener, or move the port to 443?

Redirects are done with the redir directive:

https://caddyserver.com/docs/redir

You can specify the port in the site label:

https://caddyserver.com/docs/http-caddyfile#addresses

As a quick note also, the port is implicit in the scheme, so instead of specifying :443 for example you could use https:// (which I find looks nicer and is more intuitive).
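Putting the two replies together, the following Caddyfile is the manual equivalent of Automatic HTTPS for the site in this thread. It is an added example, not something posted by either participant. It assumes the certificate chain and key are bind-mounted into the container at /etc/ssl/ (the paths from the second log above, which the original compose file did not mount; a third volumes entry mapping the host directory onto /etc/ssl is needed for that), that ports 80 and 443 are published as in the compose file, and that the upstream is reachable as netdata:19999. The {host} and {uri} placeholders are standard Caddy v1 redir placeholders.

```caddyfile
# Serve the site on 443 via the https:// scheme (the port is implicit in the
# scheme) with the operator-supplied chain and key. Because the certificate is
# provided, Automatic HTTPS is off: Caddy will neither move the port off 2015
# nor add a redirect listener, so both are declared explicitly here.
https://status.serverkurma.com {
  tls /etc/ssl/fullchain.pem /etc/ssl/privkey.pem
  proxy / netdata:19999
}

# Replicate the redirect listener Automatic HTTPS would have created:
# answer plain HTTP on 80 and send every request to the HTTPS site.
http://status.serverkurma.com {
  redir https://{host}{uri}
}
```

Without the https:// scheme (or an explicit :443) a site with user-supplied certificates stays on the default port 2015, exactly as the second log above shows. The tls { ask ... } block is the Caddy v1 On-Demand TLS approval endpoint; it plays no part in loading the files named in the tls directive, so it is left out here. Since Caddy is not managing these files, renewing them on the host and reloading Caddy afterwards is the operator's responsibility.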
