Woke up this morning to all caddy hosted services showing "invalid cert authority" on LAN not WAN

1. Caddy version (caddy version):

v2.1.1 h1:X9k1+ehZPYYrSqBvf/ocUgdLSRIuiNiMo7CvyGUQKeA=

2. How I run Caddy:

caddy run through docker on a raspberry pi4 with the path to the config set as volume mount

a. System environment:

docker on raspberry pi4

b. Command:

sudo docker start caddy

d. My complete Caddyfile or JSON config:


3. The problem I’m having:

I woke up this morning to my caddy hosted emby site saying “invalid certificate authority” in every browser. When i attempted to bypass that warning and continue to the site, i get “forbidden, your client does not have permission to get this page from this server”.

the absolutely strange thing is, this ONLY happens on LAN. On WAN it appears to work just fine.

As you can see, my caddy file is incredibly simple and has been running for months with no issue and then all of a sudden it stops working on WAN. What could have possibly happened?

4. Error messages and/or full log output:

5. What I already tried:

I’ve made separate docker caddy containers with all new config files and started from scratch to no avail

i’ve tried doing caddy untrust / trust commands.
I’ve tried apt-get update on the Pi to see if any of the openssl packages needed updating.
I’ve confirmed the Pi’s internal time is correct to see if that was causing any SSL cert issues
I’ve seen that using a CURL with https:emby.from-pa.com on the pi itself works fine, but doing it on any other LAN device results in some variation of “could not establish trust relation for the SSL/TLS secure channel”

on LAN typing the local IP + port pulls up emby just fine, but not emby.from-pa.com which makes me think it’s some sort of NAT hairpin issue that just suddenly emerged??

Any help at all is appreciated. I’ve been pulling my hair out at this all day and how this seemingly came from nowhere so i feel like it’s a really simple fix but i just can’t grasp it.

I think that’s likely the case. Typically the solution to this is to make sure your domain resolves to the LAN IP address instead, using a DNS server in your home network, like dnsmasq or CoreDNS.

If you run host emby.from-pa.com from one of the machines on your network, what do you see?

If you add <your-rpi's-IP> emby.from-pa.com to the /etc/hosts file on one of your machines, does it start working? This is a temporary override of DNS for that domain.

If that doesn’t work, the issue is likely with the certificate being served.

You literally fixed the issue. Adding it to the host file on the machine fixed it. You’re a saint!!

Is there a way to roll this out to all network connected devices centrally, specifically smart-phone devices on my network? I’m still speechless as to how this issue just materialized over night but at least i know what it is now! Thank you!

Yeah, like I said, run a DNS server in your network and configure your router to point to it. You should be able to find guides online.

This topic was automatically closed after 30 days. New replies are no longer allowed.