Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS

Started by Monviech (Cedrik), February 09, 2024, 01:31:44 PM

To be able to read it means to have found it. In other words, to have seen it. I guess I haven't. So everything is fine. Thank you!

Hi Monviech

New user to OPNsense here. I followed the installation guide and set up the firewall rules. However something is still missing when I attempt to create a new domain and it doesn't end up working.

For starters on my Caddy Certificates widget it says "Caddy does not manage any automatic certificates" and I get the following error from my logs

2024-08-15T16:10:33-05:00 Error caddy "error","ts":"2024-08-15T21:10:33Z","logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"opnsense-test.marquez.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:unauthorized - Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge"}
2024-08-15T16:10:33-05:00 Error caddy "error","ts":"2024-08-15T21:10:33Z","logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"opnsense-test.marquez.com","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1893209516/296576201246","attempt":2,"max_attempts":3}
2024-08-15T16:10:33-05:00 Error caddy "error","ts":"2024-08-15T21:10:33Z","logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"opnsense-test.marquez.com","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]}}

Would appreciate any help trying to figure out what I haven't configured correctly. Appreciate the help!

The error means that the TLS-ALPN-01 challenge fails.

Without knowing more of the infrastructure it's hard to help.

Make sure Caddy can receive traffic directed to it for your Domain Name, on IPv4 and (if available) IPv6. That means the A and AAAA records have to point to the external IP address of the OPNsense, or to the external IP of the router you use that forwards or DNATs this traffic to the OPNsense with Caddy.

If you can't open the Firewall for ACME, consider using the DNS-01 challenge with a DNS Provider to receive certificates without Firewall issues.
Hardware:
DEC740

Thanks for confirming. I was researching for a couple of hours and finally realized my issue. I need a domain first and to point it in the right spot. I was so new and your tutorial made it seem so simple that that part never registered. Thank you, I think once I sort that out I should be good to go.

Yeah the tutorial does imply some knowledge about how the domain name system works, and that you need your own domains and stuff.

But it's hard to make it clearer because at some point you just have to assume a certain level of knowledge, or you have to start with Adam and Eve in these tutorials.

Happy you understood what's not working and how to fix it. :)
Hardware:
DEC740

Quote from: Monviech on August 14, 2024, 06:30:11 AM
It depends on the provider, all of them are different, and all of the modules are written by different people so they do not all share the same featureset.

Best go to https://github.com/caddy-dns and find the provider you are using and open an issue where you also share part of your caddyfile.

The problem with the IONOS DNS Plugin is fixed and working as it should when "Update only" is selected. See Issue: https://github.com/caddy-dns/ionos/issues/7

Will Caddy be updated automatically in the near future by OPNsense or do I have to stick with my own build? Not sure how it works.

Thanks for taking care of it.

I'll update the build for the next os-caddy version (1.6.3).

The build works like this:

https://github.com/opnsense/tools/blob/a1c883deffd29c15588e852f7a143bea04d7214a/config/24.7/make.conf#L97

The commit hashes are updated manually every once in a while to keep the build reproducible.
Hardware:
DEC740

I'm still waiting for another module to get an update so I won't update the dependencies for this minor version since I want to do it in one swoop.

I'm gonna try again for os-caddy-1.6.4.
Hardware:
DEC740


Quote from: Monviech on August 20, 2024, 07:02:26 PM
I'm gonna try again for os-caddy-1.6.4.

Is the IONOS Patch included in 1.6.4?


Never mind. Thought I'd seen 1.6.4 but it's 1.6.3_1

@Aergernis

I have updated the build though, so just go to packages and press "reinstall" on "caddy-custom". The ionos patch should be included then.

https://github.com/opnsense/tools/pull/429

@W0nderW0lf

I did not know an answer there, best go to https://caddy.community.
Hardware:
DEC740

I have allowed ports 80 and 443 on both WAN and LAN for Caddy. If I now set a subdomain in Caddy for a LAN application: https://foo.example.com:8843, do I then have to allow the port on WAN and on LAN or is LAN sufficient? The application should not be accessible from the Internet.


Do you have any advice on how I can get wordpress working. I have Caddy working with these domains except wp.domain.org:
       
kuma.domain.org
unraid.domain.org
proxmox.domain.org
portainer.domain.org
wp.domain.org

All of them (Kuma, unRaid, Proxmox, and Portainer) come up with no problem. Certificates working as well. Except for WordPress. Kuma, Portainer and WordPress are all docker containers. When I try to load WordPress I get a "Bad gateway, Error code 502" from Cloudflare. I just don't understand why all the others work, but WordPress doesn't. Any advice would be greatly appreciated.

I get these two errors from Caddy. I took out my IPs and replaced them with DOMAIN for this message:

"error","ts":"2024-09-10T20:59:47Z","logger":"http.log.access","msg":"handled request","request":{"remote_ip":"DOMAIN","remote_port":"62058","client_ip":"DOMAIN","proto":"HTTP/2.0","method":"GET","host":"DOMAIN","uri":"/","headers":{"Accept-Language":["en-US,en;q=0.5"],"Sec-Fetch-User":["?1"],"X-Forwarded-Proto":["https"],"Cf-Ipcountry":["US"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8"],"X-Forwarded-For":["DOMAIN"],"Priority":["u=0, i"],"Accept-Encoding":["gzip, br"],"Sec-Fetch-Site":["none"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"Upgrade-Insecure-Requests":["1"],"Cdn-Loop":["cloudflare; loops=1"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0"],"Cf-Ray":["8c1257f16b642863"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-Dest":["document"],"Sec-Gpc":["1"],"Cf-Connecting-Ip":["DOMAIN"],"Dnt":["1"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"DOMAIN"}},"bytes_read":0,"user_id":"","duration":3.011785027,"size":0,"status":502,"resp_headers":{"Server":["Caddy"],"Alt-Svc":["h3=\":443\"; ma=2592000"]}}

"error","ts":"2024-09-10T20:59:47Z","logger":"http.log.error","msg":"dial tcp 10.10.72.10:8189: i/o timeout","request":{"remote_ip":"DOMAIN","remote_port":"62058","client_ip":"DOMAIN","proto":"HTTP/2.0","method":"GET","host":"DOMAIN","uri":"/","headers":{"X-Forwarded-Proto":["https"],"Cf-Ipcountry":["US"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8"],"Accept-Language":["en-US,en;q=0.5"],"Sec-Fetch-User":["?1"],"X-Forwarded-For":["DOMAIN"],"Priority":["u=0, i"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"Upgrade-Insecure-Requests":["1"],"Cdn-Loop":["cloudflare; loops=1"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0"],"Accept-Encoding":["gzip, br"],"Sec-Fetch-Site":["none"],"Sec-Fetch-Dest":["document"],"Sec-Gpc":["1"],"Cf-Connecting-Ip":["DOMAIN"],"Dnt":["1"],"Cf-Ray":["8c1257f16b642863"],"Sec-Fetch-Mode":["navigate"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"DOMAIN"}},"duration":3.011785027,"status":502,"err_id":"hydwhx7fz","err_trace":"reverseproxy.statusError (reverseproxy.go:1269)"}

Hey. The log states that caddy is unable to connect to
dial tcp 10.10.72.10:8189: i/o timeout

It's a Layer 3 problem. Maybe a typo? Or the host has a firewall rule that denies access from the IP Caddy comes from? It must be a network problem.

https://caddy.community/t/log-i-o-timeout-meaning/20048
Hardware:
DEC740
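Both failures in this thread (the TLS-ALPN-01 challenge rejected by Let's Encrypt, and the "dial tcp ... i/o timeout" behind the 502) are diagnosed by reading Caddy's JSON log, and the copies pasted here show the usual damage from copying out of the OPNsense GUI: a log prefix in front of the JSON and a missing `{"level":` opener. The following script is an added example, not code from the thread or from the os-caddy plugin; it repairs such lines, parses them, and sorts them into "ACME challenge failed" (with the inbound port that challenge needs) and "upstream unreachable" (a Layer 3/4 problem, as Monviech notes). The sample log lines, hostnames and the upstream address in it are constructed placeholders.

```python
import json
import re

# Constructed sample modelled on the log lines quoted in this thread (hostnames
# and the upstream address are placeholders). Lines 1-2 reproduce the copy-paste
# damage seen above: an OPNsense log prefix and a lost '{"level":' opener.
SAMPLE_LOG = r'''
2024-08-15T16:10:33-05:00 Error caddy "error","ts":"2024-08-15T21:10:33Z","logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"host.example.invalid","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:unauthorized - Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge"}
"error","ts":"2024-08-15T21:10:33Z","logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"host.example.invalid","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]}}
{"level":"error","ts":"2024-09-10T20:59:47Z","logger":"http.log.error","msg":"dial tcp 10.10.72.10:8189: i/o timeout","request":{"host":"wp.example.invalid","uri":"/"},"status":502}
{"level":"info","ts":"2024-09-10T20:59:48Z","logger":"http.log.access","msg":"handled request","request":{"host":"kuma.example.invalid","uri":"/"},"status":200}
'''

# Where a Caddy JSON object starts: either intact, or with the opener lost.
_OPENER = re.compile(r'\{"level":|"(?:debug|info|warn|error)","ts":')
_CHALLENGE = re.compile(r"for (\S+) challenge")
_DIAL = re.compile(r"^dial tcp (\S+): (.+)$")

# What each ACME challenge type needs in order to reach Caddy.
_CHALLENGE_NEEDS = {
    "tls-alpn-01": "443/tcp from the Internet must reach Caddy",
    "http-01": "80/tcp from the Internet must reach Caddy",
    "dns-01": "no inbound port needed; check the DNS provider module and its API token",
}


def normalize_line(line):
    """Return a complete JSON object string, or None for non-JSON lines."""
    m = _OPENER.search(line)
    if not m:
        return None
    body = line[m.start():]
    if body.startswith('"'):  # the '{"level":' opener was lost in the paste
        body = '{"level":' + body
    return body


def parse_line(line):
    """Parse one (possibly mangled) log line into a dict, or None."""
    body = normalize_line(line)
    if body is None:
        return None
    try:
        return json.loads(body)
    except json.JSONDecodeError:
        return None


def triage(entry):
    """Classify one parsed entry; returns a finding dict or None if nothing to act on."""
    logger = entry.get("logger", "")
    msg = entry.get("msg", "")
    if logger == "tls.obtain" or logger.startswith("tls.issuance.acme"):
        challenge = entry.get("challenge_type")
        if challenge is None:  # tls.obtain lines only carry it in the error text
            m = _CHALLENGE.search(entry.get("error", "") + " " + msg)
            challenge = m.group(1) if m else "unknown"
        name = entry.get("identifier", "?")
        need = _CHALLENGE_NEEDS.get(challenge, "unrecognised challenge type")
        hint = f"ACME {challenge} failed for {name}: {need}."
        if challenge in ("tls-alpn-01", "http-01"):
            hint += (f" Check that the A/AAAA records for {name} point at the OPNsense WAN "
                     f"address (or the router that DNATs to it) and that the WAN firewall "
                     f"rule exists; if the port cannot be opened, switch to DNS-01.")
        return {"category": "acme", "target": name, "challenge": challenge, "hint": hint}
    if logger == "http.log.error":
        m = _DIAL.match(msg)
        if m:
            addr, reason = m.group(1), m.group(2)
            hint = (f"Caddy could not open a TCP connection to upstream {addr} ({reason}): "
                    f"a Layer 3/4 problem, not a Caddyfile problem. Check the upstream "
                    f"address for typos, routing from Caddy's interface, and a host "
                    f"firewall on the upstream that may drop Caddy's source IP.")
            return {"category": "upstream", "target": addr, "challenge": None, "hint": hint}
    return None


def triage_log(text):
    """Triage every line of a pasted log, de-duplicating repeated findings."""
    seen = set()
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        finding = triage(entry)
        if finding is None:
            continue
        key = (finding["category"], finding["target"], finding["challenge"])
        if key in seen:
            continue
        seen.add(key)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding["hint"])
```

Paste the relevant lines from System > Log Files (or the Caddy log widget) into `SAMPLE_LOG`, or feed a file through `triage_log`; the de-duplication folds the several lines Caddy emits per failed ACME attempt into one finding per hostname and challenge type.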