Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS

[Baender]

To be able to read it means to have found it. In other words, to have seen it. I guess I haven't. So everything is fine. Thank you!

[otakian]

Hi Monvlech

New user to OPNsense here. I followed the installation guide and setup the firewall rules. However something is still missing when I attempt to create a new domain and it doesn't end up working.

For starters on my Caddy Certificates widget it says "Caddy does not manage any automatic certificates" and I get the following error from my logs

Code: [Select]

2024-08-15T16:10:33-05:00 Error caddy "error","ts":"2024-08-15T21:10:33Z","logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"opnsense-test.marquez.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:unauthorized - Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge"}

Code: [Select]

2024-08-15T16:10:33-05:00 Error caddy "error","ts":"2024-08-15T21:10:33Z","logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"opnsense-test.marquez.com","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1893209516/296576201246","attempt":2,"max_attempts":3}

Code: [Select]

2024-08-15T16:10:33-05:00 Error caddy "error","ts":"2024-08-15T21:10:33Z","logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"opnsense-test.marquez.com","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]}}
Would appreciate any help trying to figure out what I haven't configured correctly. Appreciate the help!

[Monviech]

The error means that the TLS-ALPN-01 challenge fails.

Without knowing more of the infrastructure its hard to help.

Make sure Caddy can receive traffic directed to it for your Domain Name, on IPv4 and (if available) IPv6. That means the A and AAAA records have to point to the external IP address of the OPNsense, or to the external IP of the router you use that forwards or DNATs this traffic to the OPNsense with Caddy.

If you can't open Firewall for ACME, consider using the DNS-01 challenge with a DNS Provider to receive certificatea without Firewall issues.

[otakian]

Thanks for confirming. I was researching for a couple of hours and finally realized my issue. I need a domain first and to point it in the right spot. I was so new and your tutorial made it seem so simple that that part never registered. Thank you, I think once I sort that out I should be good to go.

[Monviech]

Yeah the tutorial does imply some knowledge about how the domain name system works, and that you need your own domains and stuff.

But it's hard to make it clearer cause at some point you just have to assume a certain level of knowledge, or you have to start with adam and eve in these tutorials.

Happy you understood whats not working and how to fix it. 

[Aergernis]

It depends on the provider, all of them are different, and all of the modules are written by different people so they do not all share the same featureset.

Best go to https://github.com/caddy-dns and find the provider you are using and open an issue where you also share part of your caddyfile.

The problem with the IONOS DNS Plugin is fixed and working as it should when "Update only" is selected. See Issue: https://github.com/caddy-dns/ionos/issues/7

Will caddy will be updated automaticly in near future by OPNSense or do i have to stick with my own build? Not sure how it works.

[Monviech]

Thanks for taking care of it.

I'll update the build for the next os-caddy version (1.6.3).

The build works like this:

https://github.com/opnsense/tools/blob/a1c883deffd29c15588e852f7a143bea04d7214a/config/24.7/make.conf#L97

The commit hashes are updated manually every once in a while to keep the build reproducible.

[Monviech]

Im still waiting for another module to get an update so I won't update the dependencies for this minor version since I want to do it in one swoop.

I gonna try again for os-caddy-1.6.4.

[W0nderW0lf]

no one cares...
<delete me>

[Aergernis]

I gonna try again for os-caddy-1.6.4.

Is the IONOS Patch included in 1.6.4?

Never mind. Thought i've seen 1.6.4 but it's 1.6.3_1

[Monviech]

@Aergernis

I have updated the build though, so just go to packages and press "reinstall" on "caddy-custom". The ionos patch should be included then.

https://github.com/opnsense/tools/pull/429

@W0nderW0lf

I did not know an answer there, best go to https://caddy.community.

[Baender]

I have allowed ports 80 and 443 on both WAN and LAN for Caddy. If I now set a subdomain in Caddy for a LAN application: https://foo.example.com:8843, do I then have to allow the port on WAN and on LAN or is LAN sufficient? The application should not be accessible from the Internet.

[Monviech]

Just LAN will be enough I think.

[Calimarina]

Do you have any advice on how I can get wordpress working. I have Caddy working with these domains except wp.domain.org:
        
kuma.domain.org
unraid.domain.org
proxmox.domain.org
portainer.domain.org
wp.domain.org

All of them Kuma, unRaid, Proxmox, and Portainer come up with no problem. Certificates working as well. Except for Wordpress. Kuma, Portainer and Wordpress are all docker containers. When I try to load Wordpress I get a, "Bad gateway Error code 502" from Cloudflare. I just don't understand why all the others work, but WordPress doesn't. Any advise would be greatly appreciated.

I get these two errors from Caddy. I took out my IP's and replaced it with DOMAIN for this message:

"error","ts":"2024-09-10T20:59:47Z","logger":"http.log.access","msg":"handled request","request":{"remote_ip":"DOMAIN","remote_port":"62058","client_ip":"DOMAIN","proto":"HTTP/2.0","method":"GET","host":"DOMAIN","uri":"/","headers":{"Accept-Language":["en-US,en;q=0.5"],"Sec-Fetch-User":["?1"],"X-Forwarded-Proto":["https"],"Cf-Ipcountry":["US"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8"],"X-Forwarded-For":["DOMAIN"],"Priority":["u=0, i"],"Accept-Encoding":["gzip, br"],"Sec-Fetch-Site":["none"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"Upgrade-Insecure-Requests":["1"],"Cdn-Loop":["cloudflare; loops=1"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0"],"Cf-Ray":["8c1257f16b642863"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-Dest":["document"],"Sec-Gpc":["1"],"Cf-Connecting-Ip":["DOMAIN"],"Dnt":["1"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"DOMAIN"}},"bytes_read":0,"user_id":"","duration":3.011785027,"size":0,"status":502,"resp_headers":{"Server":["Caddy"],"Alt-Svc":["h3=\":443\"; ma=2592000"]}}

"error","ts":"2024-09-10T20:59:47Z","logger":"http.log.error","msg":"dial tcp 10.10.72.10:8189: i/o timeout","request":{"remote_ip":"DOMAIN","remote_port":"62058","client_ip":"DOMAIN","proto":"HTTP/2.0","method":"GET","host":"DOMAIN","uri":"/","headers":{"X-Forwarded-Proto":["https"],"Cf-Ipcountry":["US"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8"],"Accept-Language":["en-US,en;q=0.5"],"Sec-Fetch-User":["?1"],"X-Forwarded-For":["DOMAIN"],"Priority":["u=0, i"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"Upgrade-Insecure-Requests":["1"],"Cdn-Loop":["cloudflare; loops=1"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0"],"Accept-Encoding":["gzip, br"],"Sec-Fetch-Site":["none"],"Sec-Fetch-Dest":["document"],"Sec-Gpc":["1"],"Cf-Connecting-Ip":["DOMAIN"],"Dnt":["1"],"Cf-Ray":["8c1257f16b642863"],"Sec-Fetch-Mode":["navigate"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"DOMAIN"}},"duration":3.011785027,"status":502,"err_id":"hydwhx7fz","err_trace":"reverseproxy.statusError (reverseproxy.go:1269)"}

[Monviech]

Hey. The log states that caddy is unable to connect to
dial tcp 10.10.72.10:8189: i/o timeout

Its a Layer 3 Problem. Maybe a typo? Or the host has a firewall rule that denies access from the IP Caddy comes from? It must be a network problem.

https://caddy.community/t/log-i-o-timeout-meaning/20048