
Failing to set up Caddy reverse proxy for emby ssl


Gregls
Solved by pwhodges

Gregls

What I have done so far,

  1. I have a domain name purchased from Namecheap; I'll call it <mydomain>.
  2. I used Namecheap's DDNS on my Emby server, which creates an A record on the domain.
    1. For whatever reason, I had to use www.<mydomain>.com. I don't know why, but I had to add the www to get it to work; I had also tried @<mydomain>.com but it would never update.
    2. I have let this run for a week, so everything should be updated and ready to go.
  3. On my router I forwarded ports 80 and 443 to the Emby server.
    1. With my particular router I can't figure out a way to permit it through the firewall, but my test has the firewall turned off so I don't think it is causing the issue.
  4. Emby's settings
    1. local http 8096, https 8920
    2. public http 80, https 443
    3. allow remote is checked
  5. Caddy v2
    1. I downloaded the zip and unzipped it in the root directory. Created the extension-less "Caddyfile"; its contents are,
        {
            email <mygmail>@gmail.com
        }

        www.<mydomain>.com {
            reverse_proxy http://192.168.0.18:80
        }

        1. I know I can use localhost instead of the IP, this should work though because I know it's internal IP and I have it set to not change as I use it to connect using RDP.

  6. Running everything

    1. I use command prompt and navigate to the Caddy directory

    2. with the router's firewall on and the server's firewall off, I run caddy run

        C:\Caddy>caddy run
        2020/06/21 14:46:17.402 INFO   using adjacent Caddyfile
        2020/06/21 14:46:17.413 INFO   admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
        2020/06/21 08:46:17 [INFO][cache:0xc0005ff7c0] Started certificate maintenance routine
        2020/06/21 14:46:17.415 INFO   http    server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
        2020/06/21 14:46:17.415 INFO   http    enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
        2020/06/21 14:46:17.418 INFO   tls     cleaned up storage units
        2020/06/21 14:46:17.418 INFO   http    enabling automatic TLS certificate management   {"domains": ["www.<mydomain>.com"]}
        2020/06/21 08:46:17 [INFO][www.<mydomain>.com] Obtain certificate; acquiring lock...
        2020/06/21 14:46:17.425 INFO   autosaved config        {"file": "C:\\Users\\<myuser>\\AppData\\Roaming\\Caddy\\autosave.json"}
        2020/06/21 14:46:17.428 INFO   serving initial configuration
        2020/06/21 08:46:17 [INFO][www.<mydomain>.com] Obtain: Lock acquired; proceeding...
        2020/06/21 08:46:17 [INFO][www.<mydomain>.com] Waiting on rate limiter...
        2020/06/21 08:46:17 [INFO][www.<mydomain>.com] Done waiting
        2020/06/21 08:46:17 [INFO] [www.<mydomain>.com] acme: Obtaining bundled SAN certificate given a CSR
        2020/06/21 08:46:18 [INFO] [www.<mydomain>.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5387022605
        2020/06/21 08:46:18 [INFO] [www.<mydomain>.com] acme: Could not find solver for: tls-alpn-01
        2020/06/21 08:46:18 [INFO] [www.<mydomain>.com] acme: use http-01 solver
        2020/06/21 08:46:18 [INFO] [www.<mydomain>.com] acme: Trying to solve HTTP-01
        2020/06/21 08:46:25 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5387022605
        2020/06/21 08:46:25 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5387022605
        2020/06/21 08:46:25 [ERROR] acme: Error -> One or more domains had a problem:
        [www.<mydomain>.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://www.<mydomain>.com/.well-known/acme-challenge/P-jvWvwSBjkK_9PQepBe5puAo_TLpsdonnZVunocu-I: Connection reset by peer, url:
         (challenge=http-01 remaining=[tls-alpn-01])
        2020/06/21 08:46:27 [INFO] [www.<mydomain>.com] acme: Obtaining bundled SAN certificate given a CSR
        2020/06/21 08:46:27 [INFO] [www.<mydomain>.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5387024673
        2020/06/21 08:46:27 [INFO] [www.<mydomain>.com] acme: use tls-alpn-01 solver
        2020/06/21 08:46:27 [INFO] [www.<mydomain>.com] acme: Trying to solve TLS-ALPN-01
        2020/06/21 08:46:28 http: TLS handshake error from 127.0.0.1:61875: EOF
        2020/06/21 08:46:28 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5387024673
        2020/06/21 08:46:28 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5387024673
        2020/06/21 08:46:28 [ERROR] acme: Error -> One or more domains had a problem:
        [www.<mydomain>.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Connection refused, url:
         (challenge=tls-alpn-01 remaining=[])
        2020/06/21 08:46:30 [ERROR] attempt 1: [www.<mydomain>.com] Obtain: [www.<mydomain>.com] acme: Error -> One or more domains had a problem:
        [www.<mydomain>.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Connection refused, url:
         - retrying in 1m0s (13.0492981s/720h0m0s elapsed)...
        2020/06/21 14:46:34.960 INFO   shutting down   {"signal": "SIGINT"}
        2020/06/21 08:46:34 [INFO][cache:0xc0005ff7c0] Stopped certificate maintenance routine
        2020/06/21 08:46:34 [INFO][www.<mydomain>.com] Obtain: Releasing lock
        2020/06/21 14:46:34.963 INFO   shutdown done   {"signal": "SIGINT"}

    3. with both the router's and the Caddy server's firewalls off, I run Caddy and it does this,

        C:\Caddy>caddy run
        2020/06/21 14:47:55.788 INFO   using adjacent Caddyfile
        2020/06/21 14:47:55.794 INFO   admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
        2020/06/21 14:47:55.795 INFO   http    server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
        2020/06/21 14:47:55.795 INFO   http    enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
        2020/06/21 08:47:55 [INFO][cache:0xc0002e3b80] Started certificate maintenance routine
        2020/06/21 14:47:55.796 INFO   http    enabling automatic TLS certificate management   {"domains": ["www.<mydomain>.com"]}
        2020/06/21 14:47:55.797 INFO   tls     cleaned up storage units
        2020/06/21 14:47:55.798 INFO   autosaved config        {"file": "C:\\Users\\<myuser>\\AppData\\Roaming\\Caddy\\autosave.json"}
        2020/06/21 14:47:55.799 INFO   serving initial configuration
        2020/06/21 08:47:55 [INFO][www.<mydomain>.com] Obtain certificate; acquiring lock...
        2020/06/21 08:47:55 [INFO][www.<mydomain>.com] Obtain: Lock acquired; proceeding...
        2020/06/21 08:47:55 [INFO][www.<mydomain>.com] Waiting on rate limiter...
        2020/06/21 08:47:55 [INFO][www.<mydomain>.com] Done waiting
        2020/06/21 08:47:55 [INFO] [www.<mydomain>.com] acme: Obtaining bundled SAN certificate given a CSR
        2020/06/21 08:47:56 [INFO] [www.<mydomain>.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5387042878
        2020/06/21 08:47:56 [INFO] [www.<mydomain>.com] acme: Could not find solver for: tls-alpn-01
        2020/06/21 08:47:56 [INFO] [www.<mydomain>.com] acme: use http-01 solver
        2020/06/21 08:47:56 [INFO] [www.<mydomain>.com] acme: Trying to solve HTTP-01
        2020/06/21 08:48:03 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5387042878
        2020/06/21 08:48:03 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5387042878
        2020/06/21 08:48:03 [ERROR] acme: Error -> One or more domains had a problem:
        [www.<mydomain>.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://www.<mydomain>.com/.well-known/acme-challenge/fZqo0DmEmVjo9sElqDlmfJv6r_y50shAJ87QeOgb_rE: Connection reset by peer, url:
         (challenge=http-01 remaining=[tls-alpn-01])
        2020/06/21 08:48:05 [INFO] [www.<mydomain>.com] acme: Obtaining bundled SAN certificate given a CSR
        2020/06/21 08:48:06 [INFO] [www.<mydomain>.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5387045568
        2020/06/21 08:48:06 [INFO] [www.<mydomain>.com] acme: use tls-alpn-01 solver
        2020/06/21 08:48:06 [INFO] [www.<mydomain>.com] acme: Trying to solve TLS-ALPN-01
        2020/06/21 08:48:06 http: TLS handshake error from 127.0.0.1:62306: EOF
        2020/06/21 08:48:11 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5387045568
        2020/06/21 08:48:11 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5387045568
        2020/06/21 08:48:11 [ERROR] acme: Error -> One or more domains had a problem:
        [www.<mydomain>.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Connection refused, url:
         (challenge=tls-alpn-01 remaining=[])
        2020/06/21 08:48:13 [ERROR] attempt 1: [www.<mydomain>.com] Obtain: [www.<mydomain>.com] acme: Error -> One or more domains had a problem:
        [www.<mydomain>.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Connection refused, url:
         - retrying in 1m0s (17.8656781s/720h0m0s elapsed)...
        2020/06/21 14:48:24.865 INFO   shutting down   {"signal": "SIGINT"}
        2020/06/21 08:48:24 [INFO][cache:0xc0002e3b80] Stopped certificate maintenance routine
        2020/06/21 08:48:24 [INFO][www.<mydomain>.com] Obtain: Releasing lock
        2020/06/21 14:48:24.867 INFO   shutdown done   {"signal": "SIGINT"}

 

The Emby server is running Windows Server 2019; like a lot of servers it doesn't have any additional antivirus or firewall beyond Windows Defender. This is what I am referring to when I say in the test that the firewall is turned off. Both Private and Public network settings are set to 'Turn off Windows Defender Firewall'.

Any help with why this isn't working would be appreciated. If I left out anything that is important please let me know. I am unfamiliar with all of this so if I didn't mention it I almost certainly didn't do it.


pwhodges

Leave Emby on its default port of 8096 and specify this in the proxying from Caddy; then Caddy is doing the forwarding from port 80 to port 8096 that some people do in the router. If you change Emby to port 80, then you have a conflict between two programs (Caddy and Emby) wanting to use the same port, and nothing will work.

Paul


Gregls

Ok,

I changed my caddy file to this,

{
    email <mygmail>@gmail.com
}


www.<mydomain>.com {
    reverse_proxy http://192.168.0.18:8086
}

 

and changed my Emby external ports to

public http=8096, public https=8920

 

Something I forgot to mention earlier... I have 'Secure connection mode:' set to Handled by reverse proxy.

Restarted the Emby server after making the change and disabled both the router's and the Emby server's firewalls.

When I run caddy it does this,

C:\Caddy>caddy run
2020/06/21 20:50:54.476 INFO   using adjacent Caddyfile
2020/06/21 20:50:54.482 INFO   admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
2020/06/21 20:50:54.483 INFO   http    server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2020/06/21 20:50:54.483 INFO   http    enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2020/06/21 14:50:54 [INFO][cache:0xc000612870] Started certificate maintenance routine
2020/06/21 20:50:54.484 INFO   tls     cleaned up storage units
2020/06/21 20:50:54.484 INFO   http    enabling automatic TLS certificate management   {"domains": ["www.<mydomain>.com"]}
2020/06/21 20:50:54.485 INFO   autosaved config        {"file": "C:\\Users\\<myuser>\\AppData\\Roaming\\Caddy\\autosave.json"}
2020/06/21 20:50:54.485 INFO   serving initial configuration
2020/06/21 14:50:54 [INFO][www.<mydomain>.com] Obtain certificate; acquiring lock...
2020/06/21 14:50:54 [INFO][www.<mydomain>.com] Obtain: Lock acquired; proceeding...
2020/06/21 14:50:55 [INFO][www.<mydomain>.com] Waiting on rate limiter...
2020/06/21 14:50:55 [INFO][www.<mydomain>.com] Done waiting
2020/06/21 14:50:55 [INFO] [www.<mydomain>.com] acme: Obtaining bundled SAN certificate given a CSR
2020/06/21 14:50:55 [INFO] [www.<mydomain>.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5392302097
2020/06/21 14:50:55 [INFO] [www.<mydomain>.com] acme: use tls-alpn-01 solver
2020/06/21 14:50:55 [INFO] [www.<mydomain>.com] acme: Trying to solve TLS-ALPN-01
2020/06/21 14:50:55 http: TLS handshake error from 127.0.0.1:52116: EOF
2020/06/21 14:50:56 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5392302097
2020/06/21 14:50:56 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5392302097
2020/06/21 14:50:56 [ERROR] acme: Error -> One or more domains had a problem:
[www.<mydomain>.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Connection refused, url:
 (challenge=tls-alpn-01 remaining=[http-01])
2020/06/21 14:50:58 [INFO] [www.<mydomain>.com] acme: Obtaining bundled SAN certificate given a CSR
2020/06/21 14:50:58 [INFO] [www.<mydomain>.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5392302762
2020/06/21 14:50:58 [INFO] [www.<mydomain>.com] acme: Could not find solver for: tls-alpn-01
2020/06/21 14:50:58 [INFO] [www.<mydomain>.com] acme: use http-01 solver
2020/06/21 14:50:58 [INFO] [www.<mydomain>.com] acme: Trying to solve HTTP-01
2020/06/21 14:50:59 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5392302762
2020/06/21 14:50:59 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5392302762
2020/06/21 14:50:59 [ERROR] acme: Error -> One or more domains had a problem:
[www.<mydomain>.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://www.<mydomain>.com/.well-known/acme-challenge/jI6d16-AWvTQufh94KfY1vRbyD48e3W31BinDLuxUGc: Connection reset by peer, url:
 (challenge=http-01 remaining=[])
2020/06/21 14:51:01 [ERROR] attempt 1: [www.<mydomain>.com] Obtain: [www.<mydomain>.com] acme: Error -> One or more domains had a problem:
[www.<mydomain>.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://www.<mydomain>.com/.well-known/acme-challenge/jI6d16-AWvTQufh94KfY1vRbyD48e3W31BinDLuxUGc: Connection reset by peer, url:
 - retrying in 1m0s (6.6651693s/720h0m0s elapsed)...

 


pwhodges

The message " http server is listening only on the HTTPS port" suggests that port 80 is not getting through your router to Caddy.  Have you checked that both ports 80 and 443 are visible through your router?  You seemed uncertain about the firewall...

Caddy requires port 80 open for the certificate negotiation, but subsequently redirects it to 443, so there's no loss of security.

Paul


Gregls

Ok,

With the firewall disabled on both the router and the server, and port forwarding set up to allow any external IP, online tools such as whatsmyip's port scanner say the port is closed. I spoke with CenturyLink for 2 hours and they say that they don't block any ports besides 25. I specifically mentioned 80 and 443. By the end of the call they were saying it has to be an issue with whatever service I'm trying to use, that the ports are definitely open, even though port checking sites like 'whats my ip' are saying that it's closed. The router is a Zyxel C3000Z. They were at least able to confirm that the firewall bit on this router is being done the correct way (that I have allowed it through and that I am turning it off as a test correctly as well...)

Tonight after work I'll play around to see if I can't come up with a way to determine exactly where the port is being blocked/failing. Thanks for all the help so far. 

 


Gregls

Ok, I am finally back.

While I have Caddy running the port checking tools show both 80 and 443 as open, I have learned that it has to literally be running when the port check is done. At this point I have it working even with firewall turned on both on the router and on the server itself.

"Success!   I can see your service on 67.2.49.197 on port (80)
Your ISP/Router/Firewall is not blocking port 80. "

that is with using www.portchecktool.com

However I still get this,

2020/06/26 17:01:48 [INFO] [www.<mydomain>.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5496855493
2020/06/26 17:01:48 [INFO] [www.<mydomain>.com] acme: use tls-alpn-01 solver
2020/06/26 17:01:48 [INFO] [www.<mydomain>.com] acme: Trying to solve TLS-ALPN-01
2020/06/26 17:01:48 http: TLS handshake error from 127.0.0.1:49981: EOF
2020/06/26 17:01:53 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5496855493
2020/06/26 17:01:53 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5496855493
2020/06/26 17:01:53 [ERROR] acme: Error -> One or more domains had a problem:
[www.<mydomain>.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Connection refused, url:
 (challenge=tls-alpn-01 remaining=[http-01])
2020/06/26 17:01:55 [INFO] [www.<mydomain>.com] acme: Obtaining bundled SAN certificate given a CSR
2020/06/26 17:01:56 [INFO] [www.<mydomain>.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5496857235
2020/06/26 17:01:56 [INFO] [www.<mydomain>.com] acme: Could not find solver for: tls-alpn-01
2020/06/26 17:01:56 [INFO] [www.<mydomain>.com] acme: use http-01 solver
2020/06/26 17:01:56 [INFO] [www.<mydomain>.com] acme: Trying to solve HTTP-01
2020/06/26 17:01:56 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5496857235
2020/06/26 17:01:56 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5496857235
2020/06/26 17:01:56 [ERROR] acme: Error -> One or more domains had a problem:
[www.<mydomain>.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://www.<mydomain>.com/.well-known/acme-challenge/PlPZL_6Rw1DS6dzZpLgejGMGA0cZulXvz8JKQd_VEuI: Connection reset by peer, url:
 (challenge=http-01 remaining=[])
2020/06/26 17:01:58 [ERROR] attempt 1: [www.<mydomain>.com] Obtain: [www.<mydomain>.com] acme: Error -> One or more domains had a problem:
[www.<mydomain>.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://www.<mydomain>.com/.well-known/acme-challenge/PlPZL_6Rw1DS6dzZpLgejGMGA0cZulXvz8JKQd_VEuI: Connection reset by peer, url:
 - retrying in 1m0s (11.6712211s/720h0m0s elapsed)...
2020/06/26 17:02:11 http: TLS handshake error from 8.23.224.110:4377: EOF
2020/06/26 23:02:36.969 INFO   shutting down   {"signal": "SIGINT"}
2020/06/26 17:02:36 [INFO][www.<mydomain>.com] Obtain: Releasing lock
2020/06/26 17:02:36 [INFO][cache:0xc0007cd630] Stopped certificate maintenance routine
2020/06/26 23:02:36.970 INFO   shutdown done   {"signal": "SIGINT"}

------------------------------------------------

Since I don't know what I'm doing, it's important to note that if I didn't state it, I didn't do it. Any ideas as to what I am missing to get this to work?


pwhodges

Can we see your Caddyfile (or whichever form of config you have used), please?  Or is it still exactly as above?

And can you positively confirm that your domain's www record is pointing to your correct external address?  (At a command line, type "nslookup www.domain.ext" and you should be shown what address the outside world is being sent to.)

Paul


Gregls

Hi, absolutely

The extension-less caddyfile has this,

 

{
    email <myemail>@gmail.com
}


www.<mydomain>.com {
    reverse_proxy http://192.168.0.18:8096
}

 

the <myemail> has my actual gmail address

the <mydomain> has my actual domain's name. I am using the whole 'www.' part because the only way I got the auto A record using 

192.168.0.18 is always my server's internal IP. I have it set up so it doesn't change and I connect often using the IP from my desktop.

Both ports 443 and 80 are forwarded in the router. I am confident this part is all done, as when Caddy is running the sites say that yes, it is open. Namecheap's DDNS client was with it. I tried using @<domain>.com but it would never update. I am also not familiar enough with domains to know how to make a subdomain (assuming that is even possible without paying extra).

for Emby's settings I have, 

 

NETWORK

LAN networks: <blank>

Local IP addresses: <blank>

Local http port: 8096

Local https port: 8920

allow remote connections: checked

remote IP address filter: <blank>

Remote IP address filter mode: whitelist

Public http: 8096

Public https:8920

External domain: <blank>

custom ssl certificate path: <blank>

Secure connection mode: Handled by reverse proxy

Enable automatic port mapping: unchecked

 

If I left anything out that is needed please let me know. Thanks for all of the help so far.


On 6/21/2020 at 4:58 PM, Gregls said:

www.<mydomain>.com {
    reverse_proxy http://192.168.0.18:8086
}

 

and changes my emby external ports to

public http=8096, public https=8920

8086 is the wrong port. Should be 8096


pwhodges

I don't see anything wrong with a quick look - but I am not familiar with the details of Caddy's error messages, because I never see them!

I suggest simplifying things even more by trying the command-line version in my example post.

I'll look further into your error messages tomorrow (I'm afraid it's bedtime here right now...)

Paul


Gregls

Reading that example post, I wonder if the issue is that my domain "isn't set up yet":

"That's nothing to do with Caddy, nor Emby. The domain "jgcmedia.net" is not yet set up! Assuming you've bought that domain (it's less than a month old, if I read it right), you have missed the step where you configure it, telling it your IP address, where you want mail sent, and so on."

I certainly don't have any kind of mail set up. The only ways I can figure out to set up email seem to cost $6/mo. It has options like email forwarding and MXE records but I don't see how to actually use those. Namecheap's instructions are useless unless you already know what you are doing lol. Although, if mail is required somehow, maybe that's what's wrong. I see in your instructions you have <email>@domain a lot. Does it have to be somehow connected to the domain you are trying to use? My current <email>@gmail is simply my gmail and certainly isn't connected to my domain in any way.

Have you checked your caddy setup of the port?  I posted a few messages above that your setup had the wrong port listed.

It's not port 8086 but port 8096

Can you confirm the ports are set correctly?


  • Solution
pwhodges

It doesn't matter where your email goes, so you don't need to set up mail handling for your domain; for this purpose you only need to have the A-record set up so that using your domain name points to your address correctly.  Commonly you would set up A-records for www and for @ (which is equivalent to simply not using anything in front of your domain name).  At a command line, type "nslookup <mydomain>.com" and see if it lists your domain correctly; then the same with "nslookup www.<mydomain>.com", or whatever name you've chosen to use.  If you don't see the correct address listed, then LetsEncrypt will not be able to contact Caddy to confirm the certificate would be valid.

Let's take a step back, and remove Caddy from the equation for a moment.  Stop Caddy, and set forwarding on your router to pass port 80 to port 8096 on your Emby machine.  Can you access Emby from outside now, using your IP address or using your domain name?

The other thing I noted is that you mention DDNS at one point.  I have no experience of this, but doesn't it require a client to be running for the DNS to know your address?

Paul

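The check Paul describes above (compare what nslookup returns for each name in the Caddyfile with the server's real external address) can be scripted. This is an added example, not code from the thread, Caddy or Emby; the domain names, transcripts and the 203.0.113.7 public address are constructed to mirror the thread's three lookups, and live_lookup is a hypothetical helper for running the same classification against the system resolver.

```python
"""Pre-flight DNS check for the site names Caddy will request certificates for.

Let's Encrypt connects to whatever address each name resolves to, so a name
that points somewhere else (or nowhere) fails the HTTP-01 / TLS-ALPN-01
challenge with "connection refused" or "connection reset", exactly as in
the thread's logs. Run this before starting Caddy.
"""
import re
import socket

IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# A Caddyfile site block starts with a host name followed by "{"; the bare "{"
# of the global options block has no host and is not matched.
SITE_RE = re.compile(r"^[ \t]*([A-Za-z0-9][A-Za-z0-9.-]*\.[A-Za-z]{2,})[ \t]*\{", re.M)


def caddyfile_sites(text):
    """Return the host names of all site blocks in a Caddyfile."""
    return SITE_RE.findall(text)


def parse_nslookup(output):
    """Extract (answered name, [addresses]) from a Windows nslookup transcript.

    The leading Server:/Address: pair describes the resolver that was asked
    (the router at 192.168.0.1 in the thread) and is skipped; only lines after
    "Name:" belong to the answer, including indented continuation addresses.
    """
    name, addrs, in_answer = None, [], False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Name:"):
            name = line.split(":", 1)[1].strip()
            in_answer = True
        elif in_answer and line.startswith(("Address:", "Addresses:")):
            addrs.extend(IP_RE.findall(line))
        elif in_answer and IP_RE.fullmatch(line):
            addrs.append(line)
    return name, addrs


def classify(queried, answered, addrs, public_ip):
    """Judge whether a DNS answer lets an ACME challenge reach this server.

    wrong-name:    the resolver answered for a different name (a local search
                   suffix such as ".Home" was appended), so the exact name
                   has no usable record of its own.
    no-record:     the name exists but carries no address.
    wrong-address: it resolves, but not solely to this server's public IP.
    ok:            exactly this server's public IP.
    """
    if answered and answered.rstrip(".").lower() != queried.lower():
        return "wrong-name"
    if not addrs:
        return "no-record"
    if addrs == [public_ip]:
        return "ok"
    return "wrong-address"


def preflight(caddyfile, lookups, public_ip):
    """Map each Caddyfile site name to its classification.

    lookups: {host: nslookup transcript}; a missing host counts as no answer.
    """
    report = {}
    for host in caddyfile_sites(caddyfile):
        answered, addrs = parse_nslookup(lookups.get(host, ""))
        report[host] = classify(host, answered, addrs, public_ip)
    return report


def live_lookup(host):
    """Hypothetical helper: resolve with the system resolver, same shape as parse_nslookup."""
    try:
        _, _, addrs = socket.gethostbyname_ex(host)
    except socket.gaierror:
        return host, []
    return host, sorted(set(addrs))


# Constructed sample data (placeholder names and addresses, not the thread's real values).
PUBLIC_IP = "203.0.113.7"
SAMPLE_CADDYFILE = """{
    email someone@example.com
}

www.example.com {
    reverse_proxy http://192.168.0.18:8096
}

emby.example.com {
    reverse_proxy http://192.168.0.18:8096
}
"""
SAMPLE_LOOKUPS = {
    # Answer is for "www.example.com.Home", not the name asked for.
    "www.example.com": r"""C:\Users\user>nslookup www.example.com
Server:  modem.Home
Address:  192.168.0.1

Non-authoritative answer:
Name:    www.example.com.Home
Addresses:  198.105.244.23
          198.105.254.23
""",
    # Name exists but no address is returned.
    "example.com": r"""C:\Users\user>nslookup example.com
Server:  modem.Home
Address:  192.168.0.1

Name:    example.com
""",
    # Resolves to the server's public address.
    "emby.example.com": r"""C:\Users\user>nslookup emby.example.com
Server:  modem.Home
Address:  192.168.0.1

Non-authoritative answer:
Name:    emby.example.com
Address:  203.0.113.7
""",
}

if __name__ == "__main__":
    for host, status in preflight(SAMPLE_CADDYFILE, SAMPLE_LOOKUPS, PUBLIC_IP).items():
        print(f"{host}: {status}")
```

Only a name reported as ok is worth putting in the Caddyfile; anything else will fail the challenge no matter how the router and firewalls are configured.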

BAlGaInTl

Out of curiosity.... what do you see if you go to www.<mydomain>.com in a browser?

Do you just get an error?  Or do you see some type of static page from Namecheap?

That would let you know if what @pwhodges is saying still needs to be done.


Gregls

Ok,

The 8086 thing was a misprint in the forum only. The actual file did get changed to 8096.

 

what do you see if you go to www.<mydomain>.com in a browser?

2020 Copyright. All Rights Reserved.

The Sponsored Listings displayed above are served automatically by a third party. Neither Parkingcrew nor the domain owner maintain any relationship with the advertisers.

Privacy Policy

nslookup from the emby server gives me this

C:\Users\<myuser>>nslookup <mydomain>.com
Server:  modem.Home
Address:  192.168.0.1

Name:    <mydomain>.com

 

C:\Users\<myuser>>nslookup www.<mydomain>.com
Server:  modem.Home
Address:  192.168.0.1

Non-authoritative answer:
Name:    www.<mydomain>.com.Home
Addresses:  198.105.244.23
          198.105.254.23

I assume 192.168.0.1 is a reference to my router. Both of the 198.x IP addresses I do not recognize at all.

 

DDNS

Namecheap's DDNS client actively runs on the emby server, it updates an A record on the domain automatically with my external IP. It does this for www.<mydomain>.com. I have tried to do it with @<mydomain>.com but that never updates. When I log into the domain it does show the A record with my correct external IP listed.

 

Stop Caddy, and set forwarding on your router to pass port 80 to port 8096 on your Emby machine?

do you mean to forward port 80 external to port 8096 internal? If so, my router is Centurylink's junky C3000Z. It only forwards a port or range of ports to a certain machine. It doesn't have functionality to change the port within the router itself, only to pass it on.

What I did for a test instead is i changed

'Public http port' to 80

I entered 'external domain' as www.<mydomain>.com

changed 'secure connection mode' to disabled

 

then, on the Emby app while on LTE (wifi off), I put in www.<mydomain>.com, port 80

when I clicked connect it says connection failure.

I changed the domain to http://www.<mydomain>.com left it with port 80

still says connection failure

put in my external IP and port 80

connection failure

changed the port in the app to connect to the internal one, 8096

www.<mydomain>.com, http://<mydomain>.com, <mydomain>.com, and my external IP. 

none of which connected successfully.

went to the router and forwarded port 8096 to the emby server

using external IP it gives me option to sign in,

www.<mydomain>.com, http://www.<mydomain>.com,  and <mydomain>.com none of them connect

================================================

Even though I have no idea what I'm doing, I have the sneaking suspicion my domain is not working to point to my address.

I turned off the DDNS and shut it down on the domain side.

I removed the CNAME record on my domain that it came with, with the value of parkingpage.namecheap.com

I added 2 A Records, one with host 'www' a second with host '@' both are pointing to my public IP address. It has a TTL of 30min so I will get back on in 2-3 hours to do some troubleshooting.


Gregls

YAY progress!!!!!

What I learned is my www.<mydomain>.com NEVER points to my IP correctly. I made 3 A names: www, @ and emby.

These were my results,

C:\Users\<myuser>>nslookup www.<mydomain>.com
Server:  modem.Home
Address:  192.168.0.1

Non-authoritative answer:
Name:    www.lachdanan.com.Home
Addresses:  198.105.244.23
          198.105.254.23


C:\Users\<myuser>>nslookup <mydomain>.com
Server:  modem.Home
Address:  192.168.0.1

Non-authoritative answer:
Name:    <mydomain>.com
Address:  <my external IP>


C:\Users\<myuser>>nslookup emby.<mydomain>.com
Server:  modem.Home
Address:  192.168.0.1

Non-authoritative answer:
Name:    emby.<mydomain>.com
Address:  <my external IP>


Since they displayed my external IP I put emby back to the way it's supposed to be for remote proxy. I changed my caddy file to emby.<mydomain>.com and when I ran it I got this,

C:\Caddy>caddy run
2020/06/30 03:16:55.948 INFO   using adjacent Caddyfile
2020/06/30 03:16:55.957 INFO   admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
2020/06/29 21:16:55 [INFO][cache:0xc000609720] Started certificate maintenance routine
2020/06/30 03:16:55.960 INFO   http    server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2020/06/30 03:16:55.960 INFO   http    enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2020/06/30 03:16:55.962 INFO   tls     cleaned up storage units
2020/06/30 03:16:55.963 INFO   http    enabling automatic TLS certificate management   {"domains": ["emby.<mydomain>.com"]}
2020/06/30 03:16:55.969 INFO   autosaved config        {"file": "C:\\Users\\<myuser>\\AppData\\Roaming\\Caddy\\autosave.json"}
2020/06/30 03:16:55.970 INFO   serving initial configuration
2020/06/29 21:16:55 [INFO][emby.<mydomain>.com] Obtain certificate; acquiring lock...
2020/06/29 21:16:55 [INFO][emby.<mydomain>.com] Obtain: Lock acquired; proceeding...
2020/06/29 21:16:56 [INFO][emby.<mydomain>.com] Waiting on rate limiter...
2020/06/29 21:16:56 [INFO][emby.<mydomain>.com] Done waiting
2020/06/29 21:16:56 [INFO] [emby.<mydomain>.com] acme: Obtaining bundled SAN certificate given a CSR
2020/06/29 21:16:56 [INFO] [emby.<mydomain>.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5564930094
2020/06/29 21:16:56 [INFO] [emby.<mydomain>.com] acme: use tls-alpn-01 solver
2020/06/29 21:16:56 [INFO] [emby.<mydomain>.com] acme: Trying to solve TLS-ALPN-01
2020/06/29 21:16:56 http: TLS handshake error from 127.0.0.1:54360: EOF
2020/06/29 21:16:57 [INFO][emby.<mydomain>.com] Served key authentication certificate (TLS-ALPN challenge)
2020/06/29 21:16:57 [INFO][emby.<mydomain>.com] Served key authentication certificate (TLS-ALPN challenge)
2020/06/29 21:16:57 [INFO][emby.<mydomain>.com] Served key authentication certificate (TLS-ALPN challenge)
2020/06/29 21:16:57 [INFO][emby.<mydomain>.com] Served key authentication certificate (TLS-ALPN challenge)
2020/06/29 21:17:00 [INFO] [emby.<mydomain>.com] The server validated our request
2020/06/29 21:17:00 [INFO] [emby.<mydomain>.com] acme: Validations succeeded; requesting certificates
2020/06/29 21:17:01 [INFO] [emby.<mydomain>.com] Server responded with a certificate.
2020/06/29 21:17:01 [INFO][emby.<mydomain>.com] Certificate obtained successfully
2020/06/29 21:17:01 [INFO][emby.<mydomain>.com] Obtain: Releasing lock

I then used my phone to connect to the server over LTE using emby.<mydomain>.com and my external port (set in the Emby program).

I think I am good now. My next steps will be to figure out how to get the DDNS to work with something besides the www host, as it apparently refuses to actually point to my IP.


Nice.  Isn't it wonderful (sort of) when it's something utterly simple?

Glad you got it figured out.

Is everything working as it should now?


jordy

Can I ask if you are running a VPN on the pc that runs the DDNS?

This happened to me because I always run a VPN on all my PCs, and to get it working properly I had to set up an old laptop without a VPN just to run the DDNS...

What IP do you see if you run www.whatismyIP.com? Is it the same as the one your router tells you? If you are running a VPN, www.whatismyip.com will give you the IP of the VPN server which is useless for incoming connections. The DDNS will send your VPN IP to your Domain.

Edited by jordy

pwhodges

Glad you're getting there!  Maybe NameCheap can give you some support on the working of their DDNS client.

The reason I like using Caddy for this sort of thing is that it's so simple.  The problem is always something else, not Caddy itself...

Paul


Gregls

I don't run a VPN.

From what I have figured out today, namecheap's DDNS is garbage.

It was originally working correctly with www.<mydomain>.com; however, I wasn't smart enough to realize the 'parking page' namecheap gives you by default was making it not work. That's what that weird IP I was getting from nslookup was: the parking page. I have since removed the parking page record and created 3 profiles in the DDNS client,

@, www, and emby

none of which have updated successfully on the domain side, even though I had www updating previously.

I went back to duckdns.org because I love them. I put their little client on the emby server then created a CNAME record on the domain that is like this

type: CNAME Record    Host: test    Value: <chosen name>.duckdns.org   TTL:Automatic

When I nslookup <chosen name>.duckdns.org it gives me my external IP, so I knew that part was working. I then gave the record a bit of time, and now when I nslookup test.<mydomain>.com it also shows my external IP.

The key with everything for me has been nslookup. It has been very tricky getting namecheap to play nice with a dynamic IP. I will let everything run for a couple of days to see if their client will start behaving. If it doesn't, I will probably just use duckdns because I already have that working. I think there are fewer steps if I get namecheap's method going, though. I believe the difference is:

namecheap DDNS creates an A record on the domain; the user goes to the domain and the domain gives my IP

with the duckdns method it's: the user goes to the domain, the domain points to the duckdns domain, the duckdns domain gives my IP

I believe there is an extra step in there and that I am dependent on both my domain and duckdns being up and working.
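The nslookup checks in the post above can be expressed as a small offline check: follow the CNAME from the registrar's zone to the duckdns host, confirm the final A record is exactly the current external address, and flag the two failure modes that bit the poster (a stale record still pointing at a parking page, and a chain that never reaches an A record). This is an added example written for this thread, not code from Caddy, duckdns or Namecheap; the record table, domain names and addresses are constructed placeholders (RFC 5737 test ranges).

```python
"""Offline check of a DDNS name's CNAME -> A chain.

Added example for this thread, not code from Caddy, duckdns or Namecheap.
The record table is constructed to mirror the setup in the post above:
a CNAME in the registrar's zone pointing at a duckdns host whose A record
should carry the home's current external address.
"""

MAX_CHAIN = 8  # stop following CNAMEs after this many hops

EXTERNAL_IP = "203.0.113.7"  # constructed: what "what is my IP" reports at home

RECORDS = {
    # registrar-side CNAME -> duckdns host, as in the post above
    "test.mydomain.example": ("CNAME", "chosen.duckdns.example"),
    "chosen.duckdns.example": ("A", [EXTERNAL_IP]),
    # an A record the DDNS client never updated: still the registrar's parking page
    "www.mydomain.example": ("A", ["198.51.100.10"]),
    # a misconfiguration: two CNAMEs pointing at each other
    "loop-a.mydomain.example": ("CNAME", "loop-b.mydomain.example"),
    "loop-b.mydomain.example": ("CNAME", "loop-a.mydomain.example"),
}


def _canon(name):
    """Lower-case and strip the trailing dot so lookups are case/dot insensitive."""
    return name.lower().rstrip(".")


def resolve_chain(records, name, max_chain=MAX_CHAIN):
    """Follow CNAMEs from `name` until an A record is reached.

    `records` maps FQDN -> ("CNAME", target) or ("A", [ip, ...]).
    Returns (chain, addresses, error); error is None on success.
    """
    chain = []
    current = _canon(name)
    while True:
        if current in chain:
            return chain + [current], [], "CNAME loop"
        chain.append(current)
        if len(chain) > max_chain:
            return chain, [], "CNAME chain too long"
        rr = records.get(current)
        if rr is None:
            return chain, [], "no record (NXDOMAIN)"
        rtype, data = rr
        if rtype == "CNAME":
            current = _canon(data)
        elif rtype == "A":
            return chain, list(data), None
        else:
            return chain, [], "unexpected record type %s" % rtype


def check_points_home(records, name, external_ip):
    """Report whether `name` ends up at exactly the expected external address."""
    chain, addrs, err = resolve_chain(records, name)
    if err:
        return {"name": name, "chain": chain, "ok": False, "reason": err}
    if addrs == [external_ip]:
        return {"name": name, "chain": chain, "ok": True, "reason": "points at external IP"}
    if external_ip in addrs:
        return {"name": name, "chain": chain, "ok": False,
                "reason": "extra A records besides the external IP: %s" % addrs}
    return {"name": name, "chain": chain, "ok": False,
            "reason": "points at %s, not the external IP (stale or parking record?)" % addrs}


if __name__ == "__main__":
    for host in ("test.mydomain.example", "www.mydomain.example",
                 "loop-a.mydomain.example", "emby.mydomain.example"):
        v = check_points_home(RECORDS, host, EXTERNAL_IP)
        print("%-26s %s  %s" % (host, "OK " if v["ok"] else "BAD", v["reason"]))
```

Against live DNS the same logic applies with the answers nslookup returns; the loop and depth guards matter there too, because a resolver that follows CNAMEs without a bound will happily chase a misconfigured zone forever.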


Gregls

I just learned how to get namecheap's DDNS to work. After letting it sit all day I decided to force a random IP on it instead of having it on auto-detect. This worked instantly. After setting it to a random IP I then changed it to auto detect and now that is working. Just some quirky behavior with it.


Gregls

Sorry kids, one last quirky issue.

I can access the Emby server beautifully from outside my network, e.g. with my phone on LTE. Both putting in https://<mydomain>.com and connecting with the app using the same address and port 443 connect perfectly every time.

However, I cannot connect to the Emby server at all from my own network. I can't successfully reach https://<mydomain>.com when I put it in any of my browsers, either on PC or phone. I have tried the domain name with ports 443, 80 and 8096, and the server's local IP address with 80, 443 and 8096.

It's amazing, and I'm super happy I can access it from outside my network flawlessly with my fancy little padlock in the browser. Is there a trick to connecting to it from within my network?


BAlGaInTl
9 hours ago, Gregls said:

Sorry kids, one last quirky issue.

I can access the Emby server beautifully from outside my network, e.g. with my phone on LTE. Both putting in https://<mydomain>.com and connecting with the app using the same address and port 443 connect perfectly every time.

However, I cannot connect to the Emby server at all from my own network. I can't successfully reach https://<mydomain>.com when I put it in any of my browsers, either on PC or phone. I have tried the domain name with ports 443, 80 and 8096, and the server's local IP address with 80, 443 and 8096.

It's amazing, and I'm super happy I can access it from outside my network flawlessly with my fancy little padlock in the browser. Is there a trick to connecting to it from within my network?

You should still be able to access it on your home network with http://ip.address:8096.

Whether your domain will work depends on other network settings.


pwhodges

Whether or not you can access your external address from within your network depends on your router, and whether it can do loopback (aka "hairpin" I believe).  I don't recall ever seeing a setting for this, so it's most likely simply a matter of what router you have - but maybe some have a setting for it.  My router (Draytek Vigor) has it as standard with no setting required or possible.

A possible solution for your desktop is to put the external name with the internal address into a "hosts" file; but that won't fix things for your phone.  You could have a browser bookmark for the internal address in the browser on your phone and use that when at home instead of the app.  But loopback is best if possible; I can go back and forth, in and out of my house, switching between wifi and 4G without a single glitch.

Of course, the padlock is not important when you are at home using your own server.

Paul

Edited by pwhodges
