Bagul 182 Posted February 9, 2023 Posted February 9, 2023 Hey ! For log you can do this (logging) { log { output file /logs/{args.0}.log { roll_size 10mb roll_keep 3 roll_keep_for 72h } format filter { wrap console fields { request>headers>Authorization delete } } } } emby.domain.com { import logging emby /* [...] */ } sonarr.domain.com { import logging sonarr /* [...] */ } radarr.domain.com { import logging radarr /* [...] */ } And you will have 3 separate log files for each reverse proxy 1 1
justinrh 259 Posted February 10, 2023 Posted February 10, 2023 On 2/9/2023 at 12:36 PM, Bagul said: And you will have 3 separate log files for each reverse proxy I couldn't get this to work. I'm using Windows. Is the syntax viable only for Linux or something? This block goes after the top-most block, I presume.
pwhodges 2012 Posted February 10, 2023 Author Posted February 10, 2023 Caddy syntax doesn't vary between systems (though note that this is only for Caddy v2 - anyone using v1 should know well by now that many features have changed). As it happens, I've never bothered with a snippet like this; but looking at the excellent Caddy documentation on snippets: https://caddyserver.com/docs/caddyfile/concepts#snippets suggests to me that the example above is missing quotes around the parameters of the imports. Paul
Bagul 182 Posted February 10, 2023 Posted February 10, 2023 1 hour ago, justinrh said: I couldn't get this to work. I'm using Windows. Is the syntax viable only for Linux or something? This block goes after the top-most block, I presume. The path for the output file directive has to be changed on your side, in my case only.But otherwise, it works for me. The snippet "(logging){}" must be outside a block 23 minutes ago, pwhodges said: Caddy syntax doesn't vary between systems (though note that this is only for Caddy v2 - anyone using v1 should know well by now that many features have changed). As it happens, I've never bothered with a snippet like this; but looking at the excellent Caddy documentation on snippets: https://caddyserver.com/docs/caddyfile/concepts#snippets suggests to me that the example above is missing quotes around the parameters of the imports. Paul I think in the example of the documentation the inverted commas are there because there are several words. I never put inverted commas.
Gecko 71 Posted March 15, 2023 Posted March 15, 2023 Small update about the Caddy Subject. I was running into issues while outside my home network on my iPhone. So I checked on my browser's dev tools why the heck I was having multiple seconds of delay before getting any response from Emby or even no response at all (Navigation through the list of thumbnails was really a pain with lot's of images not loading at all). Turns out (at least in the latest iOS's Safari), the protocol being used is http3 and not http2 anymore (since when? IDK). But this protocol introduce a lot of "lag" in every response I got though Caddy. So I tested by restricting the protocols to h1 and h2 only and the issue magically disappeared ! Like discussed before, http/1.1 is even a little bit faster than http2, so I went all the way down to restrict only h1 in my Caddyfile using the Global options block. { servers :80 { protocols h1 } servers :443 { protocols h1 } } Hope this help anyone having the same issue.
pwhodges 2012 Posted March 15, 2023 Author Posted March 15, 2023 (edited) Curious... Have you raised this on the Caddy forums? Do you keep up with the latest Caddy version? EDIT: I just tested using Safari on the iPhone (on the LAN, and also remotely), and I am getting no delays at all - it's working as crisply as I expect. Paul Edited March 15, 2023 by pwhodges
rbjtech 5284 Posted March 15, 2023 Posted March 15, 2023 (edited) Could be other end-end devices rejecting QUIC/UDP (what http3 uses) or putting them at lower priority, thus you losing data ? I'm surprised http1 is faster than http2 over a remote connection though (for emby) - that is interesting. I would also be a little cautions forcing http1 - as TLS/SSL is 'optional' for this protocol - thus you may be compromising some security if using TLS. Edited March 15, 2023 by rbjtech
Gecko 71 Posted March 15, 2023 Posted March 15, 2023 @pwhodges, on LAN, i also don't have any delay at all. I updated caddy a few days ago, so I'm on the latest version yes. @rbjtech, what would you suggest to not compromise security ? Caddy redirects any http requests to their https equivalent before processing anything but I can activate h2 on the downstream and keep h1 for the upstream connection with Emby ? This is what the caddy documentation has to say about protocols. That's the last sentence that made me try forbidding h3 protocols The space-separated list of HTTP protocols to support. Default: h1 h2 h3. Accepted values are: h1 for HTTP/1.1 h2 For HTTP/2 h2c for HTTP/2 over cleartext h3 for HTTP/3 Currently, enabling HTTP/2 (including H2C) necessarily implies enabling HTTP/1.1 because the Go standard library does not let us disable HTTP/1.1 when using its HTTP server. However, either HTTP/1.1 or HTTP/3 can be enabled independently. Note that H2C ("Cleartext HTTP/2" or "H2 over TCP") and HTTP/3 are not implemented by the Go standard library, so some functionality or features may be limited. We recommend against enabling H2C unless it is absolutely necessary for your application.
pwhodges 2012 Posted March 15, 2023 Author Posted March 15, 2023 I realised later you were saying it was remote, and did a remote test which was absolutely fine as well - in fact a positively good result seeing as I have a poor mobile signal at home to the extent that the phone switches to wi-fi mode for calls. I wonder if your phone network has an issue with http/3. Paul
rbjtech 5284 Posted March 15, 2023 Posted March 15, 2023 14 minutes ago, Gecko said: @rbjtech, what would you suggest to not compromise security ? Caddy redirects any http requests to their https equivalent before processing anything but I can activate h2 on the downstream and keep h1 for the upstream connection with Emby ? For Internet to Caddy - Stick with http2 using TLS 1.2 or 1.3 only. Caddy to Emby doesn't really matter if it's your private LAN. Performance (should..) not be an issue on the LAN, http is perfectly acceptable.
Bagul 182 Posted March 23, 2023 Posted March 23, 2023 (edited) Hello to all, I made a configuration for goaccess and caddy with a real time visual. For those who don't know goaccess it's a tool coded in C that allows visualization and analysis of log. I took the Docker container here original repo and I updated it. Link: my repo For the configuration of the container: version: '3.3 services: goaccess: image: bagul/goaccess container_name: goaccess ports: - '7889:7889' volumes: - '/path/to/host/nginx/logs:/opt/log' - '/path/to/goaccess/storage:/config' Caddy logs must be in json format And the goaccess configuration: log-format CADDY config-dialog false hl-header true json-pretty-print false no-color false no-column-names false no-csv-summary false no-progress false no-tab-scroll false with-mouse false real-time-html true log-file /opt/log/log_file1.log log-file /opt/log/log_file2.log agent-list false with-output-resolver false exclude-ip 127.0.0.1 exclude-ip 192.168.0.1-192.168.0.254 exclude-ip 192.168.1.1-192.168.1.254 exclude-ip 192.168.4.1-192.168.4.254 http-method yes http-protocol yes output /config/html/index.html no-query-string false no-term-resolver false 444-as-404 false xx-to-unique-count false all-static-files false double-decode false ignore-crawlers false crawlers-only false ignore-panel REFERRERS ignore-panel KEYPHRASES real-os true static-file .css static-file .js static-file .jpg static-file .png static-file .gif static-file .ico static-file .jpeg static-file .pdf static-file .csv static-file .mpeg static-file .mpg static-file .swf static-file .woff static-file .woff2 static-file .xls static-file .xlsx static-file .doc static-file .docx static-file .ppt static-file .pptx static-file .txt static-file .zip static-file .ogg static-file .mp3 static-file .mp4 static-file .exe static-file .iso static-file .gz static-file .rar static-file .svg static-file .bmp static-file .tar static-file .tgz static-file .tiff static-file .tif static-file .ttf static-file .flv geoip-database /usr/local/share/GeoIP/GeoLite2-City.mmdb Edited March 23, 2023 by Bagul 1
Bagul 182 Posted March 23, 2023 Posted March 23, 2023 (edited) result: Edited March 23, 2023 by Bagul 2
Gecko 71 Posted May 25, 2023 Posted May 25, 2023 @Bagulthat's really nice, thank you ! About my previous issues with http3, I moved caddy from a pi4 to a more powerful toy and all my issues are now ancient history. Reverse Proxy is rock solid and Emby has never been so fast even if I still don't know what was the issue with the pi... 1
xibinim 7 Posted November 4, 2023 Posted November 4, 2023 On 04/05/2020 at 14:27, pwhodges said: OK, I have run an initial trial of Caddy version 2, and it works as simply as they say it should. I used Caddy 2 rc3 for the trial. Note that you can no longer get Windows binaries of Caddy v1, only source, so v2 is where it's at now! First, the setup I tried it in, and the assumptions I made. A domain name is required for external access; you need to get that and specify your IP address in the DNS. I use ports 80 and 443 for Caddy, because this enables it to get the required certificate from Let's Encrypt; it does this completely automatically in most circumstances, but you must have port 80 open for the process to work. When you try to access port 80, however, Caddy automatically redirects the request to port 443 - again, you don't need to configure this or think about it. So, I open ports 80 and 443 in my router to the machine running Caddy (and in the router's firewall as well, if this is a separate action), and ensure that the Windows firewall will also allow these ports through to caddy.exe. Next, I am running Emby in another machine, which for this example has IP address 192.168.1.66. I leave its ports as default, and only use the http one (8096). As it's on a different machine I could change this to port 80 for convenience, but I don't bother for other reasons. For an initial test, I went to the directory where I had dropped the Caddy executable and in a command window in the directory containing Caddy typed the command: caddy reverse-proxy --from emby.mydomain.com --to http://192.168.1.66:8096 That's it - the first time it may take a little while to get the certificate organised, but subsequent runs will be almost instant, as the certificate is already in place. The command doesn't return, so the window needs to be preserved while Caddy is running in this manner. Then simply typing emby.mydomain.com in a browser shows me what I expect. Note, I use the external domain name for internal access as well - this means that I can set up mobile devices to work whether I am at home or away. This does require a router that will loop back internal requests to the outside address efficiently, though; my Draytek Vigor does this perfectly. Finally I tried a config file for Caddy which enables running in the background or as a service (I haven't checked setting Caddy 2 up as a Windows service yet, which is how I'm running Caddy v1). This went as follows: in the same directory as caddy.exe I created a file called caddyfile (no extension). In this I placed the following text: { email name@maildomain.com } emby.mydomain.com { reverse_proxy http://192.168.1.66:8096 } Note the underscore in "reverse_proxy" where the command line version had a dash. If you can't find how to edit a file without an extension, create it with ".txt" and then delete the extension after editing it. The email directive enables Let's Encrypt to email you warnings if problems arise in the future. If Caddy is started in the directory containing the exe file and caddyfile, it will automatically use the specified configuration. I first simply ran it in the command window using the following command: caddy run As before, this does not return, and the proxy is now operating. It is also possible to start Caddy in the background from a command, thus: caddy start In this case you can stop it using the command: caddy stop which is rather unsurprising. If you ran caddy using the previous commands which held the window without returning, Ctrl-C will stop it in the usual manner, as will closing the window, or using the "caddy stop" command in another window. At least in my system, this really is all it takes for the proxy to work and do all the things required. But Caddy can be extensively customised if other systems require tweaks. There is even a facility to give it an nginx config file which it should then translate internally, but as I don't use nginx, I'm not going to try that out - in any case, it would take as much typing to specify that as to provide the trivially simple Caddy commands that work. Paul You legend, thank you. I first attmpeted SSL on my server months ago with no luck. Recently moved house an discovered I'd been put on CGNAT, fortunately that got resolved. But been hitting road block after road block this last week trying various guides and YT video - absolute nightmare. And then this morning - your post solved it. Danke. 1
xibinim 7 Posted November 4, 2023 Posted November 4, 2023 So now that's working, I need to make run as a service in the background. I think I just follow/add on the below guide for Caddy v2? Quote If you want, you can also run Caddy as a service, it'll start automatically with your computer even if you're not logged in, and it will be invisible, so no annoying command window always there. If you downloaded Caddy with the hook.service plug-in then it's easy. First open a CMD window, change to your caddy directory (cd c:\caddy) and run this command to install the service. You have to run these commands as an administrator, so when you run CMD, right click and choose "Run as Administrator." caddy -service install -agree -email "myemail@email.com" -conf "c:\caddyfile.txt" -log "c:\caddylog.txt" You'll notice it's the same as what you ran before to start Caddy, but with -service install added, and with -log c:\caddylog.txt added. If you click run, type "services" and start the Services control panel, you'll now see Caddy listed as a service but it will not be running. Now run the command: caddy -service start That's it. In the Services control panel you'll see that the Caddy service is running. You only have to do this once, when you reboot it'll automatically start the service again for you. You can look at the caddylog.txt file to see the running status, and you can always check the Services control panel to verify it's running.
pwhodges 2012 Posted November 4, 2023 Author Posted November 4, 2023 Personally I use nssm to set up the service (it gives you a GUI for configuration, and the tab remind you of things like choosing the logic user). Instructions for using nssm to start Emby are here, and the parallel for Caddy should be clear enough. I could fill this out in detail in a while, but I'm just starting to be busy cooking right now. Paul
PixelWizard 7 Posted November 16, 2023 Posted November 16, 2023 (edited) I have this error triyng to use Caddy.. I get this error when I try to play something, it plays but this error appears in Caddy 2023/11/16 10:15:54.696 ERROR http.handlers.reverse_proxy aborting with incomplete response {"upstream": "localhost:8096", "duration": 0.022399, "request": {"remote_ip": "124.120.193.XXX", "remote_port": "3307", "client_ip": "124.120.193.XXX", "proto": "HTTP/2.0", "method": "GET", "host": "emb1.mypublicdomain.com", "uri": "/emby/videos/269145/original.mkv?DeviceId=ca5a2b89-75e4-4da7-92da-223c87cffe1d&MediaSourceId=8ee174b7dc1f83c5a8066856d3f9e6a5&PlaySessionId=34ce1c95f5644510900246251d749ca6&api_key=7fe0c8e1c14c442695bfe52a5988c799", "headers": {"Accept-Encoding": ["identity;q=1"], "Upgrade": [""], "X-Forwarded-For": ["124.120.193.72"], "If-Range": ["\"5c48811a6eafbe93d215093aae184e57\""], "Sec-Ch-Ua-Mobile": ["?0"], "Sec-Ch-Ua": ["\"Microsoft Edge\";v=\"119\", \"Chromium\";v=\"119\", \"Not?A_Brand\";v=\"24\""], "X-Forwarded-Proto": ["https"], "Dnt": ["1"], "Sec-Ch-Ua-Platform": ["\"Windows\""], "Accept-Language": ["es,es-ES;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,th;q=0.5"], "Sec-Fetch-Mode": ["cors"], "Connection": [""], "Accept": ["*/*"], "X-Forwarded-Host": ["emb1.mypublicdomain.com"], "Sec-Gpc": ["1"], "Range": ["bytes=35778-2147519424"], "Referer": ["https://emb1.mypublicdomain.com/web/index.html"], "Sec-Fetch-Site": ["same-origin"], "User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Edg/119.0.0.0"], "Sec-Fetch-Dest": ["video"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "h2", "server_name": "emb1.mypublicdomain.com"}}, "error": "writing: http2: stream closed"} And i not doing nothing special. caddy reverse-proxy --from emb1.mypublicdomain.com --to localhost:8096 Edited November 16, 2023 by est3ban129
Bagul 182 Posted November 16, 2023 Posted November 16, 2023 8 hours ago, est3ban129 said: I have this error triyng to use Caddy.. I get this error when I try to play something, it plays but this error appears in Caddy 2023/11/16 10:15:54.696 ERROR http.handlers.reverse_proxy aborting with incomplete response {"upstream": "localhost:8096", "duration": 0.022399, "request": {"remote_ip": "124.120.193.XXX", "remote_port": "3307", "client_ip": "124.120.193.XXX", "proto": "HTTP/2.0", "method": "GET", "host": "emb1.mypublicdomain.com", "uri": "/emby/videos/269145/original.mkv?DeviceId=ca5a2b89-75e4-4da7-92da-223c87cffe1d&MediaSourceId=8ee174b7dc1f83c5a8066856d3f9e6a5&PlaySessionId=34ce1c95f5644510900246251d749ca6&api_key=7fe0c8e1c14c442695bfe52a5988c799", "headers": {"Accept-Encoding": ["identity;q=1"], "Upgrade": [""], "X-Forwarded-For": ["124.120.193.72"], "If-Range": ["\"5c48811a6eafbe93d215093aae184e57\""], "Sec-Ch-Ua-Mobile": ["?0"], "Sec-Ch-Ua": ["\"Microsoft Edge\";v=\"119\", \"Chromium\";v=\"119\", \"Not?A_Brand\";v=\"24\""], "X-Forwarded-Proto": ["https"], "Dnt": ["1"], "Sec-Ch-Ua-Platform": ["\"Windows\""], "Accept-Language": ["es,es-ES;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,th;q=0.5"], "Sec-Fetch-Mode": ["cors"], "Connection": [""], "Accept": ["*/*"], "X-Forwarded-Host": ["emb1.mypublicdomain.com"], "Sec-Gpc": ["1"], "Range": ["bytes=35778-2147519424"], "Referer": ["https://emb1.mypublicdomain.com/web/index.html"], "Sec-Fetch-Site": ["same-origin"], "User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Edg/119.0.0.0"], "Sec-Fetch-Dest": ["video"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "h2", "server_name": "emb1.mypublicdomain.com"}}, "error": "writing: http2: stream closed"} And i not doing nothing special. caddy reverse-proxy --from emb1.mypublicdomain.com --to localhost:8096 This error is not generated by caddy directly, but by a "tool" (go's net/http lib). It's just that the client has closed the connection while transferring information. This isn't necessarily a problem if it doesn't cause any malfunction on your end. I've got it too. 1
okseby 1 Posted April 27, 2024 Posted April 27, 2024 On 3/15/2023 at 5:58 AM, Gecko said: Small update about the Caddy Subject. I was running into issues while outside my home network on my iPhone. So I checked on my browser's dev tools why the heck I was having multiple seconds of delay before getting any response from Emby or even no response at all (Navigation through the list of thumbnails was really a pain with lot's of images not loading at all). Turns out (at least in the latest iOS's Safari), the protocol being used is http3 and not http2 anymore (since when? IDK). But this protocol introduce a lot of "lag" in every response I got though Caddy. So I tested by restricting the protocols to h1 and h2 only and the issue magically disappeared ! Like discussed before, http/1.1 is even a little bit faster than http2, so I went all the way down to restrict only h1 in my Caddyfile using the Global options block. { servers :80 { protocols h1 } servers :443 { protocols h1 } } Hope this help anyone having the same issue. I have been fighting a weird issue with Emby + Caddy for the last few weeks and I was having the exact same issue, except my server is running Linux. Thank you as I was going insane trying to solve this.
okseby 1 Posted April 28, 2024 Posted April 28, 2024 nvm, I was too quick to assume it fixed my issue.
HairyBizRat 21 Posted August 9, 2024 Posted August 9, 2024 On 11/4/2023 at 9:09 AM, xibinim said: You legend, thank you. I first attmpeted SSL on my server months ago with no luck. Recently moved house an discovered I'd been put on CGNAT, fortunately that got resolved. But been hitting road block after road block this last week trying various guides and YT video - absolute nightmare. And then this morning - your post solved it. Danke. Would you be able to help me? I'm new to EMby just over a week and struggling with this. I downloaded Caddy, followed the below instructions and ran the command Quote caddy reverse-proxy --from emby.mydomain.com --to http://192.168.1.66:8096 But after running it, i get the below errors (note i substituted my real domain name for "mydomainnamehere" Quote Microsoft Windows [Version 10.0.19045.4651] (c) Microsoft Corporation. All rights reserved. C:\Windows\system32>cd\ C:\>cd caddy C:\Caddy>caddy reverse-proxy --from mydomainnamehere.com --to http10.0.0.70:8096 2024/08/09 15:28:39.108 ←[33mWARN←[0m admin admin endpoint disabled 2024/08/09 15:28:39.108 ←[34mINFO←[0m http.auto_https server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "proxy", "https_port": 443} 2024/08/09 15:28:39.109 ←[34mINFO←[0m http.auto_https enabling automatic HTTP->HTTPS redirects {"server_name": "proxy"} 2024/08/09 15:28:39.108 ←[34mINFO←[0m tls.cache.maintenance started background certificate maintenance {"cache": "0xc000191500"} 2024/08/09 15:28:39.110 ←[34mINFO←[0m http enabling HTTP/3 listener {"addr": ":443"} 2024/08/09 15:28:39.111 ←[34mINFO←[0m http.log server running {"name": "proxy", "protocols": ["h1", "h2", "h3"]} 2024/08/09 15:28:39.111 ←[34mINFO←[0m http.log server running {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]} 2024/08/09 15:28:39.111 ←[34mINFO←[0m http enabling automatic TLS certificate management {"domains": ["mydomainnamehere.com"]} 2024/08/09 15:28:39.111 ←[34mINFO←[0m caddy proxying {"from": "https://mydomainnamehere.com", "to": ["http10.0.0.70:8096"]} 2024/08/09 15:28:39.115 ←[34mINFO←[0m tls storage cleaning happened too recently; skipping for now {"storage": "FileStorage:C:\\Users\\PLEX_SERVER\\AppData\\Roaming\\Caddy", "instance": "274ef569-0dad-4625-b5e6-85665157c6c6", "try_again": "2024/08/10 15:28:39.115", "try_again_in": 86400} 2024/08/09 15:28:39.116 ←[34mINFO←[0m tls finished cleaning storage units 2024/08/09 15:28:39.128 ←[34mINFO←[0m tls.obtain acquiring lock {"identifier": "mydomainnamehere.com"} 2024/08/09 15:28:39.128 ←[34mINFO←[0m [INFO][FileStorage:C:\Users\PLEX_SERVER\AppData\Roaming\Caddy] Lock for 'issue_cert_mydomainnamehere.com' is stale (created: 2024-08-09 11:20:48.9650423 -0400 EDT, last update: 2024-08-09 11:26:39.8885268 -0400 EDT); removing then retrying: C:\Users\PLEX_SERVER\AppData\Roaming\Caddy\locks\issue_cert_mydomainnamehere.com.lock 2024/08/09 15:28:39.134 ←[34mINFO←[0m tls.obtain lock acquired {"identifier": "mydomainnamehere.com"} 2024/08/09 15:28:39.136 ←[34mINFO←[0m tls.obtain obtaining certificate {"identifier": "mydomainnamehere.com"} 2024/08/09 15:28:39.139 ←[34mINFO←[0m http waiting on internal rate limiter {"identifiers": ["mydomainnamehere.com"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "mydomainnamehere@gmail.com"} 2024/08/09 15:28:39.139 ←[34mINFO←[0m http done waiting on internal rate limiter {"identifiers": ["mydomainnamehere.com"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "mydomainnamehere@gmail.com"} 2024/08/09 15:28:39.139 ←[34mINFO←[0m http using ACME account {"account_id": "https://acme-v02.api.letsencrypt.org/acme/acct/1882600666", "account_contact": ["mailto:mydomainnamehere@gmail.com"]} 2024/08/09 15:28:39.797 ←[34mINFO←[0m http.acme_client trying to solve challenge {"identifier": "mydomainnamehere.com", "challenge_type": "http-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"} 2024/08/09 15:28:40.529 ←[31mERROR←[0m http.acme_client challenge failed {"identifier": "mydomainnamehere.com", "challenge_type": "http-01", "problem": {"type": "urn:ietf:params:acme:error:unauthorized", "title": "", "detail": "2607:f1c0:100f:f000::200: Invalid response from http://mydomainnamehere.com/.well-known/acme-challenge/FYFUgyFKBPMNd5ngRvYS7SlsSq8LiJX6rVf1N6hbiJs: 204", "instance": "", "subproblems": []}} 2024/08/09 15:28:40.529 ←[31mERROR←[0m http.acme_client validating authorization {"identifier": "mydomainnamehere.com", "problem": {"type": "urn:ietf:params:acme:error:unauthorized", "title": "", "detail": "2607:f1c0:100f:f000::200: Invalid response from http://mydomainnamehere.com/.well-known/acme-challenge/FYFUgyFKBPMNd5ngRvYS7SlsSq8LiJX6rVf1N6hbiJs: 204", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/1882600666/294816571756", "attempt": 1, "max_attempts": 3} 2024/08/09 15:28:41.646 ←[31mERROR←[0m tls.obtain could not get certificate from issuer {"identifier": "mydomainnamehere.com", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/"} 2024/08/09 15:28:41.647 ←[31mERROR←[0m tls.obtain will retry {"error": "[mydomainnamehere.com] Obtain: [mydomainnamehere.com] creating new order: attempt 1: https://acme-v02.api.letsencrypt.org/acme/new-order: HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/ (ca=https://acme-v02.api.letsencrypt.org/directory)", "attempt": 1, "retrying_in": 60, "elapsed": 2.5112694, "max_duration": 2592000} 2024/08/09 15:29:41.655 ←[34mINFO←[0m tls.obtain obtaining certificate {"identifier": "mydomainnamehere.com"} 2024/08/09 15:29:42.160 ←[34mINFO←[0m http using ACME account {"account_id": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/158825773", "account_contact": ["mailto:mydomainnamehere@gmail.com"]} 2024/08/09 15:29:42.413 ←[34mINFO←[0m http.acme_client trying to solve challenge {"identifier": "mydomainnamehere.com", "challenge_type": "tls-alpn-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"} 2024/08/09 15:29:42.745 ←[34mINFO←[0m tls served key authentication certificate {"server_name": "mydomainnamehere.com", "challenge": "tls-alpn-01", "remote": "66.133.109.36:35949", "distributed": false} 2024/08/09 15:29:43.102 ←[34mINFO←[0m tls served key authentication certificate {"server_name": "mydomainnamehere.com", "challenge": "tls-alpn-01", "remote": "3.144.207.24:34662", "distributed": false} 2024/08/09 15:29:43.892 ←[31mERROR←[0m http.acme_client challenge failed {"identifier": "mydomainnamehere.com", "challenge_type": "tls-alpn-01", "problem": {"type": "urn:ietf:params:acme:error:tls", "title": "", "detail": "During secondary validation: 74.208.236.77: remote error: tls: internal error", "instance": "", "subproblems": []}} 2024/08/09 15:29:43.892 ←[31mERROR←[0m http.acme_client validating authorization {"identifier": "mydomainnamehere.com", "problem": {"type": "urn:ietf:params:acme:error:tls", "title": "", "detail": "During secondary validation: 74.208.236.77: remote error: tls: internal error", "instance": "", "subproblems": []}, "order": "https://acme-staging-v02.api.letsencrypt.org/acme/order/158825773/18311965723", "attempt": 1, "max_attempts": 3} 2024/08/09 15:29:45.128 ←[34mINFO←[0m http.acme_client trying to solve challenge {"identifier": "mydomainnamehere.com", "challenge_type": "http-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"} 2024/08/09 15:29:45.909 ←[31mERROR←[0m http.acme_client challenge failed {"identifier": "mydomainnamehere.com", "challenge_type": "http-01", "problem": {"type": "urn:ietf:params:acme:error:unauthorized", "title": "", "detail": "2607:f1c0:100f:f000::200: Invalid response from http://mydomainnamehere.com/.well-known/acme-challenge/fdHFlOsiS4eC_XsV8DEWSLW34ZTe6i6Y0vvUEDyIAK4: 204", "instance": "", "subproblems": []}} 2024/08/09 15:29:45.909 ←[31mERROR←[0m http.acme_client validating authorization {"identifier": "mydomainnamehere.com", "problem": {"type": "urn:ietf:params:acme:error:unauthorized", "title": "", "detail": "2607:f1c0:100f:f000::200: Invalid response from http://mydomainnamehere.com/.well-known/acme-challenge/fdHFlOsiS4eC_XsV8DEWSLW34ZTe6i6Y0vvUEDyIAK4: 204", "instance": "", "subproblems": []}, "order": "https://acme-staging-v02.api.letsencrypt.org/acme/order/158825773/18311966293", "attempt": 2, "max_attempts": 3} 2024/08/09 15:29:45.913 ←[31mERROR←[0m tls.obtain could not get certificate from issuer {"identifier": "mydomainnamehere.com", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 403 urn:ietf:params:acme:error:unauthorized - 2607:f1c0:100f:f000::200: Invalid response from http://mydomainnamehere.com/.well-known/acme-challenge/fdHFlOsiS4eC_XsV8DEWSLW34ZTe6i6Y0vvUEDyIAK4: 204"} 2024/08/09 15:29:45.914 ←[31mERROR←[0m tls.obtain will retry {"error": "[mydomainnamehere.com] Obtain: [mydomainnamehere.com] solving challenge: mydomainnamehere.com: [mydomainnamehere.com] authorization failed: HTTP 403 urn:ietf:params:acme:error:unauthorized - 2607:f1c0:100f:f000::200: Invalid response from http://mydomainnamehere.com/.well-known/acme-challenge/fdHFlOsiS4eC_XsV8DEWSLW34ZTe6i6Y0vvUEDyIAK4: 204 (ca=https://acme-staging-v02.api.letsencrypt.org/directory)", "attempt": 2, "retrying_in": 120, "elapsed": 66.7787787, "max_duration": 2592000} 2024/08/09 15:31:45.917 ←[34mINFO←[0m tls.obtain obtaining certificate {"identifier": "mydomainnamehere.com"} 2024/08/09 15:31:45.919 ←[34mINFO←[0m http using ACME account {"account_id": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/158825773", "account_contact": ["mailto:mydomainnamehere@gmail.com"]} 2024/08/09 15:31:46.250 ←[34mINFO←[0m http.acme_client trying to solve challenge {"identifier": "mydomainnamehere.com", "challenge_type": "tls-alpn-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"} 2024/08/09 15:31:46.554 ←[34mINFO←[0m tls served key authentication certificate {"server_name": "mydomainnamehere.com", "challenge": "tls-alpn-01", "remote": "66.133.109.36:32881", "distributed": false} 2024/08/09 15:31:47.373 ←[31mERROR←[0m http.acme_client challenge failed {"identifier": "mydomainnamehere.com", "challenge_type": "tls-alpn-01", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "During secondary validation: 74.208.236.77: Error getting validation data", "instance": "", "subproblems": []}} 2024/08/09 15:31:47.373 ←[31mERROR←[0m http.acme_client validating authorization {"identifier": "mydomainnamehere.com", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "During secondary validation: 74.208.236.77: Error getting validation data", "instance": "", "subproblems": []}, "order": "https://acme-staging-v02.api.letsencrypt.org/acme/order/158825773/18311997333", "attempt": 1, "max_attempts": 3} 2024/08/09 15:31:48.596 ←[34mINFO←[0m http.acme_client trying to solve challenge {"identifier": "mydomainnamehere.com", "challenge_type": "http-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"} 2024/08/09 15:31:49.028 ←[31mERROR←[0m http.acme_client challenge failed {"identifier": "mydomainnamehere.com", "challenge_type": "http-01", "problem": {"type": "urn:ietf:params:acme:error:unauthorized", "title": "", "detail": "2607:f1c0:100f:f000::200: Invalid response from http://mydomainnamehere.com/.well-known/acme-challenge/ZfQDsdp0SWubrmbCMwdizHlKHDgOC2DQ0zB93LzL-dI: 204", "instance": "", "subproblems": []}} 2024/08/09 15:31:49.028 ←[31mERROR←[0m http.acme_client validating authorization {"identifier": "mydomainnamehere.com", "problem": {"type": "urn:ietf:params:acme:error:unauthorized", "title": "", "detail": "2607:f1c0:100f:f000::200: Invalid response from http://mydomainnamehere.com/.well-known/acme-challenge/ZfQDsdp0SWubrmbCMwdizHlKHDgOC2DQ0zB93LzL-dI: 204", "instance": "", "subproblems": []}, "order": "https://acme-staging-v02.api.letsencrypt.org/acme/order/158825773/18311998123", "attempt": 2, "max_attempts": 3} 2024/08/09 15:31:49.033 ←[31mERROR←[0m tls.obtain could not get certificate from issuer {"identifier": "mydomainnamehere.com", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 403 urn:ietf:params:acme:error:unauthorized - 2607:f1c0:100f:f000::200: Invalid response from http://mydomainnamehere.com/.well-known/acme-challenge/ZfQDsdp0SWubrmbCMwdizHlKHDgOC2DQ0zB93LzL-dI: 204"} 2024/08/09 15:31:49.034 ←[31mERROR←[0m tls.obtain will retry {"error": "[mydomainnamehere.com] Obtain: [mydomainnamehere.com] solving challenge: mydomainnamehere.com: [mydomainnamehere.com] authorization failed: HTTP 403 urn:ietf:params:acme:error:unauthorized - 2607:f1c0:100f:f000::200: Invalid response from http://mydomainnamehere.com/.well-known/acme-challenge/ZfQDsdp0SWubrmbCMwdizHlKHDgOC2DQ0zB93LzL-dI: 204 (ca=https://acme-staging-v02.api.letsencrypt.org/directory)", "attempt": 3, "retrying_in": 120, "elapsed": 189.8983396, "max_duration": 2592000}
pwhodges 2012 Posted August 9, 2024 Author Posted August 9, 2024 The errors imply that Caddy is not receiving the response from the certificate supplier. This could be because of a DNS error, or because of the firewall on the machine running Caddy, for instance. BTW, it is much preferable to discuss your problem in one place, not in two separate threads. Paul
Q-Droid 989 Posted August 9, 2024 Posted August 9, 2024 All relevant ports need to be open, active and reachable for domain validation, right? Unless it's using a different challenge method out of the box.
pwhodges 2012 Posted August 9, 2024 Author Posted August 9, 2024 I see in your other thread that you have an HTTP connection working, so we don't have cgNAT to worry about, nor DNS errors. Caddy has been v2 for many years; my first set of instructions here was for v1, and the date would confirm that. Paul
pwhodges 2012 Posted August 9, 2024 Author Posted August 9, 2024 Just now, Q-Droid said: All relevant ports need to be open, active and reachable for domain validation, right? Unless it's using a different challenge method out of the box. Both ports 80 and 443 are required for the default setup. Paul
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now