Invalid host in redirect target, adding subdomains

My domain is:
meme.market
apidev.meme.market

Good afternoon! I am having a little bit of trouble with obtaining certificates for subdomains and configuring them so that subdomains can work from separate servers. My main domain is meme.market, owned by GoDaddy. For the time being, I used Caddy to provide a simple static webpage with HTTPS, and it works great! You can visit the website and that sweet lock will be on the top. It’s hosted on this server, 167.172.207.34; let’s call it X. The Caddyfile is very simple and this whole thing is running inside a Docker container. Source here: https://github.com/thecsw/meme.market-coming-soon

I have a second service that I would like to provide under a subdomain and have it secured too. If I want to create a subdomain apidev.meme.market and proxy it to one of the internal services, let’s say proxy / api:5000, where api is one of the services that exposes port 5000 and is visible, the new Caddy (Docker containers as well; api is a container in the same network as Caddy) fails to run the server. The errors range from what may be firewall rules (I disabled the firewall rules for the sake of testing) to Fetching http://167.172.114.123/.well-known/acme-challenge/AGqgbBMoxHXEMhJm9RxLzrDbAF1sUA9RSp_IxT3pegc: Invalid host in redirect target "167.172.114.123". Only domain names are supported, not IP addresses, url:

I’m quite bewildered by this. Maybe just pointing a subdomain to an IP address and then running it from that server is not enough to obtain the needed certificates if the main domain is running elsewhere. I’ve tried running different combinations and executing Caddy separately. Unfortunately, it all just fails to assign. All I need to do is proxy a container’s port as a subdomain. I tried doing DNS challenges with GoDaddy as described here https://caddyserver.com/v1/docs/automatic-https#dns-challenge, however it just spits out
Error during parsing: Unknown DNS provider by name 'godaddy'. I’m using just abiosoft/caddy for my Caddy container.

Thank you!

1 Like

apidev.meme.market currently points to an nginx server, rather than to your Caddy server (as with your main domain).

That nginx server is producing the redirect to an IP address, which Let's Encrypt will refuse to follow:

$ curl -i apidev.meme.market/.well-known/acme-challenge/xx
HTTP/1.1 302 Found
Server: nginx/1.12.2
Date: Fri, 31 Jan 2020 20:23:55 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Location: http://167.172.114.123/.well-known/acme-challenge/xx

I am going to guess that the correct setup would be for apidev.meme.market to be a DNS A record pointing to 167.172.207.34, rather than the weird HTTP redirect you have now.

If going down the DNS route, I suspect that you have to build a custom Docker image with the GoDaddy TLS plugin, because https://caddyserver.com/v1/docs/tls.dns.godaddy says:

This feature does not come with Caddy by default. To get it, select the tls.dns.godaddy plugin when you download Caddy.

2 Likes

Hi @thecsw

Checking your configuration, that can't work - https://check-your-website.server-daten.de/?q=apidev.meme.market

Your DNS:

Host T IP-Address is auth. ∑ Queries ∑ Timeout
apidev.meme.market A 184.168.131.241 Scottsdale/Arizona/United States (US) - GoDaddy.com, LLC Hostname: ip-184-168-131-241.ip.secureserver.net yes 1 0
AAAA yes
www.apidev.meme.market Name Error yes 1 0

That's a GoDaddy server, not the server where you run your Caddy.

And that's

Domainname Http-Status redirect Sec. G
http://apidev.meme.market/ 184.168.131.241 302 http://167.172.114.123 3.386 D
http://167.172.114.123 -2 1.524 V
ConnectFailure - Unable to connect to the remote server
https://apidev.meme.market/ 184.168.131.241 -14 10.050 T
Timeout - The operation has timed out
http://apidev.meme.market/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 184.168.131.241 302 http://167.172.114.123/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 3.483 D
Visible Content:
http://167.172.114.123/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de -2 1.520 V
ConnectFailure - Unable to connect to the remote server
Visible Content:

not allowed. When checking your domain, Let's Encrypt follows redirects to port 80 or port 443 or to other domain names, but not redirects to an IP address.

If your Caddy runs on 167.172.114.123, then you need an A-record

your subdomain -> 167.172.114.123

So first step: Change your dns setup, then try it again.

1 Like
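Added example, not code from the thread or from Caddy: a small preflight check that parses a raw HTTP-01 challenge response and applies the rule stated in both answers above, that the validator follows a redirect only to a domain name on port 80 or 443, never to an IP literal. The sample response is constructed to reproduce the headers of the curl capture quoted earlier in the thread.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: reproduces the headers of the curl capture quoted in
# the thread (the 302 from nginx pointing at a bare IP address).
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: nginx/1.12.2\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Location: http://167.172.114.123/.well-known/acme-challenge/xx\r\n"
    "\r\n"
)

def acme_redirect_allowed(location):
    """HTTP-01 redirect rule: only http/https, a hostname (no IP literal)
    and port 80 or 443 (or the scheme default) are followed."""
    parts = urlsplit(location)
    if parts.scheme not in ("http", "https"):
        return False, "scheme %r is not http/https" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host in redirect target"
    try:
        ipaddress.ip_address(host)
        return False, "redirect target %r is an IP literal" % host
    except ValueError:
        pass  # not an IP literal, so it is a domain name
    port = parts.port or (80 if parts.scheme == "http" else 443)
    if port not in (80, 443):
        return False, "port %d is not 80 or 443" % port
    return True, "ok"

def check_challenge_response(raw):
    """Parse a raw HTTP response (status line + headers) and report whether
    an HTTP-01 validator could proceed from it."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if status == 200:
        return {"status": status, "ok": True, "reason": "served directly"}
    if status in (301, 302, 303, 307, 308):
        ok, reason = acme_redirect_allowed(headers.get("location", ""))
        return {"status": status, "ok": ok, "reason": reason}
    return {"status": status, "ok": False, "reason": "unexpected status %d" % status}
```

Calling check_challenge_response(SAMPLE_RESPONSE) reports the captured 302 as not followable because its target is an IP literal; paste the output of curl -i against your own challenge path to test a live setup before re-running Caddy.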

@JuergenAuer @_az

Great find! When I was working on this a couple of days ago, it was pointing to 167., then I tried to use GoDaddy’s subdomain feature, which included the 184. middleman!
DNS is clean and pointing to the second server now: https://dnschecker.org/#A/apidev.meme.market

If you try to open https://apidev.meme.market, it works great! And the API proxy https://apidev.meme.market/api/ is also performing superb!

After some further tinkering, I realized the issues I was having were due to a non-transparent proxy and browser cache!

Thank you folks! If we meet, I owe you a bottle of champagne!

Cheers

3 Likes
