Trouble getting certificate with Caddy


#1

Hi Matt,

I’ve heard that you helped a couple of people with Caddy and Let’s Encrypt, so I hope you can answer my desperate :slight_smile: request.
I’m trying to achieve what is supposed to be an easy task. I have followed several tutorials but I’m still not able to set up a simple reverse proxy for some of my services.
I’m running a Windows 10 Pro based media/file server with a couple of well-known services (e.g. Plex). I would like to access them remotely over an encrypted connection, with a sub-domain for each corresponding service, so I don’t need to expose and remember all of those ports. For that I have purchased a domain through Namecheap.com and set up Dynamic DNS and the following A+ DNS records:


I can access all of my services through mydomain.com:port
I have also installed Caddyserver and configured the Caddyfile accordingly, but when I run caddy.exe I’m getting the following errors:
Activating privacy features… 2018/07/09 11:29:44 [sab.szostaki.club] failed to get certificate: acme: Error 400 - urn:ietf:params:acme:error:dns - DNS problem: NXDOMAIN looking up A for sab.szostaki.club
Could you please point me in the right direction. What am I missing here?
Regards,
Hubert


#2

Well this doesn’t appear to be an issue with Caddy, so if I was you I’d ask the wider Let’s Encrypt community for help, since I’m not sure what causes that error to be generated on their end. :slight_smile: Good luck!


#3

Hi @Hubszo,

First, there’s no benefit from redacting your IP address since DNS records are public and everyone connecting to your web site needs to have access to the IP address in order to connect.

Second, the name sab.szostaki.club really doesn’t exist, perhaps because you haven’t created a DNS record for it at all. However, it appears that you mentioned it in your caddyfile. Each subdomain mentioned in your caddyfile must have an associated DNS record in your DNS zone.

As you’ve pointed various subdomains to 127.0.0.0 (should normally be 127.0.0.1 since 127.0.0.0 refers to the loopback network while 127.0.0.1 refers to localhost), you wouldn’t be able to access them remotely over the Internet (or easily get Let’s Encrypt certificates for those subdomains). To be accessed over the Internet, a name needs to be associated with a publicly-routable IP address.


#4

Thanks for your quick reply. I will certainly dig deeper and it seems that message below from Seth may lead in the right direction.


#5

Hi Seth,

Thanks for your feedback. Perhaps you could help me a bit further, since not everything you are saying is either clear to me (I’m really at the beginning of my adventure in this field) or makes sense considering the information on the Namecheap support page.
My understanding of secure remote access is that you can, with the use of a sub-domain and a reverse proxy, connect to your local machine running e.g. Plex or Home Assistant over HTTPS without exposing all those ports (you only need to open 80 and 443). In addition you gain the convenience of using a subdomain to point you to the specific service of yours.
As for configuration in Namecheap:

  1. ‘szostaki.club’ is my domain, as you already know, and it is working properly since I can, e.g., access my PC remotely over an unsecured connection (HTTP) with ‘domain:port’,
  2. I have used 127.0.0.0 (a dummy IP) following guidelines from Namecheap while setting up the Host for Dynamic DNS with the corresponding A+ Dynamic DNS record,
  3. I have actually managed to access a specific subdomain remotely with a simple ‘URL Redirect Record’ which points to ‘domain:port’, but this is still over an unsecured connection and also requires an additional URL redirect record for each service.

The tutorials I have read describe the entire subdomain + reverse proxy setup with a combination of whatever domain/subdomain, Caddyserver and Let’s Encrypt as a walk-in-the-park process, but for some reason I can’t get through.
Anyway, I appreciate any kind of help on the subject.

#6

For Let’s Encrypt HTTP validation to work, you have to create your DNS records like sab.szostaki.club with your real IP address before it will work.

(You can instead use DNS validation – you can use Caddy’s tls.dns.namecheap plugin – but I’m not sure how easy it is to get an API key from Namecheap, and if you were going to create the DNS records later anyway…)


#7

I was actually considering DNS validation with dedicated Namecheap plugin but it is quite costly (not so difficult) to obtain both NAMECHEAP_API_USER and NAMECHEAP_API_KEY.
And when you are saying ‘real IP address’ do you mean my public IP or static IP of my server? I believe the former. It seems from Namecheap tutorial that I have to use their Dynamic DNS client to automatically update IP address for corresponding subdomain regardless that my router is already configured with Namecheap as DDNS provider :frowning:


#8

Well, now I’m a bit confused about what you’re trying to do, since you’ve just mentioned that you have both a server with a static IP address and a home machine that will be hosting services with a dynamic IP address (?). Which services are you planning to run where, and which names are you planning to point at each? (I first thought that all of them would be on the home machine.)


#9

My apology, that’s probably me being imprecise.
So I have a simple Windows 10 based file/media server running 24/7 with things like Plex and Home Assistant (for my home automation, in case you wonder). This PC is connected by LAN to an ASUS router and has a static IP. In addition, several ports are forwarded on the router so access from outside the local network is possible. The router is configured with DDNS (provided by Namecheap) and is correctly updating my public IP given by the ISP. With this configuration I can easily connect remotely with my domain.com:port to all corresponding services on my PC. Of course this connection is unsecured, and that’s where the reverse proxy should come into play. I would like to use Caddy + Let’s Encrypt since this sounds (at least in theory) much easier to set up than, for example, nginx or Apache.
I hope I have now been detailed enough but in case there is still something unclear, please let me know.


#10

Thanks!

So in order to get certificates using Caddy, each name listed in the Caddyfile must already exist in DNS and must be pointed to the public IP address of your server. So if you use a DDNS client, you must make sure that all of the names specified in your Caddyfile have already been created and updated to point to your public IP address.

Although you may be able to initially create these names referring to 127.0.0.0, if you do that you have to be sure to use the client to point each of them to your public IP address before starting Caddy.