How to reverse proxy with Caddy, Tailscale and Docker?

Hello all, I’m taking my first steps in the realm of self-hosting and am learning as I go. I have a VM running Ubuntu and I got it connected to my Tailscale network to fend off unwanted visitors. I also have discovered Docker and am using it to deploy two web applications: FreshRSS and Podfetch. I can deploy them through Docker and they both have their own ports, which I can access through an ipaddress:portnumber URL in my web browser. But the connection is unsecured, over HTTP. I’d like to take it a step further in order to make the connections go over HTTPS.

I thought to use Caddy as a reverse proxy, as it is supposed to have good support for Tailscale, but I’m not being particularly successful. I can connect to the individual applications (FreshRSS, Podfetch) by using the given Tailscale DNS name (machine.domain.ts.net) and port directly in the browser’s URL bar, but going to machine.domain.ts.net only yields a connection error.

I’ve attached the stdout from running Caddy; my spider-sense is telling me it is something to do with getting a cert from Let’s Encrypt. Over at the Tailscale admin console, I’ve ensured I have a tailnet name, MagicDNS and HTTPS certificates enabled.

Here’s some relevant information; the Caddy log is at the end.

Thanks in advance

EDIT: solution to my problem at the end of this post.


sudo docker ps

```
CONTAINER ID   IMAGE                         COMMAND                  CREATED          STATUS          PORTS                                                                                         NAMES
86a72dbd2686   samuel19982/podfetch:latest   "./podfetch"             20 minutes ago   Up 18 minutes   0.0.0.0:8480->8000/tcp, :::8480->8000/tcp                                                     podfetch_podfetch_1
a7dae64308f9   caddy:latest                  "caddy run --config …"   25 hours ago     Up 17 seconds   0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp, 443/udp, 2019/tcp   caddy
141bbf69ad62   freshrss/freshrss             "./Docker/entrypoint…"   2 months ago     Up 2 months     0.0.0.0:8080->80/tcp, :::8080->80/tcp                                                         freshrss
```

Current Caddyfile:


```
machine.domain.ts.net

respond "hello"
file_server
```

docker-compose.yml for Caddy:


```yaml
version: "3"

services:
  caddy:
    image: caddy:latest
    container_name: caddy
    restart: always
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /home/ubuntu/caddy/caddy_data:/data
      - /home/ubuntu/caddy/caddy_config:/config
      - /home/ubuntu/caddy/Caddyfile:/etc/caddy/Caddyfile
```

Log output from running sudo docker-compose up in the directory where docker-compose.yml is located:


```
Starting caddy ... done
Attaching to caddy
caddy    | {"level":"info","ts":1691499456.0689287,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
caddy    | {"level":"warn","ts":1691499456.0720005,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":9}
caddy    | {"level":"info","ts":1691499456.0762668,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
caddy    | {"level":"info","ts":1691499456.0775971,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
caddy    | {"level":"info","ts":1691499456.077673,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv1","https_port":443}
caddy    | {"level":"info","ts":1691499456.077703,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv1"}
caddy    | {"level":"info","ts":1691499456.07822,"logger":"http","msg":"enabling HTTP/3 listener","addr":":2016"}
caddy    | {"level":"info","ts":1691499456.0783753,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
caddy    | {"level":"info","ts":1691499456.0794368,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
caddy    | {"level":"info","ts":1691499456.079528,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
caddy    | {"level":"info","ts":1691499456.079708,"logger":"http.log","msg":"server running","name":"srv1","protocols":["h1","h2","h3"]}
caddy    | {"level":"info","ts":1691499456.0798655,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
caddy    | {"level":"info","ts":1691499456.0800827,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
caddy    | {"level":"info","ts":1691499456.0801237,"msg":"serving initial configuration"}
caddy    | {"level":"info","ts":1691499456.0802798,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000329500"}
caddy    | {"level":"info","ts":1691499456.080402,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
caddy    | {"level":"info","ts":1691499456.0843327,"logger":"tls","msg":"finished cleaning storage units"}
************************* Connection to caddy is made here ********************
caddy    | {"level":"warn","ts":1691499478.27926,"logger":"http","msg":"could not get status; will try to get certificate anyway","error":"Get "http://local-tailscaled.sock/localapi/v0/status": dial unix /var/run/tailscale/tailscaled.sock: connect: no such file or directory"}
caddy    | {"level":"error","ts":1691499478.2793655,"logger":"tls.handshake","msg":"getting certificate from external certificate manager","remote_ip":"100.125.48.40","remote_port":"60140","sni":"machine.domain.ts.net","cert_manager":0,"error":"Get "http://local-tailscaled.sock/localapi/v0/cert/vaulty.taila5148.ts.net?type=pair": dial unix /var/run/tailscale/tailscaled.sock: connect: no such file or directory"}
caddy    | {"level":"info","ts":1691499478.2794874,"logger":"tls.on_demand","msg":"obtaining new certificate","remote_ip":"100.125.48.40","remote_port":"60140","server_name":"machine.domain.ts.net"}
caddy    | {"level":"info","ts":1691499478.2796874,"logger":"tls.obtain","msg":"acquiring lock","identifier":"machine.domain.ts.net"}
caddy    | {"level":"info","ts":1691499478.2826056,"logger":"tls.obtain","msg":"lock acquired","identifier":"machine.domain.ts.net"}
caddy    | {"level":"info","ts":1691499478.2827125,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"machine.domain.ts.net"}
```
</span><span style="color:#323232;">
</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">caddy</span><span style="color:#323232;">    </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">|</span><span style="color:#323232;"> {</span><span style="font-weight:bold;color:#183691;">"level"</span><span style="color:#323232;">:"info",</span><span style="font-weight:bold;color:#183691;">"ts"</span><span style="color:#323232;">:</span><span style="color:#0086b3;">1691499478.285254</span><span style="color:#323232;">,</span><span style="font-weight:bold;color:#183691;">"logger"</span><span style="color:#323232;">:"tls",</span><span style="font-weight:bold;color:#183691;">"msg"</span><span style="color:#323232;">:"waiting on internal rate limiter",</span><span style="font-weight:bold;color:#183691;">"identifiers"</span><span style="color:#323232;">:["machine.domain.ts.net"],</span><span style="font-weight:bold;color:#183691;">"ca"</span><span style="color:#323232;">:"h</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">
</span><span style="color:#323232;">
</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">ttps:</span><span style="font-style:italic;color:#969896;">//acme-v02.api.letsencrypt.org/directory","account":"[email protected]"}                                                                              
</span><span style="color:#323232;">
</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">caddy</span><span style="color:#323232;">    </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">|</span><span style="color:#323232;"> {</span><span style="font-weight:bold;color:#183691;">"level"</span><span style="color:#323232;">:"info",</span><span style="font-weight:bold;color:#183691;">"ts"</span><span style="color:#323232;">:</span><span style="color:#0086b3;">1691499478.2852805</span><span style="color:#323232;">,</span><span style="font-weight:bold;color:#183691;">"logger"</span><span style="color:#323232;">:"tls",</span><span style="font-weight:bold;color:#183691;">"msg"</span><span style="color:#323232;">:"done waiting on internal rate limiter",</span><span style="font-weight:bold;color:#183691;">"identifiers"</span><span style="color:#323232;">:["machine.domain.ts.net"],</span><span style="font-weight:bold;color:#183691;">"</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">
</span><span style="color:#323232;">
</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">ca</span><span style="font-weight:bold;color:#183691;">":"</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">https</span><span style="color:#323232;">:</span><span style="font-style:italic;color:#969896;">//acme-v02.api.letsencrypt.org/directory","account":"[email protected]"}                                                                        
</span><span style="color:#323232;">
</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">caddy</span><span style="color:#323232;">    </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">|</span><span style="color:#323232;"> {</span><span style="font-weight:bold;color:#183691;">"level"</span><span style="color:#323232;">:"info",</span><span style="font-weight:bold;color:#183691;">"ts"</span><span style="color:#323232;">:</span><span style="color:#0086b3;">1691499479.3021843</span><span style="color:#323232;">,</span><span style="font-weight:bold;color:#183691;">"logger"</span><span style="color:#323232;">:"tls.acme_client",</span><span style="font-weight:bold;color:#183691;">"msg"</span><span style="color:#323232;">:"trying to solve challenge",</span><span style="font-weight:bold;color:#183691;">"identifier"</span><span style="color:#323232;">:"machine.domain.ts.net",</span><span style="font-weight:bold;color:#183691;">"cha</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">
</span><span style="color:#323232;">
</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">llenge_type</span><span style="font-weight:bold;color:#183691;">":"</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">tls-alpn-01</span><span style="font-weight:bold;color:#183691;">","</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">ca</span><span style="font-weight:bold;color:#183691;">":"</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">https</span><span style="color:#323232;">:</span><span style="font-style:italic;color:#969896;">//acme-v02.api.letsencrypt.org/directory"}                                                                          
</span><span style="color:#323232;">
</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">caddy</span><span style="color:#323232;">    </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">|</span><span style="color:#323232;"> {</span><span style="font-weight:bold;color:#183691;">"level"</span><span style="color:#323232;">:"error",</span><span style="font-weight:bold;color:#183691;">"ts"</span><span style="color:#323232;">:</span><span style="color:#0086b3;">1691499479.867296</span><span style="color:#323232;">,</span><span style="font-weight:bold;color:#183691;">"logger"</span><span style="color:#323232;">:"tls.acme_client",</span><span style="font-weight:bold;color:#183691;">"msg"</span><span style="color:#323232;">:"challenge failed",</span><span style="font-weight:bold;color:#183691;">"identifier"</span><span style="color:#323232;">:"machine.domain.ts.net",</span><span style="font-weight:bold;color:#183691;">"challenge_ty</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">
</span><span style="color:#323232;">
</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">pe</span><span style="font-weight:bold;color:#183691;">":"</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">tls-alpn-01</span><span style="font-weight:bold;color:#183691;">","</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">problem</span><span style="font-weight:bold;color:#183691;">":{"</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">type</span><span style="font-weight:bold;color:#183691;">":"</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">urn</span><span style="color:#323232;">:</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">ietf:params:acme:error:dns</span><span style="color:#323232;">","</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">title</span><span style="color:#323232;">":"","</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">detail</span><span style="color:#323232;">":"</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">DNS</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">problem:</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">NXDOMAIN</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">looking</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">up</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">A</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">for</span><span style="color:#323232;"> </span><span 
style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">machine.domain.ts.net</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">-</span><span style="color:#323232;"> 
</span><span style="color:#323232;">
</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">check</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">that</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">a</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">DNS</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">record</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">exists</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">for</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">this</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">domain;</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">DNS</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">problem:</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">NXDOMAIN</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">looking</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">up</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">AAAA</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">for</span><span style="color:#323232;"> </span><span 
style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">machine.domain.ts.net</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">-</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">check</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">that</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">a</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">DNS</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">record</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">exists</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">for</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">this</span><span style="color:#323232;">
</span><span style="color:#323232;">
</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">domain</span><span style="color:#323232;">","</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">instance</span><span style="color:#323232;">":"","</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">subproblems</span><span style="color:#323232;">":[]}}                                                                                                                  </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">
</span><span style="color:#323232;">
</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">caddy</span><span style="color:#323232;">    </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">|</span><span style="color:#323232;"> {</span><span style="font-weight:bold;color:#183691;">"level"</span><span style="color:#323232;">:"error",</span><span style="font-weight:bold;color:#183691;">"ts"</span><span style="color:#323232;">:</span><span style="color:#0086b3;">1691499479.867339</span><span style="color:#323232;">,</span><span style="font-weight:bold;color:#183691;">"logger"</span><span style="color:#323232;">:"tls.acme_client",</span><span style="font-weight:bold;color:#183691;">"msg"</span><span style="color:#323232;">:"validating authorization",</span><span style="font-weight:bold;color:#183691;">"identifier"</span><span style="color:#323232;">:"machine.domain.ts.net",</span><span style="font-weight:bold;color:#183691;">"prob</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">
</span><span style="color:#323232;">
</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">lem</span><span style="font-weight:bold;color:#183691;">":{"</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">type</span><span style="font-weight:bold;color:#183691;">":"</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">urn</span><span style="color:#323232;">:</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">ietf:params:acme:error:dns</span><span style="color:#323232;">","</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">title</span><span style="color:#323232;">":"","</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">detail</span><span style="color:#323232;">":"</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">DNS</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">problem:</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">NXDOMAIN</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">looking</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">up</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">A</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">for</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">machine.domain.ts.net</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">-</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">check</span><span style="color:#323232;"> 
</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">that</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">a</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">DNS</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">record</span><span style="color:#323232;">
</span><span style="color:#323232;">
</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">exists</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">for</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">this</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">domain;</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">DNS</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">problem:</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">NXDOMAIN</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">looking</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">up</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">AAAA</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">for</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">machine.domain.ts.net</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">-</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">check</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">that</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">a</span><span style="color:#323232;"> </span><span 
style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">DNS</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">record</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">exists</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">for</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">this</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">domain</span><span style="color:#323232;">","</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">instance</span><span style="color:#323232;">":"",</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">
</span><span style="color:#323232;">
</span><span style="color:#323232;">"subproblems"</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">:</span><span style="color:#323232;">[]},</span><span style="font-weight:bold;color:#183691;">"order"</span><span style="color:#323232;">:"https://acme-v02.api.letsencrypt.org/acme/order/1247308536/200246894916",</span><span style="font-weight:bold;color:#183691;">"attempt"</span><span style="color:#323232;">:</span><span style="color:#0086b3;">1</span><span style="color:#323232;">,</span><span style="font-weight:bold;color:#183691;">"max_attempts"</span><span style="color:#323232;">:</span><span style="color:#0086b3;">3</span><span style="color:#323232;">}                          
</span><span style="color:#323232;">
</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">caddy</span><span style="color:#323232;">    </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">|</span><span style="color:#323232;"> {</span><span style="font-weight:bold;color:#183691;">"level"</span><span style="color:#323232;">:"info",</span><span style="font-weight:bold;color:#183691;">"ts"</span><span style="color:#323232;">:</span><span style="color:#0086b3;">1691499481.1934462</span><span style="color:#323232;">,</span><span style="font-weight:bold;color:#183691;">"logger"</span><span style="color:#323232;">:"tls.acme_client",</span><span style="font-weight:bold;color:#183691;">"msg"</span><span style="color:#323232;">:"trying to solve challenge",</span><span style="font-weight:bold;color:#183691;">"identifier"</span><span style="color:#323232;">:"machine.domain.ts.net",</span><span style="font-weight:bold;color:#183691;">"cha</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">
</span><span style="color:#323232;">
</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">llenge_type</span><span style="font-weight:bold;color:#183691;">":"</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">http-01</span><span style="font-weight:bold;color:#183691;">","</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">ca</span><span style="font-weight:bold;color:#183691;">":"</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">https</span><span style="color:#323232;">:</span><span style="font-style:italic;color:#969896;">//acme-v02.api.letsencrypt.org/directory"}                                                                              
</span><span style="color:#323232;">
</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">caddy</span><span style="color:#323232;">    </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">|</span><span style="color:#323232;"> {</span><span style="font-weight:bold;color:#183691;">"level"</span><span style="color:#323232;">:"error",</span><span style="font-weight:bold;color:#183691;">"ts"</span><span style="color:#323232;">:</span><span style="color:#0086b3;">1691499481.7219243</span><span style="color:#323232;">,</span><span style="font-weight:bold;color:#183691;">"logger"</span><span style="color:#323232;">:"tls.acme_client",</span><span style="font-weight:bold;color:#183691;">"msg"</span><span style="color:#323232;">:"challenge failed",</span><span style="font-weight:bold;color:#183691;">"identifier"</span><span style="color:#323232;">:"machine.domain.ts.net",</span><span style="font-weight:bold;color:#183691;">"challenge_t</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">
</span><span style="color:#323232;">
</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">ype</span><span style="font-weight:bold;color:#183691;">":"</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">http-01</span><span style="font-weight:bold;color:#183691;">","</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">problem</span><span style="font-weight:bold;color:#183691;">":{"</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">type</span><span style="font-weight:bold;color:#183691;">":"</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">urn</span><span style="color:#323232;">:</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">ietf:params:acme:error:dns</span><span style="color:#323232;">","</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">title</span><span style="color:#323232;">":"","</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">detail</span><span style="color:#323232;">":"</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">DNS</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">problem:</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">NXDOMAIN</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">looking</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">up</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">A</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">for</span><span style="color:#323232;"> </span><span 
style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">machine.domain.ts.net</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">-</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">che</span><span style="color:#323232;">
</span><span style="color:#323232;">
</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">ck</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">that</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">a</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">DNS</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">record</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">exists</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">for</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">this</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">domain;</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">DNS</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">problem:</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">NXDOMAIN</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">looking</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">up</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">AAAA</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">for</span><span style="color:#323232;"> </span><span 
style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">machine.domain.ts.net</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">-</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">check</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">that</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">a</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">DNS</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">record</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">exists</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">for</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">this</span><span style="color:#323232;"> </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">do</span><span style="color:#323232;">
</span><span style="color:#323232;">
</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">main</span><span style="color:#323232;">","</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">instance</span><span style="color:#323232;">":"","</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">subproblems</span><span style="color:#323232;">":[]}}                                                                                                                     </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">
</span><span style="color:#323232;">
</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">caddy</span><span style="color:#323232;">    </span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">|</span><span style="color:#323232;"> {"level":"error","ts":</span><span style="color:#0086b3;">1691499481.7219615</span><span style="color:#323232;">,"logger":"tls.acme_client","msg":"validating authorization","identifier":"machine.domain.ts.net","pro</span><span style="background-color:#f5f5f5;font-weight:bold;color:#b52a1d;">
</span>
blem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up A for machine.domain.ts.net - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for machine.domain.ts.net - check that a DNS record exists for this domain","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1247308536/200246898176","attempt":2,"max_attempts":3}

EDIT - SOLUTION: many weeks later, I’ve learned a few things. Running Caddy bare-metal removed the complexity of dealing with docker networks, but it wasn’t as robust as I expected (let’s just say I ran into a very edge-case issue that ruined my day).

The solution to my actual problem was to actually direct the requests for the URL to the actual IP address of the docker container running the service I want to make available, and ensure that both docker and the service are on the same docker network. A very obvious solution in hindsight, and to be fair, I think I’ve had the misfortune to run into several issues before reaching this insight.

AnonymousDeity, (edited )

But, the connection is unsecured over HTTP. I’d like to take it a step further in order to make the connections go over HTTPS.

Why? You’re already VPN’d into a machine you control via Tailscale. Protecting the specific application TCP traffic with TLS is kind of redundant at that point. If you really care, just use nginx, not Caddy, because this will never work using Tailscale DNS: self-sign a cert for your Tailscale domain and use nginx to serve traffic on the Tailscale network device.

Also, use docker compose. This will feed DNS records into the containers’ /etc/hosts file as well as put the containers on their own network, so the main containers won’t be exposed directly, only Caddy.

docker-compose.yml


version: "3.4"
services:
  caddy:
    container_name: caddy
    image: ghcr.io/authp/authp:latest  # I use authp for OAuth authentication instead of VPN-only access
    restart: unless-stopped
    ports:
      - 443:443
      - 443:443/udp
      - 80:80
    volumes:
      - ${ROOT}/config/caddy/Caddyfile:/etc/caddy/Caddyfile
      - ${ROOT}/config/caddy/data:/data/
    dns:
      - 1.1.1.1  # set these to your local DNS if you have one, I run pihole
      - 8.8.8.8
      - 8.8.4.4
  whoami:
    container_name: whoami
    depends_on:
      - caddy
    image: containous/whoami
    restart: unless-stopped

Caddyfile


{
	http_port 80
	https_port 443
}

# site block: a space before "{" is required, otherwise Caddy reads "whoami.example.com{" as the site address
whoami.example.com {
	reverse_proxy whoami:80
}

As you can see, the Caddyfile directs the Caddy container to reverse proxy whoami.example.com to http://whoami:80, which uses the /etc/hosts entry that docker-compose inserts for whoami, pointing at the whoami container’s Docker IP address. In this scheme, only Caddy needs to have a port listening on the host machine. Assuming Caddy can access your tailscale network, this will work - for that. (Although I worry that Tailscale mounts the network device as a unix socket, which may complicate matters; I ran into this when trying some bullshit with nginx/openresty.)

The issue that you’re having in your logs is that you’re trying to get Caddy to get a TLS cert for machine.domain.ts.net, which will never work, because machine.domain.ts.net is not a globally recognized DNS record - it’s a split zone DNS for within the Tailscale network exclusively. LetsEncrypt needs to be able to prove you own machine.domain.ts.net in order to issue a cert for it, meaning it needs to be able to resolve the domain and chat with Caddy. Since LetsEncrypt isn’t on your Tailscale network, it cannot do this.

krash,

Please do, I’d be most grateful for it.

If you have any better suggestion for how I should handle reverse proxying (maybe there’s an easier way than through Caddy?), I’m all ears.

AnonymousDeity, (edited )

I read your comment in more detail; you’re going down the wrong path. What you’re looking for cannot function the way you want to achieve it, and may not even make sense to want. I am wrong, I didn’t realize Caddy could just serve their cert over the socket. What user is the caddy process on your VM being run as?

If you want to use Tailscale DNS, you can use their TLS cert (assuming it gives a valid cert for machine.domain.ts.net) and just reverse proxy HTTP traffic with nginx on the VPS/VM (assuming nginx can listen on their network device. I’ve fought with that with openresty before, but that may be because I was trying to host it in another docker container lol).

krash,

Is there a reason why you’d recommend nginx over Caddy, as Caddy also has the capability to act as a reverse proxy?

And if you have any recommendations on resources where I can expand my knowledge on this topic, I’ll be happy to read more.

Thanks again!

AnonymousDeity,

nginx just has a lower barrier to entry (imo) if you’re not looking to sign your own certs. Caddy is great for that.

That said, I didn’t know Caddy had a beta feature for serving Tailscale certs automatically. So I incorrectly thought you were barking up the completely wrong tree, which you apparently are not. I’ll look at your tech details more.

AnonymousDeity,

{"level":"error","ts":1691499478.2793655,"logger":"tls.handshake","msg":"getting certificate from external certificate manager","remote_ip":"100.125.48.40","remote_port":"60140","sni":"machine.domain.ts.net","cert_manager":0,"error":"Get "local-tailscaled.sock/localapi/v0/…/vaulty.taila5148.ts.net?type=pair": dial unix /var/run/tailscale/tailscaled.sock: connect: no such file or directory"}

This is your main issue: looks like Caddy can’t access the tailscale socket in order to serve their TLS cert. Check you’re running caddy > 2.5, check the socket exists, and check the user running the caddy process has access to it. docs

Are you running Caddy with docker?
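The two errors quoted in this thread (the ACME "problem" for machine.domain.ts.net in the original post, and the failed dial of tailscaled.sock just above) are both structured JSON lines, so they can be triaged mechanically. The script below is an added example, not code from the thread or from Caddy; the log lines it carries are constructed to resemble the two quoted errors (the order URL is a placeholder), and the logger and message names are assumptions modelled on Caddy's JSON log format.

```python
import json
import re

# Constructed sample lines, modelled on the two errors quoted in this thread
# (an ACME "problem" for a *.ts.net name, and a failed dial of tailscaled.sock).
# Logger/msg names are assumptions; the order URL is a placeholder, not a real order.
SAMPLE_LOG = r"""
{"level":"error","ts":1691499300.5,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"machine.domain.ts.net","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up A for machine.domain.ts.net - check that a DNS record exists for this domain","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/EXAMPLE/EXAMPLE","attempt":2,"max_attempts":3}
{"level":"error","ts":1691499478.2793655,"logger":"tls.handshake","msg":"getting certificate from external certificate manager","remote_ip":"100.125.48.40","remote_port":"60140","sni":"machine.domain.ts.net","cert_manager":0,"error":"Get \"local-tailscaled.sock/localapi/v0/.../machine.domain.ts.net?type=pair\": dial unix /var/run/tailscale/tailscaled.sock: connect: no such file or directory"}
{"level":"info","ts":1691499480.0,"logger":"http.log.access","msg":"handled request","status":200}
this line is not JSON and is skipped
"""

TAILNET_SUFFIX = ".ts.net"
ACME_DNS_ERROR = "urn:ietf:params:acme:error:dns"
# Matches the tail of a failed unix-socket dial, capturing the socket path and the OS error.
SOCKET_RE = re.compile(r"dial unix (\S*tailscaled\.sock): connect: (.+)$")


def diagnose(line):
    """Classify one Caddy JSON log line; returns (code, advice) or None for non-errors."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict) or rec.get("level") != "error":
        return None
    err = rec.get("error", "")
    problem = rec.get("problem") or {}
    name = rec.get("identifier") or rec.get("sni") or ""

    m = SOCKET_RE.search(err)
    if m:
        return ("TAILSCALE_SOCKET",
                f"Caddy could not reach tailscaled at {m.group(1)} ({m.group(2)}); "
                "bind-mount the socket into the container and make sure the Caddy "
                "user can access it")
    acme_dns = problem.get("type") == ACME_DNS_ERROR or ACME_DNS_ERROR in err
    if acme_dns and name.endswith(TAILNET_SUFFIX):
        return ("PUBLIC_ACME_FOR_TAILNET_NAME",
                f"{name} only resolves inside the tailnet, so a public CA cannot "
                "validate it; let Caddy fetch the certificate from tailscaled instead")
    return ("OTHER", err or problem.get("detail") or rec.get("msg", ""))


def triage(log_text):
    """Run diagnose() over every non-empty line and collect the findings in order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            finding = diagnose(line)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for code, advice in triage(SAMPLE_LOG):
        print(f"{code}: {advice}")
```

Run it against a real log with `docker logs caddy 2>&1 | python3 triage.py` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; the socket check is tested first because, as the thread goes on to show, a missing socket is the proximate cause while the ACME error is a symptom of asking a public CA for a name it can never resolve.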

krash,

Good find.

I am running Caddy through docker (with sudo docker-compose up, yml is listed above). I know, sudo-ing docker isn’t best practice, but I’m learning the ropes in a non-production environment 🙃 Also, I verified that docker is running as root by ps -eo euser,ruser,suser,fuser,f,comm,label | grep caddy

As for the docker version, I verified it by inspecting the image ID and saw that the image version is 2.7.2:


           "Labels": {
                "org.opencontainers.image.description": "a powerful, enterprise-ready, open source web server with automatic HTTPS written in Go",
                "org.opencontainers.image.documentation": "https://caddyserver.com/docs",
                "org.opencontainers.image.licenses": "Apache-2.0",
                "org.opencontainers.image.source": "https://github.com/caddyserver/caddy-docker",
                "org.opencontainers.image.title": "Caddy",
                "org.opencontainers.image.url": "https://caddyserver.com",
                "org.opencontainers.image.vendor": "Light Code Labs",
                "org.opencontainers.image.version": "v2.7.2"
            }

It seems that my next step is to look into the issue why dockerized-Caddy can’t communicate with Tailscale. Now I have a direction to investigate further into 🙂

AnonymousDeity,

ah, yeah, that’s why. You need to mount the unix socket into Caddy’s container as a volume. Docker uses overlayfs by default to create a layered filesystem, and then launches a distinct user, process, network, etc. namespace for the container’s process, which is why everything is isolated inside the container. You’ll need to make sure the unix socket is available to Caddy’s process inside the container, so you’ll have to mount it using -v or the volume key in the yaml.

sudo is actually entirely unnecessary with Docker, because most containers will run as the container’s root. Part of containers having their own user and process namespace means their root user is not your root user (technically we can have a debate about semantics for overlayfs and mounted files), and almost all images will ship with the default user as their root. Therefore, almost all processes will be “run as root” from within their container by default, meaning sudo does nothing except elevate the perms for the user calling docker. It would really only get around an issue with your user account not having access to docker or the docker daemon (also via socket btw). That said, because of the user namespace thing, running sudo docker run or sudo docker compose up doesn’t actually guarantee the process in the container is run as root… just that the container was created as root with perms over the host’s system.

The important part is that Caddy inside the container will be run by a user that has permissions over the mounted socket.
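The checks the thread converges on (Caddy at or above 2.5 per the image label shown earlier, tailscaled.sock bind-mounted into the Caddy container, the in-container user able to reach it, and no other service publishing host ports, as the earlier docker-compose discussion recommends) can all be read from `docker inspect` output. The audit below is an added example, not code from the thread or from Caddy/Docker; the two inspect documents it carries are constructed (only the fields the audit reads are present, container names and paths are made up), and the `audit_stack` function, its problem messages and the `proxy_name` parameter are assumptions.

```python
import json
import re

TAILSCALE_SOCKET = "/var/run/tailscale/tailscaled.sock"  # tailscaled's default socket path
MIN_CADDY = (2, 5)                                        # Tailscale cert support, per the thread
VERSION_LABEL = "org.opencontainers.image.version"        # label shown in the thread's inspect output


def parse_version(label):
    """'v2.7.2' -> (2, 7, 2); an absent or unparsable label yields ()."""
    return tuple(int(n) for n in re.findall(r"\d+", label or "")[:3])


def socket_mounted(container):
    """True when a tailscaled.sock bind mount lands at the path Caddy expects."""
    return any(
        m.get("Type") == "bind"
        and m.get("Source", "").endswith("tailscaled.sock")
        and m.get("Destination") == TAILSCALE_SOCKET
        for m in container.get("Mounts", [])
    )


def published_ports(container):
    """Host ports this container publishes, from HostConfig.PortBindings."""
    bindings = (container.get("HostConfig") or {}).get("PortBindings") or {}
    return sorted(b["HostPort"] for specs in bindings.values() for b in specs or [])


def audit_stack(inspect_json, proxy_name="caddy"):
    """Audit `docker inspect <containers...>` output; returns {name: [problems]}."""
    findings = {}
    for c in json.loads(inspect_json):
        name = c["Name"].lstrip("/")
        problems = []
        if name == proxy_name:
            version = parse_version((c["Config"].get("Labels") or {}).get(VERSION_LABEL))
            if version < MIN_CADDY:
                problems.append(f"image version {version or 'unknown'} is below {MIN_CADDY}")
            if not socket_mounted(c):
                problems.append(f"{TAILSCALE_SOCKET} is not bind-mounted into the container")
            if c["Config"].get("User"):  # inspect cannot prove socket access; flag it for a manual check
                problems.append(f"runs as {c['Config']['User']!r}; confirm that user can access {TAILSCALE_SOCKET}")
        else:
            ports = published_ports(c)
            if ports:
                problems.append(f"publishes host port(s) {', '.join(ports)}; only the proxy should listen on the host")
        findings[name] = problems
    return findings


# Constructed inspect excerpts (not captured from the thread): a stack with the
# problems discussed above, and the same stack once they are fixed.
STACK_BEFORE = json.dumps([
    {"Name": "/caddy",
     "Config": {"User": "", "Labels": {VERSION_LABEL: "v2.7.2"}},
     "HostConfig": {"PortBindings": {"443/tcp": [{"HostIp": "", "HostPort": "443"}]}},
     "Mounts": [{"Type": "bind", "Source": "/srv/caddy/Caddyfile",
                 "Destination": "/etc/caddy/Caddyfile", "RW": True}]},
    {"Name": "/freshrss",
     "Config": {"User": "", "Labels": {}},
     "HostConfig": {"PortBindings": {"80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8080"}]}},
     "Mounts": []},
])
STACK_AFTER = json.dumps([
    {"Name": "/caddy",
     "Config": {"User": "", "Labels": {VERSION_LABEL: "v2.7.2"}},
     "HostConfig": {"PortBindings": {"443/tcp": [{"HostIp": "", "HostPort": "443"}]}},
     "Mounts": [{"Type": "bind", "Source": "/srv/caddy/Caddyfile",
                 "Destination": "/etc/caddy/Caddyfile", "RW": True},
                {"Type": "bind", "Source": TAILSCALE_SOCKET,
                 "Destination": TAILSCALE_SOCKET, "RW": True}]},
    {"Name": "/freshrss",
     "Config": {"User": "", "Labels": {}},
     "HostConfig": {"PortBindings": {}},
     "Mounts": []},
])

if __name__ == "__main__":
    for label, doc in (("before", STACK_BEFORE), ("after", STACK_AFTER)):
        print(label, audit_stack(doc))
```

Against a live host, feed it `docker inspect $(docker ps -q)` instead of the constructed documents; an empty problem list for every container is the state the thread is aiming for, with the proxy the only service bound to the host.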
