Caddy did not refresh certificate automatically

Hi, I’m using docker to self-host Baserow. I’m pretty inexperienced in it, so I’d be really grateful to get some help here.

My whole config consists of an ubuntu machine running Baserow and n8n, each one using docker.

When installing them both on the same machine, I ran into some conflicts because of using Caddy to expose them both with SSL enabled. The only way I managed to run them at the same time was by using two Caddys on different ports.

My final configuration ended up being:

  • Running Caddy on the main machine, without a container, pointing to port 443.
  • n8n’s SSL pointing to port 443
  • n8n’s http running on port 80
  • Running Baserow, with the preconfigured Caddy that comes in Baserow’s container, with SSL on port 4443, and port 8080 for http.

Here’s the command I’m using to run baserow:

docker run -e BASEROW_PUBLIC_URL=https://<website_url>:4443 \
-e WEB_FRONTEND_SSL_PORT=4443 \
-e BASEROW_CADDY_ADDRESSES=https://<website_url> \
--name baserow \
-e BASEROW_TRIGGER_SYNC_TEMPLATES_AFTER_MIGRATION=false \
-d \
--restart unless-stopped \
-v baserow_data:/baserow/data \
-p 8080:80 \
-p 4443:443 \
baserow/baserow:1.13.2

Some of the errors I’m getting from caddy from inside the Baserow’s container:

[CADDY][2023-03-16 13:40:40] {"level":"error","ts":1678974039.0985837,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"REDACTED","problem":{"type":"urn:ietf:params:acme:error:tls","title":"","detail":"192.99.6.43: remote error: tls: internal error","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/88005793/7776270584","attempt":2,"max_attempts":3}
[CADDY][2023-03-16 13:40:40] {"level":"error","ts":1678974040.3031187,"logger":"tls.renew","msg":"could not get certificate from issuer","identifier":"REDACTED","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[REDACTED] solving challenges: REDACTED: no solvers available for remaining challenges (configured=[http-01 tls-alpn-01] offered=[http-01 dns-01 tls-alpn-01] remaining=[dns-01]) (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/88005793/7776270954) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
[CADDY][2023-03-16 13:40:41] {"level":"warn","ts":1678974040.303319,"logger":"tls.issuance.zerossl","msg":"missing email address for ZeroSSL; it is strongly recommended to set one for next time"}
[CADDY][2023-03-16 13:40:42] {"level":"info","ts":1678974041.0191596,"logger":"tls.issuance.zerossl","msg":"generated EAB credentials","key_id":"XZ1tOcunKGzJ5geEey2bzg"}
[CADDY][2023-03-16 13:40:48] {"level":"info","ts":1678974042.3053575,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"REDACTED","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
[CADDY][2023-03-16 13:40:48] {"level":"error","ts":1678974048.0801446,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"REDACTED","challenge_type":"http-01","problem":{"type":"","title":"","detail":"","instance":"","subproblems":[]}}

Hi @felizolinha, I’m sorry to hear that you’re having problems with the certificate renewal. It seems like this is due to the alternative port that Baserow is exposed on. Caddy uses Let’s Encrypt to issue an SSL certificate. Let’s Encrypt needs to verify that you own the domain, and they do that by running a challenge. This challenge is basically making an HTTP request to your server and confirming that some temporary files, which Let’s Encrypt generated, are present. According to this topic in the Caddy community, it’s not possible to change the external ports (Is it possible to do the challenge with a different port? - Help - Caddy Community).

What you could do is run n8n and Baserow on subdomains. If you haven’t already, you must get a domain; for this example, I’ll be using example.com. Then you can run n8n HTTP on port 81 and Baserow HTTP on port 82, for example. Of course, you can choose the ports. Those ports don’t have to be publicly exposed to the internet. Then you need to create two subdomains, n8n.example.com and baserow.example.com. Last, you need to install a web server that proxies the traffic of n8n.example.com to 127.0.0.1:81 and baserow.example.com to 127.0.0.1:82.

Apart from the Caddy that runs inside Baserow, you can install Caddy on your server as well and make that work as a proxy. The benefit is that it can get an SSL certificate for you automatically. You probably need to have a Caddy config file to make it work, but a basic example for one domain can be found here: Reverse proxy quick-start — Caddy Documentation.

I hope that helps!
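The subdomain-plus-reverse-proxy layout described in the answer above, written out as a host-level Caddyfile. This is an added example, not config from the original post or from the Baserow project: it assumes the domain example.com, that n8n's HTTP port is published on 127.0.0.1:81 and Baserow's container HTTP port (port 80 inside the container) on 127.0.0.1:82, that DNS A/AAAA records for both subdomains point at this host, and that the contact address admin@example.com is one you control. The host Caddy is the only process listening on ports 80 and 443, so the http-01 challenge for both names lands on it and the "no solvers available" failure from the embedded Caddy no longer occurs.

```caddyfile
# Host-level /etc/caddy/Caddyfile (added example; names and ports are assumptions).
{
    # ACME contact address for Let's Encrypt / ZeroSSL expiry and problem notices.
    email admin@example.com
}

# n8n: TLS terminated here, plain HTTP to the backend on loopback only.
n8n.example.com {
    reverse_proxy 127.0.0.1:81
}

# Baserow: same pattern; its embedded Caddy keeps serving plain HTTP on :80
# inside the container and never tries to obtain its own certificate.
baserow.example.com {
    reverse_proxy 127.0.0.1:82
}
```

Two points matter for this to work. First, the Baserow container should be started with its public URL set to the subdomain and without the https address for its internal Caddy, i.e. `-e BASEROW_PUBLIC_URL=https://baserow.example.com` and no `BASEROW_CADDY_ADDRESSES=https://...` (leaving it at its default of `:80`), so only the host Caddy performs ACME. Second, publish the backend ports on loopback explicitly, e.g. `-p 127.0.0.1:82:80` rather than `-p 82:80`: Docker's default `-p host:container` form binds to 0.0.0.0 and inserts its own iptables rules ahead of ufw, so an "internal" port is otherwise reachable from the internet without TLS.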