Confused by Caddy Setup

Hi folks,

Will try to be succinct, but there’s something wrong with my setup and I’d love a bit of help if at all possible.

Started with a standard duckdns setup, and that let me access things outside of the network using the duckdns url but not inside it. Inside, I got a security exception that I could ignore on a desktop browser and proceed with, but not in the iOS app.

Next, found Caddy is an option, and installed a Caddy extension from here: https://github.com/korylprince/hassio-caddy. Unfortunately when I try to run it I get this:

Running Caddy with arguments: -conf /share/caddy/Caddyfile -agree -email {email}@gmail.com
Using built-in Caddy: Caddy 0.10.14 (unofficial)
2019/03/09 10:12:43 [{url}.duckdns.org] failed to get certificate: acme: Error 403 - urn:ietf:params:acme:error:unauthorized - Invalid response from http://{url}.duckdns.org/.well-known/acme-challenge/C3U8tXm8tTqJCs-XoWeymkhUMxWvJjeMeKrIJKhyyxM [68.144.55.18]: 404
Activating privacy features…

I’d been trying to follow this:
https://dew-itwebservices.com.au/setting-home-assistant-up-for-secure-access-over-the-internet/

…and I think my issue is I can’t pass the step 5 check where I should be able to see http://{myurl}.duckdns:8123 inside my network. I can’t, and I don’t think Caddy can either. I can see things using the local ip though.

Any help would be gratefully appreciated!

This one is easier to set up. https://github.com/bestlibre/hassio-addons

{
  "homeassistant": "https://XXXXXX.duckdns.org",
  "vhosts": [
    {
      "vhost": "https://yyyyy.duckdns.org",
      "remote": "192.168.0.200",
      "port": "8000",
      "paths": []
    }
  ],
  "raw_config": [],
  "email": "[email protected]"
}


Dang, getting 2019/03/09 11:37:39 error inspecting server blocks: duplicate site key: https://{url}.duckdns.org

Are you running yours on port 8000? I changed that to 8123

If you are only using Home Assistant with the proxy use:

{
  "homeassistant": "https://XXXXXX.duckdns.org",
  "vhosts": [],
  "raw_config": [],
  "email": "[email protected]"
}

The vhost section is for other servers like Plex etc.


Weird, I get the same issue as with the other one:

2019/03/09 11:52:02 [{url}.duckdns.org] failed to get certificate: acme: Error 403 - urn:ietf:params:acme:error:unauthorized - Invalid response from http://{url}.duckdns.org/.well-known/acme-challenge/ppYnDEd-Gs5Nx8iE6DCXMDBkp2ql1YoxYBniytDv-3Q [68.144.55.18]: 404
Activating privacy features…

I now have an acme folder in the SSL folder, so that’s new

Does config look like this?:

http:
  api_password: {pwd}
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - ::1
  ip_ban_enabled: True
  login_attempts_threshold: 5
  base_url: https://{pwd}.duckdns.org:8123

Commented out:
  # ssl_certificate: /ssl/fullchain.pem
  # ssl_key: /ssl/privkey.pem
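The `use_x_forwarded_for` / `trusted_proxies` / `ip_ban_enabled` combination in the config above is where a reverse proxy setup most often goes wrong in a security-relevant way, so here is an added example (not code from this thread, Home Assistant or the Caddy add-on) that models how those settings are meant to interact. The `HTTP_CONFIG` dict, the `LoginAttemptTracker` class and the `simulate_failed_logins` helper are constructed for illustration; the 192.168.0.0/24 entry in the test configuration is a hypothetical proxy-on-another-host case, and the right-to-left walk through `X-Forwarded-For` is a common conservative interpretation, not a claim about Home Assistant's exact implementation.

```python
import ipaddress

# Constructed http: section modelled on the one posted above (not the poster's real values).
HTTP_CONFIG = {
    "use_x_forwarded_for": True,
    "trusted_proxies": ["127.0.0.1", "::1"],
    "ip_ban_enabled": True,
    "login_attempts_threshold": 5,
}


def _trusted_networks(config):
    return [ipaddress.ip_network(entry, strict=False) for entry in config.get("trusted_proxies", [])]


def _is_trusted(address, networks):
    addr = ipaddress.ip_address(address)  # raises ValueError on garbage
    return any(addr in net for net in networks)


def client_ip(peer_ip, headers, config):
    """Address used for ban accounting: the X-Forwarded-For client only when the
    TCP peer is a listed trusted proxy, otherwise the peer itself (anyone can send the header)."""
    if not config.get("use_x_forwarded_for"):
        return peer_ip
    networks = _trusted_networks(config)
    if not _is_trusted(peer_ip, networks):
        return peer_ip
    forwarded = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in forwarded.split(",") if h.strip()]
    # Walk right to left past any further trusted proxies; the first untrusted hop is the client.
    for hop in reversed(hops):
        try:
            if not _is_trusted(hop, networks):
                return hop
        except ValueError:
            return peer_ip  # malformed entry: fall back to the peer rather than trust it
    return peer_ip


class LoginAttemptTracker:
    """Minimal model of ip_ban_enabled / login_attempts_threshold (constructed, not HA's code)."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.failures = {}
        self.banned = set()

    def record_failure(self, address):
        self.failures[address] = self.failures.get(address, 0) + 1
        if self.failures[address] >= self.threshold:
            self.banned.add(address)
        return address in self.banned


def simulate_failed_logins(config, proxy_peer_ip, remote_clients):
    """Each remote client fails one login through the proxy; return the set of banned addresses."""
    tracker = LoginAttemptTracker(config["login_attempts_threshold"])
    for remote in remote_clients:
        tracker.record_failure(client_ip(proxy_peer_ip, {"X-Forwarded-For": remote}, config))
    return tracker.banned


if __name__ == "__main__":
    remotes = ["203.0.113.%d" % n for n in range(1, 6)]  # five different constructed clients
    # Proxy on the same host (127.0.0.1 is listed): each remote is counted separately, nobody is banned.
    print(simulate_failed_logins(HTTP_CONFIG, "127.0.0.1", remotes))
    # Proxy on another LAN host that is not listed: all five failures land on the proxy's own
    # address, which then gets banned and locks every remote user out at once.
    print(simulate_failed_logins(HTTP_CONFIG, "192.168.0.200", remotes))
```

The second scenario is the one to check when a proxy runs in its own container or on another machine: `127.0.0.1` and `::1` only match a proxy that connects from the same host, so a proxy elsewhere needs its own address in `trusted_proxies`, otherwise the header is (correctly) ignored and the ban logic ends up counting every remote failure against the proxy.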

Are you forwarding port 80 and 443 to your HA IP?


Yep (internal IP removed in shot to protect the clueless <= me)

Ah, I think it was because I was forwarding 80 to 8123.

The caddy extension is now working, but still no joy on actually using the duckdns url.

Externally, any attempt to use http forwards to https, but won’t let me in. Internally, it times out.

Thinking it’s the caddy file now, if I had to guess:

  1. does the url in line one have to have http or https in front of it?

  2. internal ip format look right?

  3. thanks for the help so far, you’re a saint :slight_smile:

{url}.duckdns.org {
    header / {
        Strict-Transport-Security "max-age=31536000; includeSubdomains"
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        Referrer-Policy "same-origin"
    }

    proxy / 192.168.0.{port}:8123 {
        websocket
        transparent
    }
}

With the add-on that I recommended to you there’s no need to configure any Caddyfile, just the config section of the add-on.


Removed that, didn’t seem to affect things. Do you have anything in config under http: for:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

If they’re not there I can’t get in externally, but I can’t use the secure connection internally either way.

I’m not using SSL for my internal network. The add-on manages the SSL part for the external access.

http:
  api_password: !secret http_password
  ip_ban_enabled: True
  login_attempts_threshold: 5

Any baseurl specified?

Also, I saw in another thread about duckdns settings as
"lets_encrypt": {
  "accept_terms": false,

rather than true. Thoughts?

I’m about to give up, not going to lie lol. Again, appreciate the help

That won’t work… has to be https and you don’t specify a port.
Internally, use http://ip-address:8123

Also with duckdns, you don’t want to generate ssl certificates as caddy does that for you.
What you could try is removing the duckdns addon for now and manually setting your duckdns ip on the duckdns site itself just to check if it works.

You will need port 443 forwarded to 443 and port 80 forwarded to port 80. I use a different high numbered port forwarded to 443 so the 443-443 could be 20000 to 443 for example. 80-80 is needed to generate the ssl certificates. You could use the duckdns addon to do the ssl stuff for you and then reference that in the caddy file too…

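The 403 "Invalid response … 404" in the opening post and the "80-80 is needed to generate the ssl certificates" advice above are two views of the same HTTP-01 exchange, so here is an added example (not code from this thread, Caddy, Let's Encrypt or any add-on) that plays both sides of it offline: the ACME client serving the key authorization on port 80, and the CA resolving the name, fetching the challenge path and checking the body. The JWK thumbprint and key authorization follow RFC 7638 / RFC 8555; `ACCOUNT_JWK`, the domain, the token, the `home_assistant` stand-in and the `dns` / `port80` dicts that model DuckDNS plus the router's port-80 forward are all constructed for the example, and `validate_http01` is a simplified model of the CA, not its real code.

```python
import base64
import hashlib
import json

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed account key (EC JWK with placeholder coordinates); a real one belongs to the ACME client.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}


def b64url(data):
    """Unpadded base64url as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token, jwk):
    """The exact body the CA expects to read back at the challenge URL."""
    return f"{token}.{jwk_thumbprint(jwk)}"


class AcmeResponder:
    """Stands in for the ACME client (Caddy) answering on port 80 of its host."""

    def __init__(self, jwk):
        self.jwk = jwk
        self.active = {}  # token -> key authorization, only while an order is in progress

    def begin(self, token):
        self.active[token] = key_authorization(token, self.jwk)

    def handle(self, path):
        if path.startswith(CHALLENGE_PREFIX):
            token = path[len(CHALLENGE_PREFIX):]
            if token in self.active:
                return 200, self.active[token]
        return 404, "not found"


def home_assistant(path):
    """Stands in for Home Assistant on 8123 when port 80 is forwarded there: it knows nothing about ACME."""
    return 404, "404: Not Found"


def validate_http01(dns, port80, domain, token, jwk):
    """CA side (simplified): resolve the name, connect to port 80 at that address, compare the body.
    dns maps name -> IP; port80 maps IP -> whatever handler the router's port-80 forward reaches."""
    ip = dns.get(domain)
    if ip is None:
        return "dns", f"{domain} does not resolve"
    backend = port80.get(ip)
    path = CHALLENGE_PREFIX + token
    if backend is None:
        return "unreachable", f"connection to {ip}:80 refused"
    status, body = backend(path)
    if status != 200:
        return "unauthorized", f"Invalid response from http://{domain}{path} [{ip}]: {status}"
    if body.strip() != key_authorization(token, jwk):
        return "unauthorized", "key authorization mismatch"
    return "valid", "challenge passed"


def run_scenarios():
    """Four constructed routings of the same order; returns scenario name -> status."""
    domain, public_ip, token = "example.duckdns.org", "203.0.113.5", "constructed-token"
    caddy = AcmeResponder(ACCOUNT_JWK)
    caddy.begin(token)
    dns_ok = {domain: public_ip}
    return {
        # 1. port 80 forwarded to 8123: HA answers the CA with a 404 (the thread's error)
        "port80_to_hass": validate_http01(dns_ok, {public_ip: home_assistant}, domain, token, ACCOUNT_JWK)[0],
        # 2. no port-80 forward at all
        "port80_closed": validate_http01(dns_ok, {}, domain, token, ACCOUNT_JWK)[0],
        # 3. DuckDNS record still points at an old address
        "stale_dns": validate_http01({domain: "198.51.100.1"}, {public_ip: caddy.handle}, domain, token, ACCOUNT_JWK)[0],
        # 4. port 80 forwarded to the host running Caddy
        "port80_to_caddy": validate_http01(dns_ok, {public_ip: caddy.handle}, domain, token, ACCOUNT_JWK)[0],
    }


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name:16s} {status}")
```

Two things the scenarios make concrete: the CA only ever talks to whatever the public address answers with on port 80, so forwarding 80 to 8123 hands the challenge to Home Assistant, which has no idea what the token means and returns the 404 seen in the thread; and the responder only serves the token while an order is active, so a manual browser test of the challenge path outside an order is expected to 404 even when the forwarding is right.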

Hi David,

What do you mean by: manually setting your duckdns ip on the duckdns site itself just to check if it works? What ip is that to be set to?

If you go to duckdns.org and log in you can enter the public IP address for your router there and update the setting. Actually, I’m not sure how the duckdns add-on sets up the duckdns account - I’ve never used that because my router handles that (or it did before I switched to using IPv6)

What is your setup? Raspberry Pi? If you’re on a Linux install I use a script and cronjob to handle the duckdns updates for me… I can share that with you if it will help. Then you don’t need to think about the duckdns addon…

Oh gotcha. It’s already set as such from when I got the account created (it found it out on its own)

I’m not sure what you mean… if you ping your domain from a command prompt, is the IP address the same as your public IP address? It seems there’s just something simple missing preventing this from working for you.