New Caddy add-on

I’m not using Caddy to get my SSL certificate. As far as I remember you need to have ports 80 and 443 open if you use Caddy to retrieve a Let’s Encrypt certificate.

Hmm, they are both open…

I followed this manual:

https://dew-itwebservices.com.au/setting-home-assistant-up-for-secure-access-over-the-internet/

How do you update your Duck DNS address? Does the address you are using point to your current IP? Did you make sure the address you are using is not yet registered by anyone else?

If you don’t get it to work I’d suggest using the hass.io add-on Duck DNS to keep your address and certificates updated. That add-on does not even need to have any ports open to get/renew the certs. If you let that add-on do the work you have to change the tls line in your Caddyfile to

tls /ssl/fullchain.pem /ssl/privkey.pem

Looks like this add-on is based on Caddy 0.10.14 since it’s the latest package available for Alpine (https://pkgs.alpinelinux.org/packages?name=caddy&branch=edge).
The other Caddy add-on is using 0.11.0 FYI.


I’m wrong, the add-on still uses Caddy 0.10.10,
you can check yourself when using ‘-version’ in your config flags.

New add-ons (built on the raspi itself) are based on Alpine 1.8, and therefore use Caddy 0.10.14.
This add-on uses a remote Docker image which is based on Alpine 1.7, the more you know :wink:

Strange error, and I’m not able to get Caddy set up and I need some help. I’ve run Duck DNS without Let’s Encrypt and my config YAML is as below.

http:
  api_password: !secret http_api_password
  #base_url: !secret http_base_url
  #ssl_certificate: "/ssl/fullchain.pem"
  #ssl_key: "/ssl/privkey.pem"
  trusted_networks:
    - 127.0.0.1
    - ::1
    - !secret trusted_ip
    - !secret trusted_ip_vpn
  ip_ban_enabled: True
  login_attempts_threshold: 5

ERROR BELOW:

starting version 3.2.4
Running Caddy with arguments: -conf /share/caddy/Caddyfile -agree -email [email protected]
Activating privacy features...2018/08/22 21:37:28 [X.duckdns.org] failed to get certificate: acme: Error 400 - urn:acme:error:connection - Fetching http://X.duckdns.org/.well-known/acme-challenge/l9Tj2GluabKUu1JyfR7C4eQfNYdOC_wst2-P9zz-Rpc: Timeout during connect (likely firewall problem)
Error Detail:
Validation for X.duckdns.org:80
Resolved to:
1.2.3.4
Used: 1.2.3.4

My ports 80 and 443 are open for HA. Caddyfile is as below…

X.duckdns.org {
    # security headers added to every response
    header / {
        Strict-Transport-Security "max-age=31536000; includeSubdomains"
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        Referrer-Policy "same-origin"
    }
    # reverse proxy to Home Assistant, passing websockets and client IP headers
    proxy / localhost:8123 {
        websocket
        transparent
    }
}

grafana.X.duckdns.org {
    proxy / localhost:3000 {
        websocket
        transparent
    }
}

Sometimes I’m also seeing this error in the log:

Activating privacy features...2018/08/22 15:53:39
get directory at 'https://acme-v01.api.letsencrypt.org/directory': failed to get json "https://acme-v01.api.letsencrypt.org/directory":
Get https://acme-v01.api.letsencrypt.org/directory: net/http: TLS handshake timeout

acme error 400 means it can’t reach your raspi. Double check that you forward the correct ports to the correct internal IP address of your Hassio. Does ‘1.2.3.4’ (I guess that’s obfuscated) actually match your public IP?
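The two log lines quoted in this thread point in opposite directions: the ACME "Error 400 … urn:acme:error:connection" means Let’s Encrypt could not connect inbound to port 80 of the host, while "TLS handshake timeout" on the directory fetch means the host could not connect outbound to the ACME API. The following script, added here as an illustration and not part of the Caddy add-on or Home Assistant, tells the two apart from the add-on log and checks whether the IP that Let’s Encrypt resolved matches the public IP you expect. The sample log is constructed from the lines posted above; the placeholder address 1.2.3.4 and the domain X.duckdns.org are the thread’s own placeholders, and the hint texts are mine.

```python
"""Classify Let's Encrypt (ACME) failures in Caddy add-on log output."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the add-on log lines quoted in this thread.
SAMPLE_LOG = """\
starting version 3.2.4
Activating privacy features...2018/08/22 21:37:28 [X.duckdns.org] failed to get certificate: acme: Error 400 - urn:acme:error:connection - Fetching http://X.duckdns.org/.well-known/acme-challenge/l9Tj2GluabKUu1JyfR7C4eQfNYdOC_wst2-P9zz-Rpc: Timeout during connect (likely firewall problem)
Error Detail:
Validation for X.duckdns.org:80
Resolved to:
1.2.3.4
Used: 1.2.3.4
2018/08/24 23:16:24 get directory at 'https://acme-v01.api.letsencrypt.org/directory': failed to get json "https://acme-v01.api.letsencrypt.org/directory": Get https://acme-v01.api.letsencrypt.org/directory: net/http: TLS handshake timeout
"""

# Inbound failure: the ACME server could not fetch the HTTP-01 challenge URL.
INBOUND_RE = re.compile(
    r"\[(?P<domain>[^\]]+)\] failed to get certificate: acme: Error (?P<code>\d+) - "
    r"(?P<urn>\S+) - Fetching (?P<url>\S+): (?P<detail>.*)$"
)
VALIDATION_RE = re.compile(r"^Validation for (?P<domain>\S+):(?P<port>\d+)$")
USED_RE = re.compile(r"^Used: (?P<ip>\S+)$")
# Outbound failure: the host itself could not reach the ACME directory.
OUTBOUND_RE = re.compile(r"get directory at \W?(?P<url>https://[^\s'\"]+)")

INBOUND_HINT = (
    "Let's Encrypt could not connect to port {port} at {ip}. Check that the router "
    "forwards TCP/{port} to the Home Assistant host's LAN address, that the ISP modem "
    "is really bridged, and that no other service (NVR, Pi-hole) is bound to that port."
)
DNS_HINT = (
    "Domain resolved to {ip} but the expected public IP is {expected}: the DuckDNS "
    "record is stale or points elsewhere, so fix the updater before port forwarding."
)
OUTBOUND_HINT = (
    "The host could not complete a TLS handshake with {url}. This is outbound: check "
    "the host's DNS resolver and that outbound TCP/443 is not filtered."
)


@dataclass
class Finding:
    direction: str                 # "inbound" (ACME -> host) or "outbound" (host -> ACME)
    detail: str                    # the error text taken from the log line
    hint: str                      # what to check next
    domain: Optional[str] = None
    url: Optional[str] = None
    port: Optional[int] = None
    resolved_ip: Optional[str] = None
    ip_matches: Optional[bool] = None  # resolved_ip == expected public IP, if one was given


def diagnose(log_text: str, expected_public_ip: Optional[str] = None) -> List[Finding]:
    """Return one Finding per ACME failure seen in the log, in log order."""
    findings: List[Finding] = []
    current: Optional[Finding] = None  # inbound finding awaiting its "Error Detail" block
    for raw in log_text.splitlines():
        line = raw.strip()
        m = INBOUND_RE.search(line)
        if m:
            current = Finding("inbound", m.group("detail"), "",
                              domain=m.group("domain"), url=m.group("url"))
            findings.append(current)
            continue
        m = VALIDATION_RE.match(line)
        if m and current is not None:
            current.port = int(m.group("port"))
            continue
        m = USED_RE.match(line)
        if m and current is not None:
            current.resolved_ip = m.group("ip")
            current.hint = INBOUND_HINT.format(port=current.port or 80, ip=current.resolved_ip)
            if expected_public_ip is not None:
                current.ip_matches = current.resolved_ip == expected_public_ip
                if not current.ip_matches:
                    current.hint = DNS_HINT.format(ip=current.resolved_ip, expected=expected_public_ip)
            continue
        m = OUTBOUND_RE.search(line)
        if m:
            detail = line.rsplit(": ", 1)[-1].strip()
            findings.append(Finding("outbound", detail, OUTBOUND_HINT.format(url=m.group("url")),
                                    url=m.group("url")))
            current = None
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG, expected_public_ip="1.2.3.4"):
        print(f"[{f.direction}] {f.detail}\n    -> {f.hint}")
```

Run it against a saved copy of the add-on log (replace SAMPLE_LOG with the file contents) and pass the public IP your DuckDNS record should hold; an inbound finding with ip_matches False means DNS is the problem, an inbound finding with ip_matches True means port forwarding, and an outbound finding means the host’s own DNS or outbound HTTPS path.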

Hello Jorin, thanks for your reply.

1234 is the redacted IP, that matches my public IP. I also get another error which talks about a TLS handshake timeout, so I get this or the 400 error sometimes. I just added the DNS to the network config of the HassOS system and see the same result.

Activating privacy features...2018/08/22 15:53:39
get directory at 'https://acme-v01.api.letsencrypt.org/directory': failed to get json "https://acme-v01.api.letsencrypt.org/directory":
Get https://acme-v01.api.letsencrypt.org/directory: net/http: TLS handshake timeout

I rebooted the router once and then this happened…

It gets stuck here and the add-on stops abruptly. @korylprince, is this working for HassOS versions?

starting version 3.2.4
Running Caddy with arguments: -conf /share/caddy/Caddyfile -agree -email [email protected]
Activating privacy features...

It should still work, that’s just a message it’s requesting certificates from Let’s Encrypt.
Depending on the number of (sub)domains it could take some time, it won’t print in the logs while doing that.

The add-on stops without any notice, then I restart, whereupon it begins all over again and stops at activating features.

It’s definitely working in HassOS.

I don’t use the DuckDNS addon as my router establishes the duckdns domain and of course I don’t use SSL either because caddy takes care of that as well.

You will need port 80 forwarded - Let’s Encrypt won’t get a certificate without that. The other port doesn’t have to be port 443 - I use a high port number and I forward that port to port 443.

Hey David, thanks for your reply… I tried a lot, no go. I even held a call with the ISP and confirmed ports 80 and 443 are not blocked. I ran my NVR on port 80 and it works, so I’m clueless now. I’ve got a TP-Link AC5400 router; the error now remains error 400.

If it matters, I’ve got bridged mode on the router side, so there is a router from my ISP and I’ve bridged it to my TP-Link. I also have a Pi-hole in the setup with its port changed from 80 to something else.

I even installed standalone Caddy on another Pi 3B+ and set the same params for Caddy; I get the same error which I get on HA. So no doubt my router/firewall setup is not going well with just Caddy; something is indeed very wrong.

Let’s say X.duckdns.org is my address in the Caddyfile; should X be accessible on HTTP without a port?

No because there is nothing listening on port 80. In my setup it will show as closed. However if Caddy opens 80 for a certificate it is then listening for a response on port 80 and then it closes again.

Mine is the same as this, however I do not set trusted_networks.

So does the 1.2.3.4 address match your actual duckdns domain? Is it actually your public IP address? How are you updating your duckdns domain IP address? Does your ISP actually give you a real IP address or is it CGNAT’ed? (Carrier grade nat)

Your caddyfile looks ok to me… it is in /share/caddy/Caddyfile right? No file extension and I think the file name Caddyfile is case sensitive.

I have done this a bunch of times now - changed my Home Assistant / hass.io setup and reinstalled Caddy addon and it just works…

I suspect you don’t have a routable IP address…

Hey David, thanks for your time on this…

OK, I’m on the same page there, so there’s nothing on port 80 but it does listen on it. I’m guessing it sets some data or a connection on 80 when starting the add-on to confirm connectivity, not sure. I also see the below error sometimes:

Running Caddy with arguments: -conf /share/caddy/Caddyfile -agree -email [email protected]
2018/08/24 23:16:24 get directory at 'https://acme-v01.api.letsencrypt.org/directory': failed to get json "https://acme-v01.api.letsencrypt.org/directory": Get https://acme-v01.api.letsencrypt.org/directory: net/http: TLS handshake timeout

I tried commenting out the trusted networks and it’s still the same :sweat:

1234 is the redacted IP; I do get a public IP that is routable.
Absolutely, no changes: the file has no extension and is case sensitive, it is named Caddyfile. I even validated the Caddyfile with the -validate flag.

Not sure on that, because I had my NVR working on port 80 and I moved it to another port to make way for Caddy. So port 80 with my public IP is working with my NVR system if I change ports back again.

I also had DuckDNS with Let’s Encrypt before all this, working like a charm, and it still works if I go back to the previous setup. I just needed the add-on access and also other destinations internally over the proxy, but this is unsettling… I also installed Caddy on a separate Pi setup and get the same error.

How is your setup getting the domain.duckdns.org address - how does it update?

I’m using the DuckDNS add-on with Let’s Encrypt but the Let’s Encrypt terms set to false.

Is the DuckDNS domain resolving to your public IP address? I.e. is the add-on configured correctly and working?

As a side issue, most routers these days can do this for you - that is what I use.

Yes, it is resolving to my IP. I do have DynDNS / No-IP on the router; maybe I will try that today.