New Caddy add-on

It’s going to depend on how the add-on uses the keyfile etc. config you give it. For instance, the Mosquitto add-on just appends /ssl/ to what you supply. So for that instance, you’d use:

{
  "ssl": true,
  "certfile": "acme/acme-v02.api.letsencrypt.org/sites/domain.se/sites/domain.se.crt",
  "keyfile": "acme/acme-v02.api.letsencrypt.org/sites/domain.se/sites/domain.se.key",
  "log_level": "info"
}

The other side of doing it this way is you’ll have to manually restart your add-ons when Caddy updates the cert, unless you write some sort of script that monitors the files and restarts all the add-ons using the API.
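The "script that monitors the files and restarts the add-ons" mentioned above, written out as an added example for this thread (not the Caddy add-on's own code): it fingerprints the certificate files, works out which add-ons consume a file that changed, and calls the Supervisor to restart them. The Supervisor base URL, the `POST /addons/<slug>/restart` endpoint with a Bearer token from `SUPERVISOR_TOKEN`, and the add-on slug / file mapping are all assumptions to adjust for your installation; the paths mirror the /ssl/acme/... layout shown in the Mosquitto config above.

```python
"""Restart Home Assistant add-ons when Caddy renews the certificate files they read.

Added example for this thread, not the add-on's own code.  Assumptions (not from
the thread): the Supervisor API is reachable at http://supervisor, accepts
POST /addons/<slug>/restart with a Bearer token taken from SUPERVISOR_TOKEN,
and the slug / file mapping below is a placeholder for your own add-ons.
"""
import hashlib
import os
import time
import urllib.request

SUPERVISOR_URL = "http://supervisor"  # assumed Supervisor base URL

# Constructed mapping: which certificate files each add-on reads at startup.
# Paths follow the /ssl/acme/... layout from the Mosquitto example in the thread.
CERT_DIR = "/ssl/acme/acme-v02.api.letsencrypt.org/sites/domain.se/sites"
ADDON_FILES = {
    "core_mosquitto": [f"{CERT_DIR}/domain.se.crt", f"{CERT_DIR}/domain.se.key"],
}


def digest(data: bytes) -> str:
    """SHA-256 of file contents; a renewal rewrites the bytes, so the digest changes."""
    return hashlib.sha256(data).hexdigest()


def fingerprint(paths):
    """Map each path to its digest, or None when the file is missing or unreadable."""
    result = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                result[path] = digest(fh.read())
        except OSError:
            result[path] = None
    return result


def changed_files(previous, current):
    """Sorted paths whose digest differs between two fingerprints, including files
    that appeared or vanished between the two polls."""
    return sorted(p for p in set(previous) | set(current)
                  if previous.get(p) != current.get(p))


def addons_to_restart(changed, addon_files=ADDON_FILES):
    """Add-ons that consume at least one changed file, each listed once, in config order."""
    changed = set(changed)
    return [slug for slug, files in addon_files.items() if changed.intersection(files)]


def restart_addon(slug, token, base_url=SUPERVISOR_URL):
    """POST to the assumed Supervisor restart endpoint and return the HTTP status."""
    req = urllib.request.Request(
        f"{base_url}/addons/{slug}/restart", method="POST",
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.status


def watch(addon_files=ADDON_FILES, interval=300, restart=restart_addon,
          token=None, max_rounds=None):
    """Poll the certificate files; after any change, restart the affected add-ons.
    Returns the list of (round, slug) restarts performed so a caller can inspect it."""
    token = token or os.environ.get("SUPERVISOR_TOKEN", "")
    all_files = sorted({f for files in addon_files.values() for f in files})
    previous = fingerprint(all_files)
    performed = []
    rounds = 0
    while max_rounds is None or rounds < max_rounds:
        rounds += 1
        time.sleep(interval)
        current = fingerprint(all_files)
        for slug in addons_to_restart(changed_files(previous, current), addon_files):
            restart(slug, token)
            performed.append((rounds, slug))
        previous = current
    return performed


if __name__ == "__main__":
    watch()  # runs until stopped; needs Supervisor API access and SUPERVISOR_TOKEN
```

Polling on content rather than mtime means a renewal that rewrites identical bytes (which Caddy would not normally do) triggers nothing, while a file that briefly disappears during an atomic replace shows up as a change and is picked up on the next round.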

Decided to stop using Duckdns due to some recent issues with Google Assistant that a lot of people on Home Assistant seemed to be having. Personally, not convinced it was duckdns - I think it was a Google Assistant issue.

Anyway, I had a ‘spare’ domain lying around and I decided I’d try and set that up to point to my home Home Assistant server.

Never done this before and not 100% sure what the hell I am doing with this TBH as I’ve never hosted a domain on a home server before and I could have screwed something up.

Anyway, at Namecheap, I configured the A and AAAA records for my domain and also added a CNAME record… Looks like this:

On my router I also had to add the new domain to a DNS rebind protection list. I also only use IPv6 for this domain - I only have the port opened on my router for IPv6 and that is opened to the server. This also works fine with duckdns… I have never updated the IPv4 address at duckdns. It is port 443 that is opened. I also got the namecheap api key.

So I have a bunch of sub-domains in my caddyfile.

Anyway, yesterday, I downloaded a caddy with the namecheap and duckdns plugins in it and I configured my caddy settings with the environment variables and added the new domains and subdomains to my caddyfile.

Started the caddy addon in home assistant and it seems happy.

But for each and every domain, I get a string of these:

2019/09/13 09:36:39 [INFO] [sub.domain.com] acme: Waiting for DNS record propagation.
2019/09/13 09:36:54 [INFO] [sub.domain.com] acme: Waiting for DNS record propagation.
2019/09/13 09:37:09 [INFO] [sub.domain.com] acme: Waiting for DNS record propagation.
2019/09/13 09:37:25 [INFO] [sub.domain.com] acme: Waiting for DNS record propagation.

Goes on for 15 minutes or longer then I’ll see this:

2019/09/13 09:16:33 [INFO] nonce error retry: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/chall-v3/314207628/-j8WAg :: urn:ietf:params:acme:error:badNonce :: JWS has an invalid anti-replay nonce: "0001vmrGMAM85RhhduqkKZiO7RctKatXzovN6Yl8-cec_8k", url: 

and then the certificate is issued and it moves on to the next one…

The duckdns ones seem to scream right through though, taking seconds.

Am I doing something wrong here? Do I need to change my DNS records?

I did see a github issue… the domain previously had a letsencrypt certificate from my hosting - could that be causing the problem? The issue is as well that until caddy gets all the certificates, it won’t serve anything at all…

“acme: Waiting for DNS record propagation.” means the server is waiting to make sure that the record it just set is updated. Are you sure you don’t have something interfering with your DNS server like PiHole or are you running a local DNS server?

The “JWS has an invalid anti-replay nonce” error seems to usually be an issue with using more than one IP. Do you have multiple IPV6 gateways?

Only one gateway. I don’t use PiHole or any DNS at all other than the dns container installed nowadays with hass.io - I wonder if that was the issue?
Every subdomain took 30 minutes (to the minute) to validate and then get the certificate. Which sucked because none of the sites worked (other than via the IP) until Caddy had finished the list and started.
Restarting now is instant as per usual and I suspect in 60 days there won’t be a delay and it won’t need to wait for dns propagation (as they are all in dns now)

Anything that’s caching DNS could cause this issue. I’m not sure how the Hass.io DNS container interacts with everything, but it could be causing issues.

It doesn’t cause it with duckdns though… Using dns validation for both. I dunno. Anyway, I don’t think it will be an ongoing error…

So I found out what was causing the error… At Namecheap, I had the TTL on the AAAA and CNAME records set to AUTOMATIC which very helpfully seems to have been 30 minutes… so that’s how long it took to validate every domain.

Just for a laugh, I registered a new domain today and set it up in Caddy but I changed the TTL to 1 minute - the minimum number. Guess how long DNS validation took per domain? If you said 1 minute, go to the top of the class.

I really don’t understand WHY but anyway, setting to 1 minute seems to have solved it. I need to read up a bit to make sure I’m not going to cause some other kind of problem with a short TTL.
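The log excerpt posted earlier and the TTL finding above suggest a quick way to see the problem without waiting 30 minutes per domain: measure, from Caddy's own log, how long each domain sat in "Waiting for DNS record propagation" and how many badNonce retries occurred. This is an added example for this thread, not Caddy or lego tooling; the log text is constructed to match the format shown in the thread (the challenge path and nonce are placeholders), and the 10-minute threshold for flagging a domain is an assumption.

```python
"""Summarise per-domain ACME DNS-01 propagation waits from a Caddy log.

Added example for this thread (not Caddy's or lego's code).  The sample log is
constructed to mimic the format posted in the thread; CHALLENGE_ID and
EXAMPLE_NONCE are placeholders, not real values.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2019/09/13 09:06:39 [INFO] [sub.domain.com] acme: Waiting for DNS record propagation.
2019/09/13 09:06:54 [INFO] [sub.domain.com] acme: Waiting for DNS record propagation.
2019/09/13 09:36:25 [INFO] [sub.domain.com] acme: Waiting for DNS record propagation.
2019/09/13 09:36:33 [INFO] nonce error retry: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/chall-v3/CHALLENGE_ID :: urn:ietf:params:acme:error:badNonce :: JWS has an invalid anti-replay nonce: "EXAMPLE_NONCE", url:
2019/09/13 09:36:40 [INFO] [sub.domain.duckdns.org] acme: Waiting for DNS record propagation.
2019/09/13 09:36:55 [INFO] [sub.domain.duckdns.org] acme: Waiting for DNS record propagation.
"""

TS = r"(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})"
WAIT_RE = re.compile(TS + r" \[INFO\] \[([^\]]+)\] acme: Waiting for DNS record propagation\.")
NONCE_RE = re.compile(TS + r" \[INFO\] nonce error retry: .*badNonce")


def parse_log(text):
    """Return ({domain: [poll timestamps]}, badNonce retry count) for the log text."""
    waits = defaultdict(list)
    nonce_errors = 0
    for line in text.splitlines():
        m = WAIT_RE.match(line)
        if m:
            waits[m.group(2)].append(datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"))
        elif NONCE_RE.match(line):
            nonce_errors += 1
    return dict(waits), nonce_errors


def propagation_waits(waits):
    """domain -> (number of polls, seconds between first and last poll).

    The span is a lower bound: lego polls every ~15 s, so the real wait is up to
    one interval longer than the gap between the first and last log line."""
    return {d: (len(ts), int((max(ts) - min(ts)).total_seconds()))
            for d, ts in waits.items()}


def suspect_long_ttl(summary, threshold_seconds=600):
    """Domains that waited at least threshold_seconds; in this thread the cause was a
    30-minute record TTL at the registrar, so check the TTL on those zones first."""
    return sorted(d for d, (_, secs) in summary.items() if secs >= threshold_seconds)


def report(text=SAMPLE_LOG):
    waits, nonce_errors = parse_log(text)
    summary = propagation_waits(waits)
    for domain, (polls, secs) in sorted(summary.items()):
        print(f"{domain:32} polls={polls:3d} waited~{secs:5d}s")
    print(f"badNonce retries: {nonce_errors}")
    print("check TTL for:", ", ".join(suspect_long_ttl(summary)) or "(none)")
    return summary, nonce_errors


if __name__ == "__main__":
    report()
```

Feed it the add-on log (e.g. copied out of the Supervisor UI) in place of the constructed sample; a domain that shows roughly the same wait on every run while duckdns names clear in seconds points at record TTL on that zone rather than at Caddy.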

Has anyone managed to get the dyndns plugin working? I’m using the config below and don’t see anything in the logs.

https://xx.xx.xx {
    tls {
        dns cloudflare
    }
    dyndns {
        provider cloudflare
        ipaddress http://whatismyip.akamai.com/
        auth xxxc6bab22129f [email protected]
        domains xx.xxr.xx
        period 1m
    }
    header / {
        Strict-Transport-Security "max-age=31536000; includeSubdomains"
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        Referrer-Policy "same-origin"
    }
    proxy / 192.168.1.103:8123 {
        websocket
        transparent
    }

    log stdout
    errors stderr
}

The Cloudflare info doesn’t go into the Caddyfile - it’s in the configuration of the add-on with the credentials as an environment variable. (You need the tls and dns cloudflare in the Caddyfile though.)

domain.cloudflare {
    tls {
        dns cloudflare
    }
}

Thanks but I already have dns plugin working and pass the credentials as variables. I’m struggling with dynamic dns (dyndns) plugin for which you have to specify the credentials in the caddy file. https://caddyserver.com/docs/dyndns

Has anyone been able to use iOS push notifications and Caddy at the same time?
The push notification needs SSL enabled in the iPhone app, and that’s the part where the SSL files are already skipped.

I do. iOS push and caddy.

How did you enable SSL? Or is there any config I should take note of?
The thing is that I disabled ssl certificate and key under duckdns addon because of caddy

SSL is provided by Caddy.
The addon:

{
  "flags": [
    "-agree",
    "-email",
    "!secret le_email"
  ],
  "env_vars": [
    "!secret name_user",
    "!secret name_key"
  ]
}

(I am using DNS validation with Namecheap so you might not have any environment variables)

In duckdns, it should look like this:

{
  "lets_encrypt": {
    "accept_terms": false,
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem"
  },
  "token": "YOUR_DUCKDNS_TOKEN_HERE",
  "domains": [
    "your-domain-here.duckdns.org"
  ],
  "seconds": 300
}

Setting letsencrypt to false means the duckdns addon won’t try and get ssl certs - caddy will do that.

Not so much a Home Assistant Caddy question but maybe more of a Caddy question. I set up a sub domain using this addon but my fiancée cannot seem to get to it on iOS. Android and Windows work fine. Anybody know what the problem might be? My Google fu seems to dig up reverse proxy issues mostly with solutions referring to NGINX. Thanks for any help, probably a long shot.

what is in your caddy file for that sub-domain?

Yeah, I should have put this up already. Thanks for answering:

redacted.duckdns.org {
    header / {
        Strict-Transport-Security "max-age=31536000; includeSubdomains"
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        Referrer-Policy "same-origin"
    }
    proxy / localhost:8123 {
        websocket
        transparent
    }
}

ombi.redacted.duckdns.org {
    proxy / 192.168.1.38:3579 {
        transparent
    }
}


Wow… so identical to me… I wonder if it’s caching issue? For sure it doesn’t sound like Caddy…

Great Daves think alike I guess. Actually a lot of your posts have helped me get through a lot of things with HA. Sometimes people don’t like your answers but I think you’re just to the point without messing around. I appreciate the time you have taken to help in the past and now.

I’ve actually got her to download and try Chrome on her iPhone but no dice. I’ll see if she will lend me one of her old iPhones so I can troubleshoot. I’ll try clearing the browser cache. The most predictable part of technology for me is the promise that I make that it will make my fiancée’s life better. Then it promptly turns on the light while she is trying to sleep in the middle of the night lol. Thanks for your help


Hey thanks for your kind words mate…