Closed TurboSlayer closed 6 months ago
What version are you using? What's the error message you see, exactly? Show your logs & config.
Yep, my bad, I was in a rush yesterday. Here's the info:
Version: caddy:latest
on docker (v2.7.6)
Caddyfile:
{
	debug
}
:443 {
	log {
		level INFO
		output file {$LOG_FILE} {
			roll_size 10MB
			roll_keep 10
		}
	}
	tls {
		get_certificate tailscale # Didn't need this before (ever since the feature was released)
	}
	encode gzip
	reverse_proxy vaultwarden:80
	reverse_proxy /notifications/hub vaultwarden:3012
}
Error:
caddy_vaultwarden | {"level":"info","ts":1706153302.1186092,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
caddy_vaultwarden | {"level":"warn","ts":1706153302.1194217,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
caddy_vaultwarden | {"level":"info","ts":1706153302.1199346,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//[::1]:2019","//127.0.0.1:2019","//localhost:2019"]}
caddy_vaultwarden | {"level":"info","ts":1706153302.1200917,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0006f5880"}
caddy_vaultwarden | {"level":"info","ts":1706153302.1201015,"logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0xc0006f5880"}
caddy_vaultwarden | Error: loading initial config: loading new config: loading http app module: provision http: getting tls app: loading tls app module: provision tls: provisioning automation policy 0: on-demand TLS cannot be enabled without an 'ask' endpoint to prevent abuse; please refer to documentation for details
caddy_vaultwarden | {"level":"info","ts":1706153303.7275922,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
caddy_vaultwarden | {"level":"warn","ts":1706153303.7283955,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
caddy_vaultwarden | {"level":"info","ts":1706153303.7289453,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
caddy_vaultwarden | {"level":"info","ts":1706153303.729059,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000789300"}
caddy_vaultwarden | {"level":"info","ts":1706153303.729068,"logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0xc000789300"}
caddy_vaultwarden | Error: loading initial config: loading new config: loading http app module: provision http: getting tls app: loading tls app module: provision tls: provisioning automation policy 0: on-demand TLS cannot be enabled without an 'ask' endpoint to prevent abuse; please refer to documentation for details
caddy_vaultwarden exited with code 1
EDIT: I have managed to work around this using the solution given in #5986.
Hi!
Just want to report the same issue as it is still open, but using get_certificate http and not tailscale.
Previously I used tls cert key with a separate cron job fetching a fresh wildcard cert and reloading Caddy at a given interval, before trying out a new config using get_certificate. After the config rewrite and trying to reload, it fails with the same error message as above.
It works with the work-around as mentioned in #5986.
The provider's cert endpoint returns 200 OK as expected.
Version
v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=
Running as a service on Ubuntu 22.04 LTS.
Config
{
	debug
}
*.mydomain.com {
	tls {
		# Extra query params as specified by provider
		get_certificate http https://cert.myprovider.com?domain=*.mydomain.com&secret=SECRET
	}
	log {
		format json
		output file /var/log/caddy/wildcard.log
	}
	@app1 host app1.mydomain.com
	handle @app1 {
		reverse_proxy localhost:3000
	}
	respond "No service running on {host}, yet...."
}
Log on caddy reload
{
	"level": "error",
	"ts": 1712191729.55823,
	"logger": "admin.api",
	"msg": "request error",
	"error": "loading config: loading new config: loading http app module: provision http: getting tls app: loading tls app module: provision tls: provisioning automation policy 1: on-demand TLS cannot be enabled without an 'ask' endpoint to prevent abuse; please refer to documentation for details",
	"status_code": 400
}
Thanks for the great work you are doing with Caddy 👏
@filiabel I believe I have just fixed this in #6229
Backstory: I have a docker/caddy setup where I use a docker volume to expose the tailscaled socket to Caddy. It randomly stopped working today, so I tried to fix it. It looked like there were recent changes with socket paths so I tried different combinations with /tmp and /run but nothing worked. (EDIT: the error for this is
caddy_vaultwarden | {"level":"debug","ts":1706154566.203921,"logger":"http.stdlib","msg":"http: TLS handshake error from 100.107.69.109:41312: no certificate available for 'redacted.x.ts.net'"}
)
The problem: In order to debug this I tried enabling get_certificate tailscale under the tls directive, but then it starts enforcing the "ask" endpoint, which doesn't make sense for tailscale users. An example of the error is here. I believe the "ask" enforcing is a fairly recent change, and so this may have been overlooked when the change was implemented. I know the docker volume approach isn't officially supported, but it'd be great if this issue could be resolved so that I can try and debug it myself. Thanks!
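For readers who hit the "on-demand TLS cannot be enabled without an 'ask' endpoint" error and do want on-demand issuance, the following is an added example (not code from this thread or from the Caddy project) of the kind of 'ask' endpoint the error refers to: Caddy makes a GET request with a `domain` query parameter before issuing a certificate, and a 2xx reply permits issuance while anything else refuses it. The allowlist, hostnames and listen address are constructed assumptions.

```go
// Added example: a minimal 'ask' endpoint for Caddy's on-demand TLS.
// Caddy requests GET /ask?domain=<host> before issuing a certificate;
// a 2xx status allows issuance, any other status denies it.
package main

import (
	"log"
	"net/http"
	"strings"
)

// allowedHosts is a constructed allowlist; a real deployment would back this
// with the application's own tenant or host database.
var allowedHosts = map[string]bool{
	"app1.mydomain.com":  true,
	"vault.mydomain.com": true,
}

// decide applies the policy: exact, lower-cased matching of a single host, so
// wildcards, empty names and hostnames you do not own are all refused. This is
// what stops an arbitrary client from driving unbounded certificate issuance.
func decide(domain string) int {
	d := strings.ToLower(strings.TrimSuffix(domain, "."))
	if d == "" || strings.ContainsAny(d, "*/ \t") {
		return http.StatusBadRequest
	}
	if allowedHosts[d] {
		return http.StatusOK
	}
	return http.StatusForbidden
}

// askHandler answers Caddy's check and logs every decision: a burst of 403s
// is the signal that someone is probing the issuer with foreign hostnames.
func askHandler(w http.ResponseWriter, r *http.Request) {
	domain := r.URL.Query().Get("domain")
	status := decide(domain)
	log.Printf("ask domain=%q status=%d from=%s", domain, status, r.RemoteAddr)
	w.WriteHeader(status)
}

func main() {
	http.HandleFunc("/ask", askHandler)
	// Loopback only (assumed address): Caddy reaches this locally and the
	// endpoint must not be reachable from the internet.
	log.Fatal(http.ListenAndServe("127.0.0.1:5555", nil))
}
```

With this running, the matching Caddyfile global option would be `on_demand_tls { ask http://127.0.0.1:5555/ask }` and the site's tls block would enable `on_demand`.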