caddy ssl not working correctly

[Maescool]

When using letsencrypt cert directly, caddy starts on 443, but assets don't load
When disabling ssl, content shows up fine

[mixman68]

I have same problem but with a regular SSL loaded by SSL_CERT and SSL_CERT_KEY

My pterodactyl is gone..

[VozDeOuro]

Is there a way to enable the --debug option on the cert creation ?
Because mine isn't working either.

[VozDeOuro]

When using letsencrypt cert directly, caddy starts on 443, but assets don't load When disabling ssl, content shows up fine

How did you disable it ?
mine isn't disabling

[mixman68]

You can disable with SSL_CERT=none in the env fileLe 17 août 2023 à 04:33, Lucas ***@***.***> a écrit : When using letsencrypt cert directly, caddy starts on 443, but assets don't load When disabling ssl, content shows up fine How did you disable it ? mine isn't disabling —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you commented.Message ID: ***@***.***>

[ccarney16]

My Pterodactyl image recently moved to almalinux and caddy, however I do not fully support the new methods that are built in (and scripted) due to certain issues with caddy and pterodactyl daemon unable to share certificates. I will also be advising to move to a reverse proxy configuration such as NGINX, Traefik, or an external caddy proxy.

In regards to asset loading, that is an issue I am currently looking into since I do notice that even on non http configurations.

[VozDeOuro]

i think the good way is to do by dns
https://caddyserver.com/docs/automatic-https

[VozDeOuro]

hey @ccarney16
do you think that the ssl problem will be fix on a next build ?
using ssl on the reverse proxy is giving some error on the panel

[ccarney16]

Hey, so I am currently recommending to set SSL parameters to none on panel and daemon containers and opt to use a reverse proxy to forward traffic. At the moment caddy's built in SSL system is considered experimental until I get it ironed out. I have already pushed this image to a few production deployments using traefik as the reverse proxy, I see no issues at this moment. However if anyone can verify that their current Let's Encrypt certificates are having issues, please let me know, as during testing, the only issues I've encountered have been in regards to out-of-tree patches to pterodactyl. If anyone can also confirm if the certbot container can still get certificates, that would be great.

[VozDeOuro]

I'm using exactly that on my setup, traefik and none as caddy config.
But on some forms, it's accusing that the page is not secure.

[VozDeOuro]

i can try some test on the certbot container
but can you give me more info on which container is that ?
i just those containers: panel, worker, daemon, cron.

[ccarney16]

Hm, might want to check your APP_URL in conf.d/panel.env if its using http:// or https://, I might also suggest seeing if TRUSTED_PROXIES is set correctly. If it is not, feel free to add on TRUSTED_PROXIES= or CIDR range.

[ccarney16]

@VozDeOuro Certbot does not look to be enabled on your project, you need to pass the letsencrypt profile using the default deployment configuration to enable certbot. This is a newer docker-compose v2 feature, more information about profiles can be found here.

[VozDeOuro]

Hm, might want to check your APP_URL in conf.d/panel.env if its using http:// or https://, I might also suggest seeing if TRUSTED_PROXIES is set correctly. If it is not, feel free to add on TRUSTED_PROXIES= or CIDR range.

its on http://
how can i add the TRUSTED_PROXIES=
on the traefik or on the .env file ?

[ccarney16]

@VozDeOuro Trusted proxies need to be set in conf.d/panel.env for the panel container, Not traefik.

[VozDeOuro]

Sorry for the noob question,
but what i need to input there ?

[ccarney16]

you need to set the variable to either the IP address of the proxy, or the CIDR range of the proxy. If traefik is on the same machine as the panel container, and using docker networking, you should be free to try out the CIDR range 172.16.0.0/12. However be aware this trusts all ip addresses in this range.

[VozDeOuro]

i fixed it adding this caddy config

https://panel.foo.com :81 {
        root * /var/www/html/public
        file_server

        tls {
                dns cloudflare xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        } 

        header {
                -Server
                -X-Powered-By
                Referrer-Policy "same-origin"
                X-Frame-Options "deny"
                X-XSS-Protection "1; mode=block"
                X-Content-Type-Options "nosniff"
        }

        encode gzip zstd

        php_fastcgi unix//var/lib/caddy/php/php-fpm.sock

        try_files {path} {path}/ /index.php?{query}
}

that need to install a module on the caddy and you need to build it

VOLUME [ "/var/lib/caddy" ]
WORKDIR /var/www/html
WORKDIR /var/

RUN rm -fr /usr/bin/caddy;\
    wget https://go.dev/dl/go1.21.0.linux-amd64.tar.gz ;\
    rm -rf /usr/local/go && tar -C /usr/local -xzf go1.21.0.linux-amd64.tar.gz ;\
    export PATH=$PATH:/usr/local/go/bin ;\
    mkdir xcaddy_install ;\
    cd /var/xcaddy_install;\
    go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest ;\
    wget https://github.com/caddyserver/xcaddy/releases/download/v0.3.5/xcaddy_0.3.5_linux_amd64.tar.gz ;\
    tar -xzvf xcaddy_0.3.5_linux_amd64.tar.gz ;\
    chmod +x xcaddy ;\
    # here is the module that need to be installed 
    ./xcaddy build --with github.com/caddy-dns/cloudflare;\
    cp caddy /usr/bin/caddy;\
    chmod +x /usr/bin/caddy;\
    caddy list-modules | grep dns.;