SOLVED: Cannot get caddy working at all, no conections go through

[aeternalis]

Hello. I gotta say that I'm very new to anything networking. it's possible I am missing something very obvious. I've tried a few tutorials and can't seem to find a solution that actually works.

My setup is an entire machine dedicated to running the jellyfin server directly plugged into my home network running Ubuntu Server headless. I use SSH to connect to it and do configuration. When outside the network, I connect to jellyfin by using my public IP with port 8096.

I'm trying to set up a reverse proxy so that the connections are over https and so that I can just point my device to a URL instead of an IP address if I'm using my server outside of home.

I've purchased a domain off namecheap and am trying to use cloudflare as my dns. On cloudflare, I have my "A" dns record set up to point to "jellyfin.domain.com" and pointed that to the machine's public IP. I cannot attempt to point it to the 8096 port, as cloudflare just complains that it's not a valid IPv4 address.

My caddyfile is set up as below:

Code:

(my domain) {

        reverse_proxy (machine's local IP:8096)
}

This is the only uncommented portion of my caddyfile. I've tried different variations of this, including:

1. Replacing just domain.com in the "my domain" field with jellyfin.mydomain.com.

2. Replacing "machine's local IP:8096 to localhost, localhost:8096, the public IP with and without port.

No combinations have resulted in success. I left this issue for a couple weeks but coming back to it, I'm having the same issues after about an hour of troubleshooting on top of the time before today. I have verified that the caddy service is running on the machine. I've googled a good bit, and nothing I can find seems to work either or offer troubleshooting steps.


Many thanks for help.

[TheDreadPirate]

In cloudflare, you do not include the port for the A record. Just the IP. Also make sure you are set for "DNS Only".

On your server, did you open ports 443 and 80?

Code:

sudo ufw status

[aeternalis]

I have it set to DNS only, though I have tried both methods. I saw that you told someone else on this forum to set to DNS only.

I opened 443 and 80 on my router.

ufw status returns as "inactive".

[TheDreadPirate]

UFW is a firewall frontend. It is not the firewall itself. UFW being inactive just means that any rules added in it are not applied to the actual firewall.

Code:

sudo ufw enable
sudo ufw allow 8096
sudo ufw allow 443
sudo ufw allow 80

[aeternalis]

Done, still not able to access the server through the domain though. Outside connections and local connections seem to work as expected though.

[TheDreadPirate]

Is caddy running?

Code:

sudo systemctl status caddy

[aeternalis]

Yes, but there seems to be errors about it not finding A records on my domain. I get something like this from journalctl:

Code:

Nov 22 20:07:27 jellyfin-server caddy[2653]: {"level":"info","ts":1732306047.0105007,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"MYDOMAIN.COM"}
Nov 22 20:07:27 jellyfin-server caddy[2653]: {"level":"info","ts":1732306047.012306,"logger":"http","msg":"using ACME account","account_id":"https://acme-staging-v02.api.letsencrypt.org/acme/acct/170413763","account_contact":[]}
Nov 22 20:07:27 jellyfin-server caddy[2653]: {"level":"info","ts":1732306047.2888756,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"MYDOMAIN.COM","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
Nov 22 20:07:27 jellyfin-server caddy[2653]: {"level":"error","ts":1732306047.7276082,"logger":"http.acme_client","msg":"challenge failed","identifier":"MYDOMAIN.COM","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for MYDOMAIN.COM; no valid AAAA records found for MYDOMAIN.COM","instance":"","subproblems":[]}}
Nov 22 20:07:27 jellyfin-server caddy[2653]: {"level":"error","ts":1732306047.727677,"logger":"http.acme_client","msg":"validating authorization","identifier":"MYDOMAIN.COM","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for MYDOMAIN.COM; no valid AAAA records found for MYDOMAIN.COM","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/170413763/20709731264","attempt":1,"max_attempts":3}
Nov 22 20:07:28 jellyfin-server caddy[2653]: {"level":"info","ts":1732306048.9321656,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"MYDOMAIN.COM","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
Nov 22 20:07:29 jellyfin-server caddy[2653]: {"level":"error","ts":1732306049.3690004,"logger":"http.acme_client","msg":"challenge failed","identifier":"MYDOMAIN.COM","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for MYDOMAIN.COM; no valid AAAA records found for MYDOMAIN.COM","instance":"","subproblems":[]}}
Nov 22 20:07:29 jellyfin-server caddy[2653]: {"level":"error","ts":1732306049.369077,"logger":"http.acme_client","msg":"validating authorization","identifier":"MYDOMAIN.COM","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for MYDOMAIN.COM; no valid AAAA records found for MYDOMAIN.COM","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/170413763/20709731644","attempt":2,"max_attempts":3}
Nov 22 20:07:29 jellyfin-server caddy[2653]: {"level":"error","ts":1732306049.3691368,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"MYDOMAIN.COM","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:dns - no valid A records found for MYDOMAIN.COM; no valid AAAA records found for MYDOMAIN.COM"}
Nov 22 20:07:29 jellyfin-server caddy[2653]: {"level":"error","ts":1732306049.3692284,"logger":"tls.obtain","msg":"will retry","error":"[MYDOMAIN.COM] Obtain: [MYDOMAIN.COM] solving challenge: MYDOMAIN.COM: [MYDOMAIN.COM] authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - no valid A records found for MYDOMAIN.COM; no valid AAAA records found for MYDOMAIN.COM (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":4,"retrying_in":300,"elapsed":310.083103484,"max_duration":2592000}
Nov 22 20:07:43 jellyfin-server kernel: [UFW BLOCK] IN=eno1 OUT= MAC=[remove] SRC=192.168.1.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=39018 DF PROTO=2

I replaced my domain with "MYDOMAIN.COM".

[TheDreadPirate]

Ok. Backed tracked a bit and realized something. You need to setup your A record to be domain.com. THEN you create a CNAME that points to domain.com for your subdomain. jellyfin.domain.com.

domain.com ---> A Record
jellyfin.domain.com ---> CNAME ---> domain.com

[aeternalis]

That worked, but partially. Unless the app you're using automatically tries variations of the target (like adding prefixes like http and the port to attempt a connection) it works, but video is still http only. When attempting to visit it through a web browser, I get SSL_ERROR_INTERNAL_ERROR_ALERT. If it's a browser or an app that doesn't automatically try new things, you must specify http and the 8096 port. If that falls outside of the purview of this forum, thanks in advance for your great help.

[TheDreadPirate]

Most of our apps will cycle through various port and protocol combinations if the provided URL doesn't work.

http+8096
http+80
https+8920
https+443

"https://jellyfin.domain.tld", with no port specified, should first try port 443, the default https port that caddy should be listening on, before trying 8920. "http://jellyfin.domain.tld" should try port 80 first before trying port 80.

And, no, browsers do not try other ports. That would be a security issue.

The error you are getting SOUNDS like you are typing in "https://jellyfin.domain.tld:8096". Don't do that. Just type in "https://jellyfin.domain.tld". Caddy handles forwarding it to port 8096 internally.