Failing many times on HTTPS access

Jellyfin Version 10.5.5
Linux Ubuntu (not on Docker)

Hello there!
Sorry for my stupid question, I am not very tech savvy in these things, but I can handle myself in some others.
I am running a VPS with Jellyfin, a chat program (Rocket) and 10 Docker images (RSS, notepad, qBittorrent, etc.).
I have followed a guide and set up HTTPS for my chat program.
Now I want to set up HTTPS for Jellyfin as well, but every guide I followed, I failed… Lately I tried the Caddy one from this site, but it gave me an error that port 443 was already in use…

Can anyone help me or point me to an easy solution?
Thanks for your time, and sorry for my English.

How did you add HTTPS to Rocket.Chat?

Running HTTPS for multiple services at the same time will either require separate ports for each service or a reverse proxy. A reverse proxy will allow you to run multiple services on the same port and will direct them to the correct backend application using a technology called SNI.

I used this guide step by step!
https://docs.rocket.chat/installation/snaps/autossl

I’m assuming you followed the first set of instructions, which seem to be using an integration between Caddy and Rocket.Chat to do the work. It looks like their assumption is that you want Caddy associated with Rocket.Chat, though if you go with the second, manual option it seems to give a raw config file.

I’ve never personally used Caddy, but from a glance at the docs, and assuming you want to use subdomains for each service, I think this should get you closer to what you want. It’s likely to knock your Rocket.Chat server offline temporarily while experimenting, so be warned about that.

  • Disable the auto Caddy config - sudo snap set rocketchat-server caddy=disable
  • Edit the Caddyfile at /var/snap/rocketchat-server/current/Caddyfile
chat.example.com {
  proxy / localhost:3000 {
    websocket
    transparent
  }
}

jellyfin.example.com {
  reverse_proxy 127.0.0.1:8096
}
  • Start Caddy - sudo systemctl restart snap.rocketchat-server.rocketchat-caddy

Just tried that, but it is not working at all. I can’t reach Rocket.Chat, and my Jellyfin address is still HTTP (not working).

Do you propose another (easier) way besides Caddy to achieve HTTPS for both chat and Jellyfin?

@haunter Can you post an example of your current Caddyfile? Change the domain names of course.

The working Caddyfile for my Rocket.Chat is

https://subdomain.domain.com
proxy / localhost:3000 {
    websocket
    transparent
}

And the non-working one is

https://subdomain.domain.com
proxy / localhost:3000 {
    websocket
    transparent
}

domain.com {
    reverse_proxy 127.0.0.1:8096
}

The 2nd domain is totally different from the 1st.

You need to ensure your other web server is not still active (nginx, Apache, etc.), so Caddy can access port 443.
If problems still remain, please paste the output of caddy version; Caddy is between v1 and v2 right now, and there’s a fair difference in configuration.

My Caddy version is v2.1.1.

Also, will I need to take my Jellyfin server and my Rocket.Chat server offline and then run the new Caddy config?

No, you will not have to take the other servers offline. Rocket’s documentation is still using v1. The correct Caddy configuration would be:

# Caddy v2 syntax: one site block per hostname; Caddy manages a certificate for each
domain.com {
    # Jellyfin, listening on its default HTTP port
    reverse_proxy * 127.0.0.1:8096
}
subdomain.domain.com {
    # Rocket.Chat
    reverse_proxy * 127.0.0.1:3000
}

Unfortunately, for my setup the above config is not working. The Rocket.Chat HTTPS is gone, and the Jellyfin server can’t be reached over HTTPS.
I am certain that the problem is on me, on my setup. Possibly something simple, I just don’t have it.

OK, I think I made a bit of progress. I removed the old version and installed v2. I was able to replicate the successful use of my first domain, but I still can’t assign HTTPS to my 2nd domain.
My config is:

https://1stdomain.com {
reverse_proxy * localhost:3000
}

https://2nddomain.com {
reverse_proxy * localhost:8096
}

I run

sudo caddy adapt --config ~/caddy/Caddyfile
sudo caddy run --config ~/caddy/Caddyfile

and I end up with

2020/07/26 07:17:38.908 INFO using provided configuration {"config_file": "/home/haunter1/caddy/Caddyfile", "config_adapter": ""}
2020/07/26 07:17:38.910 INFO admin admin endpoint started {"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["localhost:2019", "[::1]:2019", "127.0.0.1:2019"]}
2020/07/26 09:17:38 [INFO][cache:0xc000185f20] Started certificate maintenance routine
2020/07/26 07:17:38.911 INFO http server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2020/07/26 07:17:38.911 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
2020/07/26 07:17:38.913 INFO tls cleaned up storage units
2020/07/26 07:17:38.913 INFO http enabling automatic TLS certificate management {"domains": ["2nd_HIDDENDOMAIN", "1st2nd_HIDDENDOMAIN"]}
2020/07/26 07:17:38.926 INFO autosaved config {"file": "/home/haunter1/.config/caddy/autosave.json"}
2020/07/26 07:17:38.926 INFO serving initial configuration
2020/07/26 09:17:38 [INFO][2nd_HIDDENDOMAIN] Obtain certificate; acquiring lock…
2020/07/26 09:17:38 [INFO][2nd_HIDDENDOMAIN] Obtain: Lock acquired; proceeding…
2020/07/26 09:17:39 [INFO][2nd_HIDDENDOMAIN] Waiting on rate limiter…
2020/07/26 09:17:39 [INFO][2nd_HIDDENDOMAIN] Done waiting
2020/07/26 09:17:39 [INFO] [2nd_HIDDENDOMAIN] acme: Obtaining bundled SAN certificate given a CSR
2020/07/26 09:17:40 [INFO] [2nd_HIDDENDOMAIN] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6117966166
2020/07/26 09:17:40 [INFO] [2nd_HIDDENDOMAIN] acme: Could not find solver for: tls-alpn-01
2020/07/26 09:17:40 [INFO] [2nd_HIDDENDOMAIN] acme: use http-01 solver
2020/07/26 09:17:40 [INFO] [2nd_HIDDENDOMAIN] acme: Trying to solve HTTP-01
2020/07/26 09:17:45 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6117966166
2020/07/26 09:17:45 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6117966166
2020/07/26 09:17:45 [ERROR] error: one or more domains had a problem:
[2nd_HIDDENDOMAIN] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://2nd_HIDDENDOMAIN/.well-known/acme-challenge/lRrivlCpfNuDvwmGqbywBhvIMFaIlSuPl_eNnzxnjhw [2602:ff23:0:8888::206]: "\r\n\r\n<!-- WEB REDIRECT", url:
(challenge=http-01 remaining=[tls-alpn-01])
2020/07/26 09:17:47 [INFO] [2nd_HIDDENDOMAIN] acme: Obtaining bundled SAN certificate given a CSR
2020/07/26 09:17:49 [INFO] [2nd_HIDDENDOMAIN] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6117967804
2020/07/26 09:17:49 [INFO] [2nd_HIDDENDOMAIN] acme: use tls-alpn-01 solver
2020/07/26 09:17:49 [INFO] [2nd_HIDDENDOMAIN] acme: Trying to solve TLS-ALPN-01
2020/07/26 09:17:49 http: TLS handshake error from 127.0.0.1:53640: EOF
2020/07/26 09:17:50 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6117967804
2020/07/26 09:17:50 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6117967804
2020/07/26 09:17:50 [ERROR] error: one or more domains had a problem:
[2nd_HIDDENDOMAIN] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Error getting validation data, url:
(challenge=tls-alpn-01 remaining=[])
2020/07/26 09:17:52 [ERROR] attempt 1: [2nd_HIDDENDOMAIN] Obtain: [2nd_HIDDENDOMAIN] error: one or more domains had a problem:
[2nd_HIDDENDOMAIN] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Error getting validation data, url:

  • retrying in 1m0s (13.967977412s/720h0m0s elapsed)…
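The log above carries the diagnostic the thread never gets to. The http-01 line records the address Let's Encrypt actually connected to for the second domain, [2602:ff23:0:8888::206], and the body it got back, an HTML page starting with "<!-- WEB REDIRECT" rather than the challenge token; the tls-alpn-01 attempt then fails with a connection error. Whatever answered that request was not this Caddy instance, so no Caddyfile change on the VPS can make the challenge pass until the domain's DNS points at the VPS. The following is an added example, not code from the thread, from Caddy or from Rocket.Chat: it parses error lines of the shape shown above, pulls out the responder address, and compares it with the server's own addresses. The sample log is constructed from the lines quoted in the post (the 2nd_HIDDENDOMAIN placeholder is kept as posted), and the server address 203.0.113.10 is an assumed placeholder for the VPS's public IP.

```python
"""Triage ACME validation failures from Caddy v2 (lego) log output.

Added example for this thread, not Caddy's or Rocket.Chat's code. The sample
log is constructed from the lines quoted in the post; 203.0.113.10 is an
assumed placeholder for the VPS's own public address.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed from the posted log: the two failed challenges for the second domain.
SAMPLE_LOG = r"""
2020/07/26 09:17:40 [INFO] [2nd_HIDDENDOMAIN] acme: Trying to solve HTTP-01
2020/07/26 09:17:45 [ERROR] error: one or more domains had a problem:
[2nd_HIDDENDOMAIN] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://2nd_HIDDENDOMAIN/.well-known/acme-challenge/lRrivlCpfNuDvwmGqbywBhvIMFaIlSuPl_eNnzxnjhw [2602:ff23:0:8888::206]: "\r\n\r\n<!-- WEB REDIRECT", url:
(challenge=http-01 remaining=[tls-alpn-01])
2020/07/26 09:17:49 [INFO] [2nd_HIDDENDOMAIN] acme: Trying to solve TLS-ALPN-01
2020/07/26 09:17:50 [ERROR] error: one or more domains had a problem:
[2nd_HIDDENDOMAIN] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Error getting validation data, url:
(challenge=tls-alpn-01 remaining=[])
"""

# "[domain] acme: error: <status> :: <urn> :: <detail>"
ERROR_RE = re.compile(
    r"^\[(?P<domain>[^\]]+)\] acme: error: (?P<status>\d{3}) :: "
    r"(?P<urn>urn:ietf:params:acme:error:\w+) :: (?P<detail>.*)$"
)
# http-01 detail: URL the CA fetched, the address it connected to, the body it received
HTTP01_RE = re.compile(
    r'Invalid response from (?P<url>\S+) \[(?P<ip>[^\]]+)\]: "(?P<body>.*)", url:'
)
# lego names the failed challenge on the line after the error
CHALLENGE_RE = re.compile(
    r"^\(challenge=(?P<challenge>[\w-]+) remaining=\[(?P<remaining>[^\]]*)\]\)$"
)


@dataclass
class AcmeFailure:
    domain: str
    status: int
    error_type: str              # last segment of the ACME urn, e.g. "unauthorized"
    challenge: Optional[str]     # "http-01" / "tls-alpn-01"
    fetched_url: Optional[str]   # only present for http-01 failures
    responder_ip: Optional[str]  # address the CA actually talked to
    body_preview: Optional[str]  # what that address returned instead of the token


def parse_acme_failures(log: str) -> List[AcmeFailure]:
    """Collect one AcmeFailure per '[domain] acme: error:' line in the log."""
    failures: List[AcmeFailure] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = ERROR_RE.match(line)
        if m:
            f = AcmeFailure(m["domain"], int(m["status"]), m["urn"].rsplit(":", 1)[-1],
                            None, None, None, None)
            h = HTTP01_RE.search(m["detail"])
            if h:
                f.fetched_url, f.responder_ip, f.body_preview = h["url"], h["ip"], h["body"]
            failures.append(f)
            continue
        c = CHALLENGE_RE.match(line)
        if c and failures and failures[-1].challenge is None:
            failures[-1].challenge = c["challenge"]
    return failures


def unexpected_addresses(resolved: List[str], server_ips: List[str]) -> List[str]:
    """Addresses the name resolves to (e.g. from 'dig +short A/AAAA name') that are
    not this server. Any entry here means the CA reaches some other host."""
    mine = {ipaddress.ip_address(a) for a in server_ips}
    return [a for a in resolved if ipaddress.ip_address(a) not in mine]


def diagnose(failures: List[AcmeFailure], server_ips: List[str]) -> List[str]:
    """One human-readable finding per failure, using the responder address when present."""
    findings: List[str] = []
    for f in failures:
        if f.responder_ip is not None:
            ip = ipaddress.ip_address(f.responder_ip)
            record = "AAAA" if ip.version == 6 else "A"
            if unexpected_addresses([f.responder_ip], server_ips):
                findings.append(
                    f"{f.domain}: {f.challenge} was answered by {ip}, not this server; "
                    f"the {record} record for {f.domain} points elsewhere "
                    f"(response began {f.body_preview!r})")
            else:
                findings.append(
                    f"{f.domain}: {f.challenge} reached this server, but port 80 returned "
                    f"{f.body_preview!r} instead of the token; something other than Caddy "
                    "answers port 80")
        elif f.error_type == "connection":
            findings.append(
                f"{f.domain}: {f.challenge} could not complete a TLS connection on port 443 "
                "at the address the CA resolved; fix DNS first, then check port 443 is Caddy's")
        else:
            findings.append(f"{f.domain}: {f.challenge} failed with {f.status} {f.error_type}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_acme_failures(SAMPLE_LOG), ["203.0.113.10"]):
        print(finding)
```

To use this against a live setup, feed the real Caddy output to parse_acme_failures and the VPS's public addresses (both v4 and v6, if it has them) to diagnose; unexpected_addresses can also be run directly on the output of dig +short for the domain, which catches the case before any certificate request is made. Note that the responder address only appears in http-01 failures; a bare "connection" error from tls-alpn-01 says nothing about where the CA went.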

Any hopes to eventually make this (HTTPS) easier for the lay person? I assume so, but would also assume it is not as high on the priority list as other things.

It’s… hard to do. The way Plex did it required an insane amount of work on their end and a central server.

It’s reasonably easy so far with Caddy v2, but it starts to get complicated when you run more than one service that way. We’ve got some ideas, but nothing yet. M

^^this
I am not complaining at all, I am trying to figure it out, since I prefer to solve my problems by searching rather than taking a ready-made solution.
I will try to Dockerize both Rocket and Jellyfin and try to implement HTTPS with this guide
https://github.com/nginx-proxy/docker-letsencrypt-nginx-proxy-companion

I will let you know my findings, just in case they are useful to someone.

Good to know. I’ll get around to learning to do it then. I mainly didn’t want to do so and then have an update come out in a few months doing it for me :smile: