For a couple weeks I’ve been struggling to get TLS over Caddy with DNS challenges. My ISP blocks incoming data on ports 80/443 and I was looking to use an uncommon port (5050) for my personal needs.
I’ve followed the instructions here and I’ve made sure to use the proper DeSEC.io module in my docker build.
When I start my docker container and check the logs, I get an error that says the challenge failed because of an incorrect TXT record. However when I check DeSEC.io’s website, the TXT record that was created matches the Caddy log error message and even shows that the TXT record has been last touched “less than a minute ago.”
I’ve tried minimizing my Caddyfile to the bare minimum and I still can’t seem to get TLS working.
Dockerfile
FROM caddy:2.10.0-builder AS builder
RUN xcaddy build \
    --with github.com/caddy-dns/desec
FROM caddy:2.10.0
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
docker-compose.yml
services:
  caddy:
    container_name: caddy
    build: .
    restart: always
    ports:
      - 80:80
      - 5050:443
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data
      - caddy_config:/config
      - /home/sxc-pi/shared/:/srv:Z
    networks:
      - reverse_proxy
volumes:
  caddy_data:
  caddy_config:
networks:
  reverse_proxy:
    external: true
Caddyfile
{
        acme_dns desec {
                token "<DeSEC.io Token Number>"
        }
}
files.samplesite.com {
        root * /srv
        file_server {
                hide misc
                browse
        }
}
At this point I do not know what else I can try to get TLS working with Caddy. If I can’t get this to work, I can use Nginx Proxy Manager as a tried and tested backup plan, although I prefer to use something that is terminal based because I don’t want to use the Web UI that NPM uses.
Any insight or help would be greatly appreciated. I’m also not looking to use any tunnel services at the moment. I’d like to figure this way out so I have a fall back plan if I decide to use a tunnel in the future.
- Just as an aside, you’re half way to being able to use wildcard certs, you might as well just do the last bit of work so the domain names you’re using are a little less public. Let’s Encrypt puts every domain name on every cert in a public database. I’ve seen much less random probing of my services since moving to wildcards - I sat down and managed to get wildcard certs working. - I figured I would leave my Caddyfile here in case anyone in the future needs a working reference. This is based off the Caddyfile mentioned in the original post. - Caddyfile- # GLOBAL ENCRYPTION - DESEC.IO { acme_dns desec { token "DeSEC.io Token Number" } } *.samplesite.ca { # SITE WIDE ENCRYPTION tls { dns desec { token "DeSEC.io Token Number" } } # SUB DOMAIN #1 @files host files.samplesite.ca handle @files { root * /srv file_server { hide misc browse } } # FALLBACK FOR UNHANDLED DOMAINS handle { abort } }
- Oh no, I was just about to move forward and then you gave me another rabbit hole. - I didn’t know Let’s Encrypt had a public database, that does sound like a good idea to use wildcard certs instead. - I assume this is what I can use as a reference for wildcard certs. - How do you keep track of probing? I’ve been curious about that but haven’t put much effort into that as I’ve been focused on getting things working. - it’s not just Let’s Encrypt, it’s because of https://certificate.transparency.dev/ - Thanks for sharing that. - It’s nice to get extra context, it helps me understand how I can protect my devices and myself a bit better as I learn more about self hosting. 
 
 
 
- I’m also using Caddy with desec and get the same result when adding a new subdomain. It fixes itself after a while though (10+ minutes). Maybe try waiting a little longer. - That worked. I can finally see the padlock that says Verified by Let’s Encrypt. - I can’t believe all I had to do was wait. Thanks so much for sharing your experience. - Any changes you make to the DNS records will take a little while to take effect because the information needs to propagate, just FYI. This is the case whether you’re using your own domain or one of theirs. - I think my confusion came from starting with NPM. The process took less than 2 minutes and everything worked as intended as soon as it was successful. That set me up with high expectations. - With Caddy, it kept adding multiple entries to the TXT record and reporting that the records didn’t match. - I think NPM uses certbot under the hood and I wasn’t sure if Caddy used something different (certmagic maybe?) since I had to build Caddy with a custom module. - In any case, it works and I now know I just have to wait a little longer. 
 
 
 
- You might need to define a specific DNS server for caddy to use in the Caddyfile, ideally the same DNS server as your domain is hosted with if possible. Sounds like your default DNS server is slow to update and not seeing the changed record in time. 




