Caddy hasn't made a valid SSL certificate after migration

I used the migration script and things seem to have worked, apart from Caddy not obtaining a valid cert, so I can't visit the Firezone interface yet. Firefox just shows:

Secure Connection Failed
An error occurred during a connection to wg.mysite.com. Peer reports it experienced an internal error.
Error code: SSL_ERROR_INTERNAL_ERROR_ALERT

I saw mentions of needing --internal-certs to be added to CADDY_OPTS, currently in my .firezone/.env CADDY_OPTS= is empty.

I added this and restarted Docker, but nothing changed. Is a restart sufficient, or is something more needed?

The .env seems to be a one-off setting during initialization, and changing it manually afterwards seems not to overwrite the setting.

For a quick check and fix, I usually rebuild a new container if any change is required.

Here is an example of my setting. This is for podman, but I assume Docker should work well also.
(Keep in mind you will need to remove the existing caddy container before running the script.)

Remark: you should also provide the default installation location in the variable FZ_INSTALL_DIR.

Declare the Caddy config and FZ_INSTALL_DIR:

# Multi-line form so the Caddyfile block is unambiguous; the one-line
# " tls { on_demand }" form relies on caddy fmt to split it.
tlsOpts="tls {
  on_demand
}"
# Firezone install dir; the command below falls back to the current directory if left empty.
FZ_INSTALL_DIR=

Once you have declared both variables, you can then execute the command:

# Image name assumed to be the official caddy image (the original post had
# "Docker" in that position). --privileged is not needed for caddy to bind
# 80/443 on the host network and can be dropped. The heredoc terminator @EOF
# is appended directly after the closing quote so it becomes the last line of
# the script passed to sh -c.
docker run --name caddy -dt --network=host --privileged --entrypoint "/bin/sh" \
  -v "${FZ_INSTALL_DIR:-.}/caddy:/data/caddy:Z" caddy \
  -c "cat <<@EOF > /etc/caddy/Caddyfile && ( cd /etc/caddy; caddy fmt --overwrite; caddy run --config /etc/caddy/Caddyfile --adapter caddyfile )

https:// {
log
reverse_proxy 172.25.0.100:13000
${tlsOpts:-}
}
"@EOF

You may then be able to restart the caddy container; the config is saved.
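A way to check what the Caddyfile will look like before recreating the container, as an added example that is not part of the posts above or of Firezone's own scripts. It assumes a compose-style .env file carrying TLS_OPTS; UPSTREAM is a hypothetical variable that defaults to the upstream address used in the thread.

```shell
#!/bin/sh
# Added example: render the Caddyfile the way the thread's heredoc does, but
# straight from the .env file, then lint the TLS settings.
set -eu

# Print the Caddyfile a given .env would produce. The file is sourced in a
# subshell, so a multi-line quoted TLS_OPTS value is read the way compose reads it.
render_caddyfile() {
  envfile=$1
  (
    set +eu
    # shellcheck disable=SC1090
    . "$envfile"
    printf 'https:// {\n\tlog\n\treverse_proxy %s\n\t%s\n}\n' \
      "${UPSTREAM:-172.25.0.100:13000}" "${TLS_OPTS:-}"
  )
}

# Reads a Caddyfile on stdin. Exit status:
#   0 - a tls block is present and safe
#   1 - no tls block at all (Caddy falls back to default ACME issuance, which
#       is what produced the OP's SSL_ERROR_INTERNAL_ERROR_ALERT)
#   2 - on_demand without an "ask" guard: the global block should carry
#       on_demand_tls { ask <url> } so that arbitrary hostnames pointed at the
#       host cannot trigger certificate issuance
lint_tls() {
  cfg=$(cat)
  case $cfg in
    *tls*) ;;
    *) return 1 ;;
  esac
  case $cfg in
    *on_demand*)
      case $cfg in
        *on_demand_tls*ask*) return 0 ;;
        *) return 2 ;;
      esac ;;
  esac
  return 0
}
```

Run `render_caddyfile "$HOME/.firezone/.env" | lint_tls; echo $?` before `docker compose up -d` to see which case applies.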

@Brendan Try adding this to your $HOME/.firezone/.env:

TLS_OPTS="tls {
  on_demand
}"

then run docker compose -f $HOME/.firezone/docker-compose.yml up -d to pick up the changes.

Boom and it worked after following Jamil’s post. Thank you everyone :slight_smile:

For people facing something similar: for some reason, even on a fresh install, it was not picking up the file $HOME/.firezone/.env. I had to place the docker-compose.yaml and .env file in the $HOME directory from which I was running these docker commands.