openBalena setup behind a Caddy proxy.

Hi all,

To start with, I just want to say thank you for all the hard work on the balena suite. Everything here is an absolute dream for distributed systems.

I have been using balenaCloud and wanted to try self-hosting. Following the article step by step, I keep hitting a wall. Hoping to get some guidance through the forums here.

I have setup my base domain as openbalena.example.com (this is a real domain but just for example purpose I am using “example.com”).

I have an A record for openbalena.example.com → 123.123.123.12
I have a CNAME record for *.openbalena.example.com → openbalena.example.com

These records come through my firewall and into a Caddy reverse proxy which has auto-SSL capabilities. This might be the issue, but I am not quite sure just yet. This proxy is sending traffic off to my local server (192.168.100.31).

When trying to verify my connection using curl against api.openbalena.example.com I keep hitting:
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

Is there any way to get this to work behind a Caddy proxy that already handles the SSL connection? Also, I am not sure what else I should add in terms of my environment, so I am keeping it fairly open-ended for now until I am asked for more information.

Also, here are the tutorials/setups I have followed and tried thus far:

Anyone?

Hi @jordan-lumley,

Sorry for the late reply. Great to hear you like balena and are giving the openBalena solution a try. tlsv1 alert internal error is likely related to a handshake error via Caddy.

Caddy tries to issue a certificate from Let’s Encrypt or ZeroSSL for any domain that doesn’t look like localhost or *.localhost. With a local balena hostname, it will fail to get a publicly trusted certificate. So you’ll need to change the Caddy config, adding tls internal to your site block, to tell Caddy to issue a certificate from its own internal CA instead.

If you still face something similar, it would be good to try the -v (verbose) option with curl to check what exactly might be causing the internal error. Let us know how it goes.

Regards,
Nitish
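A Caddyfile site block illustrating the change Nitish describes, added here as an example rather than any config posted in the thread. It assumes the openBalena host (192.168.100.31) and base domain (openbalena.example.com) from the thread; the two blocks are the same site before and after the change, so only one of them goes in a real Caddyfile.

```caddyfile
# Added example, not from the thread. Assumes the upstream openBalena host
# 192.168.100.31 and the base domain openbalena.example.com used above.

# BEFORE (the failing case): no tls directive, so Caddy tries to obtain a
# publicly trusted certificate from Let's Encrypt / ZeroSSL for this name.
# If that issuance fails, the TLS handshake fails and curl reports
# "tlsv1 alert internal error".
api.openbalena.example.com {
    reverse_proxy 192.168.100.31:80
}

# AFTER: tls internal makes Caddy issue the certificate from its own local CA
# instead of an ACME CA. Because that root is not publicly trusted, clients
# must trust it explicitly or use curl -k (as later in the thread).
# A wildcard site covers every <service>.openbalena.example.com hostname
# in one certificate; reverse_proxy forwards the original Host header, which
# the upstream HAProxy relies on to route to the right service.
*.openbalena.example.com {
    tls internal
    reverse_proxy 192.168.100.31:80
}
```

After reloading Caddy, re-run `curl -v https://api.openbalena.example.com/ping` to confirm the handshake now completes and to see which certificate is presented.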

Thanks for the response @nitish! So after knocking my head against a wall for a couple of weeks, I think that I got the openBalena setup done, but now my device just indefinitely stays at a status of “Idle” and the IS ONLINE flag is just false. Any ideas on where to dig into this?

The command curl -k https://api.blah.hi.com/ping returns OK, by the way. But the device is in the offline state according to the balena devices command.

Also, for my quickstart command I have been using the “-c” flag, as found in other posts.

So you probably have something that looks like:

client:443 => caddy (123.123.123.12:443) => openBalena HAProxy (192.168.100.31:80) -> api (service:80)

Which means you are offloading SSL at the caddy endpoint and passing traffic to HAProxy over HTTP (open-balena/haproxy.cfg at master · balena-io/open-balena · GitHub).

What domains (SANs) does your Caddy-issued SSL certificate cover?