GOTIFY_SERVER_SSL_LETSENCRYPT_HOSTS: environment variable not working
Have you read the documentation?
- [ × ] Yes, but it does not include related information regarding my question.
- [ ] Yes, but the steps described in the documentation do not work on my machine.
- [ ] Yes, but I am having difficulty understanding it and want clarification.
You are setting up gotify in
- [ × ] Docker
- [ ] Linux native platform
- [ ] Windows native platform
Describe your problem
Trying to set up SSL for gotify, running in a container, set up with docker compose. Relevant compose.yaml file:
services:
  gotify:
    image: gotify/server
    container_name: gotify
    restart: always
    ports:
      - "32768:80"
      - "42768:443"
    environment:
      GOTIFY_DEFAULTUSER_PASS: admin
      GOTIFY_SERVER_SSL_ENABLED: "true"
      GOTIFY_SERVER_SSL_LETSENCRYPT_HOSTS: gotify.url.xyz
      GOTIFY_SERVER_SSL_PORT: 443
      GOTIFY_SERVER_SSL_LETSENCRYPT_ENABLED: "true"
      GOTIFY_SERVER_SSL_LETSENCRYPT_ACCEPTTOS: "true"
      GOTIFY_SERVER_SSL_LETSENCRYPT_CACHE: /app/data/certs
      GOTIFY_SERVER_SSL_REDIRECTTOHTTPS: "true"
    volumes:
      - './gotify_data:/app/data'
I get this error when starting the container
gotify | Starting Gotify version 2.6.3@2025-04-27-09:10:38
gotify | panic: yaml: unmarshal errors:
gotify | line 1: cannot unmarshal !!str `gotify....` into []string
gotify |
gotify | goroutine 1 [running]:
gotify | github.com/gotify/server/v2/config.Get()
gotify | /src/gotify/config/config.go:71 +0x1e6
gotify | main.main()
gotify | /src/gotify/app.go:31 +0x18f
gotify exited with code 2
You need to wrap the hosts into an array. E.g.
GOTIFY_SERVER_SSL_LETSENCRYPT_HOSTS: '[gotify.url.xyz]'
ok, that fixed that, but now if I try to open the site via https, I get a "connection was unexpectedly terminated", with nothing in the logs..
Hi, can you share some more details about your setup? (Where does the port 32768 and 42768 wire to?)
My intuitive understanding of what went wrong is: obviously Let's Encrypt has to verify you actually control that server, so http://gotify.example.com/ has to hit your gotify instance for it to work (so gotify can get a certificate issued and then https can work)
just the mapped ports gotify listens on, I did change them out to be 80 and 443 to see if that would make a difference, I wasn't sure yet if I could use the standard ports for the container when I set up the instance.
Hmmm... You changed it to 80 and 443, did it work? (It feels to me it should, but it seems like you didn't say it worked..)
A quick sanity check is to DISABLE SSL then curl -v http://gotify.example.com, you should see a proper response. If so then enabling ssl should work. (If you have attempted too many restarts Let's Encrypt might have rate limited you and you might have to wait a couple hours)
To be honest this auto https feature is only useful if you use this server exclusively for Gotify; to me it seems that isn't the case since you decided to use high ports initially. If you don't intend on doing that you should just follow a reverse proxy setup guide on https://gotify.net
it works fine without SSL, even if I turn SSL on and explicitly open it via http://, just not https
What does https:// give you? the "unexpectedly terminated"?
If so can you try locally do curl --insecure -H "Host: gotify.example.com" https://localhost and see if it shows up?
If it shows up can you try the same thing from another computer? curl --insecure -H "Host: gotify.example.com" https://gotify.example.com?
from the server it gives me: curl: (35) OpenSSL/3.0.17: error:0A000438:SSL routines::tlsv1 alert internal error
from a different computer it shows curl: (52) Empty reply from server
Okay.. it is certainly abnormal as if you set GOTIFY_SERVER_SSL_REDIRECTTOHTTPS afaik http port should give you a 301..
To be honest I still suggest it might be more flexible if you just use a reverse proxy like Caddy, where you just install the package, write "I want this port to be on https://mydomain", and it does all of this for you.
But if you want to go this gotify only route can you give me a docker inspect gotify for me?
I'm considering it.. but here's the output of that:
[
{
"Id": "7a8aa7ff25462f015494ac1cea9d5d7c4ea9d1fab14915d253b9f96e19d42036",
"Created": "2025-09-15T11:19:20.51161539Z",
"Path": "./gotify-app",
"Args": [],
"State": {
"Status": "running",
"Running": true,
"Paused": false,
"Restarting": false,
"OOMKilled": false,
"Dead": false,
"Pid": 435250,
"ExitCode": 0,
"Error": "",
"StartedAt": "2025-09-15T11:19:20.998114624Z",
"FinishedAt": "0001-01-01T00:00:00Z",
"Health": {
"Status": "healthy",
"FailingStreak": 0,
"Log": [
{
"Start": "2025-09-16T11:28:46.638586927+02:00",
"End": "2025-09-16T11:28:46.8101988+02:00",
"ExitCode": 0,
"Output": " % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n\r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0\r100 37 100 37 0 0 3253 0 --:--:-- --:--:-- --:--:-- 3363\n{\"health\":\"green\",\"database\":\"green\"}"
},
{
"Start": "2025-09-16T11:29:16.811830578+02:00",
"End": "2025-09-16T11:29:16.966863273+02:00",
"ExitCode": 0,
"Output": " % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n\r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0\r100 37 100 37 0 0 25801 0 --:--:-- --:--:-- --:--:-- 37000\n{\"health\":\"green\",\"database\":\"green\"}"
},
{
"Start": "2025-09-16T11:29:46.968636078+02:00",
"End": "2025-09-16T11:29:47.125368513+02:00",
"ExitCode": 0,
"Output": " % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n\r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0\r100 37 100 37 0 0 16285 0 --:--:-- --:--:-- --:--:-- 18500\n{\"health\":\"green\",\"database\":\"green\"}"
},
{
"Start": "2025-09-16T11:30:17.126479575+02:00",
"End": "2025-09-16T11:30:17.27153572+02:00",
"ExitCode": 0,
"Output": " % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n\r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0\r100 37 100 37 0 0 23299 0 --:--:-- --:--:-- --:--:-- 37000\n{\"health\":\"green\",\"database\":\"green\"}"
},
{
"Start": "2025-09-16T11:30:47.273852892+02:00",
"End": "2025-09-16T11:30:47.417164001+02:00",
"ExitCode": 0,
"Output": " % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n\r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0\r100 37 100 37 0 0 24374 0 --:--:-- --:--:-- --:--:-- 37000\n{\"health\":\"green\",\"database\":\"green\"}"
}
]
}
},
"Image": "sha256:a04df96d3f8888b70877ee865d7a90f4814787a8112374ee32abba745c735dd9",
"ResolvConfPath": "/var/lib/docker/containers/7a8aa7ff25462f015494ac1cea9d5d7c4ea9d1fab14915d253b9f96e19d42036/resolv.conf",
"HostnamePath": "/var/lib/docker/containers/7a8aa7ff25462f015494ac1cea9d5d7c4ea9d1fab14915d253b9f96e19d42036/hostname",
"HostsPath": "/var/lib/docker/containers/7a8aa7ff25462f015494ac1cea9d5d7c4ea9d1fab14915d253b9f96e19d42036/hosts",
"LogPath": "/var/lib/docker/containers/7a8aa7ff25462f015494ac1cea9d5d7c4ea9d1fab14915d253b9f96e19d42036/7a8aa7ff25462f015494ac1cea9d5d7c4ea9d1fab14915d253b9f96e19d42036-json.log",
"Name": "/gotify",
"RestartCount": 0,
"Driver": "overlay2",
"Platform": "linux",
"MountLabel": "",
"ProcessLabel": "",
"AppArmorProfile": "docker-default",
"ExecIDs": null,
"HostConfig": {
"Binds": [
"/root/compose-notifsys/gotify_data:/app/data:rw"
],
"ContainerIDFile": "",
"LogConfig": {
"Type": "json-file",
"Config": {}
},
"NetworkMode": "compose-notifsys_default",
"PortBindings": {
"443/tcp": [
{
"HostIp": "",
"HostPort": "443"
}
],
"80/tcp": [
{
"HostIp": "",
"HostPort": "80"
}
]
},
"RestartPolicy": {
"Name": "always",
"MaximumRetryCount": 0
},
"AutoRemove": false,
"VolumeDriver": "",
"VolumesFrom": null,
"ConsoleSize": [
0,
0
],
"CapAdd": null,
"CapDrop": null,
"CgroupnsMode": "private",
"Dns": null,
"DnsOptions": null,
"DnsSearch": null,
"ExtraHosts": [],
"GroupAdd": null,
"IpcMode": "private",
"Cgroup": "",
"Links": null,
"OomScoreAdj": 0,
"PidMode": "",
"Privileged": false,
"PublishAllPorts": false,
"ReadonlyRootfs": false,
"SecurityOpt": null,
"UTSMode": "",
"UsernsMode": "",
"ShmSize": 67108864,
"Runtime": "runc",
"Isolation": "",
"CpuShares": 0,
"Memory": 0,
"NanoCpus": 0,
"CgroupParent": "",
"BlkioWeight": 0,
"BlkioWeightDevice": null,
"BlkioDeviceReadBps": null,
"BlkioDeviceWriteBps": null,
"BlkioDeviceReadIOps": null,
"BlkioDeviceWriteIOps": null,
"CpuPeriod": 0,
"CpuQuota": 0,
"CpuRealtimePeriod": 0,
"CpuRealtimeRuntime": 0,
"CpusetCpus": "",
"CpusetMems": "",
"Devices": null,
"DeviceCgroupRules": null,
"DeviceRequests": null,
"MemoryReservation": 0,
"MemorySwap": 0,
"MemorySwappiness": null,
"OomKillDisable": null,
"PidsLimit": null,
"Ulimits": null,
"CpuCount": 0,
"CpuPercent": 0,
"IOMaximumIOps": 0,
"IOMaximumBandwidth": 0,
"MaskedPaths": [
"/proc/asound",
"/proc/acpi",
"/proc/interrupts",
"/proc/kcore",
"/proc/keys",
"/proc/latency_stats",
"/proc/timer_list",
"/proc/timer_stats",
"/proc/sched_debug",
"/proc/scsi",
"/sys/firmware",
"/sys/devices/virtual/powercap"
],
"ReadonlyPaths": [
"/proc/bus",
"/proc/fs",
"/proc/irq",
"/proc/sys",
"/proc/sysrq-trigger"
]
},
"GraphDriver": {
"Data": {
"ID": "7a8aa7ff25462f015494ac1cea9d5d7c4ea9d1fab14915d253b9f96e19d42036",
"LowerDir": "/var/lib/docker/overlay2/9bd4194242037da5d26d74a7b57b9178152aa4ea6cc9e6b8f210abd954b5ca77-init/diff:/var/lib/docker/overlay2/c45cb237e75a1988e948a2f1d787dc7af736ffad60d07a5eed408653fd9e5cbf/diff:/var/lib/docker/overlay2/7702287ace1a048d8ac0792c337a87cb46d59b6fe20d12b86ec7e5be38ed8557/diff:/var/lib/docker/overlay2/960eacaf9c0fbdc04b7ab6a37627ebe907caad0b03cad5137bfeac4be436fde9/diff:/var/lib/docker/overlay2/975703ca3deef74dc13ed77f0ad8b8de17299c80d7cd8210570ae90beb62a7ef/diff",
"MergedDir": "/var/lib/docker/overlay2/9bd4194242037da5d26d74a7b57b9178152aa4ea6cc9e6b8f210abd954b5ca77/merged",
"UpperDir": "/var/lib/docker/overlay2/9bd4194242037da5d26d74a7b57b9178152aa4ea6cc9e6b8f210abd954b5ca77/diff",
"WorkDir": "/var/lib/docker/overlay2/9bd4194242037da5d26d74a7b57b9178152aa4ea6cc9e6b8f210abd954b5ca77/work"
},
"Name": "overlay2"
},
"Mounts": [
{
"Type": "bind",
"Source": "/root/compose-notifsys/gotify_data",
"Destination": "/app/data",
"Mode": "rw",
"RW": true,
"Propagation": "rprivate"
}
],
"Config": {
"Hostname": "gotify",
"Domainname": "",
"User": "",
"AttachStdin": false,
"AttachStdout": true,
"AttachStderr": true,
"ExposedPorts": {
"443/tcp": {},
"80/tcp": {}
},
"Tty": false,
"OpenStdin": false,
"StdinOnce": false,
"Env": [
"GOTIFY_SERVER_SSL_ENABLED=true",
"GOTIFY_SERVER_SSL_PORT=443",
"GOTIFY_SERVER_SSL_REDIRECTTOHTTPS=false",
"GOTIFY_SERVER_SSL_LETSENCRYPT_CACHE=/app/data/certs",
"GOTIFY_SERVER_SSL_LETSENCRYPT_ENABLED=true",
"GOTIFY_DEFAULTUSER_PASS=admin",
"GOTIFY_SERVER_SSL_LETSENCRYPT_ACCEPTTOS=true",
"GOTIFY_SERVER_SSL_LETSENCRYPT_HOSTS=[gotify.url]",
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"GOTIFY_SERVER_PORT=80"
],
"Cmd": null,
"Healthcheck": {
"Test": [
"CMD-SHELL",
"curl --fail http://localhost:$GOTIFY_SERVER_PORT/health || exit 1"
],
"Interval": 30000000000,
"Timeout": 5000000000,
"StartPeriod": 5000000000
},
"Image": "gotify/server",
"Volumes": null,
"WorkingDir": "/app",
"Entrypoint": [
"./gotify-app"
],
"OnBuild": null,
"Labels": {
"com.docker.compose.config-hash": "9b7a8b29087b4c7833cf0ff52183333bd32304cfa4ce332ce25152ff036b70b4",
"com.docker.compose.container-number": "1",
"com.docker.compose.depends_on": "",
"com.docker.compose.image": "sha256:a04df96d3f8888b70877ee865d7a90f4814787a8112374ee32abba745c735dd9",
"com.docker.compose.oneoff": "False",
"com.docker.compose.project": "compose-notifsys",
"com.docker.compose.project.config_files": "/root/compose-notifsys/compose.yaml",
"com.docker.compose.project.working_dir": "/root/compose-notifsys",
"com.docker.compose.service": "gotify",
"com.docker.compose.version": "2.39.2"
}
},
"NetworkSettings": {
"Bridge": "",
"SandboxID": "64f92a6eac7a50c4a2afb354b7fa643812486da2e518002489952c48f67108ec",
"SandboxKey": "/var/run/docker/netns/64f92a6eac7a",
"Ports": {
"443/tcp": [
{
"HostIp": "0.0.0.0",
"HostPort": "443"
},
{
"HostIp": "::",
"HostPort": "443"
}
],
"80/tcp": [
{
"HostIp": "0.0.0.0",
"HostPort": "80"
},
{
"HostIp": "::",
"HostPort": "80"
}
]
},
"HairpinMode": false,
"LinkLocalIPv6Address": "",
"LinkLocalIPv6PrefixLen": 0,
"SecondaryIPAddresses": null,
"SecondaryIPv6Addresses": null,
"EndpointID": "",
"Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"IPAddress": "",
"IPPrefixLen": 0,
"IPv6Gateway": "",
"MacAddress": "",
"Networks": {
"compose-notifsys_default": {
"IPAMConfig": null,
"Links": null,
"Aliases": [
"gotify",
"gotify"
],
"MacAddress": "92:c6:56:18:d8:5f",
"DriverOpts": null,
"GwPriority": 0,
"NetworkID": "4b1ee231319bb016dc5d9f8afb5d4245f1c9a473fa6db6bb47703959f37a3906",
"EndpointID": "ad67b83c41b928076cac1b8dfe3306a768dadab482f6dff645e129e0fd23fd2f",
"Gateway": "172.18.0.1",
"IPAddress": "172.18.0.3",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"DNSNames": [
"gotify",
"7a8aa7ff2546"
]
}
}
}
}
]
Okay this looks okay to me.. three things to check:
- Does this data/certs directory exist? Is there anything in it?
- Did you see this "[started listening for] TLS connections" log message? Check with docker logs gotify
- Make sure your DNS is actually resolving correctly to the URL you configured on the environment variables..
https://github.com/gotify/server/blob/9e1455ff7d3046c0f17ca294e8497de46698bcac/runner/runner.go#L36
Note to self: I was thinking maybe we can have a tiny CLI verb to dump the current effective configuration.. it seems this environment variable thing is making it hard to isolate the reason why something isn't working.
- the directory is in the container, invisible to me afaik
- yeah, it always starts with
Started listening for plain connection on tcp [::]:80
Started listening for TLS connection on tcp [::]:443
- yeah DNS works, i can get to the server via http using the URL
the directory is in the container, invisible to me afaik
From your docker compose file it should be in "./gotify_data/certs"?
If that doesn't exist that might explain things: no server certificate means no TLS handshake can possibly happen, and the "empty reply" prob comes from that..
Do you have a Go toolchain and can build it yourself? I am pushing a PR to try to make any autocert internal errors show up today. Sorry, it is really frustrating for you.
btw in case you have not tried, a trivial fix might be to just shut down the service for a couple hours, it is possible you somehow exceeded LE's ratelimit and autocert is stuck in a loop of trying and getting ratelimited harder ...
I tried the workflow on my end, it seems like if you visit the port 443 from the public URL, docker logs gotify should tell you the error?
This is what I get (seems very similar to your curl output but I see a log entry on Gotify after I requested it):
curl ...
* TLS connect error: error:0A000438:SSL routines::tlsv1 alert internal error
* closing connection #0
curl: (35) TLS connect error: error:0A000438:SSL routines::tlsv1 alert internal error
2025/09/16 11:37:04 http: TLS handshake error from 127.0.0.1:38316: acme/autocert: unable to satisfy "https://acme-staging-v02.api.letsencrypt.org/acme/authz/228446964/19360740614" for domain "test.yumechi.jp": no viable challenge type found
afaik acme via http challenge will only work if the service is exposed on 80/443 to the public internet.
Thanks for the addition, there was a bug (I think?) preventing ALPN challenges from working (I fixed it in #843), so currently on the latest release probably the only way to get the certificate is port 80 (http-01 challenge), but since they mentioned visiting over http:// shows up normally I don't think this alone explains it ..
Trying to ask them for any server side indication when the https port is hit and autocert might dump some error like what I showed.
If I send curl --insecure -H "Host: gotify.example.com" https://localhost from the server, i get this log entry:
2025/09/17 07:00:30 http: TLS handshake error from 172.18.0.1:53204: acme/autocert: server name component count invalid
If i send curl --insecure -H "Host: gotify.example.com" https://gotify.example.com from another machine, I get no log entry
Okay I am pretty sure I know this error, this is your SNI not matching.
If I send curl --insecure -H "Host: gotify.example.com" https://localhost from the server, i get this log entry:
Do this exact thing again, except:
curl --resolve gotify.example.com:443:127.0.0.1 -v https://gotify.example.com
It should work (and give you the Gotify page) if your port 80 is accessible from the Internet. Then let's figure out why from another machine isn't working.
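The difference between the two curl invocations above, as an added Go example that is not part of the thread or of Gotify's code: with `-H "Host: ..."` against https://localhost the TLS client still sends `localhost` as SNI, while `--resolve` keeps the real hostname in the handshake. `checkSNI`, `probe` and the host list are hypothetical names, the check is a simplified stand-in for a certificate manager's server-name validation, and the certificate is a throwaway self-signed one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"strings"
)

var hosts = []string{"gotify.example.com"} // constructed stand-in for the configured hosts list

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// checkSNI is a simplified, hypothetical version of the server-name checks run before a certificate is served.
func checkSNI(name string) error {
	if !strings.Contains(strings.Trim(name, "."), ".") {
		return fmt.Errorf("server name component count invalid")
	}
	for _, h := range hosts {
		if strings.EqualFold(h, name) {
			return nil
		}
	}
	return fmt.Errorf("host %q not configured", name)
}

// selfSigned builds a throwaway certificate so the handshake runs offline.
func selfSigned() *tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1)}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// probe does one loopback handshake with the given SNI; it returns the server-side and client-side errors.
func probe(sni string) (error, error) {
	cert := selfSigned()
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if err := checkSNI(h.ServerName); err != nil {
				return nil, err // the client only sees a TLS "internal error" alert
			}
			return cert, nil
		},
	}))
	done := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			err = c.(*tls.Conn).Handshake()
			c.Close()
		}
		done <- err
	}()
	// InsecureSkipVerify mirrors curl --insecure; it does not change the SNI that is sent.
	conn, cerr := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: sni, InsecureSkipVerify: true})
	if cerr == nil {
		conn.Close()
	}
	ln.Close() // unblocks Accept if the dial never reached the listener
	return <-done, cerr
}

func main() {
	for _, sni := range []string{"localhost", hosts[0]} {
		s, c := probe(sni)
		fmt.Printf("SNI=%q server=%v client=%v\n", sni, s, c)
	}
}
```

The server-side reason appears only in the server log; the client gets a bare alert, which is why the curl output alone could not explain the failure.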
* Added gotify.mmc.at:443:127.0.0.1 to DNS cache
* Hostname gotify.mmc.at was found in DNS cache
* Trying 127.0.0.1:443...
* Connected to gotify.mmc.at (127.0.0.1) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server accepted h2
* Server certificate:
* subject: CN=gotify.mmc.at
* start date: Sep 15 10:02:43 2025 GMT
* expire date: Dec 14 10:02:42 2025 GMT
* subjectAltName: host "gotify.mmc.at" matched cert's "gotify.mmc.at"
* issuer: C=US; O=Let's Encrypt; CN=E7
* SSL certificate verify ok.
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /]
* h2h3 [:scheme: https]
* h2h3 [:authority: gotify.mmc.at]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x5584c34257a0)
> GET / HTTP/2
> Host: gotify.mmc.at
> user-agent: curl/7.88.1
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS alert, close notify (256):
* HTTP/2 stream 1 was not closed cleanly before end of the underlying stream
* Closing connection 0
curl: (18) HTTP/2 stream 1 was not closed cleanly before end of the underlying stream
It looks like it works but then it just closes connection..?
Can you try --http1.1 and see what it does (and are there server log entries)? (to isolate the issue). If you are okay with it I can try hit your server as well to see if I can see something ..
It seems there are some issues with ALPN on the current version (on my referenced PR) which may affect bare-bones setup like this.
* Added gotify.example.com:443:127.0.0.1 to DNS cache
* Hostname gotify.example.com was found in DNS cache
* Trying 127.0.0.1:443...
* Connected to gotify.example.com (127.0.0.1) port 443 (#0)
* ALPN: offers http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server accepted http/1.1
* Server certificate:
* subject: CN=gotify.example.com
* start date: Sep 15 10:02:43 2025 GMT
* expire date: Dec 14 10:02:42 2025 GMT
* subjectAltName: host "gotify.example.com" matched cert's "gotify.example.com"
* issuer: C=US; O=Let's Encrypt; CN=E7
* SSL certificate verify ok.
* using HTTP/1.1
> GET / HTTP/1.1
> Host: gotify.example.com
> User-Agent: curl/7.88.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/1.1 200 OK
< Content-Type: text/html
< Date: Wed, 17 Sep 2025 07:21:48 GMT
< Transfer-Encoding: chunked
<
* Connection #0 to host gotify.example.com left intact
this seems to work, the logs only show this at the time:
2025-09-17T07:27:15Z | 200 | 66.843µs | 172.18.0.1 | GET "/"
Is it okay if I hit your server myself to try see what's going on?
I tried using a local SSL certificate and key, HTTP2 seems to work fine on my end on the main branch.
Alright, it's gotify.mmc.at
Can you update to the latest version? It seems like you are not on the latest version (it should be 2.7.2), I think that should solve the issue..
Next time please highlight that you are not using the latest version .. it is very important information.
oh, I've been pulling from docker, do you mean the github version with latest?
No, docker.io latest is 2.7.2, not 2.6.3, please pull latest containers (docker compose up [..] --pull always).
https://hub.docker.com/r/gotify/server/tags
ok, running 2.7.2 now, logs are weird tho, it only says it's listening on port 80 now..
Does docker inspect gotify still show the correct environment variables in "Env"?
I tried locally, it shouldn't be:
docker run -it --rm -p 8000:80 -p 8443:443 -v ./data:/app/data -e GOTIFY_SERVER_SSL_LETSENCRYPT_ENABLED=true -e GOTIFY_SERVER_SSL_ENABLED=true docker.io/gotify/server:2.7.2
Starting Gotify version 2.7.2@2025-09-13-12:32:36
Started listening for plain connection on tcp [::]:80
Started listening for TLS connection on tcp [::]:443
my mistake, i had previously commented out the SSL environment variables without restarting the containers, i do not remember why.. fixed it now