Absolute noob - Cannot connect my domain to Caddy without Firefox complaining about insecure connection

1. Caddy version (v2.5.1):

2. How I run Caddy:

I have a Caddyfile and simply run sudo caddy run.

a. System environment:

Garuda Linux

b. Command:

sudo caddy run

d. My complete Caddyfile:

www.linuxas.gr {
	encode gzip
	respond "Hello World!"
	tls webmaster@linuxas.gr
}

3. The problem I’m having:

Firefox complains that no secure connection could be established.

4. Error messages and/or full log output:

*   Trying 127.0.0.1:80...
* Connected to www.linuxas.gr (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: www.linuxas.gr
> User-Agent: curl/7.83.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://www.linuxas.gr/
< Server: Caddy
< Date: Sun, 29 May 2022 00:22:19 GMT
< Content-Length: 0
<
* Closing connection 0

5. What I already tried:

The page works fine on XAMPP (which is kind of insane since XAMPP doesn’t support https without an SSL certificate to my knowledge).

My aim is to set up an Owncast server. Do I need a reverse proxy if no other server is in the middle and my own PC is the server, or can this be done some other way?

1 Like

If I change the Caddyfile to:

https://www.linuxas.gr

respond "Hello, World!"

Curl gives me:

*   Trying 127.0.0.1:443...
* Connected to www.linuxas.gr (127.0.0.1) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, internal error (592):
* error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
* Closing connection 0
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

What’s in Caddy’s logs?

There’s no problem there, that’s just Caddy serving an HTTP->HTTPS redirect. Make sure to use the -L flag to follow redirects (L for the Location header).

1 Like

Thanks for the reply! Where can I find the logs?

curl -v -L https://www.linuxas.gr gives the following:

*   Trying 127.0.0.1:443...
* Connected to www.linuxas.gr (127.0.0.1) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, internal error (592):
* error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
* Closing connection 0
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

Well you said you’re running Caddy with caddy run. The logs are emitted to stdout/stderr.

Oh perfect this is what I’m getting then:

2022/05/29 14:56:14.160	INFO	using adjacent Caddyfile
2022/05/29 14:56:14.160	WARN	Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies	{"adapter": "caddyfile", "file": "Caddyfile", "line": 2}
2022/05/29 14:56:14.161	INFO	admin	admin endpoint started	{"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2022/05/29 14:56:14.161	INFO	http	server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS	{"server_name": "srv1", "https_port": 443}
2022/05/29 14:56:14.161	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv1"}
2022/05/29 14:56:14.161	INFO	tls.cache.maintenance	started background certificate maintenance	{"cache": "0xc000465e30"}
2022/05/29 14:56:14.161	INFO	tls	cleaning storage unit	{"description": "FileStorage:/root/.local/share/caddy"}
2022/05/29 14:56:14.161	INFO	http	enabling automatic TLS certificate management	{"domains": ["www.linuxas.gr"]}
2022/05/29 14:56:14.161	INFO	autosaved config (load with --resume flag)	{"file": "/root/.config/caddy/autosave.json"}
2022/05/29 14:56:14.161	INFO	serving initial configuration
2022/05/29 14:56:14.161	INFO	tls	finished cleaning storage units
2022/05/29 14:56:14.161	INFO	tls.obtain	acquiring lock	{"identifier": "www.linuxas.gr"}
2022/05/29 14:56:14.162	INFO	tls.obtain	lock acquired	{"identifier": "www.linuxas.gr"}
2022/05/29 14:56:14.163	INFO	tls.issuance.acme	waiting on internal rate limiter	{"identifiers": ["www.linuxas.gr"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "skokkineas@protonmail.com"}
2022/05/29 14:56:14.163	INFO	tls.issuance.acme	done waiting on internal rate limiter	{"identifiers": ["www.linuxas.gr"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "skokkineas@protonmail.com"}
2022/05/29 14:56:15.514	INFO	tls.issuance.acme.acme_client	trying to solve challenge	{"identifier": "www.linuxas.gr", "challenge_type": "tls-alpn-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2022/05/29 14:56:19.312	ERROR	tls.issuance.acme.acme_client	challenge failed	{"identifier": "www.linuxas.gr", "challenge_type": "tls-alpn-01", "problem": {"type": "urn:ietf:params:acme:error:dns", "title": "", "detail": "DNS problem: SERVFAIL looking up A for www.linuxas.gr - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for www.linuxas.gr - the domain's nameservers may be malfunctioning", "instance": "", "subproblems": []}}
2022/05/29 14:56:19.312	ERROR	tls.issuance.acme.acme_client	validating authorization	{"identifier": "www.linuxas.gr", "problem": {"type": "urn:ietf:params:acme:error:dns", "title": "", "detail": "DNS problem: SERVFAIL looking up A for www.linuxas.gr - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for www.linuxas.gr - the domain's nameservers may be malfunctioning", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/563952596/92974220956", "attempt": 1, "max_attempts": 3}
2022/05/29 14:56:21.041	INFO	tls.issuance.acme.acme_client	trying to solve challenge	{"identifier": "www.linuxas.gr", "challenge_type": "http-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2022/05/29 14:56:23.987	ERROR	tls.issuance.acme.acme_client	challenge failed	{"identifier": "www.linuxas.gr", "challenge_type": "http-01", "problem": {"type": "urn:ietf:params:acme:error:dns", "title": "", "detail": "DNS problem: SERVFAIL looking up A for www.linuxas.gr - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for www.linuxas.gr - the domain's nameservers may be malfunctioning", "instance": "", "subproblems": []}}
2022/05/29 14:56:23.987	ERROR	tls.issuance.acme.acme_client	validating authorization	{"identifier": "www.linuxas.gr", "problem": {"type": "urn:ietf:params:acme:error:dns", "title": "", "detail": "DNS problem: SERVFAIL looking up A for www.linuxas.gr - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for www.linuxas.gr - the domain's nameservers may be malfunctioning", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/563952596/92974238516", "attempt": 2, "max_attempts": 3}
2022/05/29 14:56:23.987	ERROR	tls.obtain	could not get certificate from issuer	{"identifier": "www.linuxas.gr", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: SERVFAIL looking up A for www.linuxas.gr - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for www.linuxas.gr - the domain's nameservers may be malfunctioning"}
2022/05/29 14:56:25.165	INFO	tls.issuance.zerossl	generated EAB credentials	{"key_id": "3JBFRg5tcMEEtDxm2Mty2A"}

So there you go, looks like your DNS isn’t correctly configured. Make sure you have A or AAAA records pointing to your server.

2 Likes
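The diagnosis above was read straight off Caddy's stdout log. The following script, added here as an example and not part of Caddy or this thread, does the same triage mechanically: it parses Caddy's default console log layout (tab-separated timestamp, level, optional logger name, message, optional trailing JSON object), keeps only the ACME "challenge failed" errors, and maps the CA's problem type (the `urn:ietf:params:acme:error:*` identifiers from RFC 8555) to a remediation hint. The sample lines are reconstructed from the log posted in this thread; the hint table and the `diagnose` function are assumptions of this example, not Caddy behaviour.

```python
"""Triage ACME certificate-issuance failures from Caddy's console log (added example)."""
import json

# RFC 8555 problem types mapped to a defender's first check (hints are this example's wording).
ACME_HINTS = {
    "urn:ietf:params:acme:error:dns":
        "DNS: the CA could not resolve the name; verify public A/AAAA records and the zone's nameservers",
    "urn:ietf:params:acme:error:connection":
        "Connection: the CA could not reach the host; verify ports 80/443 are reachable from the internet",
    "urn:ietf:params:acme:error:unauthorized":
        "Unauthorized: the challenge answer was wrong; another service may be answering on the port",
    "urn:ietf:params:acme:error:rateLimited":
        "Rate limited: stop retrying and wait, or test against the staging CA",
}


def _line(ts, level, logger, msg, data=None):
    """Build one console log line the way Caddy prints it (tab separated, JSON fields last)."""
    fields = [ts, level] + ([logger] if logger else []) + [msg]
    if data is not None:
        fields.append(json.dumps(data))
    return "\t".join(fields)


# Constructed sample, reconstructed from the log shown earlier in the thread.
_CA = "https://acme-v02.api.letsencrypt.org/directory"
_DNS_DETAIL = ("DNS problem: SERVFAIL looking up A for www.linuxas.gr - the domain's nameservers "
               "may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for www.linuxas.gr")
_PROBLEM = {"type": "urn:ietf:params:acme:error:dns", "title": "", "detail": _DNS_DETAIL,
            "instance": "", "subproblems": []}
SAMPLE_LINES = [
    _line("2022/05/29 14:56:14.160", "INFO", "", "using adjacent Caddyfile"),
    _line("2022/05/29 14:56:14.161", "INFO", "http", "enabling automatic TLS certificate management",
          {"domains": ["www.linuxas.gr"]}),
    _line("2022/05/29 14:56:15.514", "INFO", "tls.issuance.acme.acme_client", "trying to solve challenge",
          {"identifier": "www.linuxas.gr", "challenge_type": "tls-alpn-01", "ca": _CA}),
    _line("2022/05/29 14:56:19.312", "ERROR", "tls.issuance.acme.acme_client", "challenge failed",
          {"identifier": "www.linuxas.gr", "challenge_type": "tls-alpn-01", "problem": _PROBLEM}),
    _line("2022/05/29 14:56:19.312", "ERROR", "tls.issuance.acme.acme_client", "validating authorization",
          {"identifier": "www.linuxas.gr", "problem": _PROBLEM, "attempt": 1, "max_attempts": 3}),
    _line("2022/05/29 14:56:23.987", "ERROR", "tls.issuance.acme.acme_client", "challenge failed",
          {"identifier": "www.linuxas.gr", "challenge_type": "http-01", "problem": _PROBLEM}),
    _line("2022/05/29 14:56:23.987", "ERROR", "tls.obtain", "could not get certificate from issuer",
          {"identifier": "www.linuxas.gr", "issuer": "acme-v02.api.letsencrypt.org-directory",
           "error": "HTTP 400 urn:ietf:params:acme:error:dns - " + _DNS_DETAIL}),
]


def parse_caddy_log_line(line):
    """Split one console log line into timestamp, level, logger, message and JSON fields."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 3:
        return None  # blank or truncated line
    ts, level, rest = fields[0], fields[1], fields[2:]
    data = {}
    if rest[-1].startswith("{"):
        data = json.loads(rest.pop())  # structured fields ride along as the last column
    # What remains is either [logger, message] or just [message] (no logger name).
    logger = rest[0] if len(rest) == 2 else ""
    return {"ts": ts, "level": level, "logger": logger, "message": rest[-1], "data": data}


def acme_failures(lines):
    """Return each failed ACME challenge with the CA's problem type and detail."""
    failures = []
    for line in lines:
        entry = parse_caddy_log_line(line)
        if not entry or entry["level"] != "ERROR":
            continue
        if not entry["logger"].startswith("tls.issuance.acme") or entry["message"] != "challenge failed":
            continue
        problem = entry["data"].get("problem", {})
        failures.append({"identifier": entry["data"].get("identifier"),
                         "challenge": entry["data"].get("challenge_type"),
                         "problem_type": problem.get("type"),
                         "detail": problem.get("detail")})
    return failures


def diagnose(lines):
    """Group failures per identifier and attach the hint for every distinct problem type seen."""
    report = {}
    for f in acme_failures(lines):
        item = report.setdefault(f["identifier"], {"challenges": [], "problem_types": set()})
        item["challenges"].append(f["challenge"])
        item["problem_types"].add(f["problem_type"])
    for item in report.values():
        item["hints"] = sorted(ACME_HINTS.get(t, "unknown problem type: " + str(t))
                               for t in item["problem_types"])
    return report


if __name__ == "__main__":
    for name, item in diagnose(SAMPLE_LINES).items():
        print(name, "failed", item["challenges"], "->", "; ".join(item["hints"]))
```

Run it against a captured log with `caddy run 2>&1 | tee caddy.log` and `diagnose(open("caddy.log"))`. Because the CA's problem type is the same whichever challenge Caddy tries (here both tls-alpn-01 and http-01 fail with the DNS type), grouping by type rather than by challenge gets to the root cause faster: a DNS failure means no challenge can succeed until the public records exist.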

Any pointers on how to do that? Is FreeIPA related to this?

Do you own the www.linuxas.gr domain? Which domain registrar did you buy it from?

You need a public domain (not one that just resolves in your private network) for ACME, to get a publicly signed TLS certificate.

Yes, the domain is mine. I bought from here.
So if I get a Web Hosting Service from a provider and pay monthly it should work fine?
