Absolute noob - Cannot connect my domain to Caddy without Firefox complaining about insecure connection

1. Caddy version (v2.5.1):

2. How I run Caddy:

I have a Caddyfile and simply run sudo caddy run.

a. System environment:

Garuda Linux

b. Command:

sudo caddy run

d. My complete Caddyfile:

www.linuxas.gr{
encode gzip
respond "Hello World!"
tls webmaster@linuxas.gr
}

3. The problem I’m having:

Firefox complains that no secure connection could be established.

4. Error messages and/or full log output:

*   Trying 127.0.0.1:80...
* Connected to www.linuxas.gr (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: www.linuxas.gr
> User-Agent: curl/7.83.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://www.linuxas.gr/
< Server: Caddy
< Date: Sun, 29 May 2022 00:22:19 GMT
< Content-Length: 0
<
* Closing connection 0

5. What I already tried:

The page works fine on XAMPP (which is kind of insane since XAMPP doesn’t support https without n SSL certificate to my knowledge).

My aim is to set up an Owncast server, do I need a reverse proxy if no other server is in the middle and my own PC is the server or can this be done some way else?

1 Like

If I change the Caddyfile to:

https://www.linuxas.gr

respond "Hello, World!"

Curl gives me:

*   Trying 127.0.0.1:443...
* Connected to www.linuxas.gr (127.0.0.1) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, internal error (592):
* error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
* Closing connection 0
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

What’s in Caddy’s logs?

There’s no problem there, that’s just Caddy serving an HTTP->HTTPS redirect. Make sure to use the -L flag to follow redirects (L for the Location header).

1 Like

Thanks for the reply! Where can I find the logs?

curl -v -L https://www.linuxas.gr gives the following:

*   Trying 127.0.0.1:443...
* Connected to www.linuxas.gr (127.0.0.1) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, internal error (592):
* error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
* Closing connection 0
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

Well you said you’re running Caddy with caddy run. The logs are emitted to stdout/stderr.

Oh perfect this is what I’m getting then:

2022/05/29 14:56:14.160	INFO	using adjacent Caddyfile
2022/05/29 14:56:14.160	WARN	Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies	{"adapter": "caddyfile", "file": "Caddyfile", "line": 2}
2022/05/29 14:56:14.161	INFO	admin	admin endpoint started	{"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2022/05/29 14:56:14.161	INFO	http	server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS	{"server_name": "srv1", "https_port": 443}
2022/05/29 14:56:14.161	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv1"}
2022/05/29 14:56:14.161	INFO	tls.cache.maintenance	started background certificate maintenance	{"cache": "0xc000465e30"}
2022/05/29 14:56:14.161	INFO	tls	cleaning storage unit	{"description": "FileStorage:/root/.local/share/caddy"}
2022/05/29 14:56:14.161	INFO	http	enabling automatic TLS certificate management	{"domains": ["www.linuxas.gr"]}
2022/05/29 14:56:14.161	INFO	autosaved config (load with --resume flag)	{"file": "/root/.config/caddy/autosave.json"}
2022/05/29 14:56:14.161	INFO	serving initial configuration
2022/05/29 14:56:14.161	INFO	tls	finished cleaning storage units
2022/05/29 14:56:14.161	INFO	tls.obtain	acquiring lock	{"identifier": "www.linuxas.gr"}
2022/05/29 14:56:14.162	INFO	tls.obtain	lock acquired	{"identifier": "www.linuxas.gr"}
2022/05/29 14:56:14.163	INFO	tls.issuance.acme	waiting on internal rate limiter	{"identifiers": ["www.linuxas.gr"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "skokkineas@protonmail.com"}
2022/05/29 14:56:14.163	INFO	tls.issuance.acme	done waiting on internal rate limiter	{"identifiers": ["www.linuxas.gr"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "skokkineas@protonmail.com"}
2022/05/29 14:56:15.514	INFO	tls.issuance.acme.acme_client	trying to solve challenge	{"identifier": "www.linuxas.gr", "challenge_type": "tls-alpn-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2022/05/29 14:56:19.312	ERROR	tls.issuance.acme.acme_client	challenge failed	{"identifier": "www.linuxas.gr", "challenge_type": "tls-alpn-01", "problem": {"type": "urn:ietf:params:acme:error:dns", "title": "", "detail": "DNS problem: SERVFAIL looking up A for www.linuxas.gr - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for www.linuxas.gr - the domain's nameservers may be malfunctioning", "instance": "", "subproblems": []}}
2022/05/29 14:56:19.312	ERROR	tls.issuance.acme.acme_client	validating authorization	{"identifier": "www.linuxas.gr", "problem": {"type": "urn:ietf:params:acme:error:dns", "title": "", "detail": "DNS problem: SERVFAIL looking up A for www.linuxas.gr - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for www.linuxas.gr - the domain's nameservers may be malfunctioning", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/563952596/92974220956", "attempt": 1, "max_attempts": 3}
2022/05/29 14:56:21.041	INFO	tls.issuance.acme.acme_client	trying to solve challenge	{"identifier": "www.linuxas.gr", "challenge_type": "http-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2022/05/29 14:56:23.987	ERROR	tls.issuance.acme.acme_client	challenge failed	{"identifier": "www.linuxas.gr", "challenge_type": "http-01", "problem": {"type": "urn:ietf:params:acme:error:dns", "title": "", "detail": "DNS problem: SERVFAIL looking up A for www.linuxas.gr - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for www.linuxas.gr - the domain's nameservers may be malfunctioning", "instance": "", "subproblems": []}}
2022/05/29 14:56:23.987	ERROR	tls.issuance.acme.acme_client	validating authorization	{"identifier": "www.linuxas.gr", "problem": {"type": "urn:ietf:params:acme:error:dns", "title": "", "detail": "DNS problem: SERVFAIL looking up A for www.linuxas.gr - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for www.linuxas.gr - the domain's nameservers may be malfunctioning", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/563952596/92974238516", "attempt": 2, "max_attempts": 3}
2022/05/29 14:56:23.987	ERROR	tls.obtain	could not get certificate from issuer	{"identifier": "www.linuxas.gr", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: SERVFAIL looking up A for www.linuxas.gr - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for www.linuxas.gr - the domain's nameservers may be malfunctioning"}
2022/05/29 14:56:25.165	INFO	tls.issuance.zerossl	generated EAB credentials	{"key_id": "3JBFRg5tcMEEtDxm2Mty2A"}

So there you go, looks like your DNS isn’t correctly configured. Make sure you have A or AAAA records pointing to your server.

2 Likes

Any pointers on how to do that? Is FreeIPA related to this?

Do you own the www.linuxas.gr domain? Which domain registrar did you buy it from?

You need a public domain (not one that just resolves in your private network) for ACME, to get a publicly signed TLS certificate.

Yes, the domain is mine. I bought from here.
So if I get a Web Hosting Service from a provider and pay monthly it should work fine?