Access my site via domain name and ip address with https

1. Caddy version (caddy version):

v2.3.0

2. How I run Caddy:

I am using the caddy Docker image: caddy:2.3.0

a. System environment:

Docker version 20.10.7

b. Command:

docker-compose up -d

c. Service/unit/compose file:

version: "3.7"

services:
  caddy:
    image: caddy:2.3.0
    restart: unless-stopped
    ports:
      - 80:80
      - 8080:8080
      - 443:443
      - 4430:4430
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data
      - caddy_config:/config
    networks:
      - wazuh-docker_default

volumes:
  caddy_data:
  caddy_config:

networks:
  wazuh-docker_default:
    external: true

d. My complete Caddyfile or JSON config:

monitoring.eyelab.kz {
	reverse_proxy kibana:5601
}

95.58.194.34:8080 {
	tls internal {
		on_demand
	}
	respond "Hello"
}

3. The problem I’m having:

I have a site on the domain monitoring.eyelab.kz which works perfectly fine. Now I also need to be able to access the site via its IP address, because of a device that can only use an IP address. I also want the communication to be encrypted, but the IP part does not seem to work. The error I get is "This site can’t provide a secure connection" when trying https://95.58.194.34:8080 or https://95.58.194.34 in my browser.

4. Error messages and/or full log output:

* Rebuilt URL to: https://95.58.194.34:8080/
*   Trying 95.58.194.34...
* TCP_NODELAY set
* Connected to 95.58.194.34 (95.58.194.34) port 8080 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, Server hello (2):
* error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
* stopped the pause stream!
* Closing connection 0
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

5. What I already tried:

When I remove the domain name part in the Caddyfile and leave it as

:443 {
	tls internal {
		on_demand
	}
	respond "Hello"
}

or

{
	https_port 8080
}
:8080 {
	tls internal {
		on_demand
	}
	respond "Hello"
}

it works for the IP address.

6. Links to relevant resources:

Please upgrade to the latest version, v2.4.3

When you use tls internal, you’re having Caddy issue a certificate from its locally managed CA, which is not publicly trusted. For HTTPS to work, you need to establish trust. To do this, you need to install Caddy’s root CA certificate into the trust stores of the systems/browsers that you will be using to connect. You can find the root CA certificate in Caddy’s data storage, at /data/pki/authorities/local/root.crt I think (since you’re running in Docker).
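
An added example (not from this thread and not Caddy's own tooling): a shell helper that copies Caddy's root CA out of the container and then checks the IP-based endpoint against that CA with curl, instead of skipping verification with `curl -k`. The container name, output file name and the presence of `docker`, `curl` and `openssl` on the host are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the forum thread: establish trust in Caddy's
# internal CA explicitly rather than disabling TLS verification.
set -eo pipefail

# Copy root.crt out of the Caddy container. The path is the one named in
# the thread (/data/pki/authorities/local/root.crt); the container name is
# an assumption and must match `docker ps` on your host.
fetch_caddy_root_ca() {
  local container="${1:?container name required}" out="${2:-caddy-root.crt}"
  docker cp "${container}:/data/pki/authorities/local/root.crt" "$out"
  printf '%s\n' "$out"
}

# Print the IP Subject Alternative Names of a PEM certificate, one per line.
# Useful to confirm the leaf certificate actually carries the IP address you
# are connecting to; a certificate without an IP SAN will not validate for
# https://<ip>/ even when its issuer is trusted. Requires openssl >= 1.1.1.
cert_ip_sans() {
  local cert="${1:?certificate file required}"
  openssl x509 -in "$cert" -noout -ext subjectAltName \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*IP Address:\([0-9.:a-fA-F]*\).*/\1/p'
}

# Verify https://<host>:<port>/ trusting only the extracted root CA.
# Exit status is curl's: 0 on a trusted handshake, 60 when the chain does
# not validate, 35 on a handshake failure like the one quoted in the thread.
verify_ip_https() {
  local ca="${1:?ca file required}" host="${2:?host required}" port="${3:-443}"
  curl --silent --show-error --output /dev/null --cacert "$ca" \
    "https://${host}:${port}/"
}

# Usage (adjust the container name and address to your deployment):
#   fetch_caddy_root_ca caddy_caddy_1
#   verify_ip_https caddy-root.crt 95.58.194.34 8080
```

The same `--cacert` file can be handed to any client on the closed device that accepts a CA bundle path, which avoids touching the system trust store.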

@francislavoie Thanks for reaching out!

I upgraded to the latest version ✔

I understood. The problem is that the system I am trying to make requests from is pretty closed, so I cannot install a certificate on it. I was able to generate OpenSSL keys and use them in the Caddyfile, which seems to work, but I am a little worried that:

  1. It will not automatically renew.
  2. I have a feeling that it is not the right way to go, because I thought tls internal does exactly that under the hood.