Oh, that makes sense…
I was already running other tests with the docker containers. It was easy to continue with that test setup.
Now I have 2 nodes that run Caddy natively but I’m having more and more trouble. I moved back to the very basics but I’m still having mixed results.
Caddy 1: running at 192.168.2.2 (port 443/80 forwarded in router)

    #
    # ACME Server
    acme.localhost {
        acme_server
    }
    # Reverse proxy
    #
    nextcloud.intrafit.nl {
        reverse_proxy https://192.168.2.50
    }
Caddy 2: running at 192.168.2.50

    192.168.2.50:443 {
        respond "Hello , this is your internal website talking!"
        tls robbert@intrafit.nl {
            ca https://192.168.2.2/acme/local/directory
            client_auth {
                trusted_ca_cert_file /root/nextcloud/root.crt
            }
        }
    }
When I browse with Firefox from a different Windows VM to https://192.168.2.50, I get

    Secure Connection Failed
    An error occurred during a connection to 192.168.2.50. Peer’s certificate has an invalid signature.
    Error code: SEC_ERROR_BAD_SIGNATURE
    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the web site owners to inform them of this problem.

This also happens when I manually install the root certificate in Firefox.
It took me a while to discover that when I use Chrome (from a laptop), I do get a response! I cannot install the root certificate on that machine, so I get a warning that the connection is insecure, but I do get a reply.
Can this be a cache problem? I cleared the cache in Firefox without seeing a difference.
When I try to access it externally from the same laptop through https://nextcloud.intrafit.nl, I get HTTP ERROR 502.
The logs show this:
    2021/01/31 15:18:02.234 ERROR http.log.error x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "Caddy Local Authority - 2021 ECC Root") {"request": {"remote_addr": "192.168.5.1:59373", "proto": "HTTP/2.0", "method": "GET", "host": "nextcloud.intrafit.nl", "uri": "/", "headers": {"Sec-Fetch-Site": ["cross-site"], "Sec-Fetch-Mode": ["navigate"], "Sec-Fetch-User": ["?1"], "Upgrade-Insecure-Requests": ["1"], "User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36"], "Sec-Fetch-Dest": ["document"], "Cookie": ["__Host-nc_sameSiteCookielax=true"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"], "Accept-Language": ["en-US,en;q=0.9,nl;q=0.8"], "Cache-Control": ["max-age=0"], "Accept-Encoding": ["gzip, deflate, br"]}, "tls": {"resumed": false, "version": 771, "cipher_suite": 49196, "proto": "h2", "proto_mutual": true, "server_name": "nextcloud.intrafit.nl"}}, "duration": 0.007132826, "status": 502, "err_id": "c0yywugsm", "err_trace": "reverseproxy.statusError (reverseproxy.go:783)"}
So I figured I need to add the root certificate:

    nextcloud.intrafit.nl {
        reverse_proxy https://192.168.2.50 {
            transport http {
                tls_trusted_ca_certs /root/.local/share/caddy/pki/authorities/local/root.crt
            }
        }
    }
But this seems to give me the same results.
    2021/01/31 15:22:11.516 ERROR http.log.error x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "Caddy Local Authority - 2021 ECC Root") {"request": {"remote_addr": "192.168.5.1:52042", "proto": "HTTP/2.0", "method": "GET", "host": "nextcloud.intrafit.nl", "uri": "/", "headers": {"Upgrade-Insecure-Requests": ["1"], "Sec-Fetch-User": ["?1"], "User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"], "Sec-Fetch-Dest": ["document"], "Cache-Control": ["max-age=0"], "Sec-Fetch-Mode": ["navigate"], "Cookie": ["__Host-nc_sameSiteCookielax=true"], "Accept-Encoding": ["gzip, deflate, br"], "Accept-Language": ["en-US,en;q=0.9,nl;q=0.8"], "Sec-Fetch-Site": ["cross-site"]}, "tls": {"resumed": false, "version": 771, "cipher_suite": 49196, "proto": "h2", "proto_mutual": true, "server_name": "nextcloud.intrafit.nl"}}, "duration": 0.014319558, "status": 502, "err_id": "3yi2scsht", "err_trace": "reverseproxy.statusError (reverseproxy.go:783)"}
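An added example, not from this post or from Caddy, in Go because the logged error text comes straight from Go's crypto/x509 package: it reproduces the "unknown authority (possibly because of ECDSA verification failure ...)" message by verifying a backend certificate against a root that carries the same "Caddy Local Authority - 2021 ECC Root" name but a different key, which is exactly what a root.crt left behind by another Caddy instance (such as the earlier Docker containers) looks like to the reverse proxy. All certificates are generated in memory for the example, and the helper names issue, newCA, newLeaf and verifyAgainst are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issue signs tmpl with parent/parentKey (self-signed when parent is nil) and returns it with its new key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256, like Caddy's ECC root
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// newCA builds a self-signed root named like Caddy's local authority. Every Caddy
// instance generates its own key, so two roots can share the name yet not verify each other's certs.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
}

// newLeaf issues the backend's server certificate for its IP address, signed by ca.
func newLeaf(ip string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: ip},
		IPAddresses: []net.IP{net.ParseIP(ip)}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caKey)
}

// verifyAgainst is the check reverse_proxy makes with tls_trusted_ca_certs: chain leaf to a pool
// holding only root, for the dialed address. A same-name root with another key gives the logged error.
func verifyAgainst(leaf, root *x509.Certificate, addr string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: addr})
	return err
}
```

The practical check on a real host is the same idea: the root.crt handed to tls_trusted_ca_certs must be the one from the instance that actually signed the backend certificate, not merely one with the same name.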