Allowing HTTP when visiting via IP instead of DNS

1. The problem I’m having:

When I visit my website via its IP (not the DNS name, just the numbers), using HTTP, Caddy still redirects to HTTPS, and as the certificate only allows the DNS name, I get a "secure connection failed" error in the browser (Firefox).

2. Error messages and/or full log output:

2024/02/04 12:05:27.293 INFO    using provided configuration    {"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""}
2024/02/04 12:05:27.296 WARN    Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies    {"adapter": "caddyfile", "file": "/etc/caddy/Caddyfile", "line": 1}
2024/02/04 12:05:27.299 INFO    admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2024/02/04 12:05:27.300 INFO    http.auto_https server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2024/02/04 12:05:27.300 INFO    http.auto_https enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2024/02/04 12:05:27.301 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0x32682a0"}
2024/02/04 12:05:27.302 INFO    http.log        server running  {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2024/02/04 12:05:27.302 INFO    http    enabling HTTP/3 listener        {"addr": ":443"}
2024/02/04 12:05:27.304 INFO    http.log        server running  {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2024/02/04 12:05:27.304 WARN    tls     unable to get instance ID; storage clean stamps will be incomplete      {"error": "open /root/.local/share/caddy/instance.uuid: no such file or directory"}
2024/02/04 12:05:27.304 INFO    http    enabling automatic TLS certificate management   {"domains": ["disable_redirects", "vosjedev.pii.at", "auto_https"]}
2024/02/04 12:05:27.310 INFO    tls.obtain      acquiring lock  {"identifier": "disable_redirects"}
2024/02/04 12:05:27.311 INFO    tls.obtain      acquiring lock  {"identifier": "vosjedev.pii.at"}
2024/02/04 12:05:27.312 INFO    tls.obtain      acquiring lock  {"identifier": "auto_https"}
2024/02/04 12:05:27.312 INFO    tls     cleaning storage unit   {"storage": "FileStorage:/root/.local/share/caddy"}
2024/02/04 12:05:27.317 INFO    autosaved config (load with --resume flag)      {"file": "/root/.config/caddy/autosave.json"}
2024/02/04 12:05:27.317 INFO    serving initial configuration
2024/02/04 12:05:27.317 INFO    tls.obtain      lock acquired   {"identifier": "auto_https"}
2024/02/04 12:05:27.318 INFO    tls     finished cleaning storage units
2024/02/04 12:05:27.318 INFO    tls.obtain      obtaining certificate   {"identifier": "auto_https"}
2024/02/04 12:05:27.322 INFO    tls.obtain      lock acquired   {"identifier": "disable_redirects"}
2024/02/04 12:05:27.323 INFO    tls.obtain      obtaining certificate   {"identifier": "disable_redirects"}
2024/02/04 12:05:27.323 INFO    tls.obtain      lock acquired   {"identifier": "vosjedev.pii.at"}
2024/02/04 12:05:27.324 INFO    tls.obtain      obtaining certificate   {"identifier": "vosjedev.pii.at"}
2024/02/04 12:05:28.152 INFO    http    waiting on internal rate limiter        {"identifiers": ["auto_https"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2024/02/04 12:05:28.152 INFO    http    done waiting on internal rate limiter   {"identifiers": ["auto_https"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2024/02/04 12:05:28.165 INFO    http    waiting on internal rate limiter        {"identifiers": ["disable_redirects"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2024/02/04 12:05:28.166 INFO    http    done waiting on internal rate limiter   {"identifiers": ["disable_redirects"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2024/02/04 12:05:28.175 INFO    http    waiting on internal rate limiter        {"identifiers": ["vosjedev.pii.at"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2024/02/04 12:05:28.175 INFO    http    done waiting on internal rate limiter   {"identifiers": ["vosjedev.pii.at"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2024/02/04 12:05:28.287 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "auto_https", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Error creating new order :: Cannot issue for \"auto_https\": Domain name contains an invalid character"}
2024/02/04 12:05:28.289 WARN    http    missing email address for ZeroSSL; it is strongly recommended to set one for next time
2024/02/04 12:05:28.303 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "disable_redirects", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Error creating new order :: Cannot issue for \"disable_redirects\": Domain name contains an invalid character"}
2024/02/04 12:05:28.615 INFO    http.acme_client        trying to solve challenge       {"identifier": "vosjedev.pii.at", "challenge_type": "http-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2024/02/04 12:05:29.109 INFO    http    served key authentication       {"identifier": "vosjedev.pii.at", "challenge": "http-01", "remote": "3.138.186.53:56476", "distributed": false}
2024/02/04 12:05:29.110 INFO    http    served key authentication       {"identifier": "vosjedev.pii.at", "challenge": "http-01", "remote": "34.219.50.209:44746", "distributed": false}
2024/02/04 12:05:29.132 INFO    http    served key authentication       {"identifier": "vosjedev.pii.at", "challenge": "http-01", "remote": "23.178.112.205:40793", "distributed": false}
2024/02/04 12:05:29.919 INFO    http.acme_client        authorization finalized {"identifier": "vosjedev.pii.at", "authz_status": "valid"}
2024/02/04 12:05:29.919 INFO    http.acme_client        validations succeeded; finalizing order {"order": "https://acme-v02.api.letsencrypt.org/acme/order/1552987267/241797145897"}
2024/02/04 12:05:31.153 INFO    http.acme_client        successfully downloaded available certificate chains    {"count": 2, "first_url": "https://acme-v02.api.letsencrypt.org/acme/cert/0491c4a6304519465d9961b615606a3245b5"}
2024/02/04 12:05:31.154 INFO    tls.obtain      certificate obtained successfully       {"identifier": "vosjedev.pii.at"}
2024/02/04 12:05:31.154 INFO    tls.obtain      releasing lock  {"identifier": "vosjedev.pii.at"}
2024/02/04 12:05:31.983 INFO    http    generated EAB credentials       {"key_id": "C3KRFu77UCpLOtq912x7Bw"}
2024/02/04 12:05:37.659 INFO    http    waiting on internal rate limiter        {"identifiers": ["disable_redirects"], "ca": "https://acme.zerossl.com/v2/DV90", "account": ""}
2024/02/04 12:05:37.659 INFO    http    done waiting on internal rate limiter   {"identifiers": ["disable_redirects"], "ca": "https://acme.zerossl.com/v2/DV90", "account": ""}
2024/02/04 12:05:38.010 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "disable_redirects", "issuer": "acme.zerossl.com-v2-DV90", "error": "HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [disable_redirects]"}
2024/02/04 12:05:38.010 ERROR   tls.obtain      will retry      {"error": "[disable_redirects] Obtain: [disable_redirects] creating new order: attempt 1: https://acme.zerossl.com/v2/DV90/newOrder: HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [disable_redirects] (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 1, "retrying_in": 60, "elapsed": 10.687857509, "max_duration": 2592000}
2024/02/04 12:05:44.029 INFO    http    waiting on internal rate limiter        {"identifiers": ["auto_https"], "ca": "https://acme.zerossl.com/v2/DV90", "account": ""}
2024/02/04 12:05:44.029 INFO    http    done waiting on internal rate limiter   {"identifiers": ["auto_https"], "ca": "https://acme.zerossl.com/v2/DV90", "account": ""}
2024/02/04 12:05:44.197 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "auto_https", "issuer": "acme.zerossl.com-v2-DV90", "error": "HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [auto_https]"}
2024/02/04 12:05:44.197 ERROR   tls.obtain      will retry      {"error": "[auto_https] Obtain: [auto_https] creating new order: attempt 1: https://acme.zerossl.com/v2/DV90/newOrder: HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [auto_https] (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 1, "retrying_in": 60, "elapsed": 16.879751098, "max_duration": 2592000}
2024/02/04 12:06:38.012 INFO    tls.obtain      obtaining certificate   {"identifier": "disable_redirects"}
2024/02/04 12:06:39.031 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "disable_redirects", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Error creating new order :: Cannot issue for \"disable_redirects\": Domain name contains an invalid character"}
2024/02/04 12:06:40.366 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "disable_redirects", "issuer": "acme.zerossl.com-v2-DV90", "error": "HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [disable_redirects]"}
2024/02/04 12:06:40.366 ERROR   tls.obtain      will retry      {"error": "[disable_redirects] Obtain: [disable_redirects] creating new order: attempt 1: https://acme.zerossl.com/v2/DV90/newOrder: HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [disable_redirects] (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 2, "retrying_in": 120, "elapsed": 73.043634041, "max_duration": 2592000}
2024/02/04 12:06:44.199 INFO    tls.obtain      obtaining certificate   {"identifier": "auto_https"}
2024/02/04 12:06:44.714 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "auto_https", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Error creating new order :: Cannot issue for \"auto_https\": Domain name contains an invalid character"}
2024/02/04 12:06:46.700 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "auto_https", "issuer": "acme.zerossl.com-v2-DV90", "error": "HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [auto_https]"}
2024/02/04 12:06:46.700 ERROR   tls.obtain      will retry      {"error": "[auto_https] Obtain: [auto_https] creating new order: attempt 1: https://acme.zerossl.com/v2/DV90/newOrder: HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [auto_https] (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 2, "retrying_in": 120, "elapsed": 79.382606893, "max_duration": 2592000}

3. Caddy version:

v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=

4. How I installed and ran Caddy:

  1. installed using apt
  2. for testing as root from zsh.

a. System environment:

OS: Raspbian 11 (based on Debian bullseye)
I have symlinked /etc/caddy/Caddyfile to a local file in my homedir as that works better for me.

b. Command:

sudo caddy --config /etc/caddy/Caddyfile

d. My complete Caddy config:

vosjedev.pii.at {
    root * /home/vosje/https/httpssite
    fileserver {
        browse /home/vosje/https/httpsite/fileindex.html
    }
}
auto_https disable_redirects

You need to configure a site to handle that.

Make a site block with http:// as the address, and it will act as a catch-all for all HTTP requests, including IPs.

Also, auto_https is a global option, it must go within the global options block. See the structure:

Hi, thank you very much for pointing me in the right direction.

My caddyfile now looks like:

{
        auto_https disable_redirects
        debug
}

(mainconf) {
        root * /home/vosje/https/httpssite
        file_server {
                browse /home/vosje/https/httpssite/fileindex.html
        }
}

vosjedev.pii.at {
        import mainconf
}

http:// {
        import mainconf
}

But I still get redirected to https. The log now shows some relevant information at the end (after 15:06:27.086):

2024/02/09 15:06:22.099 INFO    using provided configuration    {"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""}
2024/02/09 15:06:22.104 INFO    admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2024/02/09 15:06:22.105 INFO    http.auto_https server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2024/02/09 15:06:22.105 WARN    http.auto_https automatic HTTP->HTTPS redirects are disabled    {"server_name": "srv0"}
2024/02/09 15:06:22.105 WARN    http.auto_https server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server {"server_name": "srv1", "http_port": 80}
2024/02/09 15:06:22.105 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0x470d680"}
2024/02/09 15:06:22.106 DEBUG   http.auto_https adjusted config {"tls": {"automation":{"policies":[{}]}}, "http": {"servers":{"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"vars","root":"/home/vosje/https/httpssite"},{"browse":{"template_file":"/home/vosje/https/httpssite/fileindex.html"},"handler":"file_server","hide":["/etc/caddy/Caddyfile"]}]}]}],"terminal":true}],"tls_connection_policies":[{}],"automatic_https":{"disable_redirects":true}},"srv1":{"listen":[":80"],"routes":[{"handle":[{"handler":"vars","root":"/home/vosje/https/httpssite"},{"browse":{"template_file":"/home/vosje/https/httpssite/fileindex.html"},"handler":"file_server","hide":["/etc/caddy/Caddyfile"]}]}],"automatic_https":{"disable":true,"disable_redirects":true}}}}}
2024/02/09 15:06:22.107 INFO    http    enabling HTTP/3 listener        {"addr": ":443"}
2024/02/09 15:06:22.109 DEBUG   http    starting server loop    {"address": "[::]:443", "tls": true, "http3": true}
2024/02/09 15:06:22.110 INFO    http.log        server running  {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2024/02/09 15:06:22.110 DEBUG   http    starting server loop    {"address": "[::]:80", "tls": false, "http3": false}
2024/02/09 15:06:22.110 INFO    http.log        server running  {"name": "srv1", "protocols": ["h1", "h2", "h3"]}
2024/02/09 15:06:22.110 INFO    http    enabling automatic TLS certificate management   {"domains": ["vosjedev.pii.at"]}
2024/02/09 15:06:22.113 DEBUG   tls     loading managed certificate     {"domain": "vosjedev.pii.at", "expiration": "2024/05/04 11:05:30.000", "issuer_key": "acme-v02.api.letsencrypt.org-directory", "storage": "FileStorage:/root/.local/share/caddy"}
2024/02/09 15:06:22.115 WARN    tls     storage cleaning happened too recently; skipping for now        {"storage": "FileStorage:/root/.local/share/caddy", "instance": "80259a6e-2c25-433e-b247-ea5eca45a8fb", "try_again": "2024/02/10 15:06:22.115", "try_again_in": 86399.999995351}
2024/02/09 15:06:22.115 INFO    tls     finished cleaning storage units
2024/02/09 15:06:22.128 DEBUG   tls.cache       added certificate to cache      {"subjects": ["vosjedev.pii.at"], "expiration": "2024/05/04 11:05:30.000", "managed": true, "issuer_key": "acme-v02.api.letsencrypt.org-directory", "hash": "6b88de912757359005c037e80834da4d210af18ae756da9f3c78742e78e14121", "cache_size": 1, "cache_capacity": 10000}
2024/02/09 15:06:22.128 DEBUG   events  event   {"name": "cached_managed_cert", "id": "f6998d40-6439-4bc4-8918-e08df9da7727", "origin": "tls", "data": {"sans":["vosjedev.pii.at"]}}
2024/02/09 15:06:22.129 INFO    autosaved config (load with --resume flag)      {"file": "/root/.config/caddy/autosave.json"}
2024/02/09 15:06:22.129 INFO    serving initial configuration
2024/02/09 15:06:27.085 DEBUG   events  event   {"name": "tls_get_certificate", "id": "af529b5c-29ef-477f-8eb3-976bf882b621", "origin": "tls", "data": {"client_hello":{"CipherSuites":[4865,4867,4866,49195,49199,52393,52392,49196,49200,49162,49161,49171,49172,156,157,47,53],"ServerName":"","SupportedCurves":[29,23,24,25,256,257],"SupportedPoints":"AA==","SignatureSchemes":[1027,1283,1539,2052,2053,2054,1025,1281,1537,515,513],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"RemoteAddr":{"IP":"195.240.107.128","Port":35770,"Zone":""},"LocalAddr":{"IP":"192.168.178.125","Port":443,"Zone":""}}}}
2024/02/09 15:06:27.086 DEBUG   tls.handshake   no matching certificates and no custom selection logic  {"identifier": "192.168.178.125"}
2024/02/09 15:06:27.086 DEBUG   tls.handshake   no certificate matching TLS ClientHello {"remote_ip": "195.240.107.128", "remote_port": "35770", "server_name": "", "remote": "195.240.107.128:35770", "identifier": "192.168.178.125", "cipher_suites": [4865, 4867, 4866, 49195, 49199, 52393, 52392, 49196, 49200, 49162, 49161, 49171, 49172, 156, 157, 47, 53], "cert_cache_fill": 0.0001, "load_or_obtain_if_necessary": true, "on_demand": false}
2024/02/09 15:06:27.086 DEBUG   http.stdlib     http: TLS handshake error from 195.240.107.128:35770: no certificate available for '192.168.178.125'
2024/02/09 15:06:33.925 DEBUG   events  event   {"name": "tls_get_certificate", "id": "ea233674-1921-45a3-b1cd-edb806151894", "origin": "tls", "data": {"client_hello":{"CipherSuites":[4865,4867,4866,49195,49199,52393,52392,49196,49200,49162,49161,49171,49172,156,157,47,53],"ServerName":"","SupportedCurves":[29,23,24,25,256,257],"SupportedPoints":"AA==","SignatureSchemes":[1027,1283,1539,2052,2053,2054,1025,1281,1537,515,513],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"RemoteAddr":{"IP":"195.240.107.128","Port":38094,"Zone":""},"LocalAddr":{"IP":"192.168.178.125","Port":443,"Zone":""}}}}
2024/02/09 15:06:33.926 DEBUG   tls.handshake   no matching certificates and no custom selection logic  {"identifier": "192.168.178.125"}
2024/02/09 15:06:33.926 DEBUG   tls.handshake   no certificate matching TLS ClientHello {"remote_ip": "195.240.107.128", "remote_port": "38094", "server_name": "", "remote": "195.240.107.128:38094", "identifier": "192.168.178.125", "cipher_suites": [4865, 4867, 4866, 49195, 49199, 52393, 52392, 49196, 49200, 49162, 49161, 49171, 49172, 156, 157, 47, 53], "cert_cache_fill": 0.0001, "load_or_obtain_if_necessary": true, "on_demand": false

But I have no idea what to do about it. Sorry for me being too dumb to properly run my own server, but I am kinda confused right now. I followed the instructions, right?

Sorry for the slow response (Feel free to give a slow response back :D).

Are you sure? Show an example request with curl -v.

If you used a browser to test, it may have cached the redirect.

Ah, that actually shows no redirect. I guess it is indeed Firefox that has cached the redirect. I will try stuff with other browser instances/other computers/other people, and report back later.
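
An added example, not part of any post in this thread and not Caddy project code: a Python check over Caddy console logs for the two symptoms visible in the logs above, directive names showing up as certificate identifiers (a global option placed outside the global options block) and TLS handshakes on port 443 with an empty server name (a client connecting by IP over HTTPS). The sample log lines are constructed, with `example.com` and documentation-range addresses as placeholders, and the function names are illustrative.

```python
import json
import re
from collections import Counter

# Constructed sample in the same console format as the logs quoted in the thread.
# example.com and the 192.0.2.x / 203.0.113.x addresses are placeholders; the last
# line is cut off on purpose to show how a truncated line is handled.
SAMPLE_LOG = """\
2024/02/04 12:05:27.304 INFO    http    enabling automatic TLS certificate management   {"domains": ["disable_redirects", "example.com", "auto_https"]}
2024/02/04 12:05:28.287 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "auto_https", "error": "HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [auto_https]"}
2024/02/09 15:06:22.105 WARN    http.auto_https automatic HTTP->HTTPS redirects are disabled    {"server_name": "srv0"}
2024/02/09 15:06:27.086 DEBUG   tls.handshake   no certificate matching TLS ClientHello {"remote_ip": "203.0.113.7", "server_name": "", "identifier": "192.0.2.10"}
2024/02/09 15:06:33.926 DEBUG   tls.handshake   no certificate matching TLS ClientHello {"remote_ip": "203.0.113.7", "server_name": "", "identifier": "192.0.2.10"
"""

LINE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+\s+([A-Z]+)\s+(.*)$")
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_line(line):
    """Split one console log line into (level, message text, JSON fields)."""
    m = LINE.match(line.strip())
    if not m:
        return None
    text, brace, tail = m.group(2).partition("{")
    try:
        fields = json.loads(brace + tail) if brace else {}
    except json.JSONDecodeError:
        fields = {}  # truncated or damaged line: keep the message, drop the fields
    return m.group(1), text.strip(), fields


def is_dns_name(name):
    """True if name could be a certificate DNS identifier (wildcard prefix allowed)."""
    name = name[2:] if name.startswith("*.") else name
    return 0 < len(name) <= 253 and all(LABEL.match(p) for p in name.rstrip(".").split("."))


def analyze(log_text):
    bad, disabled, no_sni = set(), set(), Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, text, f = parsed
        if "enabling automatic TLS certificate management" in text:
            # A directive name here means a global option was parsed as a site address.
            bad.update(d for d in f.get("domains", []) if not is_dns_name(d))
        elif "rejectedIdentifier" in str(f.get("error", "")) and "identifier" in f:
            bad.add(f["identifier"])
        elif "redirects are disabled" in text:
            disabled.add(f.get("server_name"))
        elif "no certificate matching TLS ClientHello" in text and f.get("server_name") == "":
            # Empty SNI on the HTTPS port: the client connected by IP, so no certificate fits.
            no_sni[f.get("identifier")] += 1
    return {"bad_identifiers": sorted(bad), "redirects_disabled": sorted(disabled),
            "no_sni_failures": dict(no_sni)}


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

When `redirects_disabled` is non-empty and `no_sni_failures` still counts handshakes for the server's own IP, the HTTPS attempts are being initiated by the client rather than by a redirect from Caddy, which matches the cached-redirect explanation given in the thread.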
