Automated TLS not working on Caddy proxy server

I have a multi-server setup where my app lies on one set of servers, my database on one server and a load balancer on another server. I am using Caddy as the web server on both the app servers and the load balancer.

Accessing the app server directly works fine and accessing the load balancer server over HTTP works great as well. I run into problems when trying to access the load balancer over HTTPS. If I set the tls directive to self_signed it works great (minus the big warning in the browser), but when I change the directive to an email address, I get the following error in Chrome: This site can’t provide a secure connection. However, no errors display in the load balancer’s error logs. I have manually created the .caddy directory in the $HOME directory and chowned it to the proper user and group (www-data). Not sure what else to do.

Here is the Caddyfile:

:80 {
	log      /var/www/html/access.log
	errors   /var/www/html/errors.log
	tls off
	# tls development@blusolutions.com

	proxy / 159.203.66.146 {
		policy least_conn
		transparent
		insecure_skip_verify
	}
}

:443 {
	log      /var/www/html/access.log
	errors   /var/www/html/errors.log
	# tls self_signed #this works
	tls redacted@redacted.com #this does not work

	proxy / https://159.203.66.146 {
		policy least_conn
		transparent
		insecure_skip_verify
	}
}

I am running caddy with the following command:
"/usr/bin/caddy --conf /etc/Caddyfile --agree"

Below is the entire docker file for the load balancer if that helps:

FROM phusion/baseimage
MAINTAINER redacted

RUN apt-get update -y
RUN apt-get upgrade -y



## Install add-apt-repository
RUN apt-get install -y \
	software-properties-common \
	python-software-properties



## Install prerequisites
RUN apt-get install -y \
	curl \
	vim



## Install Caddy
RUN curl --silent --show-error --fail --location \
    --header "Accept: application/tar+gzip, application/x-gzip, application/octet-stream" \
    -o - "https://github.com/mholt/caddy/releases/download/v0.9.1/caddy_linux_amd64.tar.gz" \
    | tar --no-same-owner -xz caddy_linux_amd64 \
    && mv caddy_linux_amd64 /usr/bin/caddy

RUN chmod 0755 /usr/bin/caddy && \
	setcap cap_net_bind_service=+ep /usr/bin/caddy



## Run Some Setup
EXPOSE 80 443
WORKDIR /var/www/html
RUN mkdir /var/www/.caddy && \
	chown www-data:www-data /var/www/.caddy && \
	chown www-data:www-data /var/www/html



USER www-data
COPY Caddyfile /etc/Caddyfile



CMD ["/usr/bin/caddy", "--conf", "/etc/Caddyfile", "--agree"]

Caddy can’t provide a secure TLS connection when your Caddyfile doesn’t have a hostname without on-demand TLS. If you know the hostname, just specify that in the Caddyfile.

But yes, self-signed certificates will work (despite warnings).

Updating the tls directive results in the same error from Chrome and no errors in the log file:

tls {
	max_certs 10
}

Do I need to specify a host still? I was hoping that I wouldn’t have to specify hostnames because the app is a multi-site CMS. Sites could be added at any time and it would be nice if we could support configure-less, automated SSL.

I’m suspicious that your config wasn’t applied like you think it is. Either that, or try a different browser/agent like curl.

Getting an error from Firefox as well: An error occurred during a connection to staging.webtorch.com. Peer reports it experienced an internal error. Error code: SSL_ERROR_INTERNAL_ERROR_ALERT

The app servers also implement SSL but those servers are self_signed. I figured that would work with the load balancer having the insecure_skip_verify directive. That wouldn’t be a problem would it?

Here is the Caddyfile for the app servers if that makes a difference:

:80, :443 {
	log      /var/www/html/storage/logs/access.log
	errors   /var/www/html/storage/logs/errors.log
	tls      self_signed
	root     /var/www/html/public
	startup  php-fpm7.0 -D
	fastcgi  / 127.0.0.1:9000 php
	gzip

	rewrite {
		r .*
		to /index.php?{query}
	}
}

Here is the updated load balancer Caddyfile as well:

:80 {
	log      /var/www/html/access.log
	errors   /var/www/html/errors.log
	tls off

	proxy / 159.203.66.146 {
		policy least_conn
		transparent
		insecure_skip_verify
	}
}

:443 {
	log      /var/www/html/access.log
	errors   /var/www/html/errors.log
	tls {
		max_certs 10
	}

	proxy / https://159.203.66.146 {
		policy least_conn
		transparent
		insecure_skip_verify
	}
}
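The reply above says Caddy cannot serve TLS when the Caddyfile names no host and on-demand TLS is not enabled, and the Firefox error code SSL_ERROR_INTERNAL_ERROR_ALERT is the client-side view of that: the server aborted the handshake with a TLS internal_error alert before any HTTP request existed, which is also why the errors.log stays empty. The following is an added example, not code from this thread or from Caddy itself; it uses Go's crypto/tls (Caddy's own TLS stack) to stand in for a server that only holds certificates for a fixed list of hostnames. Connecting with a matching SNI name succeeds; connecting with an unknown name, or with no SNI at all (as when you browse to the bare IP or a `:443` label), gets the same internal_error alert the thread reports. The hostnames are constructed, the certificates are generated in-process instead of obtained from Let's Encrypt, and the assumption that Caddy 0.9 fails the same way a plain crypto/tls server does is mine, not the page's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// selfSignedCert builds a short-lived self-signed certificate for one hostname.
// It stands in for the certificate an ACME client would have obtained.
func selfSignedCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// newServerConfig returns a TLS config that only knows certificates for the
// given hostnames. A ClientHello whose SNI names anything else (or carries no
// SNI) gets no certificate, so the server aborts with an internal_error alert.
func newServerConfig(hosts []string) (*tls.Config, error) {
	certs := map[string]*tls.Certificate{}
	for _, h := range hosts {
		cert, err := selfSignedCert(h)
		if err != nil {
			return nil, err
		}
		certs[strings.ToLower(h)] = &cert
	}
	return &tls.Config{
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if c, ok := certs[strings.ToLower(hello.ServerName)]; ok {
				return c, nil
			}
			return nil, errors.New("no certificate configured for " + hello.ServerName)
		},
	}, nil
}

// handshake connects with the given SNI name and returns the handshake error.
// Verification is skipped because the server certificate is self-signed; the
// point is only whether the server offered a certificate at all.
func handshake(addr, sni string) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		ServerName:         sni,
		InsecureSkipVerify: true, // test-only: self-signed cert generated above
	})
	if err != nil {
		return err
	}
	return conn.Close()
}

// Probe starts a loopback TLS server holding certificates for hosts and
// returns, for each SNI name in probes, the client-side handshake error
// (nil means the handshake completed).
func Probe(hosts, probes []string) ([]error, error) {
	cfg, err := newServerConfig(hosts)
	if err != nil {
		return nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				_ = c.(*tls.Conn).Handshake() // failures surface as alerts to the client
			}(c)
		}
	}()
	results := make([]error, len(probes))
	for i, p := range probes {
		results[i] = handshake(ln.Addr().String(), p)
	}
	return results, nil
}

func main() {
	// Constructed names: one configured host, one unknown host, and no SNI.
	probes := []string{"staging.example.test", "other.example.test", ""}
	results, err := Probe([]string{"staging.example.test"}, probes)
	if err != nil {
		panic(err)
	}
	for i, p := range probes {
		if p == "" {
			p = "(no SNI, as when connecting by IP)"
		}
		fmt.Printf("%-38s -> %v\n", p, results[i])
	}
}
```

The configured name completes the handshake; the other two fail with `remote error: tls: internal error`, and nothing is written at the HTTP layer because the connection never got that far. The practical check for the thread's setup is the same idea from the outside: a client must present the site's hostname via SNI, and the server must actually hold (or be allowed to obtain on demand) a certificate for that exact name.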

That should work fine. Is there really nothing in the process log?

Interesting… I went to lunch and came back and now it works. Maybe Let’s Encrypt was having issues or something.

Interesting again… Works on one site, there is an entry for it in the .caddy folder, but not working for another site. Still not getting any kind of errors from caddy though.

What does your process log show?
