Automatic TLS not working with CNAME redirect

1. Caddy version (caddy version):

caddy:2.3.0-alpine

2. How I run Caddy:

docker-compose -f docker-compose-caddy.yml up -d --build

a. System environment:

b. Command:


c. Service/unit/compose file:

version: "3"

services:
  caddy:
    image: caddy:2.3.0-alpine
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - $PWD/Caddyfile:/etc/caddy/Caddyfile
      - $PWD/site:/srv
      - caddy_data:/data
      - caddy_config:/config

volumes:
  caddy_data:
  caddy_config:

d. My complete Caddyfile or JSON config:

mono.mydomain.co {
    tls {
        on_demand
    }
    reverse_proxy 123.456.789.110:7050
}

3. The problem I’m having:

I have created the following entries in Route53 (AWS)

mono.mydomain.co           A      123.456.789.110
test.customerdomain.com    CNAME  mono.mydomain.co

Now, navigating to mono.mydomain.co works fine and redirects to https. What I also want is that when someone navigates to test.customerdomain.com it should also work with https.

Instead, this is the error I see on the browser:

test.customerdomain.com sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

4. Error messages and/or full log output:

caddy_1  | {"level":"info","ts":1612388552.7430224,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
caddy_1  | {"level":"info","ts":1612388552.7444458,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
caddy_1  | 2021/02/03 21:42:32 [INFO][cache:0xc0006e1c20] Started certificate maintenance routine
caddy_1  | {"level":"info","ts":1612388552.7465718,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
caddy_1  | {"level":"info","ts":1612388552.749336,"logger":"tls","msg":"cleaned up storage units"}
caddy_1  | {"level":"info","ts":1612388552.7496638,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["mono.mydomain.co"]}
caddy_1  | {"level":"info","ts":1612388552.7499683,"msg":"autosaved config","file":"/config/caddy/autosave.json"}
caddy_1  | {"level":"info","ts":1612388552.750061,"msg":"serving initial configuration"}
caddy_1  | 2021/02/03 21:42:50 http: TLS handshake error from 122.182.195.43:51484: no certificate available for 'test.customerdomain.com'
caddy_1  | 2021/02/03 21:42:50 http: TLS handshake error from 122.182.195.43:65133: no certificate available for 'test.customerdomain.com'
caddy_1  | 2021/02/03 21:42:56 http: TLS handshake error from 122.182.195.43:51486: no certificate available for 'test.customerdomain.com'
caddy_1  | 2021/02/03 21:42:56 http: TLS handshake error from 122.182.195.43:65135: no certificate available for 'test.customerdomain.com'
caddy_1  | 2021/02/03 21:44:33 http: TLS handshake error from 122.182.195.43:51494: no certificate available for 'test.customerdomain.com'
caddy_1  | 2021/02/03 21:44:33 http: TLS handshake error from 122.182.195.43:65143: no certificate available for 'test.customerdomain.com'
caddy_1  | 2021/02/03 21:44:33 http: TLS handshake error from 122.182.195.43:51496: no certificate available for 'test.customerdomain.com'
caddy_1  | 2021/02/03 21:44:34 http: TLS handshake error from 122.182.195.43:65145: no certificate available for 'test.customerdomain.com'
caddy_1  | 2021/02/03 21:44:42 http: TLS handshake error from 122.182.195.43:51498: no certificate available for 'test.customerdomain.com'
caddy_1  | 2021/02/03 21:44:42 http: TLS handshake error from 122.182.195.43:65147: no certificate available for 'test.customerdomain.com'
caddy_1  | 2021/02/03 21:44:49 http: TLS handshake error from 122.182.195.43:65149: no certificate available for 'test.customerdomain.com'
caddy_1  | 2021/02/03 21:44:49 http: TLS handshake error from 122.182.195.43:51502: no certificate available for 'test.customerdomain.com'

5. What I already tried:

I am new to Caddy. In fact, this is my first Caddyfile. Please help me understand if this is even possible?

6. Links to relevant resources:

For On-Demand TLS, your config should look like this:

{
    on_demand_tls {
        ask https://example.com/ask
    }
}

mono.mydomain.co {
    reverse_proxy 123.456.789.110:7050
}

https:// {
    tls {
        on_demand
    }

    reverse_proxy 123.456.789.110:7050
}

The https:// site block is essentially your fallback for any hostnames that aren’t otherwise configured.

It’s very important that you make an API endpoint in your app that you can have Caddy make requests to (i.e. ask) if it should be allowed to issue a certificate for it.

What I find strange about your logs, though, is that it looks like you’re not actually running Caddy v2.3.0, because those “TLS handshake error” messages were wrapped in the zap logger a couple of versions ago, and shouldn’t appear unless you turned on the debug global option. Make sure to run docker-compose pull and recreate your containers!


Thanks @francislavoie for the quick help. This is working now. While testing I had changed the version to 2.0.0. I have now updated it to 2.3.0.

Also,

  1. Is it possible to reverse_proxy to another nginx container running on the same host within the same network?
  2. What is the request format for ask https://example.com/ask? Can you please point me to the documentation?

Caddy sets the Host on proxied requests automatically, so yep.

It’s just a GET request with a query ?domain={hostname}. Respond with status 200 for 👍, respond with anything else (4xx usually) for 👎.

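An ask endpoint of the kind described in this reply and in the earlier one that introduced on_demand_tls, written as an added example that is not part of the thread and not Caddy's own code; the in-memory allowlist, the /ask path and the listen address are assumptions, and a real app would consult its record of which customers have pointed a CNAME at the proxy:

```go
package main

import (
	"log"
	"net/http"
	"strings"
)

// AllowedDomains is a hypothetical allowlist of customer hostnames that may
// receive certificates; it is built once at startup and only read afterwards.
type AllowedDomains map[string]struct{}

// NewAllowedDomains builds the allowlist from normalized hostnames.
func NewAllowedDomains(hosts ...string) AllowedDomains {
	a := AllowedDomains{}
	for _, h := range hosts {
		a[Normalize(h)] = struct{}{}
	}
	return a
}

// Normalize lowercases a hostname and strips whitespace and a trailing dot.
func Normalize(host string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(host)), ".")
}

// Allowed reports whether Caddy may obtain a certificate for host.
func (a AllowedDomains) Allowed(host string) bool {
	_, ok := a[Normalize(host)]
	return ok
}

// AskHandler answers Caddy's on_demand_tls ask request, GET /ask?domain=<host>:
// 200 permits issuance; any other status (400 or 403 here) makes Caddy refuse.
func (a AllowedDomains) AskHandler(w http.ResponseWriter, r *http.Request) {
	domain := r.URL.Query().Get("domain")
	switch {
	case domain == "" || len(domain) > 253: // missing or longer than a DNS name
		http.Error(w, "missing or invalid domain", http.StatusBadRequest)
	case !a.Allowed(domain):
		http.Error(w, "domain not allowed", http.StatusForbidden)
	default:
		w.WriteHeader(http.StatusOK)
	}
}

func main() {
	store := NewAllowedDomains("test.customerdomain.com") // constructed sample
	http.HandleFunc("/ask", store.AskHandler)
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil)) // assumed listen address
}
```

Without such an allowlist, anyone who points a hostname at your server can make Caddy request a certificate for it, so the ask endpoint is what keeps on-demand issuance limited to your own customers.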
