I’m trying to set up a quick test instance on Fedora 29 using Caddy from the repos. I’ve got 0.11.1 installed. My Caddyfile reads:
caddy.somedomain.com {
gzip
root /usr/share/caddy
tls load /var/lib/caddy/acme/acme-v02.api.letsencrypt.org/sites/caddy.somedomain.com
}
import conf.d/*.conf
conf.d is empty.
I can see in the logs that Caddy goes to LE and gets the cert (love how slick this is). This worked perfectly after I got the Caddyfile right, and I could browse the site with https. About half an hour later the site started reporting errors like:
Feb 13 11:07:50 dev caddy[14215]: 2019/02/13 11:07:50 http: TLS handshake error from 184.105.139.67:1600: tls: no certificates configured
and I was no longer able to browse to the site, instead getting:
dev:~$ curl -H "Host: caddy.somedomain.com" https://localhost
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
I checked the logs and saw that a cert had been acquired from LE, and verified it was the right cert with openssl. I verified rights from the certs down to /var/lib and they all look good. I checked SELinux permissions and did find an issue with a mounton failing, but a quick audit2allow fixed that, and there are no SELinux errors (I even tried running in permissive to be sure). When I added the explicit tls line above, I got something useful, and Caddy will not start:
Feb 13 13:55:18 dev caddy[18922]: 2019/02/13 13:55:18 /etc/caddy/caddy.conf:4 - Error during parsing: Unable to load certificate and key files for 'caddy.somedomain.com': open load: no such file or directory
A quick sudo -u caddy ls /var/lib/caddy/acme/acme-v02.api.letsencrypt.org/sites/caddy.somedomain.com/ works fine.
So, it seems like a permissions problem, but it has the permissions to read that file. I mean, it put the files there in the first place and they’re owned by caddy, so unless it’s trying to read them as a user other than caddy I can’t see a permissions issue.
It also worked briefly and I changed nothing, not even editing a file, in the time it took to become broken. Ideas?
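The checks the post describes (confirming with openssl that the stored certificate is the right one, and confirming the files are readable) can be scripted so they are repeatable. The script below is an added example written for this page, not code from the original post or from the Caddy project. It assumes the site's certificate and key sit next to each other as `<host>.crt` and `<host>.key` (the layout Caddy 0.x uses under its `acme/.../sites/<host>/` directory) and, when run with no arguments, builds a constructed self-signed pair for `caddy.somedomain.com` in a temporary directory so it runs offline; pass a real cert, key and hostname to check a live installation, and run it under `sudo -u caddy` to test readability as the service account rather than as yourself.

```shell
#!/bin/sh
# Added example (not from the original post): offline checks on a stored
# cert/key pair. Usage: sh certcheck.sh [cert] [key] [host]. With no
# arguments a constructed self-signed pair is generated and checked.
# Run as the service user to test its access:
#   sudo -u caddy sh certcheck.sh /path/to/host.crt /path/to/host.key host
set -eu

# Does the certificate's public key match the private key?
# A mismatched pair is rejected at load time or breaks the handshake.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Is the hostname listed as a DNS subjectAltName? The server selects a
# certificate for a site by name, so the SAN must cover the site.
cert_covers_host() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    grep -qE "DNS:$2(,|[[:space:]]|$)"
}

# Is the certificate still inside its validity period right now?
cert_is_current() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Can the *current* user read both files? Ownership alone is not enough;
# mode bits and SELinux labels also decide this, which is why the check
# should be run as the account the daemon actually uses.
files_readable() {
  [ -r "$1" ] && [ -r "$2" ]
}

# Run every check, print a one-line verdict each, return 0 only if all pass.
check_pair() {
  rc=0
  files_readable "$1" "$2"   && echo "ok   files readable by $(id -un)" || { echo "FAIL files not readable by $(id -un)"; rc=1; }
  cert_matches_key "$1" "$2" && echo "ok   certificate matches key"    || { echo "FAIL certificate does not match key"; rc=1; }
  cert_is_current "$1"       && echo "ok   certificate is current"     || { echo "FAIL certificate expired or unreadable"; rc=1; }
  cert_covers_host "$1" "$3" && echo "ok   SAN covers $3"              || { echo "FAIL SAN does not cover $3"; rc=1; }
  return $rc
}

# Constructed test data: a throwaway self-signed pair for host $2 in dir $1.
# This stands in for the Let's Encrypt files; it is not a real certificate.
make_sample_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

SAMPLE_HOST=caddy.somedomain.com   # assumed hostname, taken from the post
if [ $# -eq 3 ]; then
  check_pair "$1" "$2" "$3"
else
  WORK=$(mktemp -d)
  trap 'rm -rf "$WORK"' EXIT
  make_sample_pair "$WORK" "$SAMPLE_HOST"
  check_pair "$WORK/$SAMPLE_HOST.crt" "$WORK/$SAMPLE_HOST.key" "$SAMPLE_HOST"
fi
```

The readability check is deliberately done with the shell's `-r` test rather than by inspecting mode bits, because that is what the daemon experiences: a file owned by the right user can still be unreadable through a denied SELinux label or a parent directory without search permission, and `-r` run as that user reports the combined effect.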