Caddy can't find the certs it just got from LE

I’m trying to set up a quick test instance on Fedora 29 using Caddy from the repos. I’ve got 0.11.1 installed. My Caddyfile reads:

caddy.somedomain.com {
    gzip
    root /usr/share/caddy
    tls load /var/lib/caddy/acme/acme-v02.api.letsencrypt.org/sites/caddy.somedomain.com
}

import conf.d/*.conf

conf.d is empty.

I can see in the logs that caddy goes to LE and gets the cert (love how slick this is). This worked perfectly after I got the caddy file right and I could browse the site with https. About 1/2 hour later the site started reporting errors like:

Feb 13 11:07:50 dev caddy[14215]: 2019/02/13 11:07:50 http: TLS handshake error from 184.105.139.67:1600: tls: no certificates configured

and I was no longer able to browse to the site, instead getting:

dev:~$ curl -H "Host: caddy.somedomain.com" https://localhost
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

I checked the logs and saw that a cert had been acquired from LE and verified it was the right cert with openssl. I verified rights from the certs down to /var/lib and they all look good. I checked SELinux permissions and did find an issue with a mounton failing, but a quick audit2allow fixed that and there are no SELinux errors (even tried running in permissive to be sure). When I added the explicit tls line above I got something useful and caddy will not start:

Feb 13 13:55:18 dev caddy[18922]: 2019/02/13 13:55:18 /etc/caddy/caddy.conf:4 - Error during parsing: Unable to load certificate and key files for 'caddy.somedomain.com': open load: no such file or directory

A quick sudo -u caddy ls /var/lib/caddy/acme/acme-v02.api.letsencrypt.org/sites/caddy.somedomain.com/ works fine.

So, it seems like a permissions problem, but it has the permissions to read that file. I mean, it put the files there in the first place and they’re owned by caddy so unless it’s trying to read them as a user other than caddy I can’t see a permissions issue.

It also worked briefly and I changed nothing, not even editing a file, in the time it took to become broken. Ideas?

Okay, error in my usage of the tls directive, this caddy.conf works:

caddy.somedomain.com {
    gzip
    root /usr/share/caddy
    tls {
        load /var/lib/caddy/acme/acme-v02.api.letsencrypt.org/sites/caddy.somedomain.com/
    }
}

import conf.d/*.conf

And it successfully loads the certs, but now it’s overriding the default HTTPS settings and using port 2015 unless I specify https://caddy.somedomain.com. Unfortunately, now that it finds the certs I get the same error message from curl (on port 2015 or 443). So, my misuse of the tls directive was just a goose chase and I’m back to just:

caddy.somedomain.com {
    gzip
    root /usr/share/caddy
}

import conf.d/*.conf

Hmmm, I switched to overriding using /etc/hosts instead of -H "host: caddy.somedomain.com" and it works. I’ll keep working on my own, we can consider this closed.

Edit: Just to help out any later searchers, including myself, SSL/TLS and possibly SNI aren’t reading the Host header. To override DNS with curl in these cases use --resolve like this:

curl -v --resolve 'caddy.somedomain.com:443:127.0.0.1' -o /dev/null https://caddy.somedomain.com/

Wonder if this was related to https://github.com/mholt/caddy/issues/2465 at all. (Just fixed)
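The closing point of the thread (the certificate is chosen by the SNI name the client sends, which curl --resolve controls, and never by the Host header) as an added shell demonstration. This is not code from the thread or from Caddy; it assumes the openssl CLI is installed, and the host names, port and throwaway self-signed certificates are made up for the test.

```shell
#!/bin/sh
# Added example (not from the thread or Caddy): a TLS server chooses its
# certificate from the SNI name the client sends, not from the HTTP Host
# header. Assumes the openssl CLI is installed; names and port are made up.
set -e
WORK=$(mktemp -d)
SITE=caddy.somedomain.com
PORT=44713

make_cert() {  # $1 = CN, $2 = file prefix (throwaway self-signed cert)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.crt" >/dev/null 2>&1
}

# The default cert is served unless the client's SNI matches -servername,
# in which case -cert2/-key2 are used, much like Caddy picking a site's cert.
start_server() {
  make_cert default.invalid default
  make_cert "$SITE" site
  openssl s_server -accept "$PORT" -www \
    -cert "$WORK/default.crt" -key "$WORK/default.key" \
    -servername "$SITE" -cert2 "$WORK/site.crt" -key2 "$WORK/site.key" \
    >/dev/null 2>&1 &
  SERVER_PID=$!
  sleep 2
}

stop_server() { kill "$SERVER_PID" 2>/dev/null || true; rm -rf "$WORK"; }

# CN of the leaf certificate presented for SNI name $1 ("" = send no SNI).
# This is exactly what curl --resolve exercises; a Host header never reaches TLS.
served_cn() {
  if [ -n "$1" ]; then sni="-servername $1"; else sni="-noservername"; fi
  openssl s_client -connect "127.0.0.1:$PORT" $sni </dev/null 2>/dev/null \
    | openssl x509 -noout -subject | sed 's/.*CN *= *//'
}

demo() {
  start_server
  echo "no SNI                    -> $(served_cn "")"
  echo "SNI $SITE -> $(served_cn "$SITE")"
  stop_server
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh sni_demo.sh demo`: the first line shows the fallback certificate, the second the site's certificate, with no Host header involved at any point.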
