Caddy + Docker Swarm - "TLS handshake error"

I’m deploying Caddy to a Docker Swarm - single node.

Everything works, but when checking the Caddy logs I see a lot of these entries:

test_caddy.1.b8wtwtd6r0d5@REDACTED-DOMAIN.sh    | 2018/12/07 06:09:38 http: TLS handshake error from 10.255.0.2:34087: tls: no certificates configured
test_caddy.1.b8wtwtd6r0d5@REDACTED-DOMAIN.sh    | 2018/12/07 06:09:38 http: TLS handshake error from 10.255.0.2:34088: tls: no certificates configured
test_caddy.1.b8wtwtd6r0d5@REDACTED-DOMAIN.sh    | 2018/12/07 06:10:01 http: TLS handshake error from 10.255.0.2:35570: tls: no certificates configured
test_caddy.1.b8wtwtd6r0d5@REDACTED-DOMAIN.sh    | 2018/12/07 06:10:02 http: TLS handshake error from 10.255.0.2:35572: tls: no certificates configured
test_caddy.1.b8wtwtd6r0d5@REDACTED-DOMAIN.sh    | 2018/12/07 06:10:02 http: TLS handshake error from 10.255.0.2:35576: tls: no certificates configured
test_caddy.1.b8wtwtd6r0d5@REDACTED-DOMAIN.sh    | 2018/12/07 06:10:02 http: TLS handshake error from 10.255.0.2:35578: tls: no certificates configured
test_caddy.1.b8wtwtd6r0d5@REDACTED-DOMAIN.sh    | 2018/12/07 06:10:04 http: TLS handshake error from 10.255.0.2:63630: tls: no certificates configured
test_caddy.1.b8wtwtd6r0d5@REDACTED-DOMAIN.sh    | 2018/12/07 06:10:04 http: TLS handshake error from 10.255.0.2:63632: tls: no certificates configured
test_caddy.1.b8wtwtd6r0d5@REDACTED-DOMAIN.sh    | 2018/12/07 06:10:04 http: TLS handshake error from 10.255.0.2:63634: tls: no certificates configured
test_caddy.1.b8wtwtd6r0d5@REDACTED-DOMAIN.sh    | 2018/12/07 06:10:04 http: TLS handshake error from 10.255.0.2:63636: tls: no certificates configured
test_caddy.1.b8wtwtd6r0d5@REDACTED-DOMAIN.sh    | 2018/12/07 06:10:14 http: TLS handshake error from 10.255.0.2:57721: tls: no certificates configured
test_caddy.1.b8wtwtd6r0d5@REDACTED-DOMAIN.sh    | 2018/12/07 06:10:14 http: TLS handshake error from 10.255.0.2:57722: tls: no certificates configured
test_caddy.1.b8wtwtd6r0d5@REDACTED-DOMAIN.sh    | 2018/12/07 06:11:02 http: TLS handshake error from 10.255.0.2:35626: tls: no certificates configured
test_caddy.1.b8wtwtd6r0d5@REDACTED-DOMAIN.sh    | 2018/12/07 06:11:02 http: TLS handshake error from 10.255.0.2:35628: tls: no certificates configured
test_caddy.1.b8wtwtd6r0d5@REDACTED-DOMAIN.sh    | 2018/12/07 06:11:31 http: TLS handshake error from 10.255.0.2:58156: tls: no certificates configured
test_caddy.1.b8wtwtd6r0d5@REDACTED-DOMAIN.sh    | 2018/12/07 06:11:31 http: TLS handshake error from 10.255.0.2:58158: tls: no certificates configured
test_caddy.1.b8wtwtd6r0d5@REDACTED-DOMAIN.sh    | 2018/12/07 06:12:03 http: TLS handshake error from 10.255.0.2:35660: tls: no certificates configured
test_caddy.1.b8wtwtd6r0d5@REDACTED-DOMAIN.sh    | 2018/12/07 06:12:03 http: TLS handshake error from 10.255.0.2:35662: tls: no certificates configured
test_caddy.1.b8wtwtd6r0d5@REDACTED-DOMAIN.sh    | 2018/12/07 06:12:23 http: TLS handshake error from 10.255.0.2:58430: tls: no certificates configured
test_caddy.1.b8wtwtd6r0d5@REDACTED-DOMAIN.sh    | 2018/12/07 06:12:23 http: TLS handshake error from 10.255.0.2:58434: tls: no certificates configured
test_caddy.1.b8wtwtd6r0d5@REDACTED-DOMAIN.sh    | 2018/12/07 06:13:04 http: TLS handshake error from 10.255.0.2:35694: tls: no certificates configured
test_caddy.1.b8wtwtd6r0d5@REDACTED-DOMAIN.sh    | 2018/12/07 06:13:04 http: TLS handshake error from 10.255.0.2:35696: tls: no certificates configured
test_caddy.1.b8wtwtd6r0d5@REDACTED-DOMAIN.sh    | 2018/12/07 06:14:05 http: TLS handshake error from 10.255.0.2:35732: tls: no certificates configured
test_caddy.1.b8wtwtd6r0d5@REDACTED-DOMAIN.sh    | 2018/12/07 06:14:05 http: TLS handshake error from 10.255.0.2:35734: tls: no certificates configured
test_caddy.1.b8wtwtd6r0d5@REDACTED-DOMAIN.sh    | 2018/12/07 06:15:07 http: TLS handshake error from 10.255.0.2:35762: tls: no certificates configured
test_caddy.1.b8wtwtd6r0d5@REDACTED-DOMAIN.sh    | 2018/12/07 06:15:07 http: TLS handshake error from 10.255.0.2:35764: tls: no certificates configured

My Caddyfile:

https://subdomain.domain.sh {
	root /var/www
	ext .html
	log stdout
	errors stdout
	gzip
	browse
	tls {
		dns cloudflare
	}
	# header / Strict-Transport-Security "max-age=31536000;"
}

My docker-stack.yml is pretty simple:

services:
  caddy:
    image: ...
    volumes:
      - caddy-cloudflare:/home/caddy/.caddy
      - ./caddy/:/etc/caddy/
    environment:
      CLOUDFLARE_EMAIL: ...
      CLOUDFLARE_API_KEY: ...
    ports:
      - "80:80"
      - "443:443"

volumes:
  caddy-cloudflare: {}

Looks like Caddy’s just fielding requests for websites you don’t serve.

Since Caddy doesn’t serve them, it hasn’t got certificates for them, hence the handshake error.

Connection spam isn’t an unexpected behaviour, generally speaking, for a public-facing HTTP(S) service.

Ohhh, now I understand. Since Docker Swarm overrides the origin IP, all the requests seem like they're coming from 10.255.0.2, and that's what was confusing.
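To make the noise in the logs above readable, here is a small added example (not from the thread or from Caddy itself) that parses the `TLS handshake error` lines, counts them by source IP and reason, and flags the case this thread describes: every error attributed to one address in the Swarm ingress range, which means the source column shows the ingress NAT rather than the real client. The sample lines are constructed in the format shown above, and the `10.255.` prefix is assumed to be Swarm's default ingress subnet.

```python
import re
from collections import Counter

# Constructed sample lines in the format the thread shows (not real traffic).
SAMPLE_LOG = """\
test_caddy.1.b8wtwtd6r0d5@REDACTED-DOMAIN.sh    | 2018/12/07 06:09:38 http: TLS handshake error from 10.255.0.2:34087: tls: no certificates configured
test_caddy.1.b8wtwtd6r0d5@REDACTED-DOMAIN.sh    | 2018/12/07 06:09:38 http: TLS handshake error from 10.255.0.2:34088: tls: no certificates configured
test_caddy.1.b8wtwtd6r0d5@REDACTED-DOMAIN.sh    | 2018/12/07 06:10:01 http: TLS handshake error from 10.255.0.2:35570: tls: no certificates configured
test_caddy.1.b8wtwtd6r0d5@REDACTED-DOMAIN.sh    | 2018/12/07 06:10:02 http: TLS handshake error from 10.255.0.2:35572: EOF
test_caddy.1.b8wtwtd6r0d5@REDACTED-DOMAIN.sh    | 2018/12/07 06:10:02 Activating privacy features... done.
"""

HANDSHAKE_RE = re.compile(
    r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"http: TLS handshake error from (?P<ip>\S+):(?P<port>\d+): (?P<reason>.+?)\s*$"
)

def parse_handshake_errors(text):
    """Return one dict per 'TLS handshake error' line; other log lines are skipped."""
    events = []
    for line in text.splitlines():
        m = HANDSHAKE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events

def summarize(events):
    """Count errors by (source IP, reason) so the noise can be read at a glance."""
    return Counter((e["ip"], e["reason"]) for e in events)

def single_masked_source(events, ingress_prefix="10.255."):
    """If every error comes from one address inside the Swarm ingress range,
    return that address: the real client IP is hidden behind ingress NAT, so the
    source column cannot be used for blocking or rate limiting. Otherwise None.
    The 10.255.0.0/16 prefix is Swarm's default ingress subnet (assumption)."""
    ips = {e["ip"] for e in events}
    if len(ips) == 1:
        ip = ips.pop()
        if ip.startswith(ingress_prefix):
            return ip
    return None

if __name__ == "__main__":
    evs = parse_handshake_errors(SAMPLE_LOG)
    for (ip, reason), n in summarize(evs).most_common():
        print(f"{n:4d}  {ip:<15}  {reason}")
    masked = single_masked_source(evs)
    if masked:
        print(f"all errors attributed to {masked}: that is the ingress, not the client")
```

Run it against `docker service logs` output to see whether the errors are really one scanner or many, which you can only tell once the real client address reaches Caddy.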
