Caddy does not try to obtain TLS certificate

1. The problem I’m having:

Caddy does not try to get TLS certificates, and requests fail with tlsv1 alert internal error

NOTE: The domain in use has only an IPv6 address (i.e. only an AAAA record).

[root@localhost bin]# journalctl -u caddy | grep tls.obtain
[root@localhost bin]# 
❯ curl -vL http://foo.example.com
*   Trying [YYYYYYYYYYYYYYYYYYYYYYYYYYYYYY]:80...
* Connected to foo.example.com (YYYYYYYYYYYYYYYYYYYYYYYYYYYYYY) port 80 (#0)
> GET / HTTP/1.1
> Host: foo.example.com
> User-Agent: curl/8.0.1
> Accept: */*
>
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://foo.example.com/
< Server: Caddy
< Date: Sun, 07 May 2023 22:20:26 GMT
< Content-Length: 0
<
* Closing connection 0
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://foo.example.com/'
*   Trying [YYYYYYYYYYYYYYYYYYYYYYYYYYYYYY]:443...
* Connected to foo.example.com (YYYYYYYYYYYYYYYYYYYYYYYYYYYYYY) port 443 (#1)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (IN), TLS alert, internal error (592):
* OpenSSL/3.0.8: error:0A000438:SSL routines::tlsv1 alert internal error
* Closing connection 1
curl: (35) OpenSSL/3.0.8: error:0A000438:SSL routines::tlsv1 alert internal error

2. Error messages and/or full log output:

May 07 21:57:16 localhost systemd[1]: Started /var/admin/foo/bin/caddy run --config /var/admin/foo/Caddyfile.
May 07 21:57:16 localhost caddy[13915]: {"level":"info","ts":1683496636.5363884,"msg":"using provided configuration","config_file":"/var/admin/foo/Caddyfile","config_adapter":""}
May 07 21:57:16 localhost caddy[13915]: {"level":"warn","ts":1683496636.5377803,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/var/admin/foo/Caddyfile","line":2}
May 07 21:57:16 localhost caddy[13915]: {"level":"info","ts":1683496636.5397632,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
May 07 21:57:16 localhost caddy[13915]: {"level":"info","ts":1683496636.539986,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
May 07 21:57:16 localhost caddy[13915]: {"level":"info","ts":1683496636.5400634,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
May 07 21:57:16 localhost caddy[13915]: {"level":"info","ts":1683496636.5404432,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
May 07 21:57:16 localhost caddy[13915]: {"level":"info","ts":1683496636.540569,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Receive-Buffer-Size for details."}
May 07 21:57:16 localhost caddy[13915]: {"level":"debug","ts":1683496636.540688,"logger":"http","msg":"starting server loop","address":"[::]:443","tls":true,"http3":true}
May 07 21:57:16 localhost caddy[13915]: {"level":"info","ts":1683496636.5407517,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
May 07 21:57:16 localhost caddy[13915]: {"level":"debug","ts":1683496636.5408647,"logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}
May 07 21:57:16 localhost caddy[13915]: {"level":"info","ts":1683496636.5409288,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
May 07 21:57:16 localhost caddy[13915]: {"level":"info","ts":1683496636.540984,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["foo.example.com"]}
May 07 21:57:16 localhost caddy[13915]: {"level":"info","ts":1683496636.541242,"msg":"autosaved config (load with --resume flag)","file":"/var/lib/caddy/envhome/.config/caddy/autosave.json"}
May 07 21:57:16 localhost caddy[13915]: {"level":"info","ts":1683496636.541308,"msg":"serving initial configuration"}
May 07 21:57:16 localhost caddy[13915]: {"level":"info","ts":1683496636.5415487,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000255420"}
May 07 21:57:16 localhost caddy[13915]: {"level":"info","ts":1683496636.5415788,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/var/lib/caddy/envhome/.local/share/caddy"}
May 07 21:57:16 localhost caddy[13915]: {"level":"info","ts":1683496636.541597,"logger":"tls","msg":"finished cleaning storage units"}
May 07 22:10:07 localhost caddy[13915]: {"level":"debug","ts":1683497407.6722271,"logger":"events","msg":"event","name":"tls_get_certificate","id":"b07484cd-46b6-45ca-956e-4100211b2d3c","origin":"tls","data":{"client_hello":{"CipherSuites":[4865,4867,4866,49195,49199,52393,52392,49196,49200,49162,49161,49171,49172,156,157,47,53],"ServerName":"foo.example.com","SupportedCurves":[29,23,24,25,256,257],"SupportedPoints":"AA==","SignatureSchemes":[1027,1283,1539,2052,2053,2054,1025,1281,1537,515,513],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"Conn":{}}}}
May 07 22:10:07 localhost caddy[13915]: {"level":"debug","ts":1683497407.6732764,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"foo.example.com"}
May 07 22:10:07 localhost caddy[13915]: {"level":"debug","ts":1683497407.6733017,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.example.com"}
May 07 22:10:07 localhost caddy[13915]: {"level":"debug","ts":1683497407.6733093,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.com"}
May 07 22:10:07 localhost caddy[13915]: {"level":"debug","ts":1683497407.6735353,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*"}
May 07 22:10:07 localhost caddy[13915]: {"level":"debug","ts":1683497407.6735535,"logger":"tls.handshake","msg":"all external certificate managers yielded no certificates and no errors","remote_ip":"zzzz:zzzz:zzzz:zzzz::zzzz","remote_port":"49792","sni":"foo.example.com"}
May 07 22:10:07 localhost caddy[13915]: {"level":"debug","ts":1683497407.6735659,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"zzzz:zzzz:zzzz:zzzz::zzzz","remote_port":"49792","server_name":"foo.example.com","remote":"[zzzz:zzzz:zzzz:zzzz::zzzz]:49792","identifier":"foo.example.com","cipher_suites":[4865,4867,4866,49195,49199,52393,52392,49196,49200,49162,49161,49171,49172,156,157,47,53],"cert_cache_fill":0,"load_if_necessary":true,"obtain_if_necessary":true,"on_demand":false}
May 07 22:10:07 localhost caddy[13915]: {"level":"debug","ts":1683497407.6737633,"logger":"http.stdlib","msg":"http: TLS handshake error from [YYYYYYYYYYYYYYYYYYYYYYYYX]:49792: no certificate available for 'foo.example.com'"}


3. Caddy version:

774f2288682c117763a42de17b592200469ebaac (06 May 23 17:30 UTC)

4. How I installed and ran Caddy:

binary

a. System environment:

Arch linux

b. Command:

caddy run --config /path/to/Caddyfile

c. Service/unit/compose file:

N/A

d. My complete Caddy config:

{
    debug
}

foo.example.com {
    root * /var/www
    file_server browse
    log {
        output file /var/log/caddy/foo.log
    }
}

5. Links to relevant resources:
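The symptom above is visible in the logs before any client complains: Caddy announces that it will manage a domain, later reports a ClientHello with `obtain_if_necessary: true` and `cert_cache_fill: 0`, and yet no `tls.obtain` event ever appears (which is exactly what the empty `journalctl -u caddy | grep tls.obtain` shows). The following triage script is an added example written for this thread; it is not part of Caddy and not the poster's code. It assumes journalctl-style lines where the JSON body follows `caddy[<pid>]: `, uses the logger names and messages that appear in the thread, and its sample lines are constructed from the thread's output (addresses replaced with documentation values; the `"certificate obtained successfully"` line in the healthy sample is an assumed success message, chosen only because it carries the `tls.obtain` logger).

```python
"""Triage Caddy JSON logs for a "managed domain never provisioned" condition.

Added example, not Caddy's own code. For every domain Caddy said it would
manage, report whether a tls.obtain event was ever logged, whether a
handshake arrived that should have triggered an obtain, and how many
handshakes failed with "no certificate available".
"""
import json
import re
from collections import defaultdict

# journalctl prefix up to and including "caddy[<pid>]: "; the rest is JSON
_JSON_START = re.compile(r"caddy\[\d+\]: (\{.*\})$")
# the stdlib handshake error is a free-form string, not a structured field
_NO_CERT = re.compile(r"no certificate available for '([^']+)'")

# Constructed sample, condensed from the thread (addresses masked to 2001:db8::/32).
BROKEN_LOG = """\
May 07 21:57:16 localhost caddy[13915]: {"level":"info","ts":1683496636.540984,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["foo.example.com"]}
May 07 21:57:16 localhost caddy[13915]: {"level":"info","ts":1683496636.5415487,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000255420"}
May 07 22:10:07 localhost caddy[13915]: {"level":"debug","ts":1683497407.6735659,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","server_name":"foo.example.com","cert_cache_fill":0,"load_if_necessary":true,"obtain_if_necessary":true,"on_demand":false}
May 07 22:10:07 localhost caddy[13915]: {"level":"debug","ts":1683497407.6737633,"logger":"http.stdlib","msg":"http: TLS handshake error from [2001:db8::1]:49792: no certificate available for 'foo.example.com'"}
"""

# Constructed healthy sample; the tls.obtain message text is an assumption.
HEALTHY_LOG = """\
May 07 21:57:16 localhost caddy[13915]: {"level":"info","ts":1683496636.540984,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["foo.example.com"]}
May 07 21:57:20 localhost caddy[13915]: {"level":"info","ts":1683496640.1,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"foo.example.com"}
"""


def parse_lines(text):
    """Yield the JSON object of each line that carries one; skip everything else."""
    for line in text.splitlines():
        m = _JSON_START.search(line)
        if not m:
            continue
        try:
            yield json.loads(m.group(1))
        except json.JSONDecodeError:
            continue  # truncated or non-JSON tail: ignore, do not abort triage


def triage(text):
    """Return {domain: {...}} for every domain Caddy declared it would manage."""
    managed = set()
    obtained = set()           # domains with any tls.obtain* logger event
    should_obtain = set()      # ClientHello seen with obtain_if_necessary=true
    no_cert = defaultdict(int)  # handshake failures per domain

    for ev in parse_lines(text):
        logger = ev.get("logger", "")
        msg = ev.get("msg", "")
        if msg == "enabling automatic TLS certificate management":
            managed.update(ev.get("domains", []))
        elif logger.startswith("tls.obtain"):
            ident = ev.get("identifier")
            if ident:
                obtained.add(ident)
        elif logger == "tls.handshake" and msg == "no certificate matching TLS ClientHello":
            if ev.get("obtain_if_necessary") and ev.get("server_name"):
                should_obtain.add(ev["server_name"])
        elif logger == "http.stdlib":
            m = _NO_CERT.search(msg)
            if m:
                no_cert[m.group(1)] += 1

    report = {}
    for domain in sorted(managed):
        attempted = domain in obtained
        failures = no_cert.get(domain, 0)
        if attempted:
            status = "ok" if failures == 0 else "obtain_attempted_but_failing"
        elif domain in should_obtain or failures:
            # Caddy saw traffic it should have provisioned for, but never tried.
            status = "never_attempted"
        else:
            status = "pending"
        report[domain] = {
            "obtain_attempted": attempted,
            "obtain_expected": domain in should_obtain,
            "handshake_failures": failures,
            "status": status,
        }
    return report


if __name__ == "__main__":
    import sys
    src = sys.stdin.read() if not sys.stdin.isatty() else BROKEN_LOG
    for domain, info in triage(src).items():
        print(domain, info)
```

Run it as `journalctl -u caddy -o cat | python3 triage.py` (the regex only needs the `caddy[pid]:` token, so both `-o cat` and the default output work); a `never_attempted` status for a managed domain is the signal to check the running build rather than DNS or the Caddyfile, since Caddy itself acknowledges the domain and the ClientHello.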

You’re using the latest commit from the master branch. We provide no guarantees that this will work.

In this case, there’s a bug in the latest commit which upgraded CertMagic to a broken version of CertMagic.

Use an older commit for now, or better, use a tagged release for stability.


Thank you! Works with the previous commit (b19946f). Using master for now for the new file_server template.


I just pushed an update to Caddy master that uses the fixed version of CertMagic. (Sorry.)

