1. The problem I’m having:
Caddy never attempts to obtain a TLS certificate for the site (no `tls.obtain` entries appear in the journal, see below), so every HTTPS request fails during the handshake with `tlsv1 alert internal error`.
NOTE: The domain in use is IPv6-only (it has an AAAA record and no A record). I mention it in case it matters, but note that the logs below show no ACME challenge being attempted at all — the handshake fails because no certificate was ever requested, not because a challenge failed.
[root@localhost bin]# journalctl -u caddy | grep tls.obtain
[root@localhost bin]#
❯ curl -vL http://foo.example.com
* Trying [YYYYYYYYYYYYYYYYYYYYYYYYYYYYYY]:80...
* Connected to foo.example.com (YYYYYYYYYYYYYYYYYYYYYYYYYYYYYY) port 80 (#0)
> GET / HTTP/1.1
> Host: foo.example.com
> User-Agent: curl/8.0.1
> Accept: */*
>
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://foo.example.com/
< Server: Caddy
< Date: Sun, 07 May 2023 22:20:26 GMT
< Content-Length: 0
<
* Closing connection 0
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://foo.example.com/'
* Trying [YYYYYYYYYYYYYYYYYYYYYYYYYYYYYY]:443...
* Connected to foo.example.com (YYYYYYYYYYYYYYYYYYYYYYYYYYYYYY) port 443 (#1)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: none
* TLSv1.3 (IN), TLS alert, internal error (592):
* OpenSSL/3.0.8: error:0A000438:SSL routines::tlsv1 alert internal error
* Closing connection 1
curl: (35) OpenSSL/3.0.8: error:0A000438:SSL routines::tlsv1 alert internal error
2. Error messages and/or full log output:
May 07 21:57:16 localhost systemd[1]: Started /var/admin/foo/bin/caddy run --config /var/admin/foo/Caddyfile.
May 07 21:57:16 localhost caddy[13915]: {"level":"info","ts":1683496636.5363884,"msg":"using provided configuration","config_file":"/var/admin/foo/Caddyfile","config_adapter":""}
May 07 21:57:16 localhost caddy[13915]: {"level":"warn","ts":1683496636.5377803,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/var/admin/foo/Caddyfile","line":2}
May 07 21:57:16 localhost caddy[13915]: {"level":"info","ts":1683496636.5397632,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
May 07 21:57:16 localhost caddy[13915]: {"level":"info","ts":1683496636.539986,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
May 07 21:57:16 localhost caddy[13915]: {"level":"info","ts":1683496636.5400634,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
May 07 21:57:16 localhost caddy[13915]: {"level":"info","ts":1683496636.5404432,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
May 07 21:57:16 localhost caddy[13915]: {"level":"info","ts":1683496636.540569,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Receive-Buffer-Size for details."}
May 07 21:57:16 localhost caddy[13915]: {"level":"debug","ts":1683496636.540688,"logger":"http","msg":"starting server loop","address":"[::]:443","tls":true,"http3":true}
May 07 21:57:16 localhost caddy[13915]: {"level":"info","ts":1683496636.5407517,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
May 07 21:57:16 localhost caddy[13915]: {"level":"debug","ts":1683496636.5408647,"logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}
May 07 21:57:16 localhost caddy[13915]: {"level":"info","ts":1683496636.5409288,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
May 07 21:57:16 localhost caddy[13915]: {"level":"info","ts":1683496636.540984,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["foo.example.com"]}
May 07 21:57:16 localhost caddy[13915]: {"level":"info","ts":1683496636.541242,"msg":"autosaved config (load with --resume flag)","file":"/var/lib/caddy/envhome/.config/caddy/autosave.json"}
May 07 21:57:16 localhost caddy[13915]: {"level":"info","ts":1683496636.541308,"msg":"serving initial configuration"}
May 07 21:57:16 localhost caddy[13915]: {"level":"info","ts":1683496636.5415487,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000255420"}
May 07 21:57:16 localhost caddy[13915]: {"level":"info","ts":1683496636.5415788,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/var/lib/caddy/envhome/.local/share/caddy"}
May 07 21:57:16 localhost caddy[13915]: {"level":"info","ts":1683496636.541597,"logger":"tls","msg":"finished cleaning storage units"}
May 07 22:10:07 localhost caddy[13915]: {"level":"debug","ts":1683497407.6722271,"logger":"events","msg":"event","name":"tls_get_certificate","id":"b07484cd-46b6-45ca-956e-4100211b2d3c","origin":"tls","data":{"client_hello":{"CipherSuites":[4865,4867,4866,49195,49199,52393,52392,49196,49200,49162,49161,49171,49172,156,157,47,53],"ServerName":"foo.example.com","SupportedCurves":[29,23,24,25,256,257],"SupportedPoints":"AA==","SignatureSchemes":[1027,1283,1539,2052,2053,2054,1025,1281,1537,515,513],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"Conn":{}}}}
May 07 22:10:07 localhost caddy[13915]: {"level":"debug","ts":1683497407.6732764,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"foo.example.com"}
May 07 22:10:07 localhost caddy[13915]: {"level":"debug","ts":1683497407.6733017,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.example.com"}
May 07 22:10:07 localhost caddy[13915]: {"level":"debug","ts":1683497407.6733093,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.com"}
May 07 22:10:07 localhost caddy[13915]: {"level":"debug","ts":1683497407.6735353,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*"}
May 07 22:10:07 localhost caddy[13915]: {"level":"debug","ts":1683497407.6735535,"logger":"tls.handshake","msg":"all external certificate managers yielded no certificates and no errors","remote_ip":"zzzz:zzzz:zzzz:zzzz::zzzz","remote_port":"49792","sni":"foo.example.com"}
May 07 22:10:07 localhost caddy[13915]: {"level":"debug","ts":1683497407.6735659,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"zzzz:zzzz:zzzz:zzzz::zzzz","remote_port":"49792","server_name":"foo.example.com","remote":"[zzzz:zzzz:zzzz:zzzz::zzzz]:49792","identifier":"foo.example.com","cipher_suites":[4865,4867,4866,49195,49199,52393,52392,49196,49200,49162,49161,49171,49172,156,157,47,53],"cert_cache_fill":0,"load_if_necessary":true,"obtain_if_necessary":true,"on_demand":false}
May 07 22:10:07 localhost caddy[13915]: {"level":"debug","ts":1683497407.6737633,"logger":"http.stdlib","msg":"http: TLS handshake error from [YYYYYYYYYYYYYYYYYYYYYYYYX]:49792: no certificate available for 'foo.example.com'"}
3. Caddy version (output of `caddy version`; this appears to be a build from a git commit rather than a tagged release):
774f2288682c117763a42de17b592200469ebaac (06 May 23 17:30 UTC)
4. How I installed and ran Caddy:
Standalone binary at /var/admin/foo/bin/caddy (see the `systemd[1]: Started …` journal line above), not a distro package.
a. System environment:
Arch linux
b. Command:
caddy run --config /var/admin/foo/Caddyfile (the actual path, as shown in the "using provided configuration" log line above)
c. Service/unit/compose file:
No unit file of my own; the journal shows Caddy being started by systemd (`systemd[1]: Started /var/admin/foo/bin/caddy run --config /var/admin/foo/Caddyfile`), so it is run under a systemd unit named `caddy`, but there is no hand-written unit/compose file to include.
d. My complete Caddy config:
# Global options.
{
# `debug` is what produces the tls.handshake / events entries in the log
# above; it records every ClientHello and peer address, so turn it off once
# the problem is diagnosed.
debug
}
foo.example.com {
root * /var/www
# NOTE(review): `browse` enables directory listings, so everything under
# /var/www is enumerable by anyone who can reach the site — keep only
# intentionally public files there.
file_server browse
log {
output file /var/log/caddy/foo.log
}
}