Hmm, I noticed that log has changed (are any of these changes documented somewhere on a change log?). Changed:

    log /var/log/caddy/git-quark-business.log {
        rotate {
            size 1 # Rotate after 1 MB
            age 7 # Keep log files for 7 days
            keep 1 # Keep at most 1 log file
        }
    }

To:

    log /var/log/caddy/git-quark-business.log {
        rotate_size 1 # Rotate after 1 MB
        rotate_age 7 # Keep log files for 7 days
        rotate_keep 1 # Keep at most 1 log file
    }

And the error went away, but it will still refuse to start with systemctl start caddy. If I run caddy in /etc/caddy/ (where the Caddyfile is), it runs fine. What next?
The release notes are in CHANGES.txt, which is distributed with every Caddy download and is also always available on GitHub: Releases · caddyserver/caddy · GitHub. For significant releases there is also a blog post with more information. (A quick Google search for “Caddy release notes” would bring these up too ;))
Help me out - I’m looking for an error message here. What’s the error?
Thanks, that’s much more helpful. There would be errors on the server side if you’re reading the logs – make sure you enable the logs with the -log flag.
I see the same thing here, but I’m not sure why it would have changed in 0.10…
This is what it gets in the log (running caddy -log /tmp/dump.txt):
2017/04/26 11:07:09 http: TLS handshake error from 132.170.26.39:58031: tls: no cipher suite supported by both client and server
2017/04/26 11:07:09 http: TLS handshake error from 132.170.26.39:58032: tls: no cipher suite supported by both client and server
2017/04/26 11:07:09 http: TLS handshake error from 132.170.26.39:58033: tls: client offered an unsupported, maximum protocol version of 301
2017/04/26 11:07:09 http: TLS handshake error from 132.170.26.39:58034: tls: client offered an unsupported, maximum protocol version of 301
Okay, so, this is an easy explanation. I didn’t catch this before in your config:
ECDHE-ECDSA-AES256-GCM-SHA384 is the only cipher suite you’re allowing, but your certificate is RSA. You can’t use a wholly elliptic cipher suite with an RSA key; while it can use EC for key exchange, the asymmetric encryption (for the signature) has to use an RSA key, so ECDSA won’t be used.
So add ECDHE-RSA-AES256-GCM-SHA384 to your cipher suite list.
This is one reason why I urge caution when adjusting the TLS configuration. The defaults are sane, I suggest sticking to them unless you’re really careful.
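To make the mismatch above concrete, here is an added example (not from this thread, and not Caddy's own code) that reproduces it with Go's crypto/tls, which is where Caddy's "no cipher suite supported by both client and server" message comes from. It generates a throwaway self-signed RSA certificate for the made-up name example.test, runs an in-process TLS 1.2 handshake over net.Pipe with the server restricted to ECDHE-ECDSA-AES256-GCM-SHA384 only, and then repeats it with ECDHE-RSA-AES256-GCM-SHA384 added. The certificate, hostname and the helper names are constructed for the example. Both sides are pinned to TLS 1.2 because TLS 1.3 ignores the CipherSuites list and picks the signature algorithm separately, so the mismatch only shows up on a 1.2 handshake:

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedRSA builds a throwaway self-signed RSA certificate for the made-up
// name "example.test" plus a pool that trusts it. Constructed test material
// standing in for the RSA certificate discussed in the thread.
func selfSignedRSA() (tls.Certificate, *x509.CertPool, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// handshake runs one in-process TLS 1.2 handshake over net.Pipe with the server
// restricted to serverSuites. It returns the negotiated suite name, or the
// server-side handshake error (the same error Caddy writes to its log, since it
// originates in crypto/tls). TLS 1.3 ignores CipherSuites and chooses the
// signature algorithm independently of the suite, so both ends are pinned to 1.2.
func handshake(cert tls.Certificate, pool *x509.CertPool, serverSuites []uint16) (string, error) {
	srvConf := &tls.Config{
		Certificates: []tls.Certificate{cert},
		CipherSuites: serverSuites,
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12,
	}
	cliConf := &tls.Config{
		RootCAs:    pool,
		ServerName: "example.test",
		MinVersion: tls.VersionTLS12,
		MaxVersion: tls.VersionTLS12,
	}
	c1, c2 := net.Pipe()
	defer c1.Close()
	defer c2.Close()
	srv := tls.Server(c1, srvConf)
	cli := tls.Client(c2, cliConf)

	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	cliErr := cli.Handshake()
	if err := <-srvErr; err != nil {
		return "", err // e.g. "tls: no cipher suite supported by both client and server"
	}
	if cliErr != nil {
		return "", cliErr
	}
	return tls.CipherSuiteName(srv.ConnectionState().CipherSuite), nil
}

func main() {
	cert, pool, err := selfSignedRSA()
	if err != nil {
		panic(err)
	}
	// The poster's list: ECDSA-only, which an RSA certificate can never satisfy.
	ecdsaOnly := []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384}
	// The fix from the thread: also allow the RSA-signed ECDHE suite.
	withRSA := []uint16{
		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	}

	_, err = handshake(cert, pool, ecdsaOnly)
	fmt.Println("ECDSA-only suite list with RSA cert:", err)
	suite, err := handshake(cert, pool, withRSA)
	fmt.Println("with ECDHE-RSA added:", suite, err)
}
```

The first handshake fails on the server with exactly the message in the log above; the second completes and negotiates TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, the only suite in the list the RSA key can sign for. Swapping in an ECDSA certificate would flip the result, which is the quick way to check which side of the suite/key pairing is wrong on a real server.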
Because in Go 1.8 we can finally customize each site’s TLS config, rather than having to combine the configs of all sites that share a listener. Before, it unioned the cipher suites, meaning that another site had a more generous cipher suite selection.