Can't get tls internal to work, get internal error in OpenSSL

1. The problem I’m having:

I’m trying to set up Caddy to run an HTTPS server with a self-signed certificate but I cannot get it to work at all. I tried using tls internal but I just get something like curl: (35) TLS connect error: error:0A000438:SSL routines::tlsv1 alert internal error

2. Error messages and/or full log output:

2025/04/11 03:27:47.487 INFO    using adjacent Caddyfile
2025/04/11 03:27:47.488 INFO    adapted config to JSON  {"adapter": "caddyfile"}
2025/04/11 03:27:47.489 INFO    admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2025/04/11 03:27:47.489 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc0001aef80"}
2025/04/11 03:27:47.489 INFO    http.auto_https automatic HTTPS is completely disabled for server       {"server_name": "srv0"}
2025/04/11 03:27:47.489 INFO    pki.ca.local    root certificate trust store installation disabled; unconfigured clients may show warnings      {"path": "storage:pki/authorities/local/root.crt"}
2025/04/11 03:27:47.489 INFO    http    enabling HTTP/3 listener        {"addr": ":3035"}
2025/04/11 03:27:47.489 INFO    failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 7168 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details.
2025/04/11 03:27:47.489 INFO    http.log        server running  {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2025/04/11 03:27:47.489 INFO    autosaved config (load with --resume flag)      {"file": "/home/dram/.config/caddy/autosave.json"}
2025/04/11 03:27:47.489 INFO    serving initial configuration
2025/04/11 03:27:47.509 INFO    tls     storage cleaning happened too recently; skipping for now        {"storage": "FileStorage:/home/dram/.local/share/caddy", "instance": "1fd3e90e-89e3-4f5d-959b-2018276fa279", "try_again": "2025/04/12 03:27:47.509", "try_again_in": 86399.999999674}
2025/04/11 03:27:47.509 INFO    tls     finished cleaning storage units
$ curl -vL https://127.0.0.1:3035
*   Trying 127.0.0.1:3035...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, internal error (592):
* TLS connect error: error:0A000438:SSL routines::tlsv1 alert internal error
* closing connection #0
curl: (35) TLS connect error: error:0A000438:SSL routines::tlsv1 alert internal error

3. Caddy version:

2.9.1

4. How I installed and ran Caddy:

a. System environment:

NixOS unstable (25.05.20250325.698214a (Warbler))

b. Command:

caddy run

c. Service/unit/compose file:

None

d. My complete Caddy config:

{
        auto_https off # Otherwise, tries to listen on 80
        skip_install_trust # Otherwise, tries to sudo
}

:3035 {
        tls internal
        respond "hello i am https"
}

5. Links to relevant resources:

I got help elsewhere. There were two problems:

  • auto_https off disabled certificate generation altogether; it should be auto_https disable_redirects
  • on_demand is needed to generate certificates without specifying a domain name in the config

This one works :tada:

{
        auto_https disable_redirects # Otherwise, tries to listen on 80
        skip_install_trust # Otherwise, tries to sudo
}

:3035 {
        tls internal {
                on_demand
        }
        respond "hello i am https"
}

Of course, in a deployment scenario you would need some restrictions on on_demand, but this is fine enough for my use.

Now I only need to figure out how to mark this as solved…
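The restriction on on_demand mentioned in the solution above, as an added example that is not part of the original post: Caddy's global on_demand_tls { ask <url> } option makes Caddy query an HTTP endpoint with ?domain=<name> before issuing an on-demand certificate, and it issues only when the endpoint answers 200. The Python below is a hypothetical allowlist endpoint for that check; the port 9123, the path /check and the names in the allowlist are assumptions.

```python
# Added example (not from the original post): a minimal "ask" endpoint that
# Caddy consults before issuing an on-demand certificate, so that
# `tls internal { on_demand }` only mints certificates for names you expect.
# Caddy sends GET <ask-url>?domain=<name> and issues only on HTTP 200.
# Matching global option (URL and port are assumptions):
#   {
#           auto_https disable_redirects
#           skip_install_trust
#           on_demand_tls {
#                   ask http://127.0.0.1:9123/check
#           }
#   }
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed allowlist: exact names and IPs, plus permitted suffixes.
ALLOWED_HOSTS = {"127.0.0.1", "::1", "localhost", "app.example.test"}
ALLOWED_SUFFIXES = (".internal.example.test",)


def is_allowed(domain: str) -> bool:
    """Return True if Caddy may issue a certificate for `domain`."""
    name = domain.strip().lower().rstrip(".")  # normalise case, trailing dot
    if not name or "/" in name or " " in name:
        return False
    if name in ALLOWED_HOSTS:
        return True
    return any(name.endswith(s) for s in ALLOWED_SUFFIXES)


class AskHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urlparse(self.path)
        domain = parse_qs(url.query).get("domain", [""])[0]
        ok = url.path == "/check" and is_allowed(domain)
        # Anything other than 200 tells Caddy to refuse issuance.
        self.send_response(200 if ok else 403)
        self.end_headers()


if __name__ == "__main__":
    # Bind to loopback only; this endpoint is an internal policy oracle.
    HTTPServer(("127.0.0.1", 9123), AskHandler).serve_forever()
```

With the endpoint running, a request for an unlisted name is refused at issuance time instead of silently getting a certificate from the local CA.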