Client_auth with verify_if_given Fails If No Certificate Is Sent

1. The problem I’m having:

I configured Caddy to use client certificates with mode verify_if_given, a trusted_ca_cert_file and a trusted_leaf_cert_file. As expected, I get prompted for a client certificate and the site loads fine if I provide it. However, if I do not send a client certificate then the connection fails. According to the Caddy log a TLS handshake error occurred due to no client certificate being provided. Doesn’t verify_if_given allow the connection if no certificate is sent by the client?

2. Error messages and/or full log output:

caddy  | 2023-12-25T18:11:01.179Z       DEBUG   http.stdlib     http: TLS handshake error from 192.168.1.24:5596: no client certificate provided

3. Caddy version:

v2.7.5

4. How I installed and ran Caddy:

Docker on Ubuntu server.

a. System environment:

  • Ubuntu 22.04.3 LTS
  • Docker Engine 24.0.7
  • Docker Compose 2.23.3

b. Command:

sudo docker compose up -d

c. Service/unit/compose file:

d. My complete Caddy config:

{
        email foo@yahoo.com
        log default {
                output stdout
                format console {
                        time_format iso8601
                        time_local
                }
        }
}

*.foobar.duckdns.org, foobar.duckdns.org, {
        tls {
                dns duckdns <token>
                client_auth {
                        mode verify_if_given
                        trusted_ca_cert_file /etc/ssl/caddy/client_certs/Intermediate_CA.cer
                        trusted_leaf_cert_file /etc/ssl/caddy/client_certs/Client_Certificate.cer
                }
        }

        @immich host immich.foobar.duckdns.org
        handle @immich {
                reverse_proxy https://192.168.150.40:28376 {
                        header_up Host immich.ddns.net:28376
                        transport http {
                                tls_server_name immich.ddns.net
                        }
                }
        }

        @nextcloud host nextcloud.foobar.duckdns.org
        handle @nextcloud {
                reverse_proxy https://192.168.1.112:46950 {
                        transport http {
                                tls_server_name nextcloud.ddns.net
                        }
                }
        }

        handle {
                abort
        }
}

5. Links to relevant resources:

Ok, fixed it. Simply had to remove the trusted_leaf_cert_file subdirective.
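An added Go illustration (my own, not Caddy's code) of the interaction behind this thread: when a server pins a trusted leaf certificate through tls.Config.VerifyPeerCertificate, Go still invokes that callback when the client sends no certificate at all, so the callback has to accept an empty chain under tls.VerifyClientCertIfGiven, otherwise the handshake fails with the same kind of "no client certificate provided" error as in the log above. The names newSampleCert and leafPinVerifier and the mode parameter are assumptions of this example, and the certificates are constructed in-process.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newSampleCert builds a constructed self-signed certificate for this demo (not a real client cert).
func newSampleCert(serial int64) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constant demo inputs, errors ignored
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// leafPinVerifier returns a VerifyPeerCertificate callback that pins the client's leaf certificate.
// Go calls it even when no client certificate was sent, so it must honour the client-auth mode itself.
func leafPinVerifier(trusted *x509.Certificate, mode tls.ClientAuthType) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			if mode == tls.VerifyClientCertIfGiven {
				return nil // optional client auth: proceed without a certificate
			}
			return errors.New("no client certificate provided") // the failure seen in the log above
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		if !leaf.Equal(trusted) {
			return errors.New("client leaf certificate is not in the trusted set")
		}
		return nil
	}
}

func main() {
	trusted := newSampleCert(1)
	verify := leafPinVerifier(trusted, tls.VerifyClientCertIfGiven)
	fmt.Println("no cert accepted:", verify(nil, nil) == nil, "| pinned cert accepted:", verify([][]byte{trusted.Raw}, nil) == nil)
}
```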
