Hi, I have Caddy as a reverse proxy for a couple internal services and I am using Letsencrypt with wildcard DNS-01. I am now trying to add client certificates but Caddy doesnt want to start with the following config and error:
tls { //Reused config in each site block below. I want all sites to share this wildcard cert and require the same client cert.
dns namecheap
wildcard
clients require /mnt/user/appdata/caddy/conf/ca.crt
}
service1.domain.com {
import tls
proxy / https://10.0.1.0:8443 {
transparent
websocket
insecure_skip_verify
}
}
service2.domain.com {
import tls
proxy / https://10.0.1.0:8443 {
transparent
websocket
insecure_skip_verify
}
}
The error is:
incompatible TLS configurations for the same SNI name (*.domain.com) on the same listener: multiple hosts requiring client authentication ambiguously configured
whitestrake at apollo in ~/Projects/test
❯ caddy -version
Caddy 0.11.0 (non-commercial use only)
whitestrake at apollo in ~/Projects/test
❯ env CLOUDFLARE_EMAIL=[snip] CLOUDFLARE_API_KEY=[snip] caddy
Activating privacy features... done.
2018/08/03 09:51:58 incompatible TLS configurations for the same SNI name (*.whitestrake.net) on the same listener: multiple hosts requiring client authentication ambiguously configured
The client auth requirement shouldn’t be ambiguous (it’s identical between hosts) and the SNI name should be different. Perhaps this is an unintended side effect of wildcard changing the site label in order to have multiple sites come under one certificate.
Is it failing the check there because each TLS config creates its own x509.NewCertPool() to use as config.ClientCAs, even if the config.ClientCerts list is identical?
Thank you for your time and sorry for the formatting, I am away from a computer until this afternoon. Is there any possible easy workaround in the source that i could recompile myself?
Should i open an issue on Github or do you want to do it?
The error serves to prevent a security vulnerability - as the comment on the check explains, if client certificate requirements vary between configs on the same server name, a client could gain access to a protected resource without supplying the correct certificate because Caddy can’t tell which one to enforce.
From a quick assessment, I’d wager that this particular vulnerability doesn’t apply to you if you keep your actual server names separate, because it seems like the wildcard setting is provoking the error, as Caddy thinks they’re all the same server name.
You could try simply removing that check entirely and recompiling. As long as there’s no other logic in Caddy that relies on the assumption that check was passed (I can’t think of any off the top of my head), it should function just fine. Being a security concern, though, I’d probably want to wait until some of the contributors have had a chance to look it over on Github and discuss the implications, just in case; you’re disabling a feature in place to protect you from clients bypassing your authorization, and that responsibility will be on you.
So if i have a wildcard certificate for domain.com, dont require a client certificate on public.domain.com but require a client certificate for anything on private.domain.com there should be no issues? Not sure if i understand the definition of resource correctly.
Yeah, that’s my understanding. If Caddy must make a decision about which client certificate requirement to enforce at the SNI stage, before the full URL is requested, all Caddy knows at that point is that it’s private.domain.com.
If it had to “guess” (by using the first available, or a “default”, config), it might get it wrong and fail to require the correct certificate, because it only found out after the fact that the request was actually for the other resource at /res2 (which has different security requirements). Hence the check: Make sure the client certificate requirement is the same across the entire SNI name, and we don’t have this problem.
Based on that, as long as you don’t configure two of the same FQDNs (doesn’t look like you have, Caddy just thinks so because wildcard works by pretending the sites are all *.domain.com for TLS purposes) with different client validation requirements (looks like all sites that require client certificates are identical, Caddy doesn’t realise this because each TLS configuration creates its own clientCA pool instead of reusing them), you’ll be fine, security-wise.
Probably worth mentioning that I’m not a security expert or even particularly knowledgeable about the inner mechanics of TLS; I’m just working off the explanation in the source.
Were all the “domain.com” examples in your Caddyfile the same domain? I ask for unredacted Caddyfiles because domain names are already public anyway, and what the actual values are can affect the answer and implementation. I know I won’t invest time on fixing the bug unless we can be absolutely sure we understand the problem.
Hi Matt, yes, they are all the same domain. I will open an issue on Github within the next day or so. The issue was also confirmed by someone else with a minimal example Caddyfile. Thank you for time!