Combining on demand TLS with custom SSL certs doesn't seem to work in 2.1.1

1. Caddy version (caddy version):

v2.1.1 h1:X9k1+ehZPYYrSqBvf/ocUgdLSRIuiNiMo7CvyGUQKeA=

2. How I run Caddy:

caddy run --environ --config /etc/caddy/Caddyfile

a. System environment:

Ubuntu 18.04.2 LTS

b. Command:

caddy run --environ --config /etc/caddy/Caddyfile

d. My complete Caddyfile or JSON config:

{
  on_demand_tls {
    ask https://hashnode.com/utility/ajax/can-generate-ssl
  }
}

:443 {
  tls {
    on_demand
  }
  reverse_proxy localhost:3000
  encode gzip
  log {
    output file /home/sandeep/caddy2/access.log
  }
}

*.hashnode.dev:443 {
  tls /home/sandeep/ssl/fullchain.pem /home/sandeep/ssl/privkey.pem
  reverse_proxy localhost:3000
  encode gzip
  log {
    output file /home/sandeep/caddy2/access.log
  }
}

3. The problem I’m having:

I am trying to upgrade from Caddy 1 to Caddy 2. Everything seems to work except for one particular thing. We have a multi-tenant app that powers 3000+ custom domains. In the above config, I have on_demand tls set for :443. So, any custom domain that is mapped to our IP is served over HTTPS.

But we also have our own subdomains *.hashnode.dev – I have created another server block for them in the Caddyfile. However, if I add this block (*.hashnode.dev), on-demand TLS is not working anymore. It works fine if this block is removed.

Detailed logs below.

4. Error messages and/or full log output:

2020/09/08 13:17:17.709	INFO	using provided configuration	{"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""}
2020/09/08 13:17:17.711	INFO	admin	admin endpoint started	{"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["localhost:2019", "[::1]:2019", "127.0.0.1:2019"]}
2020/09/08 13:17:17 [INFO][cache:0xc000343440] Started certificate maintenance routine
2020/09/08 13:17:17.713	INFO	http	skipping automatic certificate management because one or more matching certificates are already loaded	{"domain": "*.hashnode.dev", "server_name": "srv0"}
2020/09/08 13:17:17.713	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
2020/09/08 13:17:17.714	INFO	tls	cleaned up storage units
2020/09/08 13:17:17.714	INFO	autosaved config	{"file": "/home/sandeep/.config/caddy/autosave.json"}
2020/09/08 13:17:17.715	INFO	serving initial configuration
2020/09/08 13:17:24 http: TLS handshake error from 49.207.202.108:43554: no server TLS configuration available for ClientHello: &{CipherSuites:[14906 4865 4866 4867 49195 49199 49196 49200 52393 52392 49171 49172 156 157 47 53] ServerName:sandeep.dev SupportedCurves:[27242 29 23 24] SupportedPoints:[0] SignatureSchemes:[1027 2052 1025 1283 2053 1281 2054 1537] SupportedProtos:[h2 http/1.1] SupportedVersions:[2570 772 771 770 769] Conn:0xc00000f478 config:0xc000494f00}
2020/09/08 13:17:24 http: TLS handshake error from 49.207.202.108:43555: no server TLS configuration available for ClientHello: &{CipherSuites:[60138 4865 4866 4867 49195 49199 49196 49200 52393 52392 49171 49172 156 157 47 53 10] ServerName:sandeep.dev SupportedCurves:[23130 29 23 24] SupportedPoints:[0] SignatureSchemes:[1027 2052 1025 1283 2053 1281 2054 1537 513] SupportedProtos:[h2 http/1.1] SupportedVersions:[35466 772 771 770 769] Conn:0xc00000f480 config:0xc000494f00}
2020/09/08 13:17:24 http: TLS handshake error from 49.207.202.108:43556: no server TLS configuration available for ClientHello: &{CipherSuites:[56026 4865 4866 4867 49195 49199 49196 49200 52393 52392 49171 49172 156 157 47 53] ServerName:sandeep.dev SupportedCurves:[27242 29 23 24] SupportedPoints:[0] SignatureSchemes:[1027 2052 1025 1283 2053 1281 2054 1537] SupportedProtos:[h2 http/1.1] SupportedVersions:[51914 772 771 770 769] Conn:0xc00000f488 config:0xc000494f00}
2020/09/08 13:17:24 http: TLS handshake error from 49.207.202.108:43557: no server TLS configuration available for ClientHello: &{CipherSuites:[31354 4865 4866 4867 49195 49199 49196 49200 52393 52392 49171 49172 156 157 47 53 10] ServerName:sandeep.dev SupportedCurves:[10794 29 23 24] SupportedPoints:[0] SignatureSchemes:[1027 2052 1025 1283 2053 1281 2054 1537 513] SupportedProtos:[h2 http/1.1] SupportedVersions:[14906 772 771 770 769] Conn:0xc00000f490 config:0xc000494f00}
2020/09/08 13:17:24 http: TLS handshake error from 49.207.202.108:43561: no server TLS configuration available for ClientHello: &{CipherSuites:[2570 4865 4866 4867 49195 49199 49196 49200 52393 52392 49171 49172 156 157 47 53] ServerName:sandeep.dev SupportedCurves:[23130 29 23 24] SupportedPoints:[0] SignatureSchemes:[1027 2052 1025 1283 2053 1281 2054 1537] SupportedProtos:[h2 http/1.1] SupportedVersions:[64250 772 771 770 769] Conn:0xc00000f498 config:0xc000494f00}
2020/09/08 13:17:24 http: TLS handshake error from 49.207.202.108:43562: no server TLS configuration available for ClientHello: &{CipherSuites:[56026 4865 4866 4867 49195 49199 49196 49200 52393 52392 49171 49172 156 157 47 53 10] ServerName:sandeep.dev SupportedCurves:[35466 29 23 24] SupportedPoints:[0] SignatureSchemes:[1027 2052 1025 1283 2053 1281 2054 1537 513] SupportedProtos:[h2 http/1.1] SupportedVersions:[39578 772 771 770 769] Conn:0xc00000f4a0 config:0xc000494f00}
2020/09/08 13:17:25 http: TLS handshake error from 49.207.202.108:43566: no server TLS configuration available for ClientHello: &{CipherSuites:[35466 4865 4866 4867 49195 49199 49196 49200 52393 52392 49171 49172 156 157 47 53] ServerName:sandeep.dev SupportedCurves:[64250 29 23 24] SupportedPoints:[0] SignatureSchemes:[1027 2052 1025 1283 2053 1281 2054 1537] SupportedProtos:[h2 http/1.1] SupportedVersions:[35466 772 771 770 769] Conn:0xc00000f4a8 config:0xc000494f00}
2020/09/08 13:17:25 http: TLS handshake error from 49.207.202.108:43567: no server TLS configuration available for ClientHello: &{CipherSuites:[35466 4865 4866 4867 49195 49199 49196 49200 52393 52392 49171 49172 156 157 47 53 10] ServerName:sandeep.dev SupportedCurves:[51914 29 23 24] SupportedPoints:[0] SignatureSchemes:[1027 2052 1025 1283 2053 1281 2054 1537 513] SupportedProtos:[h2 http/1.1] SupportedVersions:[43690 772 771 770 769] Conn:0xc00000f4b0 config:0xc000494f00}

I would like on_demand TLS to be active for custom user supplied domains (ours is a multi-tenant system) and at the same time be able to use my own certs for *.hashnode.dev domains.

How can I achieve it?

Update: This works when I downgrade to 2.0.0

Thanks for your hard work on Caddy! :pray:

1 Like

I’m going to look into this before tagging 2.2 rc 2.

This might be the same or related issue: https://github.com/caddyserver/caddy/issues/3670

@sandeep Hey, thanks for providing your full, unredacted config. I’m pretty sure the issue 3670 I linked to above is the same one, but I was unable to obtain the necessary information from those reports, unfortunately, since they went out of their way to redact configs, which made my troubleshooting difficult. :frowning_face:

Anyway, I think what is happening is that if you look at the adapted JSON resulting from your Caddyfile, there is no TLS connection policy for ServerNames that aren’t *.hashnode.dev, so they all get refused. This is a regression, since before we used to add a “catch-all” policy after it that would get chosen for all other names, from the site block where you’ve enabled on-demand TLS.

Can you please build from source with at least this commit: https://github.com/caddyserver/caddy/commit/4217217badf220d7d2c25f43f955fdc8454f2c64 - or download the build artifacts from CI, and verify that it works for you?

1 Like
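The diagnosis above (a named SNI policy with no catch-all behind it, so every other ServerName is refused) can be checked directly against the output of `caddy adapt --config /etc/caddy/Caddyfile --pretty`. The script below is an added example and not Caddy's own code or anything from this thread: it embeds a constructed JSON document modelled on the adapted config (the key layout `apps.http.servers.<name>.tls_connection_policies`, `match.sni`, `certificate_selection.any_tag` and `tls.certificates.load_files` is assumed from Caddy v2's JSON config), lists servers whose policy list has no catch-all entry, and simulates which policy a given ClientHello ServerName would select, treating a result of "none" as the `no server TLS configuration available for ClientHello` case seen in the logs. Wildcard matching is a single-label approximation of Caddy's rules and only the `sni` matcher is modelled.

```python
import json

# Constructed sample modelled on what `caddy adapt` produces for the Caddyfile
# in this thread; key names are assumed from Caddy v2's JSON config layout.
ADAPTED_CONFIG = json.dumps({
    "apps": {
        "http": {
            "servers": {
                "srv0": {
                    "listen": [":443"],
                    "tls_connection_policies": [
                        {
                            "match": {"sni": ["*.hashnode.dev"]},
                            "certificate_selection": {"any_tag": ["cert0"]},
                        }
                        # nothing follows: no catch-all policy for other names
                    ],
                }
            }
        },
        "tls": {
            "certificates": {
                "load_files": [{
                    "certificate": "/home/sandeep/ssl/fullchain.pem",
                    "key": "/home/sandeep/ssl/privkey.pem",
                    "tags": ["cert0"],
                }]
            },
            "automation": {
                "policies": [{"on_demand": True}],
                "on_demand": {"ask": "https://hashnode.com/utility/ajax/can-generate-ssl"},
            },
        },
    }
})


def sni_matches(pattern, server_name):
    """Single-label wildcard match (assumed approximation of Caddy's rules):
    '*' stands for exactly one DNS label, so *.hashnode.dev does not cover
    hashnode.dev itself or a.b.hashnode.dev."""
    pat = pattern.lower().rstrip(".").split(".")
    name = server_name.lower().rstrip(".").split(".")
    return len(pat) == len(name) and all(p == "*" or p == n for p, n in zip(pat, name))


def is_catchall(policy):
    """A policy with no matcher at all applies to every ClientHello."""
    return not policy.get("match")


def select_policy(policies, server_name):
    """Index of the first policy that applies to server_name, or -1 if none.
    Only the 'sni' matcher is modelled; policies using other matchers are
    treated as non-matching, which is the conservative choice for this check."""
    for i, pol in enumerate(policies):
        if is_catchall(pol):
            return i
        match = pol["match"]
        if set(match) == {"sni"} and any(sni_matches(p, server_name) for p in match["sni"]):
            return i
    return -1  # no policy: handshake would fail with "no server TLS configuration"


def policies_of(config_json, server):
    """Explicit connection policies of one HTTP server in the adapted config."""
    cfg = json.loads(config_json)
    return cfg["apps"]["http"]["servers"][server].get("tls_connection_policies", [])


def servers_without_catchall(config_json):
    """Names of servers whose explicit policy list contains no catch-all entry."""
    cfg = json.loads(config_json)
    return [
        name for name, srv in cfg["apps"]["http"]["servers"].items()
        if srv.get("tls_connection_policies")
        and not any(is_catchall(p) for p in srv["tls_connection_policies"])
    ]


def with_catchall(policies):
    """Copy of the policy list with an empty catch-all appended, the shape the
    older Caddyfile adapter emitted after the named policy according to the thread."""
    if any(is_catchall(p) for p in policies):
        return list(policies)
    return list(policies) + [{}]


if __name__ == "__main__":
    print("servers lacking a catch-all policy:", servers_without_catchall(ADAPTED_CONFIG))
    pols = policies_of(ADAPTED_CONFIG, "srv0")
    for host in ("blog.hashnode.dev", "sandeep.dev"):
        print(f"{host}: policy {select_policy(pols, host)} -> "
              f"{select_policy(with_catchall(pols), host)} after appending catch-all")
```

To run it against a real deployment, replace `ADAPTED_CONFIG` with the text of `caddy adapt --config /etc/caddy/Caddyfile` (or `curl localhost:2019/config/`) and feed the customer domain that fails the handshake to `select_policy`; a `-1` for a name that should be served on demand reproduces the refusal in the logs, and the list from `servers_without_catchall` tells you which server block lost its catch-all.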

You can grab the CI artifacts from here: https://github.com/caddyserver/caddy/actions/runs/250371997

1 Like