A tlsv1 alert? Caddy doesn’t support TLS 1.0 by default; you’ll have to enable that with the tls directive. But I don’t recommend it; instead, use TLS 1.2 to make the connection.
@matt I did some further testing and noticed that I could isolate the error from the monitoring server inside the Caddy log. This allowed me to reproduce the error with the openssl command. The error looks like this:
Mar 12 11:30:05 30 server caddy.linux.amd64[26748]: 2018/03/12 11:30:05 http: TLS handshake error from 84.46.xx.xxx:50265: hostname '' does not qualify for certificate
Mar 12 11:30:10 30 server caddy.linux.amd64[26748]: 2018/03/12 11:30:10 http: TLS handshake error from 84.46.xx.xxx:50292: hostname '' does not qualify for certificate
Now the weird thing is, I am able to reproduce this error with TLS 1.2. Here is the full error that I receive during my test
That message, given to you when you’re using s_client, means that Caddy isn’t getting SNI information; in other words, your client isn’t using SNI when making the connection, and Caddy can’t get a certificate for an empty hostname.
Thanks for the help, @matt. I don’t see anything wrong in our Caddyfile. It’s a fairly long file; I could send it in a PM if it would help.
The weird thing is that we just recently started receiving this error when we upgraded to 0.10.11. Everything had been working fine for the past year. The only change we have made is to add more sites using the same format to our Caddyfile.
The good thing is that I don’t see any regular users throwing this error. I am a backend developer with some ops experience; I have never worked much with networking and SSL. I know very little about SNI, so I will need to read up on it to understand the problem better.
We changed how empty SNI is handled in 0.10.11 (an improvement, in fact) – and regular users with browsers won’t see the errors; but your client will need to use SNI. Most do, and with s_client I think there’s a way to specify it.
I have a hunch, but unless I see the full and finished Caddyfile I can’t be sure. I can’t offer support privately for free, so you’ll have to post it here in the thread or try https://github.com/mholt/caddy/pull/2037 and see if that fixes it.