Different reverse proxies for different subdomains but same cert

Sheepa · April 26, 2023, 11:49am

1. The problem I’m having:

I’m trying to serve two different reverse proxies for two different subdomains (on same domain) with the same external (self-managed) wildcard certificate. With only one reverse proxy (example config at bottom) it works perfectly but with two it works poorly. Websocket connections doesn’t work at all and normal http requests works sometimes. Looking at the debug logs it seems like it cannot find the correct certificate.

2. Error messages and/or full log output:

{"level":"debug","ts":1682509170.0010908,"logger":"events","msg":"event","name":"tls_get_certificate","id":"0d66da0e-dbbe-4be4-9036-d1abcbe9bb2d","origin":"tls","data":{"client_hello":{"CipherSuites":[35466,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"node.example.com","SupportedCurves":[51914,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[35466,772,771],"Conn":{}}}}
{"level":"debug","ts":1682509170.0011282,"logger":"tls.handshake","msg":"no matching certificate; will choose from all certificates","identifier":"node.example.com"}
{"level":"debug","ts":1682509170.001132,"logger":"tls.handshake","msg":"choosing certificate","identifier":"node.example.com","num_choices":1}
{"level":"debug","ts":1682509170.001138,"logger":"tls.handshake","msg":"custom certificate selection results","error":"no certificates matched custom selection policy","identifier":"node.example.com","subjects":[],"managed":false,"issuer_key":"","hash":""}
{"level":"debug","ts":1682509170.0011451,"logger":"tls.handshake","msg":"choosing certificate","identifier":"*.example.com","num_choices":1}
{"level":"debug","ts":1682509170.0011468,"logger":"tls.handshake","msg":"custom certificate selection results","error":"no certificates matched custom selection policy","identifier":"*.example.com","subjects":[],"managed":false,"issuer_key":"","hash":""}
{"level":"debug","ts":1682509170.0011497,"logger":"tls.handshake","msg":"no matching certificate; will choose from all certificates","identifier":"*.*.com"}
{"level":"debug","ts":1682509170.0011513,"logger":"tls.handshake","msg":"choosing certificate","identifier":"*.*.com","num_choices":1}
{"level":"debug","ts":1682509170.001153,"logger":"tls.handshake","msg":"custom certificate selection results","error":"no certificates matched custom selection policy","identifier":"*.*.com","subjects":[],"managed":false,"issuer_key":"","hash":""}
{"level":"debug","ts":1682509170.0011554,"logger":"tls.handshake","msg":"no matching certificate; will choose from all certificates","identifier":"*.*.*"}
{"level":"debug","ts":1682509170.0011616,"logger":"tls.handshake","msg":"choosing certificate","identifier":"*.*.*","num_choices":1}
{"level":"debug","ts":1682509170.0011637,"logger":"tls.handshake","msg":"custom certificate selection results","error":"no certificates matched custom selection policy","identifier":"*.*.*","subjects":[],"managed":false,"issuer_key":"","hash":""}
{"level":"debug","ts":1682509170.0011668,"logger":"tls.handshake","msg":"all external certificate managers yielded no certificates and no errors","remote_ip":"127.0.0.1","remote_port":"60028","sni":"node.example.com"}
{"level":"debug","ts":1682509170.0011835,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"127.0.0.1","remote_port":"60028","server_name":"node.example.com","remote":"127.0.0.1:60028","identifier":"node.example.com","cipher_suites":[35466,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0.0001,"load_if_necessary":true,"obtain_if_necessary":true,"on_demand":false}
{"level":"debug","ts":1682509170.0012333,"logger":"http.stdlib","msg":"http: TLS handshake error from 127.0.0.1:60028: no certificate available for 'node.example.com'"}
{"level":"debug","ts":1682509170.0481808,"logger":"events","msg":"event","name":"tls_get_certificate","id":"4edd543f-e1e7-49ef-8b7a-65871430c601","origin":"tls","data":{"client_hello":{"CipherSuites":[14906,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"node.example.com","SupportedCurves":[6682,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537,513],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[64250,772,771],"Conn":{}}}}
{"level":"debug","ts":1682509170.0482256,"logger":"tls.handshake","msg":"no matching certificate; will choose from all certificates","identifier":"node.example.com"}
{"level":"debug","ts":1682509170.0482302,"logger":"tls.handshake","msg":"choosing certificate","identifier":"node.example.com","num_choices":1}
{"level":"debug","ts":1682509170.048237,"logger":"tls.handshake","msg":"custom certificate selection results","error":"no certificates matched custom selection policy","identifier":"node.example.com","subjects":[],"managed":false,"issuer_key":"","hash":""}
{"level":"debug","ts":1682509170.048246,"logger":"tls.handshake","msg":"choosing certificate","identifier":"*.example.com","num_choices":1}
{"level":"debug","ts":1682509170.0482502,"logger":"tls.handshake","msg":"custom certificate selection results","error":"no certificates matched custom selection policy","identifier":"*.example.com","subjects":[],"managed":false,"issuer_key":"","hash":""}
{"level":"debug","ts":1682509170.048255,"logger":"tls.handshake","msg":"no matching certificate; will choose from all certificates","identifier":"*.*.com"}
{"level":"debug","ts":1682509170.048258,"logger":"tls.handshake","msg":"choosing certificate","identifier":"*.*.com","num_choices":1}
{"level":"debug","ts":1682509170.0482616,"logger":"tls.handshake","msg":"custom certificate selection results","error":"no certificates matched custom selection policy","identifier":"*.*.com","subjects":[],"managed":false,"issuer_key":"","hash":""}
{"level":"debug","ts":1682509170.0482657,"logger":"tls.handshake","msg":"no matching certificate; will choose from all certificates","identifier":"*.*.*"}
{"level":"debug","ts":1682509170.048269,"logger":"tls.handshake","msg":"choosing certificate","identifier":"*.*.*","num_choices":1}
{"level":"debug","ts":1682509170.0482728,"logger":"tls.handshake","msg":"custom certificate selection results","error":"no certificates matched custom selection policy","identifier":"*.*.*","subjects":[],"managed":false,"issuer_key":"","hash":""}
{"level":"debug","ts":1682509170.0482922,"logger":"tls.handshake","msg":"all external certificate managers yielded no certificates and no errors","remote_ip":"127.0.0.1","remote_port":"60027","sni":"node.example.com"}
{"level":"debug","ts":1682509170.0482962,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"127.0.0.1","remote_port":"60027","server_name":"node.example.com","remote":"127.0.0.1:60027","identifier":"node.example.com","cipher_suites":[14906,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0.0001,"load_if_necessary":true,"obtain_if_necessary":true,"on_demand":false}
{"level":"debug","ts":1682509170.04834,"logger":"http.stdlib","msg":"http: TLS handshake error from 127.0.0.1:60027: no certificate available for 'node.example.com'"}

3. Caddy version:

2.6.3

4. How I installed and ran Caddy:

docker

Caddy config:

{
	debug
	auto_https off
	admin localhost:219
}

node.example.com {
	tls /cert.pem /cert.pem
	reverse_proxy unix//node/caddy.sock
}

node2.example.com {
	tls /cert.pem /cert.pem
	reverse_proxy unix//node2/caddy.sock
}

Caddy config with only one reverse proxy:

{
	auto_https off
	admin localhost:219
}

:443 {
	tls /cert.pem /cert.pem
	reverse_proxy unix//node/caddy.sock
}

francislavoie · April 26, 2023, 12:17pm

What SANs do you have in your certificate? It must contain names for each of the domains you want to serve, or have a wildcard name which covers them all. If it’s a wildcard, then you should use a config pattern like this Common Caddyfile Patterns — Caddy Documentation

Sheepa · April 26, 2023, 12:29pm

It’s a wildcard and that’s exactly what I needed. Thanks a lot!

system · May 26, 2023, 12:29pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.