1. The problem I’m having:
I’m trying to serve two different reverse proxies for two different subdomains (on the same domain) with the same external (self-managed) wildcard certificate. With only one reverse proxy (example config at the bottom) it works perfectly, but with two it works poorly: WebSocket connections don’t work at all, and normal HTTP requests only work sometimes. Looking at the debug logs, it seems like Caddy cannot find the correct certificate.
2. Error messages and/or full log output:
{"level":"debug","ts":1682509170.0010908,"logger":"events","msg":"event","name":"tls_get_certificate","id":"0d66da0e-dbbe-4be4-9036-d1abcbe9bb2d","origin":"tls","data":{"client_hello":{"CipherSuites":[35466,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"node.example.com","SupportedCurves":[51914,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[35466,772,771],"Conn":{}}}}
{"level":"debug","ts":1682509170.0011282,"logger":"tls.handshake","msg":"no matching certificate; will choose from all certificates","identifier":"node.example.com"}
{"level":"debug","ts":1682509170.001132,"logger":"tls.handshake","msg":"choosing certificate","identifier":"node.example.com","num_choices":1}
{"level":"debug","ts":1682509170.001138,"logger":"tls.handshake","msg":"custom certificate selection results","error":"no certificates matched custom selection policy","identifier":"node.example.com","subjects":[],"managed":false,"issuer_key":"","hash":""}
{"level":"debug","ts":1682509170.0011451,"logger":"tls.handshake","msg":"choosing certificate","identifier":"*.example.com","num_choices":1}
{"level":"debug","ts":1682509170.0011468,"logger":"tls.handshake","msg":"custom certificate selection results","error":"no certificates matched custom selection policy","identifier":"*.example.com","subjects":[],"managed":false,"issuer_key":"","hash":""}
{"level":"debug","ts":1682509170.0011497,"logger":"tls.handshake","msg":"no matching certificate; will choose from all certificates","identifier":"*.*.com"}
{"level":"debug","ts":1682509170.0011513,"logger":"tls.handshake","msg":"choosing certificate","identifier":"*.*.com","num_choices":1}
{"level":"debug","ts":1682509170.001153,"logger":"tls.handshake","msg":"custom certificate selection results","error":"no certificates matched custom selection policy","identifier":"*.*.com","subjects":[],"managed":false,"issuer_key":"","hash":""}
{"level":"debug","ts":1682509170.0011554,"logger":"tls.handshake","msg":"no matching certificate; will choose from all certificates","identifier":"*.*.*"}
{"level":"debug","ts":1682509170.0011616,"logger":"tls.handshake","msg":"choosing certificate","identifier":"*.*.*","num_choices":1}
{"level":"debug","ts":1682509170.0011637,"logger":"tls.handshake","msg":"custom certificate selection results","error":"no certificates matched custom selection policy","identifier":"*.*.*","subjects":[],"managed":false,"issuer_key":"","hash":""}
{"level":"debug","ts":1682509170.0011668,"logger":"tls.handshake","msg":"all external certificate managers yielded no certificates and no errors","remote_ip":"127.0.0.1","remote_port":"60028","sni":"node.example.com"}
{"level":"debug","ts":1682509170.0011835,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"127.0.0.1","remote_port":"60028","server_name":"node.example.com","remote":"127.0.0.1:60028","identifier":"node.example.com","cipher_suites":[35466,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0.0001,"load_if_necessary":true,"obtain_if_necessary":true,"on_demand":false}
{"level":"debug","ts":1682509170.0012333,"logger":"http.stdlib","msg":"http: TLS handshake error from 127.0.0.1:60028: no certificate available for 'node.example.com'"}
{"level":"debug","ts":1682509170.0481808,"logger":"events","msg":"event","name":"tls_get_certificate","id":"4edd543f-e1e7-49ef-8b7a-65871430c601","origin":"tls","data":{"client_hello":{"CipherSuites":[14906,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"node.example.com","SupportedCurves":[6682,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537,513],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[64250,772,771],"Conn":{}}}}
{"level":"debug","ts":1682509170.0482256,"logger":"tls.handshake","msg":"no matching certificate; will choose from all certificates","identifier":"node.example.com"}
{"level":"debug","ts":1682509170.0482302,"logger":"tls.handshake","msg":"choosing certificate","identifier":"node.example.com","num_choices":1}
{"level":"debug","ts":1682509170.048237,"logger":"tls.handshake","msg":"custom certificate selection results","error":"no certificates matched custom selection policy","identifier":"node.example.com","subjects":[],"managed":false,"issuer_key":"","hash":""}
{"level":"debug","ts":1682509170.048246,"logger":"tls.handshake","msg":"choosing certificate","identifier":"*.example.com","num_choices":1}
{"level":"debug","ts":1682509170.0482502,"logger":"tls.handshake","msg":"custom certificate selection results","error":"no certificates matched custom selection policy","identifier":"*.example.com","subjects":[],"managed":false,"issuer_key":"","hash":""}
{"level":"debug","ts":1682509170.048255,"logger":"tls.handshake","msg":"no matching certificate; will choose from all certificates","identifier":"*.*.com"}
{"level":"debug","ts":1682509170.048258,"logger":"tls.handshake","msg":"choosing certificate","identifier":"*.*.com","num_choices":1}
{"level":"debug","ts":1682509170.0482616,"logger":"tls.handshake","msg":"custom certificate selection results","error":"no certificates matched custom selection policy","identifier":"*.*.com","subjects":[],"managed":false,"issuer_key":"","hash":""}
{"level":"debug","ts":1682509170.0482657,"logger":"tls.handshake","msg":"no matching certificate; will choose from all certificates","identifier":"*.*.*"}
{"level":"debug","ts":1682509170.048269,"logger":"tls.handshake","msg":"choosing certificate","identifier":"*.*.*","num_choices":1}
{"level":"debug","ts":1682509170.0482728,"logger":"tls.handshake","msg":"custom certificate selection results","error":"no certificates matched custom selection policy","identifier":"*.*.*","subjects":[],"managed":false,"issuer_key":"","hash":""}
{"level":"debug","ts":1682509170.0482922,"logger":"tls.handshake","msg":"all external certificate managers yielded no certificates and no errors","remote_ip":"127.0.0.1","remote_port":"60027","sni":"node.example.com"}
{"level":"debug","ts":1682509170.0482962,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"127.0.0.1","remote_port":"60027","server_name":"node.example.com","remote":"127.0.0.1:60027","identifier":"node.example.com","cipher_suites":[14906,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0.0001,"load_if_necessary":true,"obtain_if_necessary":true,"on_demand":false}
{"level":"debug","ts":1682509170.04834,"logger":"http.stdlib","msg":"http: TLS handshake error from 127.0.0.1:60027: no certificate available for 'node.example.com'"}
3. Caddy version:
2.6.3
4. How I installed and ran Caddy:
docker
Caddy config:
{
# Global options.
# `debug` is what produces the debug-level handshake log lines shown above.
debug
# Automatic HTTPS is off, so Caddy does not manage or obtain any certificate
# itself; only the certificate loaded by the `tls` directives below is available.
auto_https off
# Admin API is bound to loopback only.
admin localhost:219
}
# Site block: matched against the hostname the client presents (SNI / Host).
node.example.com {
# `tls <cert_file> <key_file>` -- both arguments point to the same file here.
# NOTE(review): confirm /cert.pem is a combined PEM holding the certificate
# chain AND the private key, and that the certificate's SANs cover
# node.example.com (the log above ends in "no certificate available for
# 'node.example.com'" after trying node.example.com, *.example.com, *.*.com, *.*.*).
tls /cert.pem /cert.pem
# Upstream reached over a Unix domain socket (no TLS on this hop).
reverse_proxy unix//node/caddy.sock
}
# Second site block: same certificate file, different upstream socket.
node2.example.com {
# Same certificate/key file as above -- see the note on the first `tls` line.
tls /cert.pem /cert.pem
reverse_proxy unix//node2/caddy.sock
}
Caddy config with only one reverse proxy:
{
# Global options (no `debug` here, unlike the two-proxy config).
auto_https off
# Admin API is bound to loopback only.
admin localhost:219
}
# Site address is a bare port: presumably this block serves every hostname on
# :443 regardless of SNI, which is the main difference from the per-hostname
# blocks in the two-proxy config above -- worth keeping in mind when comparing
# why this variant works and the other does not.
:443 {
# `tls <cert_file> <key_file>` -- the same file is used for both arguments;
# NOTE(review): confirm /cert.pem contains both the certificate chain and the key.
tls /cert.pem /cert.pem
# Single upstream over a Unix domain socket.
reverse_proxy unix//node/caddy.sock
}