ERR_SSL_PROTOCOL_ERROR — both with TLS and TLS off, curl gives mixed results

Maxiride · January 13, 2020, 8:25pm

1. My Caddy version (`caddy -version`):

Caddy v1.0.4

2. How I run Caddy:

I use the hook.service plugin

a. System environment:

The domain is hosted by Google Domains.

The machine:

cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"

b. Command:

caddy -validate                                                                                            
Activating privacy features... done.

Serving HTTPS on port 443
https://federicod.dev


Serving HTTP on port 80
http://federicod.dev

WARNING: File descriptor limit 1024 is too low for production servers. At least 8192 is recommended. Fix with `ulimit -n 8192`.

c. Service/unit/compose file:

none

d. My complete Caddyfile:

⋊> ~/caddy cat Caddyfile                                                                                                    21:14:47
#veronamusical.federicod.dev {
#       proxy / 192.168.1.6:8000 {
#               transparent
#       }
#       log veronamusical-seafile.log {
#               rotate_size 10
#               rotate_age  14
#               rotate_keep 20
#               rotate_compress
#       }
#}

federicod.dev {
        root /root/caddy/test
}

3. The problem I’m having:

I expect to be served the index.html under the root provided. Instead, I receive an ERR_SSL_PROTOCOL_ERROR.

4. Error messages and/or full log output:

curl -IL http://federicod.dev
HTTP/1.1 301 Moved Permanently
Connection: close
Content-Type: text/html; charset=utf-8
Location: https://federicod.dev/
Server: Caddy
Date: Mon, 13 Jan 2020 20:21:24 GMT

curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

5. What I already tried:

I’ve tried to change the Caddyfile to serve the domain on port 80 and disabling tls, in the browser I get the same error, however, with curl I get:

curl -IL http://federicod.dev
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 11
Content-Type: text/html; charset=utf-8
Etag: "q422pkb"
Last-Modified: Mon, 13 Jan 2020 17:17:44 GMT
Server: Caddy
Date: Mon, 13 Jan 2020 20:18:18 GMT

6. Links to relevant resources:

With Firefox the error shown instead is: SSL_ERROR_RX_RECORD_TOO_LONG

Whitestrake · January 14, 2020, 3:58am

I can’t access the site at all right now, connection refused on both ports.

Was there some kind of proxy in front of your server at all, maybe?

Is port forwarding in play here? Do you have both 80 and 443 forwarded to the same machine?

Maxiride · January 14, 2020, 7:17am

In between each try I didn’t left caddy running so it’s ok that you had a connection refused.

There is port forwarding enabled 80-80 443-443 and there aren’t proxies. Both ports are forwarded to a proxmox host.

One last try I did was to swap out the domain name with the public IP and TLS off and the test page was served correctly.

publicip:80 {
    root ...
    tls off
}

EDIT
I did leave the caddy service running in case you needed to further inspect the issue by querying the domain.

I also doubted my DNS configuration over Google Domains (@ A 1H 93.49.98.183) and tried a free subdomain at duckdns but I get the same issue so I suspect troubles are in my host\caddy. now the Caddyfile is:

root@caddy:~# cat caddy/Caddyfile
    federicod.dev {
        root /var/www/test
}

*:80 {
        root /var/www/test
        tls off
}

federicod.duckdns.org {
        root /var/www/test
}

EDIT 2
Upon further investigating I discovered the command line command openssl s_client -connect federicod.dev:443 and got:

root@caddy:~/caddy# openssl s_client -connect federicod.dev:443
CONNECTED(00000006)
139799956910528:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 293 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Resumption PSK:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1579024459
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---

EDIT 3
I’ve also tried to obtain myself the SSL certificates following the instructions here and edited the Caddyfile accordingly with no success.

federicod.dev:80, federicod.dev:443 {
        root /var/www/test
        tls /etc/letsencrypt/live/federicod.dev/fullchain.pem /etc/letsencrypt/live/federicod.dev/privkey.pem


}

Whitestrake · January 14, 2020, 11:11pm

Is Caddy running directly on the Proxmox host or in a guest VM / container?

The more I think about it, the more I reckon 443 is being intercepted and sent somewhere other than Caddy. I note that you have not once yet in this thread had success over port 443 regardless of what certificates or Caddy configuration you use.

Maxiride · January 15, 2020, 2:55pm

My modem\router is just crap. Turns out port forwarding sometimes doesn’t work correctly, after further investigating the issue as you suggested it was a networking issue. Tried with other hardware and everything worked like plug-n-play.

system · April 14, 2020, 2:55pm

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.