ERR_SSL_PROTOCOL_ERROR - No self signed cert proposed

1. The problem I’m having:

Hi all!
I’m currently building my first docker stack with caddy (we want to replace nginx here :wink: ). But I’m facing a strange issue:
Chrome is giving me a ERR_SSL_PROTOCOL_ERROR without proposing to accept any self signed cert.

2. Error messages and/or full log output:

The main error is that I’m receiving the code ERR_SSL_PROTOCOL_ERROR.

Here are the full logs of the starting server:

container-caddy-1    | {"level":"info","ts":1678457618.401892,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
container-caddy-1    | {"level":"warn","ts":1678457618.4046283,"msg":"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":5}
container-caddy-1    | {"level":"info","ts":1678457618.406586,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//127.0.0.1:2019","//localhost:2019","//[::1]:2019"]}
container-caddy-1    | {"level":"info","ts":1678457618.407156,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
container-caddy-1    | {"level":"info","ts":1678457618.4074059,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
container-caddy-1    | {"level":"info","ts":1678457618.4073477,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x4000206e70"}
container-caddy-1    | {"level":"info","ts":1678457618.4080667,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
container-caddy-1    | {"level":"info","ts":1678457618.4081972,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Receive-Buffer-Size for details."}
container-caddy-1    | {"level":"info","ts":1678457618.408458,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
container-caddy-1    | {"level":"info","ts":1678457618.4085166,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
container-caddy-1    | {"level":"info","ts":1678457618.408758,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
container-caddy-1    | {"level":"info","ts":1678457618.4088247,"msg":"serving initial configuration"}
container-caddy-1    | {"level":"info","ts":1678457618.409076,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
container-caddy-1    | {"level":"info","ts":1678457618.4094574,"logger":"tls","msg":"finished cleaning storage units"}

3. Caddy version:

2.6.4

4. How I installed and ran Caddy:

I ran Caddy through Docker with the file structure shown in a screenshot (omitted here).

a. System environment:

Here is my docker-compose.yml:

version: '3.1'
services:
    redis:
        image: 'redis:alpine'

    mysql:
        image: 'mysql:8.0'
        working_dir: /application
        volumes:
            - '.:/application'
        environment:
            - SOME VARS...
        ports:
            - '6002:3306'

    php-fpm:
        build: phpdocker/php-fpm
        working_dir: /application
        volumes:
            - '.:/application'
            - './phpdocker/php-fpm/php-ini-overrides.ini:/etc/php/8.2/fpm/conf.d/99-overrides.ini'

    phpmyadmin:
        image: phpmyadmin/phpmyadmin
        container_name: phpmyadmin
        ports:
            - "6089:80"
        depends_on:
            - mysql
        environment:
            - SOME VARS...

    caddy:
        image: caddy:2.6.4-alpine
        environment:
            SERVER_NAME: "OBFUSCATE"
        restart: unless-stopped
        ports:
            # HTTP
            - target: 80
              published: 80
              protocol: tcp
            # HTTPS
            - target: 443
              published: 443
              protocol: tcp
            # HTTP/3
            - target: 443
              published: 443
              protocol: udp
        volumes:
            - ./phpdocker/caddy/Caddyfile:/etc/caddy/Caddyfile
            - ./app:/srv
            - caddy_data:/data
            - caddy_config:/config
        depends_on:
            - php-fpm

volumes:
    caddy_data:
    caddy_config:

d. My complete Caddy config:

{
}

:443 {
    root * /srv/public
    encode gzip
    php_fastcgi unix//var/run/php/php-fpm.sock
    file_server
}

I don’t understand why it’s not offering me the option to accept the self-generated cert :frowning:
Could you help me please?

Caddy can only install its cert on the machine it’s running on. If you’re running it in Docker that’s basically like running it in a separate machine. You’ll have to install the cert manually I think, but I don’t use Docker so I’ll let a Docker expert chime in here. :slight_smile:

Typically we recommend running Caddy without Docker. (I literally made Caddy because I didn’t want to deal with the containers mess.)

ahah understood.

To be fair, I took inspiration from this repo (which is present in the official documentation of Symfony) and especially:

and it’s working great there! But I can’t spot the problem/difference on my end… :frowning:


Finally I managed to make it “work” with 2 changes in my Caddyfile:

http://localhost, https://localhost { # <-- put the address I'm accessing directly (found this in a github issue)
	log {
		level DEBUG
	}

	root * ./srv/public/
	encode gzip
	php_fastcgi php-fpm:9000 # <-- directly indicates my docker container
	file_server
}

But now I’m getting a File not found error (screenshot omitted).

Not sure of what to do now. :face_with_monocle:
I correctly see my files on the caddy container at the right place. :face_with_monocle:

Any idea? This could be a rights problem, but where …


You could probably just change that first line to localhost { unless you actually intend to serve your site over plaintext HTTP too.

As for the File not found error, not sure. Make sure the file you’re requesting actually exists in the site root? (And that the site root exists too.)

These aren’t the same. You probably meant to use root * /srv/public in your Caddyfile. You included ./ which means “relative path”. Caddy’s default working directory in the Docker image is /srv already, so that would mean /srv/srv/public I think.

Make sure the site’s files are mounted in the same place in both your Caddy and PHP containers, since Caddy sends the path to the file to execute to the PHP container.

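Francis’s two points (a relative `root` resolves against Caddy’s `/srv` working directory, and the path Caddy hands to PHP-FPM must exist at the same location in the PHP container) can be checked mechanically. The following is an added example, not code from this thread or from the Caddy project: the mount tables and the single host file are constructed from the compose file above, and the `/srv` working directory is taken from the reply.

```python
import posixpath
from typing import Dict, Optional, Set

# Working directory of the official Caddy Docker image, as stated in the reply above.
CADDY_WORKDIR = "/srv"


def resolve_root(root: str, workdir: str = CADDY_WORKDIR) -> str:
    """Absolute site root Caddy uses for `root * <root>`.

    A root not starting with '/' is relative to the process working directory,
    which is how './srv/public/' becomes '/srv/srv/public' inside the container.
    """
    return posixpath.normpath(posixpath.join(workdir, root))


def to_host_path(container_path: str, mounts: Dict[str, str]) -> Optional[str]:
    """Map a container path to the host path behind it via bind mounts.

    `mounts` maps container mount point -> host directory, e.g. {"/srv": "./app"}.
    The longest matching mount point wins; None means no mount covers the path,
    so the file cannot be visible in that container at all.
    """
    best = None
    for target, source in mounts.items():
        target = posixpath.normpath(target)
        if container_path == target or container_path.startswith(target.rstrip("/") + "/"):
            if best is None or len(target) > len(best[0]):
                best = (target, source)
    if best is None:
        return None
    target, source = best
    rel = posixpath.relpath(container_path, target)
    return posixpath.normpath(posixpath.join(source, rel))


def check_script_visible(script_path: str, caddy_mounts: Dict[str, str],
                         php_mounts: Dict[str, str], host_files: Set[str]) -> Dict[str, bool]:
    """Does the SCRIPT_FILENAME Caddy sends to PHP-FPM resolve to the same
    existing host file from both containers' points of view?"""
    files = {posixpath.normpath(p) for p in host_files}
    caddy_host = to_host_path(script_path, caddy_mounts)
    php_host = to_host_path(script_path, php_mounts)
    return {
        "caddy_sees": caddy_host is not None and caddy_host in files,
        "php_sees": php_host is not None and php_host in files,
        "same_file": caddy_host is not None and caddy_host == php_host,
    }


# Constructed from the thread's compose file: only Caddy mounts ./app at /srv,
# PHP-FPM mounts the project at /application; the one host file is constructed too.
CADDY_MOUNTS = {"/srv": "./app", "/etc/caddy/Caddyfile": "./phpdocker/caddy/Caddyfile"}
PHP_MOUNTS_ORIGINAL = {"/application": "."}
PHP_MOUNTS_SHARED = {"/application": ".", "/srv": "./app"}  # the fix: same mount in both
HOST_FILES = {"./app/public/index.php"}
```

Running `check_script_visible("/srv/public/index.php", CADDY_MOUNTS, PHP_MOUNTS_ORIGINAL, HOST_FILES)` shows Caddy finding the file while PHP-FPM cannot, which is the mismatch the thread resolved with a shared volume.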

Hi Francis! (we spoke together for a few minutes in September in France at the @APIPPlatform conf :wink: )

You were totally right! I used a shared mounted volume across my php and my caddy containers, and it worked!

Thanks a lot for your help!!


Ah! Was it you that I spoke to with Daniel after his talk, outside? Sorry if not, I don’t remember!
