ERR_SSL_PROTOCOL_ERROR This site can’t provide a secure connection

chatofking · September 8, 2022, 3:41am

1. Output of `caddy version`:

v2.5.2 h1:eCJdLyEyAGzuQTa5Mh3gETnYWDClo1LjtQm2q9RNZrs=

2. How I run Caddy:

a. System environment:

pi os lite debian 11 bulleye systemctl cli

b. Command:

sudo systemctl start caddy

c. Service/unit/compose file:

systemctl

d. My complete Caddy config:

srimuang.duckdns.org:443 {
    reverse_proxy myip:2368
}

3. The problem I’m having:

curl -v srimuang.duckdns.org

Trying 49.230.162.50:80…* connect to 49.230.162.50 port 80 failed: Connection timed out
Failed to connect to srimuang.duckdns.org port 80: Connection timed out
Closing connection 0
curl: (28) Failed to connect to srimuang.duckdns.org port 80: Connection timed out

4. Error messages and/or full log output:

$ journalctl -u caddy --no-pager | less +G`

Sep 08 04:28:15 raspberrypi caddy[634]: {"level":"error","ts":1662607695.7665794,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"srimuang.duckdns.org","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"49.230.162.50: Fetching http://srimuang.duckdns.org/.well-known/acme-challenge/5OXgto_YtGlYQp18IMrLdR3BW_iSYQVp8lUegyFxspk: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/67700113/3969562703","attempt":2,"max_attempts":3}
Sep 08 04:28:15 raspberrypi caddy[634]: {"level":"error","ts":1662607695.766781,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"srimuang.duckdns.org","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:connection - 49.230.162.50: Fetching http://srimuang.duckdns.org/.well-known/acme-challenge/5OXgto_YtGlYQp18IMrLdR3BW_iSYQVp8lUegyFxspk: Timeout during connect (likely firewall problem)"}
Sep 08 04:28:38 raspberrypi caddy[634]: {"level":"info","ts":1662607718.4571407,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"srimuang.duckdns.org","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
Sep 08 04:34:00 raspberrypi caddy[634]: {"level":"error","ts":1662608040.02146,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"srimuang.duckdns.org","issuer":"acme.zerossl.com-v2-DV90","error":"[srimuang.duckdns.org] solving challenges: [srimuang.duckdns.org] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/5fkoDc9db4rbi29GZ-JohQ) (ca=https://acme.zerossl.com/v2/DV90)"}
Sep 08 04:34:00 raspberrypi caddy[634]: {"level":"error","ts":1662608040.0216696,"logger":"tls.obtain","msg":"will retry","error":"[srimuang.duckdns.org] Obtain: [srimuang.duckdns.org] solving challenges: [srimuang.duckdns.org] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/5fkoDc9db4rbi29GZ-JohQ) (ca=https://acme.zerossl.com/v2/DV90)","attempt":4,"retrying_in":300,"elapsed":1784.467478511,"max_duration":2592000}

5. What I already tried:

6. Links to relevant resources:

francislavoie · September 8, 2022, 4:39am

Are you running this on your home network? Are you sure you have ports 80 and 443 open on your router and/or firewall? Does your ISP block ports 80 and 443?

It seems like your server isn’t reachable. That’s not a problem with Caddy, you’ll need to figure out your networking.

chatofking · September 8, 2022, 6:43am

yes I have already opened port 80 443 for both firewall & router


Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
80 (v6)                    ALLOW IN    Anywhere (v6)
443 (v6)                   ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)

chatofking · September 17, 2022, 10:01am

i can’t still figure out how my server can’t be reach
here is my compose rn

version: '3.3'
networks:
  caddy:
services:
  portainer:
    image: portainer/portainer-ce:latest
    container_name: portainer
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/blue/containers/portainer/portainer-data:/data
    networks:
      - caddy
    ports:
      - 9000:9000

  caddy:
    image: caddy:latest
    restart: unless-stopped
    container_name: caddy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /home/chatofking/containers/caddy/Caddyfile:/etc/caddy/Caddyfile
      - /home/chatofking/containers/caddy/site:/srv
      - /home/chatofking/containers/caddy/caddy_data:/data
      - /home/chatofking/containers/caddy/caddy_config:/config
    networks:
      - caddy
volumes:
  caddy_data:
    external: true
  caddy_config:

here is my caddy file

{
        email chat_4432@hotmail.com
}

portainerchat.duckdns.org {
  reverse_proxy portainer:9000
}

i think i set up everything correctly

Whitestrake · September 17, 2022, 12:21pm

Is 182.232.226.96 the correct current IP address?

If it is (i.e. DNS is resolving correctly), and you’re sure that your host firewall and your router’s firewall are both open, and it’s still not working, you could investigate the possibility that your ISP has you behind Carrier-Grate NAT (CGNAT) and you may need to call them and have them disable it, or use a VPN or tunnel out to a VPS that you can access.

chatofking · September 17, 2022, 3:31pm

yes it is correctly current IP
I am sure ??
my host

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443 (v6)                   ALLOW IN    Anywhere (v6)

my router firewall

IPv4 SPI Firewall:
opened
Service Filtering:
HTTP 80-80 & HTTPS 443-443 
Protocol: TCP/UDP
point to single IP

same as the Nat Forwarding.

emilylange · September 17, 2022, 8:27pm

I want to double down on what @Whitestrake wrote earlier:

Your ISP might have their own firewall in front of you, which blocks port :80 and :443 before those packages even reaches your router firewall.

Your ISP might also be using something called “Carrier-grade NAT” for your connection, which essentially means the IPv4 you see and configured duckdns to use isn’t actually your IPv4, but instead shared among others via NAT.
You won’t be able to use any port forwarding then.

I’d recommend asking your ISP about that.

You could also try opening a different (high) port number and test if it’s open externally via a different IP server not on your network or certain online port scanner like Port Checker - Check Open Ports Online

You will need to have either :80 or :443 open to have Caddy issue a valid ACME certificate via http or tls challenge for you automatically as of Automatic HTTPS — Caddy Documentation

If you manage to open, for example, port :8080 externally, then you could use the DNS challenge and would have to append :8080 whenever you enter your domain into a webbrowser.
This is nothing caddy can change and would be the same with e.g. nginx and apache.

There are certain workarounds via Cloudflare tunnels or having a totally different server proxying your requests to your private home IP. But those are very much out of scope of this thread here, unfortunately

balloon · September 19, 2022, 2:53am

I recently solved using Tailscale to be able to see the Raspberry Pi inside.It’s an alternative to NAT. However, for that purpose, an external server that configures a proxy such as a web service or VPS is required.
As more ISPs in Japan adopt IPoE instead of PPPoE, The router at my work can no longer be configured for NAT.

chatofking · September 19, 2022, 4:12am

after I contact ISP I can access the site but my URL is like http://ww17.portainerchat.duckddns.org/
and not show my instance it shows duckdns Related Searches: instead
what should I do ??

emilylange · September 19, 2022, 3:31pm

I think you have a little typo:
duckddns.org vs the actual duckdns.org (note the additional/missing d)

But I am unable to reach port :80 and :443 on portainerchat.duckdns.org nonetheless

chatofking · September 21, 2022, 8:43am

did you know how to fix this ??

francislavoie · September 21, 2022, 9:36am

What have you tried? We already told you what we see as the problem. If you don’t elaborate, we can’t help any further.

system · October 8, 2022, 3:42am

This topic was automatically closed after 30 days. New replies are no longer allowed.