Error 404 when external SSL certificate is provided

Hello,

I get a 404 error when I try to use our SSL certificate (COMODO wildcard). Everything is OK with the auto-generated Let’s Encrypt certificate.

sandbox.domain.io, core-sandbox.domain.io {
  #tls root@domain.io
  tls /etc/nginx/ssl/domain-io/2017/STAR_domain_io.crt-bundle /etc/nginx/ssl/domain-io/2017/wildcard-domain-io.key

  header / -Server
  header / Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"

  proxy / 127.0.0.1:9090 {
    transparent
  }

  log / /tmp/caddy-access-core.log "[{when_iso}] {remote} \"{method} {uri} {proto}\" {status} {size} {latency_ms}ms" {
    rotate_size 10
    rotate_age  30
    rotate_keep 5
  }

  errors /tmp/caddy-error-core.log {
    rotate_size 10
    rotate_age  30
    rotate_keep 5
  }
}

Make sure the user you run Caddy as has at least read access to the certificates (all used). To test, I would comment out the proxy, and simply print a dummy page.

Do that, and post back.

Hi,

Same issue with the following configuration file. With Let’s Encrypt, I get the index.html page correctly. But with my own certificate (wildcard issued by COMODO), I get a 404 Not Found error. I have checked access and ownership (all set to caddy:caddy). I’m using the latest version of Caddy (0.10.2).

For testing purposes, StartCom StartSSL provides free SSL certificates.

sandbox.domain.io, core-sandbox.domain.io {
  #tls root@domain.io
  tls /etc/nginx/ssl/domain-io/2017/STAR_domain_io.crt-bundle /etc/nginx/ssl/domain-io/2017/wildcard-domain-io.key

  header / -Server
  header / Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"

  root /opt/caddy/html/

  log / /tmp/caddy-access-core.log "[{when_iso}] {remote} \"{method} {uri} {proto}\" {status} {size} {latency_ms}ms" {
    rotate_size 10
    rotate_age  30
    rotate_keep 5
  }

  errors /tmp/caddy-error-core.log {
    rotate_size 10
    rotate_age  30
    rotate_keep 5
  }
}

Sorry, I forgot to add: does caddy (user and group) have access to the directories as well (nginx, ssl, domain-io)? What about /opt/caddy/html/, does it have access there? Is there an index file there?

As I said, the index.html page from /opt/caddy/html/ is correctly shown in the browser when tls is set with an email address. The issue appears only with a custom certificate / key.

I have re-checked; all access permissions are correct. I’m not sure it was related because, yes, I got a 404 error page, but the SSL URL bar is green in the browser and displays the custom certificate (*.domain.io).

I think you can easily reproduce the issue with a self-signed certificate (not by using the self_signed setting, but by generating one with openssl and specifying the tls cert and key in the Caddyfile).

I see. Well, stumped. Hopefully someone else will chime in.

HTTP errors have nothing to do with your TLS certificate. 404 means that it couldn’t find the page or resource you requested. But it’s also proxying upstream so that’s another layer of complexity. You really should strip out everything you can to make the problem as minimal as possible. There’s too much that could be interfering right now.

What is the result when you use curl instead of a browser?

Hi @matt,

The only notable difference is that the COMODO cert is a wildcard cert. Do you think, @matt, that Caddy doesn’t handle wildcard certificates correctly? Maybe the plugin breaks the chain by returning status = 404 when a wildcard certificate is used?

EDIT: I have tested with a clean install of Caddy (without any plugin). Same issue…

#> curl -vvv https://sandbox.domain.io

With specific SSL certificate / key

* About to connect() to sandbox.domain.io port 443 (#0)
*   Trying 167.xx.xx.xx...
* Connected to sandbox.domain.io (167.xx.xx.xx) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=*.domain.io,OU=EssentialSSL Wildcard,OU=Domain Control Validated
*       start date: Nov 16 00:00:00 2016 GMT
*       expire date: Jan 15 23:59:59 2018 GMT
*       common name: *.domain.io
*       issuer: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: sandbox.domain.io
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Content-Type: text/plain; charset=utf-8
< Server: Caddy
< X-Content-Type-Options: nosniff
< Date: Fri, 12 May 2017 05:53:08 GMT
< Content-Length: 14
<
404 Not Found
* Connection #0 to host sandbox.domain.io left intact

With Let’s Encrypt auto-generated cert

* About to connect() to sandbox.domain.io port 443 (#0)
*   Trying 167.xx.xx.xx...
* Connected to sandbox.domain.io (167.xx.xx.xx) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=sandbox.domain.io
*       start date: May 05 17:19:00 2017 GMT
*       expire date: Aug 03 17:19:00 2017 GMT
*       common name: sandbox.domain.io
*       issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: sandbox.domain.io
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Length: 1046
< Content-Type: text/html; charset=utf-8
< Date: Fri, 12 May 2017 05:55:06 GMT
< Iso-Date: 2017-05-12T05:55:06.752Z
< Set-Cookie: SESS=665c4b6f47276d3a72ddf3aabb9f59318787dd98-csrfToken=99bc32509a0205d120d603ac2217d6fb01a603bc-1494568506729-d1c7b6e4ff3cbe610e2de404; Path=/; Secure; HTTPOnly
< Strict-Transport-Security: max-age=15552000; includeSubDomains; preload
< X-Content-Type-Options: nosniff
< X-Frame-Options: DENY
< X-Served-By: pit-wallet-sandbox
< X-Xss-Protection: 1; mode=block
<
<!DOCTYPE html> <html lang="en" class="uk-height-1-1"> <head> <meta charset="UTF-8"/> <meta http-equiv="X-UA-Compatible" content="chrome=1,IE=edge"/>

Hi @matt,

I found what was going wrong. With tls <email>, the server listens on port :443. But when I provide a custom certificate, it uses port :2015.

I have forced the right port to use to avoid a collision with the fallback block.

Before

sandbox.domain.io, core-sandbox.domain.io {
  #tls root@domain.io
  tls /etc/nginx/ssl/domain-io/2017/STAR_domain_io.crt-bundle /etc/nginx/ssl/domain-io/2017/wildcard-domain-io.key

  header / -Server
  header / Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"

  root /opt/caddy/html/

  log / /tmp/caddy-access-core.log "[{when_iso}] {remote} \"{method} {uri} {proto}\" {status} {size} {latency_ms}ms" {
    rotate_size 10
    rotate_age  30
    rotate_keep 5
  }

  errors /tmp/caddy-error-core.log {
    rotate_size 10
    rotate_age  30
    rotate_keep 5
  }
}

:443 {
  tls root@payintech.com

  root /htdocs/
}

After

sandbox.domain.io:443, core-sandbox.domain.io:443 {
  #tls root@domain.io
  tls /etc/nginx/ssl/domain-io/2017/STAR_domain_io.crt-bundle /etc/nginx/ssl/domain-io/2017/wildcard-domain-io.key

  header / -Server
  header / Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"

  root /opt/caddy/html/

  log / /tmp/caddy-access-core.log "[{when_iso}] {remote} \"{method} {uri} {proto}\" {status} {size} {latency_ms}ms" {
    rotate_size 10
    rotate_age  30
    rotate_keep 5
  }

  errors /tmp/caddy-error-core.log {
    rotate_size 10
    rotate_age  30
    rotate_keep 5
  }
}

:443 {
  tls root@payintech.com

  root /htdocs/
}

Ah yes, excellent. I was about to mention that specifying your own certificates turns off automatic TLS. I hadn’t noticed the :443 host in your Caddyfile at the bottom.
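A lint for the port collision that produced this thread's 404, added here as an example (it is not Caddy's code and not from any poster): it parses a Caddyfile, flags site labels that use a manual `tls <cert> <key>` without an explicit port while a port-only catch-all block such as `:443` exists, and rewrites them to the `host:443` form of the "After" config. The sample Caddyfile is constructed from the "Before" config above with shortened paths and a placeholder email.

```python
import re

# Constructed sample modelled on the "Before" Caddyfile in this thread (paths and
# email shortened; the log/errors sub-blocks are left out, they change nothing here).
BEFORE = """\
sandbox.domain.io, core-sandbox.domain.io {
  #tls root@domain.io
  tls /etc/ssl/STAR_domain_io.crt-bundle /etc/ssl/wildcard-domain-io.key
  root /opt/caddy/html/
}

:443 {
  tls root@example.com
  root /htdocs/
}
"""

# A site block is "labels {" ... "}" with the closing brace in column 0, so the
# indented closing braces of nested log/errors blocks do not end a site.
BLOCK_RE = re.compile(r'^([^\s{#][^{\n]*)\{(.*?)^\}', re.S | re.M)

def parse_sites(caddyfile):
    """Return [(labels, tls_args)] for every top-level site block."""
    sites = []
    for m in BLOCK_RE.finditer(caddyfile):
        labels = [l.strip() for l in m.group(1).split(',') if l.strip()]
        tls = re.search(r'^\s*tls\s+(.+?)\s*$', m.group(2), re.M)  # skips '#tls'
        sites.append((labels, tls.group(1).split() if tls else []))
    return sites

def has_explicit_port(label):
    """'host:443', ':443' and 'https://host' pin the port; bare 'host' does not."""
    return bool(re.search(r':\d+$', label)) or '://' in label

def find_port_collisions(caddyfile):
    """Labels using a manual certificate (tls <cert> <key>) without a port while a
    port-only catch-all such as ':443' exists: the situation that produced the 404
    in this thread (Caddy 0.10.2), where the catch-all answered with its own root."""
    sites = parse_sites(caddyfile)
    catch_alls = sorted(l for labels, _ in sites for l in labels if re.fullmatch(r':\d+', l))
    return [(label, catch_alls) for labels, tls in sites if len(tls) == 2  # cert + key
            for label in labels if catch_alls and not has_explicit_port(label)]

def pin_port(caddyfile, port='443'):
    """Append :<port> to every flagged label, producing the thread's 'After' form."""
    flagged = {label for label, _ in find_port_collisions(caddyfile)}
    def fix(m):
        labels = [l.strip() for l in m.group(1).split(',')]
        return ', '.join(f'{l}:{port}' if l in flagged else l for l in labels) + ' {' + m.group(2) + '}'
    return BLOCK_RE.sub(fix, caddyfile)
```

Run `find_port_collisions` on the live Caddyfile after any `tls` change; an empty result means every manually-certified site pins its port and cannot fall through to the catch-all.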
