### 1. The problem I'm having:
I have a rather simple Caddy setup that takes care of the TLS handshake and then passes on to an upstream server. It uses HTTPS. I renewed the certs on the upstream server, and they are all valid and up to date. But now my Caddy setup errors on verifying the certificate.
### 2. Error messages and/or full log output:
From the Caddy service status output, which shows the error:
```
Jun 17 15:50:55 Dig-Ocean04-Caddy caddy[3028975]: {"level":"debug","ts":1718639455.2892745,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"si>
Jun 17 15:50:55 Dig-Ocean04-Caddy caddy[3028975]: {"level":"error","ts":1718639455.2898178,"logger":"http.log.error","msg":"tls: failed to verify certificate: x509: certif>
Jun 17 15:50:59 Dig-Ocean04-Caddy caddy[3028975]: {"level":"debug","ts":1718639459.174295,"logger":"events","msg":"event","name":"tls_get_certificate","id":"f86656db-95fd->
Jun 17 15:50:59 Dig-Ocean04-Caddy caddy[3028975]: {"level":"debug","ts":1718639459.1752944,"logger":"tls.handshake","msg":"choosing certificate","identifier":"www.surethin>
Jun 17 15:50:59 Dig-Ocean04-Caddy caddy[3028975]: {"level":"debug","ts":1718639459.1755283,"logger":"tls.handshake","msg":"default certificate selection results","identifi>
Jun 17 15:50:59 Dig-Ocean04-Caddy caddy[3028975]: {"level":"debug","ts":1718639459.1756985,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"205.1>
Jun 17 15:51:00 Dig-Ocean04-Caddy caddy[3028975]: {"level":"debug","ts":1718639460.214579,"logger":"events","msg":"event","name":"tls_get_certificate","id":"0099d9a3-8f98->
Jun 17 15:51:00 Dig-Ocean04-Caddy caddy[3028975]: {"level":"debug","ts":1718639460.2154574,"logger":"tls.handshake","msg":"choosing certificate","identifier":"www.surethin>
Jun 17 15:51:00 Dig-Ocean04-Caddy caddy[3028975]: {"level":"debug","ts":1718639460.2156327,"logger":"tls.handshake","msg":"default certificate selection results","identifi>
Jun 17 15:51:00 Dig-Ocean04-Caddy caddy[3028975]: {"level":"debug","ts":1718639460.2157674,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"23.10>
```
From `curl -vL "https://surething.com"`:
```
* Trying 159.223.195.50:443...
* Connected to surething.com (159.223.195.50) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256
* ALPN: server accepted h2
* Server certificate:
* subject: CN=surething.com
* start date: May 19 13:10:51 2024 GMT
* expire date: Aug 17 13:10:50 2024 GMT
* subjectAltName: host "surething.com" matched cert's "surething.com"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://surething.com/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: surething.com]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.4.0]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: surething.com
> User-Agent: curl/8.4.0
> Accept: */*
>
< HTTP/2 502
< alt-svc: h3=":443"; ma=2592000
< server: Caddy
< content-length: 0
< date: Mon, 17 Jun 2024 15:58:41 GMT
<
* Connection #0 to host surething.com left intact
```
### 3. Caddy version:
- v2.7.5 h1:HoysvZkLcN2xJExEepaFHK92Qgs7xAiCFydN5x5Hs6Q=
### 4. How I installed and ran Caddy:
- I installed Caddy on our Ubuntu server using the instructions for Debian, Ubuntu, Raspbian found on your site. Everything went quite smoothly and Caddy seems to be running as a service.
### a. System environment:
- 1 GB Memory / 25 GB Disk / SFO3 - Ubuntu 23.10 x64. Very plain Ubuntu server with nothing else installed. systemd yes, docker no.
### b. Command:
Not currently using any commands, running Caddy as a service. Using a Caddyfile for config.
### c. Service/unit/compose file:
- Using systemd but nothing else
### d. My complete Caddy config:
```
{
	debug
}

https://surething.com, https://www.surething.com {
	reverse_proxy https://sites.surething.com {
		header_up Host {upstream_hostport}
	}
}

https://esd.surething.com {
	reverse_proxy https://dl.surething.com {
		header_up Host {upstream_hostport}
	}
}

https://downloads.surething.com, https://downloads2.surething.com {
	reverse_proxy https://downloadz.surething.com {
		header_up Host {upstream_hostport}
	}
}
```
### 5. Links to relevant resources:
Do I need to clear any caches? Regenerate certs on Caddy? Why the failure? I've renewed certs successfully on the upstream server before.
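The truncated error line in the log (`tls: failed to verify certificate: x509: certif...`) is produced by Go's crypto/x509 verifier, which is what Caddy's reverse_proxy uses when the upstream is `https://`; the text after `x509:` names the cause, and the status output cut it off. As an added, self-contained example (not part of this post and not Caddy's own code), the Go program below builds a constructed root, intermediate and leaf chain, with the placeholder names `sites.example.test` and `dl.example.test` standing in for the real upstreams, and runs the same `Verify` call a Go TLS client performs against four chains as an upstream might present them: the full chain, the leaf alone (what a server sends when it is configured with only the leaf certificate rather than the full chain after a renewal), the full chain once the leaf's 90-day lifetime has passed, and the full chain under a non-matching name. Each case yields a distinct error type, so the classification shows which `x509:` reason maps to which operator mistake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Fixed reference clock so the "expired" scenario is deterministic (a constructed date, not a real one).
var refNow = time.Date(2024, time.June, 17, 15, 50, 0, 0, time.UTC)

// newCert signs tmpl with parent/parentKey; a nil parent yields a self-signed certificate.
// Setup failures panic: this is test fixture construction, not production code.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// caTemplate returns a CA template valid for ten years from refNow.
func caTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: refNow.Add(-time.Hour), NotAfter: refNow.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// VerifyPresentedChain performs the check a Go TLS client (and so Caddy's reverse_proxy, which is Go code)
// runs after the handshake: presented[0] is the leaf, presented[1:] are the intermediates the upstream sent.
// Only those intermediates and the trusted roots are available; nothing is fetched over the network.
func VerifyPresentedChain(presented []*x509.Certificate, roots *x509.CertPool, serverName string, now time.Time) error {
	if len(presented) == 0 {
		return errors.New("upstream presented no certificate")
	}
	inter := x509.NewCertPool()
	for _, c := range presented[1:] {
		inter.AddCert(c)
	}
	_, err := presented[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: serverName, CurrentTime: now})
	return err
}

// Classify maps a verification error to the short label a runbook would key on.
func Classify(err error) string {
	var ua x509.UnknownAuthorityError
	var ci x509.CertificateInvalidError
	var hn x509.HostnameError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &ua):
		return "unknown_authority" // leaf does not chain to a trusted root with what was presented (e.g. intermediate missing)
	case errors.As(err, &ci) && ci.Reason == x509.Expired:
		return "expired"
	case errors.As(err, &hn):
		return "hostname_mismatch"
	}
	return "other"
}

// RunScenarios builds a constructed root -> intermediate -> leaf chain and verifies it four ways.
func RunScenarios() map[string]string {
	root, rootKey := newCert(caTemplate(1, "Constructed Test Root"), nil, nil)
	inter, interKey := newCert(caTemplate(2, "Constructed Test Intermediate"), root, rootKey)
	leaf, _ := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "sites.example.test"},
		DNSNames:     []string{"sites.example.test"}, // hypothetical upstream name
		NotBefore:    refNow.Add(-time.Hour),
		NotAfter:     refNow.Add(90 * 24 * time.Hour), // 90-day lifetime, as Let's Encrypt issues
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, interKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	full := []*x509.Certificate{leaf, inter}
	name := "sites.example.test"
	return map[string]string{
		"fullchain":           Classify(VerifyPresentedChain(full, roots, name, refNow)),
		"leaf_only":           Classify(VerifyPresentedChain([]*x509.Certificate{leaf}, roots, name, refNow)),
		"fullchain_expired":   Classify(VerifyPresentedChain(full, roots, name, refNow.Add(100*24*time.Hour))),
		"fullchain_wrongname": Classify(VerifyPresentedChain(full, roots, "dl.example.test", refNow)),
	}
}

func main() {
	for scenario, outcome := range RunScenarios() {
		fmt.Printf("%-20s -> %s\n", scenario, outcome)
	}
}
```

To turn this into a check against a real upstream from the Caddy host, the constructed `presented` slice would be replaced by `ConnectionState().PeerCertificates` from a `crypto/tls` connection to the upstream and `roots` by `x509.SystemCertPool()`; comparing the length of the presented chain with the "unknown_authority" case is the quickest way to tell a server that started serving only its leaf after renewal from one whose new certificate Caddy's host simply does not trust.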