Fix ERR_SSL_PROTOCOL_ERROR for SpringBoot using Caddy

1. The problem I’m having:

Hi everyone, I'm having an issue with my SSL certificate for localhost. I'm trying to use the h3 protocol and QUIC for my Spring Boot app behind a Caddy proxy, but my client always uses h2 or HTTP/1.1 for my API. And when I clear ALPN h2 and http/1.1 in the Caddyfile to use only h3, it gives the error ERR_SSL_PROTOCOL_ERROR. I imported root.crt in mmc. I tried testing h3 in curl with the command line pointing directly to the root file: C:\Users\hlongday>curl -v --http3 --cacert C:/Users/hlongday/AppData/Roaming/Caddy/pki/authorities/local/root.crt https://localhost/api/rooms. And then it worked using the h3 protocol.

2. Error messages and/or full log output:

Here is curl with the root file:

C:\Users\hlongday>curl -v --http3 --cacert C:/Users/hlongday/AppData/Roaming/Caddy/pki/authorities/local/root.crt https://localhost/api/rooms
Note: Using embedded CA bundle, for proxies (234847 bytes)
* Host localhost:443 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:443...
*  CAfile: C:/Users/hlongday/AppData/Roaming/Caddy/pki/authorities/local/root.crt
*  CApath: none
* Server certificate:
*  subject: [NONE]
*  start date: Sep 30 13:37:27 2024 GMT
*  expire date: Oct  1 01:37:27 2024 GMT
*  subjectAltName: host "localhost" matched cert's "localhost"
*  issuer: CN=Caddy Local Authority - ECC Intermediate
*  SSL certificate verify ok.
*   Certificate level 0: Public key type ? (256/128 Bits/secBits), signed using ecdsa-with-SHA256
*   Certificate level 1: Public key type ? (256/128 Bits/secBits), signed using ecdsa-with-SHA256
*   Certificate level 2: Public key type ? (256/128 Bits/secBits), signed using ecdsa-with-SHA256
* Connected to localhost (::1) port 443
* using HTTP/3
* [HTTP/3] [0] OPENED stream for https://localhost/api/rooms
* [HTTP/3] [0] [:method: GET]
* [HTTP/3] [0] [:scheme: https]
* [HTTP/3] [0] [:authority: localhost]
* [HTTP/3] [0] [:path: /api/rooms]
* [HTTP/3] [0] [user-agent: curl/8.10.1]
* [HTTP/3] [0] [accept: */*]
> GET /api/rooms HTTP/3
> Host: localhost
> User-Agent: curl/8.10.1
> Accept: */*
>
* Request completely sent off
< HTTP/3 200
< cache-control: no-cache, no-store, max-age=0, must-revalidate
< pragma: no-cache
< x-frame-options: DENY
< date: Mon, 30 Sep 2024 17:20:52 GMT
< x-content-type-options: nosniff
< server: Caddy
< content-type: application/json
< vary: Origin
< vary: Access-Control-Request-Method
< vary: Access-Control-Request-Headers
< x-xss-protection: 0
< expires: 0
<
[{"id":1,"name":"HÊ HÊ","description":"XEM YT VOI TOI"}]* Connection #0 to host localhost left intact

And here is curl without the root file:

C:\Users\hlongday>curl -I --http3 https://localhost/api/rooms
curl: (55) SSL certificate problem: unable to get local issuer certificate

3. Caddy version:

v2.8.4 h1:q3pe0wpBj1OcHFZ3n/1nl4V4bxBrYoSoab7rL9BMYNk=

Please help me

Please completely fill out the help topic as per the forum rules. Don’t skip any section. Show your Caddyfile, show your Caddy logs. You didn’t provide enough for us to help you.

2 Likes

Here is my Caddyfile:

{
    debug
}

https://localhost {
    reverse_proxy localhost:8080 {
        transport http {
            versions h1 h2
            dial_timeout 30s
        read_timeout 90s  # increase the timeout
            write_timeout 90s
        }
    }
    tls internal {
        protocols tls1.2 tls1.3
        alpn h3, h2
    }
}

And here is my Caddy log when I delete alpn h2 in the Caddyfile:

c:\caddy>2024/10/02 05:03:37.473        INFO    tls     storage cleaning happened too recently; skipping for now       {"storage": "FileStorage:C:\\Users\\hlongday\\AppData\\Roaming\\Caddy", "instance": "a4b53546-3294-4682-abf9-d8f9f0ff4347", "try_again": "2024/10/03 05:03:37.473", "try_again_in": 86400}
2024/10/02 05:03:37.474 INFO    tls     finished cleaning storage units
2024/10/02 05:03:41.066 DEBUG   http.stdlib     http: TLS handshake error from [::1]:53198: tls: client requested unsupported application protocols ([h2 http/1.1])
2024/10/02 05:03:41.068 DEBUG   http.stdlib     http: TLS handshake error from [::1]:53199: tls: client requested unsupported application protocols ([h2 http/1.1])
2024/10/02 05:03:41.565 DEBUG   http.stdlib     http: TLS handshake error from [::1]:53208: tls: client requested unsupported application protocols ([h2 http/1.1])
2024/10/02 05:03:41.566 DEBUG   http.stdlib     http: TLS handshake error from [::1]:53209: tls: client requested unsupported application protocols ([h2 http/1.1])

I have imported root.crt on my local machine.

That's invalid, the Caddyfile doesn't use commas. So it's taking it as two values, literally h3, and h2.

1 Like

I removed the comma in the Caddyfile, and it still uses the h2 protocol instead of h3.

You can see it still uses h2 even though, checking the header, it says it supports h3. What should I do? Thank you.

Here is the second picture:

Browsers typically always try HTTP/2 first and only try HTTP/3 on later requests if they had seen the Alt-Svc header earlier. This isn’t an issue with Caddy, it’s just how browsers do it.

2 Likes

Actually, I removed h2 from the Caddyfile and the browser reported the ERR_SSL_PROTOCOL_ERROR error even though I had previously imported the Caddy certificate into the system.

Are you actually using localhost? As far as I know, Chrome won't use h3 for localhost even if advertised. Browser quirk. Report it to Chrome if you like.

If you want to test h3 in a development environment, you have to use real domains other than localhost. But I won't be surprised if Chrome refuses to use h3 for domains that resolve to localhost.

You can't disable h1 and h2 completely. That's not how browsers work: the browser tries to establish a TCP connection (h1 and h2) first, and if that fails, it fails even if there is h3 available. You can, but then you can only access it programmatically.

1 Like
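As an added example (not from this thread or from the Caddy project), the Python script below models the ALPN selection a TLS server performs under RFC 7301 and parses the Caddy debug lines posted above. It shows concretely what the last two replies describe: the browser's first handshake is always over TCP and offers only h2 and http/1.1, so a server whose TCP listener advertises only h3 has no common protocol, aborts the handshake with a fatal no_application_protocol alert, and the browser reports a generic ERR_SSL_PROTOCOL_ERROR. The client offers, the server preference lists and the log excerpt are constructed for the example (the log excerpt is modelled on the lines quoted in the thread); how Caddy maps the `alpn` option to its listeners is an assumption taken from the thread, not verified against Caddy's source.

```python
"""Model ALPN negotiation and diagnose Caddy 'unsupported application protocols' errors.

Added example for the Caddy forum thread above; not code from Caddy.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample: what a browser offers on its first TLS handshake. That
# handshake is always over TCP; h3 runs over QUIC/UDP and is only tried after
# the browser has seen an Alt-Svc header on an earlier response.
BROWSER_TCP_OFFER = ["h2", "http/1.1"]
# Constructed sample: what `curl --http3` offers over QUIC.
CURL_QUIC_OFFER = ["h3"]

# Server preference lists as the Caddyfile `tls { alpn ... }` option is assumed
# to produce them (assumption based on the thread, not checked against Caddy):
SERVER_H3_ONLY = ["h3"]                  # `alpn h3`: TCP clients can never agree
SERVER_FIXED = ["h3", "h2", "http/1.1"]  # `alpn h3 h2 http/1.1`, space separated


def select_alpn(server_prefs: List[str], client_offer: List[str]) -> Optional[str]:
    """RFC 7301 selection: the first protocol in the *server's* preference
    order that the client also offered. None means no overlap, and the server
    must abort the handshake with a fatal no_application_protocol alert."""
    offered = set(client_offer)
    for proto in server_prefs:
        if proto in offered:
            return proto
    return None


# Matches the Caddy debug lines quoted in the thread.
ALPN_ERR_RE = re.compile(
    r"TLS handshake error from (?P<peer>\S+): tls: client requested "
    r"unsupported application protocols \(\[(?P<protos>[^\]]*)\]\)"
)


def parse_alpn_failures(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (peer, offered protocols) for every ALPN-mismatch handshake error."""
    return [(m.group("peer"), m.group("protos").split())
            for m in ALPN_ERR_RE.finditer(log_text)]


def diagnose(log_text: str, current: List[str], proposed: List[str]) -> List[dict]:
    """For each failed handshake, show what the current server ALPN list
    negotiates with that client (None) and what `proposed` would negotiate."""
    report = []
    for peer, offer in parse_alpn_failures(log_text):
        report.append({
            "peer": peer,
            "client_offer": offer,
            "current": select_alpn(current, offer),
            "proposed": select_alpn(proposed, offer),
        })
    return report


# Constructed excerpt modelled on the debug output posted in the thread.
SAMPLE_LOG = """\
2024/10/02 05:03:37.474 INFO    tls     finished cleaning storage units
2024/10/02 05:03:41.066 DEBUG   http.stdlib     http: TLS handshake error from [::1]:53198: tls: client requested unsupported application protocols ([h2 http/1.1])
2024/10/02 05:03:41.068 DEBUG   http.stdlib     http: TLS handshake error from [::1]:53199: tls: client requested unsupported application protocols ([h2 http/1.1])
"""

if __name__ == "__main__":
    for row in diagnose(SAMPLE_LOG, SERVER_H3_ONLY, SERVER_FIXED):
        print(row)
    # A QUIC client still gets h3 from the fixed list: h3 stays first in preference.
    print("curl --http3 vs fixed config:", select_alpn(SERVER_FIXED, CURL_QUIC_OFFER))
```

Running it prints one row per failed handshake with `current` equal to None (no overlap, hence the alert) and `proposed` equal to h2, which is what the browser's TCP connection would negotiate once h2 is put back; h3 stays first in the server list, so a QUIC client such as `curl --http3` is still offered h3. Keeping h2 and http/1.1 in the list is therefore not a downgrade but the path through which the browser ever learns, via Alt-Svc, that h3 exists.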

Thanks man. I will try it on a domain to use h3. If there is any problem I will reply back later. Thanks again for the help :smiling_face_with_three_hearts: