Hi everyone, I'm having an issue with my SSL certificate for localhost. I’m trying to use the h3 protocol and QUIC for my Spring Boot app via a Caddy proxy, but my client always uses h2 or http1.1 for my API. And when I clear ALPN h2 and http1.1 in the Caddyfile to use only h3, it gives the error ERR_SSL_PROTOCOL_ERROR. I imported root.crt in mmc. I tried testing h3 in curl with the command line pointing directly to the root file: C:\Users\hlongday>curl -v --http3 --cacert C:/Users/hlongday/AppData/Roaming/Caddy/pki/authorities/local/root.crt https://localhost/api/rooms. And then it worked using the h3 protocol.
2. Error messages and/or full log output:
Here is curl with root file
C:\Users\hlongday>curl -v --http3 --cacert C:/Users/hlongday/AppData/Roaming/Caddy/pki/authorities/local/root.crt https://localhost/api/rooms
Note: Using embedded CA bundle, for proxies (234847 bytes)
* Host localhost:443 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
* Trying [::1]:443...
* CAfile: C:/Users/hlongday/AppData/Roaming/Caddy/pki/authorities/local/root.crt
* CApath: none
* Server certificate:
* subject: [NONE]
* start date: Sep 30 13:37:27 2024 GMT
* expire date: Oct 1 01:37:27 2024 GMT
* subjectAltName: host "localhost" matched cert's "localhost"
* issuer: CN=Caddy Local Authority - ECC Intermediate
* SSL certificate verify ok.
* Certificate level 0: Public key type ? (256/128 Bits/secBits), signed using ecdsa-with-SHA256
* Certificate level 1: Public key type ? (256/128 Bits/secBits), signed using ecdsa-with-SHA256
* Certificate level 2: Public key type ? (256/128 Bits/secBits), signed using ecdsa-with-SHA256
* Connected to localhost (::1) port 443
* using HTTP/3
* [HTTP/3] [0] OPENED stream for https://localhost/api/rooms
* [HTTP/3] [0] [:method: GET]
* [HTTP/3] [0] [:scheme: https]
* [HTTP/3] [0] [:authority: localhost]
* [HTTP/3] [0] [:path: /api/rooms]
* [HTTP/3] [0] [user-agent: curl/8.10.1]
* [HTTP/3] [0] [accept: */*]
> GET /api/rooms HTTP/3
> Host: localhost
> User-Agent: curl/8.10.1
> Accept: */*
>
* Request completely sent off
< HTTP/3 200
< cache-control: no-cache, no-store, max-age=0, must-revalidate
< pragma: no-cache
< x-frame-options: DENY
< date: Mon, 30 Sep 2024 17:20:52 GMT
< x-content-type-options: nosniff
< server: Caddy
< content-type: application/json
< vary: Origin
< vary: Access-Control-Request-Method
< vary: Access-Control-Request-Headers
< x-xss-protection: 0
< expires: 0
<
[{"id":1,"name":"HÊ HÊ","description":"XEM YT VOI TOI"}]* Connection #0 to host localhost left intact
And here is curl with no root file
C:\Users\hlongday>curl -I --http3 https://localhost/api/rooms
curl: (55) SSL certificate problem: unable to get local issuer certificate
Please completely fill out the help topic as per the forum rules. Don’t skip any section. Show your Caddyfile, show your Caddy logs. You didn’t provide enough for us to help you.
Browsers typically always try HTTP/2 first and only try HTTP/3 on later requests if they had seen the Alt-Svc header earlier. This isn’t an issue with Caddy, it’s just how browsers do it.
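The Alt-Svc discovery step described in the reply above, as an added example (not part of the thread and not Caddy's code): a small Python parser that takes the headers of an h1/h2 response and reports whether an h3 alternative was advertised. The header values and the names `parse_alt_svc` and `h3_offer` are constructed for illustration.

```python
import re

# alt-value per RFC 7838: protocol-id="[host]:port" followed by ;name=value params
ALT_VALUE = re.compile(r'([A-Za-z0-9%._~+-]+)="([^"]*)"((?:\s*;\s*[A-Za-z]+=[^;,\s]+)*)')
PARAM = re.compile(r'([A-Za-z]+)=([^;,\s]+)')

def parse_alt_svc(value):
    """Parse one Alt-Svc field value into a list of alternatives."""
    if value.strip().lower() == "clear":      # server withdraws all alternatives
        return []
    alternatives = []
    for proto, authority, params in ALT_VALUE.findall(value):
        host, sep, port = authority.rpartition(":")
        if not sep or not port.isdigit():
            continue                          # malformed authority, skip this entry
        max_age = 86400                       # RFC 7838 default when ma is absent
        for name, val in PARAM.findall(params):
            if name.lower() == "ma" and val.isdigit():
                max_age = int(val)
        alternatives.append({"proto": proto, "host": host,
                             "port": int(port), "ma": max_age})
    return alternatives

def h3_offer(headers):
    """Return the first usable h3 alternative from (name, value) pairs, or None.

    None means a client that starts on TCP (h1/h2) was never told that an
    HTTP/3 endpoint exists, so it has no reason to switch to QUIC.
    """
    for name, value in headers:
        if name.lower() != "alt-svc":
            continue
        for alt in parse_alt_svc(value):
            if alt["proto"] == "h3" and alt["ma"] > 0:
                return alt
    return None

# Constructed sample responses (header name, value), not captured from the thread
H2_WITH_ALT_SVC = [("server", "Caddy"), ("alt-svc", 'h3=":443"; ma=2592000')]
H2_WITHOUT_ALT_SVC = [("server", "Caddy"), ("content-type", "application/json")]

if __name__ == "__main__":
    print(h3_offer(H2_WITH_ALT_SVC))
    print(h3_offer(H2_WITHOUT_ALT_SVC))
```

An empty host in the result means the alternative is on the same host as the origin, only on the given port.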
Actually, I removed h2 from the Caddyfile and the browser reported an ERR_SSL_PROTOCOL_ERROR error even though I had previously imported the Caddy certificate into the system.
Are you actually using localhost? As far as I know, Chrome won’t use h3 for localhost even if advertised. Browser quirk. Report to Chrome if you like.
If you want to test h3 in a development environment, you have to use real domains other than localhost. But I won’t be surprised if Chrome refuses to use h3 for domains that resolve to localhost.
You can’t disable h1 and h2 completely. That’s not how browsers work: the browser tries to establish a TCP connection (h1 and h2) first, and if that fails, even if there is h3 available. You can, but you can only access it programmatically.