1. Caddy version (`caddy version`):
v2.4.5 h1:P1mRs6V2cMcagSPn+NWpD+OEYUYLIf6ecOa48cFGeUg=
2. How I run Caddy:
Running on a standard Linux Ubuntu Digital Ocean droplet. I have run it manually (`caddy run`) and also as a service. Caddy is acting as a reverse proxy to my Rails app, which is running on port 4567.
I have Cloudflare managing my app’s DNS. There is a single DNS record:
A * <my digital ocean droplet IP address>
I don’t have Cloudflare Enterprise or anything, so Cloudflare is acting as DNS only.
a. System environment:
Ubuntu 20
b. Command:
```
sudo systemctl start caddy
```
d. My complete Caddyfile or JSON config:
```
{
	storage redis {
		host 127.0.0.1
		port 6379
		db 1
		tls_enabled false
		aes_key redistls-01234567890-caddytls-32
	}
	on_demand_tls {
		ask http://127.0.0.1:4567/ask
		interval 2m
		burst 5
	}
}

# Wildcard site for the app's own subdomains (DNS challenge via Cloudflare)
*.myappdomain:443 {
	reverse_proxy 127.0.0.1:4567 {
		header_up Host {http.reverse_proxy.upstream.hostport}
		# placeholder is http.reverse_proxy (underscore), not http.reverse-proxy
		header_up X-Real-IP {http.reverse_proxy.upstream.address}
		header_up X-Forwarded-Port {http.request.port}
		header_up X-Forwarded-Host {http.request.host}
	}
	tls me@myappdomain {
		dns cloudflare <my cloudflare api key>
	}
	log {
		output file /var/log/caddy/access-app.log
	}
}

# Catch-all site for customer domains, certificates issued on demand
:443 {
	reverse_proxy 127.0.0.1:4567 {
		header_up Host {http.reverse_proxy.upstream.hostport}
		# placeholder is http.reverse_proxy (underscore), not http.reverse-proxy
		header_up X-Real-IP {http.reverse_proxy.upstream.address}
		header_up X-Forwarded-Port {http.request.port}
		header_up X-Forwarded-Host {http.request.host}
	}
	tls me@myappdomain {
		on_demand
	}
	log {
		output file /var/log/caddy/access-customdomain.log
	}
}
```
3. The problem I’m having:
Caddy appears to be serving my app fine. I can access it on https://myappdomain.com and I can access subdomains (e.g. https://blog.myappdomain.com). This is great.
My app allows custom domains to be configured. If I point a second domain (e.g. mycustomdomain.com) to my DigitalOcean droplet (single A record pointing to the IP address of the droplet), I expect Caddy to handle this and do on-demand TLS (see the `:443` block in my Caddyfile), but what I see when I visit this domain (via https) in my browser is this error:
This site can’t provide a secure connection
**mycustomdomain.com** sent an invalid response.
ERR_SSL_PROTOCOL_ERROR
FYI: This other domain has nothing to do with Cloudflare, it’s using Namecheap for DNS.
4. Error messages and/or full log output:
There are no messages in my server’s caddy log or syslog.
5. What I already tried:
I have had this working in the past and I can’t for the life of me figure out what I’m doing wrong! Caddy appears to be working normally, my DO droplet appears to be fine (I can access the app domain no problem).
I tried this command on the terminal to see if I could figure out what’s happening but it’s beyond me… perhaps it is of help in debugging this issue?
```
$ openssl s_client -connect mycustomdomain:443 -servername mycustomdomain
CONNECTED(00000005)
4333588140:error:14004438:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert internal error:/System/Volumes/Data/SWE/macOS/BuildRoots/38cf1d983f/Library/Caches/com.apple.xbs/Sources/libressl/libressl-56.60.2/libressl-2.8/ssl/ssl_pkt.c:1200:SSL alert number 80
4333588140:error:140040E5:SSL routines:CONNECT_CR_SRVR_HELLO:ssl handshake failure:/System/Volumes/Data/SWE/macOS/BuildRoots/38cf1d983f/Library/Caches/com.apple.xbs/Sources/libressl/libressl-56.60.2/libressl-2.8/ssl/ssl_pkt.c:585:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Start Time: 1632670992
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
```
Can anyone offer any advice please?
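As an added example (not part of the original post or of Caddy itself), this is one way to implement the `/ask` endpoint that the `on_demand_tls` block in the Caddyfile above points at. Caddy calls it as `GET /ask?domain=<name>` and only issues a certificate on a 2xx response, so the endpoint is what stops anyone who points a stray domain at the droplet from getting certificates issued against the server's rate limits. It is a plain Rack-compatible lambda using only the Ruby standard library; the `CUSTOM_DOMAINS` allowlist, the `APP_ZONE` constant and the helper names are assumptions standing in for the app's real database lookup.

```ruby
require 'uri'
require 'set'

# Constructed sample: custom domains the app's users have registered.
# In the real app this lookup would hit the database instead (assumption).
CUSTOM_DOMAINS = Set['mycustomdomain.com', 'shop.anotherexample.net'].freeze

# Zone already served by the wildcard site block; names under it never
# need an on-demand certificate, so they are refused here.
APP_ZONE = 'myappdomain.com'.freeze

# Normalise what Caddy sends in ?domain= : lowercase, drop one trailing
# dot, and reject anything that is not a plausible DNS hostname.
def normalize_domain(raw)
  return nil if raw.nil?
  name = raw.strip.downcase.chomp('.')
  return nil if name.empty? || name.length > 253
  label = '[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?'
  return nil unless name.match?(/\A#{label}(\.#{label})+\z/)
  name
end

# Decision for one name: true only for an exact, allowlisted custom domain.
def domain_allowed?(raw)
  name = normalize_domain(raw)
  return false if name.nil?
  return false if name == APP_ZONE || name.end_with?(".#{APP_ZONE}")
  CUSTOM_DOMAINS.include?(name)
end

# Rack-compatible handler for GET /ask?domain=<name>. Caddy treats a 2xx
# as "obtain a certificate" and any other status as "refuse".
ASK_APP = lambda do |env|
  params = URI.decode_www_form(env['QUERY_STRING'].to_s).to_h
  if env['REQUEST_METHOD'] == 'GET' && domain_allowed?(params['domain'])
    [200, { 'content-type' => 'text/plain' }, ['ok']]
  else
    [403, { 'content-type' => 'text/plain' }, ['domain not allowed']]
  end
end

# Status code Caddy would see for a given query string (used by the checks).
def ask_status(query_string, method = 'GET')
  ASK_APP.call('REQUEST_METHOD' => method, 'QUERY_STRING' => query_string).first
end
```

Mounting `ASK_APP` at `/ask` in the Rails router (or any Rack server on port 4567) is enough for the `ask http://127.0.0.1:4567/ask` directive; a refusal here is one of the cases in which Caddy answers the handshake with an internal error alert rather than a certificate.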