How do I get automatic HTTPS on an IP address?

Drillan767 · July 1, 2019, 7:16pm

I’m struggling with a basic configuration. Basically, I would like to get HTTPS over 0.0.0.0 (my website is in a Docker container). Somehow, with the following configuration, I can have HTTP but not HTTPS:

0.0.0.0
root /home/sendo/public
gzip
fastcgi / 127.0.0.1:9000 php
rewrite {
    regexp .*
    ext /
    to /index.php?{query}
}

log stdout
errors stdout
on startup php-fpm --nodaemonize

I read this documentation, so I guessed I only had to add https before 0.0.0.0 but now i get this error:

This site can’t provide a secure connection
website.com sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

and the website isn’t even available in HTTPS.

What am I missing?

Thank you in advance for your answers

matt · July 2, 2019, 1:49am

Update: This is old info. Caddy 2 will provision its own certificate for your IP addresses.

From the automatic HTTPS docs page:

Caddy automatically enables HTTPS for all your sites, given that some reasonable criteria are met:

The hostname:

is not an IP address

Since you can’t (practically) get a publicly-trusted certificate for an IP address, you will have to roll your own – but it won’t be trusted in browsers. And 0.0.0.0 isn’t a valid IP either, it’s just kind of a wildcard for “anything on this IPv4 interface.”

If you don’t know which domains you’ll be serving, you need to enable on-demand TLS using the tls directive’s ask subdirective (don’t use max_certs, we’re deprecating it next week): https://caddyserver.com/docs/tls

Whitestrake · July 3, 2019, 12:54am

As an addendum to Matt Holt’s advice, if you need HTTPS, you can get a non-trusted, self-signed certificate for an IP address (it’s just not compatible with the Automatic HTTPS feature).

You’ll need to use tls self_signed to do that. You’ll also probably want to set the port and HTTP(S) redirection up manually - normally, Automatic HTTPS does that for you.

pepa65 · July 3, 2019, 1:44pm

Feature request: wouldn’t it be great if one could set the expiry to something else than 7 days?? It saves someone from having to generate their own self-signed key/certificate, and has the same effect as self_signed (unless I misunderstand what self_signed does).

matt · July 3, 2019, 5:15pm

Yeah, Caddy 2 will let you do this.

Drillan767 · July 3, 2019, 6:42pm

Thanks for your reply, I guess I have no other choice than using a Caddy proxy outside the Docker container (which is cool anyway)

system · October 1, 2019, 6:44pm

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.