"http HTTP/2 skipped because it requires TLS" warning; server only running HTTP/1

1. The problem I’m having:

So I’m having an issue getting HTTP/2 and HTTP/3 to work; the protocols are enabled, but it says that they’re being skipped because “it requires TLS”. HTTP/1 clearly works, and the server obtains an SSL cert from Let’s Encrypt, so I’m not sure… if I need to configure something else? Docs indicate that it should work out of the box and it doesn’t seem like there’s anything else I need to install that I know of.

2. Error messages and/or full log output:

Relevant debug section:

2025/06/06 20:30:02.272	DEBUG	http	starting server loop	{"address": "[::]:443", "tls": true, "http3": false}
2025/06/06 20:30:02.272	INFO	http	enabling HTTP/3 listener	{"addr": ":443"}
2025/06/06 20:30:02.272	INFO	http.log	server running	{"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2025/06/06 20:30:02.272	DEBUG	http	starting server loop	{"address": "[::]:80", "tls": false, "http3": false}
2025/06/06 20:30:02.272	WARN	http	HTTP/2 skipped because it requires TLS	{"network": "tcp", "addr": ":80"}
2025/06/06 20:30:02.272	WARN	http	HTTP/3 skipped because it requires TLS	{"network": "tcp", "addr": ":80"}
2025/06/06 20:30:02.272	INFO	http.log	server running	{"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}

I’m also seeing this show up in the debug logs a lot:

2025/06/06 20:33:14.011	DEBUG	http.stdlib	http: TLS handshake error from 3.107.48.1:15212: no certificate available for '69.48.200.46'

Which makes no sense to me because AFAIK it does have a certificate? Help T-T

3. Caddy version:

v2.10.0 h1:fonubSaQKF1YANl8TXqGcn4IbIRUDdfAkpcsfI/vX5U=

4. How I installed and ran Caddy:

Installed as a Linux package on Ubuntu

a. System environment:

Ubuntu 24.04.2 LTS (GNU/Linux 6.8.0-60-generic x86_64)

b. Command:

PASTE OVER THIS, BETWEEN THE ``` LINES.
Please use the preview pane to ensure it looks nice.

c. Service/unit/compose file:

PASTE OVER THIS, BETWEEN THE ``` LINES.
Please use the preview pane to ensure it looks nice.

d. My complete Caddy config:

PASTE OVER THIS, BETWEEN THE ``` LINES.
Please use the preview pane to ensure it looks nice.

5. Links to relevant resources:

Well, the problem lies with your config, and you chose to skip that part of the template. I don’t know how we can help.

…oh I somehow completely missed that. Sorry, I have a newborn, I am incredibly sleep deprived.

b. Command:

caddy start

c. Service/unit/compose file:

n/a

d. My complete Caddy config:

# The Caddyfile is an easy way to configure your Caddy web server.
#
# Unless the file starts with a global options block, the first
# uncommented line is always the address of your site.
#
# To use your own domain name (with automatic HTTPS), first make
# sure your domain's A/AAAA DNS records are properly pointed to
# this machine's public IP, then replace ":80" below with your
# domain name.
{
	debug
}

blotter.veryroundbird.house {
	# Set this path to your site's directory.
	root * /var/www/html/blotter/public

	try_files {path} {path}.html {path}/ =404

	# Enable the static file server.
	file_server

	encode gzip

	handle_errors {
		rewrite * /{err.status_code}.html
		file_server
	}

	log {
		output file /var/log/caddy/blotter.error.log
		format console
	}

	# Another common task is to set up a reverse proxy:
	# reverse_proxy localhost:8080

	# Or serve a PHP site through php-fpm:
	# php_fastcgi localhost:9000
}

sync.veryroundbird.house {
	basic_auth {
		smallbird $2y$12$cAS6TvUKhWYi7m2wrW6e0OWtKTGjJXbMF3FQSHig4qnvJr3kVWVhS
	}

	reverse_proxy localhost:8384 {
		header_up Host {upstream_hostport}
	}
}

spoverlay.veryroundbird.house {
	root * /var/www/html/streamplace-overlay
	file_server
	encode gzip
}

spoverlayapi.veryroundbird.house {
	reverse_proxy localhost:8080
}

smallbird.live {
	root * /var/www/html/smallbirdlive
	file_server

	encode gzip

	log {
		output file /var/log/caddy/smallbird.live.error.log
		format console
	}
}

at.veryroundbird.house {
	root * /var/www/html/at
	file_server

	encode gzip

	log {
		output file /var/log/caddy/at.error.log
		format console
	}
}

placemat.veryroundbird.house {
	reverse_proxy localhost:3501 {
		header_up Sec-Websocket-Key {>Sec-Websocket-Key}
	}

	log {
		output file /var/log/caddy/placemat.error.log
		format console
	}
}

dev.placemat.veryroundbird.house {
	reverse_proxy localhost:3001

	log {
		output file /var/log/caddy/dev.placemat.error.log
		format console
	}
}

listmatcher.veryroundbird.house {
	root * /var/www/html/listmatcher
	file_server

	encode gzip

	log {
		output file /var/log/caddy/listmatcher.error.log
		format console
	}
}
# Refer to the Caddy docs for more information:
# https://caddyserver.com/docs/caddyfile

Notice the "addr": ":80". Caddy is just telling you that it can’t use HTTP/2 and HTTP/3 over the plain HTTP port (because they require TLS).
It works fine over HTTPS:

$ curl -v --http2 https://blotter.veryroundbird.house
[...]
* ALPN: curl offers h2,http/1.1
[...]
* ALPN: server accepted h2
[...]
* Connected to blotter.veryroundbird.house (69.48.200.46) port 443
* using HTTP/2
[...]

However, HTTP/3 uses QUIC, which uses UDP, so you need to open port 443 over UDP for it to work (and expose it in Docker if you use that).

$ curl -v --http3-only https://blotter.veryroundbird.house
* Host blotter.veryroundbird.house:443 was resolved.
* IPv6: (none)
* IPv4: 69.48.200.46
*   Trying 69.48.200.46:443...
*  CAfile: /usr/etc/tls/cert.pem
*  CApath: /usr/etc/tls/certs
* QUIC connection has been shut down
* QUIC connect to 69.48.200.46 port 443 failed: Could not connect to server
* Failed to connect to blotter.veryroundbird.house port 443 after 30040 ms: Could not connect to server
* closing connection #0
curl: (7) QUIC connection has been shut down

I think those are just bots trying to access your server using the IP directly.

Also are you ok with that hash in the config being posted publicly?
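The triage described in the replies above, as an added example that is not part of the original thread or of Caddy: it sorts console-format Caddy log lines into the expected "skipped because it requires TLS" notice on the plain HTTP port, handshake failures where the requested name is an IP literal, and handshake failures for a real hostname that has no certificate. The category names, the `classify` helper and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import json
import re

HANDSHAKE = re.compile(r"TLS handshake error from (\S+): no certificate available for '([^']+)'")
SKIPPED = re.compile(r"HTTP/[23] skipped because it requires TLS")

# Constructed sample lines (documentation IP ranges), tab-separated like Caddy's console format.
SAMPLE = [
    '2025/01/01 10:00:00.000\tWARN\thttp\tHTTP/2 skipped because it requires TLS\t{"network": "tcp", "addr": ":80"}',
    '2025/01/01 10:00:00.000\tWARN\thttp\tHTTP/3 skipped because it requires TLS\t{"network": "tcp", "addr": ":8443"}',
    "2025/01/01 10:03:00.000\tDEBUG\thttp.stdlib\thttp: TLS handshake error from 198.51.100.7:15212: no certificate available for '203.0.113.10'",
    "2025/01/01 10:04:00.000\tDEBUG\thttp.stdlib\thttp: TLS handshake error from 198.51.100.9:40000: no certificate available for 'typo.example.com'",
]

def is_ip(value):
    """True if value is an IPv4/IPv6 literal (brackets tolerated)."""
    try:
        ipaddress.ip_address(value.strip("[]"))
        return True
    except ValueError:
        return False

def classify(line):
    """Return (category, detail) for one console-format log line."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 4:
        return ("unparsed", None)
    level, msg = parts[1], parts[3]
    try:
        fields = json.loads(parts[4]) if len(parts) > 4 else {}
    except json.JSONDecodeError:
        fields = {}
    if level == "WARN" and SKIPPED.search(msg):
        addr = str(fields.get("addr", ""))
        # On :80 the notice is expected; on any other listener, check why TLS is off.
        kind = "expected-plaintext-listener" if addr.endswith(":80") else "check-listener-tls"
        return (kind, addr)
    m = HANDSHAKE.search(msg)
    if m:
        peer = m.group(1).rsplit(":", 1)[0].strip("[]")
        # An IP literal as the requested name means the client did not ask for a site hostname.
        if is_ip(m.group(2)):
            return ("ip-literal-request", peer)
        return ("hostname-without-cert", m.group(2))
    return ("other", None)

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line))
```

Only the `hostname-without-cert` and `check-listener-tls` categories point at something to fix in the configuration; the other two match the situation explained in the replies.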
