1. Caddy version (caddy version):
v2.4.4
and
"org.opencontainers.image.version": "v2.4.3"
2. How I run Caddy:
caddy run --watch
[as root]
and
docker run -d -p 10.2.236.9:443:443 -p 10.2.236.9:80:80 -v $PWD/Caddyfile:/etc/caddy/Caddyfile -v caddy_data:/data caddy
a. System environment:
OS: Arch Linux x86_64
Kernel: 5.13.12-arch1-1
Docker version 20.10.8, build 3967b7d28e
d. My complete Caddyfile or JSON config:
{
	http_port 80
	https_port 443
	skip_install_trust
	local_certs
}

10.2.236.9

encode gzip

@insecureadmin {
	not remote_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.1
	path /admin*
}
redir @insecureadmin /

reverse_proxy /notifications/hub/negotiate 172.17.0.2:80
reverse_proxy /notifications/hub 172.17.0.2:3012
reverse_proxy 172.17.0.2:80 {
	# Send the true remote IP to Rocket, so that vaultwarden can put this in the
	# log, so that fail2ban can ban the correct IP.
	header_up X-Real-IP {remote_host}
}
3. The problem I’m having:
My Caddyfile works great on a system without Docker, but in Docker I get an HTTPS error from the browser.
4. Error messages and/or full log output:
curl -v -k https://10.2.236.9
* Trying 10.2.236.9:443...
* Connected to 10.2.236.9 (10.2.236.9) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, internal error (592):
* error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
* Closing connection 0
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
docker logs magical_kapitsa
{"level":"info","ts":1630424142.4293022,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"warn","ts":1630424142.43465,"msg":"input is not formatted with 'caddy fmt'","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
{"level":"info","ts":1630424142.4363222,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["[::1]:2019","127.0.0.1:2019","localhost:2019"]}
{"level":"info","ts":1630424142.436763,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0002be8c0"}
{"level":"info","ts":1630424142.4591525,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1630424142.4591875,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"warn","ts":1630424142.4601185,"logger":"pki.ca.local","msg":"root certificate trust store installation disabled; unconfigured clients may show warnings","path":"storage:pki/authorities/local/root.crt"}
{"level":"info","ts":1630424142.4602673,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"info","ts":1630424142.4603434,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1630424142.4604115,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["10.2.236.9"]}
{"level":"info","ts":1630424142.4606602,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1630424142.4606822,"msg":"serving initial configuration"}
{"level":"info","ts":1630424142.4611225,"logger":"tls.obtain","msg":"acquiring lock","identifier":"10.2.236.9"}
{"level":"info","ts":1630424142.5088987,"logger":"tls.obtain","msg":"lock acquired","identifier":"10.2.236.9"}
{"level":"info","ts":1630424142.5127416,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"10.2.236.9"}
{"level":"info","ts":1630424142.5127726,"logger":"tls.obtain","msg":"releasing lock","identifier":"10.2.236.9"}
{"level":"warn","ts":1630424142.514271,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [10.2.236.9]: no OCSP server specified in certificate"}
openssl s_client -connect 172.17.0.3:443
CONNECTED(00000003)
139750776890752:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1543:SSL alert number 80
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 293 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
5. What I already tried:
I built the Caddyfile using a local console with watch enabled as an argument. This worked for me without problems; when I wanted to test it in Docker, I encountered this problem and unfortunately have no idea for a solution.
Thank you for your help.
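As an added illustration (not part of the post above and not Caddy's own code), the following Python model reproduces the request routing the posted Caddyfile expresses: redir runs before reverse_proxy, the @insecureadmin matcher is evaluated against the TCP peer address, and the reverse_proxy path matchers are exact unless they end in `*`. The IPs in the test calls are constructed.

```python
import ipaddress

# Constructed model of the posted Caddyfile's routing (added example, not Caddy code).
# Ranges copied from the `not remote_ip ...` matcher; a bare IP is a /32.
PRIVATE_RANGES = [
    ipaddress.ip_network(n)
    for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8", "127.0.0.1/32")
]
BACKEND = "172.17.0.2"  # upstream from the Caddyfile


def is_private(remote_ip: str) -> bool:
    """remote_ip matcher: the peer address of the TCP connection, not a header."""
    addr = ipaddress.ip_address(remote_ip)
    return any(addr in net for net in PRIVATE_RANGES)


def matches_insecure_admin(remote_ip: str, path: str) -> bool:
    """@insecureadmin: path /admin* (prefix match) from outside the private ranges."""
    # Caddy 2 lowercases the request path before matching, so /Admin is caught too.
    return path.lower().startswith("/admin") and not is_private(remote_ip)


def route(remote_ip: str, path: str) -> str:
    """Where a request ends up: the redirect, or the upstream it is proxied to."""
    if matches_insecure_admin(remote_ip, path):
        return "redir /"
    lower = path.lower()
    # Among reverse_proxy directives Caddy sorts longer path matchers first,
    # and a matcher without a trailing '*' only matches that exact path.
    if lower == "/notifications/hub/negotiate":
        return f"reverse_proxy {BACKEND}:80"
    if lower == "/notifications/hub":
        return f"reverse_proxy {BACKEND}:3012"
    # Catch-all block; it is the one that adds X-Real-IP = remote_ip upstream.
    return f"reverse_proxy {BACKEND}:80"


if __name__ == "__main__":
    for ip, p in (("203.0.113.7", "/admin"), ("10.2.236.50", "/admin"),
                  ("203.0.113.7", "/notifications/hub")):
        print(ip, p, "->", route(ip, p))
```

Running it shows that the admin block depends entirely on the peer address Caddy sees, which is worth checking when the container sits behind Docker's port mapping.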