HTTPS to a port other than 443 not working

1. Caddy version (caddy version):

v2.2.1 h1:Q62GWHMtztnvyRU+KPOpw6fNfeCD3SkwH7SfT1Tgt2c=

2. How I run Caddy:

From the docker repository caddy:alpine

docker run -d --name='CaddyV2' --net='bridge' -e TZ="America/New_York" -e HOST_OS="Unraid" -p '1880:80/tcp' -p '18443:443/tcp' -p '8880:8880/tcp' -v '/mnt/user/appdata/caddy/data':'/data':'rw' -v '/mnt/user/appdata/caddy':'/config':'rw' -v '/mnt/user/appdata/caddy/caddyfile.cfg':'/etc/caddy/Caddyfile':'rw' -v '/mnt/user/appdata/caddy/www/':'/www':'ro' 'caddy:alpine'

a. System environment:

Docker

b. Command:

It’s internal to the official Docker. Not sure.

c. Service/unit/compose file:

It’s internal to the official Docker. Not sure.

d. My complete Caddyfile or JSON config:

{
  admin :2019 {
    #enforce_origin
    #origins 192.168.0.0/24
  }
  auto_https off
}

#http://192.168.0.100:8880 {
#https://192.168.0.100:8880 {
192.168.0.100:8880 {
  file_server
  root * /www
  #rewrite * /index.html
  encode gzip
  log {
    output file         8880.log
    format single_field common_log
  }
  tls internal {
  }
}

3. The problem I’m having:

Things just work when you don’t specify a port, but with a port only http will work. I can’t find any combination that enables TLS with a HTTPS request.

4. Error messages and/or full log output:

curl -v https://192.168.0.100:8880
* Rebuilt URL to: https://192.168.0.100:8880/
*   Trying 192.168.0.100...
* TCP_NODELAY set
* Connected to 192.168.0.100 (192.168.0.100) port 8880 (#0)
* schannel: SSL/TLS connection with 192.168.0.100 port 8880 (step 1/3)
* schannel: checking server certificate revocation
* schannel: using IP address, SNI is not supported by OS.
* schannel: sending initial handshake data: sending 162 bytes...
* schannel: sent initial handshake data: sent 162 bytes
* schannel: SSL/TLS connection with 192.168.0.100 port 8880 (step 2/3)
* schannel: encrypted data got 7
* schannel: encrypted data buffer: offset 7 length 4096
* schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.
* Closing connection 0
* schannel: shutting down SSL/TLS connection with 192.168.0.100 port 8880
* schannel: clear security context handle
curl: (35) schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.

5. What I already tried:

I had great early success with Caddy, everything just worked amazingly well, but now I’ve somehow spent 6 hours on getting https to work on a port.

I’ve tried including the protocol in the Caddyfile configuration of the domain. This works to enable http, but https is just ignored, it would seem. With just http, I’ve validated all the networking, but once I try and use https it falls apart. I’ve checked that the certificate was created. It was. I’ve tried turning off the auto_https but it didn’t help in any way. I’ve stripped the config down to just this server. The only other option I can think of is whatever options moving to JSON would offer, but having turned “auto_https off” completely I don’t see those extra “automatic_https” options being relevant.

6. Links to relevant resources:

Using https://192.168.0.100:8880 as your site address is correct.

You’re using tls internal, have you added the root CA cert that Caddy generates to your trust store? Clients won’t know how to trust the connection to Caddy unless you do that.
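Before chasing trust-store problems it helps to separate two different failures that curl reports similarly: a port that never speaks TLS (it answers a ClientHello with plaintext HTTP or just closes), and a port that does speak TLS but presents a certificate the client does not trust. The probe below is an added diagnostic written for this thread, not code from Caddy or from anyone in the discussion; it assumes only the Python standard library, lets the ssl module build a real ClientHello in memory, sends it over a raw socket and classifies the first bytes that come back.

```python
"""Probe host:port and report whether it answers a TLS ClientHello with TLS at all.
Added diagnostic, not from the thread. Assumes Python 3.8+ standard library only."""
import socket
import ssl

# TLS record content types (RFC 8446 section 5.1)
TLS_ALERT = 0x15
TLS_HANDSHAKE = 0x16

# A few alert descriptions worth naming (RFC 8446 section 6.2)
ALERT_NAMES = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
               70: "protocol_version", 112: "unrecognized_name"}


def client_hello() -> bytes:
    """Have the ssl module emit a genuine ClientHello into a memory BIO (no socket)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # we only want the bytes, not a verified session
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                        # expected: ClientHello written, waiting for server
    return outgoing.read()


def classify(reply: bytes) -> str:
    """Classify the first bytes a server returned in answer to a ClientHello."""
    if not reply:
        return "closed: server hung up without answering (not TLS, or rejected)"
    if reply[0] == TLS_HANDSHAKE:
        return "tls: server answered with a handshake record"
    if reply[0] == TLS_ALERT and len(reply) >= 7:
        return f"tls-alert: {ALERT_NAMES.get(reply[6], f'code {reply[6]}')}"
    if reply.startswith(b"HTTP/"):
        return "plaintext-http: port serves HTTP, not HTTPS"
    return f"unknown: {reply[:16]!r}"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect, send one ClientHello, classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello())
        try:
            return classify(sock.recv(4096))
        except socket.timeout:
            return "timeout: no reply to ClientHello"


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2])))   # e.g. probe 192.168.0.100 8880
```

A "plaintext-http" result means the listener is not configured for TLS on that port, so no amount of trust-store work will help; a "tls" result with a failing browser or curl points back to the root CA question above.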

I had not done this prior. However, I just added “Caddy Local Authority - 2020 ECC Root” to my Windows “Trusted Root Certificate Authorities”. It didn’t fare any better. I then added it directly to Firefox’s Certificate Manager as well without any improvement. I may have done something wrong in this regard. I found this certificate in the /pki/certificates/local directory. I added the Intermediate as well. The error message remains the same.
