1. Caddy version (caddy version):
v2.0.0 h1:pQSaIJGFluFvu8KDGDODV8u4/QRED/OPyIR+MWYYse8=
2. How I run Caddy:
using the systemctl it is started with ExecStart=/usr/local/bin/caddy run -config /etc/caddy/Caddyfile
a. System environment:
Linux server01 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64 GNU/Linux
b. Command:
systemctl start caddy
c. Service/unit/compose file:
paste full file contents here
d. My complete Caddyfile or JSON config:
tracypearson.me {
    file_server {
        root /var/www/tracypearson.me
    }
}
tracypearson.com {
    file_server {
        root /var/www/tracypearson.com
    }
}
tracypearson.net {
    file_server {
        root /var/www/tracypearson.net
    }
}
git.tracypearson.net {
    reverse_proxy localhost:3000
}
server01.lan {
    tls internal
    file_server {
        root /var/www/server01
    }
}
3. The problem I’m having:
The SSL handshake keeps failing. It works sometimes. The
4. Error messages and/or full log output:
C:\Users\tracy\Downloads\Tools\CaddyServer\caddy_2.0.0_windows_amd64>curl -k -v https://server01.lan
* Rebuilt URL to: https://server01.lan/
* Trying 192.168.17.111...
* TCP_NODELAY set
* Connected to server01.lan (192.168.17.111) port 443 (#0)
* schannel: SSL/TLS connection with server01.lan port 443 (step 1/3)
* schannel: disabled server certificate revocation checks
* schannel: verifyhost setting prevents Schannel from comparing the supplied target name with the subject names in server certificates.
* schannel: sending initial handshake data: sending 168 bytes...
* schannel: sent initial handshake data: sent 168 bytes
* schannel: SSL/TLS connection with server01.lan port 443 (step 2/3)
* schannel: encrypted data got 7
* schannel: encrypted data buffer: offset 7 length 4096
* schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.
* Closing connection 0
* schannel: shutting down SSL/TLS connection with server01.lan port 443
* schannel: clear security context handle
curl: (35) schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.
and a success
C:\Users\tracy\Downloads\Tools\CaddyServer\caddy_2.0.0_windows_amd64>curl -v -k https://server01.lan
* Rebuilt URL to: https://server01.lan/
* Trying 192.168.17.111...
* TCP_NODELAY set
* Connected to server01.lan (192.168.17.111) port 443 (#0)
* schannel: SSL/TLS connection with server01.lan port 443 (step 1/3)
* schannel: disabled server certificate revocation checks
* schannel: verifyhost setting prevents Schannel from comparing the supplied target name with the subject names in server certificates.
* schannel: sending initial handshake data: sending 168 bytes...
* schannel: sent initial handshake data: sent 168 bytes
* schannel: SSL/TLS connection with server01.lan port 443 (step 2/3)
* schannel: encrypted data got 1122
* schannel: encrypted data buffer: offset 1122 length 4096
* schannel: sending next handshake data: sending 93 bytes...
* schannel: SSL/TLS connection with server01.lan port 443 (step 2/3)
* schannel: encrypted data got 186
* schannel: encrypted data buffer: offset 186 length 4096
* schannel: SSL/TLS handshake complete
* schannel: SSL/TLS connection with server01.lan port 443 (step 3/3)
* schannel: stored credential handle in session cache
> GET / HTTP/1.1
> Host: server01.lan
> User-Agent: curl/7.55.1
> Accept: */*
>
* schannel: client wants to read 102400 bytes
* schannel: encdata_buffer resized 103424
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: encrypted data got 350
* schannel: encrypted data buffer: offset 350 length 103424
* schannel: decrypted data length: 321
* schannel: decrypted data added: 321
* schannel: decrypted data cached: offset 321 length 102400
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: decrypted data buffer: offset 321 length 102400
* schannel: schannel_recv cleanup
* schannel: decrypted data returned 321
* schannel: decrypted data buffer: offset 0 length 102400
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Content-Length: 103
< Content-Type: text/html; charset=utf-8
< Etag: "qc3gff2v"
< Last-Modified: Wed, 17 Jun 2020 23:40:27 GMT
< Server: Caddy
< Date: Thu, 18 Jun 2020 00:32:14 GMT
<
<!DOCTYPE html>
<head>
<title>Testing</title>
</head>
<body>
<h1>Testing web site</h1>
</body>
</html>
* Connection #0 to host server01.lan left intact
5. What I already tried:
I’m at a loss as to where to go. Is this a Caddy problem or an SSL problem on the Debian system I recently built?
I have been having problems with upload speeds and had the internet company come out. But now I have tested with the internal certificate of Caddy and have the same failure…
6. Links to relevant resources:
EDIT
I have captured a failure using OpenSSL on the system that is running Caddy.
* Expire in 0 ms for 6 (transfer 0x563a83d5ddc0)
* Expire in 1 ms for 1 (transfer 0x563a83d5ddc0)
* Expire in 0 ms for 1 (transfer 0x563a83d5ddc0)
* Expire in 1 ms for 1 (transfer 0x563a83d5ddc0)
* Expire in 0 ms for 1 (transfer 0x563a83d5ddc0)
* Expire in 0 ms for 1 (transfer 0x563a83d5ddc0)
* Expire in 1 ms for 1 (transfer 0x563a83d5ddc0)
* Expire in 0 ms for 1 (transfer 0x563a83d5ddc0)
* Expire in 0 ms for 1 (transfer 0x563a83d5ddc0)
* Expire in 1 ms for 1 (transfer 0x563a83d5ddc0)
* Expire in 0 ms for 1 (transfer 0x563a83d5ddc0)
* Expire in 0 ms for 1 (transfer 0x563a83d5ddc0)
* Expire in 1 ms for 1 (transfer 0x563a83d5ddc0)
* Expire in 0 ms for 1 (transfer 0x563a83d5ddc0)
* Expire in 0 ms for 1 (transfer 0x563a83d5ddc0)
* Expire in 0 ms for 1 (transfer 0x563a83d5ddc0)
* Trying 127.0.1.1...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x563a83d5ddc0)
* Connected to server01.lan (127.0.1.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, internal error (592):
* error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
* Closing connection 0
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
tracy@server01:~$ openssl s_client -connect server01.lan:443
CONNECTED(00000003)
140099183916160:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:../ssl/record/rec_layer_s3.c:1544:SSL alert number 80
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 304 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
Would this be a bug I need to write up against Caddy now?
tracy@server01:~$ openssl version
OpenSSL 1.1.1d 10 Sep 2019
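An added diagnostic script (my addition, not code from the original post or from Caddy). Both failing captures above show the server answering the ClientHello with exactly 7 bytes, and openssl names alert number 80: that is one TLS alert record (5-byte header plus 2-byte body) carrying a fatal internal_error. The block decodes such a record from a constructed byte string and repeatedly re-runs the handshake against server01.lan to measure how often it fails; the host and port come from the post, the attempt count and timeout are assumed defaults.

```python
import socket
import ssl
from collections import Counter

# TLS AlertDescription codes (RFC 5246 / RFC 8446) relevant to the captures above.
ALERT_DESCRIPTIONS = {
    0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
    70: "protocol_version", 80: "internal_error", 112: "unrecognized_name",
}

def decode_alert_record(record: bytes):
    """Return (level, description, code) for a raw TLS alert record, else None."""
    # 5-byte header (type 0x15, version, length 2) + 2-byte body: the 7 bytes read above.
    if len(record) < 7 or record[0] != 0x15:
        return None
    body_len = int.from_bytes(record[3:5], "big")
    if body_len != 2 or len(record) != 5 + body_len:
        return None
    level = {1: "warning", 2: "fatal"}.get(record[5], "unknown")
    code = record[6]
    return level, ALERT_DESCRIPTIONS.get(code, f"unknown({code})"), code

def classify_error(exc: Exception) -> str:
    """Map a handshake exception to a short label so repeated runs can be tallied."""
    text = str(exc).lower()
    if "alert internal error" in text:
        return "alert_internal_error"       # the failure mode seen in the post
    if isinstance(exc, ssl.SSLError):
        return "other_tls_error"
    return type(exc).__name__               # timeouts, refused connections, ...

def probe(host: str, port: int = 443, attempts: int = 20, timeout: float = 5.0) -> Counter:
    """Open `attempts` fresh TLS connections to host and count each handshake outcome."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False              # site uses Caddy's internal CA (tls internal);
    ctx.verify_mode = ssl.CERT_NONE         # we measure handshake stability, not trust
    tally = Counter()
    for _ in range(attempts):
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    tally[f"ok:{tls.version()}"] += 1
        except Exception as exc:            # every failure kind is data here
            tally[classify_error(exc)] += 1
    return tally

if __name__ == "__main__":
    # Constructed sample: the fatal internal_error alert record the logs imply.
    print(decode_alert_record(bytes.fromhex("15030300020250")))
    print(probe("server01.lan"))            # host from the post; run on that LAN
```

A tally that mixes ok:TLSv1.3 with alert_internal_error across identical back-to-back attempts confirms the failure is server-side and intermittent, which is what to report alongside Caddy's own log for those timestamps.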