Internal SSL error instead of warning for invalid cert

1. The problem I’m having:

I have Caddy working with auto SSL support (Let’s Encrypt) for my external domain without problems.
But I also want to be able to access the server on the local network with its local network name.
When I used Apache (with a paid cert), this worked. The browser just gave me a warning NET::ERR_CERT_COMMON_NAME_INVALID and let me continue to the page.
With Caddy, I get an error ERR_SSL_PROTOCOL_ERROR and the browser does not let me visit the page.

2. Error messages and/or full log output:

curl -vL https://backend/mypath/
* Host backend:443 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1, 192.168.0.7
*   Trying [::1]:443...
* Connected to backend (::1) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS alert, internal error (592):
* OpenSSL/3.0.13: error:0A000438:SSL routines::tlsv1 alert internal error
* Closing connection
curl: (35) OpenSSL/3.0.13: error:0A000438:SSL routines::tlsv1 alert internal error

3. Caddy version:

v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=

4. How I installed and ran Caddy:

docker compose

a. System environment:

Docker.

b. Command:

docker compose

c. Service/unit/compose file:

Nothing related to this error in the docker-compose file.

d. My complete Caddy config:

{
        order webdav before file_server
        order cgi before handle_path
        order cgi before respond
}

externaldomain.com:443 {
        handle_path /mypath* {
                root * /mypath
                file_server browse
        }
}

Nothing in the Caddy log for this error.

I also tried:

externaldomain.com:443, backend:443 {
        handle_path /mypath* {
                root * /mypath
                file_server browse
        }
}

Which of course resulted in auto SSL errors in the Caddy log (because it could not request a domain for “backend”) and also did not work.

Instead adding http://backend:80 is working. But I did not want to use HTTP 80, if possible.

Thanks!

You have two options:

  • Set up a DNS server in your LAN which resolves your domain name to your server’s LAN IP address for devices within your network. That way you can use the same publicly trusted cert for connecting locally, with the same domain name. This is what I recommend.

  • Set up a separate site block for your internal hostname, and add tls internal in it, which tells Caddy to issue a cert using its own local CA. You can then take Caddy’s root CA cert and install it on all your devices in your LAN to establish trust.


Thanks for the quick response. I am looking into option 2.

I added another block for my internal hostname, but then Caddy complains about an ambiguous site definition:

backend:443 {
        tls internal
}
externaldomain.com:443, backend:443 {
        handle_path /mypath* {
                root * /mypath
                file_server browse
        }
}

Looks like I would have to duplicate everything that is in the external definition also into the new internal definition? Or is there another way to prevent duplicate definitions?

You can deduplicate config using Snippets:

And yeah, you cannot repeat a site address in more than one site definition.

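Putting that together, as an added example that is not from the thread or the Caddy docs: one snippet holds the shared handler and is imported into two separate site blocks, so no site address is repeated (hostnames as used above; the global options block from the original config is unchanged and omitted here).

```caddyfile
# Snippet: the handler both hostnames share, defined once.
(mypath_site) {
        handle_path /mypath* {
                root * /mypath
                file_server browse
        }
}

# Public hostname: automatic, publicly trusted certificate (Let's Encrypt).
externaldomain.com:443 {
        import mypath_site
}

# LAN hostname: certificate issued by Caddy's own local CA.
# LAN clients trust it only after Caddy's root CA cert is installed on them.
backend:443 {
        tls internal
        import mypath_site
}
```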

Thanks again. Very cool, this works as I wanted.

Although, I get now this warning in the log:

caddy-caddy-1  | {"level":"info","ts":1716106020.9321294,"msg":"warning: \"certutil\" is not available, install \"certutil\" with \"apt install libnss3-tools\" or \"yum install nss-tools\" and try again"}

The internal cert is working despite this warning.

Edit:
One more thing: The internal auto SSL does not work with IP addresses:

backend:443, 192.168.0.7:443 {
        tls internal
        handle_path /mypath* {
                root * /mypath
                file_server browse
        }
}
externaldomain.com:443, backend:443 {
        handle_path /mypath* {
                root * /mypath
                file_server browse
        }
}

This generates an internal cert for the IP address, but browser and curl cannot connect to https://192.168.0.7 because of “tlsv1 alert internal error”.
Is this a bug or expected?

Yeah you can ignore that warning, it’s just Caddy attempting to install the root CA cert in the system’s trust store, but inside a container it doesn’t have any of the software necessary to install. Specifically nss-tools is for installing the cert for Firefox, but obviously you don’t have a Firefox inside the container.

You need to install Caddy’s root CA cert on your host machine so that it trusts connections to Caddy. See the docs:


Thanks a lot for your patience and help!

