1. The problem I’m having:
I have a Caddy reverse proxy to a Gitea instance. I can access the Gitea instance via browser just fine. When I attempt to perform a git push, it fails with:
fatal: unable to access 'https://gitea.privateserver.com/user/test-first-repo.git/': OpenSSL/3.1.2: error:0A000438:SSL routines::tlsv1 alert internal error
2. Error messages and/or full log output:
Note that I enabled debug mode and tried running $ journalctl -u caddy --no-pager | less +G. The resulting opened file is empty every time, even immediately after attempting a push.
~
~
~
-- No entries --
(END)
A curl request:
PS C:\Users\user\Documents\test> curl -v https://gitea.privateserver.com/user/test-first-repo.git/
VERBOSE: GET with 0-byte payload
VERBOSE: received -1-byte response of content type text/html; charset=UTF-8
StatusCode : 200
StatusDescription : OK
3. Caddy version:
v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=
4. How I installed and ran Caddy:
#!/bin/bash
# Update and upgrade system packages
sudo yum update
sudo yum upgrade
# Download and extract Go
wget https://go.dev/dl/go1.21.5.linux-amd64.tar.gz
tar -xvf go1.21.5.linux-amd64.tar.gz
# Move Go to the system directory
sudo mv go /usr/local
# Set up Go environment variables
echo 'export GOROOT=/usr/local/go' >> ~/.bashrc
echo 'export GOPATH=$HOME/go' >> ~/.bashrc
echo 'export PATH=$PATH:$GOROOT/bin:$GOPATH/bin' >> ~/.bashrc
source ~/.bashrc
# Install xcaddy
go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
# Build Caddy with Route 53 DNS plugin
xcaddy build --with github.com/caddy-dns/route53
# Move Caddy to the system binaries directory
sudo mv caddy /usr/local/bin
# Create Caddyfile (needs root, since /etc is not writable by ec2-user)
sudo mkdir -p /etc/caddy && sudo touch /etc/caddy/Caddyfile
a. System environment:
[ec2-user@ip-10-0-0-1 caddy]$ cat /etc/os-release
NAME="Amazon Linux"
VERSION="2023"
ID="amzn"
ID_LIKE="fedora"
VERSION_ID="2023"
PLATFORM_ID="platform:al2023"
PRETTY_NAME="Amazon Linux 2023"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2023"
HOME_URL="https://aws.amazon.com/linux/"
BUG_REPORT_URL="https://github.com/amazonlinux/amazon-linux-2023"
SUPPORT_END="2028-03-15"
b. Command:
caddy run
c. Service/unit/compose file:
not applicable
d. My complete Caddy config:
gitea.privateserver.com {
    reverse_proxy 10.0.0.10:80
    tls {
        dns route53 {
            max_retries 10
        }
    }
}
5. Additional information:
All of this is running in a private subnet that allows only whitelisted IP addresses to access it. I’m not sure I should publicize the domain name here, despite the template’s indication to do so. Even with it being shared, nobody would receive responses should they try to query it. Please let me know if it should still be shared for other reasons.
I am assuming that pushes would not work with SSH because Caddy doesn’t support SSH. However, I did expect HTTPS pushing to work.