Issues with nested subdomains

1. The problem I’m having:

I have a setup where nested subdomains are required, but Caddy does not seem to support them. I am trying to “catch” them using :443.

*   Trying <ip>:443...
* Connected to one.two.example.com (<ip>) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS header, Unknown (21):
* TLSv1.3 (IN), TLS alert, handshake failure (552):
* error:0A000410:SSL routines::sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:0A000410:SSL routines::sslv3 alert handshake failure

2. Error messages and/or full log output:

Despite debug being enabled, I did not get any logs using the :443 setup.
The browser threw SSL_ERROR_NO_CYPHER_OVERLAP.

I later tried hardcoding the nested subdomain and it threw this:

caddy Error: adapting config using caddyfile: ambiguous site definition: sub.sub.example.com

3. Caddy version:

v2.9.1 h1:OEYiZ7DbCzAWVb6TNEkjRcSCRGHVoZsJinoDR/n9oaY=

4. How I installed and ran Caddy:

I used Docker.

a. System environment:

Ubuntu 24.04.1 LTS
Docker version 27.5.1

b. Command:

sudo docker compose up -d

c. Service/unit/compose file:

  caddy:
    image: caddy:latest
    container_name: caddy
    volumes:
      - ./caddy/Caddyfile:/etc/caddy/Caddyfile
      - ./caddy/data:/data
      - ./caddy/config:/config
      - /var/run/docker.sock:/var/run/docker.sock:ro
    ports:
      - "80:80"
      - "443:443"
    networks:
      - web
    restart: always

d. My complete Caddy config:

{
    debug
    email my-email@example.com
    on_demand_tls {
        ask http://example.com
    }
}

:443 {
    tls {
        on_demand
    }
    reverse_proxy app:3011
}

5. Links to relevant resources:

It does

Show us the config you tried that produced these errors.

{
    debug
    email my-email@example.com
    on_demand_tls {
        ask http://example.com
    }
}

sub.sub.example.com {
    tls {
        on_demand
    }
    reverse_proxy app:3010
}

:443 {
    tls {
        on_demand
    }
    reverse_proxy app:3011
}

First, let’s take a step back. The error SSL_ERROR_NO_CYPHER_OVERLAP is not about the site definition in Caddy. Your browser does not seem to support proper, modern TLS cipher suites. These are the default cipher suites in Caddy:

  • TLS_AES_128_GCM_SHA256
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

Check why your browser isn’t supporting them.

For sub-sub-domain definition, or any level for that matter, something like this should be enough:

sub.sub.example.com {
    reverse_proxy app:3010
}

You don’t need on_demand or anything like that, unless the real config file has other config you haven’t shared.
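As an added illustration, not a config posted in this thread, here is how the two needs discussed above (a fixed nested host and an on-demand catch-all for every other name) can sit in one Caddyfile. It assumes that the `https://` catch-all address is used in place of the hostless `:443` block, so the catch-all is not ambiguous next to a named site on the same port, and it assumes a hypothetical `ask` endpoint path on the app that answers 200 only for hostnames you actually control.

```caddyfile
{
    email my-email@example.com
    on_demand_tls {
        # Hypothetical endpoint: it must answer 200 only for hostnames you own.
        # An ask endpoint that approves everything lets anyone who points a DNS
        # record at this server trigger certificate issuance for arbitrary names.
        ask http://app:3011/tls-allowed
    }
}

# Fixed nested subdomain: a plain site block is enough, any depth works,
# and the certificate is managed automatically without on_demand.
sub.sub.example.com {
    reverse_proxy app:3010
}

# Catch-all for every other hostname on port 443. The https:// address keeps
# the scheme explicit (assumption: this is what avoids the ambiguous site
# definition error that a hostless :443 block raises next to a named site).
https:// {
    tls {
        on_demand
    }
    reverse_proxy app:3011
}
```

Validate with `caddy validate --config /etc/caddy/Caddyfile` inside the container before restarting, and check the on-demand ask endpoint's logs to confirm it rejects names you do not own.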