1. The problem I’m having:
I’m trying to configure Caddy to have internal SSL, but it looks like I’m having an SSL problem.
2. Error messages and/or full log output:
Curl the external name:
curl https://jelly.billkidd.fr/ -v
* Trying 192.168.11.41...
* TCP_NODELAY set
* Connected to jelly.billkidd.fr (192.168.11.41) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS alert, internal error (592):
* error:14004438:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert internal error
* Closing connection 0
curl: (35) error:14004438:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert internal error
Curl the local name:
curl https://jelly.roadrunner -v
* Trying 192.168.11.41...
* TCP_NODELAY set
* Connected to jelly.roadrunner (192.168.11.41) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Caddy logs backend
Jul 16 15:56:23 corneille systemd[1]: Reloading Caddy...
Jul 16 15:56:23 corneille caddy[57382]: {"level":"info","ts":1689537383.836844,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Jul 16 15:56:23 corneille caddy[57382]: {"level":"warn","ts":1689537383.8376567,"msg":"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":10}
Jul 16 15:56:23 corneille caddy[609]: {"level":"info","ts":1689537383.8388731,"logger":"admin.api","msg":"received request","method":"POST","host":"localhost:2019","uri":"/load","remote_ip":"127.0.0.1","remote_port":"58230","headers":{"Accept-Encoding":["gzip"],"Cache-Control":["must-revalidate"],"Content-Length":["628"],"Content-Type":["application/json"],"Origin":["http://localhost:2019"],"User-Agent":["Go-http-client/1.1"]}}
Jul 16 15:56:23 corneille caddy[609]: {"level":"info","ts":1689537383.8397205,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
Jul 16 15:56:23 corneille caddy[609]: {"level":"info","ts":1689537383.839917,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0003d2d20"}
Jul 16 15:56:23 corneille caddy[609]: {"level":"info","ts":1689537383.8401237,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
Jul 16 15:56:23 corneille caddy[609]: {"level":"info","ts":1689537383.840154,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
Jul 16 15:56:23 corneille caddy[609]: {"level":"info","ts":1689537383.8402743,"logger":"pki.ca.local","msg":"root certificate is already trusted by system","path":"storage:pki/authorities/local/root.crt"}
Jul 16 15:56:23 corneille caddy[609]: {"level":"info","ts":1689537383.8403614,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
Jul 16 15:56:23 corneille caddy[609]: {"level":"debug","ts":1689537383.8403864,"logger":"http","msg":"starting server loop","address":"[::]:443","tls":true,"http3":true}
Jul 16 15:56:23 corneille caddy[609]: {"level":"info","ts":1689537383.840401,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
Jul 16 15:56:23 corneille caddy[609]: {"level":"debug","ts":1689537383.840432,"logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}
Jul 16 15:56:23 corneille caddy[609]: {"level":"info","ts":1689537383.8404412,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
Jul 16 15:56:23 corneille caddy[609]: {"level":"info","ts":1689537383.840447,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["jelly.roadrunner"]}
Jul 16 15:56:23 corneille caddy[609]: {"level":"warn","ts":1689537383.8406663,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [jelly.roadrunner]: no OCSP server specified in certificate","identifiers":["jelly.roadrunner"]}
Jul 16 15:56:23 corneille caddy[609]: {"level":"debug","ts":1689537383.8406832,"logger":"tls.cache","msg":"added certificate to cache","subjects":["jelly.roadrunner"],"expiration":1689552929,"managed":true,"issuer_key":"local","hash":"f78de98e28bc6bca8ee3abd5e2d5aea414b9fef951a1f88d88d802d78ad526bf","cache_size":1,"cache_capacity":10000}
Jul 16 15:56:23 corneille caddy[609]: {"level":"debug","ts":1689537383.840701,"logger":"events","msg":"event","name":"cached_managed_cert","id":"f321d77b-44e6-4574-a2c5-158d03db9c57","origin":"tls","data":{"sans":["jelly.roadrunner"]}}
Jul 16 15:56:23 corneille caddy[609]: {"level":"debug","ts":1689537383.8407419,"logger":"http","msg":"servers shutting down with eternal grace period"}
Jul 16 15:56:23 corneille caddy[609]: {"level":"info","ts":1689537383.840891,"logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0xc0001d8f50"}
Jul 16 15:56:23 corneille caddy[609]: {"level":"info","ts":1689537383.8410387,"msg":"autosaved config (load with --resume flag)","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Jul 16 15:56:23 corneille caddy[609]: {"level":"info","ts":1689537383.8410914,"logger":"admin.api","msg":"load complete"}
Jul 16 15:56:23 corneille systemd[1]: Reloaded Caddy.
Jul 16 15:56:23 corneille caddy[609]: {"level":"info","ts":1689537383.8442667,"logger":"admin","msg":"stopped previous server","address":"localhost:2019"}
Jul 16 15:56:41 corneille caddy[609]: {"level":"debug","ts":1689537401.998924,"logger":"events","msg":"event","name":"tls_get_certificate","id":"84110155-aeb4-4939-be68-01706ba13994","origin":"tls","data":{"client_hello":{"CipherSuites":[49200,49196,49192,49188,49172,49162,159,107,57,52393,52392,52394,65413,196,136,129,157,61,53,192,132,49199,49195,49191,49187,49171,49161,158,103,51,190,69,156,60,47,186,65,49169,49159,5,4,49170,49160,22,10,255],"ServerName":"jelly.billkidd.fr","SupportedCurves":[29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1537,1539,61423,1281,1283,1025,1027,61166,60909,769,771,513,515],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[771,770,769],"Conn":{}}}}
Jul 16 15:56:41 corneille caddy[609]: {"level":"debug","ts":1689537401.9989855,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"jelly.billkidd.fr"}
Jul 16 15:56:41 corneille caddy[609]: {"level":"debug","ts":1689537401.998994,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.billkidd.fr"}
Jul 16 15:56:41 corneille caddy[609]: {"level":"debug","ts":1689537401.9989994,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.fr"}
Jul 16 15:56:41 corneille caddy[609]: {"level":"debug","ts":1689537401.9990046,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*"}
Jul 16 15:56:41 corneille caddy[609]: {"level":"debug","ts":1689537401.9990108,"logger":"tls.handshake","msg":"all external certificate managers yielded no certificates and no errors","remote_ip":"192.168.11.13","remote_port":"50226","sni":"jelly.billkidd.fr"}
Jul 16 15:56:41 corneille caddy[609]: {"level":"debug","ts":1689537401.9990172,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"192.168.11.13","remote_port":"50226","server_name":"jelly.billkidd.fr","remote":"192.168.11.13:50226","identifier":"jelly.billkidd.fr","cipher_suites":[49200,49196,49192,49188,49172,49162,159,107,57,52393,52392,52394,65413,196,136,129,157,61,53,192,132,49199,49195,49191,49187,49171,49161,158,103,51,190,69,156,60,47,186,65,49169,49159,5,4,49170,49160,22,10,255],"cert_cache_fill":0.0001,"load_if_necessary":true,"obtain_if_necessary":true,"on_demand":false}
Jul 16 15:56:41 corneille caddy[609]: {"level":"debug","ts":1689537401.999072,"logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.11.13:50226: no certificate available for 'jelly.billkidd.fr'"}
3. Caddy version:
v2.6.4
4. How I installed and ran Caddy:
a. System environment:
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.2 LTS
Release:        22.04
Codename:       jammy
b. Command:
None
c. Service/unit/compose file:
d. My complete Caddy config:
Caddy frontend file
# Global Options Block
{
	# General Options
	debug
	acme_dns cloudflare mycloudflaretoken
}

# ACME Server
frontcaddy.home {
	acme_server
	tls internal
}

jelly.billkidd.fr {
	#reverse_proxy 192.168.11.41:8096
	reverse_proxy https://jelly.roadrunner {
		header_up Host {upstream_hostport}
	}
	log {
		output file /var/log/caddy/jellyfin-access.log
		format transform "{common_log}"
	}
}
Caddy backend
{
	debug
	acme_ca https://frontcaddy.home/acme/local/directory
	acme_ca_root /etc/ssl/certs/root.crt
}

jelly.roadrunner {
	tls internal
	reverse_proxy localhost:8096
	log {
		output file /var/log/caddy/jellyfin-access.log
	}
}
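A check worth running before touching the certificate setup, added here as an example and not code from the post or from the Caddy project: it parses journald-wrapped Caddy JSON log lines like the backend log above (a few sample lines are embedded, abbreviated from that log), collects the names this instance manages and the SNI names for which a handshake found no certificate, and flags any SNI the instance was never configured to serve. On the sample it reports jelly.billkidd.fr as a name the backend has no certificate for, which is the same fact the "no certificate available" line states; read together with the curl output above, where both hostnames connected to 192.168.11.41, that tells you which host the external name actually reached. The regexes and the `analyze_tls` function name are this example's own assumptions about the journald line format shown in the post.

```python
import json
import re

# Constructed sample: journald-wrapped Caddy JSON lines, abbreviated from the
# backend log in the post above (field values are the ones the post shows).
SAMPLE_LOG = """\
Jul 16 15:56:23 corneille systemd[1]: Reloading Caddy...
Jul 16 15:56:23 corneille caddy[609]: {"level":"info","ts":1689537383.840447,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["jelly.roadrunner"]}
Jul 16 15:56:23 corneille caddy[609]: {"level":"debug","ts":1689537383.8406832,"logger":"tls.cache","msg":"added certificate to cache","subjects":["jelly.roadrunner"],"managed":true,"issuer_key":"local"}
Jul 16 15:56:41 corneille caddy[609]: {"level":"debug","ts":1689537401.9990172,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"192.168.11.13","remote_port":"50226","server_name":"jelly.billkidd.fr","identifier":"jelly.billkidd.fr"}
Jul 16 15:56:41 corneille caddy[609]: {"level":"debug","ts":1689537401.999072,"logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.11.13:50226: no certificate available for 'jelly.billkidd.fr'"}
"""

# journald prefixes each line with "<date> <host> caddy[<pid>]: " before the JSON object
JSON_PART = re.compile(r"caddy\[\d+\]: (\{.*\})\s*$")
# Go's net/http reports the final failure as plain text inside "msg"
STDLIB_ERR = re.compile(r"TLS handshake error from (\S+):\d+: no certificate available for '([^']+)'")


def parse_caddy_json(text):
    """Yield the JSON event from each journald-wrapped Caddy line; skip lines without one."""
    for line in text.splitlines():
        m = JSON_PART.search(line)
        if not m:
            continue
        try:
            yield json.loads(m.group(1))
        except json.JSONDecodeError:
            continue  # truncated or non-JSON payload


def analyze_tls(text):
    """Compare the names this Caddy instance manages with the SNI names it failed to serve."""
    managed = set()   # domains Caddy said it would obtain certificates for
    cached = set()    # subjects of certificates actually loaded into the cache
    failed = {}       # SNI name -> set of client IPs whose handshake found no certificate
    for ev in parse_caddy_json(text):
        msg = ev.get("msg", "")
        logger = ev.get("logger", "")
        if msg == "enabling automatic TLS certificate management":
            managed.update(ev.get("domains", []))
        elif msg == "added certificate to cache":
            cached.update(ev.get("subjects", []))
        elif logger == "tls.handshake" and msg == "no certificate matching TLS ClientHello":
            sni = ev.get("server_name") or ev.get("identifier") or "<no SNI>"
            failed.setdefault(sni, set()).add(ev.get("remote_ip", "?"))
        elif logger == "http.stdlib":
            m = STDLIB_ERR.search(msg)
            if m:
                failed.setdefault(m.group(2), set()).add(m.group(1))
    known = managed | cached
    return {
        "managed": sorted(managed),
        "cached": sorted(cached),
        "failed": {sni: sorted(ips) for sni, ips in failed.items()},
        # names clients asked for that this instance was never configured to serve
        "unexpected_sni": sorted(s for s in failed if s not in known),
    }


if __name__ == "__main__":
    report = analyze_tls(SAMPLE_LOG)
    print("managed:", report["managed"])
    for sni in report["unexpected_sni"]:
        print(f"unexpected SNI {sni!r} from {report['failed'][sni]} (not in managed/cached names)")
```

To run it against a live host, feed it `journalctl -u caddy --no-pager` output instead of the embedded sample; an entry in `unexpected_sni` means clients are reaching this instance with a hostname it does not serve, so the next thing to check is what that hostname resolves to rather than how the certificate is issued.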