1. The problem I’m having:
Hello,
I have an embedded device (ESP) which needs TLS. I want to use the ISRG Root X2 for verification, because ECDSA uses fewer resources / is more efficient.
I configured Caddy to use it with:

```
{
	preferred_chains {
		root_common_name "ISRG Root X2"
	}
}
```
I get a certificate now and the browser says it is okay, but from my device I get a handshake error.
My guess is that caddy is not serving the full chain.
2. Error messages and/or full log output:
```
mbedtls_ssl_handshake returned -0x2700
```

Which means: "certificate verification failed, e.g., CRL, CA or signature check failed"
It looks like something is wrong with the cert chain. I made a check with `openssl s_client -connect xx.yy:443 -showcerts`, which says:

```
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1983 bytes and written 380 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
    Session-ID: 6F411F858DDEC88EC0880CB7AF0CBBD860799953FD911B9C49C1F30E343FEE93
    Session-ID-ctx:
    Resumption PSK: 027408C0104A071DCADBA2CF539B4C5904E9F37A8A8581E6AAC35AEF3C777148
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 604800 (seconds)
    TLS session ticket:
    0000 - dc db 45 ec 66 82 05 cc-3d 14 fb 6e 03 0b a9 85   ..E.f...=..n....
    0010 - d2 45 25 e7 70 58 19 d5-11 20 8a 21 03 f1 1f 1d   .E%.pX... .!....
    0020 - f6 eb 46 e9 8f 15 5a 3d-9b 1d 3f f3 1d 25 38 7a   ..F...Z=..?..%8z
    0030 - 0a 40 89 f9 be 8a 3a c8-69 80 9a 83 5b c3 87 e6   .@....:.i...[...
    0040 - 09 dd 5e 2b e0 a2 c9 cf-94 95 94 21 48 6e 8e fb   ..^+.......!Hn..
    0050 - 05 42 1a f8 26 32 de 80-72 60 a5 74 d4 5a fd 9d   .B..&2..r`.t.Z..
    0060 - 83 6e 16 e8 24 24 a1 26-64                        .n..$$.&d

    Start Time: 1753885066
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no
    Max Early Data: 0
---
```
3. Caddy version:
v2.10.0
4. How I installed and ran Caddy:
a. System environment:
Debian
b. Command:
c. Service/unit/compose file:
d. My complete Caddy config:
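Added example (not from the post above, and not part of Caddy or mbedTLS): a small POSIX shell function that takes the PEM chain saved from `openssl s_client -showcerts`, prints each certificate's subject and issuer, checks that every issuer matches the next certificate's subject, and reports whether the chain ends at the root CN the device trusts. It assumes `openssl` and `awk` are on the PATH and that the file holds the certificates in the order the server sent them; it compares names only, so it tells you whether a client that trusts only ISRG Root X2 can even find its issuer, not whether the signatures verify (use `openssl verify -CAfile root.pem -untrusted chain.pem` for that).

```sh
#!/bin/sh
# check_chain CHAIN.pem "Expected Root CN"
# CHAIN.pem: the certificates as served by the TLS server, e.g. saved from
#   openssl s_client -connect host:443 -showcerts </dev/null > chain.pem
# The root itself is normally not in the served chain: the last issuer name
# must point at a root in the client's own trust store (here: ISRG Root X2).
check_chain() {
  chain="$1"; expected_root="$2"
  tmp=$(mktemp -d)
  # split the PEM bundle into cert1.pem, cert2.pem, ... (leaf first)
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/cert" n ".pem")}' "$chain"
  prev_issuer=""
  i=1
  while [ -f "$tmp/cert$i.pem" ]; do
    subject=$(openssl x509 -in "$tmp/cert$i.pem" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    issuer=$(openssl x509 -in "$tmp/cert$i.pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    echo "cert $i: subject=$subject issuer=$issuer"
    # the issuer of certificate i-1 must be the subject of certificate i
    if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subject" ]; then
      echo "chain break: cert $((i-1)) issuer '$prev_issuer' != cert $i subject '$subject'"
      rm -rf "$tmp"; return 1
    fi
    prev_issuer="$issuer"
    i=$((i+1))
  done
  rm -rf "$tmp"
  [ -z "$prev_issuer" ] && { echo "no certificates found in $chain"; return 1; }
  # the last issuer must name the root the client has in its trust store
  case "$prev_issuer" in
    *"CN=$expected_root"*) echo "chain terminates at '$expected_root'"; return 0 ;;
    *) echo "chain terminates at '$prev_issuer', not '$expected_root':"
       echo "a client that trusts only '$expected_root' cannot find the issuer"
       return 1 ;;
  esac
}
```

If the leaf's issuer is an intermediate that is missing from the served chain, the function reports the chain terminating at that intermediate, which is exactly the situation behind "unable to get local issuer certificate" on a client with a single root.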