My server isn't working anymore due to SSL

1. My Caddy version (1.05):

2. How I run Caddy:

On a windows server VM with gzip and templates enabled.

a. System environment:

Windows server 2012 VM

My Config:


ftl-computer-repairs.com.au
gzip
templates

3. The problem I’m having:

My site was working as normal, my internet connection was lost for a while and I most likely received a new IP. My IP was automatically updated with the DNS and pinging my domain seems to show it's going to the right IP.

The problem is that my website won't load anymore, something to do with SSL.

Chrome says: ERR_SSL_PROTOCOL_ERROR
Firefox says: SSL_ERROR_RX_RECORD_TOO_LONG
Edge says: Can’t connect securely to this page

I run my website through cloudflare for the cname flattening (Not sure if I even need to do that anymore)

It seems like it barely tries to register my website for SSL. On Caddy Server V1 it goes past "activating privacy features" instantly. On V2 it instantly shows "Certificate maintenance routine".

4. Error messages and/or full log output:

I put log into my config, but the log file is empty.

5. What I already tried:

I just upgraded to Caddy server version 2, but it doesn't seem to work. It gets stuck at "Certificate maintenance routine".

My Caddy 2 config was:
ftl-computer-repairs.com.au:443
encode gzip
templates

Hi @samfisher5986, welcome to the Caddy community!

So I read through this and had a quick poke at your domain. Long story short, I’ve got no clue what’s going on, but it’s definitely happening somewhere at SSL connection.

So my next thought was to request you run the following command at the command line of the server running Caddy:

openssl s_client -connect localhost:443 -servername ftl-computer-repairs.com.au

And copy its output here. Basically, if it showed a different result from what I’m seeing across the internet, we know the issue lies somewhere between the internet and your Caddy server.

But alas, openssl is not exactly standard on Windows. You’d need to install it from one of the links here: Binaries - OpenSSLWiki

If someone else knows a quick and easy Windows equivalent to get a similar result, instead of having to install openssl, that’d probably be easier. But unfortunately I don’t do a lot of troubleshooting from a Windows PC.

This usually means the server is sending plaintext, i.e. not using TLS.

Can you post the full logs please?

And post your full config too. Remember to use the -log flag as well.
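One cross-platform way to make the same check the replies above ask for, without installing openssl, as an added example that is not part of the original thread: the script below attempts a TLS handshake against a host:port and, if that fails, sends a plain HTTP request and interprets the first five bytes of the reply as a TLS record header. That is exactly how a browser ends up at SSL_ERROR_RX_RECORD_TOO_LONG when a port that should speak TLS answers with "HTTP/1.1 ..." instead. Run it once against localhost:443 on the Caddy host and once against the public name from outside; if the two verdicts differ, the fault is between the internet and Caddy (router, port forward, CDN), not Caddy itself. The hostnames in the usage are placeholders, and the 2048-byte ciphertext expansion allowance is the TLS 1.2 figure.

```python
"""Probe a host:port and decide whether it speaks TLS or plaintext HTTP.

Added diagnostic example (not from the thread). Works on Windows as well
as Linux/macOS since it only needs the Python standard library.
"""
import socket
import ssl
import struct
from typing import Optional

# A TLS record carries at most 2^14 bytes of plaintext; TLS 1.2 allows up to
# 2048 bytes of expansion on top of that for padding, MAC and IV.
TLS_MAX_RECORD = 16384 + 2048


def interpret_as_tls_record(first_bytes: bytes) -> dict:
    """Decode the first 5 bytes the way a TLS client does.

    Record header layout: content_type (1 byte), version (2 bytes),
    length (2 bytes). If the server actually answered with plaintext HTTP
    ("HTTP/1.1 ..."), those bytes decode to a nonsense content type and a
    length far above TLS_MAX_RECORD, which Firefox reports as
    SSL_ERROR_RX_RECORD_TOO_LONG and Chrome as ERR_SSL_PROTOCOL_ERROR.
    """
    if len(first_bytes) < 5:
        return {"verdict": "too short", "content_type": None,
                "version": None, "length": None}
    ctype, version, length = struct.unpack("!BHH", first_bytes[:5])
    # 0x14-0x17: change_cipher_spec, alert, handshake, application_data;
    # every TLS version on the wire has 0x03 as its major byte.
    looks_like_tls = ctype in (0x14, 0x15, 0x16, 0x17) and (version >> 8) == 0x03
    if looks_like_tls and length <= TLS_MAX_RECORD:
        verdict = "tls"
    elif first_bytes[:5].startswith(b"HTTP/"):
        verdict = "plaintext http"
    else:
        verdict = "not tls"
    return {"verdict": verdict, "content_type": ctype,
            "version": version, "length": length}


def probe(host: str, port: int = 443, server_name: Optional[str] = None,
          timeout: float = 5.0) -> dict:
    """Try a TLS handshake; on failure, ask the port what it is speaking."""
    server_name = server_name or host
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # diagnostic only: we want to see *any* cert
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                cert_der = tls.getpeercert(binary_form=True) or b""
                return {"verdict": "tls", "protocol": tls.version(),
                        "cert_der_len": len(cert_der)}
    except ssl.SSLError as exc:
        tls_error = getattr(exc, "reason", None) or str(exc)
    except OSError as exc:
        return {"verdict": "unreachable", "error": str(exc)}

    # Handshake failed. A plaintext HTTP server on this port will answer a
    # plain request with "HTTP/1.x ..."; a TLS server will not.
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(f"GET / HTTP/1.0\r\nHost: {server_name}\r\n\r\n".encode())
        first = raw.recv(5)
    result = interpret_as_tls_record(first)
    result["tls_error"] = tls_error
    return result


if __name__ == "__main__":
    import sys
    # Usage: python probe.py <host> [sni-name]   (placeholder names below)
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    sni = sys.argv[2] if len(sys.argv) > 2 else "example.com"
    print(probe(target, 443, sni))
```

The handshake step is deliberately permissive (no certificate verification) because the question here is whether TLS is being spoken at all, not whether the certificate is trusted; compare the two probe results rather than reading the local one in isolation.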

Thanks for the help so far.

So one thing I’ve found out so far, it has nothing to do with my server, I started the server on my Windows 10 machine and I have the same error.

I've also tried renaming the caddy folder in appdata, but it didn't make a difference unfortunately.

At the moment I’m fiddling with my nameservers to see if that could be causing it somehow.

I’ve put the output from openssl here

Here is the output from Caddy V1 when used on another computer (but still doesn’t work)

Here is Caddy V2:

Sorry, how do I do this?

Putting log into my caddy config doesn’t seem to achieve this.

Do you mean my full caddyfile? I have it in my first post, I’m only running a html website.

Since you had published your domain name ftl-computer-repairs.com.au,
I checked the issuance status of the certificate:

The certificate appears to have been successfully issued for your submission.
The problem seems to be with subsequent HTTPS connections and certificate lookups.


So what do you think this means? It sounds like not a letsencrypt issue then?

I’ve checked my IP address is a proper public IP, and it seems to be. The domain is pointing towards my IP as well.

I tried putting localhost:2015 and then visiting https://localhost:2015 and I get the same ERR_SSL_PROTOCOL_ERROR.

This is such a weird issue.

One strange thing I’ve noticed is that the port 80 version of my site isn’t working at all, I can’t remember if this is normal.

Even when using localhost I get "404 Site 192.168.1.17:2015 is not served on this interface", despite it specifically saying it's hosting on 192.168.1.17 on the HTTP port.

Putting 192.168.1.17:80 into my caddy config fixed that, I can at least get it working locally.

However port 443 locally still shows the same protocol error, which I’m not sure is normal or not.


Ok so it doesn't mean much but I have it running with "TLS Off", but that's not going to help as my site is found via the HTTPS site.


Another update. I completely removed cloudflare and directed it to duckdns my dns provider, and I have the same issue.

So I've run the latest Caddy v2 RC. One of the messages is:

2020/04/05 23:38:00.006 INFO http server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2020/04/05 23:38:00.006 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}

How do I add a TLS connection policy?

The full message is here:

2020/04/05 23:38:00.003 INFO using adjacent Caddyfile
2020/04/05 23:38:00.005 INFO admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
2020/04/05 23:38:00.006 INFO http server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2020/04/05 23:38:00.006 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
2020/04/05 23:38:00.007 INFO tls cleaned up storage units
2020/04/05 23:38:00.008 INFO http enabling automatic TLS certificate management {"domains": ["ftl-computer-repairs.com.au"]}
2020/04/05 23:38:00.015 INFO autosaved config {"file": "C:\Users\Administrator\AppData\Roaming\Caddy\autosave.json"}
2020/04/05 23:38:00.017 INFO serving initial configuration
2020/04/06 09:38:00 [INFO][cache:0xc000641950] Started certificate maintenance routine

Alright, this is a great sign and indicates that the issue is not with Caddy at all.

When you connect locally to the port - TLS works, and openssl shows that it is receiving a LetsEncrypt certificate from Caddy for the domain we want. Excellent!

But, if the local host is working fine, and Caddy is responding appropriately… Where is the issue? It has to be somewhere between the internet and your Caddy host.

What’s your network look like? Do you have a router port forwarding to your Caddy host, perhaps? If so, have you double checked that those ports are being forwarded correctly?


Yes, I've double-checked port forwarding, but I guess there could be some kind of bug with my Ubiquiti Dream Machine. I will see what I can do to rule out my router.

Thanks for the tip.

Edit:

OH MY GOD!

So removing and readding the port forward did nothing at all.

I changed the DHCP IP for my server from .17 to .18, I changed the port forwarding IP, and now it works!

So my stupid Ubiquiti router obviously created some kind of problem with .17.

And I had already restarted my Ubiquiti router three times to solve any issues…

Thank you to everyone who helped.


I just came across this. I use Ubiquiti in the same way you do. Be sure to turn on "use fixed IP" (clients → configuration cog → network) if you haven't already (or used ssh); on next reboot the gateway won't respect any manual IP changes only made on your server machine. I mention this because bizarrely (imho) the Ubiquiti UI doesn't have a central place where DHCP settings can be set up, and from your wording I thought maybe you had set the static IP on the server, which will work, but not forever... My 2¢

