Need to use an IP address

1. I’m trying to use Caddy with an IP address

I currently have a ZeroSSL certificate assigned for my IP address, and my Caddyfile seems to be configured correctly with the certificate

2. My Log

2024/09/23 06:04:56.385 INFO    using adjacent Caddyfile
2024/09/23 06:04:56.386 INFO    adapted config to JSON  {"adapter": "caddyfile"}
2024/09/23 06:04:56.386 WARN    Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies    {"adapter": "caddyfile", "file": "Caddyfile", "line": 2}
2024/09/23 06:04:56.387 INFO    admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2024/09/23 06:04:56.387 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0x40005fb600"}
2024/09/23 06:04:56.387 INFO    http.auto_https skipping automatic certificate management because one or more matching certificates are already loaded  {"domain": "158.101.31.180", "server_name": "srv0"}
2024/09/23 06:04:56.387 INFO    http.auto_https enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2024/09/23 06:04:56.387 INFO    http    enabling HTTP/3 listener        {"addr": ":443"}
2024/09/23 06:04:56.388 INFO    http.log        server running  {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2024/09/23 06:04:56.388 INFO    http.log        server running  {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2024/09/23 06:04:56.388 INFO    http    enabling automatic TLS certificate management   {"domains": ["irrelevant domain"]}
2024/09/23 06:04:56.388 INFO    autosaved config (load with --resume flag)      {"file": "/root/.config/caddy/autosave.json"}
2024/09/23 06:04:56.388 INFO    serving initial configuration
2024/09/23 06:04:56.388 INFO    tls.obtain      acquiring lock  {"identifier": "irrelevant domain"}
2024/09/23 06:04:56.391 INFO    tls     storage cleaning happened too recently; skipping for now        {"storage": "FileStorage:/root/.local/share/caddy", "instance": "272d8f52-9fd8-403e-a214-796ac2bd288e", "try_again": "2024/09/24 06:04:56.391", "try_again_in": 86399.99999968}
2024/09/23 06:04:56.391 INFO    tls     finished cleaning storage units
2024/09/23 06:04:56.392 INFO    tls.obtain      lock acquired   {"identifier": "irrelevant domain"}
2024/09/23 06:04:56.392 INFO    tls.obtain      obtaining certificate   {"identifier": "irrelevant domain"}
2024/09/23 06:04:56.658 INFO    http    waiting on internal rate limiter        {"identifiers": ["irrelevant domain"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2024/09/23 06:04:56.658 INFO    http    done waiting on internal rate limiter   {"identifiers": ["irrelevant domain"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2024/09/23 06:04:56.658 INFO    http    using ACME account      {"account_id": "https://acme-v02.api.letsencrypt.org/acme/acct/1961896326", "account_contact": []}
2024/09/23 06:04:56.784 INFO    http.acme_client        trying to solve challenge       {"identifier": "irrelevant domain", "challenge_type": "tls-alpn-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2024/09/23 06:04:56.929 INFO    tls     served key authentication certificate   {"server_name": "irrelevant domain", "challenge": "tls-alpn-01", "remote": "23.178.112.101:51295", "distributed": false}
2024/09/23 06:04:57.199 INFO    tls     served key authentication certificate   {"server_name": "irrelevant domain", "challenge": "tls-alpn-01", "remote": "3.15.28.3:55260", "distributed": false}
2024/09/23 06:04:57.243 INFO    tls     served key authentication certificate   {"server_name": "irrelevant domain", "challenge": "tls-alpn-01", "remote": "18.237.99.175:59338", "distributed": false}
2024/09/23 06:04:57.662 INFO    tls     served key authentication certificate   {"server_name": "irrelevant domain", "challenge": "tls-alpn-01", "remote": "13.61.3.210:63110", "distributed": false}
2024/09/23 06:04:57.828 INFO    tls     served key authentication certificate   {"server_name": "irrelevant domain", "challenge": "tls-alpn-01", "remote": "3.0.249.225:39058", "distributed": false}
2024/09/23 06:04:58.251 INFO    http.acme_client        authorization finalized {"identifier": "irrelevant domain", "authz_status": "valid"}
2024/09/23 06:04:58.251 INFO    http.acme_client        validations succeeded; finalizing order {"order": "https://acme-v02.api.letsencrypt.org/acme/order/1961896326/307566350166"}
2024/09/23 06:04:58.657 INFO    http.acme_client        got renewal info        {"names": ["irrelevant domain"], "window_start": "2024/11/21 05:25:57.000", "window_end": "2024/11/23 05:25:57.000", "selected_time": "2024/11/22 14:04:23.000", "recheck_after": "2024/09/23 12:04:58.657", "explanation_url": ""}
2024/09/23 06:04:58.725 INFO    http.acme_client        got renewal info        {"names": ["irrelevant domain"], "window_start": "2024/11/21 05:25:57.000", "window_end": "2024/11/23 05:25:57.000", "selected_time": "2024/11/22 09:38:50.000", "recheck_after": "2024/09/23 12:04:58.725", "explanation_url": ""}
2024/09/23 06:04:58.726 INFO    http.acme_client        successfully downloaded available certificate chains    {"count": 2, "first_url": "https://acme-v02.api.letsencrypt.org/acme/cert/032a1e0be2680b7827d8d1b4ee63495150d7"}
2024/09/23 06:04:58.726 INFO    tls.obtain      certificate obtained successfully       {"identifier": "irrelevant domain", "issuer": "acme-v02.api.letsencrypt.org-directory"}
2024/09/23 06:04:58.726 INFO    tls.obtain      releasing lock  {"identifier": "irrelevant domain"}

The notable thing happening in my logs is the following line

http.auto_https skipping automatic certificate management because one or more matching certificates are already loaded  {"domain": "158.101.31.180", "server_name": "srv0"}

Seems like the certificate is already loaded, but I can’t visit the IP address via SSL?

3. Caddy version: v2.8.4

4. How I installed and ran Caddy:

For installing, I just used my package manager. To run Caddy, I edit the Caddyfile over at /etc/caddy/Caddyfile
Contents of my Caddyfile:

158.101.31.180 {
	tls /etc/ssl/certs/certificate.crt /etc/ssl/private/private.key
}

irrelevant domain {
	reverse_proxy localhost:8080
}

a. System environment: Ubuntu

b. Command for running Caddy

sudo systemctl restart caddy

d. My complete Caddy config:

158.101.31.180 {
	tls /etc/ssl/certs/certificate.crt /etc/ssl/private/private.key
}

google.com {
	reverse_proxy localhost:8080
}

Error: Caddyfile:2: Caddyfile input is not formatted; Tip: use '--overwrite' to update your Caddyfile in-place instead of previewing it. Consult '--help' for more options

5. Links to relevant resources:

https://zerossl.com

Show evidence of that. Enable the debug global option, make a request with curl -v, show what you get.

Why does it have to be an IP cert? That’s asking for trouble tbh.

Since TLS SNI cannot contain IPs, Caddy needs to use the remote IP on the TCP connection to guess the certificate to choose, so if you have some kind of TCP-layer proxy in front of Caddy, the remote IP Caddy sees won’t be correct and won’t cause the correct cert to be chosen.

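The reply above describes the mechanism that makes IP-address sites fragile: RFC 6066 forbids IPv4/IPv6 literals in the SNI HostName, so a client connecting to https://158.101.31.180/ sends no SNI at all, and the server can only fall back to the address of the TCP connection it accepted. The following is an added example, not Caddy's or certmagic's own code; it is a simplified model (an assumption, not a transcription of Caddy's selection logic) of that fallback, with the proxy failure mode the reply warns about, plus a helper for checking which IP SANs the served certificate actually carries from `ssl.SSLSocket.getpeercert()` output. The certificate store, the addresses 10.0.0.5 and 203.0.113.9, and the peercert dict are constructed sample data.

```python
"""Model of TLS certificate selection when the client cannot send SNI.

Added example, not Caddy's own code. Assumption: a simplified version of the
no-SNI fallback a server has to perform for IP-address sites.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


def is_ip_literal(host: str) -> bool:
    """True for IPv4/IPv6 literals, which a conforming client must not put in SNI."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def sni_for(host: str) -> Optional[str]:
    """SNI a conforming client sends for this URL host; None means no SNI at all."""
    return None if is_ip_literal(host) else host.lower().rstrip(".")


@dataclass(frozen=True)
class Cert:
    label: str
    dns_names: tuple = ()      # DNS SANs
    ip_addresses: tuple = ()   # IP SANs (what an "IP certificate" carries)


def select_cert(certs: Iterable[Cert], sni: Optional[str], local_ip: str) -> Optional[Cert]:
    """Pick a certificate: by SNI when present, else by the IP the connection arrived on.

    local_ip is the server-side address of the accepted TCP connection; a
    TCP-layer proxy in front of the server replaces it with an internal address.
    """
    if sni:
        return next((c for c in certs if sni in c.dns_names), None)
    return next((c for c in certs if local_ip in c.ip_addresses), None)


# Constructed sample store mirroring the two sites in the thread's Caddyfile.
SITE_CERTS = (
    Cert("zerossl-ip-cert", ip_addresses=("158.101.31.180",)),
    Cert("acme-domain-cert", dns_names=("example.com",)),
)


def direct_connection(url_host: str = "158.101.31.180") -> Optional[str]:
    """Client reaches the server directly: the accepted connection's local IP is the public IP."""
    chosen = select_cert(SITE_CERTS, sni_for(url_host), local_ip="158.101.31.180")
    return chosen.label if chosen else None


def behind_tcp_proxy(url_host: str = "158.101.31.180", proxy_internal_ip: str = "10.0.0.5") -> Optional[str]:
    """A TCP proxy terminates the public IP and forwards to an internal address (constructed)."""
    chosen = select_cert(SITE_CERTS, sni_for(url_host), local_ip=proxy_internal_ip)
    return chosen.label if chosen else None


def san_ips(peercert: dict) -> set:
    """IP SANs from ssl.SSLSocket.getpeercert() output (entries tagged 'IP Address')."""
    return {value for kind, value in peercert.get("subjectAltName", ()) if kind == "IP Address"}


# Constructed sample of what getpeercert() returns for an IP certificate.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "158.101.31.180"),),),
    "subjectAltName": (("IP Address", "158.101.31.180"), ("IP Address", "203.0.113.9")),
}


def cert_covers_ip(peercert: dict, ip: str) -> bool:
    """Does the served certificate carry this IP as a SAN? (The CN alone is not enough.)"""
    return ip in san_ips(peercert)


if __name__ == "__main__":
    print("direct:", direct_connection())        # zerossl-ip-cert
    print("via TCP proxy:", behind_tcp_proxy())  # None: no cert matches 10.0.0.5
    print("domain site:", direct_connection("example.com"))
    print("IP SAN present:", cert_covers_ip(SAMPLE_PEERCERT, "158.101.31.180"))
```

`direct_connection()` finds the IP certificate because no SNI is sent and the accepted connection's local address matches an IP SAN; `behind_tcp_proxy()` returns nothing because the proxy rewrote that address, which is the case the reply describes. `cert_covers_ip()` is the check to run on the certificate a real server actually serves: an IP in the CN alone does not satisfy clients, it has to appear as an IP SAN.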

Using curl -v 158.101.31.180, it returns

C:\Windows\System32>curl -v 158.101.31.180
*   Trying 158.101.31.180:80...
* Connected to 158.101.31.180 (158.101.31.180) port 80
> GET / HTTP/1.1
> Host: 158.101.31.180
> User-Agent: curl/8.8.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://158.101.31.180/
< Server: Caddy
< Date: Tue, 24 Sep 2024 21:09:51 GMT
< Content-Length: 0
<
* Closing connection

As for saying the certificate is loaded, the caddy logs said

http.auto_https skipping automatic certificate management because one or more matching certificates are already loaded  {"domain": "158.101.31.180", "server_name": "srv0"}

I don’t have a proxy past Caddy

That’s the result from HTTP, which appears to be working just fine (redirecting to HTTPS).

You said it’s the HTTPS that isn’t working, though - we need the curl from that, and the debug logs.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.