No certificate available error

1. Caddy version (caddy version):

v2.4.3 h1:Y1FaV2N4WO3rBqxSYA8UZsZTQdN+PwcoOcAiZTM8C0I=

2. How I run Caddy:

caddy start

a. System environment:

Ubuntu 20.04

b. Command:

caddy start

c. Service/unit/compose file:

d. My complete Caddyfile or JSON config:

{
        debug
        on_demand_tls {
                ask https://api.onecalls.in/custom-domains/verify
                interval 2m
                burst 5
        }
}
01-parking-proxy.onecalls.in {
        reverse_proxy * {
                to https://one-calls-website.vercel.app

                header_up Host {http.reverse_proxy.upstream.hostport}
                header_up X-Forwarded-For {http.request.remote}
                header_up X-Real-IP {http.reverse_proxy.upstream.address}
                header_up X-Forwarded-Port {http.request.port}
                header_up X-Forwarded-Host {http.request.host}
        }
        tls {
                on_demand
        }
        log {
                output file /var/log/caddy/access.log
        }
}

3. The problem I’m having:

Pointed 01-parking-proxy.onecalls.in to the caddy server IP.
Added CNAME: indhya.com -> 01-parking-proxy.onecalls.in
Getting http: TLS handshake error from 103.240.233.XXX:19134: no certificate available for 'indhya.com'

4. Error messages and/or full log output:

http: TLS handshake error from 103.240.233.XXX:19134: no certificate available for 'indhya.com'

5. What I already tried:

  1. Removing ask from on_demand_tls

6. Links to relevant resources:

Remove all these lines. They aren’t useful, and in some situations harmful. Caddy sets the appropriate proxy headers automatically.

There must be more logs than that. Caddy will have attempted to issue a certificate for that domain. Please post all your logs, not just that one line.

Removed

{
        debug
        on_demand_tls {
                ask https://api.onecalls.in/custom-domains/verify
                interval 2m
                burst 5
        }
}
01-parking-proxy.onecalls.in {
        reverse_proxy * {
                to https://one-calls-website.vercel.app
                header_up Host {http.reverse_proxy.upstream.hostport}
        }
        tls {
                on_demand
        }
        log {
                output file /var/log/caddy/access.log
        }
}
root@ubuntu-1cpu-1gb-sg-sin1:/etc/caddy# caddy start
2021/06/24 16:11:10.370 INFO    using adjacent Caddyfile
2021/06/24 16:11:10.371 WARN    input is not formatted with 'caddy fmt' {"adapter": "caddyfile", "file": "Caddyfile", "line": 2}
2021/06/24 16:11:10.373 INFO    admin   admin endpoint started  {"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["localhost:2019", "[::1]:2019", "127.0.0.1:2019"]}
2021/06/24 16:11:10.373 INFO    http    server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2021/06/24 16:11:10.373 INFO    http    enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2021/06/24 16:11:10.374 DEBUG   http    starting server loop    {"address": "[::]:443", "http3": false, "tls": true}
2021/06/24 16:11:10.374 DEBUG   http    starting server loop    {"address": "[::]:80", "http3": false, "tls": false}
2021/06/24 16:11:10.374 INFO    http    enabling automatic TLS certificate management   {"domains": ["01-parking-proxy.onecalls.in"]}
2021/06/24 16:11:10.374 INFO    autosaved config (load with --resume flag)      {"file": "/root/.config/caddy/autosave.json"}
2021/06/24 16:11:10.374 INFO    serving initial configuration
2021/06/24 16:11:10.375 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc0005f0fc0"}
2021/06/24 16:11:10.375 INFO    tls     cleaning storage unit   {"description": "FileStorage:/root/.local/share/caddy"}
2021/06/24 16:11:10.375 INFO    tls     finished cleaning storage units
Successfully started Caddy (pid=34249) - Caddy is running in the background
root@ubuntu-1cpu-1gb-sg-sin1:/etc/caddy# 2021/06/24 16:11:15.667        DEBUG   http.stdlib     http: TLS handshake error from 103.240.233.131:18823: no certificate available for 'indhya.com'
2021/06/24 16:11:15.844 DEBUG   http.stdlib     http: TLS handshake error from 103.240.233.131:18826: no certificate available for 'indhya.com'
2021/06/24 16:11:15.871 DEBUG   http.stdlib     http: TLS handshake error from 103.240.233.131:18827: no certificate available for 'indhya.com'
2021/06/24 16:11:16.048 DEBUG   http.stdlib     http: TLS handshake error from 103.240.233.131:18829: no certificate available for 'indhya.com'

Ah, right – your site address is 01-parking-proxy.onecalls.in, so requests for the domain indhya.com will not match.

When using On-Demand TLS, typically you should use :443 as your site address to allow any domain to match.

{
	debug
	on_demand_tls {
		ask https://api.onecalls.in/custom-domains/verify
		interval 2m
		burst 5
	}
}
:443 {
	reverse_proxy https://one-calls-website.vercel.app {
		header_up Host {http.reverse_proxy.upstream.hostport}
	}
	tls {
		on_demand
	}
	log {
		output file /var/log/caddy/access.log
	}
}

Also, I strongly recommend running Caddy as a systemd service rather than using caddy start for reliability.

If you installed Caddy with the apt repo we provide, then that’s set up automatically. If you installed Caddy manually, then you can follow these instructions:
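As an added example (not code from this thread or from the Caddy project): once the site address is :443, every SNI name that reaches the server is a candidate for on-demand issuance, so the ask endpoint configured above (the https://api.onecalls.in/custom-domains/verify URL) is the only thing gating which names get certificates. This is a minimal Go implementation of such an endpoint; the customDomains allowlist and the 127.0.0.1:8080 listen address are constructed assumptions.

```go
package main

// Added example (not from the thread or the Caddy project): a minimal
// on_demand_tls "ask" endpoint. With a :443 site address every SNI name
// reaches the on-demand issuer, so this check is what stops third parties
// from triggering ACME issuance (and burning rate limits) by pointing DNS
// at the proxy. Caddy sends GET <ask URL>?domain=<name>; only 2xx allows.

import (
	"log"
	"net/http"
	"strings"
)

// customDomains is a constructed stand-in for the real customer-domain store.
var customDomains = map[string]bool{"indhya.com": true}

// domainAllowed reports whether issuance for d should be permitted: the name
// is lowercased and a trailing dot stripped before the lookup, and empty or
// wildcard names are never allowed through on-demand issuance.
func domainAllowed(d string) bool {
	d = strings.TrimSuffix(strings.ToLower(strings.TrimSpace(d)), ".")
	if d == "" || strings.Contains(d, "*") {
		return false
	}
	return customDomains[d]
}

// askHandler serves the URL configured under on_demand_tls { ask ... }.
// 200 permits issuance, 403 denies it; Caddy treats only 2xx as permission.
func askHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodGet {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	domain := r.URL.Query().Get("domain")
	if !domainAllowed(domain) {
		log.Printf("on-demand TLS denied for %q", domain)
		http.Error(w, "domain not registered", http.StatusForbidden)
		return
	}
	w.WriteHeader(http.StatusOK)
}

func main() {
	http.HandleFunc("/custom-domains/verify", askHandler)
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

Keep the endpoint fast and highly available: Caddy waits on its answer during the TLS handshake, and an outage denies every new name.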


This did the trick, it’s working now. Thanks for the help.

It’s already a systemd service as I installed it using apt, I stopped and restarted the caddy to get clean logs.

Using the caddy start command runs Caddy as a different user than with the systemd service, which means it won’t use the same storage, so it would fetch new TLS certificates. Don’t do that.

To see your logs, run this command:

journalctl -u caddy --no-pager | less

To see the latest logs, hit Shift+G to jump to the bottom, arrow keys/pgup/pgdn to navigate. Q to exit.

Thanks for the information, I’ll use systemctl start caddy from now on.
