No certificate available for <docker container ip>

Hi dear caddy Team,
I got a problem today that I am not able to fix by myself.

Somehow I get the error:

caddy-1  | {"level":"debug","ts":1722078527.5707881,"logger":"http.stdlib","msg":"http: TLS handshake error from 167.235.203.100:35474: no certificate available for '172.19.0.2'"}

172.19.0.2 is the docker container’s IP, but I set up a proper IP in my Caddyfile which is the <public ip>.

Did I misuse caddy here? How can I tell it to just use self-signed certs and my public ip?

docker-compose.yml:

services:
  caddy:
    image: caddy
    restart: unless-stopped
    ports:
      - "9080:9080"
      - "9081:9081"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data
      - caddy_config:/config
...

Caddyfile:

<public ip>:9080 {
    reverse_proxy cadvisor:8080
    tls internal
    basic_auth {
        a b
    }
}

<public ip>:9081 {
    reverse_proxy node_exporter:9100
    tls internal
    basic_auth {
        a b 
    }
}

But how did you make a request? If you made a request to 172.19.0.2 then obviously Caddy won’t have a certificate for that IP address if you configured it for your public IP.


I make a request to my public ip.

The issue is that TLS-SNI doesn’t carry IP addresses. SNI is used for certificate selection. So since it would be empty in that case, Caddy has to guess by using the destination IP on the TCP connection. Since you’re using Docker, it might be set up with Docker’s TCP userland proxy, which would make the request look like it had your container’s IP as the target instead of your WAN IP.

You’d be much better off just using an actual domain. You can get a free domain very easily, e.g. DuckDNS.

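To make the certificate-selection point above concrete, here is an added example (not code from the thread or from Caddy) that builds a constructed minimal TLS ClientHello with and without a server_name extension, parses the SNI back out the way a server sees it, and mirrors the fallback a server must make when SNI is empty: match the TCP destination IP against the configured site addresses. The site addresses 203.0.113.10 and example.duckdns.org are placeholders; the container IP 172.19.0.2 is the one from the log line.

```python
"""Show why an IP-only deployment falls back to the TCP destination address."""
import struct

def build_client_hello(server_name=None):
    """Constructed minimal TLS 1.2 ClientHello record (not a full handshake).
    RFC 6066 forbids IP literals in server_name, so a client that connects to
    a bare IP sends no SNI at all, which is the server_name=None case here."""
    exts = b""
    if server_name is not None:
        name = server_name.encode()
        sni_list = struct.pack("!BH", 0, len(name)) + name        # name type 0 = host_name
        sni_data = struct.pack("!H", len(sni_list)) + sni_list
        exts += struct.pack("!HH", 0, len(sni_data)) + sni_data   # extension type 0
    body = (b"\x03\x03" + bytes(32)            # client version + random (zeros, constructed)
            + b"\x00"                         # empty session id
            + b"\x00\x02\x13\x01"             # one cipher suite (TLS_AES_128_GCM_SHA256)
            + b"\x01\x00"                     # null compression only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs   # record: handshake, TLS 1.0

def sni_from_client_hello(rec):
    """Return the host_name carried in the server_name extension, or None."""
    assert rec[0] == 0x16 and rec[5] == 0x01, "not a ClientHello record"
    p = 5 + 4 + 2 + 32                                  # record hdr, hs hdr, version, random
    p += 1 + rec[p]                                     # session id
    p += 2 + struct.unpack("!H", rec[p:p + 2])[0]       # cipher suites
    p += 1 + rec[p]                                     # compression methods
    if p >= len(rec):
        return None                                     # no extensions block at all
    ext_end = p + 2 + struct.unpack("!H", rec[p:p + 2])[0]
    p += 2
    while p < ext_end:
        etype, elen = struct.unpack("!HH", rec[p:p + 4])
        data, p = rec[p + 4:p + 4 + elen], p + 4 + elen
        if etype == 0:                                  # server_name extension
            ntype, nlen = struct.unpack("!BH", data[2:5])
            if ntype == 0:
                return data[5:5 + nlen].decode()
    return None

def select_site(sni, dst_ip, sites):
    """Pick the configured site a server can serve: SNI first, else destination IP.
    Returns None when neither matches, which is the 'no certificate available' case."""
    hosts = {s.rsplit(":", 1)[0] for s in sites}
    if sni and sni in hosts:
        return sni
    return dst_ip if dst_ip in hosts else None

if __name__ == "__main__":
    sites = ["203.0.113.10:9080"]                       # placeholder public IP site
    sni = sni_from_client_hello(build_client_hello(None))
    print("SNI:", sni, "-> site:", select_site(sni, "172.19.0.2", sites))
```

With the Docker userland proxy in front, the destination the server sees is the container address, so the IP-only site never matches; a hostname-based site is matched from SNI regardless of which address the connection arrives on.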
