No certificate matching TLS ClientHello

1. The problem I’m having:

I'm unable to connect to my homeserver using the Tailscale domain name. I'm getting the error "no certificate matching TLS ClientHello". If I try to connect with my Tailscale IP it works fine.

 tls: client offered only unsupported versions: [301]
{"CipherSuites":[51914,4865,4866,4867,49196,49195,52393,49200,49199,52392,49162,49161,49172,49171,157,156,53,47,49160,49170,10],"ServerName":"azabache.narwhal-nominal.ts.net","SupportedCurves":[14906,29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,515,2053,2053,1281,2054,1537,513],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[51914,772,771,770,769],"Conn":{}}}}

As far as I remember I haven’t changed anything besides updating ubuntu, caddy and tailscale.

2. Error messages and/or full log output:

$ curl -vL azabache.narwhal-nominal.ts.net
*   Trying 100.126.156.31:80...
* Connected to azabache.narwhal-nominal.ts.net (100.126.156.31) port 80 (#0)
> GET / HTTP/1.1
> Host: azabache.narwhal-nominal.ts.net
> User-Agent: curl/8.1.2
> Accept: */*
>
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://azabache.narwhal-nominal.ts.net/
< Server: Caddy
< Date: Sun, 26 Nov 2023 09:10:05 GMT
< Content-Length: 0
<
* Closing connection 0
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://azabache.narwhal-nominal.ts.net/'
*   Trying 100.126.156.31:443...
* Connected to azabache.narwhal-nominal.ts.net (100.126.156.31) port 443 (#1)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* LibreSSL/3.3.6: error:1404B438:SSL routines:ST_CONNECT:tlsv1 alert internal error
* Closing connection 1
curl: (35) LibreSSL/3.3.6: error:1404B438:SSL routines:ST_CONNECT:tlsv1 alert internal error
{"level":"debug","ts":"2023-11-26T09:12:02.461Z","logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"100.126.186.99","remote_port":"55779","server_name":"azabache.narwhal-nominal.ts.net","remote":"100.126.186.99:55779","identifier":"azabache.narwhal-nominal.ts.net","cipher_suites":[14906,4865,4866,4867,49196,49195,52393,49200,49199,52392,49162,49161,49172,49171,157,156,53,47,49160,49170,10,22016],"cert_cache_fill":0.0006,"load_or_obtain_if_necessary":true,"on_demand":false}
{"level":"debug","ts":"2023-11-26T09:12:02.462Z","logger":"http.stdlib","msg":"http: TLS handshake error from 100.126.186.99:55779: no certificate available for 'azabache.narwhal-nominal.ts.net'"}
{"level":"debug","ts":"2023-11-26T09:12:02.476Z","logger":"http.stdlib","msg":"http: TLS handshake error from 100.126.186.99:55780: tls: client offered only unsupported versions: [301]"}
{"level":"debug","ts":"2023-11-26T09:12:02.482Z","logger":"events","msg":"event","name":"tls_get_certificate","id":"94d43bac-690c-4176-bc77-53175c9f1905","origin":"tls","data":{"client_hello":{"CipherSuites":[51914,4865,4866,4867,49196,49195,52393,49200,49199,52392,49162,49161,49172,49171,157,156,53,47,49160,49170,10],"ServerName":"azabache.narwhal-nominal.ts.net","SupportedCurves":[14906,29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,515,2053,2053,1281,2054,1537,513],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[51914,772,771,770,769],"Conn":{}}}}
{"level":"debug","ts":"2023-11-26T09:12:02.482Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"azabache.narwhal-nominal.ts.net"}
{"level":"debug","ts":"2023-11-26T09:12:02.482Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.narwhal-nominal.ts.net"}
{"level":"debug","ts":"2023-11-26T09:12:02.482Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.ts.net"}
{"level":"debug","ts":"2023-11-26T09:12:02.482Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.net"}
{"level":"debug","ts":"2023-11-26T09:12:02.482Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.*"}
{"level":"debug","ts":"2023-11-26T09:12:02.482Z","logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"100.126.186.99","remote_port":"55781","server_name":"azabache.narwhal-nominal.ts.net","remote":"100.126.186.99:55781","identifier":"azabache.narwhal-nominal.ts.net","cipher_suites":[51914,4865,4866,4867,49196,49195,52393,49200,49199,52392,49162,49161,49172,49171,157,156,53,47,49160,49170,10],"cert_cache_fill":0.0006,"load_or_obtain_if_necessary":true,"on_demand":false}

3. Caddy version:

$ caddy version
v2.7.5 h1:HoysvZkLcN2xJExEepaFHK92Qgs7xAiCFydN5x5Hs6Q=

4. How I installed and ran Caddy:

a. System environment:

$ sudo lsb_release -a

No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 22.04.3 LTS
Release:	22.04
Codename:	jammy

b. Command:

sudo service caddy start

c. Service/unit/compose file:

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddy config:

{
        email some@email.com
        debug
        servers {
                metrics
        }

        log {
                output file /var/log/caddy/caddy.log {
                        roll_size 500mb
                }
                format json {
                        time_format iso8601
                }
        }
}

# PiHole
azabache.narwhal-nominal.ts.net {
        encode zstd gzip
        reverse_proxy localhost:1080
        redir / /admin
        log {
                output file /var/log/caddy/pihole.log {
                        roll_size 500mb
                }
                format json {
                        time_format iso8601
                }
        }
}

5. Links to relevant resources:
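
The debug lines in section 2 are dense, so here is a small Python triage script, added as an example for this thread and not part of the original post or of Caddy itself, that decodes the relevant fields: which name the client asked for (SNI), which TLS versions it really offered once GREASE values (RFC 8701, the 0x?A?A entries such as 51914 = 0xCACA) are filtered out, whether TLS_FALLBACK_SCSV (RFC 7507, 0x5600 = 22016) was present, and what the "[301]" in the stdlib error means (Go prints the version as hex, so 301 is 0x0301, TLS 1.0). Read together, the lines show that the real failure is the server having no certificate for the ts.net name; the later "unsupported versions" line is only curl/LibreSSL retrying with a downgraded hello after the internal-error alert, which Caddy rejects because TLS 1.0 is below its default minimum. The sample log text is copied from the log output above; the function and field names are this example's own.

```python
"""Decode Caddy 'tls.handshake' / 'http.stdlib' / 'events' debug lines so an
operator can see SNI, offered TLS versions and downgrade retries at a glance.
Added example for this thread; not Caddy code."""
import json
import re

# Constructed sample: three lines copied from the Caddy debug log in this thread.
SAMPLE_LOG = r'''
{"level":"debug","ts":"2023-11-26T09:12:02.461Z","logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"100.126.186.99","remote_port":"55779","server_name":"azabache.narwhal-nominal.ts.net","remote":"100.126.186.99:55779","identifier":"azabache.narwhal-nominal.ts.net","cipher_suites":[14906,4865,4866,4867,49196,49195,52393,49200,49199,52392,49162,49161,49172,49171,157,156,53,47,49160,49170,10,22016],"cert_cache_fill":0.0006,"load_or_obtain_if_necessary":true,"on_demand":false}
{"level":"debug","ts":"2023-11-26T09:12:02.476Z","logger":"http.stdlib","msg":"http: TLS handshake error from 100.126.186.99:55780: tls: client offered only unsupported versions: [301]"}
{"level":"debug","ts":"2023-11-26T09:12:02.482Z","logger":"events","msg":"event","name":"tls_get_certificate","id":"94d43bac-690c-4176-bc77-53175c9f1905","origin":"tls","data":{"client_hello":{"CipherSuites":[51914,4865,4866,4867,49196,49195,52393,49200,49199,52392,49162,49161,49172,49171,157,156,53,47,49160,49170,10],"ServerName":"azabache.narwhal-nominal.ts.net","SupportedCurves":[14906,29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,515,2053,2053,1281,2054,1537,513],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[51914,772,771,770,769],"Conn":{}}}}
'''

VERSION_NAMES = {0x0304: "TLS 1.3", 0x0303: "TLS 1.2", 0x0302: "TLS 1.1",
                 0x0301: "TLS 1.0", 0x0300: "SSL 3.0"}
TLS_FALLBACK_SCSV = 0x5600  # RFC 7507 signalling cipher suite value

# Go's crypto/tls formats the rejected versions in hex inside square brackets.
UNSUPPORTED_RE = re.compile(
    r"TLS handshake error from ([\d.:]+): tls: client offered only "
    r"unsupported versions: \[([0-9a-fA-F ]*)\]")


def is_grease(value: int) -> bool:
    """RFC 8701 GREASE values are 0x0A0A, 0x1A1A, ... 0xFAFA (both bytes equal, low nibble 0xA)."""
    hi, lo = value >> 8, value & 0xFF
    return hi == lo and (lo & 0x0F) == 0x0A


def decode_versions(values):
    """Map numeric TLS versions to names, dropping GREASE placeholders."""
    return [VERSION_NAMES.get(v, f"0x{v:04x}") for v in values if not is_grease(v)]


def parse_line(line: str):
    """Return a small dict describing one debug line, or None if it is not of interest."""
    rec = json.loads(line)
    logger, msg = rec.get("logger"), rec.get("msg", "")
    if logger == "tls.handshake" and msg == "no certificate matching TLS ClientHello":
        suites = rec.get("cipher_suites", [])
        real_suites = [s for s in suites if not is_grease(s) and s != TLS_FALLBACK_SCSV]
        return {"kind": "no_cert", "remote": rec["remote"], "sni": rec["server_name"],
                "fallback_scsv": TLS_FALLBACK_SCSV in suites,
                "cipher_count": len(real_suites)}
    if logger == "http.stdlib":
        m = UNSUPPORTED_RE.search(msg)
        if m:
            versions = [int(v, 16) for v in m.group(2).split()]
            return {"kind": "downgrade_rejected", "remote": m.group(1),
                    "versions": decode_versions(versions)}
    if logger == "events" and rec.get("name") == "tls_get_certificate":
        hello = rec["data"]["client_hello"]
        return {"kind": "client_hello", "sni": hello["ServerName"],
                "versions": decode_versions(hello["SupportedVersions"]),
                "alpn": hello.get("SupportedProtos", [])}
    return None


def triage(log_text: str):
    """Parse every non-empty line and keep the events worth looking at."""
    lines = (l for l in log_text.strip().splitlines() if l.strip())
    return [e for e in (parse_line(l) for l in lines) if e]


def summarize(log_text: str):
    """Names that had no certificate, plus how many downgrade retries Caddy refused."""
    events = triage(log_text)
    return {
        "names_without_cert": sorted({e["sni"] for e in events if e["kind"] == "no_cert"}),
        "downgrade_retries": sum(1 for e in events if e["kind"] == "downgrade_rejected"),
        "events": events,
    }


if __name__ == "__main__":
    for event in summarize(SAMPLE_LOG)["events"]:
        print(event)
```

The key signal for an operator is `names_without_cert`: if the SNI the client sent appears there, the fix is on the certificate side (as this thread found, Caddy was not obtaining a certificate for the ts.net name), not on the client's TLS version, even though the downgrade-retry line can make it look like a version mismatch.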

Just a hunch, but if you remove the email line from your global options, does the behavior change?

You are right, without the email option it works again.

I thought we fixed that in the past.

Should I open a new issue?


I actually think there might already be an open issue about it – I am mobile right now but will try to find it soon. If you can’t find one, then yeah please open one!
