1. The problem I’m having:
I'm unable to connect to my home server using the Tailscale domain name. I'm getting the error "no certificate matching TLS ClientHello". If I try to connect with my Tailscale IP it works fine.
tls: client offered only unsupported versions: [301]
{"CipherSuites":[51914,4865,4866,4867,49196,49195,52393,49200,49199,52392,49162,49161,49172,49171,157,156,53,47,49160,49170,10],"ServerName":"azabache.narwhal-nominal.ts.net","SupportedCurves":[14906,29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,515,2053,2053,1281,2054,1537,513],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[51914,772,771,770,769],"Conn":{}}}}
As far as I remember I haven't changed anything besides updating Ubuntu, Caddy and Tailscale.
2. Error messages and/or full log output:
$ curl -vL azabache.narwhal-nominal.ts.net
* Trying 100.126.156.31:80...
* Connected to azabache.narwhal-nominal.ts.net (100.126.156.31) port 80 (#0)
> GET / HTTP/1.1
> Host: azabache.narwhal-nominal.ts.net
> User-Agent: curl/8.1.2
> Accept: */*
>
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://azabache.narwhal-nominal.ts.net/
< Server: Caddy
< Date: Sun, 26 Nov 2023 09:10:05 GMT
< Content-Length: 0
<
* Closing connection 0
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://azabache.narwhal-nominal.ts.net/'
* Trying 100.126.156.31:443...
* Connected to azabache.narwhal-nominal.ts.net (100.126.156.31) port 443 (#1)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/cert.pem
* CApath: none
* LibreSSL/3.3.6: error:1404B438:SSL routines:ST_CONNECT:tlsv1 alert internal error
* Closing connection 1
curl: (35) LibreSSL/3.3.6: error:1404B438:SSL routines:ST_CONNECT:tlsv1 alert internal error
{"level":"debug","ts":"2023-11-26T09:12:02.461Z","logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"100.126.186.99","remote_port":"55779","server_name":"azabache.narwhal-nominal.ts.net","remote":"100.126.186.99:55779","identifier":"azabache.narwhal-nominal.ts.net","cipher_suites":[14906,4865,4866,4867,49196,49195,52393,49200,49199,52392,49162,49161,49172,49171,157,156,53,47,49160,49170,10,22016],"cert_cache_fill":0.0006,"load_or_obtain_if_necessary":true,"on_demand":false}
{"level":"debug","ts":"2023-11-26T09:12:02.462Z","logger":"http.stdlib","msg":"http: TLS handshake error from 100.126.186.99:55779: no certificate available for 'azabache.narwhal-nominal.ts.net'"}
{"level":"debug","ts":"2023-11-26T09:12:02.476Z","logger":"http.stdlib","msg":"http: TLS handshake error from 100.126.186.99:55780: tls: client offered only unsupported versions: [301]"}
{"level":"debug","ts":"2023-11-26T09:12:02.482Z","logger":"events","msg":"event","name":"tls_get_certificate","id":"94d43bac-690c-4176-bc77-53175c9f1905","origin":"tls","data":{"client_hello":{"CipherSuites":[51914,4865,4866,4867,49196,49195,52393,49200,49199,52392,49162,49161,49172,49171,157,156,53,47,49160,49170,10],"ServerName":"azabache.narwhal-nominal.ts.net","SupportedCurves":[14906,29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,515,2053,2053,1281,2054,1537,513],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[51914,772,771,770,769],"Conn":{}}}}
{"level":"debug","ts":"2023-11-26T09:12:02.482Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"azabache.narwhal-nominal.ts.net"}
{"level":"debug","ts":"2023-11-26T09:12:02.482Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.narwhal-nominal.ts.net"}
{"level":"debug","ts":"2023-11-26T09:12:02.482Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.ts.net"}
{"level":"debug","ts":"2023-11-26T09:12:02.482Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.net"}
{"level":"debug","ts":"2023-11-26T09:12:02.482Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.*"}
{"level":"debug","ts":"2023-11-26T09:12:02.482Z","logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"100.126.186.99","remote_port":"55781","server_name":"azabache.narwhal-nominal.ts.net","remote":"100.126.186.99:55781","identifier":"azabache.narwhal-nominal.ts.net","cipher_suites":[51914,4865,4866,4867,49196,49195,52393,49200,49199,52392,49162,49161,49172,49171,157,156,53,47,49160,49170,10],"cert_cache_fill":0.0006,"load_or_obtain_if_necessary":true,"on_demand":false}
3. Caddy version:
$ caddy version
v2.7.5 h1:HoysvZkLcN2xJExEepaFHK92Qgs7xAiCFydN5x5Hs6Q=
4. How I installed and ran Caddy:
a. System environment:
$ sudo lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04.3 LTS
Release: 22.04
Codename: jammy
b. Command:
sudo service caddy start
c. Service/unit/compose file:
[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target
[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
d. My complete Caddy config:
{
    email some@email.com
    debug
    servers {
        metrics
    }
    log {
        output file /var/log/caddy/caddy.log {
            roll_size 500mb
        }
        format json {
            time_format iso8601
        }
    }
}

# PiHole
azabache.narwhal-nominal.ts.net {
    encode zstd gzip
    reverse_proxy localhost:1080
    redir / /admin
    log {
        output file /var/log/caddy/pihole.log {
            roll_size 500mb
        }
        format json {
            time_format iso8601
        }
    }
}
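The debug log above records the TLS ClientHello as raw numbers (Go crypto/tls values) and the chain of certificate identifiers Caddy tried before giving up. The following triage script is an added example, not part of the post or of Caddy itself; it parses lines in that JSON shape, decodes the numeric TLS versions (dropping RFC 8701 GREASE values), and reads the hex version in the "client offered only unsupported versions" error. The sample log is constructed from trimmed copies of the lines in the post.

```python
import json

# Constructed sample: trimmed copies of the Caddy JSON debug lines from the post above.
SAMPLE_LOG = """\
{"level":"debug","logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote":"100.126.186.99:55781","server_name":"azabache.narwhal-nominal.ts.net","identifier":"azabache.narwhal-nominal.ts.net"}
{"level":"debug","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.narwhal-nominal.ts.net"}
{"level":"debug","logger":"events","msg":"event","name":"tls_get_certificate","data":{"client_hello":{"ServerName":"azabache.narwhal-nominal.ts.net","SupportedVersions":[51914,772,771,770,769],"CipherSuites":[51914,4865,4866,4867]}}}
{"level":"debug","logger":"http.stdlib","msg":"http: TLS handshake error from 100.126.186.99:55780: tls: client offered only unsupported versions: [301]"}
"""

# Protocol version codes as sent on the wire (TLS 1.3 = 0x0304, TLS 1.0 = 0x0301).
TLS_VERSIONS = {0x0304: "TLS 1.3", 0x0303: "TLS 1.2", 0x0302: "TLS 1.1", 0x0301: "TLS 1.0"}

def is_grease(v):
    # RFC 8701 GREASE values look like 0x?A?A with both bytes equal (0x3A3A, 0xCACA, ...).
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)

def decode_versions(values):
    """Map the numeric SupportedVersions list to names, dropping GREASE noise."""
    return [TLS_VERSIONS.get(v, f"unknown(0x{v:04x})") for v in values if not is_grease(v)]

def triage(log_text):
    """Return (kind, subject, detail) findings for each relevant JSON log line."""
    findings = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines (e.g. curl output pasted into the same file)
        msg = rec.get("msg", "")
        if msg == "no certificate matching TLS ClientHello":
            findings.append(("missing_cert", rec.get("server_name"), rec.get("remote")))
        elif msg == "no matching certificates and no custom selection logic":
            # Caddy walks from the exact name to ever-broader wildcards before failing.
            findings.append(("tried_identifier", rec.get("identifier"), None))
        elif rec.get("name") == "tls_get_certificate":
            ch = rec["data"]["client_hello"]
            findings.append(("client_versions", ch["ServerName"], decode_versions(ch["SupportedVersions"])))
        elif "client offered only unsupported versions" in msg:
            # Go prints the offered versions with %x, so "[301]" means 0x0301, i.e. TLS 1.0.
            hexes = msg[msg.index("[") + 1:msg.index("]")].split()
            findings.append(("legacy_client", None, [TLS_VERSIONS.get(int(h, 16), h) for h in hexes]))
    return findings

if __name__ == "__main__":
    for kind, subject, detail in triage(SAMPLE_LOG):
        print(f"{kind:16} {subject!s:36} {detail}")
```

A "missing_cert" finding for a ts.net name means the request reached Caddy and the handshake failed on the server side; the separate "legacy_client" line comes from a different connection that offered only TLS 1.0.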