No certificate with double reverse proxy

Rob789 · February 22, 2021, 10:47pm

1. Caddy version (`caddy version`):

v2.4.0-beta.1

2. How I run Caddy:

a. System environment:

Debian 10, native

b. Command:

caddy run

c. Service/unit/compose file:

paste full file contents here

d. My complete Caddyfile or JSON config:

Front-end

# Global Option Block
{
        # General Option
        debug
}

# ACME Server
acme.roadrunner {
        acme_server
        tls internal
}

nextcloud.intrafit.nl {
        reverse_proxy https://nextcloud.roadrunner {
                header_up Host {http.reverse_proxy.upstream.hostport}
                header_up X-Forwarded-Host {host}
        }
}

Backe-nd

# Global Option Block
{
        # General Option
        debug

}

nextcloud.roadrunner {
        tls {
                ca https://acme.roadrunner/acme/local/directory
                ca_root ./root.crt
        }

        @collabora {
                path /loleaflet/* # Loleaflet is the client part of LibreOffice Online
                path /hosting/discovery # WOPI discovery URL
                path /hosting/capabilities # Show capabilities as json
                path /lool/* # Main websocket, uploads/downloads, presentations
        }

        reverse_proxy @collabora http://127.0.0.1:9980 {
               header_up Host "nextcloud.intrafit.nl"
        }

<nextcloud configuration (working) >

3. The problem I’m having:

This setup is to have a front-end Caddy Reverse Proxy with Let’s Encrypt TLS. On the Back-end there is a 2nd Caddy (native), Nextcloud and Collabora both in Docker containers. Front-end to Back-end are setup with TLS with a local ACME server.

I can access Nextcloud at https://nextcloud.intrafit.nl
Collabora tests successful on the back-end with curl -k localhost:9980 OK
I can reach Collabora on https://nextcloud.intrafit.nl/hosting/capabilities and …/hosting/discovery where I can see that it resoles the correct URL.

<action default="true" ext="sxw" name="view" urlsrc="https://nextcloud.intrafit.nl/loleaflet/44a46d7/loleaflet.html?"/>

When I try to configure Collabora in Nextcloud by providing the Collabora server URL : https://nextcloud.intrafit.nl the Caddy log on the Back-end reports:

2021/02/22 22:29:57.927 DEBUG http.stdlib http: TLS handshake error from 172.20.0.4:47060: no certificate available for 'nextcloud.intrafit.nl

4. Error messages and/or full log output:

5. What I already tried:

I had to add header_up Host "nextcloud.intrafit.nl" in order to have Collabora generate the correct URL for external access.

<action default="true" ext="sxw" name="view" urlsrc="https://nextcloud.intrafit.nl/loleaflet/44a46d7/loleaflet.html?"/>

But I think this is also the cause of the issue as it is skipping nextcloud.roadrunner that has the certificate with the front-end.

6. Links to relevant resources:

https://www.collaboraoffice.com/code/apache-reverse-proxy/

francislavoie · February 22, 2021, 11:00pm

What machine is that? What’s making that request?

Rob789 · February 22, 2021, 11:01pm

That is the Collabora docker container

francislavoie · February 22, 2021, 11:03pm

Okay, so what IP address is nextcloud.intrafit.nl resolving to for the Collabora container? Do you have a DNS server resolving that IP address directly to the backend Caddy instance?

Rob789 · February 22, 2021, 11:25pm

In the docker-compose.yml for Nextcloud and Collabora I included

extra_hosts:
      - "nextcloud.intrafit.nl:192.168.2.51"

Where 192.168.2.51 is the Caddy Back-end.

francislavoie · February 22, 2021, 11:39pm

Then there’s your problem. The backend doesn’t have a certificate to serve for that domain so it won’t work.

Either make it resolve to your frontend so it can resolve it, or have your backend have a certificate issued for that domain (you’d also need to add the CA root cert to your collabora container’s trust store if you go with the second option).

Rob789 · February 23, 2021, 6:26pm

I changed the docker-compose:

extra_hosts:
      - "nextcloud.intrafit.nl:192.168.2.1"

Where 192.168.2.1 is the frontend and that removed the error message in the Caddy log

Unfortunately I still get no go ahead within Nextcloud and I haven’t seen any other indicators about what goes wrong…

btw, I was wrong the IP address 172.20.0.4 was not the Collabora container but the nextcloud conttainer. I corrected the host resolver accordignly.

Before the DNS fix if I push save I got the above mentioned error:

2021/02/22 22:29:57.927 DEBUG http.stdlib http: TLS handshake error from 172.20.0.4:47060: no certificate available for 'nextcloud.intrafit.nl.

Now the log show this:

2021/02/23 18:23:33.663 DEBUG http.handlers.rewrite rewrote request {“request”: {“remote_addr”: “192.168.2.2:56382”, “proto”: “HTTP/2.0”, “method”: “POST”, “host”: “nextcloud.roadrunner:443”, “uri”: “/index.php/apps/richdocuments/ajax/admin.php”, “headers”: {“X-Forwarded-For”: [“192.168.5.1”], “Origin”: [“https://nextcloud.intrafit.nl”], “Accept”: [“application/json, text/plain, /”], “Requesttoken”: [“4X2gYswds0TBW1cR85FQNnzcAXZLMmPhQldkuRE4SLA=:gEnGL6hU/i+kYzxep6IfTh/zNx8JeA2xDTEP715hIeg=”], “Accept-Encoding”: [“gzip, deflate, br”], “User-Agent”: [“Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36”], “Accept-Language”: [“en-US,en;q=0.9,nl;q=0.8”], “Content-Length”: [“78”], “Sec-Fetch-Mode”: [“cors”], “Cookie”: [“__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; nc_username=admin; oc_sessionPassphrase=4UOIBkuPshICUK8uqzuzT3qn3x%2BlD3wWm8Tbu5chtEhytZ%2BJX1JBr%2FLxLJPHaPp1YRkMsAjcZ5pU96O9yxwQc5y7pvMFP5VYtsgFjnhWay3L591Cin9deguKUZwTP03p; ocgj81bndo6d=d68e8b8fc4584d7197f547f650defb6d; nc_token=ojNl%2FgVxVh4oMIM8h%2FeCM6Z0rKKHxlUk; nc_session_id=d68e8b8fc4584d7197f547f650defb6d”], “X-Forwarded-Host”: [“nextcloud.intrafit.nl”], “Sec-Fetch-Dest”: [“empty”], “Content-Type”: [“application/json;charset=UTF-8”], “Sec-Fetch-Site”: [“same-origin”], “X-Forwarded-Proto”: [“https”]}, “tls”: {“resumed”: false, “version”: 772, “cipher_suite”: 4865, “proto”: “h2”, “proto_mutual”: true, “server_name”: “nextcloud.roadrunner”}}, “method”: “POST”, “uri”: “/index.php”}
2021/02/23 18:23:33.663 DEBUG http.reverse_proxy.transport.fastcgi roundtrip {“request”: {“remote_addr”: “192.168.2.2:56382”, “proto”: “HTTP/2.0”, “method”: “POST”, “host”: “nextcloud.roadrunner:443”, “uri”: “/index.php”, “headers”: {“Requesttoken”: [“4X2gYswds0TBW1cR85FQNnzcAXZLMmPhQldkuRE4SLA=:gEnGL6hU/i+kYzxep6IfTh/zNx8JeA2xDTEP715hIeg=”], “Accept-Encoding”: [“gzip, deflate, br”], “Sec-Fetch-Mode”: [“cors”], “Cookie”: [“__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; nc_username=admin; oc_sessionPassphrase=4UOIBkuPshICUK8uqzuzT3qn3x%2BlD3wWm8Tbu5chtEhytZ%2BJX1JBr%2FLxLJPHaPp1YRkMsAjcZ5pU96O9yxwQc5y7pvMFP5VYtsgFjnhWay3L591Cin9deguKUZwTP03p; ocgj81bndo6d=d68e8b8fc4584d7197f547f650defb6d; nc_token=ojNl%2FgVxVh4oMIM8h%2FeCM6Z0rKKHxlUk; nc_session_id=d68e8b8fc4584d7197f547f650defb6d”], “User-Agent”: [“Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36”], “Accept-Language”: [“en-US,en;q=0.9,nl;q=0.8”], “Content-Length”: [“78”], “Sec-Fetch-Site”: [“same-origin”], “X-Forwarded-Proto”: [“https”], “X-Forwarded-Host”: [“nextcloud.intrafit.nl”], “Sec-Fetch-Dest”: [“empty”], “Content-Type”: [“application/json;charset=UTF-8”], “Origin”: [“https://nextcloud.intrafit.nl”], “Accept”: [“application/json, text/plain, /”], “X-Forwarded-For”: [“192.168.5.1, 192.168.2.2”]}, “tls”: {“resumed”: false, “version”: 772, “cipher_suite”: 4865, “proto”: “h2”, “proto_mutual”: true, “server_name”: “nextcloud.roadrunner”}}, “dial”: “127.0.0.1:9000”, “env”: {“AUTH_TYPE”:“”,“CONTENT_LENGTH”:“78”,“CONTENT_TYPE”:“application/json;charset=UTF-8”,“DOCUMENT_ROOT”:“/var/www/html”,“DOCUMENT_URI”:“/index.php”,“GATEWAY_INTERFACE”:“CGI/1.1”,“HTTPS”:“on”,“HTTP_ACCEPT”:“application/json, text/plain, /”,“HTTP_ACCEPT_ENCODING”:“gzip, deflate, br”,“HTTP_ACCEPT_LANGUAGE”:“en-US,en;q=0.9,nl;q=0.8”,“HTTP_CONTENT_LENGTH”:“78”,“HTTP_CONTENT_TYPE”:“application/json;charset=UTF-8”,“HTTP_COOKIE”:“__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; nc_username=admin; oc_sessionPassphrase=4UOIBkuPshICUK8uqzuzT3qn3x%2BlD3wWm8Tbu5chtEhytZ%2BJX1JBr%2FLxLJPHaPp1YRkMsAjcZ5pU96O9yxwQc5y7pvMFP5VYtsgFjnhWay3L591Cin9deguKUZwTP03p; ocgj81bndo6d=d68e8b8fc4584d7197f547f650defb6d; nc_token=ojNl%2FgVxVh4oMIM8h%2FeCM6Z0rKKHxlUk; nc_session_id=d68e8b8fc4584d7197f547f650defb6d”,“HTTP_HOST”:“nextcloud.roadrunner:443”,“HTTP_ORIGIN”:“https://nextcloud.intrafit.nl”,“HTTP_REQUESTTOKEN”:“4X2gYswds0TBW1cR85FQNnzcAXZLMmPhQldkuRE4SLA=:gEnGL6hU/i+kYzxep6IfTh/zNx8JeA2xDTEP715hIeg=”,“HTTP_SEC_FETCH_DEST”:“empty”,“HTTP_SEC_FETCH_MODE”:“cors”,“HTTP_SEC_FETCH_SITE”:“same-origin”,“HTTP_USER_AGENT”:“Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36”,“HTTP_X_FORWARDED_FOR”:“192.168.5.1, 192.168.2.2”,“HTTP_X_FORWARDED_HOST”:“nextcloud.intrafit.nl”,“HTTP_X_FORWARDED_PROTO”:“https”,“PATH_INFO”:“/apps/richdocuments/ajax/admin.php”,“PATH_TRANSLATED”:“/var/www/html/apps/richdocuments/ajax/admin.php”,“QUERY_STRING”:“”,“REMOTE_ADDR”:“192.168.2.2”,“REMOTE_HOST”:“192.168.2.2”,“REMOTE_IDENT”:“”,“REMOTE_PORT”:“56382”,“REMOTE_USER”:“”,“REQUEST_METHOD”:“POST”,“REQUEST_SCHEME”:“https”,“REQUEST_URI”:“/index.php/apps/richdocuments/ajax/admin.php”,“SCRIPT_FILENAME”:“/var/www/html/index.php”,“SCRIPT_NAME”:“/index.php”,“SERVER_NAME”:“nextcloud.roadrunner”,“SERVER_PORT”:“443”,“SERVER_PROTOCOL”:“HTTP/2.0”,“SERVER_SOFTWARE”:“Caddy/v2.4.0-beta.1”,“SSL_CIPHER”:“TLS_AES_128_GCM_SHA256”,“SSL_PROTOCOL”:“TLSv1.3”,“front_controller_active”:“true”}}
2021/02/23 18:23:33.773 DEBUG http.handlers.reverse_proxy upstream roundtrip {“upstream”: “127.0.0.1:9000”, “request”: {“remote_addr”: “192.168.2.2:56382”, “proto”: “HTTP/2.0”, “method”: “POST”, “host”: “nextcloud.roadrunner:443”, “uri”: “/index.php”, “headers”: {“Accept-Encoding”: [“gzip, deflate, br”], “Requesttoken”: [“4X2gYswds0TBW1cR85FQNnzcAXZLMmPhQldkuRE4SLA=:gEnGL6hU/i+kYzxep6IfTh/zNx8JeA2xDTEP715hIeg=”], “Cookie”: [“__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; nc_username=admin; oc_sessionPassphrase=4UOIBkuPshICUK8uqzuzT3qn3x%2BlD3wWm8Tbu5chtEhytZ%2BJX1JBr%2FLxLJPHaPp1YRkMsAjcZ5pU96O9yxwQc5y7pvMFP5VYtsgFjnhWay3L591Cin9deguKUZwTP03p; ocgj81bndo6d=d68e8b8fc4584d7197f547f650defb6d; nc_token=ojNl%2FgVxVh4oMIM8h%2FeCM6Z0rKKHxlUk; nc_session_id=d68e8b8fc4584d7197f547f650defb6d”], “User-Agent”: [“Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36”], “Accept-Language”: [“en-US,en;q=0.9,nl;q=0.8”], “Content-Length”: [“78”], “Sec-Fetch-Mode”: [“cors”], “X-Forwarded-Proto”: [“https”], “X-Forwarded-Host”: [“nextcloud.intrafit.nl”], “Sec-Fetch-Dest”: [“empty”], “Content-Type”: [“application/json;charset=UTF-8”], “Sec-Fetch-Site”: [“same-origin”], “Accept”: [“application/json, text/plain, /”], “X-Forwarded-For”: [“192.168.5.1, 192.168.2.2”], “Origin”: [“https://nextcloud.intrafit.nl”]}, “tls”: {“resumed”: false, “version”: 772, “cipher_suite”: 4865, “proto”: “h2”, “proto_mutual”: true, “server_name”: “nextcloud.roadrunner”}}, “duration”: 0.109904529, “headers”: {“Status”: [“500 Internal Server Error”], “X-Powered-By”: [“PHP/7.4.14”], “X-Frame-Options”: [“SAMEORIGIN”], “X-Xss-Protection”: [“1; mode=block”], “Cache-Control”: [“no-cache, no-store, must-revalidate”], “Feature-Policy”: [“autoplay ‘none’;camera ‘none’;fullscreen ‘none’;geolocation ‘none’;microphone ‘none’;payment ‘none’”], “Pragma”: [“no-cache”], “Referrer-Policy”: [“no-referrer”], “X-Content-Type-Options”: [“nosniff”], “X-Download-Options”: [“noopen”], “X-Permitted-Cross-Domain-Policies”: [“none”], “X-Robots-Tag”: [“none”], “Content-Security-Policy”: [“default-src ‘none’;base-uri ‘none’;manifest-src ‘self’;frame-ancestors ‘none’”], “Content-Length”: [“78”], “Expires”: [“Thu, 19 Nov 1981 08:52:00 GMT”], “Content-Type”: [“application/json; charset=utf-8”]}, “status”: 500}
2021/02/23 18:23:37.514 INFO admin.api received request {“method”: “POST”, “host”: “localhost:2019”, “uri”: “/stop”, “remote_addr”: “127.0.0.1:58516”, “headers”: {“Accept-Encoding”:[“gzip”],“Content-Length”:[“0”],“Origin”:[“localhost:2019”],“User-Agent”:[“Go-http-client/1.1”]}}
2021/02/23 18:23:37.515 WARN admin.api exiting; byeee!!
2021/02/23 18:23:38.516 INFO tls.cache.maintenance stopped background certificate maintenance {“cache”: “0xc000227dc0”}
2021/02/23 18:23:39.018 INFO admin stopped previous server {“address”: “tcp/localhost:2019”}
2021/02/23 18:23:39.019 INFO admin.api shutdown complete {“exit_code”: 0}
root@RJ-TestDocker ~/nextcloud_new#

edit3: should you wonder; IP 192.168.5.1 is the internet router.

Rob789 · February 24, 2021, 3:03pm

Nevermind the above post. It’s working now. I messed up the DNS config during the troubleshooting.

system · March 24, 2021, 10:47pm

This topic was automatically closed after 30 days. New replies are no longer allowed.