No response for "curl localhost" with fresh caddy installation

1. Caddy version (caddy version):

v2.1.1

2. How I run Caddy:

systemd service content:

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target

[Service]
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

a. System environment:

openSUSE Leap server 15.2 installed in a virtualbox

b. Command:

curl http://localhost

c. Service/unit/compose file:

    [Unit]
    Description=Caddy
    Documentation=https://caddyserver.com/docs/
    After=network.target

    [Service]
    User=caddy
    Group=caddy
    ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
    ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
    TimeoutStopSec=5s
    LimitNOFILE=1048576
    LimitNPROC=512
    PrivateTmp=true
    ProtectSystem=full
    AmbientCapabilities=CAP_NET_BIND_SERVICE

    [Install]
    WantedBy=multi-user.target

d. My complete Caddyfile or JSON config:

localhost

respond "Hello, world!"

3. The problem I’m having:

Following the tutorial of Caddy quickstart:

4. Error messages and/or full log output:

No response received from the command “curl http://localhost”

journalctl -u caddy results:

-- Reboot --
Aug 05 10:18:16 vbsuse systemd[1]: Started Caddy.
Aug 05 10:18:16 vbsuse caddy[1008]: caddy.HomeDir=/var/lib/caddy
Aug 05 10:18:16 vbsuse caddy[1008]: caddy.AppDataDir=/var/lib/caddy/.local/share/caddy
Aug 05 10:18:16 vbsuse caddy[1008]: caddy.AppConfigDir=/var/lib/caddy/.config/caddy
Aug 05 10:18:16 vbsuse caddy[1008]: caddy.ConfigAutosavePath=/var/lib/caddy/.config/caddy/autosave.json
Aug 05 10:18:16 vbsuse caddy[1008]: runtime.GOOS=linux
Aug 05 10:18:16 vbsuse caddy[1008]: runtime.GOARCH=amd64
Aug 05 10:18:16 vbsuse caddy[1008]: runtime.Compiler=gc
Aug 05 10:18:16 vbsuse caddy[1008]: runtime.NumCPU=1
Aug 05 10:18:16 vbsuse caddy[1008]: runtime.GOMAXPROCS=1
Aug 05 10:18:16 vbsuse caddy[1008]: runtime.Version=go1.14.5
Aug 05 10:18:16 vbsuse caddy[1008]: os.Getwd=/
Aug 05 10:18:16 vbsuse caddy[1008]: LANG=en_US.UTF-8
Aug 05 10:18:16 vbsuse caddy[1008]: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Aug 05 10:18:16 vbsuse caddy[1008]: HOME=/var/lib/caddy
Aug 05 10:18:16 vbsuse caddy[1008]: LOGNAME=caddy
Aug 05 10:18:16 vbsuse caddy[1008]: USER=caddy
Aug 05 10:18:16 vbsuse caddy[1008]: INVOCATION_ID=8291a9648efa4194b394f4da166b57bc
Aug 05 10:18:16 vbsuse caddy[1008]: JOURNAL_STREAM=9:19892
Aug 05 10:18:16 vbsuse caddy[1008]: {"level":"info","ts":1596593896.520891,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Aug 05 10:18:16 vbsuse caddy[1008]: {"level":"info","ts":1596593896.5216901,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["[::1]:2019","127.0.>
Aug 05 10:18:16 vbsuse caddy[1008]: {"level":"info","ts":1596593896.5217736,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","serv>
Aug 05 10:18:16 vbsuse caddy[1008]: {"level":"info","ts":1596593896.5217822,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
Aug 05 10:18:16 vbsuse caddy[1008]: {"level":"info","ts":1596593896.5608642,"logger":"tls","msg":"setting internal issuer for automation policy that has only internal subjects but no issuer configured","subjec>
Aug 05 10:18:16 vbsuse caddy[1008]: {"level":"info","ts":1596593896.561415,"logger":"tls","msg":"cleaned up storage units"}
Aug 05 10:18:16 vbsuse caddy[1008]: 2020/08/05 10:18:16 [INFO][cache:0xc00048c000] Started certificate maintenance routine
Aug 05 10:18:16 vbsuse caddy[1008]: {"level":"warn","ts":1596593896.779625,"logger":"pki.ca.local","msg":"installing root certificate (you might be prompted for password)","path":"storage:pki/authorities/local>
Aug 05 10:18:16 vbsuse caddy[1008]: 2020/08/05 10:18:16 not NSS security databases found
Aug 05 10:18:16 vbsuse caddy[1008]: 2020/08/05 10:18:16 define JAVA_HOME environment variable to use the Java trust
Aug 05 10:18:16 vbsuse caddy[1008]: {"level":"error","ts":1596593896.7803092,"logger":"pki.ca.local","msg":"failed to install root certificate","error":"install is not supported on this system","certificate_fi>
Aug 05 10:18:16 vbsuse caddy[1008]: {"level":"info","ts":1596593896.7805374,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["localhost"]}
Aug 05 10:18:16 vbsuse caddy[1008]: 2020/08/05 10:18:16 [WARNING] Stapling OCSP: no OCSP stapling for [localhost]: no OCSP server specified in certificate
Aug 05 10:18:16 vbsuse caddy[1008]: {"level":"info","ts":1596593896.781292,"msg":"autosaved config","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Aug 05 10:18:16 vbsuse caddy[1008]: {"level":"info","ts":1596593896.7814252,"msg":"serving initial configuration"}
Aug 05 10:18:16 vbsuse caddy[1008]: 2020/08/05 10:18:16 [INFO][localhost] Renew certificate; acquiring lock...
Aug 05 10:18:16 vbsuse caddy[1008]: 2020/08/05 10:18:16 [INFO][localhost] Renew: Lock acquired; proceeding...
Aug 05 10:18:16 vbsuse caddy[1008]: 2020/08/05 10:18:16 [INFO][localhost] Renew: -3h27m44.782301979s remaining
Aug 05 10:18:16 vbsuse caddy[1008]: 2020/08/05 10:18:16 [INFO][localhost] Certificate renewed successfully
Aug 05 10:18:16 vbsuse caddy[1008]: 2020/08/05 10:18:16 [INFO][localhost] Renew: Releasing lock
Aug 05 10:18:16 vbsuse caddy[1008]: 2020/08/05 10:18:16 [INFO] Reloading managed certificate for [localhost]
Aug 05 10:18:16 vbsuse caddy[1008]: 2020/08/05 10:18:16 [WARNING] Stapling OCSP: no OCSP stapling for [localhost]: no OCSP server specified in certificate
Aug 05 10:18:16 vbsuse caddy[1008]: 2020/08/05 10:18:16 [INFO] Replaced certificate in cache for [localhost] (new expiration date: 2020-08-05 14:18:16)
Aug 05 10:53:51 vbsuse caddy[1008]: 2020/08/05 10:53:51 http: TLS handshake error from 127.0.0.1:55530: local error: tls: bad record MAC

5. What I already tried:

In Caddyfile I tried “localhost” “localhost:80” “localhost:443”
I also tried the command “curl http:\localhost” and “curl https:\localhost”

6. Links to relevant resources:

Unfortunately your logs are truncated (the lines are much longer than that, you only grabbed what was visible on your screen).

Could you try again with curl -v instead? This will make the output more verbose.

It’s expected that curl http://localhost will return nothing, because by default Caddy will set up an HTTP->HTTPS redirect for localhost, but curl does not follow redirects unless you pass the -L option (short for Location, i.e. the name of the header used for redirects).

Please don’t forget to use ``` on the lines before and after your config and logs, I went ahead and updated your post to wrap your logs as such because it makes it much easier to read.


Thank you for the help. You are probably right about the http->https redirect.

I’d like to provide some background on why I’m doing this:
I’m learning basic Caddy setup to finally be able to set up a WordPress server with my own VPS. So I started with the online instructions on a virtual machine, as I have no knowledge of these things at all, except some Linux usage experience.

curl -v localhost shows

curl -v http://localhost
*   Trying 127.0.0.1:80...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: localhost
> User-Agent: curl/7.66.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://localhost/
< Server: Caddy
< Date: Wed, 05 Aug 2020 07:22:40 GMT
< Content-Length: 0
< 
* Closing connection 0

I can forget about the “curl…” thing, since my goal is to be able to see the Caddy-hosted page from my host machine browser with the address “http://10.0.0.2” (10.0.0.2 is the IP of the guest machine). At the moment, it does not work in the host browser either, with the error message:

This site can’t provide a secure connection
10.0.0.2 sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

That’s working as expected. You can see in the response:

This is Caddy telling curl it wants to trigger a redirect.

If you now try curl -vL localhost, you should see that it makes a first request to http://localhost, then will follow the redirect to https://localhost which should then show you the response Hello, world! at the bottom.

Sure. For a simple WordPress site, the config example right on the first page of the Caddyfile docs will be all you need!

You’ll need php-fpm installed to actually run the site. You should be able to figure out how to set that up pretty easily from the multitudes of guides online.

So you’re saying that your VPS has IP 10.0.0.2 on your private network? If you simply want to connect to a site that your VPS serves over HTTP (not HTTPS, with no domain), then your site label can just be :80

:80

respond "Hello World!"

By default, Caddy will configure localhost to be served over HTTPS with a locally trusted certificate, unless it’s explicitly told not to (i.e. http://localhost as the site label), or the site label is not something with which it can set up HTTPS (i.e. simply a port like :80).

I’m not sure in which direction to go at this point to help guide you forwards - let me know where you get stuck.

Hello, I seem to have understood your explanations, but after I have changed Caddyfile and curl command accordingly to use only http, it still redirected to https.

I changed the site url in Caddyfile to

:80

respond "Hello World!"

I then ran caddy adapt --config /etc/caddy/Caddyfile

Now if I do curl -vL http://localhost, I still get no response but error messages:

*   Trying 127.0.0.1:80...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: localhost
> User-Agent: curl/7.66.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://localhost/
< Server: Caddy
< Date: Wed, 05 Aug 2020 10:47:52 GMT
< Content-Length: 0
< 
* Closing connection 0
* Issue another request to this URL: 'https://localhost/'
*   Trying 127.0.0.1:443...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 1
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Finally, what’s wrong with the SSL certificate? Can it be solved as well if I do want to use https?

Yep, that’s expected.

Now the error you’re seeing is because Caddy failed to install the root certificate in your system’s trust store. When running with localhost, Caddy will attempt to set up its own certificate authority such that you can test things out locally with HTTPS.

You can see where this went wrong in your logs (which are unfortunately truncated):

I think this is because Caddy is running as the caddy user as per your service file, and that user doesn’t have permission to add something to the trust store. Therefore since the root certificate isn’t trusted, curl gives an error that it “failed to verify the legitimacy of the server”.

I’m not sure of the best way to work around that issue right now - I’ll need to get back to you on that.

Anyways this issue only applies if you’re setting up local HTTPS, and not if you try to run your site with a real domain (strongly recommended) or with HTTP (i.e. only port 80).
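
A way to triage the journal output discussed in this thread, added here as an example (not code from the thread or from the Caddy project): it counts pager-truncated JSON lines and maps the log messages the replies point to onto short finding codes. The sample lines are copied from the journal excerpt above; the function names and finding codes are assumptions of this example.

```python
import json
import re

# Four lines copied from the journal excerpt in this thread; the second one
# ends in '>' because the pager cut it off at the terminal width.
SAMPLE = """\
Aug 05 10:18:16 vbsuse caddy[1008]: {"level":"info","ts":1596593896.5217822,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
Aug 05 10:18:16 vbsuse caddy[1008]: {"level":"error","ts":1596593896.7803092,"logger":"pki.ca.local","msg":"failed to install root certificate","error":"install is not supported on this system","certificate_fi>
Aug 05 10:18:16 vbsuse caddy[1008]: {"level":"info","ts":1596593896.7805374,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["localhost"]}
Aug 05 10:53:51 vbsuse caddy[1008]: 2020/08/05 10:53:51 http: TLS handshake error from 127.0.0.1:55530: local error: tls: bad record MAC
"""

PREFIX = re.compile(r"^\w{3} \d{2} [\d:]{8} \S+ caddy\[\d+\]: (.*)$")
MSG_FIELD = re.compile(r'"msg":"((?:[^"\\]|\\.)*)"')
HANDSHAKE = re.compile(r"TLS handshake error from (\S+): (.*)$")

# Finding codes are names chosen for this example, keyed by Caddy's log message.
RULES = {
    "enabling automatic HTTP->HTTPS redirects": "http_redirect",       # the 308 curl saw
    "failed to install root certificate": "root_ca_not_installed",     # curl error 60
    "enabling automatic TLS certificate management": "auto_tls",
}


def parse_line(line):
    """Return (message, truncated) for a Caddy journal line, else None."""
    m = PREFIX.match(line)
    if not m:
        return None                      # e.g. "-- Reboot --" or pager residue
    payload = m.group(1)
    if not payload.startswith("{"):
        return payload, False            # plain-text line from the Go std logger
    try:
        return json.loads(payload).get("msg", ""), False
    except json.JSONDecodeError:
        # JSON cut off by the pager: recover the msg field if it survived.
        found = MSG_FIELD.search(payload)
        return (found.group(1) if found else ""), True


def triage(journal_text):
    """Summarise truncation and the TLS-relevant events in journal text."""
    findings, truncated = [], 0
    for line in journal_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        msg, cut = parsed
        truncated += cut
        if msg in RULES:
            findings.append(RULES[msg])
        hs = HANDSHAKE.search(msg)
        if hs:
            findings.append(f"tls_handshake_error {hs.group(1)} ({hs.group(2)})")
    return {"truncated_lines": truncated, "findings": findings}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

Capturing the journal with `journalctl -u caddy --no-pager` avoids the truncation in the first place, so every JSON line parses fully.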

Alright, we can leave it as it is for now since it doesn’t affect the real world situation. Much thanks for the help!
