Problems with certificate issue

1. The problem I’m having:

Hi.

  • Caddy is behind the LB (HAProxy)
  • LB is configured for TCP mode
  • Caddy is running inside Kubernetes
  • In our service we give users the opportunity to link any domain of theirs. To set up the domain, they specify the IP of our LB.

After starting Caddy, it tries to issue a certificate using an IP address as the domain name. This is the IP address (10.0.0.146) where Caddy is running. The backend returns an error, Caddy tries again, and so on endlessly.

{"level":"debug","time":"2023-11-15T08:54:03.268Z","logger":"tls","msg":"certificate issuance denied","ask_endpoint":"https://…/check-domain","domain":"10.0.0.146","error":"10.0.0.146: certificate not allowed by ask endpoint https://…/check-domain - non-2xx status code 400"}

HTTP works fine. HTTPS doesn’t work: no certificate is issued, and it keeps trying to verify 10.0.0.146.

2. Error messages and/or full log output:

{"level":"info","ts":1700037313.960676,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"info","time":"2023-11-15T08:35:13.964Z","logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","time":"2023-11-15T08:35:13.964Z","logger":"caddy.storage.s3","msg":"use secret_key and access_id for credentials"}
{"level":"warn","time":"2023-11-15T08:35:13.965Z","logger":"http.auto_https","msg":"automatic HTTP->HTTPS redirects are disabled","server_name":"srv1"}
{"level":"debug","time":"2023-11-15T08:35:13.965Z","logger":"http.auto_https","msg":"adjusted config","tls":{"automation":{"policies":[{"on_demand":true}],"on_demand":{"ask":"https://…/check-domain","rate_limit":{"interval":120000000000,"burst":5}}}},"http":{"servers":{"srv0":{"listen":[":3599"],"listener_wrappers":[{"timeout":5000000000,"wrapper":"proxy_protocol"},{"wrapper":"tls"}],"routes":[{"handle":[{"body":"http: Hello World!","handler":"static_response"}]}],"automatic_https":{"disable_redirects":true}},"srv1":{"listen":[":3600"],"listener_wrappers":[{"timeout":5000000000,"wrapper":"proxy_protocol"},{"wrapper":"tls"}],"routes":[{"handle":[{"handler":"reverse_proxy","headers":{"request":{"set":{"X-Real-Ip":["{http.reverse-proxy.upstream.address}"]}},"response":{"set":{"Strict-Transport-Security":["max-age=31536000;"]}}},"transport":{"protocol":"http","tls":{}},"upstreams":[{"dial":"…"}]}]}],"tls_connection_policies":[{}],"automatic_https":{"disable_redirects":true}}}}}
{"level":"info","time":"2023-11-15T08:35:13.965Z","logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0002d4000"}
{"level":"info","time":"2023-11-15T08:35:13.965Z","logger":"tls","msg":"cleaning storage unit","description":"S3 Storage Host: …, Bucket: …, Prefix: ssl-data"}
{"level":"info","time":"2023-11-15T08:35:13.965Z","logger":"http","msg":"enabling HTTP/3 listener","addr":":3600"}
{"level":"info","ts":1700037313.9656556,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
{"level":"debug","time":"2023-11-15T08:35:13.965Z","logger":"http","msg":"starting server loop","address":"[::]:3600","tls":true,"http3":true}
{"level":"info","time":"2023-11-15T08:35:13.965Z","logger":"http.log","msg":"server running","name":"srv1","protocols":["h1","h2","h3"]}
{"level":"debug","time":"2023-11-15T08:35:13.965Z","logger":"http","msg":"starting server loop","address":"[::]:3599","tls":false,"http3":false}
{"level":"info","time":"2023-11-15T08:35:13.965Z","logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"info","time":"2023-11-15T08:35:13.966Z","msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","time":"2023-11-15T08:35:13.966Z","msg":"serving initial configuration"}
{"level":"info","time":"2023-11-15T08:35:14.039Z","logger":"tls","msg":"finished cleaning storage units"}
{"level":"debug","time":"2023-11-15T08:35:14.354Z","logger":"events","msg":"event","name":"tls_get_certificate","id":"dbeed643-8a43-4012-af3a-1865da8c05e9","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"ServerName":"","SupportedCurves":[29,23,30,25,24,256,257,258,259,260],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,769,770,1026,1282,1538],"SupportedProtos":null,"SupportedVersions":[772,771],"Conn":{"Conn":{}}}}}
{"level":"debug","time":"2023-11-15T08:35:14.354Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"10.0.0.146"}
{"level":"debug","time":"2023-11-15T08:35:14.827Z","logger":"events","msg":"event","name":"tls_get_certificate","id":"a012f158-6632-4f61-8e0a-2dafd01342a3","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"ServerName":"","SupportedCurves":[29,23,30,25,24,256,257,258,259,260],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,769,770,1026,1282,1538],"SupportedProtos":null,"SupportedVersions":[772,771],"Conn":{"Conn":{}}}}}
{"level":"debug","time":"2023-11-15T08:35:14.827Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"10.0.0.146"}
{"level":"debug","time":"2023-11-15T08:35:15.593Z","logger":"http.stdlib","msg":"http: TLS handshake error from 10.0.0.146:41234: EOF"}
{"level":"debug","time":"2023-11-15T08:35:15.606Z","logger":"tls","msg":"response from ask endpoint","domain":"10.0.0.146","url":"https://…/check-domain?domain=10.0.0.146","status":400}
{"level":"debug","time":"2023-11-15T08:35:15.606Z","logger":"tls","msg":"certificate issuance denied","ask_endpoint":"https://…/check-domain","domain":"10.0.0.146","error":"10.0.0.146: certificate not allowed by ask endpoint https://…/check-domain - non-2xx status code 400"}
{"level":"debug","time":"2023-11-15T08:35:15.606Z","logger":"http.stdlib","msg":"http: TLS handshake error from 10.0.3.145:53072: certificate is not allowed for server name 10.0.0.146: decision func: 10.0.0.146: certificate not allowed by ask endpoint https://…/check-domain - non-2xx status code 400"}
{"level":"debug","time":"2023-11-15T08:35:15.607Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"10.0.0.146"}

3. Caddy version:

v2.7.5

4. How I installed and ran Caddy:

a. System environment:

Kubernetes / Docker

b. Command:

-

c. Service/unit/compose file:

-

d. My complete Caddy config:

{
  debug

  log {
    level DEBUG

    format filter {
      wrap json {
        time_key time
        time_format iso8601
      }
    }
  }

  servers {
    listener_wrappers {
      proxy_protocol {
        timeout 5s
      }

      tls
    }
  }

  auto_https disable_redirects

  storage s3 {
    …
  }

  on_demand_tls {
    ask      https://…/check-domain
    interval 2m
    burst    5
  }
}

:3599 {
  respond "http: Hello World!"
}

:3600 {
  tls {
    on_demand
  }

  reverse_proxy https://… {
    header_up X-Real-IP {http.reverse-proxy.upstream.address}
    header_down Strict-Transport-Security max-age=31536000;
  }
}


5. Links to relevant resources:

-

That’s because your downstream proxy (HAProxy) isn’t making a request to Caddy with SNI.

You should be able to configure HAProxy to set SNI for health checks and whatnot, which I assume is what that request came from.

Or you can set the default_sni global option to set one for requests that lack it. Use a domain you own/control.
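The logs above show what the `ask` endpoint sees when a handshake without SNI arrives: Caddy substitutes the listener's own IP as the identifier and calls `GET …/check-domain?domain=10.0.0.146`. As an added example, not from this thread or the Caddy project, here is the decision logic such an endpoint should apply, rejecting IP literals and malformed names outright and allowing only hostnames that users have actually linked; the `/check-domain` path and the `domain` query parameter come from the logs, while the linked-domain set and the listen port are constructed.

```python
# Added example: decision logic for a Caddy On-Demand TLS `ask` endpoint.
# Caddy issues a certificate only when this endpoint answers with a 2xx.
import ipaddress
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed sample: hostnames users have linked in our service. In
# production this would be a database lookup keyed by the normalized name.
LINKED_DOMAINS = {"customer-site.example", "www.customer-site.example"}

# One RFC 1123 hostname label: 1-63 chars, letters/digits/hyphen, no
# leading or trailing hyphen (input is lowercased before matching).
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize(raw: str) -> str:
    """Trim whitespace (one log line above shows 'domain= 10.0.0.146'),
    lowercase, and drop a single trailing dot (FQDN form)."""
    return raw.strip().lower().rstrip(".")


def is_ip_literal(name: str) -> bool:
    """True for IPv4/IPv6 literals, including bracketed IPv6 like [::1]."""
    try:
        ipaddress.ip_address(name.strip("[]"))
        return True
    except ValueError:
        return False


def is_valid_hostname(name: str) -> bool:
    """Syntactic check: <= 253 chars, at least two labels, each valid."""
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def decide(raw_domain: str) -> int:
    """Return the HTTP status Caddy should receive for this identifier.

    200 = allowed to issue; 400 = malformed or an IP literal (what a
    no-SNI handshake produces); 404 = well-formed but not linked by anyone.
    """
    name = normalize(raw_domain)
    if is_ip_literal(name) or not is_valid_hostname(name):
        return 400
    if name not in LINKED_DOMAINS:
        return 404
    return 200


class AskHandler(BaseHTTPRequestHandler):
    """GET /check-domain?domain=<name> -> status code from decide()."""

    def do_GET(self):
        url = urlparse(self.path)
        if url.path != "/check-domain":
            self.send_response(404)
            self.end_headers()
            return
        domain = parse_qs(url.query).get("domain", [""])[0]
        self.send_response(decide(domain))
        self.end_headers()


if __name__ == "__main__":
    # Bind to loopback only; reach it from Caddy over a private network.
    HTTPServer(("127.0.0.1", 8080), AskHandler).serve_forever()
```

With this logic an IP identifier is denied with 400 exactly as in the logs, and the retry loop is bounded only by Caddy's `interval`/`burst` rate limit, so the real fix remains getting the client to send SNI.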

Thank you. If I specify default_sni I get this:

{"level":"debug","time":"2023-11-15T10:33:56.065Z","logger":"events","msg":"event","name":"tls_get_certificate","id":"c829faf0-1265-466f-b58b-5ec89777879d","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"ServerName":"","SupportedCurves":[29,23,30,25,24,256,257,258,259,260],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,769,770,1026,1282,1538],"SupportedProtos":null,"SupportedVersions":[772,771],"Conn":{"Conn":{}}}}}
{"level":"debug","time":"2023-11-15T10:33:56.065Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"10.0.0.146"}
{"level":"debug","time":"2023-11-15T10:33:56.065Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"test.….com"}
{"level":"debug","time":"2023-11-15T10:33:56.075Z","logger":"tls","msg":"response from ask endpoint","domain":"10.0.0.146","url":"https://…/check-domain?domain= 10.0.0.146","status":400}
{"level":"debug","time":"2023-11-15T10:33:56.075Z","logger":"tls","msg":"certificate issuance denied","ask_endpoint":"https://…/check-domain","domain":"10.0.0.146","error":"10.0.0.146: certificate not allowed by ask endpoint https://…/check-domain - non-2xx status code 400"}
{"level":"debug","time":"2023-11-15T10:33:56.075Z","logger":"http.stdlib","msg":"http: TLS handshake error from 10.0.3.145:62950: certificate is not allowed for server name 10.0.0.146: decision func: 10.0.0.146: certificate not allowed by ask endpoint https://…/check-domain - non-2xx status code 400"}

As you can see, it now uses SNI by default, but for some reason not for all such requests. I’ll try to set SNI on HAProxy…

Full logs:

{"level":"debug","time":"2023-11-15T11:23:53.133Z","logger":"events","msg":"event","name":"tls_get_certificate","id":"3c9585e3-68e8-4318-b0a6-a306c95c8b36","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"ServerName":"","SupportedCurves":[29,23,30,25,24,256,257,258,259,260],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,769,770,1026,1282,1538],"SupportedProtos":null,"SupportedVersions":[772,771],"Conn":{"Conn":{}}}}}
{"level":"debug","time":"2023-11-15T11:23:53.133Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"10.0.3.18"}
{"level":"debug","time":"2023-11-15T11:23:53.133Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"test.….com"}
{"level":"debug","time":"2023-11-15T11:23:53.142Z","logger":"tls","msg":"response from ask endpoint","domain":"10.0.3.18","url":"https://…/check-domain?domain=10.0.3.18","status":400}
{"level":"debug","time":"2023-11-15T11:23:53.142Z","logger":"tls","msg":"certificate issuance denied","ask_endpoint":"https://…/check-domain","domain":"10.0.3.18","error":"10.0.3.18: certificate not allowed by ask endpoint https://…/check-domain - non-2xx status code 400"}
{"level":"debug","time":"2023-11-15T11:23:53.142Z","logger":"http.stdlib","msg":"http: TLS handshake error from 10.0.0.223:21292: certificate is not allowed for server name 10.0.3.18: decision func: 10.0.3.18: certificate not allowed by ask endpoint https://…/check-domain - non-2xx status code 400"}
{"level":"debug","time":"2023-11-15T11:23:54.082Z","logger":"events","msg":"event","name":"tls_get_certificate","id":"1985a9a7-0ee0-4ed9-8a6b-d6aea541bc59","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"ServerName":"","SupportedCurves":[29,23,30,25,24,256,257,258,259,260],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,769,770,1026,1282,1538],"SupportedProtos":null,"SupportedVersions":[772,771],"Conn":{"Conn":{}}}}}
{"level":"debug","time":"2023-11-15T11:23:54.082Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"10.0.3.18"}
{"level":"debug","time":"2023-11-15T11:23:54.082Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"test.….com"}
{"level":"debug","time":"2023-11-15T11:23:54.093Z","logger":"tls","msg":"response from ask endpoint","domain":"10.0.3.18","url":"https://…/check-domain?domain=10.0.3.18","status":400}
{"level":"debug","time":"2023-11-15T11:23:54.093Z","logger":"tls","msg":"certificate issuance denied","ask_endpoint":"https://…/check-domain","domain":"10.0.3.18","error":"10.0.3.18: certificate not allowed by ask endpoint https://…/check-domain - non-2xx status code 400"}
{"level":"debug","time":"2023-11-15T11:23:54.093Z","logger":"http.stdlib","msg":"http: TLS handshake error from 10.0.3.145:47446: certificate is not allowed for server name 10.0.3.18: decision func: 10.0.3.18: certificate not allowed by ask endpoint https://…/check-domain - non-2xx status code 400"}
{"level":"debug","time":"2023-11-15T11:23:54.146Z","logger":"events","msg":"event","name":"tls_get_certificate","id":"b39212ec-7057-4514-a233-687a07600496","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"ServerName":"","SupportedCurves":[29,23,30,25,24,256,257,258,259,260],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,769,770,1026,1282,1538],"SupportedProtos":null,"SupportedVersions":[772,771],"Conn":{"Conn":{}}}}}
{"level":"debug","time":"2023-11-15T11:23:54.146Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"10.0.3.18"}
{"level":"debug","time":"2023-11-15T11:23:54.146Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"test.….com"}
{"level":"debug","time":"2023-11-15T11:23:54.157Z","logger":"tls","msg":"response from ask endpoint","domain":"10.0.3.18","url":"https://…/check-domain?domain=10.0.3.18","status":400}
{"level":"debug","time":"2023-11-15T11:23:54.157Z","logger":"tls","msg":"certificate issuance denied","ask_endpoint":"https://…/check-domain","domain":"10.0.3.18","error":"10.0.3.18: certificate not allowed by ask endpoint https://…/check-domain - non-2xx status code 400"}
{"level":"debug","time":"2023-11-15T11:23:54.157Z","logger":"http.stdlib","msg":"http: TLS handshake error from 10.0.0.223:21294: certificate is not allowed for server name 10.0.3.18: decision func: 10.0.3.18: certificate not allowed by ask endpoint https://…/check-domain - non-2xx status code 400"}

Is it normal that Caddy does not try to ask for and issue a cert for test…com?

Yes, actually – that’s the current implementation: default_sni is only used for retrieving loaded certs from memory to serve, but not for obtaining new certificates.

That’s because the original feature request had that use case.

Your use case for default_sni is a little different.

We can consider using it for certificate issuance, but I’ll need to think about the implications.

@matt I just don’t understand why it doesn’t even try to issue a certificate for the correct domain?

{"level":"info","time":"2023-11-16T08:30:03.263Z","logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"10.40.25.221","remote_port":"55960","client_ip":"10.40.25.221","proto":"HTTP/1.1","method":"GET","host":"dmitryblohin.pro","uri":"/","headers":{"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],"If-Modified-Since":["Sat, 21 Oct 2023 00:11:12 GMT"],"Upgrade-Insecure-Requests":["1"],"Dnt":["1"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"],"Accept-Encoding":["gzip, deflate"],"Accept-Language":["en-US,en;q=0.9,ru;q=0.8"],"If-None-Match":["\"s2ur6oebt\""],"Connection":["keep-alive"],"Cache-Control":["max-age=0"]}},"bytes_read":0,"user_id":"","duration":0.000181251,"size":0,"status":304,"resp_headers":{"Server":["Caddy"],"Etag":["\"s2ur6oebt\""]}}

Full logs:

{"level":"debug","time":"2023-11-16T08:30:03.076Z","logger":"tls","msg":"certificate issuance denied","ask_endpoint":"https://…/check-domain","domain":"10.0.3.18","error":"10.0.3.18: certificate not allowed by ask endpoint https://…/check-domain - non-2xx status code 400"}
{"level":"debug","time":"2023-11-16T08:30:03.076Z","logger":"http.stdlib","msg":"http: TLS handshake error from 10.0.3.145:48566: certificate is not allowed for server name 10.0.3.18: decision func: 10.0.3.18: certificate not allowed by ask endpoint https://…/check-domain - non-2xx status code 400"}
{"level":"debug","time":"2023-11-16T08:30:03.263Z","logger":"http.handlers.file_server","msg":"sanitized path join","site_root":"/usr/share/caddy","request_path":"/","result":"/usr/share/caddy"}
{"level":"debug","time":"2023-11-16T08:30:03.263Z","logger":"http.handlers.file_server","msg":"located index file","filename":"/usr/share/caddy/index.html"}
{"level":"debug","time":"2023-11-16T08:30:03.263Z","logger":"http.handlers.file_server","msg":"opening file","filename":"/usr/share/caddy/index.html"}
{"level":"info","time":"2023-11-16T08:30:03.263Z","logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"10.40.25.221","remote_port":"55960","client_ip":"10.40.25.221","proto":"HTTP/1.1","method":"GET","host":"dmitryblohin.pro","uri":"/","headers":{"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],"If-Modified-Since":["Sat, 21 Oct 2023 00:11:12 GMT"],"Upgrade-Insecure-Requests":["1"],"Dnt":["1"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"],"Accept-Encoding":["gzip, deflate"],"Accept-Language":["en-US,en;q=0.9,ru;q=0.8"],"If-None-Match":["\"s2ur6oebt\""],"Connection":["keep-alive"],"Cache-Control":["max-age=0"]}},"bytes_read":0,"user_id":"","duration":0.000181251,"size":0,"status":304,"resp_headers":{"Server":["Caddy"],"Etag":["\"s2ur6oebt\""]}}
{"level":"debug","time":"2023-11-16T08:30:03.613Z","logger":"events","msg":"event","name":"tls_get_certificate","id":"76acce91-1bd1-4708-b3ee-514c01ee1368","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"ServerName":"","SupportedCurves":[29,23,30,25,24,256,257,258,259,260],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,769,770,1026,1282,1538],"SupportedProtos":null,"SupportedVersions":[772,771],"Conn":{"Conn":{}}}}}
{"level":"debug","time":"2023-11-16T08:30:03.613Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"10.0.3.18"}
{"level":"debug","time":"2023-11-16T08:30:03.632Z","logger":"tls","msg":"response from ask endpoint","domain":"10.0.3.18","url":"https://…/check-domain?domain=10.0.3.18","status":400}
{"level":"debug","time":"2023-11-16T08:30:03.632Z","logger":"tls","msg":"certificate issuance denied","ask_endpoint":"https://…/check-domain","domain":"10.0.3.18","error":"10.0.3.18: certificate not allowed by ask endpoint https://…/check-domain - non-2xx status code 400"}
{"level":"debug","time":"2023-11-16T08:30:03.632Z","logger":"http.stdlib","msg":"http: TLS handshake error from 10.0.0.223:51830: certificate is not allowed for server name 10.0.3.18: decision func: 10.0.3.18: certificate not allowed by ask endpoint https://…/check-domain - non-2xx status code 400"}
{"level":"debug","time":"2023-11-16T08:30:04.078Z","logger":"events","msg":"event","name":"tls_get_certificate","id":"d0ce106b-6c1d-4dc9-ac48-9971dd0bcbbf","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"ServerName":"","SupportedCurves":[29,23,30,25,24,256,257,258,259,260],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,769,770,1026,1282,1538],"SupportedProtos":null,"SupportedVersions":[772,771],"Conn":{"Conn":{}}}}}
{"level":"debug","time":"2023-11-16T08:30:04.078Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"10.0.3.18"}
{"level":"debug","time":"2023-11-16T08:30:04.100Z","logger":"tls","msg":"response from ask endpoint","domain":"10.0.3.18","url":"https://…/check-domain?domain=10.0.3.18","status":400}
{"level":"debug","time":"2023-11-16T08:30:04.100Z","logger":"tls","msg":"certificate issuance denied","ask_endpoint":"https://…/check-domain","domain":"10.0.3.18","error":"10.0.3.18: certificate not allowed by ask endpoint https://…/check-domain - non-2xx status code 400"}

Config:

{
  debug

  log {
    level DEBUG

    format filter {
      wrap json {
        time_key time
        time_format iso8601
      }
    }
  }

  servers {
    listener_wrappers {
      proxy_protocol {
        timeout 5s
      }

      tls
    }
  }

  auto_https disable_redirects

  on_demand_tls {
    ask      https://…/check-domain
    interval 2m
    burst    5
  }
}

:3599 {
  log {
    level DEBUG

    format filter {
      wrap json {
        time_key time
        time_format iso8601
      }
    }
  }

  root * /usr/share/caddy
  file_server
}

:3600 {
  log {
    level DEBUG

    format filter {
      wrap json {
        time_key time
        time_format iso8601
      }
    }
  }

  tls {
    on_demand
  }

  reverse_proxy https://… {
    header_up X-Real-IP {http.reverse-proxy.upstream.address}
    header_down Strict-Transport-Security max-age=31536000;
  }
}



Because, like he said, default_sni isn’t wired up to work with On-Demand TLS. I thought it was, but it isn’t.

Did you try to configure HAProxy to send SNI? It should be possible and trivial to do that.


Because the client isn’t sending a ServerName in the TLS handshake, and as Francis said, default_sni is only wired up to help with choosing a certificate that’s already in memory, not for on-demand or issuance.

It’s something we could change, but I’d definitely recommend seeing if you can get the client to send the ServerName (SNI) in the first place.

Thank you @matt @francislavoie :pray: I’ll try to set SNI on HAProxy.
