Ah, very sorry, that is my template for how I generate my Caddyfiles. Updated it to represent an example.
The output of `curl -v https://api.name.kube.example.com` looks like…
```
Trying 130.61.92.35:443...
* TCP_NODELAY set
* Connected to api.name.kube.example.com (130.61.92.35) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=api.athena.k8s.erpf.de
* start date: May 2 17:08:47 2022 GMT
* expire date: Jul 31 17:08:46 2022 GMT
* subjectAltName: host "api.name.kube.example.com" matched cert's "api.name.kube.example.com"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5631ec4aa800)
> GET / HTTP/2
> Host: api.name.kube.example.com
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 403
< audit-id: 5a49ee54-c7a4-436a-9d95-797e2e3fa049
< cache-control: no-cache, private
< content-type: application/json
< date: Wed, 04 May 2022 18:47:40 GMT
< server: Caddy
< x-content-type-options: nosniff
< x-kubernetes-pf-flowschema-uid: 2c8cb18e-abdb-4777-9796-ce893501080d
< x-kubernetes-pf-prioritylevel-uid: 4614b8ed-a4b7-47f0-9e57-950bc7b07054
< content-length: 217
<
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
"reason": "Forbidden",
"details": {},
"code": 403
* Connection #0 to host api.name.kube.example.com left intact
```
and the appropriate log output is…
```
{"level":"error","ts":1651690060.5785034,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_addr":"130.61.92.35:58974","proto":"HTTP/2.0","method":"GET","host":"api.name.kube.example.com","uri":"/","headers":{"User-Agent":["curl/7.68.0"],"Accept":["*/*"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","proto_mutual":true,"server_name":"api.name.kube.example.com"}},"common_log":"130.61.92.35 - - [04/May/2022:18:47:40 +0000] \"GET / HTTP/2.0\" 403 217","user_id":"","duration":3.142099836,"size":217,"status":403,"resp_headers":{"Server":["Caddy"],"X-Content-Type-Options":["nosniff"],"X-Kubernetes-Pf-Prioritylevel-Uid":["4614b8ed-a4b7-47f0-9e57-950bc7b07054"],"Content-Length":["217"],"Cache-Control":["no-cache, private"],"X-Kubernetes-Pf-Flowschema-Uid":["2c8cb18e-abdb-4777-9796-ce893501080d"],"Date":["Wed, 04 May 2022 18:47:40 GMT"],"Audit-Id":["5a49ee54-c7a4-436a-9d95-797e2e3fa049"],"Content-Type":["application/json"]}}
```
The JSON I get in return actually looks like the HTTPS request reaches the Kubernetes API.
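As an added example (not from the post above and not Caddy's or Kubernetes' own code), a small Python helper that parses Caddy's JSON access log, decodes the numeric `tls.version` / `tls.cipher_suite` fields into the names curl prints (772 is TLS 1.3, 4865 is TLS_AES_128_GCM_SHA256, as the two outputs above line up), and picks out 403s whose response headers prove the upstream was the kube-apiserver, keeping the `Audit-Id` so the request can be matched against the API server's own audit log. The two sample log lines are constructed, modelled on the one in the post.

```python
import json

# Numeric codes as Caddy logs them (Go crypto/tls constants): version 0x0304 == 772 is TLS 1.3,
# cipher suite 0x1301 == 4865 is TLS_AES_128_GCM_SHA256, 0xC02F == 49199 is ECDHE-RSA AES-128-GCM.
TLS_VERSIONS = {769: "TLS 1.0", 770: "TLS 1.1", 771: "TLS 1.2", 772: "TLS 1.3"}
CIPHER_SUITES = {
    4865: "TLS_AES_128_GCM_SHA256",
    4866: "TLS_AES_256_GCM_SHA384",
    4867: "TLS_CHACHA20_POLY1305_SHA256",
    49199: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

# Constructed sample lines (not real traffic): a 403 answered by the kube-apiserver upstream,
# and a 200 from an ordinary site behind the same Caddy, for contrast.
SAMPLE_LINES = [
    '{"level":"error","ts":1651690060.57,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_addr":"130.61.92.35:58974","proto":"HTTP/2.0","method":"GET","host":"api.name.kube.example.com","uri":"/","headers":{"User-Agent":["curl/7.68.0"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"api.name.kube.example.com"}},"status":403,"size":217,"resp_headers":{"Server":["Caddy"],"X-Kubernetes-Pf-Flowschema-Uid":["2c8cb18e-abdb-4777-9796-ce893501080d"],"Audit-Id":["5a49ee54-c7a4-436a-9d95-797e2e3fa049"],"Content-Type":["application/json"]}}',
    '{"level":"info","ts":1651690061.10,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_addr":"198.51.100.7:40112","proto":"HTTP/1.1","method":"GET","host":"www.example.com","uri":"/index.html","headers":{},"tls":{"resumed":true,"version":771,"cipher_suite":49199,"proto":"http/1.1","server_name":"www.example.com"}},"status":200,"size":1024,"resp_headers":{"Server":["Caddy"],"Content-Type":["text/html"]}}',
]


def parse_caddy_access_log(line):
    """Flatten one Caddy JSON access-log line into the fields useful for triage."""
    rec = json.loads(line)
    req = rec["request"]
    tls = req.get("tls", {})
    resp_headers = rec.get("resp_headers", {})
    return {
        # remote_addr is "ip:port"; strip the ephemeral port
        "remote_addr": req["remote_addr"].rsplit(":", 1)[0],
        "method": req["method"],
        "uri": req["uri"],
        "status": rec["status"],
        "tls_version": TLS_VERSIONS.get(tls.get("version"), f"unknown({tls.get('version')})"),
        "cipher_suite": CIPHER_SUITES.get(tls.get("cipher_suite"), f"unknown({tls.get('cipher_suite')})"),
        # kube-apiserver sets Audit-Id on every response; the same id appears in its audit log
        "audit_id": resp_headers.get("Audit-Id", [None])[0],
        # the Priority-and-Fairness headers only come from a kube-apiserver upstream
        "upstream_is_kube_apiserver": "X-Kubernetes-Pf-Flowschema-Uid" in resp_headers,
    }


def find_kube_api_forbidden(lines):
    """Return parsed records for 403s that were actually answered by the kube-apiserver."""
    return [r for r in map(parse_caddy_access_log, lines)
            if r["status"] == 403 and r["upstream_is_kube_apiserver"]]
```

Feed it the real access log (one JSON object per line) to see which forbidden responses are the API server refusing an unauthenticated proxied request, as opposed to Caddy itself or another upstream.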