Reverse Proxy Config Getting ERR_SSL_PROTOCOL_ERROR

1. The problem I’m having:

Hi, I am getting ERR_SSL_PROTOCOL_ERROR when accessing any page on my reverse proxy. When I use curl, I get this result.

*   Trying 45.119.154.104:8443...
* Connected to minecraftkm.asuscomm.com (45.119.154.104) port 8443 (#0)
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
* schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.
* Closing connection 0
curl: (35) schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.

2. Error messages and/or full log output:

{"level":"info","ts":1679132143.6215494,"msg":"using adjacent Caddyfile"}
{"level":"warn","ts":1679132143.6225502,"msg":"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies","adapter":"caddyfile","file":"Caddyfile","line":2}
{"level":"info","ts":1679132143.6285508,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1679132143.6295326,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000226000"}
{"level":"info","ts":1679132143.6295326,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1679132143.6295326,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv1"}
{"level":"info","ts":1679132143.6305459,"logger":"http","msg":"enabling HTTP/3 listener","addr":":8443"}
{"level":"info","ts":1679132143.6305459,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"info","ts":1679132143.631535,"logger":"http","msg":"enabling HTTP/3 listener","addr":":8444"}
{"level":"info","ts":1679132143.631535,"logger":"http.log","msg":"server running","name":"srv1","protocols":["h1","h2","h3"]}
{"level":"info","ts":1679132143.631535,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1679132143.631535,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["minecraftkm.asuscomm.com"]}
{"level":"info","ts":1679132143.631535,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:C:\\Users\\Samuel Tee\\AppData\\Roaming\\Caddy"}
{"level":"info","ts":1679132143.632535,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1679132143.632535,"msg":"autosaved config (load with --resume flag)","file":"C:\\Users\\Samuel Tee\\AppData\\Roaming\\Caddy\\autosave.json"}
{"level":"info","ts":1679132143.632535,"msg":"serving initial configuration"}
{"level":"info","ts":1679132143.6395504,"logger":"tls.obtain","msg":"acquiring lock","identifier":"minecraftkm.asuscomm.com"}
{"level":"info","ts":1679132143.6456914,"logger":"tls.obtain","msg":"lock acquired","identifier":"minecraftkm.asuscomm.com"}
{"level":"info","ts":1679132143.6466682,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"minecraftkm.asuscomm.com"}
{"level":"info","ts":1679132144.827557,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["minecraftkm.asuscomm.com"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
{"level":"info","ts":1679132144.827557,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["minecraftkm.asuscomm.com"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
{"level":"info","ts":1679132145.2819724,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"minecraftkm.asuscomm.com","challenge_type":"http-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1679132156.1264706,"logger":"http.acme_client","msg":"challenge failed","identifier":"minecraftkm.asuscomm.com","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"45.119.154.104: Fetching http://minecraftkm.asuscomm.com/.well-known/acme-challenge/5u-1cEfTOMsxAcgW_S8jexkbLIHwQ64zCyVtX048ljs: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]}}
{"level":"error","ts":1679132156.1270115,"logger":"http.acme_client","msg":"validating authorization","identifier":"minecraftkm.asuscomm.com","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"45.119.154.104: Fetching http://minecraftkm.asuscomm.com/.well-known/acme-challenge/5u-1cEfTOMsxAcgW_S8jexkbLIHwQ64zCyVtX048ljs: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1015208057/170786880547","attempt":1,"max_attempts":3}
{"level":"info","ts":1679132157.6051261,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"minecraftkm.asuscomm.com","challenge_type":"tls-alpn-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1679132158.8602135,"logger":"http.acme_client","msg":"challenge failed","identifier":"minecraftkm.asuscomm.com","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]}}
{"level":"error","ts":1679132158.8606596,"logger":"http.acme_client","msg":"validating authorization","identifier":"minecraftkm.asuscomm.com","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1015208057/170786902327","attempt":2,"max_attempts":3}
{"level":"error","ts":1679132158.8615136,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"minecraftkm.asuscomm.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:unauthorized - Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge"}
{"level":"warn","ts":1679132158.8627477,"logger":"http","msg":"missing email address for ZeroSSL; it is strongly recommended to set one for next time"}
{"level":"info","ts":1679132160.4313283,"logger":"http","msg":"generated EAB credentials","key_id":"pDqXl--TmFe5Movao4JgTw"}
{"level":"info","ts":1679132162.1756687,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["minecraftkm.asuscomm.com"],"ca":"https://acme.zerossl.com/v2/DV90","account":""}
{"level":"info","ts":1679132162.1762345,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["minecraftkm.asuscomm.com"],"ca":"https://acme.zerossl.com/v2/DV90","account":""}
{"level":"info","ts":1679132163.8648388,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"minecraftkm.asuscomm.com","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"error","ts":1679132175.5259948,"logger":"http.acme_client","msg":"challenge failed","identifier":"minecraftkm.asuscomm.com","challenge_type":"http-01","problem":{"type":"","title":"","detail":"","instance":"","subproblems":[]}}
{"level":"error","ts":1679132175.5259948,"logger":"http.acme_client","msg":"validating authorization","identifier":"minecraftkm.asuscomm.com","problem":{"type":"","title":"","detail":"","instance":"","subproblems":[]},"order":"https://acme.zerossl.com/v2/DV90/order/mtoSedQLWuM46go1OveBnQ","attempt":1,"max_attempts":3}
{"level":"error","ts":1679132175.5265772,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"minecraftkm.asuscomm.com","issuer":"acme.zerossl.com-v2-DV90","error":"HTTP 0  - "}
{"level":"error","ts":1679132175.5265772,"logger":"tls.obtain","msg":"will retry","error":"[minecraftkm.asuscomm.com] Obtain: [minecraftkm.asuscomm.com] solving challenge: minecraftkm.asuscomm.com: [minecraftkm.asuscomm.com] authorization failed: HTTP 0  -  (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":31.8799087,"max_duration":2592000}
{"level":"info","ts":1679132235.537468,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"minecraftkm.asuscomm.com"}
{"level":"info","ts":1679132237.104419,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"minecraftkm.asuscomm.com","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1679132238.284125,"logger":"http.acme_client","msg":"challenge failed","identifier":"minecraftkm.asuscomm.com","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]}}
{"level":"error","ts":1679132238.2843885,"logger":"http.acme_client","msg":"validating authorization","identifier":"minecraftkm.asuscomm.com","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/93799474/7810273744","attempt":1,"max_attempts":3}
{"level":"info","ts":1679132239.7490246,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"minecraftkm.asuscomm.com","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1679132250.046415,"logger":"http.acme_client","msg":"challenge failed","identifier":"minecraftkm.asuscomm.com","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"45.119.154.104: Fetching http://minecraftkm.asuscomm.com/.well-known/acme-challenge/xGyJNS_kqbc0EDrudHuEBaosNnhMmHCDeVB-HwBr1vI: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]}}
{"level":"error","ts":1679132250.0470784,"logger":"http.acme_client","msg":"validating authorization","identifier":"minecraftkm.asuscomm.com","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"45.119.154.104: Fetching http://minecraftkm.asuscomm.com/.well-known/acme-challenge/xGyJNS_kqbc0EDrudHuEBaosNnhMmHCDeVB-HwBr1vI: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/93799474/7810274264","attempt":2,"max_attempts":3}
{"level":"error","ts":1679132250.047793,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"minecraftkm.asuscomm.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:connection - 45.119.154.104: Fetching http://minecraftkm.asuscomm.com/.well-known/acme-challenge/xGyJNS_kqbc0EDrudHuEBaosNnhMmHCDeVB-HwBr1vI: Timeout during connect (likely firewall problem)"}
{"level":"info","ts":1679132253.4974916,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"minecraftkm.asuscomm.com","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"error","ts":1679132266.138996,"logger":"http.acme_client","msg":"challenge failed","identifier":"minecraftkm.asuscomm.com","challenge_type":"http-01","problem":{"type":"","title":"","detail":"","instance":"","subproblems":[]}}
{"level":"error","ts":1679132266.1395974,"logger":"http.acme_client","msg":"validating authorization","identifier":"minecraftkm.asuscomm.com","problem":{"type":"","title":"","detail":"","instance":"","subproblems":[]},"order":"https://acme.zerossl.com/v2/DV90/order/5Ac3aTkKd_2GVVV98tMw-A","attempt":1,"max_attempts":3}
{"level":"error","ts":1679132266.1402748,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"minecraftkm.asuscomm.com","issuer":"acme.zerossl.com-v2-DV90","error":"HTTP 0  - "}
{"level":"error","ts":1679132266.140334,"logger":"tls.obtain","msg":"will retry","error":"[minecraftkm.asuscomm.com] Obtain: [minecraftkm.asuscomm.com] solving challenge: minecraftkm.asuscomm.com: [minecraftkm.asuscomm.com] authorization failed: HTTP 0  -  (ca=https://acme.zerossl.com/v2/DV90)","attempt":2,"retrying_in":120,"elapsed":122.4936655,"max_duration":2592000}
{"level":"info","ts":1679132347.9955878,"msg":"shutting down","signal":"SIGINT"}
{"level":"warn","ts":1679132347.995725,"msg":"exiting; byeee!! 👋","signal":"SIGINT"}
{"level":"info","ts":1679132348.0005145,"logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0xc000226000"}
{"level":"info","ts":1679132348.0005145,"logger":"tls.obtain","msg":"releasing lock","identifier":"minecraftkm.asuscomm.com"}
{"level":"info","ts":1679132348.0025349,"logger":"admin","msg":"stopped previous server","address":"localhost:2019"}
{"level":"info","ts":1679132348.0032532,"msg":"shutdown complete","signal":"SIGINT","exit_code":0}

3. Caddy version:

v2.6.3 h1:QRVBNIqfpqZ1eJacY44I6eUC1OcxQ8D04EKImzpj7S8=

4. How I installed and ran Caddy:

Downloaded from release from GitHub.

a. System environment:

Windows 10 Pro. Caddy Windows Executable.

b. Command:

caddy run

d. My complete Caddy config:

minecraftkm.asuscomm.com:8443 {
    route /mcmap* {
        reverse_proxy localhost:25540
    }

    route /navidrome* {
        reverse_proxy localhost:4533
    }

    route /ombi* {
        reverse_proxy localhost:3579
    }

    route /speedtest* {
        reverse_proxy localhost:3000
    }

    handle_path /requests* {
        redir https://minecraftkm.asuscomm.com:8444{uri}
    }

    file_server
}

minecraftkm.asuscomm.com:8444 {
    reverse_proxy localhost:5055
}

I have tried deleting the %appdata%/Caddy folder to clear whatever configuration Caddy stored and the result is still the same.

Caddy isn’t able to get certificates for your site. You need ports 80 and 443 open and port forwarded, and your ISP must allow traffic on those ports if you’re running a home server. If you use port 8443, you still need port 80 open to solve the ACME HTTP challenge. ACME CAs only support ports 80 and 443, exactly.

Hmm, weird how this was working for a few months, until the certificate expired and it stopped working. Am I supposed to just port forward 80 and 443 to the Caddy server? I have tried that and it still produces the same error.

I use port 443 for another application, so forwarding it to Caddy isn’t really an option, although I don’t mind doing it occasionally to generate the certificate.

Is there another way to bypass this? I don’t really need a certificate that’s valid. Just need something to make https work.

Okay, never mind. So my Asus router helps me get a certificate from Let’s Encrypt. All I have to do is use the tls directive to point Caddy to the cert.pem and key.pem files.

You could instead have that other service run on a different port, then proxy to it using Caddy.

I recommend using a subdomain for each service instead of subpaths as you currently have. It’s more flexible and reliable. See:

That’s fine too I guess. But Caddy’s ACME client is probably much higher quality.


Yeah, I wanted to use subdomains, but the problem is the asuscomm DDNS doesn’t allow subdomains D:. It’s a subdomain provided by my built-in Asus router.

I am currently running an SSTP VPN (SoftEther VPN) on port 443, so it’s not really the usual HTTPS traffic. I’m not sure how to reverse proxy that in Caddy.

At the moment, I’m trying to set up an OpenSpeedTest server and it doesn’t support changing the base URL. The solution I have right now is to use a new port for every application that doesn’t support changing the base URL :joy:, and make Caddy redirect /speedtest to that port instead. I’m thinking of getting into the whole header-rewriting thing, but it seems a bit advanced.

Eventually, I can get my own domain and use sub-domains and wouldn’t have this problem.

Caddy can do dynamic DNS for you with this plugin: https://github.com/mholt/caddy-dynamicdns (a Caddy app that keeps your DNS A/AAAA records pointed at itself).

You can use any domain name, you could get a free one from DuckDNS for example.

Ah, awkward. Well, you could move that to a different port anyway, I think; there shouldn’t be a hard requirement that your VPN uses port 443, it should be able to use any port.

But the ACME protocol has a hard requirement of port 80 or 443 if you use the HTTP or TLS-ALPN challenges. The DNS challenge doesn’t require that, though.

Also, using the default HTTP/HTTPS ports for your web server makes it much nicer to use in a web browser, because you don’t need to specify a port number when loading the site.
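For reference, here is an added example Caddyfile (not from this thread or the Caddy project) that puts the three certificate options discussed above side by side for exactly this situation: the site is served on 8443, port 443 is held by another service, and the router's own Let's Encrypt certificate is available on disk. The file paths, the DuckDNS domain and the DUCKDNS_API_TOKEN variable are assumptions; the route list is copied from the original config. Only one `tls` form may be active in a site block, so options B and C are left commented out.

```caddyfile
# Added example, not the thread author's config. Paths and the DuckDNS
# names below are assumptions; pick exactly one tls form per site.

(cert_policy) {
    # Option A (active): reuse the certificate the Asus router already
    # obtains. Caddy will not renew these files; the router must, and
    # Caddy must be restarted or reloaded after the router rotates them.
    # Assumed paths: forward slashes are accepted on Windows.
    tls C:/ProgramData/router-certs/cert.pem C:/ProgramData/router-certs/key.pem

    # Option B: keep Caddy's own ACME client with the HTTP-01 challenge.
    # Caddy still listens on :80 for the challenge even though the site
    # is on :8443, so the router must forward WAN 80 -> this host 80.
    # TLS-ALPN-01 can never succeed while the VPN owns 443 (the CA sees
    # "Cannot negotiate ALPN protocol acme-tls/1"), so disable it rather
    # than letting every order burn an attempt on it.
    # tls {
    #     issuer acme {
    #         disable_tlsalpn_challenge
    #     }
    # }

    # Option C: DNS-01 challenge, no inbound 80 or 443 required. Needs a
    # domain whose DNS you control (the asuscomm DDNS name does not
    # qualify) and a Caddy build that includes the provider module, e.g.
    #   xcaddy build --with github.com/caddy-dns/duckdns
    # The site address would then be something like myhome.duckdns.org.
    # tls {
    #     dns duckdns {env.DUCKDNS_API_TOKEN}
    # }
}

minecraftkm.asuscomm.com:8443 {
    import cert_policy

    route /mcmap* {
        reverse_proxy localhost:25540
    }

    route /navidrome* {
        reverse_proxy localhost:4533
    }

    route /ombi* {
        reverse_proxy localhost:3579
    }

    route /speedtest* {
        reverse_proxy localhost:3000
    }

    handle_path /requests* {
        redir https://minecraftkm.asuscomm.com:8444{uri}
    }

    # file_server with no root serves Caddy's current working directory,
    # which on Windows is wherever "caddy run" was launched from. Pin it
    # to a directory that contains only files meant to be public.
    root * C:/www/public
    file_server
}

minecraftkm.asuscomm.com:8444 {
    import cert_policy
    reverse_proxy localhost:5055
}
```

Before choosing option B, confirm from outside your own network that port 80 reaches Caddy; the CA's "Timeout during connect (likely firewall problem)" in the log above is already a report that it did not, and testing from inside the LAN can succeed or fail for unrelated hairpin-NAT reasons. With option A, Caddy's "automatic TLS certificate management" log line disappears for those hosts, which is expected: it is simply serving the files you gave it.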


Ah yeah, that’s true. The reason I use port 443 for the VPN server is to disguise my VPN traffic as HTTPS traffic. This allows me to bypass strong firewalls that block VPN access.
