1. The problem I’m having:
Hello everyone. I need to set up IPMI access to a server (I don’t have physical access to it, and I cannot modify its configuration) using a domain. The only information I have is its IP, and it’s in the same network as Caddy.
The IPMI itself has a self-signed certificate (other information can be seen in the curl logs), so I initially wanted to use tls_insecure_skip_verify (as I did in Proxmox) to solve my issue, but it didn't work.
The problem: Caddy returns a 502 error (details in the logs), and I tried the following:
- Switching to HTTP/1
- Changing TLS protocols
- Changing encryption algorithms
None of these helped. However, if I access it directly using curl, it works, and I run curl inside the Caddy container.
Please help, the error "remote error: tls: handshake failure" is completely uninformative to me.
Curl to direct ip with https inside caddy docker container
❯ curl -vk https://192.168.1.62 --output - | gunzip -c
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 192.168.1.62:443...
* Connected to 192.168.1.62 (192.168.1.62) port 443
* ALPN: curl offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [81 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [1055 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [262 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / AES256-SHA / UNDEF / UNDEF
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
* subject: C=US; ST=Georgia; L=Atlanta; O=American Megatrends Inc; OU=Service Processors; CN=AMI; emailAddress=support@ami.com
* start date: Jun 1 07:01:56 2016 GMT
* expire date: May 30 07:01:56 2026 GMT
* issuer: C=US; ST=Georgia; L=Atlanta; O=American Megatrends Inc; OU=Service Processors; CN=AMI; emailAddress=support@ami.com
* SSL certificate verify result: self-signed certificate (18), continuing anyway.
* Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/1.x
} [5 bytes data]
> GET / HTTP/1.1
> Host: 192.168.1.62
> User-Agent: curl/8.9.1
> Accept: */*
>
* Request completely sent off
{ [5 bytes data]
< HTTP/1.1 200 OK
< Content-Encoding: gzip
< X-Frame-Options: SAMEORIGIN
< Cache-Control: no-store, no-cache, must-revalidate, private
< Pragma: no-cache
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Content-Type: text/html
< Accept-Ranges: bytes
< ETag: "1429461342"
< Last-Modified: Thu, 01 Jan 1970 00:00:00 GMT
< Content-Length: 603
< Date: Wed, 11 Dec 2024 17:53:55 GMT
< Server: lighttpd
<
{ [5 bytes data]
100 603 100 603 0 0 1292 0 --:--:-- --:--:-- --:--:-- 1293
* Connection #0 to host 192.168.1.62 left intact
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<meta name="viewport" content="width=device-width,initial-scale=1">
<title>MegaRAC SPX</title>
<!-- Application styles. -->
<link rel="stylesheet" href="/styles.min.css">
<!-- HTML5 Shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
<!--[if lt IE 9]>
<script src="/libs/js/html5shiv.js"></script>
<script src="/libs/js/respond.min.js"></script>
<![endif]-->
</head>
<body>
<!-- Processing Icon container. -->
<div class="processing_bg_outer" id="processing_layout" style="display:none">
<div class="processing_bg_inner"></div>
</div>
<div class="processing_img_outer" id="processing_image" style="display:none">
<div>
<img class="processing_img_inner" src="images/loading.GIF">
</div>
<div class="processing_content">Processing ... </div>
</div>
<!-- Application container. -->
<main role="main" id="main"></main>
<!-- Application source. -->
<script data-main="/app/main" src="/source.min.js"></script>
</body>
</html>#
Curl to caddy domain
❯ curl -vk https://i1.homein.de
* Host i1.homein.de:443 was resolved.
* IPv6: (none)
* IPv4: 5.166.105.184
* Trying 5.166.105.184:443...
* Connected to i1.homein.de (5.166.105.184) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256 / X25519 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
* subject: CN=i1.homein.de
* start date: Dec 10 01:00:25 2024 GMT
* expire date: Mar 10 01:00:24 2025 GMT
* issuer: C=US; O=Let's Encrypt; CN=E5
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA384
* Certificate level 1: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://i1.homein.de/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: i1.homein.de]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.9.1]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: i1.homein.de
> User-Agent: curl/8.9.1
> Accept: */*
>
* Request completely sent off
< HTTP/2 502
< alt-svc: h3=":443"; ma=2592000
< server: Caddy
< content-length: 0
< date: Wed, 11 Dec 2024 17:59:39 GMT
<
* Connection #0 to host i1.homein.de left intact
2. Error messages and/or full log output:
caddy | {"level":"info","ts":1733939764.7246702,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
caddy | {"level":"info","ts":1733939764.7270849,"msg":"adapted config to JSON","adapter":"caddyfile"}
caddy | {"level":"info","ts":1733939764.7329395,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
caddy | {"level":"info","ts":1733939764.7357655,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
caddy | {"level":"debug","ts":1733939764.736301,"logger":"http.auto_https","msg":"adjusted config","tls":{"automation":{"policies":[{"subjects":["i1.homein.de"]},{}]}},"http":{"servers":{"remaining_auto_https_redirects":{"listen":[":80"],"routes":[{},{}]},"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","transport":{"protocol":"http","tls":{"insecure_skip_verify":true},"versions":["1"]},"upstreams":[{"dial":"192.168.1.62:443"}]}]}]}],"terminal":true}],"tls_connection_policies":[{"match":{"sni":["i1.homein.de"]},"cipher_suites":["TLS_AES_128_GCM_SHA256","TLS_CHACHA20_POLY1305_SHA256","TLS_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"],"protocol_min":"tls1.1","protocol_max":"tls1.2"},{}],"automatic_https":{}}}}}
caddy | {"level":"info","ts":1733939764.739072,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
caddy | {"level":"info","ts":1733939764.7404237,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 7168 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
caddy | {"level":"debug","ts":1733939764.740898,"logger":"http","msg":"starting server loop","address":"[::]:443","tls":true,"http3":true}
caddy | {"level":"info","ts":1733939764.741236,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
caddy | {"level":"warn","ts":1733939764.7413325,"logger":"http","msg":"HTTP/3 skipped because it requires TLS","network":"tcp","addr":":80"}
caddy | {"level":"debug","ts":1733939764.741612,"logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}
caddy | {"level":"warn","ts":1733939764.7419503,"logger":"http","msg":"HTTP/2 skipped because it requires TLS","network":"tcp","addr":":80"}
caddy | {"level":"info","ts":1733939764.7420619,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
caddy | {"level":"info","ts":1733939764.7421563,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["i1.homein.de"]}
caddy | {"level":"debug","ts":1733939764.7427523,"logger":"tls","msg":"loading managed certificate","domain":"i1.homein.de","expiration":1741568425,"issuer_key":"acme-v02.api.letsencrypt.org-directory","storage":"FileStorage:/data/caddy"}
caddy | {"level":"debug","ts":1733939764.743741,"logger":"tls.cache","msg":"added certificate to cache","subjects":["i1.homein.de"],"expiration":1741568425,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"8be3d2f298eb61278f46f04f19d422f8832bd5f820640ac5c9442d4f1df6063d","cache_size":1,"cache_capacity":10000}
caddy | {"level":"debug","ts":1733939764.7446318,"logger":"events","msg":"event","name":"cached_managed_cert","id":"634f6aaa-d95b-4fba-9757-24cc75db40ac","origin":"tls","data":{"sans":["i1.homein.de"]}}
caddy | {"level":"info","ts":1733939764.7449584,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
caddy | {"level":"info","ts":1733939764.7450464,"msg":"serving initial configuration"}
caddy | {"level":"info","ts":1733939764.7474809,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0000e2800"}
caddy | {"level":"info","ts":1733939764.7529278,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/data/caddy","instance":"08cf7d57-20cc-41f7-8082-fc1c01ca974b","try_again":1734026164.7529256,"try_again_in":86399.99999955}
caddy | {"level":"info","ts":1733939764.7530034,"logger":"tls","msg":"finished cleaning storage units"}
caddy | {"level":"debug","ts":1733939767.9077349,"logger":"events","msg":"event","name":"tls_get_certificate","id":"864f1de6-250f-4ba2-a422-8eaf108d2f0f","origin":"tls","data":{"client_hello":{"CipherSuites":[31354,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"i1.homein.de","SupportedCurves":[43690,4588,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[60138,772,771],"RemoteAddr":{"IP":"192.168.1.1","Port":49453,"Zone":""},"LocalAddr":{"IP":"192.168.1.102","Port":443,"Zone":""}}}}
caddy | {"level":"debug","ts":1733939767.907949,"logger":"tls.handshake","msg":"choosing certificate","identifier":"i1.homein.de","num_choices":1}
caddy | {"level":"debug","ts":1733939767.9079592,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"i1.homein.de","subjects":["i1.homein.de"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"8be3d2f298eb61278f46f04f19d422f8832bd5f820640ac5c9442d4f1df6063d"}
caddy | {"level":"debug","ts":1733939767.9079723,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"192.168.1.1","remote_port":"49453","subjects":["i1.homein.de"],"managed":true,"expiration":1741568425,"hash":"8be3d2f298eb61278f46f04f19d422f8832bd5f820640ac5c9442d4f1df6063d"}
caddy | {"level":"debug","ts":1733939770.9103293,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.1.62:443","total_upstreams":1}
caddy | {"level":"debug","ts":1733939770.9731522,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.1.62:443","duration":0.06270778,"request":{"remote_ip":"192.168.1.1","remote_port":"49453","client_ip":"192.168.1.1","proto":"HTTP/2.0","method":"GET","host":"i1.homein.de","uri":"/","headers":{"Sec-Fetch-User":["?1"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],"Cache-Control":["max-age=0"],"X-Forwarded-For":["192.168.1.1"],"X-Forwarded-Proto":["https"],"Upgrade-Insecure-Requests":["1"],"Sec-Fetch-Mode":["navigate"],"Accept-Language":["ru,en;q=0.9,en-GB;q=0.8,en-US;q=0.7"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Ch-Ua":["\"Microsoft Edge\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\""],"Sec-Fetch-Site":["none"],"X-Forwarded-Host":["i1.homein.de"],"Sec-Fetch-Dest":["document"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0"],"Priority":["u=0, i"],"Accept-Encoding":["gzip, deflate, br, zstd"]},"tls":{"resumed":false,"version":771,"cipher_suite":49195,"proto":"h2","server_name":"i1.homein.de"}},"error":"remote error: tls: handshake failure"}
caddy | {"level":"error","ts":1733939770.9733064,"logger":"http.log.error","msg":"remote error: tls: handshake failure","request":{"remote_ip":"192.168.1.1","remote_port":"49453","client_ip":"192.168.1.1","proto":"HTTP/2.0","method":"GET","host":"i1.homein.de","uri":"/","headers":{"Sec-Ch-Ua-Mobile":["?0"],"Cache-Control":["max-age=0"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Accept-Encoding":["gzip, deflate, br, zstd"],"Accept-Language":["ru,en;q=0.9,en-GB;q=0.8,en-US;q=0.7"],"Sec-Fetch-Site":["none"],"Sec-Ch-Ua":["\"Microsoft Edge\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\""],"Priority":["u=0, i"],"Sec-Fetch-Mode":["navigate"],"Upgrade-Insecure-Requests":["1"],"Sec-Fetch-User":["?1"],"Sec-Fetch-Dest":["document"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0"]},"tls":{"resumed":false,"version":771,"cipher_suite":49195,"proto":"h2","server_name":"i1.homein.de"}},"duration":0.062943855,"status":502,"err_id":"pmijujmrb","err_trace":"reverseproxy.statusError (reverseproxy.go:1358)"}
3. Caddy version:
v2.8.4 h1:q3pe0wpBj1OcHFZ3n/1nl4V4bxBrYoSoab7rL9BMYNk=
4. How I installed and ran Caddy:
Docker compose
a. System environment:
❯ uname -a && docker -v
Linux caddy 6.6.63-0-lts #1-Alpine SMP PREEMPT_DYNAMIC Mon, 25 Nov 2024 09:44:20 +0000 x86_64 Linux
Docker version 25.0.5, build d260a54c81efcc3f00fe67dee78c94b16c2f8692
b. Command:
docker-compose up -d
c. Service/unit/compose file:
services:
  caddy:
    container_name: caddy
    image: caddy:latest
    restart: unless-stopped
    network_mode: host
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - ./caddy_data:/data
      - ./caddy_config:/config
      - ./caddy_logs:/var/log/caddy
d. My complete Caddy config:
{
	debug
	log debug {
		output stdout
		format console
		include http.log.access
	}
}

i1.homein.de {
	reverse_proxy 192.168.1.62:443 {
		transport http {
			versions 1
			tls_insecure_skip_verify
		}
	}
	tls {
		protocols tls1.1 tls1.2 tls1.3 ssl3.0
		ciphers TLS_AES_128_GCM_SHA256 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_CHA
	}
}
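Two details in the post point at where the handshake breaks, and the example below reproduces them locally. First, the `tls { protocols ... ciphers ... }` block in the site only shapes the policy Caddy applies to browsers connecting to it: the adapted JSON in the log shows those values under `tls_connection_policies`, while the upstream dial to `192.168.1.62:443` carries only `insecure_skip_verify` and `versions`, so changing protocols and ciphers there cannot affect the connection to the BMC. Second, curl reached the BMC with `AES256-SHA`, which in IANA naming is `TLS_RSA_WITH_AES_256_CBC_SHA`: static RSA key exchange (note there is no `Server key exchange (12)` message in that trace, unlike the trace against Caddy). Go 1.22 removed the RSA-key-exchange suites from its default client list (they can be restored with `GODEBUG=tlsrsakex=1`), so a Caddy build on Go 1.22 or newer will not offer the only suite this appliance accepts and the BMC answers with a `handshake_failure` alert, which Go reports as exactly "remote error: tls: handshake failure". That the `caddy:latest` image in question is built with Go 1.22 or newer is an assumption on my part; the program below is an added diagnostic, not Caddy's code or anything from the original post. It starts a loopback TLS server that mimics the BMC (TLS 1.2 only, static-RSA suite only, throwaway self-signed RSA certificate) and then handshakes against it the way Caddy's transport does, with verification skipped, using three suite lists: Go's defaults, an ECDHE-only list, and the static-RSA suite.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// Suite lists used by the probes. curl's OpenSSL name AES256-SHA is
// TLS_RSA_WITH_AES_256_CBC_SHA in crypto/tls naming.
var (
	modernOnly = []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256} // forward-secret ECDHE only
	legacyRSA  = []uint16{tls.TLS_RSA_WITH_AES_256_CBC_SHA}          // static RSA key exchange
)

// selfSignedRSA makes a throwaway self-signed RSA certificate standing in for the
// appliance's AMI-issued one (constructed here; not the real certificate).
func selfSignedRSA() (tls.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "AMI"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// startLegacyServer listens on a loopback port and behaves like the BMC in the
// curl trace: TLS 1.2 at most, and only the static-RSA suite. Each accepted
// connection is driven through the handshake and then closed.
func startLegacyServer() (net.Listener, error) {
	cert, err := selfSignedRSA()
	if err != nil {
		return nil, err
	}
	cfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12,
		CipherSuites: legacyRSA,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() {
				defer c.Close()
				_ = c.(*tls.Conn).Handshake() // sends handshake_failure when no suite matches
			}()
		}
	}()
	return ln, nil
}

// probe handshakes with addr the way Caddy's reverse_proxy transport does
// (verification skipped, as tls_insecure_skip_verify), offering suites; nil
// means Go's default list, which is what Caddy sends upstream. It returns the
// negotiated suite name or the handshake error.
func probe(addr string, suites []uint16) (string, error) {
	cfg := &tls.Config{InsecureSkipVerify: true, CipherSuites: suites}
	d := &net.Dialer{Timeout: 5 * time.Second}
	conn, err := tls.DialWithDialer(d, "tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return tls.CipherSuiteName(conn.ConnectionState().CipherSuite), nil
}

// isHandshakeFailure matches the peer's handshake_failure alert, which Go
// surfaces as the exact string Caddy logged.
func isHandshakeFailure(err error) bool {
	return err != nil && strings.Contains(err.Error(), "remote error: tls: handshake failure")
}

func main() {
	ln, err := startLegacyServer()
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	addr := ln.Addr().String()
	cases := []struct {
		name   string
		suites []uint16
	}{
		{"Go defaults (what Caddy offers)", nil}, // fails on Go 1.22+; works with GODEBUG=tlsrsakex=1
		{"ECDHE only", modernOnly},
		{"static RSA suite", legacyRSA},
	}
	for _, c := range cases {
		got, err := probe(addr, c.suites)
		fmt.Printf("%-34s -> %s %v\n", c.name, got, err)
	}
}
```

Run it with `go run .` and once more with `GODEBUG=tlsrsakex=1 go run .`: the first probe flips from the handshake failure to a successful `TLS_RSA_WITH_AES_256_CBC_SHA` negotiation, which is the same switch a Caddy container would need (an `environment:` entry of `GODEBUG=tlsrsakex=1` in the compose service, an assumption to verify against your image's Go version with `caddy version`). Static RSA key exchange has no forward secrecy, so keep that setting scoped to this one Caddy instance, and once the proxy works, prefer pinning the BMC's own certificate with the transport's `tls_trusted_ca_certs` option over `tls_insecure_skip_verify`, so that a spoofed host on the LAN cannot stand in for the management interface.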