Trying to enable client authentication with tls directive. The website is on the localhost and the authentication works if I use “localhost” in the browser URL (https://localhost:443). If I try to use the IP address (https://192.168.1.23:443) the certificate verifies but no web page presents. The output of caddy explains that “strict host matching: TLS ServerName() and HTTP Host (192.168.1.23) values differ” How do I get the TLS Server Name to match or how do I disable strict host matching with client authentication?
When you enable client auth, it implicitly enables strict SNI host matching. A comment in the code explains why:
So your request needs to exactly match the name in the server certificate. If your certificate is for localhost but you make a request with an IP address, that won’t work.
Also, it looks like you’re missing a closing } for the tls directive.
Sir–thank you for the response. I knew that Strict SNI was enabled by following the go code as well as forum discussions. But I figured I could map/rewrite/force the Host name or the TLS ServerName to be equal to each other through some caddyfile directive.
Or, for now, since I am generating self signed certificates for the server it would be fine to know what openssl generation setting I’d need to set to make the TLS ServerName equal to the host IP address entered into the browser if that is possible. Changing the cert CN didn’t seem to change anything so I am not sure what caddy is expecting to match against when I enter the IP address as the URL in the browser and how I can make that work through some technique
Thank you for the response. Yes, I was thinking so but I was having trouble adding a SAN extension to the certificate with openssl. I also wonder if SAN can be an IP address or does it have to be a domain or name. I will give it another look. Thanks again.
I have verified that my server certificate has the IP address as an alternative name but I still get the same error when I use the IP address as the URL:
“strict host matching: TLS ServerName() and HTTP Host (172.16.10.37) values differ”
But the server certificate used by caddy now has this output when I issue this command:
openssl x509 -noout -text -in server.pem | grep -A 1 “Subject Alternative Name”
X509v3 Subject Alternative Name:
IP Address:172.16.10.37
So I believe that the Server Name should be known by it’s IP address but Caddy still cannot find it. What server cert attribute should I be using to inform caddy that the server IP address is the TLS ServerName too?
I suppose the overarching question, given my reverse proxy setup, how might I do client authentication when the server I access is specified by an IP address which is a common situation for what I am addressing.
But I’d suggest you reconsider if you really need to use direct IP addresses for this, or whether you can just use a proper DNS hostname all the time, which wouldn’t have this problem.
Thank you again. I was afraid of that. It seems the default_sni only works if the browser doesn’t provide anything in the client hello which most seem to do these days.
I will examine the RFC closely but I did find here Steps to generate CSR for SAN certificate with openssl | GoLinuxCloud a way to provide IP addresses as alternative names in certificates and used the sample config file tailored to my needs. At least when reading the cert back it seemed to report the IP address as an alternative Name. Here is the relevant part of the config file:
For the particular needs I am faced with there is some requirement to authenticate clients in a closed network often without DNS service. The servers are identified with IP address only. If I could override strict SNI I would do so but Caddy enforces it if client authentication is being used. Is there a config way of turning it off?
Thanks for your help. It’s been exasperating but maybe it’s just not possible to do and knowing that at least I can stop banging my head against a wall
Excellent–thank you very much. I may try to synthesize a “hostname” and see if I can at least prove this out (i.e., document the mechanics of creating the certs according to the requirements of client authentication). I read the RFC 6066 and it repeats the same restrictions on hostname above.
Thanks again!
P.S. No matter what I did the TLS ServerName reported in the error message was always (). Is there a way to force this to be the IP address for testing purposes?