SSL Certificate Error

1. Caddy version (caddy version):

v2.4.6 h1:HGkGICFGvyrodcqOOclHKfvJC0qTU7vny/7FhYp9hNw=

2. How I run Caddy:

a. System environment:

Windows 8, running it from PowerShell, installed with choco

b. Command:

caddy run

c. Service/unit/compose file:

I think it's not relevant here?

d. My complete Caddyfile or JSON config:

:8443 {
	tls internal {
		# issue a certificate from the local CA for whatever SNI name arrives;
		# this is what the "on-demand TLS is enabled, but no protections" warning below refers to
		on_demand
	}
	reverse_proxy {
		to localhost:8444
		lb_policy round_robin

		transport http {
			# `tls` and `tls_insecure_skip_verify` are two separate subdirectives
			# of the http transport, one per line as documented
			tls
			tls_insecure_skip_verify
		}
	}
}

3. The problem I’m having:

What I want to achieve is to proxy all requests coming to 8443 to 8444. I have a backend server listening there. It's using HTTPS, but it's based on HTTP/1. We're planning to switch to HTTP/2, but it will probably be done gradually, as not all services can be changed so easily.

Right now, sending requests in any other way than curl (our tests, which also use HTTP/1, Postman) fails miserably with:

Error: write EPROTO 9624:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:c:\ws\deps\openssl\openssl\ssl\record\ssl3_record.c:332:

I know it’s Node’s error, not caddy’s but I’m really at a loss here.

From what I can understand, the communication between the proxy I've created and the backend works just fine; the only issue is that Caddy only accepts HTTP/2 requests, thus blocking me from running tests and seeing if it actually works as expected.

What would I need to change to make it accept both HTTP/1 (probably HTTP/1.1) and HTTP/2 requests?

On a further note, right now it can communicate with the backend, but will this config work once we make the backend server use HTTP/2?

Hi :slight_smile:

Are you trying to connect to :8443 via https://?

❯ curl https://localhost:8443
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

❯ curl http://localhost:8443
# works just fine

This is not true :thinking:

If you want https:// for your :8443 {, you can use https://:8443 {
If your problem persists, please share the curl commands you ran.
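Added example, not from the thread and not Caddy's code: the OpenSSL message quoted in both the Node error above and the curl output here comes from the first five bytes the client reads back after sending its ClientHello. OpenSSL's ssl3_get_record expects a TLS record header whose version field has a high byte of 0x03; when the port is actually speaking plaintext HTTP, the reply starts with "HTTP/1.1 400 ..." and that "version" field is the two 'T's, 0x5454, hence "wrong version number". The helper below decodes those bytes for both directions of the mismatch (TLS client against a plaintext port, plaintext client against a TLS listener). The function names are mine and the sample byte strings are constructed, not captured from the poster's setup.

```python
"""Decode the first-byte mismatches behind "ssl3_get_record:wrong version number".

A TLS record starts with a 5-byte header: content type (1 byte), legacy version
(2 bytes, always 0x03xx), length (2 bytes). OpenSSL raises "wrong version number"
when the high byte of that version field is not 0x03, which is what happens when
the peer answers with plaintext HTTP instead of a TLS record.
"""

TLS_RECORD_TYPES = {
    0x14: "change_cipher_spec",
    0x15: "alert",
    0x16: "handshake",
    0x17: "application_data",
}

HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")


def classify_server_reply(first_bytes: bytes) -> tuple[str, str]:
    """Client side: what did the server send back after our ClientHello?"""
    if len(first_bytes) < 5:
        return ("short", "fewer than 5 bytes: not even a complete TLS record header")
    content_type = first_bytes[0]
    version = int.from_bytes(first_bytes[1:3], "big")
    if version >> 8 == 0x03:  # the only check OpenSSL applies to the first record's version
        name = TLS_RECORD_TYPES.get(content_type, f"type 0x{content_type:02x}")
        return ("tls", f"TLS {name} record, legacy_record_version 0x{version:04x}")
    if first_bytes.startswith(b"HTTP/"):
        status_line = first_bytes.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return ("http_plaintext",
                f"plaintext HTTP reply {status_line!r}: version field is 0x{version:04x}, "
                "so OpenSSL reports 'wrong version number' (use http:// or make the listener serve TLS)")
    return ("unknown_plaintext",
            f"not a TLS record (version field 0x{version:04x}): OpenSSL reports 'wrong version number'")


def classify_client_request(first_bytes: bytes) -> tuple[str, str]:
    """Server side: is the peer starting TLS or sending a plaintext HTTP request?"""
    if len(first_bytes) < 6:
        return ("short", "fewer than 6 bytes: cannot tell TLS from HTTP yet")
    if first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        # byte 5 is the handshake message type; 0x01 is ClientHello
        if first_bytes[5] == 0x01:
            return ("tls_client_hello", "TLS handshake record carrying a ClientHello")
        return ("tls", f"TLS handshake record, message type 0x{first_bytes[5]:02x}")
    if first_bytes.startswith(HTTP_METHODS):
        request_line = first_bytes.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return ("http_plaintext",
                f"plaintext HTTP request {request_line!r} on a TLS listener; Go's net/http "
                "(and so Caddy) answers 400 'Client sent an HTTP request to an HTTPS server'")
    return ("unknown", "neither a TLS handshake record nor an HTTP request line")


# Constructed samples (not captured from the thread's setup).
PLAINTEXT_400 = (b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/plain; charset=utf-8\r\n"
                 b"Connection: close\r\n\r\n400 Bad Request")
SERVER_HELLO = bytes.fromhex("16 03 03 00 7a 02 00 00 76 03 03") + bytes(32)  # record header + ServerHello start
FATAL_ALERT = bytes.fromhex("15 03 03 00 02 02 28")                            # alert record: fatal handshake_failure
CLIENT_HELLO = bytes.fromhex("16 03 01 02 00 01 00 01 fc 03 03") + bytes(32)  # record header + ClientHello start
PLAIN_GET = b"GET / HTTP/1.1\r\nHost: localhost:8443\r\n\r\n"

if __name__ == "__main__":
    for sample in (PLAINTEXT_400, SERVER_HELLO, FATAL_ALERT):
        print("server reply   ->", classify_server_reply(sample))
    for sample in (CLIENT_HELLO, PLAIN_GET):
        print("client request ->", classify_client_request(sample))
```

In practice the bytes to feed in come from a packet capture of the failing connection; the point of the helper is that the error names the client's expectation (a TLS record) rather than anything about certificates, so the fix is on the scheme or the listener, not on the certificate.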

That doesn’t work

$ caddy run
{"level":"info","ts":1648201118.8049076,"msg":"using adjacent Caddyfile"}
{"level":"warn","ts":1648201118.8059926,"msg":"input is not formatted with 'caddy fmt'","adapter":"caddyfile","file":"Caddyfile","line":3}
{"level":"info","ts":1648201118.8104246,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
{"level":"info","ts":1648201118.8104246,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000378c40"}
{"level":"info","ts":1648201118.81149,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1648201118.8237078,"logger":"pki.ca.local","msg":"root certificate is already trusted by system","path":"storage:pki/authorities/local/root.crt"}
{"level":"warn","ts":1648201118.8237078,"logger":"tls","msg":"YOUR SERVER MAY BE VULNERABLE TO ABUSE: on-demand TLS is enabled, but no protections are in place","docs":"https://caddyserver.com/docs/automatic-https#on-demand-tls"}
{"level":"info","ts":1648201118.8237078,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:C:\\Users\\Jarek\\AppData\\Roaming\\Caddy"}
{"level":"info","ts":1648201118.8237078,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1648201118.8237078,"logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0xc000378c40"}
run: loading initial config: loading new config: http app module: start: tcp: listening on :80: listen tcp :80: bind: <Here was something about accessing the port in a forbidden way, but it was in my national language>

And then caddy server stops.

Why does it try to bind to port 80 and not the port stated in Caddyfile?

Adding this helped

{
	auto_https disable_redirects
}

But I have no clue what it does

Because Caddy will automatically redirect HTTP requests to HTTPS, so it tries to bind to port 80. (Your OS provides error messages in your native language, hence the log you removed for some reason.) Most likely caddy does not have permission to bind to that port or the port is already in use.

So, disabling redirects will cause Caddy to not try enabling redirects, thus not binding to the HTTP port.

