Ssl error when connect to https caddy container

1. The problem I’m having:

I deploy my app on a VPS with PHP and Caddy Docker containers. I have automatic HTTPS on the URL, so that's great. But there is a problem when my PHP calls HTTPS on the Caddy container. So, with curl on the PHP container (curl https://caddy/.well-known/mercure -vvv) I get these errors:

2. Error messages and/or full log output:

*   Trying 192.168.240.6:443...
* Connected to caddy (192.168.240.6) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (IN), TLS alert, internal error (592):
* OpenSSL/3.1.1: error:0A000438:SSL routines::tlsv1 alert internal error
* Closing connection 0
curl: (35) OpenSSL/3.1.1: error:0A000438:SSL routines::tlsv1 alert internal error

3. Caddy version:

Caddy: v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=
PHP: php:8.2-fpm-alpine

My complete Caddy config:

{
    # Debug
    {$CADDY_DEBUG}
}

{$SERVER_NAME}

{$CADDY_EXTRA_CONFIG}

log

route {
    root * /srv/app/public
    mercure {
        # Transport to use (default to Bolt)
        transport_url {$MERCURE_TRANSPORT_URL:bolt:///data/mercure.db}
        # Publisher JWT key
        publisher_jwt {env.MERCURE_PUBLISHER_JWT_KEY} {env.MERCURE_PUBLISHER_JWT_ALG}
        # Subscriber JWT key
        subscriber_jwt {env.MERCURE_SUBSCRIBER_JWT_KEY} {env.MERCURE_SUBSCRIBER_JWT_ALG}
        # Allow anonymous subscribers (double-check that it's what you want)
        anonymous
        # Enable the subscription API (double-check that it's what you want)
        subscriptions
        # Extra directives
        {$MERCURE_EXTRA_DIRECTIVES}
    }
    vulcain
    php_fastcgi unix//var/run/php/php-fpm.sock
    encode zstd gzip
    file_server
}

What I did

My guess is that there is no certificate between the PHP and Caddy containers, so I tried manually copying root.crt from /data/caddy/pki/authorities/local/root.crt (from the Caddy container) to /usr/local/share/ca-certificates/root.crt (PHP container) and also pasting it into /etc/ssl/certs/ca-certificates.crt (PHP container), but it still does not work.
Another behavior I noticed: if I call with http (curl http://caddy/.well-known/mercure -vvv), I get a 308 Permanent Redirect to https. So what do I have to do to run https to the caddy container?

Thanks in advance.

I think typically you do want to connect with HTTP, not HTTPS, from one container to the other. Setting up HTTPS is complicated, because you need to establish trust between them (i.e. trust the root CA certificate Caddy used to sign the certs). So make sure your site address has http://caddy. I think the default SERVER_NAME has caddy:80 in it, so keep that.


@francislavoie
Thank you for that very useful instruction. I indeed really want to use http between containers. My docker compose for caddy sets SERVER_NAME: ${SERVER_NAME:-localhost, caddy:80}, so with a real SERVER_NAME, it turns out I lost the caddy:80. So I just modified it to SERVER_NAME: $SERVER_NAME, caddy:80, and I have exactly what I need :)) You saved my day.
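The two replies above come down to one configuration detail: SERVER_NAME is spliced into the Caddyfile as the list of site addresses, and a compose default of the form ${SERVER_NAME:-localhost, caddy:80} is dropped entirely the moment the variable is set, taking the plain-HTTP caddy:80 address with it. The following script is an added example (not code from the thread or from the Caddy project) that mimics that compose substitution and lints the resulting value, so the missing internal HTTP address is caught before deployment. The address normalisation is an approximation of Caddy's site-address rules as I understand them (an assumption): without a scheme the address is http only when the port is 80, otherwise https; without a port, http implies 80 and https implies 443. The hostname caddy is the compose service name used in the thread.

```python
"""Lint the SERVER_NAME value handed to a Caddy container.

Added example, not part of the forum thread or of Caddy itself. It reproduces
the failure mode in the thread: setting SERVER_NAME to just the public
hostname replaces the compose default "localhost, caddy:80", so Caddy no
longer has an http://caddy site and sibling containers calling it either get
a 308 to https or a failed TLS handshake.
"""
from dataclasses import dataclass
from typing import List, Optional
import re

INTERNAL_HOST = "caddy"  # compose service name the PHP container talks to


@dataclass(frozen=True)
class SiteAddress:
    scheme: str
    host: str
    port: int

    def __str__(self) -> str:
        return f"{self.scheme}://{self.host}:{self.port}"


def compose_default(env_value: Optional[str], default: str) -> str:
    """Model docker compose's ${VAR:-default}: default only if unset/empty."""
    return env_value if env_value else default


def parse_address(raw: str) -> SiteAddress:
    """Normalise one site address into scheme/host/port.

    Assumed rules (approximation of Caddy's): no scheme -> http only when the
    explicit port is 80, otherwise https; no port -> 80 for http, 443 for https.
    """
    m = re.fullmatch(r"(?:(https?)://)?([^:/]+)(?::(\d+))?", raw.strip())
    if not m:
        raise ValueError(f"unsupported site address: {raw!r}")
    scheme, host, port_str = m.group(1), m.group(2), m.group(3)
    port = int(port_str) if port_str is not None else None
    if scheme is None:
        scheme = "http" if port == 80 else "https"
    if port is None:
        port = 80 if scheme == "http" else 443
    return SiteAddress(scheme, host, port)


def parse_server_name(value: str) -> List[SiteAddress]:
    """SERVER_NAME is a comma- and/or whitespace-separated list of addresses."""
    parts = [p for p in re.split(r"[,\s]+", value.strip()) if p]
    return [parse_address(p) for p in parts]


def internal_http_address(value: str, host: str = INTERNAL_HOST) -> Optional[SiteAddress]:
    """Return the plain-HTTP site address for the internal host, if present."""
    for addr in parse_server_name(value):
        if addr.host == host and addr.scheme == "http":
            return addr
    return None


def check_server_name(value: str) -> List[str]:
    """Return findings for a SERVER_NAME value; an empty list means it is fine."""
    findings: List[str] = []
    if internal_http_address(value) is None:
        findings.append(
            f"no http://{INTERNAL_HOST} site address: other containers calling "
            f"http://{INTERNAL_HOST} are redirected (308) to https, and "
            f"https://{INTERNAL_HOST} fails the TLS handshake"
        )
    return findings


if __name__ == "__main__":
    # Constructed scenarios: the compose default, then an operator override.
    default = "localhost, caddy:80"
    for env in (None, "example.test", "example.test, caddy:80"):
        value = compose_default(env, default)
        print(f"SERVER_NAME={value!r}")
        print("  sites:", ", ".join(str(a) for a in parse_server_name(value)))
        for finding in check_server_name(value) or ["ok"]:
            print("  ", finding)
```

Running it shows the override "example.test" produces one finding while "example.test, caddy:80" (the fix adopted in the last reply) is clean.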
