1. The problem I’m having:
I deploy my app on a VPS with PHP and Caddy in Docker. I have automatic HTTPS on the URL, so that's great. But there is a problem when my PHP calls HTTPS on the Caddy container. So, with curl on the PHP container, `curl https://caddy/.well-known/mercure -vvv`
I get these errors:
2. Error messages and/or full log output:
```
* Trying 192.168.240.6:443...
* Connected to caddy (192.168.240.6) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: none
* TLSv1.3 (IN), TLS alert, internal error (592):
* OpenSSL/3.1.1: error:0A000438:SSL routines::tlsv1 alert internal error
* Closing connection 0
curl: (35) OpenSSL/3.1.1: error:0A000438:SSL routines::tlsv1 alert internal error
```
3. Caddy version:
Caddy: v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=
PHP: php:8.2-fpm-alpine
My complete Caddy config:
```
{
    # Debug
    {$CADDY_DEBUG}
}

{$SERVER_NAME}

{$CADDY_EXTRA_CONFIG}

log

route {
    root * /srv/app/public
    mercure {
        # Transport to use (default to Bolt)
        transport_url {$MERCURE_TRANSPORT_URL:bolt:///data/mercure.db}
        # Publisher JWT key
        publisher_jwt {env.MERCURE_PUBLISHER_JWT_KEY} {env.MERCURE_PUBLISHER_JWT_ALG}
        # Subscriber JWT key
        subscriber_jwt {env.MERCURE_SUBSCRIBER_JWT_KEY} {env.MERCURE_SUBSCRIBER_JWT_ALG}
        # Allow anonymous subscribers (double-check that it's what you want)
        anonymous
        # Enable the subscription API (double-check that it's what you want)
        subscriptions
        # Extra directives
        {$MERCURE_EXTRA_DIRECTIVES}
    }
    vulcain
    php_fastcgi unix//var/run/php/php-fpm.sock
    encode zstd gzip
    file_server
}
```
What I did:
My guess is that there is no certificate trust between the PHP and Caddy containers, so I tried to copy root.crt manually from /data/caddy/pki/authorities/local/root.crt
(in the caddy container) to /usr/local/share/ca-certificates/root.crt
(in the php container) and also paste it into /etc/ssl/certs/ca-certificates.crt
(in the php container), but it still does not work.
Another behavior that I noticed is that if I call with http, `curl http://caddy/.well-known/mercure -vvv`, I get a 308 Permanent Redirect to https. So what do I have to do to use HTTPS to the Caddy container?
Thanks in advance.
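An added example (not from the original post, nor from the Caddy or Mercure projects) of how the PHP container can call the hub while keeping certificate verification on. It assumes the public hostname in `{$SERVER_NAME}` is `app.example.com` (placeholder), that Caddy's `root.crt` has already been copied to `/usr/local/share/ca-certificates/root.crt` in the PHP container as described above, and the caddy container IP from the log. Connecting to the name `caddy` sends an SNI for which Caddy typically holds no certificate, which is a common cause of the `tlsv1 alert internal error`; `CURLOPT_RESOLVE` lets the request use the configured hostname while still reaching the container on the Docker network.

```php
<?php
declare(strict_types=1);

/**
 * Call the Mercure hub over HTTPS from the PHP container.
 * Returns ['ok' => bool, 'status' => int, 'error' => string].
 */
function fetchMercureHub(string $publicHost, string $caddyIp, string $caRoot): array
{
    $url = "https://{$publicHost}/.well-known/mercure";
    $ch  = curl_init($url);
    curl_setopt_array($ch, [
        // Pin the public hostname to the caddy container's Docker-network IP so the
        // TLS SNI and Host header match the certificate Caddy actually manages.
        CURLOPT_RESOLVE        => ["{$publicHost}:443:{$caddyIp}"],
        // Trust Caddy's local CA explicitly instead of turning verification off.
        CURLOPT_CAINFO         => $caRoot,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    $result = [
        'ok'     => $body !== false,
        'status' => (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE),
        // On failure this carries OpenSSL's text, e.g. "tlsv1 alert internal error".
        'error'  => curl_error($ch),
    ];
    curl_close($ch);
    return $result;
}

// Placeholder hostname; the IP and CA path are the ones from the post above.
$r = fetchMercureHub(
    'app.example.com',
    '192.168.240.6',
    '/usr/local/share/ca-certificates/root.crt'
);
printf("ok=%s status=%d error=%s\n", $r['ok'] ? 'yes' : 'no', $r['status'], $r['error']);
```

Once the hostname and CA match, the hub answers with its normal HTTP status instead of a TLS alert; if the error text still mentions the certificate, check that `root.crt` in the PHP container is the current file from `/data/caddy/pki/authorities/local/`, since Caddy regenerates it when that directory is recreated.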