SSL Errors - ERR_SSL_PROTOCOL_ERROR (DNS resolver i/o timeout)

sidneyvega · July 27, 2022, 3:54am

I have about 10 sites. Five are working, but I’m getting this message on the other five:
"Secure Connection Failed

An error occurred during a connection to sub.domain.net. Peer reports it experienced an internal error.

Error code: SSL_ERROR_INTERNAL_ERROR_ALERT"

I’m assuming it’s an SSL issue, but Caddy is not resolving it. Any ideas?

All domains are the same except for the extension
i.e. sub1.dommain.com
sub2.dommain.com
sub3.dommain.com

Any ideas on how to fix this?

francislavoie · July 27, 2022, 4:38am

No, you just did the code blocks incorrectly.

You need to put the backticks on their own lines, before and after the entire config. Only two sets, one before and one after. Not in the middle of the config or at the end of lines.

Please fill out the help topic template, as per the forum rules.

We need to see what’s in your logs. If Caddy failed to issue certificates for those domains, it would have logged about it.

sidneyvega · July 27, 2022, 4:50am

Thank you for the information about posting, I’ll make sure I correct this in future postings.

I’ve looked in the documentation, but I honestly can’t find out where to get the logs. Can you help me with that, I’ll post them.

francislavoie · July 27, 2022, 5:11am

It depends how you’re running Caddy, which you haven’t said (that question is part of the help topic template, which is why we require it). But in general, Caddy emits its logs to stdout.

matt · July 27, 2022, 6:58pm

I also do not know how to help you with the information posted.

Please start a new topic and fill out the template. It has comments that tell you how to get the logs and how to format your post properly. Please use the forum’s formatting buttons over the textbox and use the preview pane to see what it will look like. Also familiarize yourself with Markdown if needed: Markdown Reference

That is all we can suggest until we have the necessary information. Logs and curl -v output will be crucial.

sidneyvega · July 27, 2022, 10:14pm

I’ve recreated the topic and put additional effort into ensuring I created it properly. I wasn’t sure of the protocol at first, but I think I did everything correctly this time.

https://caddy.community/t/ssl-errors-caddy-err-ssl-protocol-error/16694

sidneyvega · July 27, 2022, 10:12pm

1. Output of `caddy version`:

v2.5.2 h1:eCJdLyEyAGzuQTa5Mh3gETnYWDClo1LjtQm2q9RNZrs=

2. How I run Caddy:

a. System environment:

I’m running Caddy on Ubuntu via Proxmox 7.2-3 and all relevant virtual machines are running TurnKey WordPress websites and are also hosted on the same proxmox server.

b. Command:

caddy version

sudo systemctl start caddy

To edit file:

sudo nano /etc/caddy/Caddyfile

& after edit:

sudo systemctl reload caddy

c. Service/unit/compose file:

Not sure what is being asked. Running on Ubuntu Container in Proxmox.

d. My complete Caddy config:

testing1.sidneyvega.net {
        reverse_proxy 192.168.3.101
}

testing2.sidneyvega.net {
        reverse_proxy 192.168.3.102
}

testing3.sidneyvega.net {
        reverse_proxy 192.168.3.103
}

testing4.sidneyvega.net {
        reverse_proxy 192.168.3.104
}

testing5.sidneyvega.net {
        reverse_proxy 192.168.3.105
}

archive1.sidneyvega.net {
        reverse_proxy 192.168.3.51
}

archive2.sidneyvega.net: {
        reverse_proxy 192.168.3.52
}

archive3.sidneyvega.net {
        reverse_proxy 192.168.3.53
}

archive4.sidneyvega.net {
        reverse_proxy 192.168.3.54
}

archive5.sidneyvega.net {
        reverse_proxy 192.168.3.55
}

archive6.sidneyvega.net {
        reverse_proxy 192.168.3.56
}

archive7.sidneyvega.net {
        reverse_proxy 192.168.3.57
}

archive8.sidneyvega.net {
        reverse_proxy 192.168.3.58
}

3. The problem I’m having:

All Domains point to the proper ISP provided IP address Domains are configured correctly.
If I try to access from WAN (not on same network/IP), these addresses:

testing1.sidneyvega.net
testing2.sidneyvega.net
testing3.sidneyvega.net
testing4.sidneyvega.net
testing5.sidneyvega.net

Everything works, SSL is working, Website can be accessed etc.

However, If I try to access from WAN (not on same network/IP), these addresses:

archive1.sidneyvega.net
archive2.sidneyvega.net
archive3.sidneyvega.net
archive4.sidneyvega.net
archive5.sidneyvega.net
archive6.sidneyvega.net
archive7.sidneyvega.net
archive8.sidneyvega.net

It’s my understanding that Caddy will generate SSL certificates automatically but I get the following error in Chrome:
“This site can’t provide a secure connection archive1.sidneyevega.net sent an invalid response. ERR_SSL_PROTOCAL_ERROR”
Similar error message in other browsers like Firefox, for example.

4. Error messages and/or full log output:

Jul 27 22:02:29 caddy caddy[128]: {"level":"error","ts":1658959349.68464,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"archive4.sidneyvega.net","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[archive4.sidneyvega.net] creating new order: provisioning client: performing request: Get \"https://acme-v02.api.letsencrypt.org/directory\": dial tcp: lookup acme-v02.api.letsencrypt.org on 192.168.1.2:53: read udp 192.168.3.200:49431->192.168.1.2:53: i/o timeout (ca=https://acme-v02.api.letsencrypt.org/directory)"}
Jul 27 22:02:29 caddy caddy[128]: {"level":"warn","ts":1658959349.6847599,"logger":"tls.issuance.zerossl","msg":"missing email address for ZeroSSL; it is strongly recommended to set one for next time"}
Jul 27 22:02:49 caddy caddy[128]: {"level":"warn","ts":1658959369.688755,"logger":"tls.issuance.acme.acme_client","msg":"HTTP request failed; retrying","url":"https://acme-v02.api.letsencrypt.org/directory","error":"performing request: Get \"https://acme-v02.api.letsencrypt.org/directory\": dial tcp: lookup acme-v02.api.letsencrypt.org on 192.168.1.2:53: read udp 192.168.3.200:57528->192.168.1.2:53: i/o timeout"}
Jul 27 22:02:49 caddy caddy[128]: {"level":"error","ts":1658959369.6887608,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"archive4.sidneyvega.net","issuer":"acme.zerossl.com-v2-DV90","error":"account pre-registration callback: performing EAB credentials request: Post \"https://api.zerossl.com/acme/eab-credentials-email\": dial tcp: lookup api.zerossl.com on 192.168.1.2:53: read udp 192.168.3.200:40788->192.168.1.2:53: i/o timeout"}
Jul 27 22:02:49 caddy caddy[128]: {"level":"error","ts":1658959369.6888556,"logger":"tls.obtain","msg":"will retry","error":"[archive4.sidneyvega.net] Obtain: account pre-registration callback: performing EAB credentials request: Post \"https://api.zerossl.com/acme/eab-credentials-email\": dial tcp: lookup api.zerossl.com on 192.168.1.2:53: read udp 192.168.3.200:40788->192.168.1.2:53: i/o timeout","attempt":1,"retrying_in":60,"elapsed":443.609917546,"max_duration":2592000}
Jul 27 22:03:09 caddy caddy[128]: {"level":"warn","ts":1658959389.9475734,"logger":"tls.issuance.acme.acme_client","msg":"HTTP request failed; retrying","url":"https://acme-v02.api.letsencrypt.org/directory","error":"performing request: Get \"https://acme-v02.api.letsencrypt.org/directory\": dial tcp: lookup acme-v02.api.letsencrypt.org on 192.168.1.2:53: read udp 192.168.3.200:48710->192.168.1.2:53: i/o timeout"}
Jul 27 22:03:30 caddy caddy[128]: {"level":"warn","ts":1658959410.2018473,"logger":"tls.issuance.acme.acme_client","msg":"HTTP request failed; retrying","url":"https://acme-v02.api.letsencrypt.org/directory","error":"performing request: Get \"https://acme-v02.api.letsencrypt.org/directory\": dial tcp: lookup acme-v02.api.letsencrypt.org on 192.168.1.2:53: read udp 192.168.3.200:53658->192.168.1.2:53: i/o timeout"}
Jul 27 22:03:30 caddy caddy[128]: {"level":"error","ts":1658959410.201952,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"archive1.sidneyvega.net","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[archive1.sidneyvega.net] creating new order: provisioning client: performing request: Get \"https://acme-v02.api.letsencrypt.org/directory\": dial tcp: lookup acme-v02.api.letsencrypt.org on 192.168.1.2:53: read udp 192.168.3.200:53658->192.168.1.2:53: i/o timeout (ca=https://acme-v02.api.letsencrypt.org/directory)"}
Jul 27 22:03:30 caddy caddy[128]: {"level":"warn","ts":1658959410.2021196,"logger":"tls.issuance.zerossl","msg":"missing email address for ZeroSSL; it is strongly recommended to set one for next time"}
Jul 27 22:03:50 caddy caddy[128]: {"level":"warn","ts":1658959430.204212,"logger":"tls.issuance.acme.acme_client","msg":"HTTP request failed; retrying","url":"https://acme-staging-v02.api.letsencrypt.org/directory","error":"performing request: Get \"https://acme-staging-v02.api.letsencrypt.org/directory\": dial tcp: lookup acme-staging-v02.api.letsencrypt.org on 192.168.1.2:53: read udp 192.168.3.200:43614->192.168.1.2:53: i/o timeout"}
Jul 27 22:03:50 caddy caddy[128]: {"level":"error","ts":1658959430.204239,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"archive1.sidneyvega.net","issuer":"acme.zerossl.com-v2-DV90","error":"account pre-registration callback: performing EAB credentials request: Post \"https://api.zerossl.com/acme/eab-credentials-email\": dial tcp: lookup api.zerossl.com on 192.168.1.2:53: read udp 192.168.3.200:37190->192.168.1.2:53: i/o timeout"}
Jul 27 22:03:50 caddy caddy[128]: {"level":"error","ts":1658959430.2042603,"logger":"tls.obtain","msg":"will retry","error":"[archive1.sidneyvega.net] Obtain: account pre-registration callback: performing EAB credentials request: Post \"https://api.zerossl.com/acme/eab-credentials-email\": dial tcp: lookup api.zerossl.com on 192.168.1.2:53: read udp 192.168.3.200:37190->192.168.1.2:53: i/o timeout","attempt":1,"retrying_in":60,"elapsed":504.125273963,"max_duration":2592000}

5. What I already tried:

I’ve tried changing port numbers on the Caddy config file, I’ve tried moving the redirect of testing5 to archive1’s IP address example:

testing5.sidneyvega.net {
        reverse_proxy 192.168.3.51
}

(This does work).

I’ve researched the problem with similar errors on Google, Reddit, Caddy Forum. Nothing I try works.

I’m suspecting there is maybe a limit to SSL certs? Or maybe I need a wildcard -I don’t know how to do this at all. I tried to learn how, but the documentation is not helping and I didn’t want to attempt it and break what is already working.

I’ve read the log file, but I don’t really know how to fix it because I’m not 100% sure what the problem is or where to go with it.

### 6. Links to relevant resources:
I do not have any further information.

francislavoie · July 27, 2022, 10:35pm

Looks like there’s a problem with your local DNS server. It’s not able to resolve the Let’s Encrypt domain to an IP address.

emilylange · July 27, 2022, 10:47pm

Since you are running Proxmox VE, there are two places you want to look at:

Your containers’ DNS settings, which can be set in the WebUI when selecting your container and clicking on the DNS tab right between Network and Options. Those default to your PVE host’s settings.
Your PVE hosts’ DNS settings, which can be set in the WebUI when selecting your PVE host and clicking on System (between Shell and Updates) and DNS.

Do not edit the /etc/resolv.conf file in your PVE/LXC container manually.

If you aren’t running a DNS server on 192.168.1.2, consider changing it cloudflare’s 1.1.1.1, Google’s 8.8.8.8 or any other public DNS resolver

You could also further debug your DNS with tools like dig, nslookup, dog, etc.

sidneyvega · July 27, 2022, 10:55pm

I’m going to check the settings you mentioned. I want to ask while I’m looking into this, If the other sites are working with the same DNS settings (all of these sites are clones from an original template), why could the archive ones be giving me these errors? Will be back with my findings.

sidneyvega · July 27, 2022, 10:55pm

Interesting, I’ll check into this.

sidneyvega · July 27, 2022, 11:03pm

Indeed, this is what was wrong:

192.168.1.2

PiHole…
Now Changed to:

1.1.1.1

All sites working now.

system · August 26, 2022, 3:55am

This topic was automatically closed after 30 days. New replies are no longer allowed.