sgasser
(Stefan Gasser)
February 1, 2022, 11:02am
1
1. Caddy version (caddy version):
v2.2.1
2. How I run Caddy:
As service with command: /usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
a. System environment:
Ubuntu on Digital Ocean
b. Command:
/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
c. Service/unit/compose file:
Ubuntu
d. My complete Caddyfile or JSON config:
*.domain1.com {
    tls {
        dns lego_deprecated dnsimple
    }
    reverse_proxy {
        to https://*.target.com
        header_up Host {http.retry_proxy.upstream.host}
        header_up X-Forwarded-Host {host}
        transport http {
            tls
            tls_insecure_skip_verify
        }
    }
}
sub.otherdomain.com {
    reverse_proxy {
        to https://sub.target.com
        header_up Host sub.target.com
        header_up X-Forwarded-Host sub.otherdomain.com
        transport http {
            tls
            tls_insecure_skip_verify
        }
    }
}
There are more domains like the second one.
3. The problem I’m having:
The wildcard domain also works on Mac / iOS, but the second, non-wildcard one does not.
SSL Check:
https://www.ssllabs.com/ssltest/analyze.html?d=staging.newsletter.additive-apps.tech
How can I fix that?
TobiX
(Tobias Gruetzmacher)
February 1, 2022, 2:05pm
2
Your certificate was revoked by Let’s Encrypt, probably due to
At 16:48 UTC on Tuesday Jan 25, 2022, a third party informed Let’s Encrypt / ISRG that, while examining the Boulder codebase, they had noticed two instances of specification non-compliance in our implementation of the “TLS Using ALPN” validation...
See also previous discussion on this forum:
1. Caddy version (caddy version):
v2.4.6 h1
2. How I run Caddy:
Running Nextcloud on Caddy Webserver
a. System environment:
Debian 11
3. The problem I’m having:
The certificate was automatically renewed at the beginning of January. In a web browser like Microsoft Edge or Google Chrome on Windows 10 the certificate is secure. Some days ago I read that Let’s Encrypt was revoking certificates.
On an iPhone 13 (iOS 15.2) the certificate is insecure. I have found nothing about renewing (or …
You should have been informed via mail about this (if you didn’t forget to add a mail address to your Caddyfile).
Regards, Tobias
1 Like
sgasser:
1. Caddy version (caddy version):
v2.2.1
Please upgrade to v2.4.6! That’s an old version.
sgasser:
to https://*.target.com
That’s not a valid upstream hostname… I’d be surprised if this actually worked.
That’s not a valid placeholder. The correct placeholder is {http.reverse_proxy.upstream.hostport}, or if you upgrade to v2.4.6, you can use the shortcut {upstream_hostport}.
sgasser:
tls_insecure_skip_verify
Are you sure you want this? This turns off all security offered by HTTPS between Caddy and the upstream. A man-in-the-middle attack could easily be performed, since Caddy will no longer trust that the certificate was signed by a good CA.
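As an added example (not from the thread or from the Caddy project), here is the non-wildcard site from the original Caddyfile rewritten for v2.4.6 so that the upstream certificate is still verified instead of using tls_insecure_skip_verify. It assumes the upstream’s certificate is actually issued for sub.target.com (the placeholder names from the thread); the commented CA path is hypothetical and only needed for a private CA.

```caddyfile
# Hardened replacement for the sub.otherdomain.com site block.
# Dropping tls_insecure_skip_verify means Caddy checks the upstream
# certificate chain and name, so an on-path attacker between Caddy and
# sub.target.com can no longer present an arbitrary certificate.
sub.otherdomain.com {
    reverse_proxy https://sub.target.com {
        # Send the upstream's own host:port as the Host header;
        # {upstream_hostport} is the v2.4.6 shortcut for
        # {http.reverse_proxy.upstream.hostport}
        header_up Host {upstream_hostport}
        # Preserve the name the client actually asked for
        header_up X-Forwarded-Host {host}
        transport http {
            tls
            # Name used for SNI and certificate verification; set this
            # explicitly instead of disabling verification
            tls_server_name sub.target.com
            # Only if the upstream uses a private CA (hypothetical path):
            # tls_trusted_ca_certs /etc/caddy/upstream-ca.pem
        }
    }
}
```

If Caddy now logs a TLS verification error on proxied requests, that is the check working: fix the upstream’s certificate or trust its CA with tls_trusted_ca_certs rather than reinstating tls_insecure_skip_verify.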
sgasser
(Stefan Gasser)
February 1, 2022, 6:50pm
4
Thank you for your help @TobiX and @francislavoie !
You are awesome!
1 Like
matt
(Matt Holt)
February 2, 2022, 6:49am
5
Thanks for the links @TobiX !
FYI, the latest versions of Caddy automatically replace revoked certificates for you (with even more robust support on the way), which is why Francis suggests upgrading.
system
(system)
Closed
March 3, 2022, 11:02am
6
This topic was automatically closed after 30 days. New replies are no longer allowed.