SSL not working on Mac / iOS

1. Caddy version (caddy version):

v2.2.1

2. How I run Caddy:

As a service, with the command: /usr/bin/caddy run --environ --config /etc/caddy/Caddyfile

a. System environment:

Ubuntu on Digital Ocean

b. Command:

/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile

c. Service/unit/compose file:

Ubuntu

d. My complete Caddyfile or JSON config:

*.domain1.com {
    tls {
        dns lego_deprecated dnsimple
    }

    reverse_proxy {
        to https://*.target.com
        header_up Host {http.retry_proxy.upstream.host}
        header_up X-Forwarded-Host {host}
        transport http {
            tls
            tls_insecure_skip_verify
        }
    }
}
sub.otherdomain.com {
    reverse_proxy {
        to https://sub.target.com
        header_up Host sub.target.com
        header_up X-Forwarded-Host sub.otherdomain.com
        transport http {
            tls
            tls_insecure_skip_verify
        }
    }
}

There are more domains like the second one.

3. The problem I’m having:

The wildcard domain also works on Mac / iOS, but the second, non-wildcard one does not.

SSL Check:
https://www.ssllabs.com/ssltest/analyze.html?d=staging.newsletter.additive-apps.tech

How can I fix that?

Your certificate was revoked by Let’s Encrypt, probably due to

See also previous discussion on this forum:

You should have been informed via mail about this (if you didn’t forget to add a mail address to your Caddyfile).

Regards, Tobias


Please upgrade to v2.4.6! That’s an old version.

That’s not a valid upstream hostname… I’d be surprised if this actually worked.

That’s not a valid placeholder. The correct placeholder is {http.reverse_proxy.upstream.hostport}, or if you upgrade to v2.4.6, you can use the shortcut {upstream_hostport}.

Are you sure you want this? This turns off all security offered by HTTPS between Caddy and the upstream. A man-in-the-middle attack could easily be performed, since Caddy will no longer trust that the certificate was signed by a good CA.
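A version of the posted Caddyfile that applies the corrections from the replies above, added here as an example (it is not config from the thread or from the Caddy project): the contact address, the {labels.2}-based upstream mapping for the wildcard site and the CA file path are assumptions.

```caddyfile
{
    # ACME account contact: Let's Encrypt sends revocation and expiry notices here
    # (constructed placeholder address)
    email ops@example.com
}

*.domain1.com {
    tls {
        dns lego_deprecated dnsimple
    }

    reverse_proxy {
        # Map foo.domain1.com -> foo.target.com; {labels.2} is the third host label
        # counted from the right. Assumes a one-to-one label mapping (not stated
        # in the thread) and that placeholders are allowed in the upstream address.
        to https://{labels.2}.target.com
        # Correct placeholder for the selected upstream's host:port (v2.4.6 shortcut)
        header_up Host {upstream_hostport}
        header_up X-Forwarded-Host {host}
        transport http {
            # TLS to the upstream with certificate verification left on: the chain is
            # checked against the system trust store and the dialed hostname
            tls
        }
    }
}

sub.otherdomain.com {
    reverse_proxy {
        to https://sub.target.com
        header_up Host sub.target.com
        header_up X-Forwarded-Host {host}
        transport http {
            tls
            # If the upstream presents a certificate for a name other than the one
            # dialed, pin the expected name instead of disabling verification:
            # tls_server_name sub.target.com
            # If the upstream uses a private CA, trust only that CA (assumed path):
            # tls_trusted_ca_certs /etc/caddy/upstream-ca.pem
        }
    }
}
```

Run `caddy validate --config /etc/caddy/Caddyfile` after editing; a handshake failure against the upstream then points at a certificate or name mismatch to fix on the upstream, not at verification to switch off.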

Thank you for your help @TobiX and @francislavoie !

You are awesome!


Thanks for the links @TobiX !

FYI, the latest versions of Caddy automatically replace revoked certificates for you (with even more robust support on the way), which is why Francis suggests upgrading.
