Subject name does not qualify for certificate

Jeff_Galbraith · December 9, 2020, 3:26pm

1. Caddy version (`caddy version`):

$ caddy version
v2.2.1 h1:Q62GWHMtztnvyRU+KPOpw6fNfeCD3SkwH7SfT1Tgt2c=

2. How I run Caddy:

systemd

a. System environment:

Ubuntu 18.04

d. My complete Caddyfile or JSON config:

{
  # This is pointing to Let's Encrypt Staging environment (for dev)
  # https://letsencrypt.org/docs/staging-environment/
  # This will allow you to get things right before issuing trusted
  # certificates and reduce the chance of your running up against rate limits.
  #acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
  
  # causes all certificates to be issued internally by default,
  # rather than through a (public) ACME CA such as Let's Encrypt.
  # This is useful in development environments.
  local_certs
  
  # configure automatic HTTPS. It can either disable it entirely (off)
  # or disable only HTTP-to-HTTPS redirects (disable_redirects).
  # auto_https off
  auto_https disable_redirects

  debug
}

# Refer to the Caddy docs for more information:
# https://caddyserver.com/docs/caddyfile

(SecurityHeaders) {
  header_up X-Real-IP {remote_host}
  header_up X-Forwarded-Proto {scheme}
}

:80, :443 {

  tls {
    on_demand
  }

  # Set this path to your site's directory.
  root * /opt/ivt/apps/6.0.0/packages/client/spa

  # Enable the static file server.
  file_server

  route /weather/* {
    uri replace /weather /socket.io
    reverse_proxy * http://localhost:3010 {
      import SecurityHeaders
    }
  }
  route /ptz/* {
    uri replace /ptz /socket.io
    reverse_proxy * http://localhost:3006 {
      import SecurityHeaders
    }
  }
  route /liveview/* {
    uri replace /liveview /socket.io
    reverse_proxy * http://localhost:3004 {
      import SecurityHeaders
    }
  }
  route /archive/* {
    uri replace /archive /socket.io
    reverse_proxy * http://localhost:3003 {
      import SecurityHeaders
    }
  }
  route /alarms/* {
    uri replace /alarms /socket.io
    reverse_proxy * http://localhost:3002 {
      import SecurityHeaders
    }
  }
  route /console_socket/* {
    uri replace /console_socket /console/socket.io
    reverse_proxy * http://localhost:3001 {
      import SecurityHeaders
    }
  }
  route /web_app_socket/* {
    uri replace /web_app_socket /web/socket.io
    reverse_proxy * http://localhost:3001 {
      import SecurityHeaders
    }
  }
  route /files/* {
    uri replace /files/ /
    reverse_proxy * http://localhost:3001 {
      import header_options
    }
  }
  route /api/* {
    reverse_proxy * http://localhost:3001 {
      import header_options
    }
  }
}

3. The problem I’m having:

In the journal, getting this message:

Dec 08 20:46:26 lance-ubuntu caddy[16093]: {"level":"debug","ts":1607485586.9103239,"logger":"http.stdlib",
"msg":"http: TLS handshake error from [fe80::b1d9:68f3:fcda:a150%enp0s31f6]:62373: 
subject name does not qualify for certificate: fe80::db67:46fb:e04e:5397%enp0s31f6"}

4. Error messages and/or full log output:

displayed above

5. What I already tried:

This should just be generating local certs. There’s no domain name used. It’s an IoT device.

6. Links to relevant resources:

matt · December 9, 2020, 4:44pm

Huh… I have never seen this before. TIL IPv6 addresses can have percent signs in them: Why is there a percent sign '%' in the IPv6 address? - Super User

Can you please file an issue? Sign in to GitHub · GitHub – and we’ll see about getting proper certs for IPs with scope IDs.

Jeff_Galbraith · December 9, 2020, 6:14pm

Done.

I was checking issue with this computer when I saw this. I am wondering if it’s related…
If you open chrome or firefox, and just http://localhost the page comes back immediately as Unauthorized. Have you heard of any issue like this before? Do you think this could be a preflight request (CORS) issue?

matt · December 9, 2020, 8:12pm

Thank you for filing; should be fixed on master in CertMagic (and in Caddy) now.

github.com/caddyserver/certmagic

Strip scope ID from IPv6 addresses

committed 07:58PM - 09 Dec 20 UTC

mholt

+26 -17

Should fix https://github.com/caddyserver/caddy/issues/3911 CertMagic does a sa…nity check before obtaining certs by checking names for invalid characters; and % is not a character that is accepted for IP addresses. I don't actually know how clients do validation on TLS connections to scoped IPs, but presumably we should just strip them before applying them to certificates server-side. Also unexport the needlessly-exported NormalizedName function, which is no longer known to be used by any external libraries. (It used to be used by Caddy but we've since better contained the relevant logic within CertMagic.)

I’m not sure what that error means, one word is not enough to go on. Please open a new issue and fill out the template to get help with that. Thanks

Jeff_Galbraith · January 4, 2021, 5:35pm

I can confirm that the CertMagic fix works for the remote computer that was having the issue.

matt · January 4, 2021, 6:07pm

Excellent, thank you for letting me know!

system · January 8, 2021, 3:26pm

This topic was automatically closed after 30 days. New replies are no longer allowed.