Subject name does not qualify for certificate

1. Caddy version (caddy version):

$ caddy version
v2.2.1 h1:Q62GWHMtztnvyRU+KPOpw6fNfeCD3SkwH7SfT1Tgt2c=

2. How I run Caddy:

systemd

a. System environment:

Ubuntu 18.04

d. My complete Caddyfile or JSON config:

{
  # This is pointing to Let's Encrypt Staging environment (for dev)
  # https://letsencrypt.org/docs/staging-environment/
  # This will allow you to get things right before issuing trusted
  # certificates and reduce the chance of your running up against rate limits.
  #acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
  
  # causes all certificates to be issued internally by default,
  # rather than through a (public) ACME CA such as Let's Encrypt.
  # This is useful in development environments.
  local_certs
  
  # configure automatic HTTPS. It can either disable it entirely (off)
  # or disable only HTTP-to-HTTPS redirects (disable_redirects).
  # auto_https off
  auto_https disable_redirects

  debug
}

# Refer to the Caddy docs for more information:
# https://caddyserver.com/docs/caddyfile

(SecurityHeaders) {
  header_up X-Real-IP {remote_host}
  header_up X-Forwarded-Proto {scheme}
}

:80, :443 {

  tls {
    on_demand
  }

  # Set this path to your site's directory.
  root * /opt/ivt/apps/6.0.0/packages/client/spa

  # Enable the static file server.
  file_server

  route /weather/* {
    uri replace /weather /socket.io
    reverse_proxy * http://localhost:3010 {
      import SecurityHeaders
    }
  }
  route /ptz/* {
    uri replace /ptz /socket.io
    reverse_proxy * http://localhost:3006 {
      import SecurityHeaders
    }
  }
  route /liveview/* {
    uri replace /liveview /socket.io
    reverse_proxy * http://localhost:3004 {
      import SecurityHeaders
    }
  }
  route /archive/* {
    uri replace /archive /socket.io
    reverse_proxy * http://localhost:3003 {
      import SecurityHeaders
    }
  }
  route /alarms/* {
    uri replace /alarms /socket.io
    reverse_proxy * http://localhost:3002 {
      import SecurityHeaders
    }
  }
  route /console_socket/* {
    uri replace /console_socket /console/socket.io
    reverse_proxy * http://localhost:3001 {
      import SecurityHeaders
    }
  }
  route /web_app_socket/* {
    uri replace /web_app_socket /web/socket.io
    reverse_proxy * http://localhost:3001 {
      import SecurityHeaders
    }
  }
  route /files/* {
    uri replace /files/ /
    reverse_proxy * http://localhost:3001 {
      # SecurityHeaders is the only snippet defined in this file;
      # "header_options" is not declared anywhere above
      import SecurityHeaders
    }
  }
  route /api/* {
    reverse_proxy * http://localhost:3001 {
      import SecurityHeaders
    }
  }
}

3. The problem I’m having:

In the journal, getting this message:

Dec 08 20:46:26 lance-ubuntu caddy[16093]: {"level":"debug","ts":1607485586.9103239,"logger":"http.stdlib","msg":"http: TLS handshake error from [fe80::b1d9:68f3:fcda:a150%enp0s31f6]:62373: subject name does not qualify for certificate: fe80::db67:46fb:e04e:5397%enp0s31f6"}

4. Error messages and/or full log output:

displayed above

5. What I already tried:

This should just be generating local certs. There’s no domain name used. It’s an IoT device.

6. Links to relevant resources:

Huh… I have never seen this before. TIL IPv6 addresses can have percent signs in them: Why is there a percent sign '%' in the IPv6 address? - Super User

Can you please file an issue, and we’ll see about getting proper certs for IPs with scope IDs.

Done.

I was checking an issue with this computer when I saw this. I am wondering if it’s related…
If you open Chrome or Firefox and just go to http://localhost, the page comes back immediately as Unauthorized. Have you heard of any issue like this before? Do you think this could be a preflight request (CORS) issue?

Thank you for filing; should be fixed on master in CertMagic (and in Caddy) now.

https://github.com/caddyserver/certmagic/commit/b726d1ed13c3f4aae8f7831792eb5690c81c9e27

I’m not sure what that error means, one word is not enough to go on. Please open a new issue and fill out the template to get help with that. Thanks
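The following is an added example, not Caddy's or CertMagic's code and not the change in the linked commit. It shows why a link-local IPv6 literal carrying a zone identifier (the `%enp0s31f6` suffix in the journal entry) cannot be matched against a certificate, and one way to normalise such a name before an internal issuer (like `local_certs`) creates and serves a certificate for it. The function names, the constructed sample addresses and the simplified qualification rules are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// stripZone drops an IPv6 zone identifier such as "%enp0s31f6".
// The zone tells the local host which interface a link-local address
// belongs to; it is not part of the address on the wire and never
// appears in a certificate's IP SAN, so it must not take part in
// certificate lookup or matching.
func stripZone(name string) string {
	if i := strings.IndexByte(name, '%'); i >= 0 {
		return name[:i]
	}
	return name
}

// subjectForCert normalises the server name a handshake arrived with
// (SNI, or the local address for IP-literal connections) and reports
// whether it can be the subject of an internally issued certificate.
// Assumption: this is a simplified stand-in for the issuer's own check;
// the point is that a zoned IPv6 literal is accepted and reduced to the
// bare address instead of being rejected for containing '%'.
func subjectForCert(name string) (string, bool) {
	name = strings.ToLower(strings.TrimSpace(name))
	if ip := net.ParseIP(stripZone(name)); ip != nil {
		return ip.String(), true
	}
	// Not an IP literal: apply basic hostname sanity rules.
	if name == "" || strings.HasPrefix(name, ".") || strings.HasSuffix(name, ".") ||
		strings.ContainsAny(name, " %/\\") {
		return "", false
	}
	return name, true
}

// selfSignedForSubject issues a short-lived self-signed certificate the
// way an internal issuer would: an IP SAN when the subject is an IP,
// otherwise a DNS SAN. The zone, if any, has already been removed.
func selfSignedForSubject(subject string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if ip := net.ParseIP(subject); ip != nil {
		tmpl.IPAddresses = []net.IP{ip}
	} else {
		tmpl.DNSNames = []string{subject}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// certMatches reports whether cert covers the name a client connected
// with, normalising the zone the same way the issuer did. Go's
// VerifyHostname cannot parse "fe80::1%eth0" as an IP, so without the
// normalisation an IP SAN would never match a zoned literal.
func certMatches(cert *x509.Certificate, name string) bool {
	return cert.VerifyHostname(stripZone(name)) == nil
}

func main() {
	// Constructed inputs; the first mirrors the address in the journal entry.
	for _, name := range []string{
		"fe80::db67:46fb:e04e:5397%enp0s31f6",
		"192.168.1.20",
		"camera-01.lan",
		"bad name",
	} {
		subj, ok := subjectForCert(name)
		if !ok {
			fmt.Printf("%-40s does not qualify\n", name)
			continue
		}
		cert, err := selfSignedForSubject(subj)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-40s -> subject %q, raw match %v, normalised match %v\n",
			name, subj, cert.VerifyHostname(name) == nil, certMatches(cert, name))
	}
}
```

Running it prints one line per constructed name; for the zoned address the raw `VerifyHostname` call fails while the normalised match succeeds, which is the same mismatch the journal entry reports. Because the config above uses `local_certs`, an odd subject only costs an internal issuance; with `on_demand` against a public ACME CA, an unvetted name would be sent to the CA, which is why on-demand issuance there should be gated with the `ask` endpoint of the `on_demand_tls` global option.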


I can confirm that the CertMagic fix works for the remote computer that was having the issue.


Excellent, thank you for letting me know!
