This site can’t provide a secure connection

xpt · May 12, 2019, 6:52pm

First of all, the site search isn’t working for me with my Chromium Version 67.0.3396.99 (Official Build) Built on Ubuntu , running on Ubuntu 18.04 (64-bit)
So I’m sorry if it has been asked before.

The thing is, I’ve been following the excellent article
from Installing Caddy Server on Ubuntu
word for word, but I can’t get HTTPS working for any obvious reasons.

So let me walk my attempts step by step here.

Step 2: Testing Your Website

Yeah, I got that step right – I can visit localhost:2015 and see my own Website.

Step 3 : Setting up HTTPS

This is where I’m having trouble. Here are the detailed logs, with everything real…

… content dramatically remove in order to survive the 4-link max new user posing rule …

caddy -host mydomain.example.com

Everything looks good when visiting my site (99.241.42.221) via HTTP:

I can see

404 Site 99.241.42.221 is not served on this interface

which I presume is served from/by caddy.

Now, when visiting my site with HTTPS, https://99.241.42.221/, I get:

This site can’t provide a secure connection
99.241.42.221 sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

What’s wrong?
Is it that caddy doesn’t support visiting sites by IP?

Thx.

Whitestrake · May 13, 2019, 12:24am

Hey @xpt, welcome to the Caddy community.

You can put your content in code blocks (triple backticks, ```) and they won’t count as links. This makes Caddyfiles, logs, etc. much easier to read, too.

Caddy’s not serving requests for the hostname 9.241.42.221, it’s serving mydomain.example.com. This is why you get this response:

404 Site 99.241.42.221 is not served on this interface

Instead of, say, file not found.

Now, when it comes time to check HTTPS, one thing you should know right off the bat is that outside of https://1.1.1.1, you’ll rarely/never see valid HTTPS certificates issued for IP addresses. LetsEncrypt definitely won’t, so unless you get one through your own methods and provide it, Caddy can’t serve an IP address with valid HTTPS. In fact, using an IP address as the hostname for your site will disable Automatic HTTPS.

The other thing you should know is that if Caddy receives a HTTPS request for a site it doesn’t serve, it will refuse to send a HTTPS certificate, which will break TLS negotiation and cause your browser to show an error.

Now you’ve got, realistically, two options:

Start browsing to mydomain.example.com instead of your IP.
Change your Caddyfile to serve your IP address with a self-signed certificate.

The latter looks like this:

99.241.42.221 {
  tls self_signed
}

Or, if you’re not using a Caddyfile, you can invoke Caddy like this to achieve the same result:

caddy -host 99.241.42.221 "tls self_signed"

This still won’t be valid, but Caddy will serve the site when you browse to https://99.241.42.221, so you’ll need to click through a browser warning about the invalid certificate.

xpt · May 13, 2019, 3:12am

Thank you @Whitestrake for your extremely comprehensive explanation.

Now I felt guilty for not having posted the full log, which shows that everything looks good from the log.

… (no) valid HTTPS certificates issued for IP addresses…using an IP address as the hostname for your site will disable Automatic HTTPS

Gotya. THX a lot!

system · August 11, 2019, 3:12am

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.