Tls: client offered only unsupported versions: [301]

1. My Caddy version (caddy version):

v2.0.0-rc.3 docker caddy:alpine

2. How I run Caddy:

docker run -d --name dev_caddy -p 80:80 -p 443:443 -p 2019:2019 -v $PWD/Caddyfile:/etc/caddy/Caddyfile -v dev_caddy:/data caddy:alpine

a. System environment:

Centos 7
Docker version 19.03.6, build 369ce74a3c

d. My complete Caddyfile or JSON config:

redserver.chuk.domain.com {
  reverse_proxy {
    to https://redserver.chuk.domain.local
    transport http {
      tls
      tls_insecure_skip_verify
    }
  }
}

srv07.domain.com {
  reverse_proxy {
    to https://148.xx.xx.xx
    transport http {
      tls_insecure_skip_verify
    }
  }
}

wac.domain.com {
  reverse_proxy {
    to https://10.200.20.10
    transport http {
      tls_insecure_skip_verify
    }
  }
}

3. The problem I’m having:

wac.domain.com is not accessible:
" This site can’t provide a secure connection"

4. Error messages and/or full log output:

http: TLS handshake error from 95.xx.xx.28:50955: tls: client offered only unsupported versions: [301]
http: TLS handshake error from 95.xx.xx.28:50956: EOF

5. What I already tried:

I tried:
tls {protocols tls1.0}, but “tls1.0” is an unsupported directive

Site wac.domain.com uses a self-signed certificate and works without Caddy (in the intranet).
WAC is the latest Windows Admin Center (Server 2019) with NTLM auth.
$ echo | openssl s_client -connect 10.200.20.10:443 -tls1_2 2>&1 | grep Protocol
Protocol : TLSv1.2
I use Microsoft Edge or Google Chrome

Hi @thdonatello, welcome to the Caddy community.

Per the v2 tls directive docs: tls (Caddyfile directive) — Caddy Documentation

The correct usage should be:

example.com {
  tls {
    protocols tls1.0
  }
}

Edit: I’m informed Caddy v2 does not support TLS 1.0 at all, so the above will not work.

(See: caddy/modules/caddytls/values.go at d322de6b429e9f0bc589880b53373975dabcb997 · caddyserver/caddy · GitHub)

The error you’re getting:

indicates you may have put the directive in the wrong place. The tls directive must be within a site configuration block.
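The log line in the first post comes straight from Go's crypto/tls, the library Caddy is built on: the server prints the protocol versions the client offered (0x0301 is TLS 1.0) and aborts the handshake when none of them reaches its minimum. The Go program below is an added example written for this thread, not Caddy's code and not something any poster ran; it performs one handshake over an in-memory pipe between a server whose floor is TLS 1.2 and a client capped at a chosen version, so you can see the same error text without touching a live server. The hostname and the self-signed certificate it uses are constructed for the demo.

```go
package main

// Added example (not from the Caddy project): reproduces the handshake error
// from the thread with Go's crypto/tls. The hostname and certificate below
// are constructed for this demo only.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway ECDSA certificate so the demo runs offline.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "wac.example.invalid"}, // constructed name
		DNSNames:     []string{"wac.example.invalid"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// ServerHandshakeError runs one handshake over an in-memory pipe between a
// server that requires TLS 1.2 or newer and a client whose highest offered
// version is clientMax (0x0301 = TLS 1.0, 0x0303 = TLS 1.2). It returns the
// server-side error text, or "" when the handshake completes.
func ServerHandshakeError(clientMax uint16) string {
	cert, err := selfSignedCert()
	if err != nil {
		return err.Error()
	}
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12, // the floor the server enforces
	}
	clientCfg := &tls.Config{
		ServerName:         "wac.example.invalid",
		InsecureSkipVerify: true,             // demo only: the cert has no CA
		MinVersion:         tls.VersionTLS10, // lets a legacy client exist at all
		MaxVersion:         clientMax,
	}

	clientSide, serverSide := net.Pipe()
	done := make(chan struct{})
	go func() {
		// The client's own result is not the point here; in the failing
		// case it sees "remote error: tls: protocol version".
		_ = tls.Client(clientSide, clientCfg).Handshake()
		clientSide.Close() // close the raw pipe end; no close_notify needed
		close(done)
	}()

	err = tls.Server(serverSide, serverCfg).Handshake()
	serverSide.Close()
	<-done
	if err != nil {
		return err.Error()
	}
	return ""
}

func main() {
	fmt.Printf("TLS 1.0-only client: %q\n", ServerHandshakeError(tls.VersionTLS10))
	fmt.Printf("TLS 1.2 client:      %q\n", ServerHandshakeError(tls.VersionTLS12))
}
```

Run with `go run`: the TLS 1.0-only client produces the exact text from the thread's log, "tls: client offered only unsupported versions: [301]", while the TLS 1.2 client completes the handshake with no error. The decision is made on the version list alone, before any certificate or cipher suite is considered, which is why the fix lives on the client side: the server has no TLS 1.0 to turn on, so the browser (or whatever is connecting from 95.xx.xx.28) has to offer TLS 1.2 or 1.3.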

Ok! And how do I make this work with caddy?
It works well without caddy.

Upgrade your client to use modern, secure TLS protocols.

Oh! Sorry, Caddy did not receive an LE certificate :frowning:
Thank you!
