I have caddy set up on an ec2 instance to proxy incoming https requests to a hasura graphql server I also have running on this same ec2 instance.
But for some reason, I am getting a TLS handshake error when trying to make POST requests to this server.
1. My Caddy version (caddy version):
abiosoft/caddy:latest docker image
2. How I run Caddy:
a. System environment:
OS: Ubuntu 18.04.3 LTS
Docker version 19.03.6, build 369ce74a3c
b. Command:
docker-compose -f docker-compose.yaml.combined up -d
c. Service/unit/compose file:
My dockerfile: docker-compose.yaml.combined
# docker-compose.yaml.combined (indentation restored; values are as posted)
version: '2'
services:
  graphql-engine:
    image: hasura/graphql-engine:latest
    restart: always
    environment:
      # RDS connection string; "postgres:postgres" here is the posted placeholder credential
      HASURA_GRAPHQL_DATABASE_URL: postgres://postgres:postgres@name.number.us-west-1.rds.amazonaws.com:5432/
      # Hasura admin credential; "accesskey" is a placeholder value, not the real key
      HASURA_GRAPHQL_ACCESS_KEY: accesskey
    command:
      - graphql-engine
      - serve
      - --enable-console
  caddy:
    image: abiosoft/caddy:latest
    depends_on:
      - "graphql-engine"
    restart: always
    ports:
      # 80 is needed for the HTTP-01 ACME challenge, 443 for the proxied HTTPS traffic
      - "80:80"
      - "443:443"
    volumes:
      - ./Caddyfile:/etc/Caddyfile
      # persists the Let's Encrypt account and certificates across container restarts
      - caddy_certs:/root/.caddy
volumes:
  caddy_certs:
d. My complete Caddyfile or JSON config:
# Caddy v1 syntax: one site block, terminating TLS for api.destinyload.com and
# forwarding everything to the graphql-engine service on the compose network
https://api.destinyload.com {
    proxy / graphql-engine:8080 {
        websocket
    }
}
3. The problem I’m having:
When I make a graphql API call from my web frontend running at https://destinyload.com (this is running on a render.com server, which is a server infrastructure service like heroku), the POST request fails with ERR_SSL_PROTOCOL_ERROR.
4. Error messages and/or full log output:
docker logs <caddy docker id>
Activating privacy features...
2020/04/03 03:45:11 [INFO][cache:0xc0000327d0] Started certificate maintenance routine
2020/04/03 03:45:12 [INFO][api.destinyload.com] Obtain certificate
2020/04/03 03:45:12 [INFO] [api.destinyload.com] acme: Obtaining bundled SAN certificate
2020/04/03 03:45:12 [INFO] [api.destinyload.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3728777426
2020/04/03 03:45:12 [INFO] [api.destinyload.com] acme: Could not find solver for: tls-alpn-01
2020/04/03 03:45:12 [INFO] [api.destinyload.com] acme: use http-01 solver
2020/04/03 03:45:12 [INFO] [api.destinyload.com] acme: Trying to solve HTTP-01
2020/04/03 03:45:12 [INFO] [api.destinyload.com] Served key authentication
2020/04/03 03:45:12 [INFO] [api.destinyload.com] Served key authentication
2020/04/03 03:45:12 [INFO] [api.destinyload.com] Served key authentication
2020/04/03 03:45:12 [INFO] [api.destinyload.com] Served key authentication
2020/04/03 03:45:19 [INFO] [api.destinyload.com] The server validated our request
2020/04/03 03:45:19 [INFO] [api.destinyload.com] acme: Validations succeeded; requesting certificates
2020/04/03 03:45:19 [INFO] [api.destinyload.com] Server responded with a certificate.
done.
Serving HTTPS on port 443
https://api.destinyload.com
2020/04/03 03:45:20 [INFO] Serving https://api.destinyload.com
Serving HTTP on port 80
http://api.destinyload.com
2020/04/03 03:45:20 [INFO] Serving http://api.destinyload.com
2020/04/03 03:45:20 [WARNING] Sending telemetry (attempt 1): Post https://telemetry.caddyserver.com/v1/update/bf83e9bc-88b6-4d7f-9a99-ba28c007315a: dial tcp: lookup telemetry.caddyserver.com on 127.0.0.11:53: no such host - backing off and retrying
2020/04/03 03:45:28 [WARNING] Sending telemetry (attempt 2): Post https://telemetry.caddyserver.com/v1/update/bf83e9bc-88b6-4d7f-9a99-ba28c007315a: dial tcp: lookup telemetry.caddyserver.com on 127.0.0.11:53: no such host - backing off and retrying
2020/04/03 03:45:47 http: TLS handshake error from 47.18.104.197:63319: no certificate available for 'ec2-3-101-39-189.us-west-1.compute.amazonaws.com'
2020/04/03 03:45:55 [WARNING] Sending telemetry (attempt 3): Post https://telemetry.caddyserver.com/v1/update/bf83e9bc-88b6-4d7f-9a99-ba28c007315a: dial tcp: lookup telemetry.caddyserver.com on 127.0.0.11:53: no such host - backing off and retrying
2020/04/03 03:46:59 [ERROR] Sending telemetry: Post https://telemetry.caddyserver.com/v1/update/bf83e9bc-88b6-4d7f-9a99-ba28c007315a: dial tcp: lookup telemetry.caddyserver.com on 127.0.0.11:53: no such host
5. What I already tried:
I don’t understand why it errs about no certificate available for ‘ec2-3-101-39-189.us-west-1.compute.amazonaws.com’. It should be looking for the cert from api.destinyload.com right? Why is it happening from amazonaws.com instead?
I already made sure that I set up the ANAME on my DNS to point api.destinyload.com to this EC2 instance’s ip.
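An added example, not from the post and not Caddy's own code. Caddy picks the certificate to present from the server name (SNI) the client sends in its ClientHello, so a log line reading "no certificate available for X" records that some client asked for X. The script below (Python; the names HANDSHAKE_RE, caddyfile_hosts, handshake_failures and unconfigured_names are my own choices, and it assumes the Caddy v1 log format shown in the post) parses the log for handshake failures, reads the site labels out of the posted Caddyfile, and separates two different situations: a client requesting a name this server does not serve at all (here, the EC2 public DNS name) versus a failure for a name that is configured, which would point at a missing or unissued certificate instead. The sample log is constructed: it contains the line from the post plus two made-up lines so both outcomes appear.

```python
import re
from collections import Counter

# Constructed sample input: the handshake-error line quoted in the post, plus two
# made-up lines (203.0.113.x is a documentation address) so both outcomes show up.
SAMPLE_LOG = [
    "2020/04/03 03:45:20 [INFO] Serving https://api.destinyload.com",
    "2020/04/03 03:45:47 http: TLS handshake error from 47.18.104.197:63319: "
    "no certificate available for 'ec2-3-101-39-189.us-west-1.compute.amazonaws.com'",
    "2020/04/03 03:50:02 http: TLS handshake error from 203.0.113.7:51000: "
    "no certificate available for 'www.destinyload.com'",
    "2020/04/03 03:51:10 http: TLS handshake error from 203.0.113.9:51002: "
    "no certificate available for 'api.destinyload.com'",
]

# The Caddyfile from the post (Caddy v1 syntax).
CADDYFILE = """
https://api.destinyload.com {
    proxy / graphql-engine:8080 {
        websocket
    }
}
"""

# Caddy v1 handshake failure line: timestamp, client addr:port, requested SNI name.
HANDSHAKE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) http: TLS handshake error from "
    r"(?P<client>\S+):(?P<port>\d+): no certificate available for '(?P<sni>[^']+)'$"
)

# A top-level site label: optional scheme, hostname, optional port, opening brace.
SITE_RE = re.compile(r"^\s*(?:https?://)?(?P<host>[A-Za-z0-9.*-]+)(?::\d+)?\s*\{")


def caddyfile_hosts(caddyfile):
    """Hostnames of the site blocks in a Caddy v1 Caddyfile.

    Only labels at brace depth 0 count, so directive blocks such as
    'proxy / ... {' inside a site are not mistaken for sites. Assumption:
    every site uses the 'label {' form; wildcard labels are kept verbatim.
    """
    hosts = set()
    depth = 0
    for line in caddyfile.splitlines():
        if depth == 0:
            m = SITE_RE.match(line)
            if m:
                hosts.add(m.group("host").lower())
        depth += line.count("{") - line.count("}")
    return hosts


def handshake_failures(log_lines, hosts):
    """Parse handshake failures and flag whether the requested name is served.

    configured=False: the client asked for a name no site block serves, so the
    fix is on the client side (wrong URL or DNS name), not in certificate issuance.
    configured=True: the name is a site here, so the certificate itself is missing.
    """
    out = []
    for line in log_lines:
        m = HANDSHAKE_RE.match(line.strip())
        if not m:
            continue
        sni = m.group("sni").lower()
        out.append({
            "ts": m.group("ts"),
            "client": m.group("client"),
            "sni": sni,
            "configured": sni in hosts,  # exact match; wildcards are not expanded
        })
    return out


def unconfigured_names(failures):
    """Count failures per requested name that no site block serves."""
    return dict(Counter(f["sni"] for f in failures if not f["configured"]))


if __name__ == "__main__":
    hosts = caddyfile_hosts(CADDYFILE)
    failures = handshake_failures(SAMPLE_LOG, hosts)
    print("sites served:", sorted(hosts))
    for f in failures:
        kind = "missing cert for a configured site" if f["configured"] \
            else "client requested an unserved name"
        print(f"{f['ts']} {f['client']} sni={f['sni']}: {kind}")
    print("unserved names requested:", unconfigured_names(failures))
```

Run it against a real capture with `docker logs <caddy docker id>` piped into SAMPLE_LOG's place. To reproduce the two outcomes by hand against a live server, `openssl s_client -connect <ip>:443 -servername api.destinyload.com` should complete the handshake while the same command with `-servername` set to the EC2 public DNS name produces exactly the logged error, because the Caddyfile only names api.destinyload.com.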