TLS handshake error that prevents Safari from connecting

1. The problem I’m having:

I have a webpage hosted on a remote machine. The webpage is exposed on an interface with the address 100.64.0.1. I obviously have a URL that redirects to this IP: it’s greenbone.security4media.ebu.io. If I try to connect directly over HTTP with the IP in the browser I have no problem, same if I use curl. From the debug output, it seems that this is a certificate problem on the Safari side.

2. Error messages and/or full log output:

2025/06/06 08:36:56.630	INFO	using adjacent Caddyfile
2025/06/06 08:36:56.631	WARN	Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies	{"adapter": "caddyfile", "file": "Caddyfile", "line": 10}
2025/06/06 08:36:56.632	INFO	admin	admin endpoint started	{"address": "localhost:2019", "enforce_origin": false, "origins": ["//127.0.0.1:2019", "//localhost:2019", "//[::1]:2019"]}
2025/06/06 08:36:56.633	INFO	http	server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS	{"server_name": "srv0", "https_port": 443}
2025/06/06 08:36:56.633	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
2025/06/06 08:36:56.633	INFO	tls.cache.maintenance	started background certificate maintenance	{"cache": "0xc00037ff10"}
2025/06/06 08:36:56.633	INFO	http	enabling HTTP/3 listener	{"addr": ":443"}
2025/06/06 08:36:56.633	INFO	tls	cleaning storage unit	{"description": "FileStorage:/home/attacker/.local/share/caddy"}
2025/06/06 08:36:56.634	INFO	failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 7168 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details.
2025/06/06 08:36:56.634	DEBUG	http	starting server loop	{"address": "[::]:443", "tls": true, "http3": true}
2025/06/06 08:36:56.634	INFO	http.log	server running	{"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2025/06/06 08:36:56.634	DEBUG	http	starting server loop	{"address": "[::]:80", "tls": false, "http3": false}
2025/06/06 08:36:56.634	INFO	http.log	server running	{"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2025/06/06 08:36:56.634	INFO	http	enabling automatic TLS certificate management	{"domains": ["greenbone.security4media.ebu.io"]}
2025/06/06 08:36:56.634	WARN	tls	stapling OCSP	{"error": "no OCSP stapling for [greenbone.security4media.ebu.io]: no OCSP server specified in certificate", "identifiers": ["greenbone.security4media.ebu.io"]}
2025/06/06 08:36:56.634	DEBUG	tls.cache	added certificate to cache	{"subjects": ["greenbone.security4media.ebu.io"], "expiration": "2025/06/06 20:31:55.000", "managed": true, "issuer_key": "local", "hash": "778476b81798ee635a29ad5c9e41c5a16f07435deb2ec20e3aaf2c683b22c964", "cache_size": 1, "cache_capacity": 10000}
2025/06/06 08:36:56.634	DEBUG	events	event	{"name": "cached_managed_cert", "id": "9de1258c-5b62-45f2-b829-6426f509aabe", "origin": "tls", "data": {"sans":["greenbone.security4media.ebu.io"]}}
2025/06/06 08:36:56.634	INFO	tls	finished cleaning storage units
2025/06/06 08:36:56.661	INFO	pki.ca.local	root certificate is already trusted by system	{"path": "storage:pki/authorities/local/root.crt"}
2025/06/06 08:36:56.661	INFO	autosaved config (load with --resume flag)	{"file": "/home/attacker/.config/caddy/autosave.json"}
2025/06/06 08:36:56.661	INFO	serving initial configuration
2025/06/06 08:36:59.789	DEBUG	events	event	{"name": "tls_get_certificate", "id": "d7e0deb7-c82a-4237-bec4-575ec024bebf", "origin": "tls", "data": {"client_hello":{"CipherSuites":[14906,4865,4866,4867],"ServerName":"greenbone.security4media.ebu.io","SupportedCurves":[10794,29,23,24,25],"SupportedPoints":null,"SignatureSchemes":[1027,2052,1025,1283,2053,2053,1281,2054,1537,513],"SupportedProtos":["h3"],"SupportedVersions":[51914,772],"Extensions":[23130,0,10,16,5,13,18,51,45,43,57,27,2570],"Conn":{}}}}
2025/06/06 08:36:59.789	DEBUG	tls.handshake	choosing certificate	{"identifier": "greenbone.security4media.ebu.io", "num_choices": 1}
2025/06/06 08:36:59.789	DEBUG	tls.handshake	default certificate selection results	{"identifier": "greenbone.security4media.ebu.io", "subjects": ["greenbone.security4media.ebu.io"], "managed": true, "issuer_key": "local", "hash": "778476b81798ee635a29ad5c9e41c5a16f07435deb2ec20e3aaf2c683b22c964"}
2025/06/06 08:36:59.789	DEBUG	tls.handshake	matched certificate in cache	{"remote_ip": "100.64.0.2", "remote_port": "50349", "subjects": ["greenbone.security4media.ebu.io"], "managed": true, "expiration": "2025/06/06 20:31:55.000", "hash": "778476b81798ee635a29ad5c9e41c5a16f07435deb2ec20e3aaf2c683b22c964"}
2025/06/06 08:36:59.821	DEBUG	events	event	{"name": "tls_get_certificate", "id": "533a23ab-a03e-4553-8139-19a461855f59", "origin": "tls", "data": {"client_hello":{"CipherSuites":[23130,4865,4866,4867,49196,49195,52393,49200,49199,52392,49162,49161,49172,49171,157,156,53,47,49160,49170,10],"ServerName":"greenbone.security4media.ebu.io","SupportedCurves":[47802,29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,2053,1281,2054,1537,513],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[19018,772,771,770,769],"Extensions":[10794,0,23,65281,10,11,16,5,13,18,51,45,43,27,43690,21],"Conn":{}}}}
2025/06/06 08:36:59.821	DEBUG	tls.handshake	choosing certificate	{"identifier": "greenbone.security4media.ebu.io", "num_choices": 1}
2025/06/06 08:36:59.821	DEBUG	tls.handshake	default certificate selection results	{"identifier": "greenbone.security4media.ebu.io", "subjects": ["greenbone.security4media.ebu.io"], "managed": true, "issuer_key": "local", "hash": "778476b81798ee635a29ad5c9e41c5a16f07435deb2ec20e3aaf2c683b22c964"}
2025/06/06 08:36:59.821	DEBUG	tls.handshake	matched certificate in cache	{"remote_ip": "100.64.0.2", "remote_port": "60689", "subjects": ["greenbone.security4media.ebu.io"], "managed": true, "expiration": "2025/06/06 20:31:55.000", "hash": "778476b81798ee635a29ad5c9e41c5a16f07435deb2ec20e3aaf2c683b22c964"}
2025/06/06 08:36:59.984	DEBUG	http.stdlib	http: TLS handshake error from 100.64.0.2:60689: remote error: tls: unknown certificate
2025/06/06 08:37:23.961	DEBUG	events	event	{"name": "tls_get_certificate", "id": "44495636-d0ee-46bb-8ba6-2c87e51d3222", "origin": "tls", "data": {"client_hello":{"CipherSuites":[56026,4865,4866,4867],"ServerName":"greenbone.security4media.ebu.io","SupportedCurves":[47802,29,23,24,25],"SupportedPoints":null,"SignatureSchemes":[1027,2052,1025,1283,2053,2053,1281,2054,1537,513],"SupportedProtos":["h3"],"SupportedVersions":[27242,772],"Extensions":[14906,0,10,16,5,13,18,51,45,43,57,27,64250],"Conn":{}}}}
2025/06/06 08:37:23.961	DEBUG	tls.handshake	choosing certificate	{"identifier": "greenbone.security4media.ebu.io", "num_choices": 1}
2025/06/06 08:37:23.961	DEBUG	tls.handshake	default certificate selection results	{"identifier": "greenbone.security4media.ebu.io", "subjects": ["greenbone.security4media.ebu.io"], "managed": true, "issuer_key": "local", "hash": "778476b81798ee635a29ad5c9e41c5a16f07435deb2ec20e3aaf2c683b22c964"}
2025/06/06 08:37:23.961	DEBUG	tls.handshake	matched certificate in cache	{"remote_ip": "100.64.0.2", "remote_port": "54084", "subjects": ["greenbone.security4media.ebu.io"], "managed": true, "expiration": "2025/06/06 20:31:55.000", "hash": "778476b81798ee635a29ad5c9e41c5a16f07435deb2ec20e3aaf2c683b22c964"}
2025/06/06 08:37:24.099	DEBUG	events	event	{"name": "tls_get_certificate", "id": "a90ba74c-3fc1-4df3-9210-40fcf8655add", "origin": "tls", "data": {"client_hello":{"CipherSuites":[31354,4865,4866,4867,49196,49195,52393,49200,49199,52392,49162,49161,49172,49171,157,156,53,47,49160,49170,10],"ServerName":"greenbone.security4media.ebu.io","SupportedCurves":[14906,29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,2053,1281,2054,1537,513],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[2570,772,771,770,769],"Extensions":[2570,0,23,65281,10,11,16,5,13,18,51,45,43,27,64250,21],"Conn":{}}}}
2025/06/06 08:37:24.099	DEBUG	tls.handshake	choosing certificate	{"identifier": "greenbone.security4media.ebu.io", "num_choices": 1}
2025/06/06 08:37:24.099	DEBUG	tls.handshake	default certificate selection results	{"identifier": "greenbone.security4media.ebu.io", "subjects": ["greenbone.security4media.ebu.io"], "managed": true, "issuer_key": "local", "hash": "778476b81798ee635a29ad5c9e41c5a16f07435deb2ec20e3aaf2c683b22c964"}
2025/06/06 08:37:24.100	DEBUG	tls.handshake	matched certificate in cache	{"remote_ip": "100.64.0.2", "remote_port": "60691", "subjects": ["greenbone.security4media.ebu.io"], "managed": true, "expiration": "2025/06/06 20:31:55.000", "hash": "778476b81798ee635a29ad5c9e41c5a16f07435deb2ec20e3aaf2c683b22c964"}
2025/06/06 08:37:24.144	DEBUG	http.stdlib	http: TLS handshake error from 100.64.0.2:60691: remote error: tls: unknown certificate
...

3. Caddy version:

2.6.2

4. How I installed and ran Caddy:

use apt package

a. System environment:

Kali GNU/Linux Rolling x86_64, systemd

b. Command:

caddy run

c. Service/unit/compose file:


d. My complete Caddy config:

```
{
	debug
}

greenbone.security4media.ebu.io {
	tls internal
	reverse_proxy 100.64.0.1:9392
	redir / /login
}
```

5. Links to relevant resources:

You didn’t say what the problem with Safari is, but it probably doesn’t trust the self-signed certificate you have asked Caddy to use with tls internal.

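To make the reply above checkable against the log rather than guessed, here is a small added triage script (not part of this thread or of Caddy) that reads Caddy debug output and separates the two facts the log actually states: the served certificate comes from the `local` issuer, and the "unknown certificate" alert is a *remote* error, i.e. sent by the client after it failed to validate that certificate. The sample lines are constructed and abridged from the kind of output shown above; hashes and ids are placeholders.

```python
import re
from collections import Counter

# Constructed, abridged sample of Caddy debug output (placeholder hash value).
SAMPLE_LOG = """\
2025/06/06 08:36:56.634\tDEBUG\ttls.cache\tadded certificate to cache\t{"subjects": ["greenbone.security4media.ebu.io"], "managed": true, "issuer_key": "local", "hash": "0000"}
2025/06/06 08:36:56.661\tINFO\tpki.ca.local\troot certificate is already trusted by system\t{"path": "storage:pki/authorities/local/root.crt"}
2025/06/06 08:36:59.984\tDEBUG\thttp.stdlib\thttp: TLS handshake error from 100.64.0.2:60689: remote error: tls: unknown certificate
2025/06/06 08:37:24.144\tDEBUG\thttp.stdlib\thttp: TLS handshake error from 100.64.0.2:60691: remote error: tls: unknown certificate
"""

# Go's crypto/tls prints "remote error" when the alert came from the peer and
# "local error" when the server itself aborted the handshake.
HANDSHAKE_RE = re.compile(
    r"TLS handshake error from (?P<ip>[\d.]+|\[[0-9a-f:]+\]):(?P<port>\d+): "
    r"(?P<side>remote|local) error: tls: (?P<alert>.+)$"
)
ISSUER_RE = re.compile(r'"issuer_key": "(?P<issuer>[^"]+)"')


def parse_handshake_errors(log: str) -> list:
    """Return (client_ip, side, alert) for every failed handshake in the log."""
    found = []
    for line in log.splitlines():
        m = HANDSHAKE_RE.search(line)
        if m:
            found.append((m.group("ip"), m.group("side"), m.group("alert").strip()))
    return found


def served_issuers(log: str) -> set:
    """Which issuers produced the certificates Caddy cached and served."""
    return {m.group("issuer") for m in ISSUER_RE.finditer(log)}


def diagnose(log: str) -> dict:
    """Correlate client-side rejections with the issuer of the served cert."""
    errors = parse_handshake_errors(log)
    # "unknown certificate" sent by the remote side = the client could not
    # validate the chain it received; count rejections per client address.
    rejecting = Counter(ip for ip, side, alert in errors
                        if side == "remote" and alert == "unknown certificate")
    issuers = served_issuers(log)
    # This line only says the *server host* trusts the local CA root;
    # it says nothing about the browser's machine.
    server_trusts_root = "root certificate is already trusted by system" in log
    verdict = None
    if rejecting and "local" in issuers:
        verdict = ("clients rejected a certificate issued by Caddy's local CA: "
                   "install the local root.crt on the client machine or use a public CA")
    return {"clients_rejecting_cert": dict(rejecting), "issuers": issuers,
            "server_host_trusts_root": server_trusts_root, "verdict": verdict}
```

Run `diagnose(open("caddy.log").read())` on a real debug log; a non-empty `clients_rejecting_cert` with issuer `local` is the signature of this thread's problem, regardless of whether the server host itself trusts the root.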

My bad. On Safari the page just keeps loading for a very long time before showing me "Safari can’t open the […] because the server unexpectedly dropped the connection."