Tls internal in docker with hostname yields "no certificate available for 'DOMAIN'"

1. Caddy version (caddy version): 2.4.0

2. How I run Caddy: I build a docker image from the caddy:2.4.0 base image, install certutils then copy my Caddyfile to /etc/caddy/Caddyfile

a. System environment: Docker on Ubuntu 20.04

b. Command:

caddy run

c. Service/unit/compose file:

FROM caddy:2.4.0
RUN apk add nss-tools
COPY configurations/Caddyfile /etc/caddy/Caddyfile

d. My complete Caddyfile or JSON config:

{
	admin off
	auto_https off
}

* {
	tls internal
}

DOMAIN {
	tls internal
	reverse_proxy my_service:80
}

3. The problem I’m having:

I’m getting 2021/05/21 14:04:05 http: TLS handshake error from no certificate available for ''

4. Error messages and/or full log output:

* Rebuilt URL to:
*   Trying
* Connected to ( port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, Server hello (2):
* error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
* stopped the pause stream!
* Closing connection 0
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

5. What I already tried:

I tried everything I could find on this forum.

6. Links to relevant resources:

The address * only matches a single label of a hostname, so it would match localhost or foo but it does not cross . boundaries. Using https:// is probably closer to what you want.

If you turn off auto_https, then you’re also turning off tls internal, so remove this. What you probably want instead is to use the local_certs global option which overrides all sites globally to use the internal issuer (which means you don’t need tls internal on each site).
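The corrected Caddyfile that the two points above lead to, shown next to the original's broken global block, as an added example rather than config from the thread itself. `DOMAIN` stands in for the real hostname (as in the topic title) and `my_service:80` is the upstream from the original post; both are assumptions, as is the comparison comment showing the old settings.

```caddyfile
# Global options.
# Original (broken):
#   {
#     admin off
#     auto_https off   <- disables automatic HTTPS, which also disables
#                         the internal issuer, so "tls internal" has no
#                         certificate to hand out and the handshake fails
#   }
# Corrected: keep HTTPS on, and let local_certs switch every site to the
# internal CA globally, so no per-site "tls internal" is needed.
{
	admin off
	local_certs
}

# Site block keyed on the real hostname (DOMAIN is a placeholder).
# "*" would not match here: a wildcard stands for exactly one label and
# never crosses a "." boundary, so it matches "localhost" or "foo" but
# not "app.example.internal".
DOMAIN {
	reverse_proxy my_service:80
}

# Alternative catch-all, if you want every HTTPS request served regardless
# of the hostname the client sent (what the reply above calls "https://"):
# https:// {
# 	reverse_proxy my_service:80
# }
```

Because the certificate is issued by Caddy's own local CA, a client only trusts it if it trusts that root. Inside the official image the data directory is `/data`, so the root lives at `/data/caddy/pki/authorities/local/root.crt` (assumed from the image's default `XDG_DATA_HOME`); copy it out of the container and pass it to `curl --cacert root.crt https://DOMAIN`, or run `caddy trust` where `nss-tools` is installed. A handshake that still returns `internal error` after this change usually means the SNI sent by the client does not match any site address in the Caddyfile.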

That worked, thanks!
