Tls internal in docker with hostname yields "no certificate available for 'DOMAIN'"

Help
1

1. Caddy version (caddy version): 2.4.0

2. How I run Caddy: I build a docker image from the caddy:2.4.0 base image, install certutils then copy my Caddyfile to /etc/caddy/Caddyfile

a. System environment: Docker on Ubuntu 20.04

b. Command:

caddy run

c. Service/unit/compose file:

FROM caddy:2.4.0
RUN apk add nss-tools
COPY configurations/Caddyfile /etc/caddy/Caddyfile

d. My complete Caddyfile or JSON config:

{
	debug
	admin off
	auto_https off
}

* {
	tls internal
}

my-domain-name.com {
	tls internal
	reverse_proxy my_service:80
}

3. The problem I’m having:

I’m getting 2021/05/21 14:04:05 http: TLS handshake error from 192.168.0.233:48470: no certificate available for 'my-domain-name.com'

4. Error messages and/or full log output:

* Rebuilt URL to: https://my-domain-name.com/
*   Trying 192.168.0.231...
* TCP_NODELAY set
* Connected to my-domain-name.com (192.168.0.231) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, Server hello (2):
* error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
* stopped the pause stream!
* Closing connection 0
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

5. What I already tried:

I tried everything I could find on this forum.

6. Links to relevant resources:

2

The address * only matches a single label of a hostname, so it would match localhost or foo but it does not cross . boundaries. Using https:// is probably closer to what you want.

If you turn off auto_https, then you’re also turning off tls internal, so remove this. What you probably want instead is to use the local_certs global option which overrides all sites globally to use the internal issuer (which means you don’t need tls internal on each site).

3

That worked, thanks!

1 Like
4

This topic was automatically closed after 30 days. New replies are no longer allowed.