tcurdt
December 2, 2023, 5:32pm
1
I am trying to run caddy with tls internal on nixOS. Instead of just getting an “untrusted cert” problem I get an internal error.
curl -k https://localhost -i -H "Host: example.org"
curl: (35) OpenSSL/3.0.12: error:0A000438:SSL routines::tlsv1 alert internal error
Given it’s a systemd service on nixOS - I am not quite sure how to run caddy trust exactly.
Also I don’t understand why it would be required if I am OK for testing with self-signed certs.
Dec 02 16:23:17 nixos systemd[1]: Starting Caddy...
Dec 02 16:23:17 nixos caddy[898]: {"level":"info","ts":1701534197.8684616,"msg":"using provided configuration","confi>
Dec 02 16:23:17 nixos caddy[898]: {"level":"info","ts":1701534197.886671,"msg":"warning: \"certutil\" is not availabl>
Dec 02 16:23:17 nixos caddy[898]: {"level":"info","ts":1701534197.8866982,"msg":"define JAVA_HOME environment variabl>
Dec 02 16:23:17 nixos caddy[898]: {"level":"error","ts":1701534197.8867226,"logger":"pki.ca.local","msg":"failed to i>
caddy version
2.6.4
opened 11:22PM - 26 Nov 23 UTC
0.kind: bug
### Describe the bug
### Steps To Reproduce
Steps to reproduce the behav… ior:
1.
```
{ config, pkgs, ... }:
{
services.caddy = {
enable = true;
virtualHosts."example.org" = {
extraConfig = ''
respond "Hello, world!"
tls internal
'';
};
};
}
```
2.
```
curl -k -i -H "Host: example.org" https://localhost
curl: (35) OpenSSL/3.0.12: error:0A000438:SSL routines::tlsv1 alert internal error
```
### Expected behavior
The command `curl -k -i -H "Host: example.org" https://localhost` should return "Hello, world!".
### Screenshots
```
journalctl -u caddy
Nov 26 23:49:42 debian12arm systemd[1]: /nix/store/g5pvwdqa0ccyck8w8gvx60kzgr51zxc1-system-units/caddy.service.d/overrides.conf:22: Unknown key name 'RestartSecs' in section 'Service', ignoring.
Nov 26 23:49:43 debian12arm systemd[1]: Starting Caddy...
Nov 26 23:49:43 debian12arm caddy[18756]: {"level":"info","ts":1701038983.2202404,"msg":"using provided configuration","config_file":"/etc/caddy/caddy_config","config_adapter":"caddyfile"}
Nov 26 23:49:43 debian12arm caddy[18756]: {"level":"info","ts":1701038983.2356768,"msg":"warning: \"certutil\" is not available, install \"certutil\" with \"apt install libnss3-tools\" or \"yum install nss-tools\">
Nov 26 23:49:43 debian12arm caddy[18756]: {"level":"info","ts":1701038983.2357092,"msg":"define JAVA_HOME environment variable to use the Java trust"}
Nov 26 23:49:43 debian12arm caddy[18756]: {"level":"error","ts":1701038983.2357378,"logger":"pki.ca.local","msg":"failed to install root certificate","error":"install is not supported on this system","certificate_>
Nov 26 23:49:43 debian12arm systemd[1]: Started Caddy.
```
### Notify maintainers
cc @fpletz @flokli @andir @Mic92 ?
### Metadata
```console
nix-shell -p nix-info --run "nix-info -m"
- system: `"aarch64-linux"`
- host os: `Linux 6.1.63, NixOS, 24.05 (Uakari), 24.05.20231124.5a09cb4`
- multi-user?: `yes`
- sandbox: `yes`
- version: `nix-env (Nix) 2.19.1`
- channels(root): `"nixos-23.05"`
- nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`
```
### Priorities
Add a :+1: [reaction] to [issues you find important].
[reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
[issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc
nix-shell -p nix-info --run "nix-info -m"
- system: `"aarch64-linux"`
- host os: `Linux 6.1.63, NixOS, 24.05 (Uakari), 24.05.20231124.5a09cb4`
- multi-user?: `yes`
- sandbox: `yes`
- version: `nix-env (Nix) 2.19.1`
- channels(root): `"nixos-23.05"`
- nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`
This is what systemd seems to be running (from ps)
/nix/store/abhnrp893q8nwgzb8lhrv5gladdinn0m-caddy-2.7.5/bin/caddy run --config /etc/caddy/caddy_config --adapter caddyfile
$ systemctl show -p FragmentPath caddy
FragmentPath=/etc/systemd/system/caddy.service
$ cat /etc/systemd/system/caddy.service
[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target
[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/nix/store/abhnrp893q8nwgzb8lhrv5gladdinn0m-caddy-2.7.5/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/nix/store/abhnrp893q8nwgzb8lhrv5gladdinn0m-caddy-2.7.5/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
{
log {
level ERROR
}
}
example.org {
log {
output file /var/log/caddy/access-example.org.log
}
respond "OK"
tls internal
}
The problem is you’re making a request which has localhost in TLS SNI, so Caddy is trying to find a certificate for localhost and doesn’t find one.
You should use the --resolve option to fix this:
curl -k --resolve example.org:443:127.0.0.1 https://example.org
tcurdt
December 2, 2023, 8:26pm
3
Aaaargh! Sneaky - and now makes sense.@francislavoie to the rescues once again
One thing I still cannot figure out from the docs:
I found that part a little confusing when reading through the docs.
Yes, and adding the CA’s root cert to your system’s trust store is how you get clients on your local machine to trust the server. Clients read from the system’s trust store.
1 Like
system
January 1, 2024, 9:46pm
5
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.
Thanks!