Tls internal not working

1. The problem I’m having:

I am trying to run caddy with tls internal on nixOS. Instead of just getting an “untrusted cert” problem I get an internal error.

curl -k https://localhost -i -H "Host:"
curl: (35) OpenSSL/3.0.12: error:0A000438:SSL routines::tlsv1 alert internal error

Given it’s a systemd service on nixOS - I am not quite sure how to run caddy trust exactly.

Also I don’t understand why it would be required if I am OK for testing with self-signed certs.

2. Error messages and/or full log output:

Dec 02 16:23:17 nixos systemd[1]: Starting Caddy...
Dec 02 16:23:17 nixos caddy[898]: {"level":"info","ts":1701534197.8684616,"msg":"using provided configuration","confi>
Dec 02 16:23:17 nixos caddy[898]: {"level":"info","ts":1701534197.886671,"msg":"warning: \"certutil\" is not availabl>
Dec 02 16:23:17 nixos caddy[898]: {"level":"info","ts":1701534197.8866982,"msg":"define JAVA_HOME environment variabl>
Dec 02 16:23:17 nixos caddy[898]: {"level":"error","ts":1701534197.8867226,"logger":"","msg":"failed to i>

3. Caddy version:

caddy version

4. How I installed and ran Caddy:

a. System environment:

nix-shell -p nix-info --run "nix-info -m"
 - system: `"aarch64-linux"`
 - host os: `Linux 6.1.63, NixOS, 24.05 (Uakari), 24.05.20231124.5a09cb4`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.19.1`
 - channels(root): `"nixos-23.05"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

b. Command:

This is what systemd seems to be running (from ps)

/nix/store/abhnrp893q8nwgzb8lhrv5gladdinn0m-caddy-2.7.5/bin/caddy run --config /etc/caddy/caddy_config --adapter caddyfile

c. Service/unit/compose file:

$ systemctl show -p FragmentPath caddy

$ cat /etc/systemd/system/caddy.service


ExecStart=/nix/store/abhnrp893q8nwgzb8lhrv5gladdinn0m-caddy-2.7.5/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/nix/store/abhnrp893q8nwgzb8lhrv5gladdinn0m-caddy-2.7.5/bin/caddy reload --config /etc/caddy/Caddyfile --force


d. My complete Caddy config:

	log {
		level ERROR
} {
	log {
		output file /var/log/caddy/

	respond "OK"
	tls internal

5. Links to relevant resources:

The problem is you’re making a request which has localhost in TLS SNI, so Caddy is trying to find a certificate for localhost and doesn’t find one.

You should use the --resolve option to fix this:

curl -k --resolve

Aaaargh! Sneaky - and now makes sense.
@francislavoie to the rescues once again :slight_smile: Thanks!

One thing I still cannot figure out from the docs:
Why would the internal root CA need to be registered to be trusted - or as seems not at all after all. Isn’t this all about who the client trust?

I found that part a little confusing when reading through the docs.

Yes, and adding the CA’s root cert to your system’s trust store is how you get clients on your local machine to trust the server. Clients read from the system’s trust store.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.