Tls (on_demand) raises an untrackable error

1. Caddy version (caddy version):

Tried on 2.0.0, 2.1.1, 2.2.0

2. How I run Caddy:

a. System environment:

Mac OS Catalina version 10.15.4

b. Command:

caddy run

c. Service/unit/compose file:

paste full file contents here

d. My complete Caddyfile or JSON config:



https:// {

	tls {
	
		on_demand
	
				
	}
	
	route /monopiny/media/* {
		
		root * /statics
		file_server
		
	}
	
	route /* {
		reverse_proxy { 
			to 127.0.0.1:3000
			header_up Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0"
			header_up Host {http.request.host}
			header_up X-Real-IP {http.request.remote}
			header_up X-Forwarded-For {http.request.remote}
			header_up X-Forwarded-Port {http.request.port}
			header_up X-Forwarded-Proto {http.request.scheme}
		}
	}

}


3. The problem I’m having:

I am trying to use the ‘catch all domains’ as my website allows users to use their custom domain, and they need automatic certificates, but it does catch all the domain as you can see on the config file, but it doesn’t create a SSL. If I specify a domain name on the config file instead of just https:// or :443, it works, but when you do it like the config the error raises:

2020/09/04 23:29:53 http: TLS handshake error from 61.84.210.178:57673: no server TLS configuration available for ClientHello: &{CipherSuites:[6682 4865 4866 4867 49195 49199 49196 49200 52393 52392 49171 49172 156 157 47 53 10] ServerName:monopiny.net SupportedCurves:[10794 29 23 24] SupportedPoints:[0] SignatureSchemes:[1027 2052 1025 1283 2053 1281 2054 1537 513] SupportedProtos:[h2 http/1.1] SupportedVersions:[64250 772 771 770 769] Conn:0xc00069a230 config:0xc000602780}

I’ve seen on some threads on this community that this issue was fixed on the latest version of Caddy, but I tried on three different versions of Caddy, but it happens the same. I don’t know what I am missing as I am not accustomed to Go & Caddy. It doesn’t seem to be clear about this on any posts I’ve found on Google.

4. Error messages and/or full log output:

2020/09/04 23:29:53 http: TLS handshake error from 61.84.210.178:57673: no server TLS configuration available for ClientHello: &{CipherSuites:[6682 4865 4866 4867 49195 49199 49196 49200 52393 52392 49171 49172 156 157 47 53 10] ServerName:monopiny.net SupportedCurves:[10794 29 23 24] SupportedPoints:[0] SignatureSchemes:[1027 2052 1025 1283 2053 1281 2054 1537 513] SupportedProtos:[h2 http/1.1] SupportedVersions:[64250 772 771 770 769] Conn:0xc00069a230 config:0xc000602780}

5. What I already tried:

  1. I tried on multiple versions of Caddy: 2.0.0, 2.1.1, 2.2.0

6. Links to relevant resources:

Also, this issue is easy to reproduce. You may try this very basic config to see if that’s working:

* {

	tls {
	
		on_demand
	
				
	}
	
	respond "Hello, world!"
}

This looks similar to errors reported here:

https://github.com/caddyserver/caddy/issues/3670

@matt FYI

Thanks for the information. I’ve already checked this a while ago, and there seems to be no answers ! :blush: I wish he’d left a solution if he found one… I forgot to mention that I am trying to use main certificates that I have in the local server, as well as the ones automatically generated by Let’s encrypt for custom domains that my clients have.

I tried multiple settings to see, and eventually gave up setting a config using CaddyFile. Instead, I am working on the json format.

I noticed this is something to do with the custom certificates that I load into the config file. If I set tls_connection_policies in the config it doesn’t work, returning the client hello error, but omitting it makes it work.

Caddy seems to load the certificates even if I omit “tls_connection_policies”. Does Caddy automatically detect certificates, and load it onto the client?

{
  "tls": {
    "certificates": {
      "load_files": [
        {
          "certificate": "cert.crt",
          "key": "cert.key",
          "tags": [
            "cert1"
          ]
        }
      ]
    },
    "automation": {
      "policies": [
        {
          "on_demand": true
        }
      ]
    }
  }
}
1 Like

What are the respective configs for these behaviors?

"tls_connection_policies" is independent of loading certificates. Connection policies only specify how to handle TLS connections with clients (including cipher suites, client auth, and certificates to present to the client, etc). Loading and managing certificates is separate, which is configured through "tls/certificates" and "tls/automation" keys of the JSON config, as your config above shows. These establish how Caddy loads certificates it can use and how it will automate them.

This topic was automatically closed after 30 days. New replies are no longer allowed.