Tls (on_demand) raises an untrackable error

1. Caddy version (caddy version):

Tried on 2.0.0, 2.1.1, 2.2.0

2. How I run Caddy:

a. System environment:

Mac OS Catalina version 10.15.4

b. Command:

caddy run

c. Service/unit/compose file:


d. My complete Caddyfile or JSON config:



https:// {
	tls {
		on_demand
	}

	route /monopiny/media/* {
		root * /statics
		file_server
	}

	route /* {
		reverse_proxy {
			to 127.0.0.1:3000
			header_up Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0"
			header_up Host {http.request.host}
			header_up X-Real-IP {http.request.remote}
			header_up X-Forwarded-For {http.request.remote}
			header_up X-Forwarded-Port {http.request.port}
			header_up X-Forwarded-Proto {http.request.scheme}
		}
	}
}


3. The problem I'm having:

I am trying to use the 'catch all domains' approach, as my website allows users to use their custom domains and they need automatic certificates. It does catch all domains, as you can see in the config file, but it doesn't create an SSL certificate. If I specify a domain name in the config file instead of just https:// or :443, it works, but when you do it like the config above, the error is raised:

2020/09/04 23:29:53 http: TLS handshake error from 61.84.210.178:57673: no server TLS configuration available for ClientHello: &{CipherSuites:[6682 4865 4866 4867 49195 49199 49196 49200 52393 52392 49171 49172 156 157 47 53 10] ServerName:monopiny.net SupportedCurves:[10794 29 23 24] SupportedPoints:[0] SignatureSchemes:[1027 2052 1025 1283 2053 1281 2054 1537 513] SupportedProtos:[h2 http/1.1] SupportedVersions:[64250 772 771 770 769] Conn:0xc00069a230 config:0xc000602780}

I've seen in some threads on this community that this issue was fixed in the latest version of Caddy, but I tried three different versions of Caddy and the same thing happens. I don't know what I am missing, as I am not accustomed to Go and Caddy. None of the posts I've found on Google seem to be clear about this.

4. Error messages and/or full log output:

2020/09/04 23:29:53 http: TLS handshake error from 61.84.210.178:57673: no server TLS configuration available for ClientHello: &{CipherSuites:[6682 4865 4866 4867 49195 49199 49196 49200 52393 52392 49171 49172 156 157 47 53 10] ServerName:monopiny.net SupportedCurves:[10794 29 23 24] SupportedPoints:[0] SignatureSchemes:[1027 2052 1025 1283 2053 1281 2054 1537 513] SupportedProtos:[h2 http/1.1] SupportedVersions:[64250 772 771 770 769] Conn:0xc00069a230 config:0xc000602780}

5. What I already tried:

  1. I tried on multiple versions of Caddy: 2.0.0, 2.1.1, 2.2.0

6. Links to relevant resources:

Also, this issue is easy to reproduce. You may try this very basic config to see if that's working:

* {
	tls {
		on_demand
	}

	respond "Hello, world!"
}

This looks similar to errors reported here:

https://github.com/caddyserver/caddy/issues/3670

@matt FYI

Thanks for the information. I've already checked this a while ago, and there seem to be no answers! :blush: I wish he'd left a solution if he found one… I forgot to mention that I am trying to use main certificates that I have on the local server, as well as the ones automatically generated by Let's Encrypt for the custom domains that my clients have.

I tried multiple settings, and eventually gave up on setting up a config using a Caddyfile. Instead, I am working on the JSON format.

I noticed this has something to do with the custom certificates that I load in the config file. If I set tls_connection_policies in the config it doesn't work, returning the ClientHello error, but omitting it makes it work.

Caddy seems to load the certificates even if I omit "tls_connection_policies". Does Caddy automatically detect certificates and load them onto the client?

{
  "tls": {
    "certificates": {
      "load_files": [
        {
          "certificate": "cert.crt",
          "key": "cert.key",
          "tags": [
            "cert1"
          ]
        }
      ]
    },
    "automation": {
      "policies": [
        {
          "on_demand": true
        }
      ]
    }
  }
}

What are the respective configs for these behaviors?

"tls_connection_policies" is independent of loading certificates. Connection policies only specify how to handle TLS connections with clients (including cipher suites, client auth, and certificates to present to the client, etc). Loading and managing certificates is separate, which is configured through "tls/certificates" and "tls/automation" keys of the JSON config, as your config above shows. These establish how Caddy loads certificates it can use and how it will automate them.
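As an added illustration of the separation described in this reply (not config posted by anyone in the thread), here is a complete JSON config that puts all three pieces together: the loaded certificate (tls/certificates), on-demand automation for every other name (tls/automation), and connection policies that decide what is presented to each ClientHello. `example.com` is a placeholder for the operator's own domain; `cert.crt`, `cert.key` and the tag `cert1` are taken from the config above.

```json
{
  "apps": {
    "http": {
      "servers": {
        "srv0": {
          "listen": [":443"],
          "routes": [
            {
              "handle": [
                { "handler": "static_response", "body": "Hello, world!" }
              ]
            }
          ],
          "tls_connection_policies": [
            {
              "match": { "sni": ["example.com"] },
              "certificate_selection": { "any_tag": ["cert1"] }
            },
            {}
          ]
        }
      }
    },
    "tls": {
      "certificates": {
        "load_files": [
          { "certificate": "cert.crt", "key": "cert.key", "tags": ["cert1"] }
        ]
      },
      "automation": {
        "policies": [
          { "on_demand": true }
        ]
      }
    }
  }
}
```

The first policy only matches ClientHellos whose SNI is example.com and presents the manually loaded certificate; the second, empty policy matches every other ClientHello, so those names fall through to the on-demand automation policy. A ClientHello that matches no connection policy at all is what makes Caddy log the "no server TLS configuration available for ClientHello" error quoted earlier, which is why a policy list that only matches specific SNIs needs a catch-all entry.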
