Tls self_signed not working


(Mk20158) #1

I have multiple servers at my house that I want to access remotely. Some are HTTP, some are HTTPS, and the ports are scattered all over the place (8000, 8443, etc.).

I am currently trying to set up access to my Nagios server (which is HTTPS).

My server is only accessible from my work location, so it is not publicly facing at all.

When I try to connect to the site over HTTPS, the Caddy log says no certs configured:

root@caddy:~# openssl s_client -host localhost -port 2015
CONNECTED(00000003)
(Caddy log) 2019/01/09 07:52:25 http: TLS handshake error from 127.0.0.1:55014: tls: no certificates configured
(OpenSSL error) 140633690333632:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:../ssl/record/rec_layer_s3.c:1399:SSL alert number 80

The question is: how do I fix this, and how do I set it up as a subdomain?

Here is my Caddyfile:

*.localhost
tls self_signed
proxy / https://10.1.20.100 {
        insecure_skip_verify
}

I


(Matthew Fay) #2

With the command you used:

openssl s_client -host localhost -port 2015

you have not indicated the server name.

Caddy uses SNI to determine which certificate to serve, and later versions refuse to offer a certificate for an unconfigured hostname.

Try instead:

openssl s_client -connect localhost:2015 -servername foo.localhost
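
The SNI dependence described in this reply, as an added example in Go that is not code from the thread or from Caddy itself. Caddy is written in Go, and the "tls: no certificates configured" line in the log above is crypto/tls's own error, raised when the server's GetCertificate callback finds nothing for the requested name and no static certificates are configured. The example mints a self-signed certificate for `*.localhost` in memory, serves it only when the ClientHello's SNI matches a configured site address, and then probes the listener the three ways this thread does: with no SNI at all, with a matching name, and with an unconfigured name. The loopback listener, the site list and the `matchHost` matcher are my own assumptions for the demo, not Caddy's implementation; newer Go versions answer a missing certificate with an unrecognized_name alert rather than the internal_error (alert 80) in the log, so the alert number you observe may differ.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSigned mints an in-memory self-signed cert for the SAN patterns (e.g. "*.localhost").
func selfSigned(names []string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     names,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// matchHost (assumed matcher): "*.localhost" covers exactly one label, else exact match.
func matchHost(pattern, name string) bool {
	if pattern == name || !strings.HasPrefix(pattern, "*.") {
		return pattern == name
	}
	label := strings.TrimSuffix(name, pattern[1:]) // strip ".localhost"
	return label != name && label != "" && !strings.Contains(label, ".")
}

// startServer offers cert only when the ClientHello's SNI matches a site address. Returning
// (nil, nil) with Certificates empty is what makes crypto/tls fail with "no certificates configured".
func startServer(cert tls.Certificate, sites []string) (net.Listener, <-chan error) {
	cfg := &tls.Config{GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
		for _, site := range sites {
			if matchHost(site, h.ServerName) {
				return &cert, nil
			}
		}
		return nil, nil
	}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	must(err)
	errs := make(chan error, 16) // one handshake result per accepted connection
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() { defer c.Close(); errs <- c.(*tls.Conn).Handshake() }()
		}
	}()
	return ln, errs
}

// probe mimics openssl s_client: serverName == "" sends no SNI (an IP literal is never sent as
// SNI) and verifies nothing, like bare s_client; otherwise the self-signed leaf is the pinned root.
func probe(addr, serverName string, trusted *x509.Certificate) (string, error) {
	cfg := &tls.Config{InsecureSkipVerify: serverName == ""}
	if serverName != "" {
		cfg.RootCAs, cfg.ServerName = x509.NewCertPool(), serverName
		cfg.RootCAs.AddCert(trusted)
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0].DNSNames[0], nil
}

func main() {
	cert := selfSigned([]string{"*.localhost"})
	ln, errs := startServer(cert, []string{"*.localhost"})
	for _, sni := range []string{"", "foo.localhost", "other.example"} {
		got, err := probe(ln.Addr().String(), sni, cert.Leaf)
		fmt.Printf("sni=%q client: cert=%q err=%v | server: %v\n", sni, got, err, <-errs)
	}
	ln.Close()
}
```

Run it with `go run`: the first and third probes fail on both sides, the second completes with the `*.localhost` certificate fully verified. Note the design point for testing a `tls self_signed` deployment: only the no-SNI probe needs InsecureSkipVerify, because there is no name to verify against; the named probe pins the self-signed leaf as the sole trusted root instead of switching verification off, which is what a real client should do too. Against a running Caddy the equivalent check is the `openssl s_client -connect host:port -servername name` command shown above.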


(Mk20158) #3

Looks like I got it working by adding an entry in /etc/hosts for nagios and using this Caddyfile:

*.xxx.duckdns.org:8000
tls self_signed
proxy / https://nagios {
        insecure_skip_verify
}

How do I add subdomains so I can then access it from nagios.xxx.duckdns.org? So I could do splunk.xxx.duckdns.org, etc.?


(Matthew Fay) #4

With *.xxx.duckdns.org as your site address, Caddy will already respond to those subdomains with the site you’ve configured.

You will just have to make sure that those subdomains have the correct DNS records set to point to your Caddy server.


(Mk20158) #5

I added the nagios and router entries to my /etc/hosts; however, when I access them I get error 404 and http2: server: error reading preface from client X.X.71.43:53799: remote error: tls: unknown certificate authority

*.XXX.duckdns.org:8000
tls self_signed
proxy / https://nagios.XXX.duckdns.org {
        insecure_skip_verify
}
proxy / https://router.XXX.duckdns.org {
        insecure_skip_verify
}

(Mk20158) #6

Fixed it. I only put the hostname in /etc/hosts, not the fully qualified domain name. Once I did that it started working. Thanks.

root@caddy:~# cat /etc/hosts
127.0.0.1 localhost
10.1.20.100 nagios nagios.XXX.duckdns.org
10.1.1.1 router router.XXX.duckdns.org

(Matthew Fay) #7

Personally, I would simply point my proxies to https://10.1.20.100 (for Nagios) and https://10.1.1.1 (for the router) directly in the Caddyfile instead of maintaining a hosts file entry just for Caddy to reference.


(Mk20158) #8

Question: if I have my Caddyfile like the below, I can access my router by going to the FQDN. How do I access the 192 address without the FQDN? nagios.xxx.duckdns.org gets me Nagios, but I don't think 192.168.1.1.xxx.duckdns.org would get me my other device.

*.XXX.duckdns.org:443 {
        tls self_signed
        proxy / https://nagios.xxx.duckdns.org {
                insecure_skip_verify
        }
        proxy / https://router.xxx.duckdns.org {
                insecure_skip_verify
        }
        proxy / https://192.168.1.1/ {
                insecure_skip_verify
        }
}

(Matthew Fay) #9

When you stack proxies like that, only one of them will ever be used.

Try splitting them up so that Caddy serves one proxy for each subdomain:

nagios.scenetworks.duckdns.org {
  proxy / https://10.1.20.100 {
    insecure_skip_verify
  }
}

router.scenetworks.duckdns.org {
  proxy / https://192.168.1.1 {
    insecure_skip_verify
  }
}

(Mk20158) #10

I’ve tried all variations, but I get an unknown directive error when I try to put your code in.


(Matthew Fay) #11

The unknown directive error also lists exactly which line it encountered that it didn’t recognize. Can you post the full error? And the full Caddyfile you’re currently using?


(Mk20158) #12
root@caddy:~# cat Caddyfile
*.XXX.duckdns.org:443
tls self_signed
nagios.XXX.duckdns.org {
  proxy / https://10.1.20.100 {
    insecure_skip_verify
  }
}

router.XXX.duckdns.org {
  proxy / https://192.168.1.1 {
    insecure_skip_verify
  }
}
root@caddy:~# ./startcaddy
root@caddy:~# 2019/01/10 09:52:56 Caddyfile:3 - Error during parsing: Unknown directive 'nagios.XXX.duckdns.org'

(Mk20158) #13

I just had the aha moment. Basically I removed the top line and gave the sites their own “server”, per se.

https://nagios.XXX.duckdns.org {
        tls self_signed
        proxy / https://10.1.20.100 {
                insecure_skip_verify
        }
}
https://router.XXX.duckdns.org {
        tls self_signed
        proxy / https://192.168.1.1 {
                insecure_skip_verify
        }
}