Tls self_signed not working

mk20158 · January 9, 2019, 8:00am

I have multiple server I have at my house I want to access remotely. Some are http some are https and ports are scattered all over the place (8000,8443, etc)

I am currently trying to set up access to my nagios server (which is https)

my server is only accessible from my work location so it is not publicly facing at all.

when I try to connect to the site over https the caddy log says no certs configured

root@caddy:~# openssl s_client -host localhost -port 2015
CONNECTED(00000003)
(CADDY LOG)2019/01/09 07:52:25 http: TLS handshake error from 127.0.0.1:55014: tls: no certificates configured
(OPEN SSL ERROR)140633690333632:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:../ssl/record/rec_layer_s3.c:1399:SSL alert number 80

the the question is how do I fix this and how do I set it up as a sub domain?

Here is my caddy file:

*.localhost
tls self_signed
proxy / https://10.1.20.100 {
insecure_skip_verify
}

I

Whitestrake · January 9, 2019, 11:24am

With the command you used:

openssl s_client -host localhost -port 2015

you have not indicated the server name.

Caddy uses SNI to determine which certificate to serve, and later versions refuse to offer a certificate for an unconfigured hostname.

Try instead:

openssl s_client -connect localhost:2015 -servername foo.localhost

mk20158 · January 9, 2019, 12:25pm

looks like I got it working with adding an entry in /etc/hosts for nagios and

Caddy file

*.xxx.duckdns.org:8000
tls self_signed
proxy / https://nagios {
        insecure_skip_verify
}

how do I add subdomains so I can then access it from nagios.xxx.duckdns.org? so i could do splunk.xxx.duckdns.org? etc

Whitestrake · January 9, 2019, 1:01pm

With *.xxx.duckdns.org as your site address, Caddy will already respond to those subdomains with the site you’ve configured.

You will just have to make sure that those subdomains have the correct DNS records set to point to your Caddy server.

mk20158 · January 9, 2019, 1:29pm

I added the nagios and router entries to my /etc/hosts however when I access them I get error 404 and http2: server: error reading preface from client X.X.71.43:53799: remote error: tls: unknown certificate authority

*.XXX.duckdns.org:8000
tls self_signed
proxy / https://nagios.XXX.duckdns.org {
        insecure_skip_verify
}
proxy / https://router.XXX.duckdns.org {
        insecure_skip_verify
}

mk20158 · January 9, 2019, 2:17pm

Fixed it, I only put the hostname in the /etc/hosts not the fully qualified domain name. once i did that it started working. thanks.

root@caddy:~# cat /etc/hosts
127.0.0.1 localhost
10.1.20.100 nagios nagios.XXX.duckdns.org
10.1.1.1 router router.XXX.duckdns.org

Whitestrake · January 9, 2019, 11:06pm

Personally, I would simply point my proxies to https://10.1.20.100 (for Nagios) and https://10.1.1.1 (for the router) directly in the Caddyfile instead of maintaining a hosts file entry just for Caddy to reference.

mk20158 · January 10, 2019, 8:35am

question - if I have my CaddyFile like the below… I can access my router by goign to the FQDN… how do I access the 192 address without the FQDN? nagios.xxx.duckdns.org gets me nagios but i don’t think 192.168.1.1.xxx.duckdns.org would get me my other device

*.XXX.duckdns.org:443 {

tls self_signed
        proxy / https://nagios.xxx.duckdns.org {
                insecure_skip_verify
        }
        proxy / https://router.xxx.duckdns.org {
                insecure_skip_verify
        }
        proxy / https://192.168.1.1/ {
                insecure_skip_verify
        }
}

Whitestrake · January 10, 2019, 8:39am

When you stack proxies like that, only one of them will ever be used.

Try splitting them up so that Caddy serves one proxy for each subdomain:

nagios.scenetworks.duckdns.org {
  proxy / https://10.1.20.100 {
    insecure_skip_verify
  }
}

router.scenetworks.duckdns.org {
  proxy / https://192.168.1.1 {
    insecure_skip_verify
  }
}

mk20158 · January 10, 2019, 9:09am

I’ve tried all variations but I get unknown directive when I try to put your code in

Whitestrake · January 10, 2019, 9:49am

unknown directive error also lists exactly what line it encountered that it didn’t recognize. Can you post the full error? And the full Caddyfile you’re currently using?

mk20158 · January 10, 2019, 9:53am

root@caddy:~# cat Caddyfile
*.XXX.duckdns.org:443
tls self_signed
nagios.XXX.duckdns.org {
  proxy / https://10.1.20.100 {
    insecure_skip_verify
  }
}

router.XXX.duckdns.org {
  proxy / https://192.168.1.1 {
    insecure_skip_verify
  }
}
root@caddy:~# ./startcaddy
root@caddy:~# 2019/01/10 09:52:56 Caddyfile:3 - Error during parsing: Unknown directive 'nagios.XXX.duckdns.org'

mk20158 · January 10, 2019, 10:05am

i just had the aha moment. basically i removed the top line and gave the sites their own “server” per say

    https://nagios.XXX.duckdns.org {
            tls self_signed
            proxy / https://10.1.20.100 {
                    insecure_skip_verify
            }
    }
    https://router.XXX.duckdns.org {
    tls self_signed
      proxy / https://192.168.1.1 {
        insecure_skip_verify
      }
    }

system · April 10, 2019, 10:05am

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.