tls_trusted_ca_certs gives me 502

I have my own CA certificate and from it I create leaf certificates. This works with an nginx proxy. I did some tests in a Docker setup with Caddy as the proxy and nginx as the upstream server. It worked too (Caddy proxied the connection when the nginx cert was signed by the CA cert pointed to in tls_trusted_ca_certs, and didn't when I used some other certs).

1. The problem I’m having:

I created leaf certs for my IPMI device and uploaded them there. When I uncomment tls_trusted_ca_certs with the CA cert I used to sign this cert, it just gives 502 without any useful trace in the log. If I switch to tls_insecure_skip_verify it works fine again.

Sidenote: I could not use nginx to proxy to HTTPS at all with this IPMI panel. Only HTTP worked fine. The last update of this IPMI firmware was from around the end of 2016.

2. Error messages and/or full log output:

(last parts of it)

{"level":"error","ts":1709230777.297701,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"192.168.20.31","remote_port":"32872","client_ip":"192.168.20.31","proto":"HTTP/2.0","method":"GET","host":"ipmi.domanweb.ovh","uri":"/","headers":{"Cookie":[],"Cache-Control":["max-age=0"],"Upgrade-Insecure-Requests":["1"],"Accept-Language":["en-US,en;q=0.5"],"Sec-Ch-Ua-Mobile":["?0"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"],"Sec-Fetch-User":["?1"],"Sec-Ch-Ua-Platform":["\"Linux\""],"Sec-Fetch-Mode":["navigate"],"Accept-Encoding":["gzip, deflate, br"],"Sec-Fetch-Site":["none"],"Sec-Fetch-Dest":["document"],"Sec-Ch-Ua":["\"Chromium\";v=\"122\", \"Not(A:Brand\";v=\"24\", \"Brave\";v=\"122\""],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8"],"Sec-Gpc":["1"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"ipmi.domanweb.ovh"}},"bytes_read":0,"user_id":"","duration":0.593591133,"size":0,"status":502,"resp_headers":{"Server":["Caddy"],"Alt-Svc":["h3=\":443\"; ma=2592000"]}}
{"level":"info","ts":1709230898.2379928,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"192.168.20.31","remote_port":"43294","client_ip":"192.168.20.31","proto":"HTTP/1.1","method":"GET","host":"ipmi.domanweb.ovh","uri":"/","headers":{"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],"Accept-Encoding":["gzip, deflate"],"Accept-Language":["en-US,en;q=0.9"],"Connection":["keep-alive"],"Upgrade-Insecure-Requests":["1"]}},"bytes_read":0,"user_id":"","duration":0.000040968,"size":0,"status":308,"resp_headers":{"Content-Type":[],"Server":["Caddy"],"Connection":["close"],"Location":["https://ipmi.domanweb.ovh/"]}}
{"level":"error","ts":1709230930.5117965,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"192.168.20.31","remote_port":"36894","client_ip":"192.168.20.31","proto":"HTTP/2.0","method":"GET","host":"ipmi.domanweb.ovh","uri":"/","headers":{"Sec-Fetch-Site":["none"],"Sec-Fetch-Mode":["navigate"],"Accept-Language":["en-US,en;q=0.9"],"Sec-Ch-Ua-Platform":["\"Linux\""],"Upgrade-Insecure-Requests":["1"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],"Sec-Fetch-Dest":["document"],"Sec-Ch-Ua-Mobile":["?0"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"],"Sec-Fetch-User":["?1"],"Accept-Encoding":["gzip, deflate, br"],"Cache-Control":["max-age=0"],"Sec-Ch-Ua":["\"Chromium\";v=\"122\", \"Not(A:Brand\";v=\"24\", \"Google Chrome\";v=\"122\""]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"ipmi.domanweb.ovh"}},"bytes_read":0,"user_id":"","duration":0.592870507,"size":0,"status":502,"resp_headers":{"Server":["Caddy"],"Alt-Svc":["h3=\":443\"; ma=2592000"]}}
{"level":"info","ts":1709231733.833617,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"192.168.20.31","remote_port":"35446","client_ip":"192.168.20.31","proto":"HTTP/2.0","method":"GET","host":"ipmi.domanweb.ovh","uri":"/","headers":{"Sec-Fetch-Dest":["document"],"Accept-Language":["en-US,en;q=0.5"],"Sec-Fetch-Site":["none"],"Sec-Fetch-User":["?1"],"Accept-Encoding":["gzip, deflate, br"],"Sec-Ch-Ua":["\"Chromium\";v=\"122\", \"Not(A:Brand\";v=\"24\", \"Brave\";v=\"122\""],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8"],"Sec-Ch-Ua-Mobile":["?0"],"Upgrade-Insecure-Requests":["1"],"Sec-Fetch-Mode":["navigate"],"Sec-Ch-Ua-Platform":["\"Linux\""],"Sec-Gpc":["1"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"ipmi.domanweb.ovh"}},"bytes_read":0,"user_id":"","duration":0.973773181,"size":3283,"status":200,"resp_headers":{"Server":["Caddy"],"Alt-Svc":["h3=\":443\"; ma=2592000"],"Content-Length":["3283"],"Content-Type":["text/html"],"Date":["Thu, 29 Feb 2024 18:35:33 GMT"]}}
{"level":"info","ts":1709231735.1101668,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"192.168.20.31","remote_port":"35446","client_ip":"192.168.20.31","proto":"HTTP/2.0","method":"GET","host":"ipmi.domanweb.ovh","uri":"/css/basic.css","headers":{"Sec-Ch-Ua-Mobile":["?0"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"],"Sec-Fetch-Mode":["no-cors"],"Accept-Encoding":["gzip, deflate, br"],"Sec-Fetch-Site":["same-origin"],"Sec-Fetch-Dest":["style"],"Referer":["https://ipmi.domanweb.ovh/"],"Sec-Ch-Ua":["\"Chromium\";v=\"122\", \"Not(A:Brand\";v=\"24\", \"Brave\";v=\"122\""],"Sec-Ch-Ua-Platform":["\"Linux\""],"Accept":["text/css,*/*;q=0.1"],"Sec-Gpc":["1"],"Accept-Language":["en-US,en;q=0.5"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"ipmi.domanweb.ovh"}},"bytes_read":0,"user_id":"","duration":1.241764584,"size":3416,"status":200,"resp_headers":{"Date":["Thu, 29 Feb 2024 18:35:33 GMT"],"Content-Type":["text/css"],"Accept-Ranges":["bytes"],"Server":["Caddy"],"Alt-Svc":["h3=\":443\"; ma=2592000"],"Etag":["\"227435816\""],"Last-Modified":["Thu, 01 Jan 1970 00:00:00 GMT"],"Content-Length":["3416"]}}
{"level":"info","ts":1709231735.4065282,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"192.168.20.31","remote_port":"35446","client_ip":"192.168.20.31","proto":"HTTP/2.0","method":"GET","host":"ipmi.domanweb.ovh","uri":"/images/logo.gif","headers":{"Sec-Ch-Ua":["\"Chromium\";v=\"122\", \"Not(A:Brand\";v=\"24\", \"Brave\";v=\"122\""],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Ch-Ua-Platform":["\"Linux\""],"Accept-Language":["en-US,en;q=0.5"],"Referer":["https://ipmi.domanweb.ovh/"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"],"Accept":["image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8"],"Sec-Gpc":["1"],"Sec-Fetch-Site":["same-origin"],"Sec-Fetch-Mode":["no-cors"],"Sec-Fetch-Dest":["image"],"Accept-Encoding":["gzip, deflate, br"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"ipmi.domanweb.ovh"}},"bytes_read":0,"user_id":"","duration":1.537926214,"size":2562,"status":200,"resp_headers":{"Content-Length":["2562"],"Date":["Thu, 29 Feb 2024 18:35:35 GMT"],"Content-Type":["image/gif"],"Accept-Ranges":["bytes"],"Server":["Caddy"],"Alt-Svc":["h3=\":443\"; ma=2592000"],"Etag":["\"2091750424\""],"Last-Modified":["Thu, 01 Jan 1970 00:00:00 GMT"]}}
{"level":"info","ts":1709231735.5386176,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"192.168.20.31","remote_port":"35446","client_ip":"192.168.20.31","proto":"HTTP/2.0","method":"GET","host":"ipmi.domanweb.ovh","uri":"/js/utils.js","headers":{"Accept":["*/*"],"Sec-Gpc":["1"],"Sec-Fetch-Site":["same-origin"],"Sec-Fetch-Mode":["no-cors"],"Referer":["https://ipmi.domanweb.ovh/"],"Accept-Encoding":["gzip, deflate, br"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Ch-Ua-Platform":["\"Linux\""],"Accept-Language":["en-US,en;q=0.5"],"Sec-Fetch-Dest":["script"],"Sec-Ch-Ua":["\"Chromium\";v=\"122\", \"Not(A:Brand\";v=\"24\", \"Brave\";v=\"122\""]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"ipmi.domanweb.ovh"}},"bytes_read":0,"user_id":"","duration":1.670186581,"size":28761,"status":200,"resp_headers":{"Date":["Thu, 29 Feb 2024 18:35:35 GMT"],"Content-Type":["text/javascript"],"Accept-Ranges":["bytes"],"Server":["Caddy"],"Alt-Svc":["h3=\":443\"; ma=2592000"],"Etag":["\"1804155033\""],"Last-Modified":["Thu, 01 Jan 1970 00:00:00 GMT"],"Content-Length":["28761"]}}
{"level":"info","ts":1709231735.8100681,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"192.168.20.31","remote_port":"35446","client_ip":"192.168.20.31","proto":"HTTP/2.0","method":"GET","host":"ipmi.domanweb.ovh","uri":"/js/prototype.js","headers":{"Sec-Fetch-Mode":["no-cors"],"Accept-Encoding":["gzip, deflate, br"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"],"Sec-Fetch-Site":["same-origin"],"Cookie":[],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Fetch-Dest":["script"],"Sec-Ch-Ua":["\"Chromium\";v=\"122\", \"Not(A:Brand\";v=\"24\", \"Brave\";v=\"122\""],"Sec-Ch-Ua-Platform":["\"Linux\""],"Accept":["*/*"],"Sec-Gpc":["1"],"Accept-Language":["en-US,en;q=0.5"],"Referer":["https://ipmi.domanweb.ovh/"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"ipmi.domanweb.ovh"}},"bytes_read":0,"user_id":"","duration":0.263511202,"size":73774,"status":200,"resp_headers":{"Date":["Thu, 29 Feb 2024 18:35:35 GMT"],"Server":["Caddy"],"Alt-Svc":["h3=\":443\"; ma=2592000"],"Content-Type":["text/javascript"],"Accept-Ranges":["bytes"],"Etag":["\"3918070424\""],"Last-Modified":["Thu, 01 Jan 1970 00:00:00 GMT"],"Content-Length":["73774"]}}
{"level":"info","ts":1709231736.1468704,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"192.168.20.31","remote_port":"35446","client_ip":"192.168.20.31","proto":"HTTP/2.0","method":"GET","host":"ipmi.domanweb.ovh","uri":"/js/lang/English/lang_str.js","headers":{"Referer":["https://ipmi.domanweb.ovh/"],"Accept-Encoding":["gzip, deflate, br"],"Cookie":[],"Accept-Language":["en-US,en;q=0.5"],"Sec-Fetch-Dest":["script"],"Sec-Fetch-Mode":["no-cors"],"Sec-Ch-Ua-Platform":["\"Linux\""],"Sec-Gpc":["1"],"Sec-Fetch-Site":["same-origin"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"],"Accept":["*/*"],"Sec-Ch-Ua":["\"Chromium\";v=\"122\", \"Not(A:Brand\";v=\"24\", \"Brave\";v=\"122\""],"Sec-Ch-Ua-Mobile":["?0"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"ipmi.domanweb.ovh"}},"bytes_read":0,"user_id":"","duration":0.598225507,"size":92281,"status":200,"resp_headers":{"Date":["Thu, 29 Feb 2024 18:35:35 GMT"],"Content-Type":["text/javascript"],"Accept-Ranges":["bytes"],"Server":["Caddy"],"Alt-Svc":["h3=\":443\"; ma=2592000"],"Etag":["\"1072304795\""],"Last-Modified":["Thu, 01 Jan 1970 00:00:00 GMT"],"Content-Length":["92281"]}}
{"level":"info","ts":1709231736.4259777,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"192.168.20.31","remote_port":"35446","client_ip":"192.168.20.31","proto":"HTTP/2.0","method":"GET","host":"ipmi.domanweb.ovh","uri":"/","headers":{"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"],"Cookie":[],"Sec-Gpc":["1"],"Accept-Language":["en-US,en;q=0.5"],"Sec-Fetch-Site":["same-origin"],"Sec-Fetch-Dest":["image"],"Sec-Ch-Ua":["\"Chromium\";v=\"122\", \"Not(A:Brand\";v=\"24\", \"Brave\";v=\"122\""],"Sec-Ch-Ua-Platform":["\"Linux\""],"Accept":["image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8"],"Sec-Fetch-Mode":["no-cors"],"Sec-Ch-Ua-Mobile":["?0"],"Referer":["https://ipmi.domanweb.ovh/"],"Accept-Encoding":["gzip, deflate, br"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"ipmi.domanweb.ovh"}},"bytes_read":0,"user_id":"","duration":0.261844011,"size":3283,"status":200,"resp_headers":{"Content-Length":["3283"],"Content-Type":["text/html"],"Date":["Thu, 29 Feb 2024 18:35:36 GMT"],"Server":["Caddy"],"Alt-Svc":["h3=\":443\"; ma=2592000"]}}
{"level":"info","ts":1709231831.5158,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"192.168.20.31","remote_port":"42266","client_ip":"192.168.20.31","proto":"HTTP/2.0","method":"GET","host":"ipmi.domanweb.ovh","uri":"/","headers":{"Sec-Fetch-Site":["none"],"Sec-Fetch-Mode":["navigate"],"Accept-Encoding":["gzip, deflate, br"],"Upgrade-Insecure-Requests":["1"],"Sec-Fetch-User":["?1"],"Accept-Language":["en-US,en;q=0.5"],"Sec-Ch-Ua-Platform":["\"Linux\""],"Sec-Ch-Ua-Mobile":["?0"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8"],"Sec-Gpc":["1"],"Sec-Fetch-Dest":["document"],"Sec-Ch-Ua":["\"Chromium\";v=\"122\", \"Not(A:Brand\";v=\"24\", \"Brave\";v=\"122\""]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"ipmi.domanweb.ovh"}},"bytes_read":0,"user_id":"","duration":0.977947975,"size":3283,"status":200,"resp_headers":{"Alt-Svc":["h3=\":443\"; ma=2592000"],"Content-Length":["3283"],"Content-Type":["text/html"],"Date":["Thu, 29 Feb 2024 18:37:11 GMT"],"Server":["Caddy"]}}
{"level":"info","ts":1709231832.7599049,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"192.168.20.31","remote_port":"42266","client_ip":"192.168.20.31","proto":"HTTP/2.0","method":"GET","host":"ipmi.domanweb.ovh","uri":"/css/basic.css","headers":{"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"],"Accept":["text/css,*/*;q=0.1"],"Sec-Gpc":["1"],"Sec-Fetch-Mode":["no-cors"],"Sec-Fetch-Dest":["style"],"Referer":["https://ipmi.domanweb.ovh/"],"Sec-Ch-Ua":["\"Chromium\";v=\"122\", \"Not(A:Brand\";v=\"24\", \"Brave\";v=\"122\""],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Ch-Ua-Platform":["\"Linux\""],"Accept-Language":["en-US,en;q=0.5"],"Sec-Fetch-Site":["same-origin"],"Accept-Encoding":["gzip, deflate, br"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"ipmi.domanweb.ovh"}},"bytes_read":0,"user_id":"","duration":1.208088136,"size":3416,"status":200,"resp_headers":{"Alt-Svc":["h3=\":443\"; ma=2592000"],"Last-Modified":["Thu, 01 Jan 1970 00:00:00 GMT"],"Content-Length":["3416"],"Date":["Thu, 29 Feb 2024 18:37:11 GMT"],"Content-Type":["text/css"],"Accept-Ranges":["bytes"],"Etag":["\"227435816\""],"Server":["Caddy"]}}
{"level":"info","ts":1709231833.0036688,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"192.168.20.31","remote_port":"42266","client_ip":"192.168.20.31","proto":"HTTP/2.0","method":"GET","host":"ipmi.domanweb.ovh","uri":"/images/logo.gif","headers":{"Sec-Ch-Ua":["\"Chromium\";v=\"122\", \"Not(A:Brand\";v=\"24\", \"Brave\";v=\"122\""],"Sec-Ch-Ua-Mobile":["?0"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"],"Accept-Language":["en-US,en;q=0.5"],"Sec-Fetch-Site":["same-origin"],"Sec-Fetch-Mode":["no-cors"],"Sec-Fetch-Dest":["image"],"Sec-Ch-Ua-Platform":["\"Linux\""],"Accept":["image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8"],"Sec-Gpc":["1"],"Referer":["https://ipmi.domanweb.ovh/"],"Accept-Encoding":["gzip, deflate, br"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"ipmi.domanweb.ovh"}},"bytes_read":0,"user_id":"","duration":1.451468659,"size":2562,"status":200,"resp_headers":{"Accept-Ranges":["bytes"],"Etag":["\"2091750424\""],"Last-Modified":["Thu, 01 Jan 1970 00:00:00 GMT"],"Content-Length":["2562"],"Server":["Caddy"],"Alt-Svc":["h3=\":443\"; ma=2592000"],"Date":["Thu, 29 Feb 2024 18:37:12 GMT"],"Content-Type":["image/gif"]}}
{"level":"info","ts":1709231833.079379,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"192.168.20.31","remote_port":"42266","client_ip":"192.168.20.31","proto":"HTTP/2.0","method":"GET","host":"ipmi.domanweb.ovh","uri":"/js/utils.js","headers":{"Referer":["https://ipmi.domanweb.ovh/"],"Accept-Encoding":["gzip, deflate, br"],"Sec-Ch-Ua-Mobile":["?0"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"],"Sec-Gpc":["1"],"Accept-Language":["en-US,en;q=0.5"],"Sec-Fetch-Mode":["no-cors"],"Sec-Fetch-Dest":["script"],"Sec-Ch-Ua":["\"Chromium\";v=\"122\", \"Not(A:Brand\";v=\"24\", \"Brave\";v=\"122\""],"Sec-Ch-Ua-Platform":["\"Linux\""],"Accept":["*/*"],"Sec-Fetch-Site":["same-origin"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"ipmi.domanweb.ovh"}},"bytes_read":0,"user_id":"","duration":1.527404537,"size":28761,"status":200,"resp_headers":{"Last-Modified":["Thu, 01 Jan 1970 00:00:00 GMT"],"Server":["Caddy"],"Alt-Svc":["h3=\":443\"; ma=2592000"],"Content-Length":["28761"],"Date":["Thu, 29 Feb 2024 18:37:12 GMT"],"Content-Type":["text/javascript"],"Accept-Ranges":["bytes"],"Etag":["\"1804155033\""]}}
{"level":"info","ts":1709231833.2723022,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"192.168.20.31","remote_port":"50524","client_ip":"192.168.20.31","proto":"HTTP/3.0","method":"GET","host":"ipmi.domanweb.ovh","uri":"/js/prototype.js","headers":{"Sec-Ch-Ua":["\"Chromium\";v=\"122\", \"Not(A:Brand\";v=\"24\", \"Brave\";v=\"122\""],"Sec-Ch-Ua-Mobile":["?0"],"Cookie":[],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"],"Sec-Ch-Ua-Platform":["\"Linux\""],"Sec-Gpc":["1"],"Referer":["https://ipmi.domanweb.ovh/"],"Accept":["*/*"],"Accept-Language":["en-US,en;q=0.5"],"Sec-Fetch-Site":["same-origin"],"Sec-Fetch-Mode":["no-cors"],"Sec-Fetch-Dest":["script"],"Accept-Encoding":["gzip, deflate, br"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h3","server_name":"ipmi.domanweb.ovh"}},"bytes_read":0,"user_id":"","duration":0.187695637,"size":73774,"status":200,"resp_headers":{"Server":["Caddy"],"Content-Length":["73774"],"Date":["Thu, 29 Feb 2024 18:37:13 GMT"],"Content-Type":["text/javascript"],"Accept-Ranges":["bytes"],"Etag":["\"3918070424\""],"Last-Modified":["Thu, 01 Jan 1970 00:00:00 GMT"]}}
{"level":"info","ts":1709231833.508555,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"192.168.20.31","remote_port":"50524","client_ip":"192.168.20.31","proto":"HTTP/3.0","method":"GET","host":"ipmi.domanweb.ovh","uri":"/js/lang/English/lang_str.js","headers":{"Sec-Fetch-Site":["same-origin"],"Sec-Fetch-Mode":["no-cors"],"Sec-Fetch-Dest":["script"],"Sec-Ch-Ua":["\"Chromium\";v=\"122\", \"Not(A:Brand\";v=\"24\", \"Brave\";v=\"122\""],"Sec-Gpc":["1"],"Accept-Language":["en-US,en;q=0.5"],"Accept-Encoding":["gzip, deflate, br"],"Sec-Ch-Ua-Mobile":["?0"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"],"Sec-Ch-Ua-Platform":["\"Linux\""],"Accept":["*/*"],"Referer":["https://ipmi.domanweb.ovh/"],"Cookie":[]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h3","server_name":"ipmi.domanweb.ovh"}},"bytes_read":0,"user_id":"","duration":0.422315348,"size":92281,"status":200,"resp_headers":{"Content-Type":["text/javascript"],"Accept-Ranges":["bytes"],"Etag":["\"1072304795\""],"Last-Modified":["Thu, 01 Jan 1970 00:00:00 GMT"],"Content-Length":["92281"],"Date":["Thu, 29 Feb 2024 18:37:13 GMT"],"Server":["Caddy"]}}
{"level":"info","ts":1709231833.7801886,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"192.168.20.31","remote_port":"50524","client_ip":"192.168.20.31","proto":"HTTP/3.0","method":"GET","host":"ipmi.domanweb.ovh","uri":"/","headers":{"Accept-Encoding":["gzip, deflate, br"],"Sec-Ch-Ua-Platform":["\"Linux\""],"Sec-Gpc":["1"],"Sec-Fetch-Dest":["image"],"Referer":["https://ipmi.domanweb.ovh/"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"],"Sec-Fetch-Site":["same-origin"],"Sec-Ch-Ua":["\"Chromium\";v=\"122\", \"Not(A:Brand\";v=\"24\", \"Brave\";v=\"122\""],"Accept":["image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8"],"Accept-Language":["en-US,en;q=0.5"],"Sec-Fetch-Mode":["no-cors"],"Cookie":[],"Sec-Ch-Ua-Mobile":["?0"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h3","server_name":"ipmi.domanweb.ovh"}},"bytes_read":0,"user_id":"","duration":0.256876211,"size":3283,"status":200,"resp_headers":{"Content-Type":["text/html"],"Date":["Thu, 29 Feb 2024 18:37:13 GMT"],"Server":["Caddy"],"Content-Length":["3283"]}}
{"level":"error","ts":1709231881.8017359,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"192.168.20.31","remote_port":"40704","client_ip":"192.168.20.31","proto":"HTTP/3.0","method":"GET","host":"ipmi.domanweb.ovh","uri":"/","headers":{"Cache-Control":["max-age=0"],"Sec-Ch-Ua":["\"Chromium\";v=\"122\", \"Not(A:Brand\";v=\"24\", \"Brave\";v=\"122\""],"Sec-Fetch-Site":["none"],"Upgrade-Insecure-Requests":["1"],"Sec-Gpc":["1"],"Accept-Language":["en-US,en;q=0.5"],"Cookie":[],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-Dest":["document"],"Accept-Encoding":["gzip, deflate, br"],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Ch-Ua-Platform":["\"Linux\""],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"],"Sec-Fetch-User":["?1"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h3","server_name":"ipmi.domanweb.ovh"}},"bytes_read":0,"user_id":"","duration":0.597591393,"size":0,"status":502,"resp_headers":{"Date":["Thu, 29 Feb 2024 18:38:01 GMT"],"Server":["Caddy"]}}
{"level":"error","ts":1709231890.418403,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"192.168.20.31","remote_port":"40704","client_ip":"192.168.20.31","proto":"HTTP/3.0","method":"GET","host":"ipmi.domanweb.ovh","uri":"/","headers":{"Accept-Language":["en-US,en;q=0.5"],"Accept-Encoding":["gzip, deflate, br"],"Sec-Ch-Ua-Platform":["\"Linux\""],"Upgrade-Insecure-Requests":["1"],"Sec-Ch-Ua":["\"Chromium\";v=\"122\", \"Not(A:Brand\";v=\"24\", \"Brave\";v=\"122\""],"Sec-Fetch-Dest":["document"],"Sec-Fetch-Site":["cross-site"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-User":["?1"],"Cookie":[],"Cache-Control":["max-age=0"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"],"Sec-Gpc":["1"],"Sec-Ch-Ua-Mobile":["?0"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h3","server_name":"ipmi.domanweb.ovh"}},"bytes_read":0,"user_id":"","duration":0.597187352,"size":0,"status":502,"resp_headers":{"Server":["Caddy"],"Date":["Thu, 29 Feb 2024 18:38:10 GMT"]}}

3. Caddy version:

2.7.6

4. How I installed and ran Caddy:

Docker compose

a. System environment:

Ubuntu 22.04, Docker version 24.0.7, build afdd53b

b. Command:

docker compose up -d

c. Service/unit/compose file:

version: "3.9"

services:
  caddy:
    container_name: caddy
    # https://hub.docker.com/_/caddy
    image: caddy-local:${DOCKER_WEBPROXY_VERSION}
    build:
      context: .
      dockerfile: docker/Dockerfile
      args:
        - DOCKER_WEBPROXY_VERSION
    cap_add:
      - NET_ADMIN
    environment:
      - CLOUDFLARE_API_TOKEN
      - ACME_AGREE=true
    volumes:
      - $PWD/src/Caddyfile:/etc/caddy/Caddyfile:ro
      - $PWD/src/enabled:/etc/caddy/enabled:ro
      - $PWD/src/imports:/etc/caddy/imports:ro
      - htpasswd-volume:/etc/caddy/passwords:ro
      # =================
      - ${DOCKER_VOLUME_CADDY_DATA}:/data
      - ${DOCKER_VOLUME_CADDY_CONFIG}:/config
      - ${DOCKER_VOLUME_CADDY_SSL}:/etc/caddy/ssl:ro
      # mkdir -p volumes/logs && chmod g+w volumes/logs && sudo chown 101:1000 volumes/logs 
      - ${DOCKER_VOLUME_CADDY_VHOST_LOGS}:/var/log/caddy
    ports:
      - "80:80" # TODO: set it to IP and use caddy only for closed services?
      - "443:443"
      - "443:443/udp"
    restart: always

volumes:
  htpasswd-volume:

docker/Dockerfile

# https://caddy.community/t/how-to-guide-caddy-v2-cloudflare-dns-01-via-docker/8007

ARG  DOCKER_WEBPROXY_VERSION


FROM caddy:builder AS builder
RUN caddy-builder github.com/caddy-dns/cloudflare


FROM caddy:${DOCKER_WEBPROXY_VERSION}
COPY --from=builder /usr/bin/caddy /usr/bin/caddy

d. My complete Caddy config:

Caddyfile

import /etc/caddy/imports
import /etc/caddy/enabled/*

/etc/caddy/enabled/ipmi.domanweb.ovh

ipmi.domanweb.ovh:443 {
	log {
		output file /var/log/caddy/ipmi.domanweb.ovh.log
	}
    # import ssl_self_signed
    import ssl_letsencrypt_domanweb_ovh

    # you may use multiple imports
    @denied not { 
        import v20_ips
    }
    respond @denied "Access Denied" 403

    reverse_proxy {
        to 192.168.20.13:443
        transport http {
            tls
            # tls_insecure_skip_verify
            import proxy_verify 
        }
    }
}

/etc/caddy/imports

(v5_ips) {
    remote_ip 192.168.5.0/24
}

(v10_ips) {
    remote_ip 192.168.10.0/24
}

(v20_ips) {
    remote_ip 192.168.20.0/24
}

(ssl_self_signed) {
    tls internal
}

(proxy_verify) {
    tls_trusted_ca_certs /etc/caddy/ssl/domanCA.pem
}

(ssl_letsencrypt_domanweb_ovh) {
    tls domanpanda@gmail.com { 
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    }
}

Leaf certificate on the upstream server

# openssl x509 -in $LEAF_FILE_PATH.crt -noout -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            6e:5c:92:8a:69:0f:0b:c9:32:a9:d3:2f:cd:22:0d:10:66:2e:81:b4
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = PL, ST = Lubelskie, L = Lublin, O = Siec Homelab, CN = Siec Homelab
        Validity
            Not Before: Feb 29 17:53:43 2024 GMT
            Not After : Jul 13 17:53:43 2025 GMT
        Subject: C = PL, ST = Lubelskie, L = Lublin, O = Doman Corp, OU = Team Domana, CN = ipmi.domanweb.ovh
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b6:3e:00:45:71:d3:fc:58:f7:43:95:24:40:6c:
                    95:7b:aa:fa:15:9a:eb:5e:4e:22:e0:33:a0:b9:79:
                    1a:54:95:ff:e5:7d:f5:1c:dc:10:10:4a:35:f1:28:
                    56:24:fa:56:30:82:17:63:e1:ae:5e:c9:b4:fa:0c:
                    b4:fc:f7:2d:1a:db:d4:e6:e7:a8:d3:41:77:e1:c9:
                    89:2a:62:d5:f5:2b:fb:0a:5a:85:dd:f2:d2:08:be:
                    d4:41:8f:84:4e:60:5b:d0:ca:aa:d1:93:53:76:13:
                    9c:2f:b9:cc:93:18:be:96:99:b7:12:db:2e:1d:d9:
                    1d:af:3b:40:0a:5f:d1:00:93:a4:41:9e:db:27:a0:
                    91:ec:47:ff:53:d1:a8:b9:c0:06:ed:af:0f:42:0d:
                    7c:55:e2:e0:4d:7d:12:7b:c2:41:a7:64:e2:6e:af:
                    56:84:aa:10:b5:8f:ef:69:be:38:bf:02:35:81:9e:
                    a0:a6:fb:5c:c3:b5:d7:bb:df:fb:97:94:56:1b:fd:
                    b5:80:38:53:fc:bd:52:0d:01:9d:31:84:ab:52:f3:
                    ff:aa:42:1a:23:1c:0f:dd:f0:e2:5a:72:d8:cc:41:
                    a3:28:6e:e2:0e:37:53:e3:54:12:be:c9:61:c4:3b:
                    06:de:dd:cb:4f:7a:cd:1f:66:5c:e3:8f:8e:94:34:
                    59:99
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:ipmi.domanweb.lan, DNS:192.168.20.13
            X509v3 Subject Key Identifier: 
                3D:8D:A2:14:F6:BE:34:94:9B:01:6A:72:40:71:C5:2D:89:55:83:65
            X509v3 Authority Key Identifier: 
                4C:AA:A1:CD:D2:13:74:E5:7A:D3:9C:38:7E:DC:86:CD:3B:D2:3C:1C
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        98:5d:1f:a5:22:91:c4:8d:1c:c0:8b:a7:85:19:07:44:f7:d6:
        e6:52:4f:cc:b2:7c:00:d6:7f:9c:74:e1:06:7d:dd:24:b2:88:
        dc:f1:9a:99:cb:d3:da:3a:76:6d:9f:72:a0:d6:cc:5b:80:d2:
        d4:f5:3b:7a:1a:50:18:de:32:cc:56:e7:98:5d:b7:70:c6:4d:
        44:9c:a8:2a:f7:c8:44:a2:f8:d8:f9:d1:1a:e7:a1:7e:c0:1a:
        f3:00:1d:17:1e:a9:56:34:eb:76:fa:4f:68:93:0d:45:57:22:
        3e:8d:ae:fd:4a:9d:16:98:1e:5b:21:e2:88:aa:2a:8d:ba:8f:
        13:ca:e4:ab:6d:8b:d5:9e:44:5b:b7:c6:88:9d:ff:2d:6c:8c:
        fc:b6:8b:2c:27:b3:21:a9:ce:21:76:2d:15:1e:5f:6e:03:ab:
        18:25:25:bf:e8:ec:30:9a:f1:24:38:6e:a7:8a:c4:93:18:a9:
        5c:94:82:5d:c5:05:f1:8d:26:af:69:f6:89:1b:bc:5f:b7:cf:
        34:12:7f:53:23:d9:59:98:70:86:7d:57:d2:76:b9:7d:53:97:
        0e:65:ea:d6:7b:42:b6:21:63:0d:ac:a4:e9:f4:d2:be:10:db:
        45:71:57:29:90:68:07:f6:de:04:3f:e4:78:e9:df:89:38:92:
        17:a2:22:a4:47:4a:93:28:04:fe:49:9e:12:80:6b:bc:78:87:
        cf:0c:62:b2:32:39:93:85:69:1b:a4:e9:00:a1:91:d4:76:47:
        4d:1c:e4:ab:e7:82:2f:6a:8a:e7:c5:72:e0:f4:30:1f:34:da:
        46:74:d5:a8:92:09:c8:51:d2:41:80:f4:bb:86:17:21:eb:7c:
        35:8f:59:0c:a9:01:6f:45:5e:7f:b2:95:0b:0f:db:e0:89:a0:
        fa:fc:57:c3:fe:45:fa:5c:9a:01:2e:ec:d8:22:ba:86:68:8d:
        72:ee:6e:70:0a:2c:70:d8:1d:91:fb:b8:79:37:12:65:30:ee:
        ad:30:d4:de:f8:a4:90:47:8d:a2:a0:63:b3:7d:28:40:46:9d:
        79:ec:29:4e:62:f9:5e:af:70:32:ae:ea:c6:e1:d5:d9:b1:94:
        08:66:57:b0:88:9d:f5:49:a4:8a:b5:9d:68:4c:88:43:c4:c2:
        15:24:f6:cf:48:4d:a5:9e:0a:e8:27:c5:83:3b:87:17:5e:df:
        c8:16:78:92:ec:c4:31:0b:81:00:c4:26:06:c2:97:ea:ce:a3:
        f3:26:38:98:9a:37:b1:d3:9e:60:dd:7e:7b:dc:82:ff:cd:2c:
        68:b0:21:48:7d:07:7c:bf:2c:39:6f:81:51:90:88:60:e9:cf:
        19:61:35:14:98:20:23:68

Enable the debug global option; you should get some more detailed logs.

I only scanned this for lack of time at the moment, but it’s quite likely the CA configured to be trusted is not a correct match with what the backend is returning. Are you sure the PEM file contains the same root public key (certificate) of the CA that issued the backend’s certificate?

@matt
I think in such a case I would have something like

http.log.error.log0","msg":"tls: failed to verify certificate: x509: certificate signed by unknown authority

I've seen that when I tested my "negative scenario" with a wrong leaf certificate.

@francislavoie
I enabled it and it complains about the SANs field.

{"level":"debug","ts":1709279926.6979113,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.20.13:443","duration":0.603271175,"request":{"remote_ip":"192.168.20.31","remote_port":"35092","client_ip":"192.168.20.31","proto":"HTTP/2.0","method":"GET","host":"ipmi.domanweb.ovh","uri":"/","headers":{"Sec-Gpc":["1"],"Accept-Encoding":["gzip, deflate, br"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"],"Sec-Fetch-User":["?1"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8"],"Sec-Fetch-Mode":["navigate"],"X-Forwarded-Proto":["https"],"Sec-Ch-Ua":["\"Chromium\";v=\"122\", \"Not(A:Brand\";v=\"24\", \"Brave\";v=\"122\""],"Cache-Control":["max-age=0"],"Sec-Fetch-Dest":["document"],"X-Forwarded-For":["192.168.20.31"],"X-Forwarded-Host":["ipmi.domanweb.ovh"],"Sec-Ch-Ua-Platform":["\"Linux\""],"Upgrade-Insecure-Requests":["1"],"Sec-Ch-Ua-Mobile":["?0"],"Accept-Language":["en-US,en;q=0.9"],"Sec-Fetch-Site":["none"]},"tls":{"resumed":true,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"ipmi.domanweb.ovh"}},"error":"tls: failed to verify certificate: x509: cannot validate certificate for 192.168.20.13 because it doesn't contain any IP SANs"}
{"level":"error","ts":1709279926.6980555,"logger":"http.log.error.log0","msg":"tls: failed to verify certificate: x509: cannot validate certificate for 192.168.20.13 because it doesn't contain any IP SANs","request":{"remote_ip":"192.168.20.31","remote_port":"35092","client_ip":"192.168.20.31","proto":"HTTP/2.0","method":"GET","host":"ipmi.domanweb.ovh","uri":"/","headers":{"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-User":["?1"],"Sec-Fetch-Dest":["document"],"Sec-Ch-Ua":["\"Chromium\";v=\"122\", \"Not(A:Brand\";v=\"24\", \"Brave\";v=\"122\""],"Sec-Gpc":["1"],"Accept-Encoding":["gzip, deflate, br"],"Cache-Control":["max-age=0"],"Sec-Ch-Ua-Platform":["\"Linux\""],"Upgrade-Insecure-Requests":["1"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8"],"Sec-Ch-Ua-Mobile":["?0"],"Accept-Language":["en-US,en;q=0.9"],"Sec-Fetch-Site":["none"]},"tls":{"resumed":true,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"ipmi.domanweb.ovh"}},"duration":0.603388365,"status":502,"err_id":"wyr1rb5wt","err_trace":"reverseproxy.statusError (reverseproxy.go:1267)"}

OK, I'm scratching my head even more because:

  1. Why isn't it in the output file log but it is in the general log (docker log caddy)? Should I enable some separate error stream for those like you do in nginx (access_log error_log)?

  2. The SAN field does exist.

  3. I've copied the CA cert and both the leaf cert and key to my testing setup (nginx+caddy). And this works fine there - caddy proxies requests to nginx.

docker-compose.yaml

version: "3.9"

services:
  proxy:
    container_name: caddy
    image: caddy:latest
    cap_add:
      - NET_ADMIN
    volumes:
      - $PWD/src/caddy/Caddyfile:/etc/caddy/Caddyfile
      - ./volumes/ssl:/etc/nginx/ssl2
    ports:
      - "80:80"
      - "443:443"

  www:
    container_name: ipmi.domanweb.lan
    image: nginx:latest
    hostname: ipmi.domanweb.lan
    volumes:
      - ./src/includes:/etc/nginx/includes
      - ./src/www/enabled:/etc/nginx/templates
      - ./volumes/ssl:/etc/nginx/ssl2
      - ./volumes/logs:/var/log/nginx
      - ./volumes/www/html:/var/www/html

Caddyfile

ipmi.domanweb.ovh:443 {
	tls internal
	log {
		output file /var/log/nginx/caddy-proxy.log
	}

	reverse_proxy {
		to ipmi.domanweb.lan:443
		transport http {
			tls
			tls_trusted_ca_certs /etc/nginx/ssl2/domanCA.pem
		}
	}
}

./src/www/enabled/0.www.conf.template

server {
    set $DN ipmi.domanweb.lan;
    server_name ipmi.domanweb.lan;

    include includes/ssl-on;
    include includes/ssl-common;

    ssl_certificate /etc/nginx/ssl2/ipmi.domanweb.ovh.crt;
    ssl_certificate_key /etc/nginx/ssl2/ipmi.domanweb.ovh.key;

    access_log /var/log/nginx/www.lan.access;
    error_log  /var/log/nginx/www.lan.error error;

    # serve static files
    location / {
        root    /var/www/html;
        expires 30d;
    }
}

EDIT
I have the same symptoms with my netgear switch

{"level":"debug","ts":1709307366.6834517,"logger":"tls.handshake","msg":"choosing certificate","identifier":"netgear.domanweb.ovh","num_choices":1}
{"level":"debug","ts":1709307366.683463,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"netgear.domanweb.ovh","subjects":["netgear.domanweb.ovh"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"95bd773089bb1781cd136c6ebdbc6cb06562aba133c765a7dcdeec05a67f007d"}
{"level":"debug","ts":1709307366.6834695,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"192.168.20.31","remote_port":"34236","subjects":["netgear.domanweb.ovh"],"managed":true,"expiration":1714929074,"hash":"95bd773089bb1781cd136c6ebdbc6cb06562aba133c765a7dcdeec05a67f007d"}
{"level":"debug","ts":1709307366.689377,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.20.15:443","total_upstreams":1}
{"level":"debug","ts":1709307366.8600566,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.20.15:443","duration":0.17063092,"request":{"remote_ip":"192.168.20.31","remote_port":"34236","client_ip":"192.168.20.31","proto":"HTTP/2.0","method":"GET","host":"netgear.domanweb.ovh","uri":"/","headers":{"Sec-Gpc":["1"],"Sec-Ch-Ua-Platform":["\"Linux\""],"Sec-Fetch-User":["?1"],"Accept-Language":["en-US,en;q=0.9"],"Sec-Fetch-Mode":["navigate"],"Sec-Ch-Ua":["\"Chromium\";v=\"122\", \"Not(A:Brand\";v=\"24\", \"Brave\";v=\"122\""],"Sec-Fetch-Dest":["document"],"X-Forwarded-For":["192.168.20.31"],"X-Forwarded-Proto":["https"],"Upgrade-Insecure-Requests":["1"],"Sec-Fetch-Site":["none"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"],"Accept-Encoding":["gzip, deflate, br"],"Sec-Ch-Ua-Mobile":["?0"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8"],"X-Forwarded-Host":["netgear.domanweb.ovh"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"netgear.domanweb.ovh"}},"error":"tls: failed to verify certificate: x509: cannot validate certificate for 192.168.20.15 because it doesn't contain any IP SANs"}
{"level":"error","ts":1709307366.8601277,"logger":"http.log.error.log1","msg":"tls: failed to verify certificate: x509: cannot validate certificate for 192.168.20.15 because it doesn't contain any IP SANs","request":{"remote_ip":"192.168.20.31","remote_port":"34236","client_ip":"192.168.20.31","proto":"HTTP/2.0","method":"GET","host":"netgear.domanweb.ovh","uri":"/","headers":{"Sec-Ch-Ua-Mobile":["?0"],"Sec-Fetch-Mode":["navigate"],"Sec-Ch-Ua":["\"Chromium\";v=\"122\", \"Not(A:Brand\";v=\"24\", \"Brave\";v=\"122\""],"Sec-Ch-Ua-Platform":["\"Linux\""],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8"],"Sec-Fetch-Site":["none"],"Sec-Fetch-User":["?1"],"Sec-Fetch-Dest":["document"],"Upgrade-Insecure-Requests":["1"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"],"Sec-Gpc":["1"],"Accept-Language":["en-US,en;q=0.9"],"Accept-Encoding":["gzip, deflate, br"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"netgear.domanweb.ovh"}},"duration":0.170792526,"status":502,"err_id":"ftpyd1qcg","err_trace":"reverseproxy.statusError (reverseproxy.go:1267)"

OK, I'm stupid! I figured this out! Obviously an IP is not a DNS name!

So I fixed my configuration for the certificate (and moved ipmi.domanweb.lan to the CN) this way:
from

....
[alt_names]
DNS.1 = ipmi.domanweb.lan
DNS.2 = 192.168.20.13

to

...
[alt_names]
IP.1 = 192.168.20.13

and my -extfile $LEAF_FILE_PATH.txt file from

subjectAltName = DNS: ipmi.domanweb.lan, DNS:192.168.20.13

to just

subjectAltName = IP:192.168.20.13

Created the certificates again and now it works!

However my question 1. to you @francislavoie is still valid:

  1. Why isn't it in the output file log but it is in the general log (docker log caddy)? Should I enable some separate error stream for those like you do in nginx (access_log error_log)?
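The "before" and "after" [alt_names] above can be reproduced without OpenSSL or a BMC. The following is an added example, not code from the thread or from Caddy; it uses Go's crypto/x509, which is what Caddy's reverse_proxy runs after the handshake when tls_trusted_ca_certs is set, so it produces the same "doesn't contain any IP SANs" error seen in the logs. The CA, the hostname ipmi.domanweb.lan and the address 192.168.20.13 are constructed stand-ins. It also shows why the nginx test setup passed while the IPMI upstream failed: the Caddyfile dials `ipmi.domanweb.lan:443` (a hostname, matched against DNS SANs) while the IPMI upstream is dialed as `192.168.20.13:443` (an IP, matched only against IP SANs, so a DNS.2 = 192.168.20.13 entry is never consulted).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCA builds a throwaway self-signed CA (constructed stand-in for domanCA.pem).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "domanCA (constructed example)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// newLeaf issues a server certificate from the CA with the given SANs.
// dnsNames corresponds to DNS.n entries in [alt_names], ips to IP.n entries.
func newLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "ipmi.domanweb.lan"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAs does what a Go TLS client (and so Caddy with tls_trusted_ca_certs)
// does: chain the leaf to the trusted CA, then check that the dialed name
// matches a SAN. An IP dial target is compared only against IP SANs.
func verifyAs(leaf, ca *x509.Certificate, dialName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   dialName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ca, caKey, err := newCA()
	if err != nil {
		panic(err)
	}
	// "before": the IP written as a DNS SAN, as in the original [alt_names].
	before, err := newLeaf(ca, caKey, []string{"ipmi.domanweb.lan", "192.168.20.13"}, nil)
	if err != nil {
		panic(err)
	}
	// "after": the IP as a proper IP SAN (the fixed [alt_names]).
	after, err := newLeaf(ca, caKey, []string{"ipmi.domanweb.lan"}, []net.IP{net.ParseIP("192.168.20.13")})
	if err != nil {
		panic(err)
	}
	for _, c := range []struct {
		label string
		leaf  *x509.Certificate
		dial  string
	}{
		{"before, dialed by hostname (nginx test setup)", before, "ipmi.domanweb.lan"},
		{"before, dialed by IP (IPMI upstream)", before, "192.168.20.13"},
		{"after, dialed by IP", after, "192.168.20.13"},
	} {
		fmt.Printf("%-48s -> %v\n", c.label, verifyAs(c.leaf, ca, c.dial))
	}
}
```

The practical check this suggests: compare the `to` target (or the `dial` field in the "selected upstream" debug line) with the SAN types in the upstream certificate. If the dial target is an IP literal, the certificate needs an IP SAN; a hostname in `to` with a matching DNS SAN avoids touching the device's certificate at all, provided the proxy can resolve that name to the device.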

The log directive (inside a site block) only configures access logs. The proxy debug logs are not access logs, they’re essentially runtime logs. You can configure loggers for runtime logs via the log global option.

You’re missing /data and /config volumes. That’s very important to avoid losing your certs and keys when your container is recreated.

You’re also missing UDP for HTTP/3 support.

See the docs for our recommended Docker Compose setup:

Thanks. Please ignore my second docker compose - it was only done for testing purposes. The proper docker compose is this first one.

Ah, shame that we can't get all relevant per-host logs separately as files.

Most IPMI of that era had self-signed RSA 2048 bit certificates; sometimes they would create an internal CA in the BMC to sign the BMC's IPMI certificate.
And generally they didn’t support Certificate chains well, if at all.