Using new Caddy but old Caddyfile from past success, but now my sites are not SSL secured

1. Caddy version (caddy version):

Caddy v2.4.3

2. How I run Caddy:

a. System environment:

HassOS (Linux - AMD64 VM) on MAC using VirtualBox
Docker install of HA (preinstalled in OS)

b. Command:

HA add-on of Caddy2

c. Service/unit/compose file:

HomeAssistant add-on of Caddy2

d. My complete Caddyfile or JSON config:

{
	email username@mail.com
}
(common) {
	tls {
		dns duckdns {env.DUCKDNS_TOKEN}
	}
	header {
		Strict-Transport-Security "max-age=31536000; includeSubdomains"
		X-XSS-Protection "1; mode=block"
		X-Content-Type-Options "nosniff"
		Referrer-Policy "same-origin"
		-Server
		Content-Security-Policy "frame-ancestors *.home-dtw.duckdns.org:10500"
		Permissions-Policy "geolocation=(self), microphone=()"
	}
}
https://ha.home-dtw.duckdns.org:10500 {
	import common
	reverse_proxy localhost:8123
}

3. The problem I’m having:

The cert is completing, but https does not work - only http is accessible for the sites and states not secure on the browser.

4. Error messages and/or full log output:

{"level":"info","ts":1629306286.4848493,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"ha.home-dtw.duckdns.org","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"info","ts":1629306290.9622422,"logger":"tls.issuance.acme.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme.zerossl.com/v2/DV90/order/SyeibHNn6qerU8PAH3ETNw"}
{"level":"info","ts":1629306307.1248104,"logger":"tls.issuance.acme.acme_client","msg":"successfully downloaded available certificate chains","count":1,"first_url":"https://acme.zerossl.com/v2/DV90/cert/MWbHp4seMiWUG1nve5fDoA"}
{"level":"info","ts":1629306307.1260618,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"ha.home-dtw.duckdns.org"}
{"level":"info","ts":1629306307.12614,"logger":"tls.obtain","msg":"releasing lock","identifier":"ha.home-dtw.duckdns.org"}

5. What I already tried:

  • I have had SSL working in the past but have now used the Caddy from the download button on the Caddyserver site, and I’m wondering if I should be using the “new v2” Caddy
  • I downloaded a Linux AMD64 version of Caddy, adding lego (deprecated) and duckdns
  • tried adding https:// to the external site reference in the Caddyfile
  • had my file reviewed by the HA community and it was shown to be correct, but the members there said to bring it to the group here, which is why I’m now approaching this community for advice.

6. Links to relevant resources:

What do you mean by “does not work”? Please be specific.

Try using curl -v to make the requests, and show us what it reports.

Hi Francis,

This is what I got. I’m having trouble getting https to actually be established: when I go to the site, it times out when https is placed at the front of the external address in the Caddyfile, or it just errors out right away with “website is unavailable” if https is not used (the http site is reachable but states “not secure”, of course). This is an http display of the results for the connection using curl -v:

Sorry, it is a screenshot, because the VM does not allow text capture, and in the HassOS instance I cannot find the Samba shares to store an output file.

Thank you,
Daniel

That output looks fine. I don’t see any evidence of a problem there. That looks like HomeAssistant’s home page to me.

What I wanted to see is the curl -v output when trying to connect over HTTPS.

Hi Francis,

This is what I got

[screenshot: Screen Shot 2021-08-20 at 10.10.36 AM]

Does this mean that there is something blocking it or is there a deeper problem here?

[screenshot: Screen Shot 2021-08-20 at 10.11.03 AM]

And this is the final statement from the curl.

Please show the actual command you ran, and the full message. That tiny truncated screenshot really doesn’t tell us much.

Please be as thorough as possible with the information you give us, it’s wasting time otherwise.

Hi Francis,

This is the full message, as complete as possible. Please note that the subdomain can be interchanged for anything that the group would like to place in there:

[screenshot: Screen Shot 2021-08-20 at 10.31.07 AM]

Thank you for your help,
Daniel

Are you sure you have that port forwarded? Make sure you don’t have some firewall blocking connections on that port.

What’s weird is that http opens up the site fully, but https gets refused. I have port 59202 forwarded to 8123, as evidenced by HA coming up on http. For only some of the sites I am getting an OCSP stapling error:

{"level":"warn","ts":1629482383.1682518,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [ha.domain.duckdns.org]: parsing OCSP response: ocsp: error from server: unauthorized"}

Could that be leading to the issues? I recreated the port forward rule on the router (I have a Unifi router) and removed any rejection rules. Firewall… I don’t believe that I have anything set up, either locally or on the router, but how can I check if there is a firewall blocking SSL connections?

I don’t think this is relevant to your issues, that’s a warning, not an error, from the perspective of Caddy (although there is an “error message” it’s a warning level log).

Well, it depends what client you’re making the request from, and where the server is. I don’t know the specifics of your network setup. You’ll need to trace what your network is doing.

Using ports 80 and 443 greatly simplifies things, generally.

I have a pi-hole and apparently that wreaks havoc on https. Any solutions out there?

Pihole is just a DNS server, that doesn’t have anything to do with HTTPS. Not sure where you read that :thinking:

I moved the pi-hole to 1080, just to be sure. I had a more tech-savvy friend curl the site and it says: curl: (35) error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number

He’s saying it is issuing a TLS cert that is version 1.1 instead of 1.2 or higher.

Certificates don’t have versions. TLS versions are software implementations for TLS handshakes. Caddy only supports TLS 1.2 and 1.3, older versions are deprecated and potentially insecure.

What that error tells me is that you’re probably not hitting Caddy with your request, but instead some other server which is intercepting the request.
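An added example (my own Python, not from this thread or from the Caddy project) that turns the point above into a check you can run from outside your network: OpenSSL reports “wrong version number” when the bytes that come back after its ClientHello are not a TLS record at all, which is exactly what a plaintext HTTP listener answering on that port produces. `classify_reply` is the testable core; `probe` is the network wrapper around it, and the host and port you pass it are yours.

```python
import socket
import ssl

# Added example, not code from the thread. A TLS server answers a ClientHello
# with a record whose header starts 0x16 (handshake) 0x03 (SSL3/TLS major
# version). A plaintext HTTP listener answers with "HTTP/1.x 400 ..." instead,
# and OpenSSL turns those first bytes into "wrong version number".

def classify_reply(first_bytes: bytes) -> str:
    """Classify what a server sent back right after our TLS ClientHello."""
    if len(first_bytes) >= 3 and first_bytes[1] == 0x03:
        if first_bytes[0] == 0x16:
            return "tls-handshake"   # ServerHello: a real TLS listener
        if first_bytes[0] == 0x15:
            return "tls-alert"       # TLS speaker that rejected us (SNI, protocol, ...)
    if first_bytes.startswith(b"HTTP/"):
        return "plaintext-http"      # an HTTP server, not a TLS listener
    return "unknown"                 # something else entirely is on this port


def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """Try a TLS handshake to host:port; on failure, re-ask in plain HTTP."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = dict(pair[0] for pair in tls.getpeercert()["subject"])
                return {"kind": "tls-handshake", "version": tls.version(),
                        "subject": subject}
    except ssl.SSLError as exc:
        err = exc.reason or str(exc)
    # Handshake failed: send a plaintext request to the same port and look at
    # the first bytes of the reply to see who is really answering there.
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        reply = raw.recv(64)
    return {"kind": classify_reply(reply), "ssl_error": err, "reply_head": reply[:32]}
```

If `probe("ha.home-dtw.duckdns.org", 10500)` comes back as `plaintext-http`, the port is being answered by an HTTP listener (Caddy’s own HTTP port or the app behind it) rather than Caddy’s HTTPS listener, which points at the forwarding rules rather than at the certificate.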

I’m using the Caddy server file and a Caddyfile to serve it through version 1.04 of Caddy 2 in HA. I’m not sure what kind of controls I have to alter this approach; can you think of ways to implement this and ensure I’m hitting the correct CA servers?

Is there a way to explicitly call out TLS 1.2? I see some reference in the TLS docs but am a bit unsure how to implement it.

I added protocols tls1.3 to the tls section and still no success; the protocol still says it is 1.1 or lower. Any hints to try? Do I need to put an email in after the tls section? Currently I have

{
	email username@mail.com
}

Or should I have something like

tls username@mail.com {
	protocols tls1.3
	dns duckdns {
		api_token DUCKDNS_token
	}
}

What do I do if a site is intercepting the activity?

Make sure that the path from the outside network (Internet) to your server is clear and properly routed/forwarded.