[v2]: can't get server to obtain cert

1. My Caddy version (caddy version):

v2.0.0 h1:pQSaIJGFluFvu8KDGDODV8u4/QRED/OPyIR+MWYYse8=

2. How I run Caddy:

a. System environment:

Ubuntu 20.04 LTS

b. Command:

caddy reload

c. Service/unit/compose file:

N/A? Using the apt package listed on the site to install, runs by default, haven’t found or edited anything.

d. My complete Caddyfile or JSON config:

haneefmubarak.com {
	reverse_proxy localhost:2368
}

media.haneefmubarak.com {
	root * /home/haneefmubarak/web/haneefmubarak.com/media
	file_server browse
}

3. The problem I’m having:

I set up the media.haneefmubarak.com site first. It took a minute or so but then worked fine, with the ACME cert successfully obtained and running (https://crt.sh/?q=haneefmubarak.com).

However, when I added the reverse-proxy for haneefmubarak.com, it did not obtain a reverse proxy.

I will note that both are sitting behind CloudFlare, although disabling CF and passing the IP through directly didn’t seem to make any difference whatsoever (media worked fine anyways behind CF, @ just doesn’t work either way).

4. Error messages and/or full log output:

The lack of certificate listed on https://crt.sh/?q=haneefmubarak.com and the page https://haneefmubarak.com/ throwing an SSL error.

EDIT: running openssl s_client -connect localhost:443 -servername haneefmubarak.com yields the following:

CONNECTED(00000003)
140438162974016:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:../ssl/record/rec_layer_s3.c:1543:SSL alert number 80
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 309 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

5. What I already tried:

I tried disabling CF, but that did not seem to help.

I also tried using

tls {
        on_demand
}

within the @ configuration on the hope that that would force a certificate acquisition, but to no avail.

I also tried specifying http:// on the localhost part after the reverse_proxy keyword, but that also did not seem to make a difference.

6. Links to relevant resources:

What is the output from Caddy’s logs? Cert issuance errors are always printed there.

You can see your logs with sudo journalctl -u caddy

@matt @francislavoie that was just the step I needed! Thank you so much.

It turned out that the challenges were blocking because of CF, but that when I did it for the media domain, it slipped through when I was finicking with the DNS settings. However, I apparently finicked too much with the @ domain, which triggered the ACME retry limits.

Waiting long enough and then redoing it with direct DNS made it work, after which I configured CF to be back on.


I do think it’d be useful to be able to acquire certs from behind CF, but I’m not quite sure how exactly that could be configured out correctly. I did see a module on the docs, but I’m not quite sure how to configure that, as both the docs and the repo seemed a bit sparse on usage directions.


Anyhow, thank y’all again for the help!
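The thread was resolved by reading Caddy's own logs (journalctl -u caddy), which showed the ACME challenges being blocked by Cloudflare and, after repeated retries, an ACME rate limit. The following is an added example, not code from the original thread or from the Caddy project, that triages Caddy v2 JSON log lines for exactly those two failure modes. The sample lines, hostnames and error strings below are constructed for illustration; only the ACME error type urn:ietf:params:acme:error:rateLimited is a real identifier.

```python
import json
from collections import defaultdict

# Constructed sample lines in the shape of Caddy v2's JSON logs. They are
# illustrative only, not lines captured from the poster's server. The
# non-JSON lines imitate what journalctl may interleave with Caddy's output.
SAMPLE_LOG = """\
-- Logs begin at Sat 2020-05-16 10:00:00 UTC. --
{"level":"info","ts":1589500000.1,"logger":"tls.obtain","msg":"acquiring lock","identifier":"media.example.com"}
{"level":"info","ts":1589500001.2,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"media.example.com"}
{"level":"error","ts":1589500010.3,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"example.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[example.com] solving challenges: authorization failed: HTTP 403 urn:ietf:params:acme:error:unauthorized - Invalid response from http://example.com/.well-known/acme-challenge/CONSTRUCTED-TOKEN: 403"}
{"level":"error","ts":1589500020.4,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"example.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 429 urn:ietf:params:acme:error:rateLimited - too many failed authorizations recently"}
{"level":"info","ts":1589500021.5,"logger":"http","msg":"server running","name":"srv0"}
"""

# Real ACME error type for rate limiting (RFC 8555 section 6.7).
RATE_LIMITED = "urn:ietf:params:acme:error:rateLimited"


def parse_caddy_log(text):
    """Yield one dict per JSON line; silently skip lines that are not JSON."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def triage_acme(text):
    """Summarise certificate issuance per identifier (hostname).

    Only records from the hypothetical "tls.obtain" logger are considered.
    Returns {identifier: {"obtained", "failures", "rate_limited", "last_error"}}.
    """
    report = defaultdict(lambda: {
        "obtained": False, "failures": 0, "rate_limited": False, "last_error": None,
    })
    for rec in parse_caddy_log(text):
        if rec.get("logger") != "tls.obtain":
            continue
        ident = rec.get("identifier")
        if not ident:
            continue
        entry = report[ident]
        if rec.get("level") == "error":
            err = rec.get("error", "")
            entry["failures"] += 1
            entry["last_error"] = err
            if RATE_LIMITED in err:
                entry["rate_limited"] = True
        elif rec.get("msg") == "certificate obtained successfully":
            entry["obtained"] = True
    return dict(report)


def advise(entry):
    """Map a per-host summary to the action a defender should take next."""
    if entry["obtained"]:
        return "ok"
    if entry["rate_limited"]:
        # Further retries only extend the lockout; fix the cause, then wait.
        return "rate_limited"
    if entry["failures"]:
        # Challenge traffic never reached Caddy directly (CDN/proxy or DNS in the way).
        return "challenge_failing"
    return "no_attempt"


if __name__ == "__main__":
    for host, entry in sorted(triage_acme(SAMPLE_LOG).items()):
        print(f"{host}: {advise(entry)}"
              + (f"  last error: {entry['last_error']}" if entry["last_error"] else ""))
```

Pipe the real output of `sudo journalctl -u caddy -o cat` into triage_acme to get the same per-host verdict; the distinction between "challenge_failing" and "rate_limited" matters because the fix for the first (let validation traffic reach Caddy directly) makes the second worse if applied in a loop of restarts.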

