V2: SSL no certificate available

1. My Caddy version (caddy version):

v2.0.0-beta.14 h1:QX1hRMfTA5sel53o5SuON1ys50at6yuSAnPr56sLeK8=

2. How I run Caddy:

a. System environment:

Ubuntu 18.04

b. Command:

caddy run --config /etc/caddy/Caddyfile

c. Service/unit/compose file:

[Unit]
Description=Caddy HTTP/2 web server
Documentation=https://caddyserver.com/docs
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service

[Service]
Restart=on-abnormal

; User and group the process will run as.
User=caddy
Group=caddy

; Letsencrypt-issued certificates will be written to this directory.
Environment=CADDYPATH=/home/caddy

; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
ExecStart=/usr/bin/caddy run --config=/etc/caddy/Caddyfile
ExecReload=/bin/kill -USR1 $MAINPID

; Use graceful shutdown with a reasonable timeout
KillMode=mixed
KillSignal=SIGQUIT
TimeoutStopSec=5s

; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
LimitNOFILE=1048576
; Unmodified caddy is not expected to use more than that.
LimitNPROC=4096

[Install]
WantedBy=multi-user.target

d. My complete Caddyfile or JSON config:

coconutpool.com. www.coconutpool.com {
        root * /home/caddy
        encode gzip
        php_fastcgi / unix//var/run/php/php7.3-fpm.sock php 
        file_server
}

3. The problem I’m having:

SSL not working. I moved the domain to a new server; I used Caddy before and followed the same setup, but the website gets an error when you go to it:

This site can’t provide a secure connection ERR_SSL_PROTOCOL_ERROR

4. Error messages and/or full log output:

Feb 20 01:43:28 ns102521 caddy[23249]: 2020/02/20 01:43:28 [INFO][www.coconutpool.com] Served key authentication (HTTP challenge)
Feb 20 01:43:33 ns102521 caddy[23249]: 2020/02/20 01:43:33 [INFO] [www.coconutpool.com] The server validated our request
Feb 20 01:43:42 ns102521 caddy[23249]: 2020/02/20 01:43:42 http: TLS handshake error from 107.77.211.5:51307: no certificate available for 'domain.com'

5. What I already tried:

  1. twiddling thumbs and waiting for it to go away on its own
  2. cursing
  3. asking nicely for it to work
  4. permissions may be wrong somewhere?
  5. lots of Google searches
  6. reload Caddy, restart Caddy, maybe it will go away?

6. Links to relevant resources:

not sure.

1 Like

The “command” is the command you type to run Caddy, in your case, caddy run --config /path/to/caddyfile

Can you please post your full and unredacted Caddyfile? And the full and unredacted logs. They are crucial to helping you with this problem since it is domain-name specific. Thanks!

OK, updated.

Thanks. Logs too, please? It’s still redacted so I can’t make sense of what is happening in relation to the config.

Feb 20 16:12:23 ns102521 caddy[16639]: 2020/02/20 16:12:23 [INFO][www.coconutpool.com] Served key authentication certificate (TLS-ALPN challenge)
Feb 20 16:12:23 ns102521 caddy[16639]: 2020/02/20 16:12:23 [INFO][www.coconutpool.com] Served key authentication certificate (TLS-ALPN challenge)
Feb 20 16:12:23 ns102521 caddy[16639]: 2020/02/20 16:12:23 [INFO][www.coconutpool.com] Served key authentication certificate (TLS-ALPN challenge)
Feb 20 16:12:29 ns102521 caddy[16639]: 2020/02/20 16:12:29 [INFO] [www.coconutpool.com] The server validated our request
Feb 20 16:12:29 ns102521 caddy[16639]: 2020/02/20 16:12:29 [INFO] [www.coconutpool.com] acme: Validations succeeded; requesting certificates
Feb 20 16:12:30 ns102521 caddy[16639]: 2020/02/20 16:12:30 [INFO] [www.coconutpool.com] Server responded with a certificate.
Feb 20 16:12:42 ns102521 caddy[16639]: 2020/02/20 16:12:42 http: TLS handshake error from 107.77.211.5:13095: no certificate available for 'coconutpool.com'
Feb 20 16:12:42 ns102521 caddy[16639]: 2020/02/20 16:12:42 http: TLS handshake error from 107.77.211.5:9919: no certificate available for 'coconutpool.com'

Almost there… can you post the full log output, please? There is surely more than that, as Caddy always starts with some initialization log output, for example. Only part of the puzzle is here…

There's not much to see. It just repeats that over and over again.

Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.042        INFO        using provided configuration        {"config_file": "/etc/caddy/Caddyfile", "confFeb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.043        INFO        admin        admin endpoint started        {"address": "localhost:2019", "enforceFeb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.044        INFO        http        server is listening only on the HTTPS port but has no TLS connection Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.044        INFO        http        enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.044        INFO        http        enabling automatic TLS certificate management        {"domains": ["wwFeb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22 [INFO][cache:0xc00039a730] Started certificate maintenance routine
Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.044        INFO        tls        cleaned up storage units
Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.045        INFO        autosaved config        {"file": "/home/caddy/.config/caddy/autosave.json"}
Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.045        INFO        serving initial configuration
Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22 [INFO][www.coconutpool.com] Obtain certificate
Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22 [INFO][www.coconutpool.com] Obtain: Waiting on rate limiter...
Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22 [INFO][www.coconutpool.com] Obtain: Done waiting
Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22 [INFO] [www.coconutpool.com] acme: Obtaining bundled SAN certificate
Feb 20 16:12:23 ns102521 caddy[16639]: 2020/02/20 16:12:23 [INFO] [www.coconutpool.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/2919756322
Feb 20 16:12:23 ns102521 caddy[16639]: 2020/02/20 16:12:23 [INFO] [www.coconutpool.com] acme: use tls-alpn-01 solver
Feb 20 16:12:23 ns102521 caddy[16639]: 2020/02/20 16:12:23 [INFO] [www.coconutpool.com] acme: Trying to solve TLS-ALPN-01
Feb 20 16:12:23 ns102521 caddy[16639]: 2020/02/20 16:12:23 http: TLS handshake error from 127.0.0.1:64508: EOF
Feb 20 16:12:23 ns102521 caddy[16639]: 2020/02/20 16:12:23 [INFO][www.coconutpool.com] Served key authentication certificate (TLS-ALPN challenge)
Feb 20 16:12:23 ns102521 caddy[16639]: 2020/02/20 16:12:23 [INFO][www.coconutpool.com] Served key authentication certificate (TLS-ALPN challenge)
Feb 20 16:12:23 ns102521 caddy[16639]: 2020/02/20 16:12:23 [INFO][www.coconutpool.com] Served key authentication certificate (TLS-ALPN challenge)
Feb 20 16:12:23 ns102521 caddy[16639]: 2020/02/20 16:12:23 [INFO][www.coconutpool.com] Served key authentication certificate (TLS-ALPN challenge)
Feb 20 16:12:29 ns102521 caddy[16639]: 2020/02/20 16:12:29 [INFO] [www.coconutpool.com] The server validated our request
Feb 20 16:12:29 ns102521 caddy[16639]: 2020/02/20 16:12:29 [INFO] [www.coconutpool.com] acme: Validations succeeded; requesting certificates
Feb 20 16:12:30 ns102521 caddy[16639]: 2020/02/20 16:12:30 [INFO] [www.coconutpool.com] Server responded with a certificate.
Feb 20 16:12:42 ns102521 caddy[16639]: 2020/02/20 16:12:42 http: TLS handshake error from 107.77.211.5:13095: no certificate available for 'coconutpool.com'
Feb 20 16:12:42 ns102521 caddy[16639]: 2020/02/20 16:12:42 http: TLS handshake error from 107.77.211.5:9919: no certificate available for 'coconutpool.com'
Feb 20 16:12:45 ns102521 caddy[16639]: 2020/02/20 16:12:45 http: TLS handshake error from 107.77.211.5:10531: no certificate available for 'coconutpool.com'
Feb 20 16:12:45 ns102521 caddy[16639]: 2020/02/20 16:12:45 http: TLS handshake error from 107.77.211.5:61667: no certificate available for 'coconutpool.com'
Feb 20 16:13:38 ns102521 caddy[16639]: 2020/02/20 16:13:38 http: TLS handshake error from 107.77.211.5:60943: no certificate available for 'coconutpool.com'
Feb 20 16:13:38 ns102521 caddy[16639]: 2020/02/20 16:13:38 http: TLS handshake error from 107.77.211.5:6451: no certificate available for 'coconutpool.com'
Feb 20 16:14:15 ns102521 caddy[16639]: 2020/02/20 16:14:15.715        ERROR        http.log.error        making dial info: upstream php: invalid dial address php: Feb 20 16:27:21 ns102521 caddy[16639]: 2020/02/20 16:27:21 http: TLS handshake error from 107.77.211.5:51127: no certificate available for 'coconutpool.com'
Feb 20 16:27:21 ns102521 caddy[16639]: 2020/02/20 16:27:21 http: TLS handshake error from 107.77.211.5:31703: no certificate available for 'coconutpool.com'
Feb 20 16:27:50 ns102521 caddy[16639]: 2020/02/20 16:27:50 http: TLS handshake error from 107.77.211.5:19511: no certificate available for 'coconutpool.com'
Feb 20 16:27:50 ns102521 caddy[16639]: 2020/02/20 16:27:50 http: TLS handshake error from 107.77.211.5:60519: no certificate available for 'coconutpool.com'
Feb 20 16:35:42 ns102521 caddy[16639]: 2020/02/20 16:35:42 http: TLS handshake error from 107.77.211.5:13983: no certificate available for 'coconutpool.com'
Feb 20 16:35:42 ns102521 caddy[16639]: 2020/02/20 16:35:42 http: TLS handshake error from 107.77.211.5:56223: no certificate available for 'coconutpool.com'
Feb 20 16:40:27 ns102521 caddy[16639]: 2020/02/20 16:40:27 http: TLS handshake error from 34.217.100.109:41310: no certificate available for 'coconutpool.com'
Feb 20 16:45:19 ns102521 caddy[16639]: 2020/02/20 16:45:19 http: TLS handshake error from 107.77.211.5:19515: no certificate available for 'coconutpool.com'
Feb 20 16:45:26 ns102521 caddy[16639]: 2020/02/20 16:45:26 http: TLS handshake error from 107.77.211.5:27515: no certificate available for 'coconutpool.com'
Feb 20 16:45:26 ns102521 caddy[16639]: 2020/02/20 16:45:26 http: TLS handshake error from 107.77.211.5:18591: no certificate available for 'coconutpool.com'
Feb 20 16:47:04 ns102521 caddy[16639]: 2020/02/20 16:47:04 http: TLS handshake error from 54.225.5.202:53154: no certificate available for 'coconutpool.com'
Feb 20 16:47:11 ns102521 caddy[16639]: 2020/02/20 16:47:11.323        ERROR        http.log.error        making dial info: upstream php: invalid dial address php: Feb 20 16:51:15 ns102521 caddy[16639]: 2020/02/20 16:51:15 http: TLS handshake error from 107.77.211.5:44191: no certificate available for 'coconutpool.com'
Feb 20 16:51:15 ns102521 caddy[16639]: 2020/02/20 16:51:15 http: TLS handshake error from 107.77.211.5:61675: no certificate available for 'coconutpool.com'
Feb 20 16:58:34 ns102521 caddy[16639]: 2020/02/20 16:58:34 http: TLS handshake error from 107.77.211.5:46739: no certificate available for 'coconutpool.com'
Feb 20 16:58:34 ns102521 caddy[16639]: 2020/02/20 16:58:34 http: TLS handshake error from 107.77.211.5:49283: no certificate available for 'coconutpool.com'
Feb 20 17:12:22 ns102521 caddy[16639]: 2020/02/20 17:12:22 [INFO][cache:0xc00039a730] Scanning for stale OCSP staples
Feb 20 17:12:22 ns102521 caddy[16639]: 2020/02/20 17:12:22 [INFO][cache:0xc00039a730] Done checking OCSP staples
Feb 20 17:31:32 ns102521 caddy[16639]: 2020/02/20 17:31:32 http: TLS handshake error from 70.39.117.18:54854: no certificate available for ''
Feb 20 17:56:26 ns102521 caddy[16639]: 2020/02/20 17:56:26 http: TLS handshake error from 172.58.38.244:39438: no certificate available for 'coconutpool.com'
Feb 20 17:56:41 ns102521 caddy[16639]: 2020/02/20 17:56:41 http: TLS handshake error from 172.58.38.244:63044: no certificate available for 'coconutpool.com'
Feb 20 17:57:07 ns102521 caddy[16639]: 2020/02/20 17:57:07 http: TLS handshake error from 172.58.38.244:25740: no certificate available for 'coconutpool.com'
Feb 20 18:12:22 ns102521 caddy[16639]: 2020/02/20 18:12:22 [INFO][cache:0xc00039a730] Scanning for stale OCSP staples
Feb 20 18:12:22 ns102521 caddy[16639]: 2020/02/20 18:12:22 [INFO][cache:0xc00039a730] Done checking OCSP staples
Feb 20 18:15:02 ns102521 caddy[16639]: 2020/02/20 18:15:02 http: TLS handshake error from 198.108.66.161:28924: no certificate available for ''
Feb 20 19:12:22 ns102521 caddy[16639]: 2020/02/20 19:12:22 [INFO][cache:0xc00039a730] Scanning for stale OCSP staples
Feb 20 19:12:22 ns102521 caddy[16639]: 2020/02/20 19:12:22 [INFO][cache:0xc00039a730] Done checking OCSP staples
Feb 20 20:12:22 ns102521 caddy[16639]: 2020/02/20 20:12:22 [INFO][cache:0xc00039a730] Scanning for stale OCSP staples
Feb 20 20:12:22 ns102521 caddy[16639]: 2020/02/20 20:12:22 [INFO][cache:0xc00039a730] Done checking OCSP staples
Feb 20 20:33:14 ns102521 caddy[16639]: 2020/02/20 20:33:14 http: TLS handshake error from 54.218.118.123:58950: no certificate available for 'coconutpool.com'
Feb 20 21:12:22 ns102521 caddy[16639]: 2020/02/20 21:12:22 [INFO][cache:0xc00039a730] Scanning for stale OCSP staples
Feb 20 21:12:22 ns102521 caddy[16639]: 2020/02/20 21:12:22 [INFO][cache:0xc00039a730] Done checking OCSP staples
Feb 20 21:37:08 ns102521 caddy[16639]: 2020/02/20 21:37:08 http: TLS handshake error from 93.174.95.106:50206: no certificate available for ''

I presume you’re navigating from the browser, right? Are you visiting coconutpool.com. on the browser address bar or coconutpool.com ? (mind the dot at the end). Caddy doesn’t seem to be able to find coconutpool.com, rightly so because it was configured for coconutpool.com. (with the dot at the end).

1 Like

Thank you!

What’s up with this first line though? It’s kind of mangled:

Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.042        INFO        using provided configuration        {"config_file": "/etc/caddy/Caddyfile", "confFeb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.043        INFO        admin        admin endpoint started        {"address": "localhost:2019", "enforceFeb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.044        INFO        http        server is listening only on the HTTPS port but has no TLS connection Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.044        INFO        http        enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.044        INFO        http        enabling automatic TLS certificate management        {"domains": ["wwFeb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22 [INFO][cache:0xc00039a730] Started certificate maintenance routine

Did something happen there in copy+pasting it? Can you dump it to a file instead?

I know you said you’re not running it as a service, but the logs are prefixed with:

Feb 20 01:43:28 ns102521 caddy[23249]:

Which is not Caddy output.

The useful part is unfortunately being lost, potentially corrupted by the log manager you’re using or something gone horribly wrong with the copy+paste:

Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.044        INFO        http        enabling automatic TLS certificate management        {"domains": ["wwFeb 20 16:12:22 ns10252

Notice {"domains": ["wwFeb 20.

Are you really not running as a service?

I hadn't set it up as a service yet when this problem started.
Try this: https://pastebin.com/JdCA5tJD

1 Like

Excellent, thanks!

This log line, now complete, confirms my suspicions:

Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.044        INFO        http        enabling automatic TLS certificate management        {"domains": ["www.coconutpool.com"]}

Caddy is only managing a certificate for www.coconutpool.com and not coconutpool.com because your Caddyfile has coconutpool.com. instead of coconutpool.com in it, like @Mohammed90 suggested. See https://caddyserver.com/docs/automatic-https#hostname-requirements

Fix the typo in your Caddyfile and you should be good to go!

Edit: Also, drop the php at the end of your php_fastcgi line. See syntax: https://caddyserver.com/docs/caddyfile/directives/php_fastcgi#syntax

1 Like
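The diagnosis above (a site address that automatic HTTPS will not manage, visible as a mismatch between the managed-domains startup line and the SNI names in the handshake errors) can be checked mechanically. The script below is an added example, not code from this thread or from the Caddy project: it parses the site addresses of top-level Caddyfile blocks, flags the ones that end in a dot, reads the `"domains"` JSON from the `enabling automatic TLS certificate management` log line, and counts `no certificate available for '...'` failures per requested SNI name that Caddy is not managing. The Caddyfile and log excerpt embedded in it are constructed from the thread's own posts; the regexes and the `<no SNI>` label are this example's assumptions, not Caddy's.

```python
import json
import re

# Constructed sample: the site-address line from the thread's Caddyfile,
# including the trailing dot that caused the problem.
SAMPLE_CADDYFILE = """coconutpool.com. www.coconutpool.com {
        root * /home/caddy
        encode gzip
        file_server
}
"""

# Constructed sample log lines modelled on the thread's journal output
# (journald prefixes stripped; the startup line is the complete one).
SAMPLE_LOG = """\
2020/02/20 16:12:22.044 INFO http enabling automatic TLS certificate management {"domains": ["www.coconutpool.com"]}
2020/02/20 16:12:42 http: TLS handshake error from 107.77.211.5:13095: no certificate available for 'coconutpool.com'
2020/02/20 16:12:45 http: TLS handshake error from 107.77.211.5:10531: no certificate available for 'coconutpool.com'
2020/02/20 17:31:32 http: TLS handshake error from 70.39.117.18:54854: no certificate available for ''
"""

# Only unindented lines ending in "{" are treated as site-block headers,
# so nested directive blocks inside a site are not mistaken for addresses.
SITE_BLOCK_RE = re.compile(r"^(?P<addrs>\S[^{\n]*)\{", re.MULTILINE)
MANAGED_RE = re.compile(r"enabling automatic TLS certificate management\s+(\{.*\})")
NO_CERT_RE = re.compile(r"no certificate available for '(?P<sni>[^']*)'")


def site_addresses(caddyfile):
    """Return the site addresses from every top-level block header,
    split on commas and/or whitespace."""
    addrs = []
    for m in SITE_BLOCK_RE.finditer(caddyfile):
        for tok in re.split(r"[,\s]+", m.group("addrs").strip()):
            if tok:
                addrs.append(tok)
    return addrs


def lint_addresses(addrs):
    """Flag addresses that automatic HTTPS will not manage as written.
    A trailing dot is the case from this thread: it usually means a ','
    separator was mistyped as '.'."""
    issues = []
    for a in addrs:
        if a.endswith("."):
            issues.append((a, "ends with '.'; not managed by automatic HTTPS "
                              "(was a ',' separator intended?)"))
    return issues


def managed_domains(log):
    """Domains Caddy says it manages, taken from the startup log line."""
    for line in log.splitlines():
        m = MANAGED_RE.search(line)
        if m:
            return set(json.loads(m.group(1))["domains"])
    return set()


def unmanaged_sni(log, managed):
    """Count handshake failures per requested SNI name that is not managed.
    An empty SNI (scanners, IP-address requests) is reported separately."""
    counts = {}
    for line in log.splitlines():
        m = NO_CERT_RE.search(line)
        if m:
            sni = m.group("sni") or "<no SNI>"
            if sni not in managed:
                counts[sni] = counts.get(sni, 0) + 1
    return counts


def diagnose(caddyfile, log):
    """Combine the Caddyfile lint with the log correlation into one report."""
    addrs = site_addresses(caddyfile)
    managed = managed_domains(log)
    return {
        "addresses": addrs,
        "issues": lint_addresses(addrs),
        "managed": sorted(managed),
        "unmanaged_sni": unmanaged_sni(log, managed),
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE_CADDYFILE, SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the thread's data the report lists `coconutpool.com.` as the only flagged address, `www.coconutpool.com` as the only managed domain, and two failures for `coconutpool.com` plus one for `<no SNI>`; the empty-SNI hits are the usual background noise from scanners rather than a configuration problem, which is why they are kept apart from the real finding.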

Yup. I put . instead of ,

OK, it works. But I get an error about the certificate: NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED

1 Like

Hey, it's OK now. I guess it just needed some time. Thanks for your help.

1 Like

This would happen when you’ve got a valid HTTPS certificate but Google can’t find its issuance in certificate transparency logs. That is, probably only in a very short window immediately following issuance.

1 Like

Excellent, glad we could figure that out. Thank you for providing the needed information!

LE did some maintenance on their CT logs today, I dunno but that may have had something to do with it. CT is hard, and sometimes it does take a few minutes…

1 Like

@dogpatchmedia Would you be able to upgrade to the latest on the v2 branch (newer than beta 18, will go out with beta 19)? I think I’ve fixed a bug today that was at least related to the hanging, if not the hanging itself. Did you notice that this only happens with the HTTP challenge? If so, it might very well have been fixed now… if not, meh, we’ll see. Let me know after you upgrade if it happens or doesn’t happen again!

After 20 trials I was unable to replicate the issue (which I have experienced before myself since your report).