V2: SSL no certificate available

dogpatchmedia · February 20, 2020, 3:50pm

1. My Caddy version (`caddy version`):

v2.0.0-beta.14 h1:QX1hRMfTA5sel53o5SuON1ys50at6yuSAnPr56sLeK8=

2. How I run Caddy:

a. System environment:

Ubuntu 18.04

b. Command:

caddy run --config /etc/caddy/Caddyfile

c. Service/unit/compose file:

[Unit]
Description=Caddy HTTP/2 web server
Documentation=https://caddyserver.com/docs
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service

[Service]
Restart=on-abnormal

; User and group the process will run as.
User=caddy
Group=caddy

; Letsencrypt-issued certificates will be written to this directory.
Environment=CADDYPATH=/home/caddy

; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
ExecStart=/usr/bin/caddy run --config=/etc/caddy/Caddyfile
ExecReload=/bin/kill -USR1 $MAINPID

; Use graceful shutdown with a reasonable timeout
KillMode=mixed
KillSignal=SIGQUIT
TimeoutStopSec=5s

; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
LimitNOFILE=1048576
; Unmodified caddy is not expected to use more than that.
LimitNPROC=4096

[Install]
WantedBy=multi-user.target

d. My complete Caddyfile or JSON config:

coconutpool.com. www.coconutpool.com {
        root * /home/caddy
        encode gzip
        php_fastcgi / unix//var/run/php/php7.3-fpm.sock php 
        file_server
}

3. The problem I’m having:

SSL not working. Moved domain to new server, used caddy before, followed same setup but website gets an error when you goto it:

This site can’t provide a secure connection ERR_SSL_PROTOCOL_ERROR

4. Error messages and/or full log output:

Feb 20 01:43:28 ns102521 caddy[23249]: 2020/02/20 01:43:28 [INFO][www.coconutpool.com] Served key authentication (HTTP challenge)
Feb 20 01:43:33 ns102521 caddy[23249]: 2020/02/20 01:43:33 [INFO] [www.coconutpool.com] The server validated our request
Feb 20 01:43:42 ns102521 caddy[23249]: 2020/02/20 01:43:42 http: TLS handshake error from 107.77.211.5:51307: no certificate available for 'domain.com'

5. What I already tried:

twiddling thumbs and wait for it it go away on its own
cursing
asking nicely for it to work
permissions may be wrong somewhere?
lots of google searches
reload caddy, restart caddy, maybe it will go away?

6. Links to relevant resources:

not sure.

matt · February 20, 2020, 4:32pm

The “command” is the command you type to run Caddy, in your case, caddy run --config /path/to/caddyfile

Can you please post your full and unredacted Caddyfile? And the full and unredacted logs. They are crucial to helping you with this problem since it is domain-name specific. Thanks!

dogpatchmedia · February 20, 2020, 4:56pm

ok updtaeds

matt · February 20, 2020, 5:23pm

Thanks. Logs too, please? It’s still redacted so I can’t make sense of what is happening in relation to the config.

dogpatchmedia · February 20, 2020, 6:24pm

Feb 20 16:12:23 ns102521 caddy[16639]: 2020/02/20 16:12:23 [INFO][www.coconutpool.com] Served key authentication certificate (TLS-ALPN challenge)
Feb 20 16:12:23 ns102521 caddy[16639]: 2020/02/20 16:12:23 [INFO][www.coconutpool.com] Served key authentication certificate (TLS-ALPN challenge)
Feb 20 16:12:23 ns102521 caddy[16639]: 2020/02/20 16:12:23 [INFO][www.coconutpool.com] Served key authentication certificate (TLS-ALPN challenge)
Feb 20 16:12:29 ns102521 caddy[16639]: 2020/02/20 16:12:29 [INFO] [www.coconutpool.com] The server validated our request
Feb 20 16:12:29 ns102521 caddy[16639]: 2020/02/20 16:12:29 [INFO] [www.coconutpool.com] acme: Validations succeeded; requesting certificates
Feb 20 16:12:30 ns102521 caddy[16639]: 2020/02/20 16:12:30 [INFO] [www.coconutpool.com] Server responded with a certificate.
Feb 20 16:12:42 ns102521 caddy[16639]: 2020/02/20 16:12:42 http: TLS handshake error from 107.77.211.5:13095: no certificate available for 'coconutpool.com'
Feb 20 16:12:42 ns102521 caddy[16639]: 2020/02/20 16:12:42 http: TLS handshake error from 107.77.211.5:9919: no certificate available for 'coconutpool.com'

matt · February 20, 2020, 7:29pm

Almost there… can you post the full log output, please? There is surely more than that, as Caddy always starts with some initialization log output, for example. Only part of the puzzle is here…

dogpatchmedia · February 20, 2020, 9:48pm

theres not much to see. it just repeats that over and over again.

Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.042        INFO        using provided configuration        {"config_file": "/etc/caddy/Caddyfile", "confFeb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.043        INFO        admin        admin endpoint started        {"address": "localhost:2019", "enforceFeb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.044        INFO        http        server is listening only on the HTTPS port but has no TLS connection Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.044        INFO        http        enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.044        INFO        http        enabling automatic TLS certificate management        {"domains": ["wwFeb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22 [INFO][cache:0xc00039a730] Started certificate maintenance routine
Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.044        INFO        tls        cleaned up storage units
Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.045        INFO        autosaved config        {"file": "/home/caddy/.config/caddy/autosave.json"}
Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.045        INFO        serving initial configuration
Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22 [INFO][www.coconutpool.com] Obtain certificate
Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22 [INFO][www.coconutpool.com] Obtain: Waiting on rate limiter...
Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22 [INFO][www.coconutpool.com] Obtain: Done waiting
Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22 [INFO] [www.coconutpool.com] acme: Obtaining bundled SAN certificate
Feb 20 16:12:23 ns102521 caddy[16639]: 2020/02/20 16:12:23 [INFO] [www.coconutpool.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/2919756322
Feb 20 16:12:23 ns102521 caddy[16639]: 2020/02/20 16:12:23 [INFO] [www.coconutpool.com] acme: use tls-alpn-01 solver
Feb 20 16:12:23 ns102521 caddy[16639]: 2020/02/20 16:12:23 [INFO] [www.coconutpool.com] acme: Trying to solve TLS-ALPN-01
Feb 20 16:12:23 ns102521 caddy[16639]: 2020/02/20 16:12:23 http: TLS handshake error from 127.0.0.1:64508: EOF
Feb 20 16:12:23 ns102521 caddy[16639]: 2020/02/20 16:12:23 [INFO][www.coconutpool.com] Served key authentication certificate (TLS-ALPN challenge)
Feb 20 16:12:23 ns102521 caddy[16639]: 2020/02/20 16:12:23 [INFO][www.coconutpool.com] Served key authentication certificate (TLS-ALPN challenge)
Feb 20 16:12:23 ns102521 caddy[16639]: 2020/02/20 16:12:23 [INFO][www.coconutpool.com] Served key authentication certificate (TLS-ALPN challenge)
Feb 20 16:12:23 ns102521 caddy[16639]: 2020/02/20 16:12:23 [INFO][www.coconutpool.com] Served key authentication certificate (TLS-ALPN challenge)
Feb 20 16:12:29 ns102521 caddy[16639]: 2020/02/20 16:12:29 [INFO] [www.coconutpool.com] The server validated our request
Feb 20 16:12:29 ns102521 caddy[16639]: 2020/02/20 16:12:29 [INFO] [www.coconutpool.com] acme: Validations succeeded; requesting certificates
Feb 20 16:12:30 ns102521 caddy[16639]: 2020/02/20 16:12:30 [INFO] [www.coconutpool.com] Server responded with a certificate.
Feb 20 16:12:42 ns102521 caddy[16639]: 2020/02/20 16:12:42 http: TLS handshake error from 107.77.211.5:13095: no certificate available for 'coconutpool.com'
Feb 20 16:12:42 ns102521 caddy[16639]: 2020/02/20 16:12:42 http: TLS handshake error from 107.77.211.5:9919: no certificate available for 'coconutpool.com'
Feb 20 16:12:45 ns102521 caddy[16639]: 2020/02/20 16:12:45 http: TLS handshake error from 107.77.211.5:10531: no certificate available for 'coconutpool.com'
Feb 20 16:12:45 ns102521 caddy[16639]: 2020/02/20 16:12:45 http: TLS handshake error from 107.77.211.5:61667: no certificate available for 'coconutpool.com'
Feb 20 16:13:38 ns102521 caddy[16639]: 2020/02/20 16:13:38 http: TLS handshake error from 107.77.211.5:60943: no certificate available for 'coconutpool.com'
Feb 20 16:13:38 ns102521 caddy[16639]: 2020/02/20 16:13:38 http: TLS handshake error from 107.77.211.5:6451: no certificate available for 'coconutpool.com'
Feb 20 16:14:15 ns102521 caddy[16639]: 2020/02/20 16:14:15.715        ERROR        http.log.error        making dial info: upstream php: invalid dial address php: Feb 20 16:27:21 ns102521 caddy[16639]: 2020/02/20 16:27:21 http: TLS handshake error from 107.77.211.5:51127: no certificate available for 'coconutpool.com'
Feb 20 16:27:21 ns102521 caddy[16639]: 2020/02/20 16:27:21 http: TLS handshake error from 107.77.211.5:31703: no certificate available for 'coconutpool.com'
Feb 20 16:27:50 ns102521 caddy[16639]: 2020/02/20 16:27:50 http: TLS handshake error from 107.77.211.5:19511: no certificate available for 'coconutpool.com'
Feb 20 16:27:50 ns102521 caddy[16639]: 2020/02/20 16:27:50 http: TLS handshake error from 107.77.211.5:60519: no certificate available for 'coconutpool.com'
Feb 20 16:35:42 ns102521 caddy[16639]: 2020/02/20 16:35:42 http: TLS handshake error from 107.77.211.5:13983: no certificate available for 'coconutpool.com'
Feb 20 16:35:42 ns102521 caddy[16639]: 2020/02/20 16:35:42 http: TLS handshake error from 107.77.211.5:56223: no certificate available for 'coconutpool.com'
Feb 20 16:40:27 ns102521 caddy[16639]: 2020/02/20 16:40:27 http: TLS handshake error from 34.217.100.109:41310: no certificate available for 'coconutpool.com'
Feb 20 16:45:19 ns102521 caddy[16639]: 2020/02/20 16:45:19 http: TLS handshake error from 107.77.211.5:19515: no certificate available for 'coconutpool.com'
Feb 20 16:45:26 ns102521 caddy[16639]: 2020/02/20 16:45:26 http: TLS handshake error from 107.77.211.5:27515: no certificate available for 'coconutpool.com'
Feb 20 16:45:26 ns102521 caddy[16639]: 2020/02/20 16:45:26 http: TLS handshake error from 107.77.211.5:18591: no certificate available for 'coconutpool.com'
Feb 20 16:47:04 ns102521 caddy[16639]: 2020/02/20 16:47:04 http: TLS handshake error from 54.225.5.202:53154: no certificate available for 'coconutpool.com'
Feb 20 16:47:11 ns102521 caddy[16639]: 2020/02/20 16:47:11.323        ERROR        http.log.error        making dial info: upstream php: invalid dial address php: Feb 20 16:51:15 ns102521 caddy[16639]: 2020/02/20 16:51:15 http: TLS handshake error from 107.77.211.5:44191: no certificate available for 'coconutpool.com'
Feb 20 16:51:15 ns102521 caddy[16639]: 2020/02/20 16:51:15 http: TLS handshake error from 107.77.211.5:61675: no certificate available for 'coconutpool.com'
Feb 20 16:58:34 ns102521 caddy[16639]: 2020/02/20 16:58:34 http: TLS handshake error from 107.77.211.5:46739: no certificate available for 'coconutpool.com'
Feb 20 16:58:34 ns102521 caddy[16639]: 2020/02/20 16:58:34 http: TLS handshake error from 107.77.211.5:49283: no certificate available for 'coconutpool.com'
Feb 20 17:12:22 ns102521 caddy[16639]: 2020/02/20 17:12:22 [INFO][cache:0xc00039a730] Scanning for stale OCSP staples
Feb 20 17:12:22 ns102521 caddy[16639]: 2020/02/20 17:12:22 [INFO][cache:0xc00039a730] Done checking OCSP staples
Feb 20 17:31:32 ns102521 caddy[16639]: 2020/02/20 17:31:32 http: TLS handshake error from 70.39.117.18:54854: no certificate available for ''
Feb 20 17:56:26 ns102521 caddy[16639]: 2020/02/20 17:56:26 http: TLS handshake error from 172.58.38.244:39438: no certificate available for 'coconutpool.com'
Feb 20 17:56:41 ns102521 caddy[16639]: 2020/02/20 17:56:41 http: TLS handshake error from 172.58.38.244:63044: no certificate available for 'coconutpool.com'
Feb 20 17:57:07 ns102521 caddy[16639]: 2020/02/20 17:57:07 http: TLS handshake error from 172.58.38.244:25740: no certificate available for 'coconutpool.com'
Feb 20 18:12:22 ns102521 caddy[16639]: 2020/02/20 18:12:22 [INFO][cache:0xc00039a730] Scanning for stale OCSP staples
Feb 20 18:12:22 ns102521 caddy[16639]: 2020/02/20 18:12:22 [INFO][cache:0xc00039a730] Done checking OCSP staples
Feb 20 18:15:02 ns102521 caddy[16639]: 2020/02/20 18:15:02 http: TLS handshake error from 198.108.66.161:28924: no certificate available for ''
Feb 20 19:12:22 ns102521 caddy[16639]: 2020/02/20 19:12:22 [INFO][cache:0xc00039a730] Scanning for stale OCSP staples
Feb 20 19:12:22 ns102521 caddy[16639]: 2020/02/20 19:12:22 [INFO][cache:0xc00039a730] Done checking OCSP staples
Feb 20 20:12:22 ns102521 caddy[16639]: 2020/02/20 20:12:22 [INFO][cache:0xc00039a730] Scanning for stale OCSP staples
Feb 20 20:12:22 ns102521 caddy[16639]: 2020/02/20 20:12:22 [INFO][cache:0xc00039a730] Done checking OCSP staples
Feb 20 20:33:14 ns102521 caddy[16639]: 2020/02/20 20:33:14 http: TLS handshake error from 54.218.118.123:58950: no certificate available for 'coconutpool.com'
Feb 20 21:12:22 ns102521 caddy[16639]: 2020/02/20 21:12:22 [INFO][cache:0xc00039a730] Scanning for stale OCSP staples
Feb 20 21:12:22 ns102521 caddy[16639]: 2020/02/20 21:12:22 [INFO][cache:0xc00039a730] Done checking OCSP staples
Feb 20 21:37:08 ns102521 caddy[16639]: 2020/02/20 21:37:08 http: TLS handshake error from 93.174.95.106:50206: no certificate available for ''

Mohammed90 · February 20, 2020, 10:04pm

I presume you’re navigating from the browser, right? Are you visiting coconutpool.com. on the browser address bar or coconutpool.com ? (mind the dot at the end). Caddy doesn’t seem to be able to find coconutpool.com, rightly so because it was configured for coconutpool.com. (with the dot at the end).

matt · February 20, 2020, 10:15pm

Thank you!

What’s up with this first line though? It’s kind of mangled:

Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.042        INFO        using provided configuration        {"config_file": "/etc/caddy/Caddyfile", "confFeb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.043        INFO        admin        admin endpoint started        {"address": "localhost:2019", "enforceFeb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.044        INFO        http        server is listening only on the HTTPS port but has no TLS connection Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.044        INFO        http        enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.044        INFO        http        enabling automatic TLS certificate management        {"domains": ["wwFeb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22 [INFO][cache:0xc00039a730] Started certificate maintenance routine

Did something happen there in copy+pasting it? Can you dump it to a file instead?

I know you said you’re not running it as a service, but the logs are prefixed with:

Feb 20 01:43:28 ns102521 caddy[23249]:

Which is not Caddy output.

The useful part is unfortunately being lost, potentially corrupted by the log manager you’re using or something gone horribly wrong with the copy+paste:

Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.044        INFO        http        enabling automatic TLS certificate management        {"domains": ["wwFeb 20 16:12:22 ns10252

Notice {"domains": ["wwFeb 20.

Are you really not running as a service?

dogpatchmedia · February 20, 2020, 10:53pm

i hadnt set it up as a service yet when this problem started.
try this: https://pastebin.com/JdCA5tJD

matt · February 20, 2020, 11:03pm

Excellent, thanks!

This log line, now complete, confirms my suspicions:

Feb 20 16:12:22 ns102521 caddy[16639]: 2020/02/20 16:12:22.044        INFO        http        enabling automatic TLS certificate management        {"domains": ["www.coconutpool.com"]}

Caddy is only managing a certificate for www.coconutpool.com and not coconutpool.com because your Caddyfile has coconutpool.com. instead of coconutpool.com in it, like @Mohammed90 suggested. See Automatic HTTPS — Caddy Documentation

Fix the typo in your Caddyfile and you should be good to go!

Edit: Also, drop the php at the end of your php_fastcgi line. See syntax: php_fastcgi (Caddyfile directive) — Caddy Documentation

dogpatchmedia · February 21, 2020, 2:34am

yup. i put . instead of ,

ok. it works. but i get an errror about the certificate: NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED

dogpatchmedia · February 21, 2020, 3:06am

hey its ok now. i guess it just needed some time. thanks for your help.

Whitestrake · February 21, 2020, 3:35am

This would happen when you’ve got a valid HTTPS certificate but Google can’t find its issuance in certificate transparency logs. That is, probably only in a very short window immediately following issuance.

matt · February 21, 2020, 4:25am

Excellent, glad we could figure that out. Thank you for providing the needed information!

matt · February 21, 2020, 4:25am

LE did some maintenance on their CT logs today, I dunno but that may have had something to do with it. CT is hard, and sometimes it does take a few minutes…

matt · March 20, 2020, 3:35pm

@dogpatchmedia Would you be able to upgrade to the latest on the v2 branch (newer than beta 18, will go out with beta 19)? I think I’ve fixed a bug today that was at least related to the hanging, if not the hanging itself. Did you notice that this only happens with the HTTP challenge? If so, it might very well have been fixed now… if not, meh, we’ll see. Let me know after you upgrade if it happens or doesn’t happen again!

After 20 trials I was unable to replicate the issue (which I have experienced before myself since your report).

system · June 18, 2020, 3:35pm

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.