VPS behind NAT, error:400 on SSL request

Hi, currently I’m setting up a smokeping server on a NAT VPS, and for HTTP there is no problem listening on custom port 7001 (tls off).
But when I set up HTTPS with tls, there is an error:400

Mar 28 09:50:24 host systemd: Starting Caddy HTTP/2 web server...
Mar 28 09:50:24 host caddy: Caddyfile is valid
Mar 28 09:50:24 host systemd: Started Caddy HTTP/2 web server.
Mar 28 09:50:24 host caddy: Activating privacy features... 2019/03/28 09:50:24 [INFO][FileStorage:/var/lib/caddy] Started certificate maintenance routine
Mar 28 09:50:24 host caddy: 2019/03/28 09:50:24 [INFO] [smoke.domain.com] acme: Obtaining bundled SAN certificate
Mar 28 09:50:25 host caddy: 2019/03/28 09:50:25 [INFO] [smoke.domain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/fc146apWQjJhKGF6FpS34mlmlBlQj6LcwyVxfF7eyng
Mar 28 09:50:25 host caddy: 2019/03/28 09:50:25 [INFO] [smoke.domain.com] acme: use tls-alpn-01 solver
Mar 28 09:50:25 host caddy: 2019/03/28 09:50:25 [INFO] [smoke.domain.com] acme: Trying to solve TLS-ALPN-01
Mar 28 09:50:26 host caddy: 2019/03/28 09:50:26 [smoke.domain.com] failed to obtain certificate: acme: Error -> One or more domains had a problem:
Mar 28 09:50:26 host caddy: [smoke.domain.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Connection refused, url:
Mar 28 09:50:26 host systemd: caddy.service: main process exited, code=exited, status=1/FAILURE
Mar 28 09:50:26 host systemd: Unit caddy.service entered failed state.
Mar 28 09:50:26 host systemd: caddy.service failed.

Here is my caddyfile conf:

smoke.domain.com:7001 {
        tls email@domain.com
        log stdout
        errors
        root /usr/share/smokeping/htdocs
        fastcgi / unix:/var/run/fcgiwrap.socket {
                env SCRIPT_FILENAME /usr/share/smokeping/cgi/smokeping.fcgi
        }
}

smoke.domain.com:7001/images {
        tls email@domain.com
        root /var/lib/smokeping/images
}

smoke.domain.com:7001/cropper {
        tls email@domain.com
        root /usr/share/smokeping/htdocs/cropper
}

I believe I can set a custom HTTPS port? Any help would be greatly appreciated.

Hi @NanoG6, welcome to the Caddy community.

ACME validation requires that you complete the challenges on standard HTTP(S) ports.

That means Caddy must bind 80 and/or 443, and those ports must be open at the network edge to reach Caddy.

The alternative is to use DNS validation.


Hmm… did you mean this? enabling-the-dns-challenge

Thanks for the info, I’ll check it!

Yes, the DNS challenge lets you validate that you own the domain without needing to use an HTTP challenge (requires port 80) or a TLS-ALPN challenge (requires port 443).
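As an added example (not code from this thread or from the Caddy project), a small Python parser over journal lines modelled on the ones in the first post: it pulls the chosen solver and the ACME error out of the log and maps the challenge type to the port that must be reachable from the internet, so the "connection refused" failure behind NAT is spelled out. The sample lines are constructed, and the solver-to-port table and the `diagnose` function are my assumptions, not part of Caddy.

```python
import re

# Constructed sample, modelled on the journal lines quoted in the first post.
SAMPLE_LOG = """\
Mar 28 09:50:25 host caddy: 2019/03/28 09:50:25 [INFO] [smoke.domain.com] acme: use tls-alpn-01 solver
Mar 28 09:50:26 host caddy: [smoke.domain.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Connection refused, url:
"""

# Port each ACME challenge type needs reachable at the network edge; dns-01 needs none.
CHALLENGE_PORT = {"http-01": 80, "tls-alpn-01": 443, "dns-01": None}

SOLVER_RE = re.compile(r"\[(?P<domain>[^\]]+)\] acme: use (?P<solver>[a-z0-9-]+) solver")
ERROR_RE = re.compile(
    r"\[(?P<domain>[^\]]+)\] acme: error: (?P<status>\d{3}) :: "
    r"(?P<urn>urn:ietf:params:acme:error:[a-zA-Z]+) :: (?P<detail>[^,]*)"
)


def diagnose(log_text):
    """Return {domain: {solver, status, error, detail, hint}} derived from the log."""
    findings = {}
    for line in log_text.splitlines():
        m = SOLVER_RE.search(line)
        if m:
            findings.setdefault(m["domain"], {})["solver"] = m["solver"]
            continue
        m = ERROR_RE.search(line)
        if m:
            f = findings.setdefault(m["domain"], {})
            f["status"] = int(m["status"])
            f["error"] = m["urn"].rsplit(":", 1)[1]  # e.g. "connection"
            f["detail"] = m["detail"].strip()
    for domain, f in findings.items():
        port = CHALLENGE_PORT.get(f.get("solver"))
        if f.get("error") == "connection" and port is not None:
            # The CA could not reach the solver: the port is closed or not forwarded.
            f["hint"] = (f"{f['solver']} needs TCP {port} reachable from the internet; "
                         "forward it to Caddy at the NAT edge or switch to the dns-01 challenge")
        elif f.get("error"):
            f["hint"] = f"ACME {f['error']} error: {f.get('detail', '')}"
        else:
            f["hint"] = "no ACME error seen"
    return findings


if __name__ == "__main__":
    for domain, finding in diagnose(SAMPLE_LOG).items():
        print(domain, finding["hint"])
```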

Hi, thanks… I can successfully set up TLS using the DNS challenge. Here is the full config in case anyone needs it:

# cat /usr/lib/systemd/system/caddy.service 
[Unit]
Description=Caddy HTTP/2 web server
Documentation=https://caddyserver.com/docs
After=network.target

[Service]
User=caddy
Group=caddy
Environment=CADDYPATH=/var/lib/caddy
EnvironmentFile=-/etc/caddy/envfile
ExecStartPre=/usr/bin/caddy -conf /etc/caddy/caddy.conf -validate
ExecStart=/usr/bin/caddy -conf /etc/caddy/caddy.conf -log stdout -root /tmp -agree
ExecReload=/usr/bin/kill -USR1 $MAINPID
KillMode=mixed
KillSignal=SIGQUIT
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectHome=true
ProtectSystem=full
ReadWriteDirectories=/var/lib/caddy
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target


# cat /etc/caddy/envfile 
CLOUDFLARE_EMAIL=email@domain.com
CLOUDFLARE_API_KEY=7d47d11f9b81b30d6666665bee32f3c59d612


# cat /etc/caddy/conf.d/smoke.domain.com.conf 
smoke.domain.com:7001 {
        tls {
                dns cloudflare
        }
        log stdout
        errors
        root /usr/share/smokeping/htdocs
        fastcgi / unix:/var/run/fcgiwrap.socket {
                env SCRIPT_FILENAME /usr/share/smokeping/cgi/smokeping.fcgi
        }
}

smoke.domain.com:7001/images {
        tls {
                dns cloudflare
        }
        root /var/lib/smokeping/images
}

smoke.domain.com:7001/cropper {
        tls {
                dns cloudflare
        }
        root /usr/share/smokeping/htdocs/cropper
}
