curl -vk https://<public_ip>
yielded on the Caddy side:
2022/03/03 00:52:43.334 DEBUG http starting server loop {"address": "[::]:443", "http3": false, "tls": true}
2022/03/03 00:52:43.334 DEBUG http starting server loop {"address": "[::]:80", "http3": false, "tls": false}
2022/03/03 00:52:43.335 INFO http enabling automatic TLS certificate management {"domains": ["34.133.83.194"]}
2022/03/03 00:52:43.335 WARN tls stapling OCSP {"error": "no OCSP stapling for [34.133.83.194]: no OCSP server specified in certificate"}
2022/03/03 00:52:43.335 DEBUG tls.cache added certificate to cache {"subjects": ["34.133.83.194"], "expiration": "2022/03/03 06:33:16.000", "managed": true, "issuer_key": "local", "hash": "5857d59002978b446e8c39d1e80b1c99acd578be58f4e6b27e043792181b58f9", "cache_size": 1, "cache_capacity": 10000}
2022/03/03 00:52:43.336 INFO autosaved config (load with --resume flag) {"file": "/root/.config/caddy/autosave.json"}
2022/03/03 00:52:43.336 INFO serving initial configuration
2022/03/03 00:52:51.720 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "10.128.0.3"}
2022/03/03 00:52:51.721 DEBUG tls.handshake no certificate matching TLS ClientHello {"server_name": "", "remote": "34.133.83.194:38190", "identifier": "10.128.0.3", "cipher_suites": [4866, 4867, 4865, 49196, 49200, 159, 52393, 52392, 52394, 49195, 49199, 158, 49188, 49192, 107, 49187, 49191, 103, 49162, 49172, 57, 49161, 49171, 51, 157, 156, 61, 60, 53, 47, 255], "cert_cache_fill": 0.0001, "load_if_necessary": true, "obtain_if_necessary": true, "on_demand": false}
2022/03/03 00:52:51.721 DEBUG http.stdlib http: TLS handshake error from 34.133.83.194:38190: no certificate available for '10.128.0.3'
It looks like it’s trying to match on the internal IP despite my curling the public IP, and it returns no certificate available for '10.128.0.3'
(which is my internal IP). So I used the private-IP Caddyfile again, with debug turned on.
This time, curl -vk https://<private_ip>
yielded, as expected:
2022/03/03 00:57:25.144 DEBUG tls.handshake choosing certificate {"identifier": "10.128.0.3", "num_choices": 1}
2022/03/03 00:57:25.144 DEBUG tls.handshake default certificate selection results {"identifier": "10.128.0.3", "subjects": ["10.128.0.3"], "managed": true, "issuer_key": "local", "hash": "86bce8c52a0937f83a03ea78be75068616a44dc663193ccf7f6a00cf04a96fb2"}
2022/03/03 00:57:25.144 DEBUG tls.handshake matched certificate in cache {"subjects": ["10.128.0.3"], "managed": true, "expiration": "2022/03/03 12:41:53.000", "hash": "86bce8c52a0937f83a03ea78be75068616a44dc663193ccf7f6a00cf04a96fb2"}
2022/03/03 00:57:25.148 INFO http.log.access handled request {"request": {"remote_addr": "10.128.0.3:56150", "proto": "HTTP/2.0", "method": "GET", "host": "10.128.0.3", "uri": "/", "headers": {"User-Agent": ["curl/7.64.0"], "Accept": ["*/*"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "h2", "proto_mutual": true, "server_name": ""}}, "common_log": "10.128.0.3 - - [03/Mar/2022:00:57:25 +0000] \"GET / HTTP/2.0\" 200 5", "user_id": "", "duration": 0.000163331, "size": 5, "status": 200, "resp_headers": {"Server": ["Caddy"], "Content-Type": []}}
But curl -vk https://<public_ip>
didn’t fail with the same error; instead it returned no response, which looks like HTTP status code 0.
2022/03/03 01:00:06.860 DEBUG tls.handshake choosing certificate {"identifier": "10.128.0.3", "num_choices": 1}
2022/03/03 01:00:06.860 DEBUG tls.handshake default certificate selection results {"identifier": "10.128.0.3", "subjects": ["10.128.0.3"], "managed": true, "issuer_key": "local", "hash": "86bce8c52a0937f83a03ea78be75068616a44dc663193ccf7f6a00cf04a96fb2"}
2022/03/03 01:00:06.860 DEBUG tls.handshake matched certificate in cache {"subjects": ["10.128.0.3"], "managed": true, "expiration": "2022/03/03 12:41:53.000", "hash": "86bce8c52a0937f83a03ea78be75068616a44dc663193ccf7f6a00cf04a96fb2"}
2022/03/03 01:00:06.863 INFO http.log.access handled request {"request": {"remote_addr": "34.133.83.194:38610", "proto": "HTTP/2.0", "method": "GET", "host": "34.133.83.194", "uri": "/", "headers": {"User-Agent": ["curl/7.64.0"], "Accept": ["*/*"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "h2", "proto_mutual": true, "server_name": ""}}, "common_log": "34.133.83.194 - - [03/Mar/2022:01:00:06 +0000] \"GET / HTTP/2.0\" 0 0", "user_id": "", "duration": 0.000019734, "size": 0, "status": 0, "resp_headers": {"Server": ["Caddy"]}}
Below is the curl output for curl -vk https://<public_ip>
* Expire in 0 ms for 6 (transfer 0x55926d605fb0)
* Trying 34.133.83.194...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x55926d605fb0)
* Connected to 34.133.83.194 (34.133.83.194) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: [NONE]
* start date: Mar 3 00:41:53 2022 GMT
* expire date: Mar 3 12:41:53 2022 GMT
* issuer: CN=Caddy Local Authority - ECC Intermediate
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55926d605fb0)
> GET / HTTP/2
> Host: 34.133.83.194
> User-Agent: curl/7.64.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 200
< server: Caddy
< content-length: 0
< date: Thu, 03 Mar 2022 01:00:41 GMT
<
* Connection #0 to host 34.133.83.194 left intact
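As an added example (not code from the original post or from Caddy), here is a small Python triage script for the kind of log output shown above. It assumes Caddy's console format of "<timestamp> <LEVEL> <logger> <message> <json>" as seen in the post, parses each entry, and reports two things: handshakes that failed because the client sent no SNI (with the identifier Caddy fell back to), and access-log entries whose TLS block has an empty server_name (with the Host header, status, and negotiated suite). The sample lines are copied from the post and trimmed to the relevant fields; the version and cipher-suite tables are the IANA values for the numbers that appear in the logs (772 is TLS 1.3, 4865 is TLS_AES_128_GCM_SHA256, which matches what curl negotiated).

```python
"""Triage Caddy console-format log lines for TLS handshakes that arrived
without SNI.  Added example; not code from the original post or from Caddy.

Assumed format (as seen in the post): "<ts> <LEVEL> <logger> <msg> <json>",
where the trailing JSON object is optional.
"""
import json
import re

# Sample input: lines copied from the post above, trimmed to the fields used here.
SAMPLE_LOG = """\
2022/03/03 00:52:51.721 DEBUG tls.handshake no certificate matching TLS ClientHello {"server_name": "", "remote": "34.133.83.194:38190", "identifier": "10.128.0.3", "cipher_suites": [4866, 4867, 4865], "cert_cache_fill": 0.0001, "load_if_necessary": true, "obtain_if_necessary": true, "on_demand": false}
2022/03/03 00:52:51.721 DEBUG http.stdlib http: TLS handshake error from 34.133.83.194:38190: no certificate available for '10.128.0.3'
2022/03/03 00:57:25.148 INFO http.log.access handled request {"request": {"remote_addr": "10.128.0.3:56150", "proto": "HTTP/2.0", "method": "GET", "host": "10.128.0.3", "uri": "/", "tls": {"version": 772, "cipher_suite": 4865, "server_name": ""}}, "status": 200, "size": 5}
2022/03/03 01:00:06.863 INFO http.log.access handled request {"request": {"remote_addr": "34.133.83.194:38610", "proto": "HTTP/2.0", "method": "GET", "host": "34.133.83.194", "uri": "/", "tls": {"version": 772, "cipher_suite": 4865, "server_name": ""}}, "status": 0, "size": 0}
"""

# IANA registry values for the numbers Caddy logs (hex: 0x0304, 0x1301, ...).
TLS_VERSIONS = {769: "TLS1.0", 770: "TLS1.1", 771: "TLS1.2", 772: "TLS1.3"}
CIPHER_SUITES = {
    4865: "TLS_AES_128_GCM_SHA256",
    4866: "TLS_AES_256_GCM_SHA384",
    4867: "TLS_CHACHA20_POLY1305_SHA256",
}

# "<date> <time>  <LEVEL>  <logger>  <msg ...>  {json}"  (json optional)
LINE_RE = re.compile(r"^(\S+ \S+)\s+([A-Z]+)\s+(\S+)\s+(.*?)(?:\s+(\{.*\}))?$")


def parse_line(line):
    """Split one console-format entry into its parts; None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts, level, logger, msg, raw = m.groups()
    return {"ts": ts, "level": level, "logger": logger, "msg": msg,
            "fields": json.loads(raw) if raw else {}}


def triage(log_text):
    """Return findings for no-SNI handshakes, in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        f = entry["fields"]
        if entry["logger"] == "tls.handshake" and entry["msg"].startswith("no certificate matching"):
            sni = f.get("server_name", "")
            ident = f.get("identifier")
            if sni == "":
                # No SNI: the name Caddy looked up is the address its own
                # listener saw, not the address the client typed.
                note = f"client sent no SNI; Caddy matched on listener address {ident} and has no certificate for it"
            else:
                note = f"no certificate for SNI {sni}"
            findings.append({"kind": "handshake_failure", "remote": f.get("remote"),
                             "sni": sni, "identifier": ident, "note": note})
        elif entry["logger"] == "http.log.access":
            req = f.get("request", {})
            tls = req.get("tls", {})
            if tls and tls.get("server_name", "") == "":
                ver = tls.get("version")
                suite = tls.get("cipher_suite")
                findings.append({
                    "kind": "no_sni_request",
                    "remote": req.get("remote_addr"),
                    "host": req.get("host"),
                    "status": f.get("status"),
                    "tls": f"{TLS_VERSIONS.get(ver, ver)} {CIPHER_SUITES.get(suite, suite)}",
                    "note": "no SNI: certificate was selected by listener address, not by the Host header",
                })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the first finding is the failed handshake from 34.133.83.194 with an empty SNI and identifier 10.128.0.3, and the two access entries both carry server_name "" with the Host header set to whichever IP was typed into curl (status 200 for the private IP, status 0 for the public one), negotiated as TLS1.3 TLS_AES_128_GCM_SHA256. That is the pattern to look for when a client that connects by bare IP (curl sends no SNI for an IP literal) gets a certificate, or no certificate, for an address it never asked for.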