WildCard Certificate cannot connect to unspecified handle

1. Caddy version (caddy version):

v2.5.2 h1:eCJdLyEyAGzuQTa5Mh3gETnYWDClo1LjtQm2q9RNZrs=

2. How I run Caddy:

a. System environment:

On Ubuntu 22.04.1 LTS on an Oracle VM with 12 GB and 2 vCores, an ARM server.

b. Command:

sudo systemctl start caddy

c. Service/unit/compose file:


d. My complete Caddyfile or JSON config:

# The Caddyfile is an easy way to configure your Caddy web server.
#
# Unless the file starts with a global options block, the first
# uncommented line is always the address of your site.
#
# To use your own domain name (with automatic HTTPS), first make
# sure your domain's A/AAAA DNS records are properly pointed to
# this machine's public IP, then replace ":80" below with your
# domain name.
api.voidmc.net {
	# Set this path to your site's directory.
	reverse_proxy 0.0.0.0:8080

	# Another common task is to set up a reverse proxy:
	# reverse_proxy localhost:8080

	# Or serve a PHP site through php-fpm:
	# php_fastcgi localhost:9000
}
#dns.providers.cloudflare {
#	tls {
		#dns cloudflare (REDACTED CLOUDFLARE API_TOKEN)
#	}
#}

*.voidmc.net {
	tls {
		dns cloudflare (REDACTED CLOUDFLARE API_TOKEN)
	}
	@foo host foo.voidmc.net
	handle @foo {
		reverse_proxy 0.0.0.0:8080
	}

	handle {
		reverse_proxy 0.0.0.0:8080
	}
}

dogs.voidmc.net {
	reverse_proxy 0.0.0.0:8080
}

# Refer to the Caddy docs for more information:
# https://caddyserver.com/docs/caddyfile

3. The problem I’m having:

When I attempt to go to https://test.voidmc.net/, for example, I get "**test.voidmc.net** sent an invalid response". Although when I go to one of the things listed, e.g. api.voidmc.net or foo.voidmc.net, it works as expected.

4. Error messages and/or full log output:

5. What I already tried:

I attempted to look at the documentation and couldn’t really find anything on it (Common Caddyfile Patterns — Caddy Documentation)

6. Links to relevant resources:

What’s in your logs? You didn’t post your logs.

If you don’t see anything relevant in the logs, please enable the debug global option by adding this at the top of your Caddyfile:

{
	debug
}

Then restart Caddy and post what you see in your logs.

Not 100% sure if this has anything that is needed, but hopefully it does: ubuntu@node1:/var/www/API$ journalctl -u caddy -bAug 15 22:33:47 node1 systemd - Pastebin.com

Your logs are truncated. Notice the > at the end of most of the lines.

Use the command from the docs to see the full logs, without truncation:

Not sure how much is needed; I just went to where it started saying "Started Caddy".

Aug 15 23:43:40 node1 systemd[1]: Started Caddy.
Aug 15 23:49:09 node1 caddy[9151]: {"level":"debug","ts":1660607349.7145653,"logger":"tls.handshake","msg":"choosing certificate","identifier":"dogs.voidmc.net","num_choices":1}
Aug 15 23:49:09 node1 caddy[9151]: {"level":"debug","ts":1660607349.7146063,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"dogs.voidmc.net","subjects":["dogs.voidmc.net"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"d17bc209584aff9cceadbc076a5c3ef50ad8bfb37c311e4268c15fdbc129d173"}
Aug 15 23:49:09 node1 caddy[9151]: {"level":"debug","ts":1660607349.714616,"logger":"tls.handshake","msg":"matched certificate in cache","subjects":["dogs.voidmc.net"],"managed":true,"expiration":1668294828,"hash":"d17bc209584aff9cceadbc076a5c3ef50ad8bfb37c311e4268c15fdbc129d173"}
Aug 15 23:49:09 node1 caddy[9151]: {"level":"debug","ts":1660607349.7662923,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"0.0.0.0:8080","total_upstreams":1}
Aug 15 23:49:09 node1 caddy[9151]: {"level":"debug","ts":1660607349.767648,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"0.0.0.0:8080","duration":0.00130436,"request":{"remote_ip":"73.121.6.10","remote_port":"61605","proto":"HTTP/2.0","method":"GET","host":"dogs.voidmc.net","uri":"/api/user/testz","headers":{"Sec-Fetch-Dest":["document"],"Accept-Encoding":["gzip, deflate, br"],"X-Forwarded-Proto":["https"],"Accept-Language":["en-US;q=0.7"],"Sec-Gpc":["1"],"Sec-Fetch-Site":["none"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-User":["?1"],"Upgrade-Insecure-Requests":["1"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8"],"X-Forwarded-For":["73.121.6.10"],"X-Forwarded-Host":["dogs.voidmc.net"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"dogs.voidmc.net"}},"headers":{"Content-Length":["21"],"Content-Type":["application/json"],"Vary":["Origin, Access-Control-Request-Method, Access-Control-Request-Headers"],"Date":["Mon, 15 Aug 2022 23:49:09 GMT"]},"status":200}
Aug 15 23:49:32 node1 caddy[9151]: {"level":"debug","ts":1660607372.6867578,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"10.0.0.244"}
Aug 15 23:49:32 node1 caddy[9151]: {"level":"debug","ts":1660607372.6867936,"logger":"tls.handshake","msg":"all external certificate managers yielded no certificates and no errors","sni":""}
Aug 15 23:49:32 node1 caddy[9151]: {"level":"debug","ts":1660607372.6868007,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","server_name":"","remote":"185.7.214.117:46270","identifier":"10.0.0.244","cipher_suites":[49195,49199,49196,49200,52393,52392,49161,49171,49162,49172,156,157,47,53,49170,10,4865,4866,4867],"cert_cache_fill":0.0003,"load_if_necessary":true,"obtain_if_necessary":true,"on_demand":false}
Aug 15 23:49:32 node1 caddy[9151]: {"level":"debug","ts":1660607372.6869025,"logger":"http.stdlib","msg":"http: TLS handshake error from 185.7.214.117:46270: no certificate available for '10.0.0.244'"}
Aug 15 23:51:50 node1 caddy[9151]: {"level":"debug","ts":1660607510.3758488,"logger":"http.stdlib","msg":"http: TLS handshake error from 205.210.31.28:58037: tls: client offered only unsupported versions: [302 301]"}

Those logs don’t really show anything interesting. They just show that a bunch of (probably) bots hit your server and failed to connect because they didn’t connect with a specific IP address.

We need to see logs from the certificate issuance process, if any. Or isolate the logs to just a single request you make to the domain that’s failing to connect.


I'm not really sure what that means or really how to do that. I think I'm in over my head right now, trying to accomplish something that is too big of a task while I have little knowledge about web dev.

For issuance logs:

journalctl -u caddy --no-pager | grep tls.issuance

For isolating a single request:

  1. journalctl -u caddy -fn0
  2. Make a request to the problematic domain
  3. Copy the fresh output
  4. (Ctrl+C to exit journalctl when you’re done)

journalctl -u caddy --no-pager | grep tls.issuanceAug 13 19:56:34 node1 caddy[ - Pastebin.com: there are the issuance logs.

When making a request to the problematic domain it doesn't output anything, so this makes me think this may be a Cloudflare issue. And as I'm writing this it output something:

Aug 16 20:22:03 node1 caddy[9151]: {"level":"debug","ts":1660681323.7904484,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"10.0.0.244"}
Aug 16 20:22:03 node1 caddy[9151]: {"level":"debug","ts":1660681323.7904875,"logger":"tls.handshake","msg":"all external certificate managers yielded no certificates and no errors","sni":""}
Aug 16 20:22:03 node1 caddy[9151]: {"level":"debug","ts":1660681323.7904947,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","server_name":"","remote":"212.102.40.218:27116","identifier":"10.0.0.244","cipher_suites":[49199,49200,49195,49196,52392,52393,49171,49161,49172,49162,156,157,47,53,49170,10],"cert_cache_fill":0.0003,"load_if_necessary":true,"obtain_if_necessary":true,"on_demand":false}
Aug 16 20:22:03 node1 caddy[9151]: {"level":"debug","ts":1660681323.7905507,"logger":"http.stdlib","msg":"http: TLS handshake error from 212.102.40.218:27116: no certificate available for '10.0.0.244'"}

Not 100% sure if this is part of it and it's delayed badly or what, but I'm pretty sure it's not and it's just a random connection.

Your domains resolve to different IP addresses, FWIW:

$ host test.voidmc.net
test.voidmc.net has address 150.136.49.116

$ host dogs.voidmc.net
dogs.voidmc.net has address 132.145.220.221


LOL, I had test registered as a subdomain.
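
As an added example (not code from this thread or from the Caddy project), a small Python helper covering the two things the thread turned on: which site block of the Caddyfile above would serve a given hostname (exact match before the `*.voidmc.net` wildcard, one label only), whether that hostname's DNS record actually points at this server, and how to tell the "no certificate matching TLS ClientHello" log lines caused by scanners connecting by IP apart from a real hostname that has no certificate. The server IP and the DNS resolver are injected so it runs offline; the sample values are constructed from the addresses shown in the thread.

```python
import ipaddress
import json
import re
from typing import Callable, List, Optional

# Site addresses copied from the thread's Caddyfile. Caddy serves the most
# specific host match, so "dogs.voidmc.net" wins over "*.voidmc.net".
SITES = ["api.voidmc.net", "*.voidmc.net", "dogs.voidmc.net"]

def site_for(host: str, sites: List[str] = SITES) -> Optional[str]:
    """Site block that would serve `host`: exact match first, then a wildcard.
    A wildcard label matches exactly one label, as in Caddy's host matcher."""
    host = host.lower().rstrip(".")
    if host in sites:
        return host
    for site in sites:
        if site.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == site[2:]:
                return site
    return None

def dns_points_here(host: str, server_ip: str,
                    resolve: Callable[[str], str]) -> bool:
    """True when `host` resolves to this server. If it does not, a valid
    wildcard cert on this box cannot help: the browser reaches another host.
    `resolve` is injected (socket.gethostbyname in real use, a dict in tests)."""
    try:
        return resolve(host) == server_ip
    except (OSError, KeyError):   # NXDOMAIN, or a name missing from a test map
        return False

_JSON_RE = re.compile(r"caddy\[\d+\]: (\{.*\})\s*$")

def classify_handshake(line: str) -> Optional[str]:
    """Classify one journalctl line from Caddy's tls.handshake debug logger.
    Returns None for lines that are not a 'no certificate matching' event."""
    m = _JSON_RE.search(line)
    if not m:
        return None
    rec = json.loads(m.group(1))
    if rec.get("logger") != "tls.handshake" or \
            rec.get("msg") != "no certificate matching TLS ClientHello":
        return None
    ident = rec.get("identifier", "")
    try:
        ipaddress.ip_address(ident)
        return "ip-sni-probe"           # client dialed by IP; no cert expected
    except ValueError:
        return "missing-cert:" + ident  # a real hostname with no certificate
```

Run `dns_points_here` with `socket.gethostbyname` as the resolver against the server's public IP to reproduce the `host` check from the reply above for every subdomain at once.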
