Yet another 400 for SSL (Docker)

1. The problem I’m having:

I am working on setting up my reverse proxy to access some of my internal services with my domain name (brensinger.net) and subdomains. The first of these services is thelounge for IRC, but since I hit this problem I’ve even just reduced the footprint to static responses from caddy itself.

Caddy is in a docker container as are the other services.

The problem is that the SSL handshake isn’t working. I’m getting the age-old 400 timeout (likely firewall) situation. I can access everything just fine from my cell phone without wifi if I set the TLS to internal (of course with warnings about the untrustable cert), but SSL errors for days if I try to use actual certs.

The error is pretty adamant that this is a firewall issue but I don’t understand how that can be the case if my cell network can access the resources (with an untrusted cert) using tls internal. Still, I’m not sure how to 100% rule it out; my ISP claims they are not filtering any ports, I use firewalla as router and DNS server, the ports are forwarded in firewalla (80, 443, and 443/udp), and the issue is not resolved when I put the server into “emergency access” mode (disabling all firewalla routing rules). I have reset the DNS server to cloudflare and google just to rule out any weird filtering on firewalla’s part.

2. Error messages and/or full log output:

I don’t get any logs with the suggested command in the container nor on the host, so I exported them from Portainer. The complete logs I get that way are ridiculously redundant (like the error message is being built up step by step and each step is printed) so I tried to pare it down to what looks like the unique stuff. It was still too long to post so this is just through the end of the first errors - similar messaging repeats for retries. ZeroSSL might be worth posting separately as I don’t actually see any error coming from that side, but I still can’t connect.

DBG ts=1729622143.873199 logger=tls.issuance.acme.acme_client msg=http request method=POST url=https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/14544592223 headers={"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.4 CertMagic acmez (linux; amd64)"]} response_headers={"Boulder-Requester":["168116113"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["826"],"Content-Type":["application/json"],"Date":["Tue, 22 Oct 2024 18:35:43 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["AsXtR2E7JJT4QilCQ_e-4f_-9zgaLtM4TJg9IW9KAWfTCxJodL4"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]} status_code=200
DBG ts=1729622144.19578 logger=tls.issuance.acme.acme_client msg=http request method=POST url=https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/14544592223 headers={"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.4 CertMagic acmez (linux; amd64)"]} response_headers={"Boulder-Requester":["168116113"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["826"],"Content-Type":["application/json"],"Date":["Tue, 22 Oct 2024 18:35:44 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["AsXtR2E7Fa0ypMCv25zuWCT-xMhT2cGhYXxz1r9u0ElGLar9Dsk"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]} status_code=200

{"level":"debug","ts":1729622144.5189824,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/14544592223","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["168116113"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["826"],"Content-Type":["application/json"],"Date":["Tue, 22 Oct 2024 18:35:44 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["Mxxe5XbP3cPjeoTNmyWFIZMPJwhb7byK7bwcRODASfnOwoiOz4I"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}

{"level":"debug","ts":1729622144.8469765,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/14544592223","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["168116113"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["826"],"Content-Type":["application/json"],"Date":["Tue, 22 Oct 2024 18:35:44 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["Mxxe5XbPA2uOp65YSHASjkgH-Gm1GAZr2bFg_eZxcTG_TouOpCM"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}

{"level":"debug","ts":1729622145.1758244,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/14544592223","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["168116113"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["826"],"Content-Type":["application/json"],"Date":["Tue, 22 Oct 2024 18:35:45 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["AsXtR2E7tFNDzOsvnM4JOllcqC6nsiBfOaEkCjztzGeqSZ4oub0"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
DBG ts=1729622145.497003 logger=tls.issuance.acme.acme_client msg=http request method=POST url=https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/14544592223 headers={"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.4 CertMagic acmez (linux; amd64)"]} response_headers={"Boulder-Requester":["168116113"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["826"],"Content-Type":["application/json"],"Date":["Tue, 22 Oct 2024 18:35:45 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["Mxxe5XbPta6AOmjpp8OgUHeM2RJDGDlpaIAJQ0Q4ceKpVoxDuxk"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]} status_code=200

{"level":"debug","ts":1729622145.8214753,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/14544592223","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["168116113"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["826"],"Content-Type":["application/json"],"Date":["Tue, 22 Oct 2024 18:35:45 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["AsXtR2E70-wu4cL1t7vQc5Zzfo9atZnEzJomIx-o1yxJFeZEIV8"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}

{"level":"debug","ts":1729622146.1445563,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/14544592223","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["168116113"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["826"],"Content-Type":["application/json"],"Date":["Tue, 22 Oct 2024 18:35:46 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["AsXtR2E7beZ_E5yAZ7uMEIlb9_l0v47bPUd9T2LPlm9gxEKa7lg"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}

{"level":"debug","ts":1729622146.4665804,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/14544592223","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["168116113"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["826"],"Content-Type":["application/json"],"Date":["Tue, 22 Oct 2024 18:35:46 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["AsXtR2E7DV_xz3xEnrYRq5XMTWq9OnMHQI6zcnL6C1mih7zUu8M"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}

{"level":"debug","ts":1729622146.7889798,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/14544592223","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["168116113"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["826"],"Content-Type":["application/json"],"Date":["Tue, 22 Oct 2024 18:35:46 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["AsXtR2E7oMQ5xH7xR-RImhpvShx8nxUJYpqJHZCK2gqnsT4NQWY"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}

{"level":"debug","ts":1729622147.1226642,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/14544592223","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["168116113"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["826"],"Content-Type":["application/json"],"Date":["Tue, 22 Oct 2024 18:35:47 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["Mxxe5XbPoQ3_vOu_dM6Bt6SJeXRqxJxkDVRkziJN1Ui5lftbGpw"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}

{"level":"debug","ts":1729622147.4486928,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/14544592223","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["168116113"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["826"],"Content-Type":["application/json"],"Date":["Tue, 22 Oct 2024 18:35:47 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["Mxxe5XbP1uvqWmbIcnjaM_9zF3pE6tUijcUP1-X_hi1yKFhatZE"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}

{"level":"debug","ts":1729622147.7718122,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/14544592223","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["168116113"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["826"],"Content-Type":["application/json"],"Date":["Tue, 22 Oct 2024 18:35:47 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["AsXtR2E7vr6fwHTuyVBrGMpcGxac9T1SudmAh9CKmdO02aGSLpY"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}

{"level":"debug","ts":1729622148.1051173,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/14544592223","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["168116113"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["826"],"Content-Type":["application/json"],"Date":["Tue, 22 Oct 2024 18:35:48 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["Mxxe5XbPn88sVXVdqeBe6CNDpc43vEE8a7W4NdBuh1nOiMaBuDw"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}

{"level":"debug","ts":1729622148.4413064,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/14544592223","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["168116113"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["826"],"Content-Type":["application/json"],"Date":["Tue, 22 Oct 2024 18:35:48 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["AsXtR2E7bk-zmaao0tJt2OkTWO9Jo3xrfJD7SqB3K_BE8yuuOZg"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
DBG ts=1729622148.7614417 logger=tls.issuance.acme.acme_client msg=http request method=POST url=https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/14544592223 headers={"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.4 CertMagic acmez (linux; amd64)"]} response_headers={"Boulder-Requester":["168116113"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["1118"],"Content-Type":["application/json"],"Date":["Tue, 22 Oct 2024 18:35:48 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["AsXtR2E7m7ZHhpDOFHqb_Y5q_vljUFDEssJlq2heli3lfKWirOo"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]} status_code=200
ERR ts=1729622148.761981 logger=tls.issuance.acme.acme_client msg=challenge failed identifier=lounge.brensinger.net challenge_type=http-01 problem={"type":"urn:ietf:params:acme:error:connection","title":"","detail":"During secondary validation: 32.216.175.43: Fetching http://lounge.brensinger.net/.well-known/acme-challenge/PwcDxOfYWTzIHeszVJyDXn_roUbzptfIdLg9TDzjWgY: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]}
ERR ts=1729622148.7620494 logger=tls.issuance.acme.acme_client msg=validating authorization identifier=lounge.brensinger.net problem={"type":"urn:ietf:params:acme:error:connection","title":"","detail":"During secondary validation: 32.216.175.43: Fetching http://lounge.brensinger.net/.well-known/acme-challenge/PwcDxOfYWTzIHeszVJyDXn_roUbzptfIdLg9TDzjWgY: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]} order=https://acme-staging-v02.api.letsencrypt.org/acme/order/168116113/19915238683 attempt=1 max_attempts=3

3. Caddy version:

v2.8.4 h1:q3pe0wpBj1OcHFZ3n/1nl4V4bxBrYoSoab7rL9BMYNk=

4. How I installed and ran Caddy:

a. System environment:

Headless ubuntu amd64 host
Docker version 25.0.3, build 4debf41
DockSTARTer
DockSTARTer manages compose files for common services automatically. Caddy is not one of those services, but I can add “unsupported” services using docker-compose.override.yml which is where caddy lives

b. Command:

ds -c up caddy

This is supposed to be equivalent to docker compose up caddy. Running it through dockSTARTer makes sure environment variables are correct/shared across the docker network.

c. Service/unit/compose file:

name: compose
services:
  caddy:
    image: caddy
    container_name: caddy
    hostname: caddy
    restart: unless-stopped
    env_file: /home/charlie/.docker/compose/.env
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    volumes:
      - /home/charlie/caddy:/srv
      - /home/charlie/caddy/Caddyfile:/etc/caddy/Caddyfile
      - /home/charlie/.config/appdata/caddy:/config
      - /home/charlie/storage/caddy:/data  
    network_mode: host
networks:
  default:
    name: $DOCKER_MY_NETWORK
    external: true

DOCKER_MY_NETWORK is caddy_net and Portainer indeed shows all the other services on caddy_net. Perhaps worth noting that if I enable the reverse_proxy to thelounge with internal tls, everything works as expected, so that’s why I’ve pared this down to just the caddy config.

d. My complete Caddy config:

{
        acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
        debug
}

brensinger.net {
        tls internal
        respond "Welcome!! @"
}

www.brensinger.net {
        tls internal
        redir https://brensinger.net{uri}
}

jf.brensinger.net {
        tls internal
        respond "jf"
}

media.brensinger.net {
        tls internal
        respond "media"
}

lounge.brensinger.net {
        tls admin@brensinger.net
        #       reverse_proxy thelounge:9000 
        respond "TLS?"
}

Sorry, edited now but just to clarify, I’ve been toggling back and forth between network_mode: host and default; in the current state, where these logs were pulled from, it is in host mode.
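Added example, not from the thread or from the Caddy project: a small Python script that reads Caddy's JSON log lines and separates the two signals the thread keeps running together, TLS ClientHellos that reach the listener on 443 (inbound traffic from that client is getting through) and ACME challenge failures on port 80, including whether the CA reported the failure from its primary validator or "During secondary validation", i.e. from one of Let's Encrypt's remote vantage points. The sample lines are this thread's tls_get_certificate event and challenge-failed error rewritten into Caddy's default JSON shape (the thread shows Portainer's rendering) and trimmed; the function names, the dataclasses and the regex over the CA's error detail are my own assumptions about that text's shape.

```python
"""Triage Caddy's JSON debug log for ACME http-01 trouble.

Two signals in the thread above are easy to confuse: a tls_get_certificate
event means a ClientHello reached Caddy on 443 from that client; a
"challenge failed" error means the CA could not fetch the http-01 token on
port 80, and a detail prefixed "During secondary validation:" was reported
by one of Let's Encrypt's remote vantage points rather than its primary one.
"""
import json
import re
import sys
from dataclasses import dataclass, field

# Boulder phrases connection problems as (assumed shape, matches the thread):
#   [During secondary validation: ]<resolved target IP>: Fetching <url>: <reason>
# The IP is the address the CA resolved for the hostname, not the validator's.
_DETAIL_RE = re.compile(
    r"^(?P<secondary>During secondary validation: )?"
    r"(?P<target>[0-9a-fA-F.:]+): Fetching (?P<url>\S+): (?P<reason>.+)$"
)

@dataclass
class ChallengeFailure:
    identifier: str
    challenge_type: str
    error_type: str
    target_ip: str
    url: str
    reason: str
    secondary: bool

@dataclass
class Report:
    handshakes: dict = field(default_factory=dict)  # server name -> set of client IPs
    failures: list = field(default_factory=list)

def parse_line(line):
    """Decode one JSON log line; non-JSON lines (e.g. Portainer's DBG rendering) give None."""
    line = line.strip()
    if not line.startswith("{"):
        return None
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None

def triage(lines):
    """Collect handshake sources and ACME challenge failures from an iterable of log lines."""
    report = Report()
    for raw in lines:
        entry = parse_line(raw)
        if entry is None:
            continue
        if entry.get("logger") == "events" and entry.get("name") == "tls_get_certificate":
            hello = entry.get("data", {}).get("client_hello", {})
            name = hello.get("ServerName", "")
            ip = hello.get("RemoteAddr", {}).get("IP", "")
            report.handshakes.setdefault(name, set()).add(ip)
        elif entry.get("msg") == "challenge failed" and isinstance(entry.get("problem"), dict):
            problem = entry["problem"]
            m = _DETAIL_RE.match(problem.get("detail", ""))
            report.failures.append(ChallengeFailure(
                identifier=entry.get("identifier", ""),
                challenge_type=entry.get("challenge_type", ""),
                error_type=problem.get("type", ""),
                target_ip=m.group("target") if m else "",
                url=m.group("url") if m else "",
                reason=m.group("reason") if m else problem.get("detail", ""),
                secondary=bool(m and m.group("secondary")),
            ))
    return report

def explain(f):
    """One line per failure, naming which validator reported it."""
    where = ("a remote Let's Encrypt vantage point (secondary validation)"
             if f.secondary else "the primary validator")
    return (f"{f.challenge_type} for {f.identifier} failed at {where}: {f.reason}"
            f" while fetching {f.url} on {f.target_ip}")

# Sample input (constructed): the thread's tls_get_certificate event and challenge-failed
# error rewritten into Caddy's default JSON form and trimmed, plus one Portainer-style
# line that must be skipped.
SAMPLE_LOG = [
    'DBG ts=1729622143.873199 logger=tls.issuance.acme.acme_client msg=http request method=POST status_code=200',
    '{"level":"debug","ts":1729655016.6208503,"logger":"events","msg":"event","name":"tls_get_certificate","id":"b9beb1af-d3a1-44f1-970b-bb6f24e64e51","origin":"tls","data":{"client_hello":{"ServerName":"media.brensinger.net","SupportedProtos":["h2","http/1.1"],"RemoteAddr":{"IP":"162.158.154.233","Port":32972,"Zone":""},"LocalAddr":{"IP":"192.168.135.78","Port":443,"Zone":""}}}}',
    '{"level":"error","ts":1729622148.761981,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"lounge.brensinger.net","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"During secondary validation: 32.216.175.43: Fetching http://lounge.brensinger.net/.well-known/acme-challenge/PwcDxOfYWTzIHeszVJyDXn_roUbzptfIdLg9TDzjWgY: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]}}',
]

if __name__ == "__main__":
    # Pipe real logs in (docker logs caddy 2>&1 | python3 triage.py) or run on the sample.
    source = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin
    report = triage(source)
    for name, ips in sorted(report.handshakes.items()):
        print(f"TLS handshakes reached 443 for {name} from {sorted(ips)}")
    for f in report.failures:
        print(explain(f))
```

Run on the sample it reports one handshake for media.brensinger.net from 162.158.154.233 and one http-01 failure for lounge.brensinger.net reported by a secondary validator; that pairing (443 reachable from some clients, port 80 unreachable from the CA's remote perspectives) is the signature of a forward or firewall rule that admits only some source regions, which is what the thread eventually found.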

This means that your server couldn’t be reached on port 80 to validate the ACME challenge. Make sure port 80 is open and forwarded on your router/firewall. Make sure your ISP doesn’t block use of ports 80 and 443.

The problem isn’t with Caddy itself, it’s with networking somewhere in front of Caddy. You’ll need to dig deeper.


@francislavoie My port is open according to online portcheckers and I can access the “tls internal” version from external networks. Can I configure caddy in some way to explicitly serve an http version of the content so I can prove or disprove that the port is open?
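An added example, not from the thread's own config, of the plain-HTTP probe asked about above: a Caddyfile site whose address carries the http:// scheme, which Caddy serves on port 80 with no TLS and no redirect to HTTPS. The hostname is the thread's media.brensinger.net; the response text is mine.

```caddyfile
# Plain-HTTP reachability probe (added example, not the thread's config).
# An address with the http:// scheme is served on port 80 with automatic
# HTTPS turned off for that site, so an outside request to
# http://media.brensinger.net gets the body below instead of a redirect.
http://media.brensinger.net {
	respond "port 80 reachable"
}
```

Probe it from outside the LAN with curl -v http://media.brensinger.net: a 200 with that body proves TCP 80 is forwarded to Caddy from that vantage point, and a connect timeout narrows the fault to the router, ISP or firewall in front of Caddy. Caddy's automatic HTTPS otherwise answers a plain-HTTP request with a 308 redirect, which is itself proof that port 80 reached Caddy. Either way a probe from one location only speaks for that location, which is the point of the "secondary validation" wording in the CA's error: Let's Encrypt fetches the token from several networks, and every one of them has to get through.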

I can’t connect to your server, it times out:

$ curl -v http://media.brensinger.net
*   Trying 32.216.175.43:80...

I don’t understand. I just connected my laptop to my phone’s hotspot and I’m getting:

curl -v http://media.brensinger.net
VERBOSE: GET with 0-byte payload
curl : The remote server returned an error: (308) Permanent Redirect.
At line:1 char:1
+ curl -v http://media.brensinger.net
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

That’s very different from no connection.

Do you have some kind of geoblocking WAF, perhaps?

I’m in Australia and cannot access your site.

~
➜ curl -v http://media.brensinger.net
* Host media.brensinger.net:80 was resolved.
* IPv6: (none)
* IPv4: 32.216.175.43
*   Trying 32.216.175.43:80...
* connect to 32.216.175.43 port 80 from 192.168.0.153 port 51625 failed: Operation timed out
* Failed to connect to media.brensinger.net port 80 after 75004 ms: Could not connect to server
* closing connection #0
curl: (28) Failed to connect to media.brensinger.net port 80 after 75004 ms: Could not connect to server

Neither can these guys: https://downforeveryoneorjustme.com/media.brensinger.net


Firewalla is configured to do some geo blocking, but I’ve turned it off and see no changes. More importantly, even with it active, it’s not blocking the inbound connection. Whenever I run https://downforeveryoneorjustme.com/media.brensinger.net (or for any of the other domains) I see the request in the caddy logs.

DBG ts=1729655016.6208503 logger=events msg=event name=tls_get_certificate id=b9beb1af-d3a1-44f1-970b-bb6f24e64e51 origin=tls data={"client_hello":{"CipherSuites":[4865,4866,4867,49195,49196,49199,49200,49171,49192,156,157,47,53,10],"ServerName":"media.brensinger.net","SupportedCurves":[29,23,24,25,25497,65074],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537,513,1539],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771,770,769],"RemoteAddr":{"IP":"162.158.154.233","Port":32972,"Zone":""},"LocalAddr":{"IP":"192.168.135.78","Port":443,"Zone":""}}}

DBG ts=1729655016.6215234 logger=tls.handshake msg=choosing certificate identifier=media.brensinger.net num_choices=1

DBG ts=1729655016.6218197 logger=tls.handshake msg=default certificate selection results identifier=media.brensinger.net subjects=["media.brensinger.net"] managed=true issuer_key=local hash=48c01ed54322221758dc7f89a1c9b60936e8330f263a03233c4faedaa4b4aabe

DBG ts=1729655016.6219554 logger=tls.handshake msg=matched certificate in cache remote_ip=162.158.154.233 remote_port=32972 subjects=["media.brensinger.net"] managed=true expiration=1729682138 hash=48c01ed54322221758dc7f89a1c9b60936e8330f263a03233c4faedaa4b4aabe

DBG ts=1729655054.6167748 logger=events msg=event name=tls_get_certificate id=d102feec-3fb4-4b13-b21c-37a58a533d43 origin=tls data={"client_hello":{"CipherSuites":[4865,4866,4867,49195,49196,49199,49200,49171,49192,156,157,47,53,10],"ServerName":"media.brensinger.net","SupportedCurves":[29,23,24,25,25497,65074],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537,513,1539],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771,770,769],"RemoteAddr":{"IP":"162.158.155.138","Port":35406,"Zone":""},"LocalAddr":{"IP":"192.168.135.78","Port":443,"Zone":""}}}

DBG ts=1729655054.616863 logger=tls.handshake msg=choosing certificate identifier=media.brensinger.net num_choices=1

DBG ts=1729655054.6169233 logger=tls.handshake msg=default certificate selection results identifier=media.brensinger.net subjects=["media.brensinger.net"] managed=true issuer_key=local hash=48c01ed54322221758dc7f89a1c9b60936e8330f263a03233c4faedaa4b4aabe

DBG ts=1729655054.6169472 logger=tls.handshake msg=matched certificate in cache remote_ip=162.158.155.138 remote_port=35406 subjects=["media.brensinger.net"] managed=true expiration=1729682138 hash=48c01ed54322221758dc7f89a1c9b60936e8330f263a03233c4faedaa4b4aabe

So it seems to me the requests are making it all the way to the caddy container (as expected thanks to port forwarding) but apparently not back out?

Alright, made progress here. I’m not really sure how the behavior I got meshes up with this being the seeming resolution, but I updated Firewalla’s port forwards. Apparently they were created by default limited to the US (or I selected that thinking it was fine and promptly forgot) and now that I’ve updated them we’re able to get certs going.

I saw some record of configuring port forwards to be explicitly bidirectional in firewalla, but it doesn’t appear to be an option in the port forward rule itself anymore, and doesn’t seem to be necessary. It was just important that I allow traffic from all sources, not just specific geo regions.

Now, what’s the process for updating from staging certs to prod? I’ve removed the staging line, but the cert I generated for lounge.brensinger.net on staging is still stored in the cert cache so that one isn’t working. I proved that the connection is working by updating media.brensinger.net from internal so that one subdomain seems to be fully operational.

Delete them from Caddy’s storage then restart Caddy.

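Added example, not from the thread: a Python helper that locates the certificates Caddy obtained from a staging CA inside its data directory and removes them, which is what "delete them from Caddy's storage" amounts to for the lounge.brensinger.net case above. It assumes Caddy's on-disk layout <data>/caddy/certificates/<issuer key>/<site name>/ and the Let's Encrypt staging issuer key acme-staging-v02.api.letsencrypt.org-directory; with the compose file above, the container's /data is /home/charlie/storage/caddy on the host. The demo tree it builds is constructed, not real data, and the function names are mine.

```python
"""Locate and remove certificates Caddy obtained from an ACME staging CA.

Caddy keeps managed certificates at <data>/caddy/certificates/<issuer key>/<site>/
(assumed layout). The issuer key is the ACME directory URL with its scheme
dropped and '/' turned into '-', so Let's Encrypt staging and production get
the two keys below; certificates from `tls internal` live under "local".
"""
import shutil
import tempfile
from pathlib import Path

STAGING_ISSUER = "acme-staging-v02.api.letsencrypt.org-directory"
PROD_ISSUER = "acme-v02.api.letsencrypt.org-directory"

def find_staging_certs(data_dir):
    """Return (issuer_key, site, path) for every cert dir under an issuer key containing 'staging'."""
    cert_root = Path(data_dir) / "caddy" / "certificates"
    found = []
    if not cert_root.is_dir():
        return found
    for issuer_dir in sorted(cert_root.iterdir()):
        if issuer_dir.is_dir() and "staging" in issuer_dir.name:
            for site_dir in sorted(issuer_dir.iterdir()):
                if site_dir.is_dir():
                    found.append((issuer_dir.name, site_dir.name, site_dir))
    return found

def purge_staging_certs(data_dir, dry_run=True):
    """Delete each staging cert dir (and its issuer dir once empty); return 'issuer/site' labels."""
    removed = []
    for issuer_key, site, path in find_staging_certs(data_dir):
        if not dry_run:
            shutil.rmtree(path)
            if not any(path.parent.iterdir()):
                path.parent.rmdir()
        removed.append(f"{issuer_key}/{site}")
    return removed

def make_demo_tree(base):
    """Constructed fixture: one staging cert, one production cert, two internal (local) certs."""
    layout = {
        STAGING_ISSUER: ["lounge.brensinger.net"],
        PROD_ISSUER: ["media.brensinger.net"],
        "local": ["brensinger.net", "jf.brensinger.net"],
    }
    for issuer, sites in layout.items():
        for site in sites:
            d = Path(base) / "caddy" / "certificates" / issuer / site
            d.mkdir(parents=True)
            for ext in (".crt", ".key", ".json"):
                (d / f"{site}{ext}").write_text("placeholder\n")

def demo():
    """Build the fixture in a temp dir, purge staging certs, report what is left."""
    with tempfile.TemporaryDirectory() as tmp:
        make_demo_tree(tmp)
        planned = purge_staging_certs(tmp, dry_run=True)
        removed = purge_staging_certs(tmp, dry_run=False)
        remaining = sorted(p.name for p in (Path(tmp) / "caddy" / "certificates").iterdir())
    return planned, removed, remaining

if __name__ == "__main__":
    planned, removed, remaining = demo()
    print("would remove:", planned)
    print("removed:", removed)
    print("issuer keys left:", remaining)
```

Against a real data directory, run find_staging_certs("/home/charlie/storage/caddy") first and only then purge with dry_run=False; production and `tls internal` certificates are left alone because their issuer keys do not contain "staging". Restart Caddy afterwards, as the reply above says, so it requests the production certificate for the site instead of serving the cached staging one.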

Thank you!
