caddy: v2: if custom TLS certificate is set, Let's Encrypt sites break
example.com {
root * /var/www/example.com/public
file_server
tls /etc/ssl/certs/example.com.pem /etc/ssl/private/example.com.key
}
cdn.example.com {
root * /var/www/cdn.example.com/public
file_server
tls /etc/ssl/certs/example.com.pem /etc/ssl/private/example.com.key
}
example.org {
respond "example.org"
}
In this case, example.com and cdn.example.com work, but example.org returns error message in browsers (in Firefox, SSL_ERROR_INTERNAL_ERROR_ALERT) and into Caddy’s logs.
If I remove the example.com blocks, example.org works.
caddy[1228]: 2020/01/26 02:22:18 http: TLS handshake error from CLIENTIP:CLIENTPORT: no server TLS configuration available for ClientHello: &{CipherSuites:[19018 4865 4866 4867 49195 49199 49196 49200 52393 52392 49171 49172 156 157 47 53 10] ServerName:example.org SupportedCurves:[56026 29 23 24] SupportedPoints:[0] SignatureSchemes:[1027 2052 1025 1283 2053 1281 2054 1537 513] SupportedProtos:[h2 http/1.1] SupportedVersions:[43690 772 771 770 769] Conn:0xc0000f2028}
$ caddy version
v2.0.0-beta.13 h1:QL0JAepFvLVtOatABqniuDRQ4HmtvWuuSWZW24qVVtk=
About this issue
- Original URL
- State: closed
- Created 4 years ago
- Reactions: 2
- Comments: 17 (8 by maintainers)
Commits related to this issue
- caddyfile: tls: Ensure there is always a catch-all conn policy (#3005) If user provides their own certs or makes any hostname-specific TLS connection policy, it means that no TLS connection would be ... — committed to caddyserver/caddy by mholt 4 years ago
- tls: Fix panic loading automation management modules (fix #3004) When AutomationPolicy was turned into a pointer, we continued passing a double pointer to LoadModule, oops. — committed to caddyserver/caddy by mholt 4 years ago
- httpcaddyfile: Combine repeated cert loaders (fix #3004) Also only append 1 catch-all TLS connection policy to a server, even if multiple site blocks contribute to that server. — committed to caddyserver/caddy by mholt 4 years ago
- httpcaddyfile: tls: Load repeated cert files only once, with one tag See end of issue #3004. Loading the same certificate file multiple times with different tags will result in it being de-duplicated... — committed to caddyserver/caddy by mholt 4 years ago
@Henrocker Fixed in 99f91c4c6f812ebfae505a8c29a750965af0cfcb – please test, thanks!
PS. Your use of actual domain names and not redacting any information really made this quick and easy. I hope more people will report bugs the way you do… too many people like to change and hide their configs before posting it, and we can’t help them. Seriously it happens every day.
@mholt Wow, that was really quick! Thanks, my complete setup works like a charm now.
I really feel the post scriptum part, and thanks to bcrypt for auth, one doesn’t even have to look into Caddyfile again before posting it publicly, yay! 😃
Thanks! I just found the problem… might be a little tricky to fix. I’ll see about it today if I can.
Somehow I need to prevent cert files that are used repeatedly from being loaded twice:
It’s looking for cert0, even though cert1 overwrote cert0 in the cache.
@Henrocker Hmm, I can’t reproduce it.
I generated a certificate just like yours (two SAN names,
test-1.lightcodelabs.comand*.lightcodelabs.com) and then used your Caddyfile except loading my certificates and replacing your domains with mine.curl -v --insecure "https://test-1.lightcodelabs.com/"works just fine for all my domains and subdomains that I’m testing with. When I try with some other hostname, likecurl -v --insecure "https://localhost/", then I see theno certificate available for 'localhost'error.In other words, things are working as expected.
I suppose I’ll need your help to further debug.
Can you put
log.Printf()statements in certmagic/handshake.go (do a search for “no certificate available for”) and just kind of see why it can’t find your certificate?Edit: Oooh, I found a way to reproduce it. Still, your help would be greatly appreciated if you can spare a few minutes! 😃
@Henrocker Tricky, tricky… fixed in 0005e3acdc7f0bc89f7a8bb15a1e23295986a3b7, I believe. Sigh. Kind of hacky but that’s how it’s going to be I guess. I still maintain that the Caddyfile adapter is the hardest part of building Caddy 2.
Oops, thanks for the full stack trace @Henrocker that made it quick to find the problem. Fixed, I think, please try again!