What version of Caddy are you using (caddy -version)? Caddy 0.9.3
Add the vhost "*.mysite.com" with on-demand tls set up
```
#pi3.myddns.me {
#    root firstsite/
#    ext .html .htm .php
#}
*.raspbi.tk:https {
    tls {
        max_certs 1024
    }
    errors {
        404 error_pages/404.html
    }
}
assets.raspbi.tk:https {
    root raspbi_assets/
    ext .html .htm .php
    errors {
        404 ../error_pages/404.html
    }
}
raspbi.tk:https {
    root homepage/
    # assumed typo in the posted config (":900"); every other vhost uses PHP-FPM on 9000
    fastcgi / 127.0.0.1:9000 php
    ext .html .htm .php
    errors {
        404 ../error_pages/404.html
    }
}
firstsite.raspbi.tk:https {
    root firstsite/
    fastcgi / 127.0.0.1:9000 php
    ext .html .htm .php
    errors {
        404 ../error_pages/404.html
    }
}
status.raspbi.tk:https {
    root status/
    fastcgi / 127.0.0.1:9000 php
    ext .html .htm .php
    errors {
        404 ../error_pages/404.html
    }
}
php.raspbi.tk:https {
    root phptest/
    fastcgi / 127.0.0.1:9000 php
    ext .html .htm .php
    errors {
        404 ../error_pages/404.html
    }
}
```
In my home folder there's a folder called "web_server".
From a terminal in that directory: `sudo ./caddy`
I think it's worth mentioning that I'm with optus and they block port 80.
The 404 error page when I went to any subdomain that wasn't set up.
Some browsers took a while to load and eventually said there was a problem. Others took a while to load and eventually gave the error "ERR_SSL_PROTOCOL_ERROR" (screenshot from Chrome here).
Maybe try making a * entry in your DNS settings and then creating a *.yoursite.com vhost with on-demand TLS.
If port 80 is blocked, then Caddy won't be able to obtain certificates when it uses the HTTP challenge, resulting in protocol errors (because there is no cert available to send to the client). You'll have to open port 80.
I usually set the port to 443 on each vhost first to get the certificate; that way it only tries port 443. Afterwards, when I have got the certificate, I change it to https. It works. So I tried changing *.raspbi.tk:https to *.raspbi.tk:443. It didn't work. I tried changing ALL vhosts to port 443, because that's what they should be on anyway. It still isn't working.
The choice of challenge is random, so your experiments were just lucky. ;)
Oh, I didn't realize. Is there any way to specify which challenge to use?
Also, is there any way to submit a feature request?
There isn't... unless you use the DNS challenge. Mostly because there hasn't been a need. Websites generally have access to ports 80 and 443. I guess we could look into adding this feature, however... I'm not sure how it would work and keep it congruent with the dns challenge configuration. In other words:
```
tls {
    challenges http tls-sni
}
```
(specifying both is the same as the default) doesn't apply to the dns challenge because there's a separate dns subdirective for that. I kind of hate having special cases...
I don't quite understand. How would I use the DNS challenge?
You use it with the dns property of the tls directive: https://caddyserver.com/docs/tls
But what you want is to simply prevent Caddy from trying the tls-sni challenge, which currently isn't really possible. (This reminds me, Caddy should try a different challenge if it fails to serve one of them... but maybe that change should be made upstream in lego...)
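An added reachability check for the situation described in this thread (not Caddy's or lego's own code): it models which ACME challenge can succeed given the ports reachable from the internet, and probes a host's 80/443 plus a TLS handshake with SNI to distinguish "no certificate for this name" from "port blocked". The hostname and timeout values are whatever you pass in; nothing here is taken from the Caddyfile above.

```python
import socket
import ssl

# Port each ACME challenge needs reachable from the internet. Caddy 0.9.x
# picks http or tls-sni at random, so both ports must be open unless the
# dns challenge is configured (which needs neither).
CHALLENGE_PORTS = {"http": 80, "tls-sni": 443, "dns": None}

def viable_challenges(open_ports, dns_configured=False):
    """Challenge types that can succeed given the set of reachable ports."""
    viable = []
    for name, port in CHALLENGE_PORTS.items():
        if port is None:
            if dns_configured:
                viable.append(name)
        elif port in open_ports:
            viable.append(name)
    return viable

def random_pick_can_fail(open_ports, dns_configured=False):
    """True when a random http/tls-sni pick may land on a blocked port."""
    return not dns_configured and not {80, 443}.issubset(open_ports)

def port_reachable(host, port, timeout=5.0):
    """TCP connect probe; False on refusal, timeout or name-resolution failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def tls_probe(host, port=443, timeout=5.0):
    """TLS handshake with SNI=host, classifying the outcome."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"status": "ok", "subject": tls.getpeercert().get("subject")}
    except ssl.SSLError as exc:
        # Handshake rejected: typically no certificate for this SNI name,
        # which a browser reports as ERR_SSL_PROTOCOL_ERROR.
        return {"status": "handshake-failed", "detail": exc.reason}
    except OSError as exc:
        return {"status": "unreachable", "detail": str(exc)}
```

Run `viable_challenges({p for p in (80, 443) if port_reachable("your.host", p)})` from outside your network; an empty or `["tls-sni"]`-only result with `random_pick_can_fail` true is the "ISP blocks port 80" case, and `tls_probe` then shows whether issuance already failed for that name.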