Caddy: self_signed certs now causing browser errors
1. What version of Caddy are you using (caddy -version)?
I have confirmed this behavior in two different versions:
first one just freshly downloaded from https://caddyserver.com/download/darwin/amd64?license=
Caddy 0.10.11 (non-commercial use only)
the other installed on Mac OS (High Sierra) with brew install caddy
Caddy 0.10.11 (unofficial)
2. What are you trying to do?
I have been using caddy to run a TLS reverse proxy in front of a web application on my laptop. This has been working fine for months. All of my browsers started refusing the self_signed certs yesterday. I don't think I changed anything yesterday, but based on my troubleshooting, I think I must have upgraded my things to use caddy 0.10.11.
3. What is your entire Caddyfile?
I can reproduce the symptoms without any Caddyfile.
4. How did you run Caddy (give the full command and describe the execution environment)?
caddy 'tls self_signed' browse
5. Please paste any relevant HTTP request(s) here.
Visiting this url with any of my browers shows errors that are not the typical untrusted certificate errors.
https://localhost:2015
In case it's relevant, here are the browser versions I've tested:
Mac OS: 10.13.3 (17D102)
Firefox: 59.0.1 (64-bit)
Google Chrome: Version 65.0.3325.162 (Official Build) (64-bit)
Safari: Version 11.0.3 (13604.5.6)
Curl:
curl 7.54.0 (x86_64-apple-darwin17.0) libcurl/7.54.0 LibreSSL/2.0.20 zlib/1.2.11 nghttp2/1.24.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz HTTP2 UnixSockets HTTPS-proxy
This curl command also demonstrates a failure
curl -vvv -I https://localhost:2015
6. What did you expect to see?
In the browsers expect to see a listing of the current working directory.
In the curl command I expected to see 200 OK among the response headers.
7. What did you see instead (give full error messages and/or log)?
Firefox's error message:
Secure Connection Failed
An error occurred during a connection to localhost:2015. Peer reports
it experienced an internal error.
Error code: SSL_ERROR_INTERNAL_ERROR_ALERT
And a screenshot:
Other browser errors are similarly uninformative, but decidedly NOT the usual warning about untrusted, self-signed certificates.
And what curl had to say about it:
* Rebuilt URL to: https://localhost:2015/
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 2015 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
* stopped the pause stream!
* Closing connection 0
curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
8. How can someone who is starting from scratch reproduce the bug as minimally as possible?
caddy 'tls self_signed' browse
open https://localhost:2015
curl -vvv -I https://localhost:2015
dobbs
All 11 comments
I have also just confirmed that browsers are accepting self-signed certs from caddy version 0.10.10.
Well, to be precise, they're complaining the same way they usually do about untrusted certificates, but providing the usual UX to accept the risks.
dobbs
on 18 Mar 2018
Can you build the latest source from the master branch and try again? It's working fine here.
mholt
on 18 Mar 2018
I'll give that a try. Also gonna try to repeat these symptoms on a different computer for good measure.
dobbs
on 18 Mar 2018
I got 0.10.11 installed on a different computer faster. I can confirm the self-signed certs work just as expected. It's running older MacOS, and slightly different Safari, identical Firefox and Chrome:
MacOS: 10.11.6
Safari: 11.0.3 (11604.5.6.1.1))
I cannot explain why self-signed certs for 0.10.10 work for all three browsers and curl on my laptop where they fail in all three browsers and curl for 0.10.11.
I will try compiling master in case it reveals anything informative.
dobbs
on 19 Mar 2018
While installing go I did run one more test. The browsers on the other computer report the same error when I attempt to connect to caddy 0.10.11 running on my laptop. And they behave normally when connecting to caddy 0.10.10.
dobbs
on 19 Mar 2018
I've confirmed that compiled from master the self-signed certs work as expected.
I did also git reset --hard v0.10.11 and compiled that to double-check. Sure enough that tag displays the same symptoms reported here.
dobbs
on 19 Mar 2018
Weird. You could https://git-scm.com/docs/git-bisect to find which commit caused it/fixed it, if you feel like it!
francislavoie
on 19 Mar 2018
Looks like https://github.com/mholt/caddy/issues/2035 again - should be fixed in master as of https://github.com/mholt/caddy/pull/2037.
whitestrake
on 19 Mar 2018
I did play with git-bisect and confirm what @whitestrake says.
This commit displays the expected behavior (the browsers whine about untrusted certs, but let me proceed if I accept the risk): https://github.com/mholt/caddy/commit/6e2de19d9fc29f8dec059c5345819a68a13832f2
dobbs
on 19 Mar 2018
In case this is helpful, here's the script I used with git bisect.
#!/bin/bash
set -euo pipefail
IFS=$'\t\n\r'
cd $GOPATH/src/github.com/mholt/caddy/caddy
go run build.go
./caddy --version
./caddy 'tls self_signed' browse 2>&1 >../bisect.log &
sleep 3
curl -IksS https://localhost:2015 \
| grep -q 200 \
&& echo CERT_OK \
|| echo CERT_NOT_OK
killall caddy
# move binary to revision-specific file for sanity-checking
mv caddy{,-$(git rev-parse --short HEAD)}
Great, thanks! Really appreciate your details and the script you used to bisect.
mholt
on 19 Mar 2018
Related issues
ericmdantas
路
3Comments
aeroxy
路
3Comments
mschneider82
路
3Comments
jgsqware
路
3Comments
kilpatty
路
3Comments
Most helpful comment
In case this is helpful, here's the script I used with
git bisect.