Caddy: v2: TLS handshake error on Let's Encrypt sites in combination with custom specified certificate sites

Created on 10 Apr 2020  ·  6 Comments  ·  Source: caddyserver/caddy

My system

  • Debian 10 amd64
  • Caddy Version: v2.0.0-rc.2 h1:7NOaxYrsnQ5D3rcLGn2UnLZHLfBpgrfM/JNTLhjCJ1c= (binary taken from the release (https://github.com/caddyserver/caddy/releases/download/v2.0.0-rc.2/caddy_2.0.0-rc.2_linux_amd64.tar.gz)). I also tried master and built Caddy with go1.14.2, but got the same issue as below.

Caddy startup command

rm ~/.config/caddy/autosave.json && /etc/caddy/caddy run --config /etc/caddy/CaddyfileTEST --adapter caddyfile

Caddyfile content

hnrk.io, www.hnrk.io {
        root * /etc/caddy/html
        tls /etc/caddy/hnrk.io.crt /etc/caddy/hnrk.io.key
        encode zstd gzip
        php_fastcgi unix//run/php/php7.4-fpm.sock
        try_files {path} {path}/index.php /index.php?{query}
        file_server
}
harmoniks.de, www.harmoniks.de {
        tls [email protected]
        root * /etc/caddy/html/harmoniks.de
        encode zstd gzip
        php_fastcgi unix//run/php/php7.4-fpm.sock
        try_files {path} {path}/index.php /index.php?{query}
        file_server
}

Issue

Every time I visit my website harmoniks.de, it displays an SSL_PROTOCOL_ERROR in Chrome.

However, visiting hnrk.io works just fine.

And an http: TLS handshake error as seen in Caddy's logs:

$ /etc/caddy/caddy run --config /etc/caddy/CaddyfileTEST --adapter caddyfile
2020/04/10 10:02:24.486 INFO    using provided configuration    {"config_file": "/etc/caddy/CaddyfileTEST", "config_adapter": "caddyfile"}
2020/04/10 10:02:24.490 INFO    admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
2020/04/10 12:02:24 [INFO][cache:0xc000364c80] Started certificate maintenance routine
2020/04/10 10:02:24.500 INFO    http    skipping automatic certificate management because one or more matching certificates are already loaded  {"domain": "www.hnrk.io", "server_name": "srv0"}
2020/04/10 10:02:24.500 INFO    http    skipping automatic certificate management because one or more matching certificates are already loaded  {"domain": "hnrk.io", "server_name": "srv0"}
2020/04/10 10:02:24.500 INFO    http    enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2020/04/10 10:02:24.506 INFO    tls     cleaned up storage units
2020/04/10 10:02:24.506 INFO    http    enabling automatic TLS certificate management   {"domains": ["harmoniks.de", "www.harmoniks.de"]}
2020/04/10 10:02:24.519 INFO    autosaved config        {"file": "/root/.config/caddy/autosave.json"}
2020/04/10 10:02:24.519 INFO    serving initial configuration
2020/04/10 12:02:34 http: TLS handshake error from [2001:470:1f0b:1de:4432:5218:87be:973]:50167: no server TLS configuration available for ClientHello: &{CipherSuites:[31354 4865 4866 4867 49195 49199 49196 49200 52393 52392 49171 49172 156 157 47 53 10] ServerName:harmoniks.de SupportedCurves:[43690 29 23 24] SupportedPoints:[0] SignatureSchemes:[1027 2052 1025 1283 2053 1281 2054 1537 513] SupportedProtos:[h2 http/1.1] SupportedVersions:[23130 772 771 770 769] Conn:0xc0000ae088 config:0xc000107c80}
2020/04/10 12:05:21 http: TLS handshake error from 219.124.146.133:34206: no server TLS configuration available for ClientHello: &{CipherSuites:[35466 4865 4866 4867 49195 49199 52393 52392 49196 49200 49161 49171 49162 49172 156 157 47 53 10] ServerName:www.harmoniks.de SupportedCurves:[19018 29 23 24] SupportedPoints:[0] SignatureSchemes:[1027 2052 1025 1283 2053 1281 2054 1537 513] SupportedProtos:[] SupportedVersions:[2570 772 771 770 769] Conn:0xc0000ae038 config:0xc000107c80}
2020/04/10 12:05:22 http: TLS handshake error from 210.158.146.74:40682: no server TLS configuration available for ClientHello: &{CipherSuites:[39578 4865 4866 4867 49195 49199 52393 52392 49196 49200 49161 49171 49162 49172 156 157 47 53 10] ServerName:harmoniks.de SupportedCurves:[60138 29 23 24] SupportedPoints:[0] SignatureSchemes:[1027 2052 1025 1283 2053 1281 2054 1537 513] SupportedProtos:[] SupportedVersions:[2570 772 771 770 769] Conn:0xc0000ae048 config:0xc000107c80}

Could be related to #3248.

Label: bug
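The log line that matters here is "no server TLS configuration available for ClientHello": the listener could not find any TLS configuration for the SNI name the client sent (harmoniks.de / www.harmoniks.de), while names covered by the manually specified certificate (hnrk.io) were fine. The page does not say what commit 3bee569 changed, so the following added example (written for this page, not Caddy's own code; the ConnectionPolicy type, ErrNoPolicy and UncoveredHosts are hypothetical names) only shows the general mechanism behind that log line: a server that selects a per-site tls.Config by SNI in a GetConfigForClient callback rejects every hello whose name has no policy, and a preflight check over the expected hostnames catches the gap before a client does.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"strings"
)

// ConnectionPolicy pairs the SNI hostnames of one site block with the TLS
// config that should serve them. Hypothetical, simplified model of per-site
// TLS policies for illustration; not Caddy's own type.
type ConnectionPolicy struct {
	Hosts  []string    // server names the policy matches; empty matches any name
	Config *tls.Config // config handed back to crypto/tls for matching hellos
}

// ErrNoPolicy is returned when no policy matches the ClientHello; the text
// mirrors the error seen in the issue's logs.
var ErrNoPolicy = errors.New("no server TLS configuration available for ClientHello")

// matches reports whether the policy covers the requested server name.
func (p ConnectionPolicy) matches(serverName string) bool {
	if len(p.Hosts) == 0 {
		return true
	}
	for _, h := range p.Hosts {
		if strings.EqualFold(h, serverName) {
			return true
		}
	}
	return false
}

// SelectConfig walks the policies in order and returns the first config whose
// hosts match the ClientHello's SNI; this is the work a tls.Config's
// GetConfigForClient callback performs on every handshake.
func SelectConfig(policies []ConnectionPolicy, hello *tls.ClientHelloInfo) (*tls.Config, error) {
	for _, p := range policies {
		if p.matches(hello.ServerName) {
			return p.Config, nil
		}
	}
	return nil, ErrNoPolicy
}

// ServerConfig wires the policy list into a listener-level tls.Config.
func ServerConfig(policies []ConnectionPolicy) *tls.Config {
	return &tls.Config{
		GetConfigForClient: func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
			return SelectConfig(policies, hello)
		},
	}
}

// UncoveredHosts is a preflight check: it returns every expected hostname for
// which a handshake would fail with ErrNoPolicy under the given policies.
func UncoveredHosts(policies []ConnectionPolicy, expected []string) []string {
	var missing []string
	for _, host := range expected {
		if _, err := SelectConfig(policies, &tls.ClientHelloInfo{ServerName: host}); err != nil {
			missing = append(missing, host)
		}
	}
	return missing
}

func main() {
	// Constructed sample: the two site blocks from the issue's Caddyfile.
	// The empty tls.Config values stand in for the real certificate-bearing configs.
	manualSite := ConnectionPolicy{Hosts: []string{"hnrk.io", "www.hnrk.io"}, Config: &tls.Config{}}
	autoSite := ConnectionPolicy{Hosts: []string{"harmoniks.de", "www.harmoniks.de"}, Config: &tls.Config{}}
	allHosts := append(append([]string{}, manualSite.Hosts...), autoSite.Hosts...)

	// Failure mode: only the site with a manually specified certificate got a policy,
	// so hellos for the automated-TLS names fail exactly like the logs above.
	broken := []ConnectionPolicy{manualSite}
	fmt.Println("hosts that would fail the handshake:", UncoveredHosts(broken, allHosts))

	// Both sites covered: every expected host resolves to a config.
	fixed := []ConnectionPolicy{manualSite, autoSite}
	fmt.Println("hosts that would fail the handshake:", UncoveredHosts(fixed, allHosts))
	_ = ServerConfig(fixed) // would be passed to tls.NewListener in a real server
}
```

Running the check once per config reload, with the full list of site names the config is supposed to serve, turns this class of bug from "a client gets SSL_PROTOCOL_ERROR" into a startup-time error that names the uncovered hosts.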

All 6 comments

Thanks -- not related to #3248.

If you remove all the directives within the site blocks except for tls, does the error still occur? How minimally can you reproduce the bug?

@Henrocker I was able to reproduce the problem, but wanted to be sure of its fix -- can you please try the latest commit 3bee569 (build artifacts should be available momentarily) and confirm that it works for you?

UPDATE: I'll try it out, give me a second.

Hi @mholt

With this config:

hnrk.io, www.hnrk.io {
        tls /etc/caddy/hnrk.io.crt /etc/caddy/hnrk.io.key
}
harmoniks.de, www.harmoniks.de {
        tls [email protected]
}

I get these logs (same as before):

/etc/caddy/caddy run --config /etc/caddy/CaddyfileTEST --adapter caddyfile
2020/04/10 14:22:42.219 INFO    using provided configuration    {"config_file": "/etc/caddy/CaddyfileTEST", "config_adapter": "caddyfile"}
2020/04/10 14:22:42.221 INFO    admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
2020/04/10 16:22:42 [INFO][cache:0xc0003b0be0] Started certificate maintenance routine
2020/04/10 14:22:42.241 INFO    http    skipping automatic certificate management because one or more matching certificates are already loaded  {"domain": "hnrk.io", "server_name": "srv0"}
2020/04/10 14:22:42.241 INFO    http    skipping automatic certificate management because one or more matching certificates are already loaded  {"domain": "www.hnrk.io", "server_name": "srv0"}
2020/04/10 14:22:42.241 INFO    http    enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2020/04/10 14:22:42.256 INFO    tls     cleaned up storage units
2020/04/10 14:22:42.256 INFO    http    enabling automatic TLS certificate management   {"domains": ["harmoniks.de", "www.harmoniks.de"]}
2020/04/10 14:22:42.270 INFO    autosaved config        {"file": "/root/.config/caddy/autosave.json"}
2020/04/10 14:22:42.270 INFO    serving initial configuration
2020/04/10 16:23:00 http: TLS handshake error from [2001:470:1f0b:1de:c8f:7e03:b4ae:b102]:53578: no server TLS configuration available for ClientHello: &{CipherSuites:[43690 4865 4866 4867 49195 49199 49196 49200 52393 52392 49171 49172 156 157 47 53 10] ServerName:harmoniks.de SupportedCurves:[2570 29 23 24] SupportedPoints:[0] SignatureSchemes:[1027 2052 1025 1283 2053 1281 2054 1537 513] SupportedProtos:[h2 http/1.1] SupportedVersions:[43690 772 771 770 769] Conn:0xc00012a048 config:0xc00009b200}

Thank you for the simplification! That is always nice to ensure the Caddyfile adapter's output can be more easily interpreted while debugging.

@mholt It works! 👍

Thank you for the quick fixes for both issues! Happy easter ✌

Thanks, you too Henrik!
