Closed dfiel closed 8 years ago
Slightly adjusting my Caddyfile on external yields ERR_SSL_PROTOCOL_ERROR
*
proxy / 10.1.1.42 {
header_upstream Host {host}
header_upstream X-Real-IP {remote}
header_upstream X-Forwarded-For {remote}
header_upstream X-Forwarded-Proto {scheme}
header_upstream Connection {>Connection}
header_upstream Upgrade {>Upgrade}
}
tls {
max_certs 100
}
What does your -log (process log) show?
Also, you can replace all those header_upstream lines with simply websocket and transparent.
Finally, could you try building from source with the latest that is on master? We've fixed some significant proxy bugs that wiggled into the 0.9 release since then.
Well I dun goofed, removed the original post to move it to the forum, as I hadn't noticed that you responded.
Building from source with the same caddyfile in my second post still gives ERR_SSL_PROTOCOL_ERROR
What's in your process log though? (Use -log stderr to print it to stderr, for instance.)
Any chance you could put your original post back here? I don't see it on the forum so all the context is pretty much missing now. :(
Activating privacy features... done.
http://*
https://*
WARNING: File descriptor limit 1024 is too low for production servers. At least 8192 is recommended. Fix with "ulimit -n 8192".
2016/08/13 11:38:49 [INFO] Obtaining new certificate for sriplylrhnllvgz
2016/08/13 11:38:49 [INFO] Obtaining new certificate for kxkmfosl
2016/08/13 11:38:49 [INFO] Obtaining new certificate for sgdwxvsdtdmqe
2016/08/13 11:38:50 [INFO][sriplylrhnllvgz] acme: Obtaining bundled SAN certificate
2016/08/13 11:38:50 http: TLS handshake error from 100.14.33.84:33525: [sriplylrhnllvgz] failed to get certificate: acme: Error 400 - urn:acme:error:malformed - DNS name does not have enough labels
2016/08/13 11:38:50 [INFO][sgdwxvsdtdmqe] acme: Obtaining bundled SAN certificate
2016/08/13 11:38:50 http: TLS handshake error from 100.14.33.84:29363: [sgdwxvsdtdmqe] failed to get certificate: acme: Error 400 - urn:acme:error:malformed - DNS name does not have enough labels
2016/08/13 11:38:50 [INFO][kxkmfosl] acme: Obtaining bundled SAN certificate
2016/08/13 11:38:50 http: TLS handshake error from 100.14.33.84:49258: [kxkmfosl] failed to get certificate: acme: Error 400 - urn:acme:error:malformed - DNS name does not have enough labels
2016/08/13 11:38:52 http: TLS handshake error from 100.14.33.84:25371: kxkmfosl: throttled; refusing to issue cert since last attempt on 2016-08-13 11:38:50.36826814 -0400 EDT failed
2016/08/13 11:38:52 http: TLS handshake error from 100.14.33.84:35952: sriplylrhnllvgz: throttled; refusing to issue cert since last attempt on 2016-08-13 11:38:50.145942464 -0400 EDT failed
2016/08/13 11:38:52 http: TLS handshake error from 100.14.33.84:30957: sgdwxvsdtdmqe: throttled; refusing to issue cert since last attempt on 2016-08-13 11:38:50.26155399 -0400 EDT failed
2016/08/13 11:39:11 [INFO] Obtaining new certificate for cmkhsio
2016/08/13 11:39:11 [INFO] Obtaining new certificate for pnzawugjc
2016/08/13 11:39:11 [INFO] Obtaining new certificate for chojihtdpamoadg
2016/08/13 11:39:11 [INFO][pnzawugjc] acme: Obtaining bundled SAN certificate
2016/08/13 11:39:11 http: TLS handshake error from 100.14.33.84:27370: [pnzawugjc] failed to get certificate: acme: Error 400 - urn:acme:error:malformed - DNS name does not have enough labels
2016/08/13 11:39:11 [INFO][chojihtdpamoadg] acme: Obtaining bundled SAN certificate
2016/08/13 11:39:11 http: TLS handshake error from 100.14.33.84:10522: [chojihtdpamoadg] failed to get certificate: acme: Error 400 - urn:acme:error:malformed - DNS name does not have enough labels
2016/08/13 11:39:11 [INFO][cmkhsio] acme: Obtaining bundled SAN certificate
2016/08/13 11:39:12 http: TLS handshake error from 100.14.33.84:59717: [cmkhsio] failed to get certificate: acme: Error 400 - urn:acme:error:malformed - DNS name does not have enough labels
2016/08/13 11:39:12 [INFO] Obtaining new certificate for bkoimtviemq
2016/08/13 11:39:12 [INFO] Obtaining new certificate for nkvfizicxzvweus
2016/08/13 11:39:12 [INFO][bkoimtviemq] acme: Obtaining bundled SAN certificate
2016/08/13 11:39:12 [INFO] Obtaining new certificate for tvwhhzntqwawvl
2016/08/13 11:39:12 http: TLS handshake error from 100.14.33.84:25461: [bkoimtviemq] failed to get certificate: acme: Error 400 - urn:acme:error:malformed - DNS name does not have enough labels
2016/08/13 11:39:12 [INFO][nkvfizicxzvweus] acme: Obtaining bundled SAN certificate
2016/08/13 11:39:12 http: TLS handshake error from 100.14.33.84:27744: [nkvfizicxzvweus] failed to get certificate: acme: Error 400 - urn:acme:error:malformed - DNS name does not have enough labels
2016/08/13 11:39:12 [INFO][tvwhhzntqwawvl] acme: Obtaining bundled SAN certificate
2016/08/13 11:39:13 http: TLS handshake error from 100.14.33.84:20514: [tvwhhzntqwawvl] failed to get certificate: acme: Error 400 - urn:acme:error:malformed - DNS name does not have enough labels
2016/08/13 11:39:13 http: TLS handshake error from 100.14.33.84:2401: cmkhsio: throttled; refusing to issue cert since last attempt on 2016-08-13 11:39:12.094371163 -0400 EDT failed
2016/08/13 11:39:13 http: TLS handshake error from 100.14.33.84:31561: pnzawugjc: throttled; refusing to issue cert since last attempt on 2016-08-13 11:39:11.70476325 -0400 EDT failed
2016/08/13 11:39:13 http: TLS handshake error from 100.14.33.84:60338: chojihtdpamoadg: throttled; refusing to issue cert since last attempt on 2016-08-13 11:39:11.860980194 -0400 EDT failed
2016/08/13 11:39:15 http: TLS handshake error from 100.14.33.84:12216: bkoimtviemq: throttled; refusing to issue cert since last attempt on 2016-08-13 11:39:12.842225722 -0400 EDT failed
2016/08/13 11:39:15 http: TLS handshake error from 100.14.33.84:17885: nkvfizicxzvweus: throttled; refusing to issue cert since last attempt on 2016-08-13 11:39:12.991877936 -0400 EDT failed
2016/08/13 11:39:15 http: TLS handshake error from 100.14.33.84:5686: tvwhhzntqwawvl: throttled; refusing to issue cert since last attempt on 2016-08-13 11:39:13.157786017 -0400 EDT failed
2016/08/13 11:39:17 http: TLS handshake error from 100.14.33.84:51142: read tcp 104.223.72.6:443->100.14.33.84:51142: read: connection reset by peer
2016/08/13 11:39:24 http: TLS handshake error from 100.14.33.84:5085: no certificate available for mydomain.com
2016/08/13 11:39:24 http: TLS handshake error from 100.14.33.84:21823: no certificate available for mydomain.com
2016/08/13 11:39:24 http: TLS handshake error from 100.14.33.84:61962: no certificate available for mydomain.com
2016/08/13 11:39:24 http: TLS handshake error from 100.14.33.84:43982: no certificate available for mydomain.com
2016/08/13 11:39:24 http: TLS handshake error from 100.14.33.84:53767: no certificate available for mydomain.com
2016/08/13 11:39:24 http: TLS handshake error from 100.14.33.84:18576: no certificate available for mydomain.com
2016/08/13 11:39:28 [INFO] Obtaining new certificate for bzuvyak
2016/08/13 11:39:28 [INFO] Obtaining new certificate for wwdrbfjwfexhfb
2016/08/13 11:39:28 [INFO] Obtaining new certificate for qydjfgbiutwypj
2016/08/13 11:39:29 [INFO][bzuvyak] acme: Obtaining bundled SAN certificate
2016/08/13 11:39:29 http: TLS handshake error from 100.14.33.84:11913: [bzuvyak] failed to get certificate: acme: Error 400 - urn:acme:error:malformed - DNS name does not have enough labels
2016/08/13 11:39:29 [INFO][wwdrbfjwfexhfb] acme: Obtaining bundled SAN certificate
2016/08/13 11:39:29 http: TLS handshake error from 100.14.33.84:42483: [wwdrbfjwfexhfb] failed to get certificate: acme: Error 400 - urn:acme:error:malformed - DNS name does not have enough labels
2016/08/13 11:39:29 [INFO][qydjfgbiutwypj] acme: Obtaining bundled SAN certificate
2016/08/13 11:39:29 http: TLS handshake error from 100.14.33.84:31350: [qydjfgbiutwypj] failed to get certificate: acme: Error 400 - urn:acme:error:malformed - DNS name does not have enough labels
2016/08/13 11:39:31 http: TLS handshake error from 100.14.33.84:61980: bzuvyak: throttled; refusing to issue cert since last attempt on 2016-08-13 11:39:29.17787122 -0400 EDT failed
2016/08/13 11:39:31 http: TLS handshake error from 100.14.33.84:5181: wwdrbfjwfexhfb: throttled; refusing to issue cert since last attempt on 2016-08-13 11:39:29.30299667 -0400 EDT failed
2016/08/13 11:39:31 http: TLS handshake error from 100.14.33.84:64710: qydjfgbiutwypj: throttled; refusing to issue cert since last attempt on 2016-08-13 11:39:29.485779145 -0400 EDT failed
2016/08/13 11:39:35 http: TLS handshake error from 100.14.33.84:54242: no certificate available for mysql.mydomain.com
2016/08/13 11:39:35 http: TLS handshake error from 100.14.33.84:27126: no certificate available for mysql.mydomain.com
2016/08/13 11:39:35 http: TLS handshake error from 100.14.33.84:49772: no certificate available for mydomain.com
2016/08/13 11:39:36 http: TLS handshake error from 100.14.33.84:51753: no certificate available for mydomain.com
2016/08/13 11:39:36 http: TLS handshake error from 100.14.33.84:21600: no certificate available for mydomain.com
2016/08/13 11:39:36 http: TLS handshake error from 100.14.33.84:8039: no certificate available for mydomain.com
2016/08/13 11:39:38 http: TLS handshake error from 100.14.33.84:35416: read tcp 104.223.72.6:443->100.14.33.84:35416: read: connection reset by peer
^C2016/08/13 11:39:41 [INFO] SIGINT: Shutting down
Well I can see why you're having SSL_PROTOCOL errors. sgdwxvsdtdmqe is not a valid domain name that Let's Encrypt can verify. :smile: On-demand TLS has to be rate limited to prevent abuse, so when a cert request fails it has to wait a while before trying another.
I have it rate limited to 100 certificates, but when I try to use my own domain (mydomain.com in the logs) I get the SSL_PROTOCOL error.
Yes, but if you read the logs you'll see why. Closing as this isn't an actionable Caddy issue.
Rate limits are described here: https://caddyserver.com/docs/automatic-https#on-demand
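To make the process log above easier to read, here is an added example (not part of the thread, and not Caddy's code) that classifies each "TLS handshake error" line by server name and failure kind, applies the same "at least two labels" check the CA applied to names like sgdwxvsdtdmqe, and models the on-demand issuance throttle the maintainer describes: a name that just failed is refused for a backoff window, and issuance stops once max_certs is reached. The sample log lines are copied from the log posted above; the 60-second backoff and the OnDemandIssuer class are assumptions for the model, not Caddy's actual parameters.

```python
import re
from collections import Counter

# Sample lines copied from the process log posted earlier in this thread.
SAMPLE_LOG = """\
2016/08/13 11:38:50 http: TLS handshake error from 100.14.33.84:33525: [sriplylrhnllvgz] failed to get certificate: acme: Error 400 - urn:acme:error:malformed - DNS name does not have enough labels
2016/08/13 11:38:52 http: TLS handshake error from 100.14.33.84:25371: kxkmfosl: throttled; refusing to issue cert since last attempt on 2016-08-13 11:38:50.36826814 -0400 EDT failed
2016/08/13 11:39:17 http: TLS handshake error from 100.14.33.84:51142: read tcp 104.223.72.6:443->100.14.33.84:51142: read: connection reset by peer
2016/08/13 11:39:24 http: TLS handshake error from 100.14.33.84:5085: no certificate available for mydomain.com
2016/08/13 11:39:35 http: TLS handshake error from 100.14.33.84:54242: no certificate available for mysql.mydomain.com
"""

HANDSHAKE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) http: TLS handshake error from "
    r"(?P<peer>\S+): (?P<detail>.*)$"
)
ACME_RE = re.compile(r"^\[(?P<name>[^\]]+)\] failed to get certificate: (?P<err>.*)$")
THROTTLE_RE = re.compile(r"^(?P<name>\S+): throttled;")
NOCERT_RE = re.compile(r"^no certificate available for (?P<name>\S+)$")


def classify(line):
    """Parse one handshake-error line into {ts, peer, name, kind, detail}; None for other lines."""
    m = HANDSHAKE_RE.match(line.strip())
    if not m:
        return None
    detail = m.group("detail")
    name, kind = None, "transport"  # e.g. "read: connection reset by peer"
    a, t, n = ACME_RE.match(detail), THROTTLE_RE.match(detail), NOCERT_RE.match(detail)
    if a:
        name, kind = a.group("name"), "acme_error"
    elif t:
        name, kind = t.group("name"), "throttled"
    elif n:
        name, kind = n.group("name"), "no_certificate"
    return {"ts": m.group("ts"), "peer": m.group("peer"), "name": name, "kind": kind, "detail": detail}


def summarize(log_text):
    """Count failures per (server name, kind); transport errors without an SNI name are keyed by peer."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = classify(line)
        if ev:
            counts[(ev["name"] or ev["peer"], ev["kind"])] += 1
    return counts


def has_enough_labels(name):
    """The CA's 'DNS name does not have enough labels' rule: a public name needs two or more non-empty labels."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(labels)


class OnDemandIssuer:
    """Toy model (assumption, not Caddy's implementation) of on-demand issuance with
    a per-name failure backoff and a max_certs cap. Times are seconds as plain numbers."""

    def __init__(self, max_certs, backoff_s=60):
        self.max_certs = max_certs
        self.backoff_s = backoff_s
        self.issued = set()
        self.last_failure = {}

    def request(self, name, now):
        if name in self.issued:
            return "cached"
        last = self.last_failure.get(name)
        if last is not None and now - last < self.backoff_s:
            return "throttled"          # what the log shows two seconds after a failure
        if len(self.issued) >= self.max_certs:
            return "max_certs_reached"
        if not has_enough_labels(name):
            self.last_failure[name] = now
            return "acme_error"         # CA rejects the name; backoff starts
        self.issued.add(name)
        return "issued"


if __name__ == "__main__":
    for (key, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {kind:15s} {key}")
```

Reading the summary this way separates the three things happening at once in the log: names the CA rejects outright, names still inside the backoff window, and the user's own mydomain.com names that simply have no certificate yet because issuance slots were consumed by the failing names.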
I'm now very confused, those random strings of letters have nothing to do with my domains. Why are those attempting to go through, and not my actual mydomain.com?
Apparently some client is making requests to your server with those names. It's the DNS resolver's and CA's job to verify a hostname, that's not Caddy's job. I don't know what those names are either but you might want to fix that / figure it out... :confused:
I figured out the issues with those random strings, and now my original issue still stands. Some content (notably JavaScript and CSS) is served over HTTP. My otherwise working configs are:
External:
*.*.* {
proxy / 10.1.1.42 {
header_upstream Host {host}
header_upstream X-Real-IP {remote}
header_upstream X-Forwarded-For {remote}
header_upstream X-Forwarded-Proto {scheme}
header_upstream Connection {>Connection}
header_upstream Upgrade {>Upgrade}
}
tls {
max_certs 1000
}
}
*.* {
proxy / 10.1.1.42 {
header_upstream Host {host}
header_upstream X-Real-IP {remote}
header_upstream X-Forwarded-For {remote}
header_upstream X-Forwarded-Proto {scheme}
header_upstream Connection {>Connection}
header_upstream Upgrade {>Upgrade}
}
tls {
max_certs 1000
}
}
Internal:
mydomain.com:80 {
fastcgi / 127.0.0.1:9000 php
root /home/caddy/WebHost/mydomain.com
header /wp-content/ Cache-Control "max-age=2592000"
header /wp-includes/js Cache-Control "max-age=2592000"
rewrite {
if {path} not_match ^\/wp-admin
to {path} {path}/ /index.php?url={uri}
}
}
mysql.mydomain.com:80 {
fastcgi / 127.0.0.1:9000 php
root /home/caddy/WebHost/phpMyAdmin
}
invoice.mydomain.com:80 {
fastcgi / 127.0.0.1:9000 php
root /home/caddy/WebHost/InvoicePlane
rewrite {
if {path} not_match ^\/wp-admin
to {path} {path}/ /index.php?url={uri}
}
}
mydomain.org:80 {
fastcgi / 127.0.0.1:9000 php
root /home/caddy/WebHost/mydomain.org
}
firefly.mydomain.com:80 {
proxy / 10.0.1.46
}
mydomain.xyz:80 {
proxy / 192.168.1.116
}
cloud.otherdomain.xyz:80 {
proxy / 10.0.1.43
header / {
Strict-Transport-Security "max-age=31536000;"
}
}
office.otherdomain.xyz:80 {
proxy / https://10.0.1.43:443 {
insecure_skip_verify
transparent
websocket
}
}
relationships.mydomain.org:80 {
proxy / 10.0.1.45
}
Browsing to mydomain.com in the browser shows the page, but Chrome blocks the loading of CSS and JavaScript, due to being served over HTTP, so the page appears broken. Do I need rewrite rules? I assumed that all HTTP requests were redirected to HTTPS if I used automatic TLS?
Also, accessing /wp-admin/ gives me an endless loop of redirects, like this:
--2016-08-13 22:19:23-- https://dfiel.com/wp-admin
Resolving dfiel.com (dfiel.com)... 104.223.72.6
Connecting to dfiel.com (dfiel.com)|104.223.72.6|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:24-- https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:24-- https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:24-- https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:24-- https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:24-- https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:24-- https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:25-- https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:25-- https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:25-- https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:25-- https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:25-- https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:25-- https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:26-- https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:26-- https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:26-- https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:26-- https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:26-- https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:26-- https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:27-- https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:27-- https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
20 redirections exceeded.
Seems similar to #212
Your whole external Caddyfile can become:
*.*, *.*.* # I don't recommend such lazy use of wildcards with on-demand TLS
proxy / 10.1.1.42 {
transparent
websocket
}
tls {
max_certs 1000 # this is too high, you should lower it
}
As for your HTTP/HTTPS problems it's probably in your backend web apps, make sure they are not configured to do extra redirects, etc. Good luck!
The thing is, they worked perfectly before adding the external server. If I port forward my internal server, everything is served over HTTPS, no errors.
Try proxying to http://10.1.1.42 instead of just 10.1.1.42.
@dfiel See #1040 for a similar question as yours.
I got it working, WordPress wasn't respecting the HTTPS in settings :/
(moved to forum)
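The two symptoms in this thread (mixed-content CSS/JS and the 302 loop on /wp-admin) share one root cause: the external Caddy terminates TLS and reaches the backend over plain HTTP, so a backend that decides the scheme from the hop it sees believes it is on HTTP. The added example below (a model written for this thread, not WordPress or Caddy code) simulates that chain: a client following redirects like the wget run above, the external proxy hop adding transparent-style headers, and a backend that either ignores or honours X-Forwarded-Proto. The proxy address 10.1.1.1 and the header-trust rule are assumptions of the model. Honouring the header only from a known proxy address matters because a client that can reach the backend directly could otherwise set X-Forwarded-Proto itself.

```python
from dataclasses import dataclass

# Constructed for the model (not from the thread): the address the backend sees
# the external Caddy connect from. Only this peer may assert X-Forwarded-Proto.
PROXY_ADDR = "10.1.1.1"
TRUSTED_PROXIES = {PROXY_ADDR}


@dataclass
class Request:
    scheme: str       # scheme of the hop that actually reached the backend
    host: str
    path: str
    remote_addr: str  # peer address of that hop
    headers: dict


def effective_scheme(req, trust_forwarded_proto):
    """Scheme the application should act on. X-Forwarded-Proto is honoured only
    when the request came from a trusted proxy; anyone else's header is ignored."""
    if trust_forwarded_proto and req.remote_addr in TRUSTED_PROXIES:
        first = req.headers.get("X-Forwarded-Proto", "").split(",")[0].strip().lower()
        if first in ("http", "https"):
            return first
    return req.scheme


def backend(req, trust_forwarded_proto):
    """Generic backend: insists on HTTPS under /wp-admin and builds absolute
    asset URLs from the scheme it believes it is serving on."""
    scheme = effective_scheme(req, trust_forwarded_proto)
    if req.path.startswith("/wp-admin") and scheme != "https":
        return 302, {"Location": f"https://{req.host}{req.path}"}, ""
    body = f'<link rel="stylesheet" href="{scheme}://{req.host}/wp-includes/css/style.css">'
    return 200, {}, body


def external_proxy(client_scheme, host, path, client_ip, trust_forwarded_proto):
    """Model of the external Caddy hop: TLS ends here, the backend hop is plain
    HTTP, and the headers 'transparent' would set are attached."""
    req = Request(
        scheme="http", host=host, path=path, remote_addr=PROXY_ADDR,
        headers={"Host": host, "X-Forwarded-For": client_ip, "X-Forwarded-Proto": client_scheme},
    )
    return backend(req, trust_forwarded_proto)


def fetch(url, client_ip, trust_forwarded_proto, max_redirects=20):
    """Client following redirects as wget did above. Returns (status, redirects, body);
    status is 'redirect_loop' once max_redirects is exceeded."""
    redirects = 0
    while True:
        scheme, rest = url.split("://", 1)
        host, _, path = rest.partition("/")
        status, headers, body = external_proxy(scheme, host, "/" + path, client_ip, trust_forwarded_proto)
        if status != 302:
            return status, redirects, body
        redirects += 1
        if redirects > max_redirects:
            return "redirect_loop", redirects, ""
        url = headers["Location"]


def mixed_content(page_scheme, body):
    """True when an HTTPS page references a plain-HTTP asset (what Chrome blocked)."""
    return page_scheme == "https" and 'href="http://' in body


if __name__ == "__main__":
    client = "100.14.33.84"  # client address from the log in this thread
    for trust in (False, True):
        status, n, body = fetch("https://mydomain.com/wp-admin", client, trust)
        print(f"trust X-Forwarded-Proto={trust}: /wp-admin -> {status} after {n} redirects")
        status, n, body = fetch("https://mydomain.com/", client, trust)
        print(f"trust X-Forwarded-Proto={trust}: / mixed content = {mixed_content('https', body)}")
```

Running it reproduces the "20 redirections exceeded" outcome when the backend ignores the forwarded scheme and a clean 200 with https:// asset links when it honours it from the proxy, which is the behaviour the thread's fix (making WordPress respect HTTPS) restored.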