Closed ghost closed 6 years ago
Do you have trouble with Caddy in general or specifically with Consul TLS storage? What is your Caddyfile? Do you have the same issues when turning TLS off in your Caddyfile?
What this plugin does is only saving TLS data like keys and certs in the Consul key-value store. The connection in general should never be affected.
On port 80 it'll correctly redirect to port 443, but on port 443 it just kills the connection. The Caddyfile is really pretty basic:
:443 {
    errors stderr
    log stderr
    root /var/www
    tls hostmaster@ipfs.io {
        storage consul
        max_certs 10
    }
}
$ curl -v https://ipld.link
* Rebuilt URL to: https://ipld.link/
* Trying 104.238.177.91...
* Connected to ipld.link (104.238.177.91) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 697 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* gnutls_handshake() failed: The TLS connection was non-properly terminated.
* Closing connection 0
curl: (35) gnutls_handshake() failed: The TLS connection was non-properly terminated.
What I'm looking for is a vhost that proxies to an IPFS daemon, and that'll accept any domain name and try to obtain a certificate for it.
According to Wireshark, curl correctly sends the TLS Client Hello, receives a TCP ACK for that, then the server initiates the closing of the TCP stream (FIN handshake).
By the way, on startup at least the caddytls/acme-v01.api.letsencrypt.org/users/hostmaster@ipfs.io value in Consul gets created, so the connection to Consul seems to work.
Wow this is weird -- I'm seeing a nil pointer panic in caddytls.CacheManagedCertificate() after storage.LoadSite(), but before ConsulStorage.LoadSite() is ever called.
Did I maybe manage to load two storage backends? And why is caddy hiding that panic?
Ah not sure what that was -- maybe some synchronization off between output from different goroutines...
ConsulStorage.LoadSite() anyhow does return nil without an error. I inserted a few printf's and a recover into caddytls.CacheManagedCertificate() and here's what I get:
tlsHelloListener.Accept(92.195.84.242:40304)
ConsulStorage.LoadSite(ipld.link)
storage.LoadSite(ipld.link) => <nil>, %!s(<nil>)
pre makeCertificate(<nil>)
recover() => runtime error: invalid memory address or nil pointer dereference
It's caddytls.ErrNotExist(err) that produces nil.
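The failure mode traced above, as an added illustration that is not code from the thread, Caddy or the Consul storage plugin: a storage backend that reports a missing key as (nil, nil) looks like success to its caller, which then dereferences the nil result and panics. The caller never reaches the "obtain a certificate" path, and the recovered panic surfaces to the client only as a reset TLS handshake. The types, function names and the "example.test" domain below are hypothetical stand-ins chosen for this example; the point is the contract between LoadSite and its caller.

```go
package main

import (
	"errors"
	"fmt"
)

// SiteData stands in for the certificate and key material a storage
// backend hands back (hypothetical type, not Caddy's own).
type SiteData struct {
	Cert []byte
	Key  []byte
}

// ErrNotExist is the sentinel a caller checks for "nothing stored yet".
var ErrNotExist = errors.New("site data does not exist in storage")

// Storage is a minimal LoadSite-style interface (hypothetical).
type Storage interface {
	LoadSite(domain string) (*SiteData, error)
}

// buggyStorage mirrors the bug described in the thread: a missing key in
// the KV store comes back as (nil, nil), which the caller reads as success.
type buggyStorage struct{ kv map[string]*SiteData }

func (s buggyStorage) LoadSite(domain string) (*SiteData, error) {
	return s.kv[domain], nil // nil, nil when the key is absent
}

// fixedStorage reports absence as an explicit ErrNotExist instead.
type fixedStorage struct{ kv map[string]*SiteData }

func (s fixedStorage) LoadSite(domain string) (*SiteData, error) {
	data, ok := s.kv[domain]
	if !ok {
		return nil, ErrNotExist
	}
	return data, nil
}

// unguardedLoad behaves like a caller that trusts a nil error and touches
// the result directly. It reports whether that dereference panicked, which
// is what the recover() in the thread's debugging output caught.
func unguardedLoad(st Storage, domain string) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	data, err := st.LoadSite(domain)
	if err != nil {
		return false
	}
	_ = len(data.Cert) // nil pointer dereference when data is nil
	return false
}

// cacheManagedCertificate is the defensive caller: ErrNotExist routes to
// obtaining a certificate, and a backend that breaks the contract by
// returning (nil, nil) is reported as an error rather than dereferenced.
func cacheManagedCertificate(st Storage, domain string) (string, error) {
	data, err := st.LoadSite(domain)
	if errors.Is(err, ErrNotExist) {
		return "obtain", nil
	}
	if err != nil {
		return "", err
	}
	if data == nil {
		return "", fmt.Errorf("storage returned no data and no error for %s", domain)
	}
	if len(data.Cert) == 0 {
		return "", fmt.Errorf("empty certificate stored for %s", domain)
	}
	return "cached", nil
}

func main() {
	// Constructed sample state: nothing stored for example.test yet.
	buggy := buggyStorage{kv: map[string]*SiteData{}}
	fixed := fixedStorage{kv: map[string]*SiteData{}}
	fmt.Println("buggy backend, naive caller panics:", unguardedLoad(buggy, "example.test"))
	fmt.Println("fixed backend, naive caller panics:", unguardedLoad(fixed, "example.test"))
	status, err := cacheManagedCertificate(fixed, "example.test")
	fmt.Println("fixed backend, defensive caller:", status, err)
	status, err = cacheManagedCertificate(buggy, "example.test")
	fmt.Println("buggy backend, defensive caller:", status, err)
}
```

Both halves matter: the backend should return a distinguishable not-found error, and the caller should treat (nil, nil) as a backend bug and log it, so a storage plugin defect shows up in the logs as an explicit error instead of as silently dropped TLS connections.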
Good catch! That was obviously a bug. ;)
I'm having a bit of trouble getting this to work, and more specifically, debugging my issues -- incoming connections just get reset, or terminated prematurely, and I'm finding it hard to get any information on what's going on.
Please advise how to debug, are there obscure logging options to turn on, or any other means of introspection? I'm happy to insert Printf lines into caddy, if that's what I'll have to do :)