Description
Hi! I just spent some time trying to set up this software behind an sniproxy-based reverse proxy with “proxy_protocol” support enabled, but I couldn't get it to work. When using the ALPN challenge I get:
```
test_caddy | Activating privacy features... 2019/01/26 20:44:19 [INFO] acme: Registering account for [email protected]
test_caddy | 2019/01/26 20:44:19 [INFO] [test.ninetailed.ninja] acme: Obtaining bundled SAN certificate
test_caddy | 2019/01/26 20:44:19 [INFO] [test.ninetailed.ninja] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/cFVMAoxTSk4JwTN2D0-MVhYXB0sVmOQdg6LSUNsgz78
test_caddy | 2019/01/26 20:44:19 [INFO] [test.ninetailed.ninja] acme: use tls-alpn-01 solver
test_caddy | 2019/01/26 20:44:19 [INFO] [test.ninetailed.ninja] acme: Trying to solve TLS-ALPN-01
test_caddy | 2019/01/26 20:44:21 http: TLS handshake error from 172.18.0.5:44350: tls: oversized record received with length 22617
test_caddy | 2019/01/26 20:44:21 http: TLS handshake error from 172.18.0.5:44354: tls: oversized record received with length 22617
test_caddy | 2019/01/26 20:44:21 http: TLS handshake error from 172.18.0.5:44358: tls: oversized record received with length 22617
test_caddy | 2019/01/26 20:44:21 http: TLS handshake error from 172.18.0.5:44362: tls: oversized record received with length 22617
test_caddy | 2019/01/26 20:44:21 http: TLS handshake error from 172.18.0.5:44364: tls: oversized record received with length 22617
test_caddy | 2019/01/26 20:44:21 http: TLS handshake error from 172.18.0.5:44366: tls: oversized record received with length 22617
test_caddy | 2019/01/26 20:44:21 http: TLS handshake error from 172.18.0.5:44368: tls: oversized record received with length 22617
test_caddy | 2019/01/26 20:44:21 http: TLS handshake error from 172.18.0.5:44370: tls: oversized record received with length 22617
test_caddy | 2019/01/26 20:44:26 [test.ninetailed.ninja] failed to obtain certificate: acme: Error -> One or more domains had a problem:
test_caddy | [test.ninetailed.ninja] acme: error: 400 :: urn:ietf:params:acme:error:tls :: remote error: tls: record overflow, url:
test_caddy | exit status 1
test_caddy exited with code 1
```
When disabling TLS-ALPN-01 and using HTTP-01 instead, I get:
```
test_caddy | Activating privacy features... 2019/01/26 20:47:30 [INFO] [test.ninetailed.ninja] acme: Obtaining bundled SAN certificate
test_caddy | 2019/01/26 20:47:31 [INFO] [test.ninetailed.ninja] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/pSEq4OKVS8Rq_4Qvr_2DBRWW8izqUI0wkM1OXIkVhXU
test_caddy | 2019/01/26 20:47:31 [INFO] [test.ninetailed.ninja] acme: Could not find solver for: tls-alpn-01
test_caddy | 2019/01/26 20:47:31 [INFO] [test.ninetailed.ninja] acme: use http-01 solver
test_caddy | 2019/01/26 20:47:31 [INFO] [test.ninetailed.ninja] acme: Trying to solve HTTP-01
test_caddy | 2019/01/26 20:47:37 [test.ninetailed.ninja] failed to obtain certificate: acme: Error -> One or more domains had a problem:
test_caddy | [test.ninetailed.ninja] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://test.ninetailed.ninja/.well-known/acme-challenge/XyPxxbLYHFOe8R_FySSwLJ2daCY1sa6epb71Yvdf39w [2001:1608:39::a]: 400, url:
test_caddy | exit status 1
test_caddy exited with code 1
```
Both of these work, however, when disabling the PROXY protocol in both Caddy (this plugin) and sniproxy (the proxy_protocol flag). I can also attest that sniproxy's PROXY protocol implementation works without issues when used with nginx.
When getting a cert without using the PROXY protocol (i.e. disabling this plugin), I'm also not able to view HTTPS content when enabling it afterwards (but HTTP works, although it will receive the PROXY headers as well):
```
test_caddy | Activating privacy features... 2019/01/26 20:53:35 [INFO][test.ninetailed.ninja] Obtain: Certificate already exists in storage
test_caddy | done.
test_caddy | https://test.ninetailed.ninja
test_caddy | http://test.ninetailed.ninja
test_caddy | 2019/01/26 20:53:35 https://test.ninetailed.ninja
test_caddy | 2019/01/26 20:53:35 http://test.ninetailed.ninja
test_caddy | 2019/01/26 20:53:35 [NOTICE] Sending telemetry: we were too early; waiting 1h1m45.482846269s before trying again
test_caddy | 2019/01/26 20:53:58 http: TLS handshake error from 172.18.0.5:39472: invalid source address
test_caddy | 2019/01/26 20:54:01 http: TLS handshake error from 172.18.0.5:39498: invalid source address
```
In each case the Caddyfile was just:
```
test.ninetailed.ninja
proxyprotocol
```
And the sniproxy config was:
```
listener [::]:80 {
    protocol http
}
listener [::]:443 {
    protocol tls
}
table {
    # some other rules
    test.ninetailed.ninja test_caddy proxy_protocol
    # some other rules
}
```
(where test_caddy is the name of the Caddy server container).
Do you maybe have some insights into this by any chance?
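The two error messages in the report encode exactly what went wrong on the wire, and it is worth making that visible. The script below is an added example (not code from Caddy, this plugin or sniproxy) that parses a PROXY protocol v1 header and a TLS record header over constructed sample bytes. Fed the raw bytes a PROXY-speaking proxy sends, a TLS listener that is not stripping the header reads the ASCII `P`, `R`, `O`, `X`, `Y` as record type 0x50, version 0x52.0x4f and a big-endian length of 0x5859 = 22617, which exceeds the 2^14 + 2048 byte record limit from RFC 5246 and produces precisely the `oversized record received with length 22617` seen above; the same header in front of an HTTP-01 validation request turns the request line into six space-separated tokens, which an HTTP/1.x parser rejects with a 400. The addresses, ports, the zero-filled ClientHello body and the challenge token path are all constructed for the example.

```python
"""Why a PROXY protocol v1 header breaks a listener that does not expect it.

Added example, not code from Caddy, the proxyprotocol plugin or sniproxy.
All sample bytes below are constructed; the ClientHello is a zero-filled stand-in.
"""
import re
import struct

# RFC 5246 s6.2.3: TLSCiphertext.length must not exceed 2^14 + 2048 bytes.
TLS_MAX_RECORD_LEN = 2**14 + 2048

# PROXY protocol v1 header: "PROXY <proto> <src> <dst> <sport> <dport>\r\n",
# at most 107 bytes including the CRLF (haproxy proxy-protocol specification).
PROXY_V1_RE = re.compile(rb"^PROXY (TCP4|TCP6|UNKNOWN)(?: (\S+) (\S+) (\d+) (\d+))?\r\n")
PROXY_V1_MAX_LEN = 107


def parse_proxy_v1(data):
    """Split a PROXY v1 header off the front of a stream.

    Returns (fields, rest). fields is None and rest is the unchanged input when
    no header is present; a PROXY-aware listener should only fall back to that
    if it deliberately accepts unproxied clients, since the header is what it
    trusts for the client address.
    """
    m = PROXY_V1_RE.match(data)
    if m is None or m.end() > PROXY_V1_MAX_LEN:
        return None, data
    fields = {"proto": m.group(1).decode("ascii")}
    if m.group(2) is not None:
        fields.update(
            src=m.group(2).decode("ascii"),
            dst=m.group(3).decode("ascii"),
            src_port=int(m.group(4)),
            dst_port=int(m.group(5)),
        )
    return fields, data[m.end():]


def tls_record_header(data):
    """Read the 5-byte TLS record header: content type, (major, minor), length."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return ctype, (major, minor), length


def tls_record_oversized(data):
    """True when a TLS receiver would reject the first record as too long."""
    _, _, length = tls_record_header(data)
    return length > TLS_MAX_RECORD_LEN


def http_request_line_ok(data):
    """Minimal HTTP/1.x request-line check: exactly three tokens, HTTP/1.x version."""
    line, _, _ = data.partition(b"\r\n")
    parts = line.split(b" ")
    return len(parts) == 3 and parts[2].startswith(b"HTTP/1.")


# Constructed sample traffic (addresses and ports modelled on the issue's log lines).
PROXY_HDR = b"PROXY TCP4 172.18.0.5 172.18.0.2 44350 443\r\n"
# Record header: handshake (0x16), record version 3.1, 200-byte payload, followed
# by a ClientHello handshake header (type 1, length 196) and a zero-filled body.
CLIENT_HELLO = b"\x16\x03\x01\x00\xc8" + b"\x01\x00\x00\xc4" + bytes(196)
HTTP_GET = b"GET /.well-known/acme-challenge/token HTTP/1.1\r\nHost: example.invalid\r\n\r\n"


if __name__ == "__main__":
    raw = PROXY_HDR + CLIENT_HELLO
    print("raw bytes read as a TLS record:", tls_record_header(raw))  # (80, (82, 79), 22617)
    print("oversized:", tls_record_oversized(raw))                    # True
    fields, rest = parse_proxy_v1(raw)
    print("after stripping the header:", fields, tls_record_header(rest))  # ... (22, (3, 1), 200)
    print("HTTP-01 request line with header:", http_request_line_ok(PROXY_HDR + HTTP_GET))  # False
    print("HTTP-01 request line after strip:", http_request_line_ok(parse_proxy_v1(PROXY_HDR + HTTP_GET)[1]))  # True
```

Running it against your own capture (for example the first few hundred bytes of a `tcpdump -X` of the proxy-to-backend leg) tells you which side is at fault: if the first five bytes on the backend socket are `PROXY` the proxy is sending the header and the listener handling that connection is not consuming it, whereas if they are `\x16\x03\x01` the proxy is not sending it on that path at all.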