Comments (5)

jaredfolkins commented on June 3, 2024

The http2 library is very specific about what cipher suites are allowed.

https://github.com/bradfitz/http2/blob/b6255645465a25b25f804acb9b3a54009e80c2a4/server.go#L228-L302

If you are getting this error on a large network I would wonder about some sort of MITM device. An IDS or IPS that is trying to force its requirements on the connection.

Out of curiosity, if you change the ssl port to a non default port (22443) and try to connect, what happens?

Jared

from caddy.

mholt commented on June 3, 2024

As soon as I can try, I will let you know, because that's a good idea. I know for a fact that the campus is using an SSL proxy (grrr but oh well). And thanks for the link, I hadn't noticed that before. And I would think immediately that must be it, except that I can load https://http2.golang.org just fine on campus. Wonder if it has something to do with SNI...

mholt commented on June 3, 2024

I'm going to close this for now. I think it's out of our control which ciphers the clients/MITM support. And I haven't heard anyone else have the same problem.

dobbs commented on June 3, 2024

I ran into this error tonight while trying to add a new virtual host in my Caddyfile:

2017/12/08 04:56:24 [ERROR] Maintaining newly-loaded certificate for EXAMPLE.COM get directory at 'https://acme-v01.api.letsencrypt.org/directory': failed to get json "https://acme-v01.api.letsencrypt.org/directory": Get https://acme-v01.api.letsencrypt.org/directory: x509: failed to load system roots and no roots provided
2017/12/08 04:56:24 http: TLS handshake error from IP-ADDRESS:57270: tls: no cipher suite supported by both client and server

I run caddy in a docker container (alpine base image). I was able to correct the problem like this:

docker exec -it --user root THE-CONTAINER-ID sh
apk add ca-certificates
exit
docker restart THE-CONTAINER-ID

I think that the root certificates baked into my docker image are out of date. The final message about no cipher suite seems misleading. The error immediately before it about roots is what made me think to update the ca-certificates.

francislavoie commented on June 3, 2024

Yeah, I think it's generally accepted that you need to install ca-certificates or something that requires it if you need to do any networking with HTTPS from inside a container. For example, see https://github.com/abiosoft/caddy-docker/blob/master/Dockerfile (probably the most popular Caddy docker image), which installs git, which has a dependency of libcurl, which has a dependency of ca-certificates. (see here: https://pkgs.alpinelinux.org/package/v3.6/main/x86_64/git)
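
The handshake error quoted in this thread can be reproduced in isolation, which helps when deciding whether a given log line really comes from disjoint cipher suite lists. The Go program below is an added example, not code from Caddy or from any commenter; the self-signed certificate, the in-memory pipe and the function names are constructed for the demo, and TLS 1.2 is pinned because Go's `CipherSuites` setting does not apply to TLS 1.3.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

var gcm128 = []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}
var gcm256 = []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384}

// selfSigned builds a throwaway ECDSA certificate (constructed for this demo).
func selfSigned() tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo.invalid"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// serverHandshakeError runs one TLS 1.2 handshake over an in-memory pipe and
// returns the error the server side reports (nil on success).
func serverHandshakeError(serverSuites, clientSuites []uint16) error {
	c, s := net.Pipe()
	defer c.Close()
	defer s.Close()
	go tls.Client(c, &tls.Config{
		CipherSuites: clientSuites, MaxVersion: tls.VersionTLS12,
		InsecureSkipVerify: true, // demo only: self-signed cert, nothing to verify against
	}).Handshake()
	return tls.Server(s, &tls.Config{
		Certificates: []tls.Certificate{selfSigned()},
		CipherSuites: serverSuites, MaxVersion: tls.VersionTLS12,
	}).Handshake()
}

func main() {
	fmt.Println("disjoint lists:", serverHandshakeError(gcm128, gcm256))
	fmt.Println("shared suite:  ", serverHandshakeError(gcm128, gcm128))
}
```

The first call yields the same server-side message as the log above; the second completes without error.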
