
Problem with the way Caddy serves multiple certificates #2334

Closed
ghost opened this issue Nov 5, 2018 · 7 comments
Labels
invalid ❓ This doesn't seem right

Comments

@ghost

ghost commented Nov 5, 2018

1. What version of Caddy are you using (caddy -version)?

Caddy 0.11.0 (+22dfb14 Sun Nov 04 19:32:32 UTC 2018) (unofficial)

2. What are you trying to do?

I'm trying to fetch a certificate from my domain app01.domain.tld by using the following shell script.

#!/bin/bash
#
# usage: sh script.sh app01.domain.tld 443
#
REMHOST=$1
REMPORT=${2:-443}

# Connect, feed an empty stdin so s_client exits after the handshake,
# and keep only the PEM certificate block from the output.
echo |\
openssl s_client -connect "${REMHOST}:${REMPORT}" 2>&1 |\
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

3. What is your entire Caddyfile?

(ecc-tls) {
    tls {
        dns gandiv5
        ciphers ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-WITH-CHACHA20-POLY1305
        key_type p256
        must_staple
    }
}

app01.domain.tld {
    import ecc-tls
}

app02.domain.tld {
    import ecc-tls
}

app03.domain.tld {
    import ecc-tls
}

4. How did you run Caddy (give the full command and describe the execution environment)?

caddy -agree -http2 -quic -log /opt/caddy/log -root /opt/caddy/webroot -conf /opt/caddy/Caddyfile

I'm running Caddy on Debian 9.5 (stretch).

5. Please paste any relevant HTTP request(s) here.

N/A

6. What did you expect to see?

The certificate of app01.domain.tld.

7. What did you see instead (give full error messages and/or log)?

The certificate of either app01, app02 or app03.domain.tld. The certificate changes each time you run the shell script.

8. How can someone who is starting from scratch reproduce the bug as minimally as possible?

  1. Install Caddy.
  2. Set up three or more subdomains on your own domain.
  3. Copy my Caddyfile and adjust it as needed to fetch a certificate for each subdomain.
  4. Use the provided shell script to fetch the certificate of one of the subdomains.

This issue does not affect sites which are not served with Caddy. To verify this, run the same shell script on such a domain and observe that the certificate in the output is the same every time you run it and that it is the correct one for the domain.

The practical relevance of this problem is that the remote control software MeshCentral cannot fetch the correct certificate from a subdomain that is served with Caddy because it receives a different certificate each time it tries to fetch it.

@ghoeffner

Related to #1303 👍

@tobya
Collaborator

tobya commented Nov 11, 2018

With regard to #1303, does the following work if you specify :443 at the end of your domains to force HTTPS?

(ecc-tls) {
    tls {
        dns gandiv5
        ciphers ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-WITH-CHACHA20-POLY1305
        key_type p256
        must_staple
    }
}

app01.domain.tld:443 {
    import ecc-tls
}

app02.domain.tld:443 {
    import ecc-tls
}

app03.domain.tld:443 {
    import ecc-tls
}

Also, please fill in all the questions on the issue sheet. You have left question 5 blank, but it is hugely relevant in this instance. How are you requesting the domain?

If this fixes your issue I will explain with reference to #1303 what is happening.

@ghost
Author

ghost commented Nov 11, 2018

@tobya No, specifying :443 at the end of the domains sadly didn't fix my issue. The certificate still changes each time I run the shell script.

As for question 5, I'm not sure where I can get the HTTP request from. I'm using openssl to request the certificate from the domain (see shell script), so I'm not seeing the actual HTTP request in the terminal.

@tobya
Collaborator

tobya commented Nov 12, 2018

Can you specify how you are calling your shell script? Can you use an actual call?

@mholt mholt closed this as completed Nov 13, 2018
@ghost
Author

ghost commented Nov 13, 2018

Just for future reference: the reason the fetched certificate changed each time is that I wasn't telling OpenSSL to use SNI. The following shell script can be used to fetch the correct certificate each time:

#!/bin/bash
#
# usage: sh script.sh app01.domain.tld 443
#
REMHOST=$1
REMPORT=${2:-443}

# -servername puts the hostname into the TLS server_name (SNI) extension, so a
# server hosting several sites can select the certificate for this one.
echo |\
openssl s_client -servername "${REMHOST}" -connect "${REMHOST}:${REMPORT}" 2>&1 |\
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

@tobya
Collaborator

tobya commented Nov 14, 2018

@WhaleHub thanks for the update. The underlying issue when you didn't specify SNI is fixed with #2339.

@tobya tobya added the invalid ❓ This doesn't seem right label Nov 14, 2018
@ghost
Author

ghost commented Nov 14, 2018

@tobya I can confirm that OpenSSL now returns a TLS alert instead of a random certificate when attempting to fetch the certificate without using SNI.
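An added example (not Caddy's code and not from anyone in this thread) that reproduces both behaviours discussed above in-process: a TLS server that selects its certificate by SNI, once with an arbitrary fallback when the ClientHello carries no server_name (the "different certificate each run" seen by the first script) and once refusing such a handshake with a TLS alert (the behaviour confirmed after #2339). The names `selfSigned`, `servedCert`, the `strict` flag and the self-signed P-256 certificates are constructed for this example; the hostnames come from the Caddyfile.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net"
	"time"
)

// selfSigned builds an in-memory self-signed P-256 certificate for one hostname (constructed test data).
func selfSigned(host string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// servedCert runs one TLS handshake over an in-memory pipe and returns the first SAN of the
// certificate the server presented. The server picks its certificate by the SNI name; strict=false
// falls back to an arbitrary certificate when the name is unknown or absent, strict=true refuses.
func servedCert(certs map[string]tls.Certificate, sni string, strict bool) (string, error) {
	pick := func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
		if c, ok := certs[h.ServerName]; ok {
			return &c, nil
		}
		if strict {
			return nil, errors.New("no certificate for SNI name " + h.ServerName) // client sees a TLS alert
		}
		for _, c := range certs { // Go randomises map order: a different certificate on each handshake
			return &c, nil
		}
		return nil, errors.New("no certificates configured")
	}
	srvCfg := &tls.Config{GetCertificate: pick, SessionTicketsDisabled: true} // no post-handshake writes on the pipe
	cli, srv := net.Pipe()
	go func() { tls.Server(srv, srvCfg).Handshake(); srv.Close() }()
	conn := tls.Client(cli, &tls.Config{ServerName: sni, InsecureSkipVerify: true}) // sni "" = no server_name
	defer conn.Close()
	if err := conn.Handshake(); err != nil {
		return "", err
	}
	return conn.ConnectionState().PeerCertificates[0].DNSNames[0], nil
}
```

Calling `servedCert(certs, "app01.domain.tld", true)` returns the app01 certificate, while `servedCert(certs, "", true)` fails with a remote TLS alert and `servedCert(certs, "", false)` returns whichever certificate the map yields, which is exactly why the non-SNI script saw a different one per run.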
