Caddy for SSL Access

Just read the thread which mentioned using the following script to install and configure Caddy:

http://install.manager.io/

Since Manager is already installed and running properly with my subdomain pointing to the server IP (CentOS 7, server edition), I just started with:

curl -fsSL https://getcaddy.com | bash

and after finishing all the following commands, I tried to visit:

https://mydomain or https://myIP

Then I cannot visit Manager anymore, but Manager can still be visited through HTTP and via port 8080.

Is there anything I should do to enable SSL after running the whole script from http://install.manager.io/?

What does it mean? If you had Manager running on port 8080, then https://mydomain wouldn’t have worked before, only https://mydomain:8080.

Why do you say you cannot visit Manager anymore after installing Caddy?

Sorry for the misunderstanding. I just followed your script to install Caddy; after that, Manager Server can still be visited on port 8080, but cannot be visited through HTTPS or port 443. Therefore, I think Caddy is not correctly configured.

So I don’t know whether there is an additional step beyond the script you provided to enable SSL.

There are a few things you can check.

Perhaps the firewall has been configured to disallow ports 80 and 443. Or maybe something is already running on those ports, so Caddy cannot start.

Try to type systemctl status caddy to see what output you get from the caddy service.

I am using a clean CentOS VPS to test the install of Manager, and I have enabled port 443, as shown below:

# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports: 443/tcp 8080/tcp 445/tcp
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

And systemctl status caddy shows:

caddy.service
Loaded: loaded (/etc/systemd/system/caddy.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2017-08-13 05:00:03 EDT; 4h 15min ago
Main PID: 2181 (caddy)
CGroup: /system.slice/caddy.service
└─2181 /usr/local/bin/caddy -agree=true -conf=/usr/share/manager-server/ca…

Aug 13 05:00:03 UCS-IHAV6Q5B systemd[1]: Started caddy.service.
Aug 13 05:00:03 UCS-IHAV6Q5B systemd[1]: Starting caddy.service…
Aug 13 05:00:03 UCS-IHAV6Q5B caddy[2181]: Activating privacy features… done.
Aug 13 05:00:03 UCS-IHAV6Q5B caddy[2181]: https://
Aug 13 05:00:03 UCS-IHAV6Q5B caddy[2181]: http://

In this case, I can visit Manager via port 8080, but over HTTPS the browser said:

This site can’t provide a secure connection

xxxx.xxx.xxx sent an invalid response.
Try running Windows Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR

Seems like Caddy is running.
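An added check for the firewall point raised above (example code written for this thread, not part of the original posts or of the install.manager.io script): it parses a firewall-cmd --list-all listing and reports which of the ports lubos named are not opened. The assumption behind the required-port list is that Caddy’s automatic HTTPS serves TLS on 443 and also uses 80 for the HTTP-to-HTTPS redirect and the ACME HTTP challenge, so both need to be reachable. The sample listing is the one posted in the thread, which opens 443 and 8080 but not 80.

```shell
# Added example, not from the thread, Manager or Caddy: check that a firewalld
# zone listing opens every port Caddy's automatic HTTPS needs (80 and 443 are
# assumed here, per the note above).

# Constructed sample: the zone listing posted in the thread (443 and 8080 open,
# 80 not open).
SAMPLE_ZONE='public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports: 443/tcp 8080/tcp 445/tcp
protocols:
masquerade: no'

# extract_ports: read a `firewall-cmd --list-all` listing on stdin and print the
# opened ports one per line, plus the ports implied by the http/https services
# (only those two service names are mapped here). The anchored patterns keep
# "sourceports:" and "forward-ports:" lines from being misread as "ports:".
extract_ports() {
    awk '
        /^[[:space:]]*ports:/    { for (i = 2; i <= NF; i++) print $i }
        /^[[:space:]]*services:/ { for (i = 2; i <= NF; i++) {
                                       if ($i == "http")  print "80/tcp"
                                       if ($i == "https") print "443/tcp"
                                   } }
    '
}

# missing_ports PORT...: read the listing on stdin and print each required port
# that is not opened, one per line. Returns 1 if anything is missing.
missing_ports() {
    opened=$(extract_ports)
    rc=0
    for want in "$@"; do
        if ! printf '%s\n' "$opened" | grep -qx "$want"; then
            printf '%s\n' "$want"
            rc=1
        fi
    done
    return $rc
}

# check_sample: run the check against the constructed sample; prints the ports
# the thread's listing is missing (expected: 80/tcp).
check_sample() {
    printf '%s\n' "$SAMPLE_ZONE" | missing_ports 80/tcp 443/tcp || true
}

# On a real host the same check is:
#   firewall-cmd --list-all | missing_ports 80/tcp 443/tcp
# and the gap is closed with:
#   firewall-cmd --permanent --add-service=http && firewall-cmd --reload
```

The script only reads the listing; opening a port stays a deliberate step, and firewall-cmd needs --reload (or a second run without --permanent) before a permanent change takes effect.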

Do you access https by IP address or by domain name? You need to access it by domain name and it cannot be “localhost”.

The reason for this is that Caddy won’t issue an SSL certificate for “localhost” or for an IP address.

@lubos I have pointed the A record to my server, and can visit it through port 8080 with no problem. But it seems that in the script you provided there is no place to enter the domain or provide information about my domain/subdomain, so how can Caddy generate an SSL certificate for me?

You don’t need to enter the domain anywhere. Caddy will automatically request an SSL certificate for the domain name you are accessing the first time it is accessed.

So if you have a domain name something.anything.com, when you go to https://something.anything.com you get ERR_SSL_PROTOCOL_ERROR, and when you go to http://something.anything.com:8080 you see Manager. Correct?

Yes, exactly.

  • Try to check the SSL connection using SSL Server Test (Powered by Qualys SSL Labs).
  • Try a different web browser.
  • Try to access your server using a different domain name, e.g. www.10.0.0.1.xip.io or www.10.0.0.1.nip.io, where you replace 10.0.0.1 with the IP of your server.

Thanks @lubos. I used SSL Server Test (Powered by Qualys SSL Labs) to check, and it showed me a valid certificate; after that I can access it through Chrome.

I guess Chrome has some security setting, so the server cannot initiate the SSL certification when first connected to from Chrome.

BTW, what if I have another service running on a different port, e.g. 8090? Can I modify the current Caddy configuration file to enable SSL on 8090?

You can add multiple rules to Caddy so it will redirect to different ports based on the domain name. So you can have Caddy serve SSL for two or more different servers at the same time.

But this is out of scope for this forum; check the Caddy documentation at https://caddyserver.com/ to learn how to set it up. It’s quite a common use case.
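An added example of the multi-site setup described above (written for this thread; it is not the Caddyfile that the install.manager.io script generates, which is not shown here). It renders one Caddy site block per hostname, each proxied to its own local port, so a single Caddy instance terminates TLS for Manager on 8080 and a second service on 8090. Assumptions: the 2017-era Caddy 0.x Caddyfile syntax with the proxy directive (Caddy 2 spells this reverse_proxy); the hostnames, ports and the output path are constructed placeholders.

```shell
# Added example, not from the thread, Manager or the install script: render a
# Caddyfile with one site block per domain, each proxied to a local port.
# Assumes Caddy 0.x `proxy` syntax; Caddy 2 uses `reverse_proxy` instead.

# render_site DOMAIN PORT: print one site block. Caddy requests a certificate
# for DOMAIN on its own; `transparent` passes the original Host header and the
# client IP through to the backend.
render_site() {
    domain=$1
    port=$2
    printf '%s {\n    proxy / localhost:%s {\n        transparent\n    }\n}\n\n' "$domain" "$port"
}

# render_caddyfile DOMAIN:PORT...: validate each mapping and print the whole
# Caddyfile to stdout. Fails (exit 1) on a non-numeric port or on a domain
# listed twice, so the generated file never carries two blocks for one host.
render_caddyfile() {
    seen=""
    for entry in "$@"; do
        domain=${entry%%:*}
        port=${entry#*:}
        case "$port" in
            ''|*[!0-9]*) echo "bad port in '$entry'" >&2; return 1 ;;
        esac
        case " $seen " in
            *" $domain "*) echo "duplicate domain '$domain'" >&2; return 1 ;;
        esac
        seen="$seen $domain"
        render_site "$domain" "$port"
    done
}

# Constructed mapping: Manager on 8080 plus a second service on 8090, each
# behind its own placeholder hostname.
example_caddyfile() {
    render_caddyfile manager.example.com:8080 other.example.com:8090
}

# Typical use on the host (the config path is a placeholder; the thread's real
# path is truncated in the systemctl output):
#   example_caddyfile > /etc/caddy/Caddyfile && systemctl restart caddy
```

Each site label must resolve to the server in DNS before Caddy starts, since it requests the certificate for each hostname at startup; as the thread notes, an IP address or localhost will not get one.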