Caddy认为一切都很好:
{"level":"info","ts":...,"logger":"tls.issuance.acme.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme-v02.api.letsencrypt.org/acme/order/.../..."}
{"level":"info","ts":...,"logger":"tls.issuance.acme.acme_client","msg":"successfully downloaded available certificate chains","count":2,"first_url":"https://acme-v02.api.letsencrypt.org/acme/cert/..."}
{"level":"info","ts":...,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"service.internal.example.com"}
{"level":"info","ts":...,"logger":"tls.obtain","msg":"releasing lock","identifier":"service.internal.example.com"}
Caddy容器内部:
# curl https://localhost/ -H "Host: service.internal.example.com" -v
* Trying 127.0.0.1:443...
* Connected to localhost (127.0.0.1) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, internal error (592):
* error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
* Closing connection 0
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
Caddyfile:
{
acme_dns cloudflare ... # github.com/caddy-dns/cloudflare
}
service.internal.example.com {
reverse_proxy localhost:1234 # curl localhost:1234 works
}
Wget抛出相同的错误文本,但错误编号略有不同:
# wget https://localhost/ --header "Host: service.internal.example.com" -v
--...-- https://localhost/
Resolving localhost (localhost)... 127.0.0.1, ::1
Connecting to localhost (localhost)|127.0.0.1|:443... connected.
OpenSSL: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
Unable to establish SSL connection.
感谢@Buffeonism,我尝试过:
$ curl https://service.internal.example.com --resolve service.internal.example.com:443:127.0.0.1
这个调用(在Caddy容器内(有一个成功的200响应。我已经退出到服务器,结果相同:
$ curl https://service.internal.example.com --resolve service.internal.example.com:443:10.1.2.3.4 # works
因此,这似乎是我的线索:service.internal.example.com的主机标头失败,但curl的resolve标志有效。
我不知道下一步该做什么。
它看起来像TLS SNI。因为您连接到localhost,curl和wget将发送localhost的TLS SNI,而不是service.internal.example.com。这意味着服务器拒绝它。
作为一种替代方法,使用curl的resolve选项将地址固定到域:
curl https://service.internal.example.com --resolve service.internal.example.com:443:127.0.0.1