凯迪认为一切都很好:
{"level":"info","ts":...,"logger":"tls.issuance.acme.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme-v02.api.letsencrypt.org/acme/order/.../..."}
{"level":"info","ts":...,"logger":"tls.issuance.acme.acme_client","msg":"successfully downloaded available certificate chains","count":2,"first_url":"https://acme-v02.api.letsencrypt.org/acme/cert/..."}
{"level":"info","ts":...,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"service.internal.example.com"}
{"level":"info","ts":...,"logger":"tls.obtain","msg":"releasing lock","identifier":"service.internal.example.com"}在Caddy容器内:
# curl https://localhost/ -H "Host: service.internal.example.com" -v
* Trying 127.0.0.1:443...
* Connected to localhost (127.0.0.1) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, internal error (592):
* error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
* Closing connection 0
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal errorCaddy档案:
{
acme_dns cloudflare ... # github.com/caddy-dns/cloudflare
}
service.internal.example.com {
reverse_proxy localhost:1234 # curl localhost:1234 works
}Wget抛出相同的错误文本,但错误号略有不同:
# wget https://localhost/ --header "Host: service.internal.example.com" -v
--...-- https://localhost/
Resolving localhost (localhost)... 127.0.0.1, ::1
Connecting to localhost (localhost)|127.0.0.1|:443... connected.
OpenSSL: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
Unable to establish SSL connection.感谢@Buffoonism,我尝试过:
$ curl https://service.internal.example.com --resolve service.internal.example.com:443:127.0.0.1这个调用(在Caddy容器中)有一个成功的200响应。我已经回退到服务器,结果是一样的:
$ curl https://service.internal.example.com --resolve service.internal.example.com:443:10.1.2.3.4 # works所以,这似乎是我的线索:主机头service.internal.example.com失败,但curl的resolve标志有效。
我不知道下一步该怎么做
1条答案
按热度按时间wljmcqd81#
这看起来像是一个TLS SNI的东西。因为你连接到localhost,curl和wget将发送一个
localhost的TLS SNI,而不是service.internal.example.com。这意味着服务器拒绝它。作为一种替代方法,使用curl的
resolveoption将地址固定到域: