I'm trying to set up a matcher as I need to ONLY offer TLS 1.2 for the Element X client due to element-hq/element-x-ios#786. As I do not want to downgrade the security for every client (since they share the same domain and endpoints) I am trying to apply the TLS rules by user agent. I am using the cloudflare DNS plugin to get my certificates issued.
I have defined this "snippet" in the Caddyfile so I can import it into the individual websites, but this has caused issues with certificate issuance (see logs below) since it is trying to parse the @tls12only matcher as an email for the tls directive.
```caddyfile
(fix-elementx) {
	@tls12only {
		header_regexp User-Agent Element X
	}
	tls @tls12only {
		protocols tls1.2 tls1.2
	}
}
```
Is there any way to achieve this type of configuration?
Logs:

```
Aug 12 15:34:35 nginx caddy[51414]: {"level":"warn","ts":1691854475.9346201,"logger":"tls.issuance.zerossl","msg":"missing email address for ZeroSSL; it is strongly recommended to set one for next time"}
Aug 12 15:34:36 nginx caddy[51414]: {"level":"error","ts":1691854476.19086,"logger":"tls.renew","msg":"could not get certificate from issuer","identifier":"chat.fuo.fi","issuer":"acme.zerossl.com-v2-censor","error":"account pre-registration callback: failed getting EAB credentials: HTTP 200: invalid_email (code 2901)"}
Aug 12 15:34:36 nginx caddy[51414]: {"level":"error","ts":1691854476.1909115,"logger":"tls.renew","msg":"will retry","error":"[chat.fuo.fi] Renew: account pre-registration callback: failed getting EAB credentials: HTTP 200: invalid_email (code 2901)","attempt":1,"retrying_in":60,"elapsed":1.442140529,"max_duration":2592000}
Aug 12 15:34:36 nginx caddy[51414]: {"level":"error","ts":1691854476.341747,"logger":"tls.renew","msg":"could not get certificate from issuer","identifier":"fuo.fi","issuer":"acme.zerossl.com-v2-censor","error":"account pre-registration callback: failed getting EAB credentials: HTTP 200: invalid_email (code 2901)"}
Aug 12 15:34:36 nginx caddy[51414]: {"level":"error","ts":1691854476.3418047,"logger":"tls.renew","msg":"will retry","error":"[fuo.fi] Renew: account pre-registration callback: failed getting EAB credentials: HTTP 200: invalid_email (code 2901)","attempt":1,"retrying_in":60,"elapsed":1.593005769,"max_duration":2592000}
Aug 12 15:34:36 nginx caddy[51414]: {"level":"info","ts":1691854476.7611685,"logger":"tls.issuance.zerossl","msg":"generated EAB credentials","key_id":"censor"}
Aug 12 15:34:37 nginx caddy[51414]: {"level":"error","ts":1691854477.714659,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"lime.fuo.fi","issuer":"acme.zerossl.com-v2-censor","error":"HTTP 400 urn:ietf:params:acme:error:invalidContact - A contact URL for an account was invalid"}
Aug 12 15:34:37 nginx caddy[51414]: {"level":"error","ts":1691854477.7147174,"logger":"tls.obtain","msg":"will retry","error":"[lime.fuo.fi] Obtain: registering account [mailto:@tls12only] with server: attempt 1: https://acme.zerossl.com/v2/censor/newAccount: HTTP 400 urn:ietf:params:acme:error:invalidContact - A contact URL for an account was invalid","attempt":1,"retrying_in":60,"elapsed":2.960061756,"max_duration":2592000}
```
fuomag9 changed the title from "Cannot obtain SSL certificate with tis directive when using a matcher" to "Cannot obtain SSL certificate with tls directive when using a matcher" on Aug 12, 2023.
The TLS directive doesn't take a matcher because it's not an http handler.
I'm mobile but can reply more later when I have a chance. From what I gather what you're trying to do is impossible (for any server) because user agent is only known after making a connection. You have to decide your tls settings based on the ClientHello only.
Ok, yeah -- after re-reading, this is definitely not possible (with any server). The TLS connection has to be made before HTTP is transacted, so there is no header or user-agent. Just a ClientHello. That's all you have to configure a handshake.
Since this issue tracker is reserved for actionable development items, I'm going to close this, but we have a community forum at caddy.community where more people will be exposed to your question, including people who may be more expert or experienced than I am with the specific issue you're facing. I hope you'll ask your question there. The Help category in the forum even provides a template you can fill out. Thanks for understanding!
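The maintainers' point above (the handshake is configured from the ClientHello alone, before any HTTP request or User-Agent exists) can be seen directly in Go's `crypto/tls`, the library Caddy is built on. The example below is added here and is not code from the issue or from the Caddy project: it uses the `GetConfigForClient` hook, whose only input is a `*tls.ClientHelloInfo` (server name from SNI, offered versions, cipher suites, ALPN), to pick a per-connection version range. The host name `legacy.example.test` used to single out the TLS-1.2-only clients is an assumption for the example, not something the issue proposes.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Hypothetical host name reserved for clients that must be served with
// TLS 1.2 only (assumption for this example; the issue names no such host).
const legacyOnlyHost = "legacy.example.test"

// versionsForHello decides the TLS version range for one handshake.
// The only input available at this point is the ClientHello: server name
// (SNI), offered versions, cipher suites and ALPN protocols. There is no
// User-Agent because no HTTP request has been sent yet.
func versionsForHello(hello *tls.ClientHelloInfo) (minVersion, maxVersion uint16) {
	if hello.ServerName == legacyOnlyHost {
		return tls.VersionTLS12, tls.VersionTLS12
	}
	// Every other name keeps the full modern range.
	return tls.VersionTLS12, tls.VersionTLS13
}

// offersTLS13 reports whether the client advertised TLS 1.3 in the
// supported_versions extension of its ClientHello.
func offersTLS13(hello *tls.ClientHelloInfo) bool {
	for _, v := range hello.SupportedVersions {
		if v == tls.VersionTLS13 {
			return true
		}
	}
	return false
}

// serverConfig wraps a base tls.Config (certificates etc.) so that the
// version range is chosen per connection from the ClientHello.
func serverConfig(base *tls.Config) *tls.Config {
	if base == nil {
		base = &tls.Config{}
	}
	cfg := base.Clone()
	cfg.GetConfigForClient = func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
		perConn := base.Clone()
		perConn.MinVersion, perConn.MaxVersion = versionsForHello(hello)
		return perConn, nil
	}
	return cfg
}

func main() {
	cfg := serverConfig(&tls.Config{MinVersion: tls.VersionTLS12})
	// Constructed ClientHello values; a real server receives these from
	// the wire during the handshake.
	for _, name := range []string{legacyOnlyHost, "chat.example.test"} {
		hello := &tls.ClientHelloInfo{
			ServerName:        name,
			SupportedVersions: []uint16{tls.VersionTLS13, tls.VersionTLS12},
		}
		c, err := cfg.GetConfigForClient(hello)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s -> min 0x%04x max 0x%04x (client offers 1.3: %v)\n",
			name, c.MinVersion, c.MaxVersion, offersTLS13(hello))
	}
}
```

Nothing in `tls.ClientHelloInfo` identifies the application sending the request, which is why a `header_regexp` matcher cannot feed the `tls` directive: the only handle the server has at handshake time is the name the client asked for and what it offered, so a distinct host name (or a separate listener) is the level at which a weaker protocol range can be scoped.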