Description
Opened on Nov 5, 2018
1. What version of Caddy are you using (caddy -version)?
Caddy 0.11.0 (+22dfb14 Sun Nov 04 19:32:32 UTC 2018) (unofficial)
2. What are you trying to do?
I'm trying to fetch a certificate from my domain app01.domain.tld by using the following shell script.
#!/bin/bash
#
# usage: sh script.sh app01.domain.tld 443
#
REMHOST=$1
REMPORT=${2:-443}
# Open a TLS connection, feed s_client an empty stdin so it exits right after
# the handshake, and print only the PEM certificate block(s) from its output.
echo |\
openssl s_client -connect "${REMHOST}:${REMPORT}" 2>&1 |\
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
3. What is your entire Caddyfile?
(ecc-tls) {
    tls {
        dns gandiv5
        ciphers ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-WITH-CHACHA20-POLY1305
        key_type p256
        must_staple
    }
}
app01.domain.tld {
    import ecc-tls
}
app02.domain.tld {
    import ecc-tls
}
app03.domain.tld {
    import ecc-tls
}
4. How did you run Caddy (give the full command and describe the execution environment)?
caddy -agree -http2 -quic -log /opt/caddy/log -root /opt/caddy/webroot -conf /opt/caddy/Caddyfile
I'm running Caddy on Debian 9.5 (stretch).
5. Please paste any relevant HTTP request(s) here.
N/A
6. What did you expect to see?
The certificate of app01.domain.tld.
7. What did you see instead (give full error messages and/or log)?
The certificate of either app01, app02 or app03.domain.tld. The certificate changes each time you run the shell script.
8. How can someone who is starting from scratch reproduce the bug as minimally as possible?
- Install Caddy.
- Set up three or more subdomains on your own domain.
- Copy my Caddyfile and adjust it as needed to fetch a certificate for each subdomain.
- Use the provided shell script to fetch the certificate of one of the subdomains.
This issue does not affect sites which are not served with Caddy. To verify this, run the same shell script on such a domain and observe that the certificate in the output is the same every time you run it and that it is the correct one for the domain.
The practical relevance of this problem is that the remote control software MeshCentral cannot fetch the correct certificate from a subdomain that is served with Caddy because it receives a different certificate each time it tries to fetch it.