Subject name does not qualify for certificate when IPv6 address contains scope ID (%...) #3911

Closed
hawkeye64 opened this issue Dec 9, 2020 · 2 comments

1. Caddy version (caddy version):

$ caddy version
v2.2.1 h1:Q62GWHMtztnvyRU+KPOpw6fNfeCD3SkwH7SfT1Tgt2c=

2. How I run Caddy:

systemd

a. System environment:

Ubuntu 18.04

d. My complete Caddyfile or JSON config:

{
  # This is pointing to Let's Encrypt Staging environment (for dev)
  # https://letsencrypt.org/docs/staging-environment/
  # This will allow you to get things right before issuing trusted
  # certificates and reduce the chance of your running up against rate limits.
  #acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
  
  # causes all certificates to be issued internally by default,
  # rather than through a (public) ACME CA such as Let's Encrypt.
  # This is useful in development environments.
  local_certs
  
  # configure automatic HTTPS. It can either disable it entirely (off)
  # or disable only HTTP-to-HTTPS redirects (disable_redirects).
  # auto_https off
  auto_https disable_redirects

  debug
}

# Refer to the Caddy docs for more information:
# https://caddyserver.com/docs/caddyfile

(SecurityHeaders) {
  header_up X-Real-IP {remote_host}
  header_up X-Forwarded-Proto {scheme}
}

:80, :443 {

  tls {
    on_demand
  }

  # Set this path to your site's directory.
  root * /opt/ivt/apps/6.0.0/packages/client/spa

  # Enable the static file server.
  file_server

  route /weather/* {
    uri replace /weather /socket.io
    reverse_proxy * http://localhost:3010 {
      import SecurityHeaders
    }
  }
  route /ptz/* {
    uri replace /ptz /socket.io
    reverse_proxy * http://localhost:3006 {
      import SecurityHeaders
    }
  }
  route /liveview/* {
    uri replace /liveview /socket.io
    reverse_proxy * http://localhost:3004 {
      import SecurityHeaders
    }
  }
  route /archive/* {
    uri replace /archive /socket.io
    reverse_proxy * http://localhost:3003 {
      import SecurityHeaders
    }
  }
  route /alarms/* {
    uri replace /alarms /socket.io
    reverse_proxy * http://localhost:3002 {
      import SecurityHeaders
    }
  }
  route /console_socket/* {
    uri replace /console_socket /console/socket.io
    reverse_proxy * http://localhost:3001 {
      import SecurityHeaders
    }
  }
  route /web_app_socket/* {
    uri replace /web_app_socket /web/socket.io
    reverse_proxy * http://localhost:3001 {
      import SecurityHeaders
    }
  }
  route /files/* {
    uri replace /files/ /
    reverse_proxy * http://localhost:3001 {
      import header_options
    }
  }
  route /api/* {
    reverse_proxy * http://localhost:3001 {
      import header_options
    }
  }
}

3. The problem I'm having:

In the journal, getting this message:

Dec 08 20:46:26 lance-ubuntu caddy[16093]: {"level":"debug","ts":1607485586.9103239,"logger":"http.stdlib",
"msg":"http: TLS handshake error from [fe80::b1d9:68f3:fcda:a150%enp0s31f6]:62373: 
subject name does not qualify for certificate: fe80::db67:46fb:e04e:5397%enp0s31f6"}

4. Error messages and/or full log output:

displayed above

5. What I already tried:

This should just be generating local certs. There's no domain name used. It's an IoT device.

6. Links to relevant resources:

@mholt mholt added the bug 🐞 Something isn't working label Dec 9, 2020
@mholt mholt changed the title Subject name does not qualify for certificate Subject name does not qualify for certificate when IPv6 address contains scope ID (%...) Dec 9, 2020
@mholt mholt self-assigned this Dec 9, 2020
@mholt mholt added this to the v2.3.0 milestone Dec 9, 2020
mholt added a commit that referenced this issue Dec 9, 2020
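
Added example, not taken from the issue or from Caddy/CertMagic code: why the zone-scoped link-local address in the log above fails an IP subject check, and how dropping the zone ID makes it usable as an IP SAN. It assumes the subject is derived from the connection's local address when the client sends no SNI; `subjectFromLocalAddr`, `stripZone` and `qualifiesAsIP` are hypothetical names.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// subjectFromLocalAddr derives a certificate subject from the address a
// connection was accepted on (assumed fallback when no SNI is present).
func subjectFromLocalAddr(addr net.Addr) string {
	host, _, err := net.SplitHostPort(addr.String())
	if err != nil {
		return addr.String()
	}
	return host
}

// stripZone drops an RFC 4007 zone ID ("%enp0s31f6") from an IPv6 literal.
// The zone only has meaning on the local host, so it cannot appear in an
// IP SAN. Names that are not zoned IPv6 literals are returned unchanged.
func stripZone(name string) string {
	i := strings.IndexByte(name, '%')
	if i < 0 {
		return name
	}
	if host := name[:i]; strings.Contains(host, ":") && net.ParseIP(host) != nil {
		return host
	}
	return name
}

// qualifiesAsIP is a hypothetical stand-in for the server's subject check:
// the name must parse as a plain IP address to be issued as an IP SAN.
func qualifiesAsIP(name string) bool {
	return net.ParseIP(name) != nil // net.ParseIP rejects zoned addresses
}

func main() {
	// Constructed sample: the link-local subject from the log line in the issue.
	local := &net.TCPAddr{IP: net.ParseIP("fe80::db67:46fb:e04e:5397"), Zone: "enp0s31f6", Port: 443}
	raw := subjectFromLocalAddr(local)
	fmt.Println(raw, qualifiesAsIP(raw))
	fmt.Println(stripZone(raw), qualifiesAsIP(stripZone(raw)))
}
```
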
mholt commented Dec 9, 2020

Thanks for the report!

... I did not realize GitHub would close this issue from a commit in a separate repository... interesting. Anyway...

The latest commit uses the latest CertMagic. Can you please try again with that and confirm it works?

hawkeye64 commented Dec 17, 2020

As for the auto-commit, it's because of this, which was to get rolled out in Dec.: github/roadmap#107

and mentioned in their blog here: https://github.blog/2020-12-08-new-from-universe-2020-dark-mode-github-sponsors-for-companies-and-more/
