This works (I think):
root@RJ-Caddytest ~# curl -v "https://acme.roadrunner/acme/local/directory" --cacert /root/root.crt
- Expire in 0 ms for 6 (transfer 0x55d5053d3f90)
- Expire in 1 ms for 1 (transfer 0x55d5053d3f90)
- Expire in 0 ms for 1 (transfer 0x55d5053d3f90)
- Expire in 2 ms for 1 (transfer 0x55d5053d3f90)
- Expire in 1 ms for 1 (transfer 0x55d5053d3f90)
- Expire in 1 ms for 1 (transfer 0x55d5053d3f90)
- Expire in 4 ms for 1 (transfer 0x55d5053d3f90)
- Expire in 1 ms for 1 (transfer 0x55d5053d3f90)
- Expire in 1 ms for 1 (transfer 0x55d5053d3f90)
- Expire in 4 ms for 1 (transfer 0x55d5053d3f90)
- Expire in 2 ms for 1 (transfer 0x55d5053d3f90)
- Expire in 2 ms for 1 (transfer 0x55d5053d3f90)
- Expire in 2 ms for 1 (transfer 0x55d5053d3f90)
- Trying 192.168.2.2...
- TCP_NODELAY set
- Expire in 200 ms for 4 (transfer 0x55d5053d3f90)
- Connected to acme.roadrunner (192.168.2.2) port 443 (#0)
- ALPN, offering h2
- ALPN, offering http/1.1
- successfully set certificate verify locations:
- CAfile: /root/root.crt
CApath: /etc/ssl/certs
- TLSv1.3 (OUT), TLS handshake, Client hello (1):
- TLSv1.3 (IN), TLS handshake, Server hello (2):
- TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
- TLSv1.3 (IN), TLS handshake, Certificate (11):
- TLSv1.3 (IN), TLS handshake, CERT verify (15):
- TLSv1.3 (IN), TLS handshake, Finished (20):
- TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
- TLSv1.3 (OUT), TLS handshake, Finished (20):
- SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
- ALPN, server accepted to use h2
- Server certificate:
- subject: [NONE]
- start date: Feb 4 01:53:47 2021 GMT
- expire date: Feb 4 13:53:47 2021 GMT
- subjectAltName: host "acme.roadrunner" matched cert's "acme.roadrunner"
- issuer: CN=Caddy Local Authority - ECC Intermediate
- SSL certificate verify ok.
- Using HTTP2, server supports multi-use
- Connection state changed (HTTP/2 confirmed)
- Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
- Using Stream ID: 1 (easy handle 0x55d5053d3f90)
GET /acme/local/directory HTTP/2
Host: acme.roadrunner
User-Agent: curl/7.64.0
Accept: */*
On the ACME server side:
2021/02/04 07:46:02 {"newNonce":"https://acme.roadrunner/acme/local/new-nonce","newAccount":"https://acme.roadrunner/acme/local/new-account","newOrder":"https://acme.roadrunner/acme/local/new-order","revokeCert":"https://acme.roadrunner/acme/local/revoke-cert","keyChange":"https://acme.roadrunner/acme/local/key-change"}
I also tried curl reverse (from the acme server to the web server).
192.168.2.50:443 {
    respond "Hello, this is your internal website @ 192.168.2.50"
    tls {
        ca https://acme.roadrunner/acme/local/directory
        client_auth {
            trusted_ca_cert_file /root/root.crt
        }
    }
}
curl -v "https://192.168.2.50" --cacert .local/share/caddy/pki/authorities/local/root.crt
The Caddy log:
2021/02/04 08:19:54.775 DEBUG http.stdlib http: TLS handshake error from 192.168.2.2:57050: no certificate available for '192.168.2.50'
Which makes sense because when starting Caddy, it reports an error with getting a certificate:
2021/02/04 08:19:37.473 ERROR tls.obtain will retry {"error": "[192.168.2.50] Obtain: registering account with server: provisioning client: performing request: Get \"https://acme.roadrunner/acme/local/directory\": x509: certificate signed by unknown authority (possibly because of \"x509: ECDSA verification failure\" while trying to verify candidate authority certificate \"Caddy Local Authority - 2021 ECC Root\")", "attempt": 1, "retrying_in": 60, "elapsed": 0.635356468, "max_duration": 2592000}
I think my Caddyfile has an error. So I tried to set the certificate config in the global settings:
# Global Option Block
{
    # General Option
    debug

    # TLS Options
    local_certs
    acme_ca https://acme.roadrunner/acme/local/directory
    acme_ca_root /root/root.crt
}

192.168.2.50:443
    respond "Hello, this is your internal website @ 192.168.2.50"
With this setup when I start Caddy there is nothing about getting a certificate and when I do curl from the acme server to the web server, the web server reports:
curl -v "https://192.168.2.50" --cacert .local/share/caddy/pki/authorities/local/root.crt
2021/02/04 07:50:36.398 DEBUG http.stdlib http: TLS handshake error from 192.168.2.2:57036: local error: tls: bad record MAC
Then I discovered that caddy (web server) created new certificates in .local/share/caddy/pki/authorities/local
(I deleted them before). That tells me that the Caddyfile with the global block is not working at all.
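The "x509: certificate signed by unknown authority" line in the tls.obtain error above is Go's crypto/x509 verifier speaking: the ACME client inside Caddy opened the directory URL and could not chain the server's leaf certificate to any root it trusts. The following Go program is an added example, not code from the post or from Caddy, that reproduces the three outcomes a practitioner wants to tell apart: the directory server's chain verified against the root that actually signed it, against a root.crt left over from a CA that has since been regenerated (same name, different key, which is what produces the "candidate authority" hint in the log), and against no root at all. The CA names, the host acme.roadrunner and the "subject-less leaf with one DNS SAN" shape are modelled on the curl output above but generated in memory; nothing here touches Caddy's pki directory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed test hierarchy: root -> intermediate -> leaf,
// shaped like the one in the curl output (an ECC intermediate issuing a
// subject-less leaf whose only identity is a DNS SAN).
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// NewChain builds a fresh hierarchy for host. Every call produces a new root
// key under the same name, which is what happens when a local CA's files are
// deleted and regenerated. The CA names are hypothetical, not Caddy's.
func NewChain(host string) *Chain {
	rootKey, intKey, leafKey := newKey(), newKey(), newKey()
	now := time.Now()
	ca := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(24 * time.Hour),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign,
		}
	}
	rootTmpl := ca(1, "Example Local Authority - ECC Root")
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter := sign(ca(2, "Example Local Authority - ECC Intermediate"), root, &intKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), // no Subject, like "subject: [NONE]" in the curl output
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: sign(leafTmpl, inter, &leafKey.PublicKey, intKey)}
}

// RootPEM renders the root the way it sits in a root.crt file.
func (c *Chain) RootPEM() []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Root.Raw})
}

// TrustedRoots is what acme_ca_root / curl --cacert amount to: a pool that
// holds only the certificates found in the PEM file. ok is false if none parsed.
func TrustedRoots(pemFile []byte) (roots *x509.CertPool, ok bool) {
	roots = x509.NewCertPool()
	return roots, roots.AppendCertsFromPEM(pemFile)
}

// VerifyServerChain is the check a Go TLS client runs on the ACME directory's
// certificate: leaf plus the intermediate the server sent must chain to a
// certificate in roots and be valid for host.
func VerifyServerChain(c *Chain, roots *x509.CertPool, host string) error {
	inter := x509.NewCertPool()
	inter.AddCert(c.Intermediate)
	_, err := c.Leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
	return err
}

// IsUnknownAuthority reports whether err is what Go prints as
// "x509: certificate signed by unknown authority".
func IsUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

func main() {
	server := NewChain("acme.roadrunner")
	right, _ := TrustedRoots(server.RootPEM())
	stale, _ := TrustedRoots(NewChain("acme.roadrunner").RootPEM()) // root.crt from a regenerated CA
	fmt.Println("right root:", VerifyServerChain(server, right, "acme.roadrunner"))
	fmt.Println("stale root:", VerifyServerChain(server, stale, "acme.roadrunner"))
	fmt.Println("no root:   ", VerifyServerChain(server, x509.NewCertPool(), "acme.roadrunner"))
}
```

The practical check this suggests for the setup above: confirm that the file handed to acme_ca_root is byte-for-byte the root currently under the ACME server's .local/share/caddy/pki/authorities/local, since a root with the right name but a different key fails in exactly the way the tls.obtain log shows, while curl's "SSL certificate verify ok" only proves that whichever root.crt curl was given matches.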