Acme_server implementation

Glad you got it compiling.

Based on that error message, I suspect the wrong cert. Try using curl to verify you have the right cert set up:

```
curl -v "https://acme.roadrunner/acme/local/directory" --cacert /root/root.crt
```

If it fails, then you’ve probably got the wrong CA – but that error should give you more of a hint.

This works (I think):

```
root@RJ-Caddytest ~# curl -v "https://acme.roadrunner/acme/local/directory" --cacert /root/root.crt
*   Expire in 0 ms for 6 (transfer 0x55d5053d3f90)
*   Expire in 1 ms for 1 (transfer 0x55d5053d3f90)
*   Expire in 0 ms for 1 (transfer 0x55d5053d3f90)
*   Expire in 2 ms for 1 (transfer 0x55d5053d3f90)
*   Expire in 1 ms for 1 (transfer 0x55d5053d3f90)
*   Expire in 1 ms for 1 (transfer 0x55d5053d3f90)
*   Expire in 4 ms for 1 (transfer 0x55d5053d3f90)
*   Expire in 1 ms for 1 (transfer 0x55d5053d3f90)
*   Expire in 1 ms for 1 (transfer 0x55d5053d3f90)
*   Expire in 4 ms for 1 (transfer 0x55d5053d3f90)
*   Expire in 2 ms for 1 (transfer 0x55d5053d3f90)
*   Expire in 2 ms for 1 (transfer 0x55d5053d3f90)
*   Expire in 2 ms for 1 (transfer 0x55d5053d3f90)
*   Trying 192.168.2.2...
* TCP_NODELAY set
*   Expire in 200 ms for 4 (transfer 0x55d5053d3f90)
* Connected to acme.roadrunner (192.168.2.2) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /root/root.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: [NONE]
*  start date: Feb 4 01:53:47 2021 GMT
*  expire date: Feb 4 13:53:47 2021 GMT
*  subjectAltName: host "acme.roadrunner" matched cert's "acme.roadrunner"
*  issuer: CN=Caddy Local Authority - ECC Intermediate
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55d5053d3f90)
> GET /acme/local/directory HTTP/2
> Host: acme.roadrunner
> User-Agent: curl/7.64.0
> Accept: */*
```

On the ACME server side:

```
2021/02/04 07:46:02 {"newNonce":"https://acme.roadrunner/acme/local/new-nonce","newAccount":"https://acme.roadrunner/acme/local/new-account","newOrder":"https://acme.roadrunner/acme/local/new-order","revokeCert":"https://acme.roadrunner/acme/local/revoke-cert","keyChange":"https://acme.roadrunner/acme/local/key-change"}
```

I also tried curl in reverse (from the ACME server to the web server).

```
192.168.2.50:443 {
    respond "Hello, this is your internal website @ 192.168.2.50"

    tls {
        ca https://acme.roadrunner/acme/local/directory
        client_auth {
            trusted_ca_cert_file /root/root.crt
        }
    }
}
```

```
curl -v "https://192.168.2.50" --cacert .local/share/caddy/pki/authorities/local/root.crt
```

The Caddy log:

```
2021/02/04 08:19:54.775 DEBUG http.stdlib http: TLS handshake error from 192.168.2.2:57050: no certificate available for '192.168.2.50'
```

Which makes sense, because when starting Caddy, it reports an error when getting a certificate:

```
2021/02/04 08:19:37.473 ERROR tls.obtain will retry {"error": "[192.168.2.50] Obtain: registering account with server: provisioning client: performing request: Get \"https://acme.roadrunner/acme/local/directory\": x509: certificate signed by unknown authority (possibly because of \"x509: ECDSA verification failure\" while trying to verify candidate authority certificate \"Caddy Local Authority - 2021 ECC Root\")", "attempt": 1, "retrying_in": 60, "elapsed": 0.635356468, "max_duration": 2592000}
```

I think my Caddyfile has an error. So I tried to set the certificate config in the global settings:

```
# Global Option Block
{
    # General Option
    debug

    # TLS Options
    local_certs
    acme_ca https://acme.roadrunner/acme/local/directory
    acme_ca_root /root/root.crt
}

192.168.2.50:443

respond "Hello, this is your internal website @ 192.168.2.50"
```

With this setup, when I start Caddy there is nothing about getting a certificate, and when I curl from the ACME server to the web server, the web server reports:

```
curl -v "https://192.168.2.50" --cacert .local/share/caddy/pki/authorities/local/root.crt
```

```
2021/02/04 07:50:36.398 DEBUG http.stdlib http: TLS handshake error from 192.168.2.2:57036: local error: tls: bad record MAC
```

Then I discovered that Caddy (the web server) created new certificates in .local/share/caddy/pki/authorities/local (I had deleted them before). That tells me that the Caddyfile with the global block is not working at all.

Managed to get the local CA to work by also setting up my local DNS to resolve the client.

e.g.

```
dockertest.roadrunner:443 {
    tls {
        ca https://acme.roadrunner/acme/local/directory
        ca_root /root/nextcloud/root.crt
    }
}
```

instead of

```
192.168.2.51:443 {
    tls {
        ca https://acme.roadrunner/acme/local/directory
        ca_root /root/nextcloud/root.crt
    }
}
```
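As an added example that is not part of this thread or of Caddy itself: a small Python classifier that runs over log lines modelled on the three errors quoted above and maps each one to the diagnosis the thread reached (untrusted ACME CA root, no certificate for the site, handshake failing after the certificate). The sample lines are constructed, not captured from the poster's machines.

```python
import re

# Constructed sample lines modelled on the Caddy log lines quoted in this
# thread; they are not a capture from the poster's machines.
SAMPLE_LOG = """\
2021/02/04 08:19:37.473 ERROR tls.obtain will retry {"error": "[192.168.2.50] Obtain: registering account with server: provisioning client: performing request: Get \\"https://acme.roadrunner/acme/local/directory\\": x509: certificate signed by unknown authority (possibly because of \\"x509: ECDSA verification failure\\" while trying to verify candidate authority certificate \\"Caddy Local Authority - 2021 ECC Root\\")", "attempt": 1}
2021/02/04 08:19:54.775 DEBUG http.stdlib http: TLS handshake error from 192.168.2.2:57050: no certificate available for '192.168.2.50'
2021/02/04 07:50:36.398 DEBUG http.stdlib http: TLS handshake error from 192.168.2.2:57036: local error: tls: bad record MAC
2021/02/04 07:46:02 {"newNonce":"https://acme.roadrunner/acme/local/new-nonce"}
"""

# (pattern, label, hint); the hints follow the diagnosis reached in the thread.
RULES = [
    (re.compile(r'x509: certificate signed by unknown authority.*'
                r'candidate authority certificate \\?"(?P<ca>[^"\\]+)'),
     "untrusted_acme_ca",
     "the ACME client does not trust the ACME server's TLS chain: point "
     "acme_ca_root (global) or tls ca_root (site) at the root that issued '{ca}'"),
    (re.compile(r"no certificate available for '(?P<name>[^']+)'"),
     "no_cert_for_site",
     "no certificate was obtained for '{name}'; look for tls.obtain errors "
     "above, and prefer a DNS name to an IP as the site address"),
    (re.compile(r"tls: bad record MAC"),
     "handshake_mismatch",
     "handshake aborted after the certificate was sent; check whether Caddy "
     "fell back to its own internal CA instead of the ACME server's CA"),
]

def diagnose(log_text):
    """Return one finding per matching log line, in log order."""
    findings = []
    for line in log_text.splitlines():
        for pattern, label, hint in RULES:
            m = pattern.search(line)
            if m:
                findings.append({"time": line[:23], "label": label,
                                 "hint": hint.format(**m.groupdict())})
                break  # first matching rule wins for this line
    return findings

def labels(log_text):
    """Just the rule labels, handy for asserting on a whole log file."""
    return [f["label"] for f in diagnose(log_text)]

if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f"{f['time']}  {f['label']:<19} {f['hint']}")
```

The `local_certs` option in the quoted global block makes Caddy issue every certificate from its own internal CA, which is consistent with the new files appearing under .local/share/caddy/pki.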