Alternate certificate chain to support older OpenSSL version

1. Caddy version (caddy version):

v2.4.5

2. How I run Caddy:

a. System environment:

Linux Alpine v3.14 Docker image, caddy installed via apk.

b. Command:

caddy run --config /my/Caddyfile

c. Service/unit/compose file:

d. My complete Caddyfile or JSON config:

Not complete, but looks like this:

my.domain.tld {
    root * /data
    file_server browse
}

3. The problem I’m having:

Clients with an older OpenSSL version (I’m not sure which exactly) are no longer able to access data from the web server. They say “certificate expired”. I suspect the reason is what Let’s Encrypt people explain here: OpenSSL Client Compatibility Changes for Let’s Encrypt Certificates - API Announcements - Let's Encrypt Community Support

Updating the clients will take a lot of time, so it would be good to temporarily get it working again with server side changes. In the explanation above, they say it should be possible to switch to the alternate certificate chain, which Caddy seems to support:

However, we will continue to provide the shorter chain as an alternate, which can be selected by ACME clients that have alternate chain support. To support OpenSSL versions older than 1.1.0, you should configure this shorter chain. This functionality is officially supported by ACME and is already implemented by clients like uacme, Caddy, and Certbot.

But I do not understand how to do that. Maybe somehow with tls.issuer.preferred_chains? But how exactly? Any hint would be very welcome.

5. What I already tried:

my.domain.tld {
    root * /data
    file_server browse
    tls {
        issuer acme {
            preferred_chains smallest
        }
    }
}

But this doesn’t seem to change anything (no surprise, since I don’t know what I’m doing…).

6. Links to relevant resources:

Caddy will only get a new certificate once the current one is expiring, or if it is deleted (i.e. doesn’t have one). So if you need a completely different certificate right away, you can delete the current one.

If needed, you can force Caddy to use a specific chain like so:

:warning: The /data directory is where Caddy stores its certificates in the official Docker image. This would probably leak your certs and keys, unless I misunderstand your setup. Please be careful with this!!!

A better directory to use generally for static files is /srv.
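As an added example (not the snippet from the reply above, which did not survive extraction), here is a complete Caddyfile that pins the alternate chain by the common name of its root rather than by size. The root name "ISRG Root X1" is Let's Encrypt's own root and is not taken from this thread; my.domain.tld is the placeholder from the original post.

```caddyfile
# Added example, not the reply's own config.
# Selects the shorter Let's Encrypt chain (rooted directly in ISRG Root X1)
# for every new certificate this site obtains. "preferred_chains smallest"
# also picks that chain today; root_common_name states the intent explicitly
# and keeps working if chain lengths change.
my.domain.tld {
    # static files live outside Caddy's own data directory
    root * /srv
    file_server browse
    tls {
        issuer acme {
            preferred_chains {
                root_common_name "ISRG Root X1"
            }
        }
    }
}
```

The preference only takes effect when Caddy obtains a new certificate, so either wait for renewal or delete the current certificate as described above; afterwards `openssl s_client -connect my.domain.tld:443 -showcerts` should show the last certificate in the served chain with issuer CN "ISRG Root X1" rather than "DST Root CA X3".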

Awesome, that worked! Thank you very much! :tada:

I think it should not be a problem here since I’m not using the official Docker image. But thanks anyway for this hint, it’s good to know in case I migrate to the official image some day :slightly_smiling_face:
