Automatic HTTPS for a local TLD

1. Caddy version (caddy version):

v2.3.0 h1:fnrqJLa3G5vfxcxmOH/+kJOcunPLhSBnjgIvjXV/QTA=

2. How I run Caddy:

a. System environment:

Mac 11.1

b. Command:

caddy run -config caddy.json # See below for the config

c. Service/unit/compose file:

N/A

d. My complete Caddyfile or JSON config:

{
  "admin": {
    "disabled": true
  },
  "apps": {
    "http": {
      "servers": {
        "proxy": {
          "listen": [
            ":80",
            ":443"
          ],
          "routes": [
            {
              "handle": [
                {
                  "handler": "reverse_proxy",
                  "transport": {
                    "protocol": "http"
                  },
                  "upstreams": [
                    {
                      "dial": "192.168.64.36:30784"
                    }
                  ]
                }
              ],
              "match": [
                {
                  "host": [
                    "app1.test-domain"
                  ]
                }
              ]
            },
            {
              "handle": [
                {
                  "handler": "reverse_proxy",
                  "transport": {
                    "protocol": "http"
                  },
                  "upstreams": [
                    {
                      "dial": "192.168.64.36:31525"
                    }
                  ]
                }
              ],
              "match": [
                {
                  "host": [
                    "app2.test-domain"
                  ]
                }
              ]
            }
          ]
        }
      }
    }
  }
}

3. The problem I’m having:

I’m trying to use Caddy to proxy to two upstreams behind a local TLD test-domain. Here is my /etc/hosts:

127.0.0.1 app1.test-domain
127.0.0.1 app2.test-domain

Caddy proxied correctly for HTTP but reached out to ACME for a cert for a local domain:

2021/01/24 06:43:38.535 ERROR   tls.obtain      will retry      {"error": "[app1.test-domain] Obtain: [app1.test-domain] creating new order: request to https://acme.zerossl.com/v2/DV90/newOrder failed after 1 attempts: HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [api.meroxa] (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 1, "retrying_in": 60, "elapsed": 2.298220396, "max_duration": 2592000}

Is it possible to configure Caddy to generate a self-signed cert for a local TLD?

4. Error messages and/or full log output:

See above.

5. What I already tried:

I couldn’t find a config that allows generating a self-signed cert for a local TLD.

6. Links to relevant resources:

IMO your config would be more easily expressed as a Caddyfile. You can run caddy adapt to get the JSON it adapts to.

{
    admin off
}

app1.test-domain {
    tls internal
    reverse_proxy 192.168.64.36:30784
}

app2.test-domain {
    tls internal
    reverse_proxy 192.168.64.36:31525
}

Just so you’re aware, turning off the admin API also makes it impossible to use the caddy reload command to gracefully reload Caddy with your new config.

I would just create a single automation policy that dictates the internal issuer:

{
  "apps": {
    "tls": {
      "automation": {
        "policies": [
          {
            "issuers": [
              {
                "module": "internal"
              }
            ]
          }
        ]
      }
    }
  }
}

As Francis said, you can get this easily by writing a Caddyfile consisting of:

{
    local_certs
}

and then running caddy adapt. (No need to specify tls internal for all sites)
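As an added example (not from the thread and not Caddy's own code), here is a small lint that reads a Caddy v2 JSON config, collects the host matchers from the HTTP routes, and reports every host whose first matching automation policy does not use the internal issuer. Such hosts fall through to the default public ACME issuers, which is what produced the rejectedIdentifier error above. The config is constructed for the example, and subjects are matched exactly (Caddy also accepts wildcard subjects, which this check does not expand).

```python
import copy
import json

# Constructed sample, not pasted from the thread: the two reverse-proxy routes
# plus one automation policy whose subjects name only app1.test-domain.
SAMPLE_CONFIG = json.loads("""
{
  "apps": {
    "http": {"servers": {"proxy": {"listen": [":80", ":443"], "routes": [
      {"match": [{"host": ["app1.test-domain"]}],
       "handle": [{"handler": "reverse_proxy",
                   "upstreams": [{"dial": "192.168.64.36:30784"}]}]},
      {"match": [{"host": ["app2.test-domain"]}],
       "handle": [{"handler": "reverse_proxy",
                   "upstreams": [{"dial": "192.168.64.36:31525"}]}]}
    ]}}},
    "tls": {"automation": {"policies": [
      {"subjects": ["app1.test-domain"], "issuers": [{"module": "internal"}]}
    ]}}
  }
}
""")

# Same config with the single subject-less policy from the reply above:
# no "subjects" means the policy applies to every name Caddy manages.
FIXED_CONFIG = copy.deepcopy(SAMPLE_CONFIG)
FIXED_CONFIG["apps"]["tls"]["automation"]["policies"] = [
    {"issuers": [{"module": "internal"}]}
]


def route_hosts(config):
    """Collect every host name matched by a route in any HTTP server."""
    hosts = set()
    for server in config.get("apps", {}).get("http", {}).get("servers", {}).values():
        for route in server.get("routes", []):
            for matcher in route.get("match", []):
                hosts.update(matcher.get("host", []))
    return hosts


def first_matching_policy(policies, host):
    """Policies are consulted in order; an empty subjects list matches any name."""
    for policy in policies:
        subjects = policy.get("subjects")
        if not subjects or host in subjects:  # exact match only (no wildcards)
            return policy
    return None  # falls through to Caddy's default public ACME policy


def hosts_without_internal_issuer(config):
    """Return the route hosts that would be sent to a public ACME CA."""
    policies = config.get("apps", {}).get("tls", {}).get("automation", {}).get("policies", [])
    uncovered = set()
    for host in route_hosts(config):
        policy = first_matching_policy(policies, host) or {}
        if not any(i.get("module") == "internal" for i in policy.get("issuers", [])):
            uncovered.add(host)
    return uncovered
```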
