Caddy in Docker - can another container read the certificates?

1. Caddy version (caddy version):

$ docker exec -it caddy /bin/sh
/srv # caddy version
v2.5.0-rc.1 h1:d/ivzqaW+ht8J4yD+XI9omgCDIbQCDOD5AzKPTwkwWk=

2. How I run Caddy:

$ cat tmp/Dockerfile
FROM caddy:2.5.0-rc.1-builder-alpine AS builder

RUN xcaddy build --with github.com/caddy-dns/cloudflare

FROM caddy:2.5.0-rc.1-alpine

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

$ cat docker-compose.yml
version: "3.7"

services:
  caddy:
    build: ./tmp
    hostname: caddy
    container_name: caddy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - $PWD/Caddyfile:/etc/caddy/Caddyfile
      - $PWD/sites:/srv
      - caddy_data:/data
      - caddy_config:/config

volumes:
  caddy_data:
    name: caddy_caddy_data
    external: true
  caddy_config:

networks:
  default:
    name: caddy_net
    external: true

$ docker-compose up -d
$ cat Caddyfile
{
        acme_ca https://acme-v02.api.letsencrypt.org/directory
}

(cloudflare) {
        tls user@hotmail.com {
                dns cloudflare <credentials>
        }
}

(vips_only) {
        @fuck_off_world {
                not remote_ip <my_IP_during_tests>
        }
        respond @fuck_off_world 403
}

ldap.example.com {
        import cloudflare
        import vips_only
        respond "LDAP host for EXAMPLE.COM here!"
        # later - reverse_proxy phpldapadmin
}

a. System environment:

admin@vps.example.com
----------------------
OS: Arch Linux x86_64
Host: KVM/QEMU (Standard PC (i440FX + PIIX, 1996) pc-i440fx-5.2)
Kernel: 5.15.35-1-lts
Uptime: 2 hours, 12 mins
Packages: 207 (pacman)
Shell: bash 5.1.16
Resolution: 1024x768
Terminal: /dev/pts/1
CPU: AMD EPYC 7282 (6) @ 2.794GHz
GPU: 00:02.0 Vendor 1234 Device 1111
Memory: 259MiB / 16001MiB
$ docker --version
Docker version 20.10.14, build a224086349

$ docker-compose --version
Docker Compose version 2.4.1

3. The problem I’m having:

Is it possible for another Docker container to access (read only, preferably) the certificates that Caddy maintains on the volume “caddy_data” (on the host, “/var/lib/docker/volumes/caddy_caddy_data/_data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/”)?

I would like to run osixia/docker-openldap (GitHub: “A docker image to run OpenLDAP”) and use the certificate that Caddy obtained.

I need to “share” or “access” the volume “caddy_data” to map some environment variables:

LDAP_TLS_CRT_FILENAME
LDAP_TLS_KEY_FILENAME

and maybe

LDAP_TLS_CA_CRT_FILENAME (when I used Lego to get certificates, there was a file “*issuer.crt” together with the .crt and .key; in Caddy, I don’t know…)

I tried some configuration in the docker-compose.yml of docker-openldap, but without success.

version: '2'
services:
  openldap:
    image: osixia/openldap:1.5.0
    hostname: ldap
    container_name: openldap
    restart: unless-stopped
    ports:
      #- "389:389"
      - "636:636"
    volumes:
      - ldap_data:/var/lib/ldap
      - ldap_config:/etc/ldap/slapd.d
      - certs:/caddy/certificates/acme-v02.api.letsencrypt.org-directory/ldap.example.com:/container/service/slapd/assets/certs
...
      LDAP_TLS_CRT_FILENAME: "ldap.example.com.crt"
      LDAP_TLS_KEY_FILENAME: "ldap.example.com.key"
      # ??? LDAP_TLS_CA_CRT_FILENAME: "ldap.example.com.issuer.crt"
...
volumes:
  ldap_data:
  ldap_config:
  certs:
    name: caddy_caddy_data
    external: true
...

I see that it isn’t working because OpenLDAP does not “see” the certificate from Caddy and generates a self-signed one.

***  INFO   | 2022-04-24 23:44:01 | Running /container/run/startup/:ssl-tools...
***  INFO   | 2022-04-24 23:44:01 | Running /container/run/startup/slapd...
***  INFO   | 2022-04-24 23:44:01 | openldap user and group adjustments
***  INFO   | 2022-04-24 23:44:01 | get current openldap uid/gid info inside container
***  INFO   | 2022-04-24 23:44:01 | -------------------------------------
***  INFO   | 2022-04-24 23:44:01 | openldap GID/UID
***  INFO   | 2022-04-24 23:44:01 | -------------------------------------
***  INFO   | 2022-04-24 23:44:01 | User uid: 911
***  INFO   | 2022-04-24 23:44:01 | User gid: 911
***  INFO   | 2022-04-24 23:44:01 | uid/gid changed: false
***  INFO   | 2022-04-24 23:44:01 | -------------------------------------
***  INFO   | 2022-04-24 23:44:01 | updating file uid/gid ownership
***  INFO   | 2022-04-24 23:44:01 | No certificate file and certificate key provided, generate:
***  INFO   | 2022-04-24 23:44:01 | /container/service/slapd/assets/certs/ldap.setic.poa.br.crt and /container/service/slapd/assets/certs/ldap.setic.poa.br.key

Any ideas?

This line doesn’t make sense – you have two : in here.

It should probably look like:

volumes:
  - certs:/certs
environment:
  LDAP_TLS_CRT_FILENAME: "/certs/caddy/certificates/acme-v02.api.letsencrypt.org-directory/ldap.example.com/ldap.example.com.crt"
  LDAP_TLS_KEY_FILENAME: "/certs/caddy/certificates/acme-v02.api.letsencrypt.org-directory/ldap.example.com/ldap.example.com.key"

Or something along those lines.

Either way, this isn’t a problem with Caddy, this is more of a Docker or OpenLDAP question.

You should be aware, Caddy has issuer fallback so it won’t necessarily get a cert from Let’s Encrypt. If there’s a problem with LE, then it might get a cert from ZeroSSL instead, in which case the directory would change.

So relying on the file path like that isn’t really recommended. You could turn off zerossl by explicitly specifying issuer acme in your tls config, but I don’t recommend that either because it worsens the robustness of cert issuance.

I’m working on an event dispatching system for Caddy which should eventually make it possible to copy certs for a domain to a well-known location when a cert is issued or renewed, but I don’t have a timeline for when it’ll be ready.

1 Like
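An added example, not code from this thread or the Caddy project, covering the two points above (the issuer directory can change after fallback, and the question about an issuer/CA file): a POSIX sh script that looks the domain up across every issuer directory in Caddy's data volume, splits the PEM bundle into leaf and issuer chain, and stages read-only copies for the OpenLDAP container. It assumes Caddy's default storage layout and that the .crt file holds the full chain with the leaf first; the sample tree it builds is constructed placeholder data, not real certificates.

```shell
#!/bin/sh
# Added example (not from this thread or the Caddy project): find the cert Caddy stored for a
# domain in whichever ACME issuer directory it landed in, then export read-only copies, plus
# the issuer chain, for another container to mount. Assumed Caddy layout (its default):
#   DATA/caddy/certificates/<issuer-dir>/<domain>/<domain>.crt|.key, .crt = full chain, leaf first

# find_caddy_cert DATA DOMAIN: print the directory holding the newest <domain>.crt
find_caddy_cert() {
    best=""
    for d in "$1"/caddy/certificates/*/"$2"; do
        [ -f "$d/$2.crt" ] && [ -f "$d/$2.key" ] || continue
        if [ -z "$best" ] || [ "$d/$2.crt" -nt "$best/$2.crt" ]; then best="$d"; fi
    done
    [ -n "$best" ] && printf '%s\n' "$best"
}

# split_chain BUNDLE LEAF_OUT CHAIN_OUT: first PEM block -> leaf, remaining blocks -> issuer chain
split_chain() {
    : > "$3"   # chain file must exist even when the bundle holds a single certificate
    awk -v leaf="$2" -v chain="$3" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print > leaf }
        n > 1  { print > chain }' "$1"
}

# export_caddy_cert DATA DOMAIN OUT [OWNER]: write <domain>.crt, .issuer.crt, .key into OUT and
# print the source dir. OWNER (e.g. 911:911, openldap's uid/gid in the log above) needs root.
export_caddy_cert() {
    src=$(find_caddy_cert "$1" "$2") || return 1
    mkdir -p "$3"
    split_chain "$src/$2.crt" "$3/$2.crt" "$3/$2.issuer.crt"
    cp "$src/$2.key" "$3/$2.key"
    chmod 0644 "$3/$2.crt" "$3/$2.issuer.crt" && chmod 0600 "$3/$2.key"
    [ -z "${4:-}" ] || chown "$4" "$3/$2.crt" "$3/$2.issuer.crt" "$3/$2.key"
    printf '%s\n' "$src"
}

# make_sample_tree DATA DOMAIN: constructed placeholders (not real certs): an older Let's
# Encrypt copy and a newer ZeroSSL copy of the same domain, as after issuer fallback.
make_sample_tree() {
    for iss in acme-v02.api.letsencrypt.org-directory acme.zerossl.com-v2-DV90; do
        dir="$1/caddy/certificates/$iss/$2"; mkdir -p "$dir"
        printf '%s\n' '-----BEGIN CERTIFICATE-----' "LEAF-$iss" '-----END CERTIFICATE-----' \
            '-----BEGIN CERTIFICATE-----' "INTERMEDIATE-$iss" '-----END CERTIFICATE-----' > "$dir/$2.crt"
        printf '%s\n' '-----BEGIN PRIVATE KEY-----' "KEY-$iss" '-----END PRIVATE KEY-----' > "$dir/$2.key"
    done
    touch -t 202201010000 "$1"/caddy/certificates/acme-v02.api.letsencrypt.org-directory/"$2"/*
}
demo=$(mktemp -d); make_sample_tree "$demo/data" ldap.example.com   # demo on the constructed tree
echo "picked: $(export_caddy_cert "$demo/data" ldap.example.com "$demo/out")"; ls -l "$demo/out"
```

Mount the output directory into the openldap container read-only (for example `- /srv/ldap-certs:/container/service/slapd/assets/certs:ro`) and set LDAP_TLS_CRT_FILENAME, LDAP_TLS_KEY_FILENAME and LDAP_TLS_CA_CRT_FILENAME to the bare filenames. The copies do not refresh themselves, so rerun the script from cron after each renewal.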

Great news! This will be very, very useful!

I know, I asked here because I thought someone else needed it and managed to do it.

Yes, that was the intention when I used acme_ca https://acme-v02.api.letsencrypt.org/directory.

Anyway, for now I learned a way of generating “my osixia/openldap” with the certificate that Caddy gets.

Thanks for your time and attention!

2 Likes