I am trying to run Caddy inside a corporate network which uses a firewall with self-signed certificates.
I am used to putting these certificates in my VMs. For example, for my Arch VMs I do
sudo trust anchor cert-1.crt
sudo trust anchor cert-2.crt
Today, when building, running and trying to get some staging certificates from LetsEncrypt, I stumbled upon a problem with Go inside Caddy's Docker container.
This is how I build/run my Caddy
Dockerfile
# Stage 1: build a Caddy binary that includes the Cloudflare DNS plugin
FROM caddy:2.5.1-builder-alpine AS builder
RUN xcaddy build --with github.com/caddy-dns/cloudflare

# Stage 2: drop the custom binary into the stock runtime image
FROM caddy:2.5.1-alpine
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
docker-compose.yml
version: "3.7"
services:
  caddy:
    build: ./tmp
    hostname: caddy
    container_name: caddy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./sites:/srv
      - ./Caddyfile:/etc/caddy/Caddyfile
      - data:/data
      - config:/config
volumes:
  data:
  config:
networks:
  default:
    name: caddy_net
    external: true
Only after copying and activating cert-1.crt and cert-2.crt inside Caddy's Docker container was I able to build and run it. But I needed to change the Dockerfile to this:
Dockerfile
# Stage 1: install the corporate firewall's CA certificates into the
# builder's trust store, then build Caddy with the Cloudflare DNS plugin
FROM caddy:2.5.1-builder-alpine AS builder
COPY cert-1.crt /usr/local/share/ca-certificates/cert-1.crt
COPY cert-2.crt /usr/local/share/ca-certificates/cert-2.crt
# Regenerate /etc/ssl/certs/ca-certificates.crt so it includes the new roots
RUN update-ca-certificates
RUN xcaddy build --with github.com/caddy-dns/cloudflare

# Stage 2: copy the regenerated bundle and the custom binary into the runtime image
FROM caddy:2.5.1-alpine
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
The container comes up but still shows some errors and does not get the certificates.
Has anyone already had this problem and solved it?
Some of the error messages:
{"level":"info","ts":1653412048.66475,"msg":"serving initial configuration"}
{"level":"info","ts":1653412048.6669748,"logger":"tls.obtain","msg":"lock acquired","identifier":"ldap.private.corp.network.domain"}
{"level":"debug","ts":1653412048.6678371,"logger":"tls.obtain","msg":"trying issuer 1/2","issuer":"acme-staging-v02.api.letsencrypt.org-directory"}
{"level":"warn","ts":1653412049.8716073,"logger":"tls.issuance.acme.acme_client","msg":"HTTP request failed; retrying","url":"https://acme-staging-v02.api.letsencrypt.org/directory","error":"performing request: Get \"https://acme-staging-v02.api.letsencrypt.org/directory\": x509: certificate signed by unknown authority"}
{"level":"warn","ts":1653412050.709101,"logger":"tls.issuance.acme.acme_client","msg":"HTTP request failed; retrying","url":"https://acme-staging-v02.api.letsencrypt.org/directory","error":"performing request: Get \"https://acme-staging-v02.api.letsencrypt.org/directory\": x509: certificate signed by unknown authority"}
{"level":"warn","ts":1653412051.5481153,"logger":"tls.issuance.acme.acme_client","msg":"HTTP request failed; retrying","url":"https://acme-staging-v02.api.letsencrypt.org/directory","error":"performing request: Get \"https://acme-staging-v02.api.letsencrypt.org/directory\": x509: certificate signed by unknown authority"}
{"level":"error","ts":1653412051.54819,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"ldap.private.corp.network.domain","issuer":"acme-staging-v02.api.letsencrypt.org-directory","error":"registering account [mailto:leandro.peracchi@gmail.com] with server: provisioning client: performing request: Get \"https://acme-staging-v02.api.letsencrypt.org/directory\": x509: certificate signed by unknown authority"}
{"level":"debug","ts":1653412051.5482035,"logger":"tls.obtain","msg":"trying issuer 2/2","issuer":"acme-staging-v02.api.letsencrypt.org-directory"}
{"level":"error","ts":1653412052.9359179,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"ldap.private.corp.network.domain","issuer":"acme-staging-v02.api.letsencrypt.org-directory","error":"account pre-registration callback: performing EAB credentials request: Post \"https://api.zerossl.com/acme/eab-credentials-email\": x509: certificate signed by unknown authority"}
{"level":"error","ts":1653412052.9359574,"logger":"tls.obtain","msg":"will retry","error":"[ldap.private.corp.network.domain] Obtain: account pre-registration callback: performing EAB credentials request: Post \"https://api.zerossl.com/acme/eab-credentials-email\": x509: certificate signed by unknown authority","attempt":1,"retrying_in":60,"elapsed":4.268951206,"max_duration":2592000}