Caddy local certificates expiration

1. Caddy version (caddy version):

latest stable

2. How I run Caddy:

caddy start
curl localhost:2019/load -X POST -H "Content-Type: application/json" -d @caddy_reverse_hostname.json

With this contents:

{
  "apps": {
    "http": {
      "servers": {
        "localhost": {
          "listen": [":443"],
          "routes": [
            {
              "match": [
                {
                  "path": ["/api/*", "/socket/*"],
                  "host": ["10.211.55.3", "desktop-5s36bv4.local"]
                }
              ],
              "handle": [
                {
                  "handler": "reverse_proxy",
                  "upstreams": [
                    {
                      "dial": "localhost:9090"
                    }
                  ]
                }
              ]
            },
            {
              "match": [
                {
                  "host": ["10.211.55.3", "desktop-5s36bv4.local"]
                }
              ],
              "handle": [
                {
                  "handler": "reverse_proxy",
                  "upstreams": [
                    {
                      "dial": "localhost:8080"
                    }
                  ]
                }
              ]
            }
          ]
        }
      }
    }
  }
}

a. System environment:

Windows

b. Command:

see above.

c. Service/unit/compose file:

see above

d. My complete Caddyfile or JSON config:

see above

3. The problem I’m having:

Certificates are expiring too soon.
Since we need to share an https site on a local network via computer name, we are forced to use untrusted certificates (no control over the clients). It seems that Caddy auto-generated certificates expire after 1 day, so clients are forced to accept untrusted certificates once a day. It would be good to change the expiration date of the automatically generated certificates to something like a year.

4. Error messages and/or full log output:

5. What I already tried:

6. Links to relevant resources:

Instead of accepting untrusted certificates, have your clients trust the CA root, which is valid for 10 years. This is how trust with all public CAs operates.

2 Likes

So I can configure Caddy to use CA root instead of the automatically generated certificate? What should I do in my configuration to achieve that?

Thanks,
Fausto

To clarify, don’t change your caddy config. Just have the clients add the root cert to their trust store.

1 Like

This is a great resource in explaining the mechanics: https://matt.life/expert-caddy/establishing-trust-pki-and-tls

1 Like

The link is password protected

What you should do is have each client which needs to access your server have Caddy’s root CA cert installed in their trust store. You can google for instructions for each client/OS you need.

You can find the root CA cert in Caddy’s storage (wherever that is on your system; you can probably run caddy environ as the same user that you run Caddy with to find out, and look for caddy.AppDataDir in the output), in pki/authorities/local/root.crt.

The leaf cert lifetimes are intentionally short, at 12 hours. The shorter the lifetimes, the better.
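The procedure from the reply above (locate root.crt via caddy environ, then install it in the client's trust store), as an added PowerShell example for the Windows clients in this thread; it is not from the original posts or the Caddy project, and it assumes caddy is on PATH and that the script runs on the Caddy host (for other machines, copy root.crt over and set $rootCrt directly).

```powershell
# Added example: trust Caddy's local root CA instead of clicking through
# untrusted-certificate warnings every time a 12-hour leaf cert rotates.
# Assumptions: `caddy` is on PATH and runs as the same user as the Caddy service.
# Run elevated for the LocalMachine store; use 'CurrentUser' for a per-user trust.

$environ = & caddy environ
$appDataLine = $environ | Where-Object { $_ -match '^caddy\.AppDataDir=' }
if (-not $appDataLine) { throw "caddy.AppDataDir not found in 'caddy environ' output" }
$appData = ($appDataLine -split '=', 2)[1].Trim()

# Path named in the thread: <AppDataDir>\pki\authorities\local\root.crt
$rootCrt = Join-Path $appData 'pki\authorities\local\root.crt'
if (-not (Test-Path $rootCrt)) { throw "Root CA not found at $rootCrt" }

# Inspect before trusting it: expect Caddy's local CA, self-signed, ~10-year validity.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($rootCrt)
$cert | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint
if ($cert.Subject -ne $cert.Issuer) { throw "Expected a self-signed root, refusing to install" }

# Add to the Trusted Root store only if it is not already there (idempotent).
$location = 'LocalMachine'   # or 'CurrentUser'
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $location)
$store.Open('ReadWrite')
try {
    $already = $store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if ($already) {
        Write-Host "Caddy root CA $($cert.Thumbprint) is already trusted in $location\Root"
    } else {
        $store.Add($cert)
        Write-Host "Installed Caddy root CA $($cert.Thumbprint) into $location\Root"
    }
} finally {
    $store.Close()
}
```

After this, browsers that use the Windows store (Edge, Chrome) accept every new leaf Caddy issues for the hostname in the config without prompting; Firefox keeps its own store unless configured to use the system one.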

Ah yeah, it’s a perk of being a monthly sponsor. :smiley:

1 Like
