Caddy reverse proxy for Vault

1. The problem I’m having:

Reverse proxy TLS authentication problem. With my Caddyfile configuration, after testing with the commands below:
curl --cert client.crt --key client.key --cacert ca_root.crt -H "X-Vault-Token: hvs.xxx" https://127.0.0.1:8100/v1/sys/metrics?format=prometheus
curl: (60) SSL certificate problem: could not get local issuer certificate
I have the problem "curl: (60) SSL certificate problem: could not get local issuer certificate".
More details here: https://curl.se/docs/sslcerts.html

But according to the configuration (see the link under "Links to relevant resources"), everything works fine.

2. Error messages and/or full log output:

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

3. Caddy version:

caddy version
v2.9.1

4. How I installed and ran Caddy:

pkg install, but it isn't a problem with the installation.

a. System environment:

FreeBSD & HardenedBSD v. 14.2, but it doesn't matter.

b. Command:

curl Test

curl --cert client.crt --key client.key --cacert ca_root.crt -H "X-Vault-Token:  hvs.xxx"   https://127.0.0.1:8100/v1/sys/metrics?format=prometheus
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

 curl --cert client.crt --key client.key --cacert ca_root.crt -H "X-Vault-Token:  hvs.xxx"   -k https://127.0.0.1:8100/v1/sys/metrics?format=prometheus
# HELP core_leadership_lost Total time that a high-availability cluster node last maintained leadership
# TYPE core_leadership_lost summary
core_leadership_lost{quantile="0.5"} NaN
core_leadership_lost{quantile="0.9"} NaN
core_leadership_lost{quantile="0.99"} NaN
core_leadership_lost_sum 0
...

c. My complete Caddy config:

My Caddyfile:
https://127.0.0.1:8100 {
        tls /mnt/vaultcerts/agent.crt /mnt/vaultcerts/agent.key {
                protocols tls1.2 tls1.3
                alpn h2 http/1.1
        }
        header -Server

        import log_redacted vaultproxy

        # Reverse proxy to Vault
        reverse_proxy https://active.vault.service.consul:8200 {
                header_up Host active.vault.service.consul
                header_up X-Real-IP {remote_host}
                header_up X-Forwarded-For {remote_host}
                header_up X-Forwarded-Port {server_port}

                transport http {
                        versions 2
                        keepalive 65s
                        tls_client_auth /mnt/vaultcerts/agent.crt /mnt/vaultcerts/agent.key
                        tls_trusted_ca_certs /mnt/vaultcerts/ca_root.crt
                        tls_server_name active.vault.service.consul
                }
        }

        # Error handling with fallback to HTTP Cat
        handle_errors {
                rewrite * /{http.error.status_code}
                reverse_proxy https://http.cat {
                        header_up Host http.cat
                }
        }
}

5. Links to relevant resources:

Are you running this in the /mnt/vaultcerts directory? If not, use --cacert /mnt/vaultcerts/ca_root.crt

Yes, in the same directory. I'll check that. But I don't think that's the problem, because I'm using Nginx, for comparison, and there's no problem. The certificates are generated by Vault in the Nginx configuration, so the problem doesn't occur.

Caddy is great. My config is fine, the error is due to my ignorance about curl. I’m burning with shame.
