Caddy skipping automatic certificate creation if I have a wildcard origin certificate loaded

1. Output of caddy version:

v2.5.2 h1:eCJdLyEyAGzuQTa5Mh3gETnYWDClo1LjtQm2q9RNZrs=

2. How I run Caddy:

a. System environment:

Debian 11 with caddy PPAs, docker running but not used by caddy.

b. Command:

systemctl reload caddy

c. Service/unit/compose file:


d. My complete Caddy config:

(cf) {
        tls /etc/nginx/certs/t0-tld-cert.pem /etc/nginx/certs/t0-tld-key.pem {
                client_auth {
                        mode require_and_verify
                        trusted_ca_cert_file /etc/nginx/certs/pull.pem
                }
        }
}

(log) {
        log {
                output file /var/log/caddy/access.log
                format json
                level info
        }
}

cdn1.t0.lv {
        import cf
        import log
        root * /var/www/cdn1

        file_server

        header Cache-Control max-age=3600
        header Access-Control-Allow-Origin "*"

        redir /gitea/assets/css/theme-tp-nord.css https://theme-park.dev/css/base/gitea/nord.css
}

git.t0.lv {
        import log
        reverse_proxy http://127.0.0.1:3000
}

ports.t0.lv {
        import cf
        import log
        reverse_proxy http://127.0.0.1:9443
}

reports.t0.lv {
        import cf
        import log
        root * /var/www/reports
        file_server
}

3. The problem I’m having:

I have some domains behind cloudflare (cdn1.t0.lv, ports.t0.lv, reports.t0.lv), and one local without CF’s proxy, git.t0.lv.

For the cloudflare domains I use their origin certificate and pull validation (defined in (cf)), the origin certificate is issued for t0.lv and *.t0.lv.

Currently when I visit https://git.t0.lv (not behind cloudflare) I still get served the cloudflare origin certificate, even though I haven’t told caddy to use it.

(The DNS for git.t0.lv is still not propagated fully, but the command below should achieve the same result)
openssl s_client -showcerts -servername git.t0.lv -connect srv1.t0.lv:443 | grep "CloudFlare Origin Certificate"

Am I missing something? Is there some SSL setting that I can write to kindly ask ZeroSSL to generate a certificate even if a wildcard is loaded?

4. Error messages and/or full log output:

e@f ~> openssl s_client -showcerts -servername git.t0.lv -connect srv1.t0.lv:443 | grep "CloudFlare Origin Certificate"                                                                                        00:47
depth=0 O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
verify return:1
 0 s:O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
subject=O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
Aug 15 21:05:06 localhost caddy[32348]: {"level":"info","ts":1660597506.879615,"logger":"http","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"git.t0.lv","server_name":"srv0"}
Full log
Aug 15 21:05:06 localhost systemd[1]: Starting Caddy...
Aug 15 21:05:06 localhost caddy[32348]: caddy.HomeDir=/var/lib/caddy
Aug 15 21:05:06 localhost caddy[32348]: caddy.AppDataDir=/var/lib/caddy/.local/share/caddy
Aug 15 21:05:06 localhost caddy[32348]: caddy.AppConfigDir=/var/lib/caddy/.config/caddy
Aug 15 21:05:06 localhost caddy[32348]: caddy.ConfigAutosavePath=/var/lib/caddy/.config/caddy/autosave.json
Aug 15 21:05:06 localhost caddy[32348]: caddy.Version=v2.5.2 h1:eCJdLyEyAGzuQTa5Mh3gETnYWDClo1LjtQm2q9RNZrs=
Aug 15 21:05:06 localhost caddy[32348]: runtime.GOOS=linux
Aug 15 21:05:06 localhost caddy[32348]: runtime.GOARCH=amd64
Aug 15 21:05:06 localhost caddy[32348]: runtime.Compiler=gc
Aug 15 21:05:06 localhost caddy[32348]: runtime.NumCPU=1
Aug 15 21:05:06 localhost caddy[32348]: runtime.GOMAXPROCS=1
Aug 15 21:05:06 localhost caddy[32348]: runtime.Version=go1.18.3
Aug 15 21:05:06 localhost caddy[32348]: os.Getwd=/
Aug 15 21:05:06 localhost caddy[32348]: LANG=en_US.UTF-8
Aug 15 21:05:06 localhost caddy[32348]: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Aug 15 21:05:06 localhost caddy[32348]: NOTIFY_SOCKET=/run/systemd/notify
Aug 15 21:05:06 localhost caddy[32348]: HOME=/var/lib/caddy
Aug 15 21:05:06 localhost caddy[32348]: LOGNAME=caddy
Aug 15 21:05:06 localhost caddy[32348]: USER=caddy
Aug 15 21:05:06 localhost caddy[32348]: INVOCATION_ID=3a70e200a0954e719ff3dd292f892477
Aug 15 21:05:06 localhost caddy[32348]: JOURNAL_STREAM=8:178404
Aug 15 21:05:06 localhost caddy[32348]: {"level":"info","ts":1660597506.8699348,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Aug 15 21:05:06 localhost caddy[32348]: {"level":"warn","ts":1660597506.8750892,"msg":"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":28}
Aug 15 21:05:06 localhost caddy[32348]: {"level":"info","ts":1660597506.878165,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["//[::1]:2019","//127.0.0.1:2019","//localhost:2019"]}
Aug 15 21:05:06 localhost caddy[32348]: {"level":"warn","ts":1660597506.8789456,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [cloudflare origin certificate *.t0.lv t0.lv]: no URL to issuing certificate"}
Aug 15 21:05:06 localhost caddy[32348]: {"level":"info","ts":1660597506.8791475,"logger":"http","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"ports.t0.lv","server_name":"srv0"}
Aug 15 21:05:06 localhost caddy[32348]: {"level":"info","ts":1660597506.879484,"logger":"http","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"cdn1.t0.lv","server_name":"srv0"}
Aug 15 21:05:06 localhost caddy[32348]: {"level":"info","ts":1660597506.879615,"logger":"http","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"git.t0.lv","server_name":"srv0"}
Aug 15 21:05:06 localhost caddy[32348]: {"level":"info","ts":1660597506.8797455,"logger":"http","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"reports.t0.lv","server_name":"srv0"}
Aug 15 21:05:06 localhost caddy[32348]: {"level":"info","ts":1660597506.87988,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
Aug 15 21:05:06 localhost caddy[32348]: {"level":"warn","ts":1660597506.8800476,"logger":"http","msg":"enabling strict SNI-Host enforcement because TLS client auth is configured","server_id":"srv0"}
Aug 15 21:05:06 localhost caddy[32348]: {"level":"info","ts":1660597506.8810475,"msg":"autosaved config (load with --resume flag)","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Aug 15 21:05:06 localhost systemd[1]: Started Caddy.
Aug 15 21:05:06 localhost caddy[32348]: {"level":"info","ts":1660597506.8838625,"msg":"serving initial configuration"}
Aug 15 21:05:06 localhost caddy[32348]: {"level":"info","ts":1660597506.8843176,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0005cd1f0"}
Aug 15 21:05:06 localhost caddy[32348]: {"level":"info","ts":1660597506.8844814,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/var/lib/caddy/.local/share/caddy"}
Aug 15 21:05:06 localhost caddy[32348]: {"level":"info","ts":1660597506.8852344,"logger":"tls","msg":"finished cleaning storage units"}

5. What I already tried:

  • (Worst case) Found a way to restrict the origin certificate to include only the sites that are/will be behind cloudflare
  • (Medium case) Change cloudflare to allow self-signed certificates and use ssl internal in (cf)
  • Tried to find a way to force certificate generation (Something like ssl ZeroSSL), no luck even with the wiki search tool

6. Links to relevant resources:

(Guide) Set up caddy with origin certificates and origin pulls

It depends what SAN is in the certificate you loaded (from anywhere). If it’s a wildcard, Caddy will just use it and will skip automation (because it already has something that fulfills the requirements).

You can use the auto_https global option to configure this, you can use auto_https ignore_loaded_certs to make Caddy perform issuance anyways for those that don’t have an explicit TLS config (or more accurately, make it issue certs for anything that appears in the automate list in the JSON config – run caddy adapt --pretty on your Caddyfile to see what I mean).
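The global option from the reply above, applied to the poster’s Caddyfile, as an added example that is not part of the thread (the `log` snippet and the two file_server sites are omitted for brevity; the certificate paths are the ones from the original config):

```caddyfile
# Global options must be the first block in a Caddyfile.
{
        # Issue a certificate for every host in the "automate" list,
        # even when an already loaded certificate (here the *.t0.lv
        # Cloudflare origin certificate) matches that host name.
        auto_https ignore_loaded_certs
}

(cf) {
        tls /etc/nginx/certs/t0-tld-cert.pem /etc/nginx/certs/t0-tld-key.pem {
                client_auth {
                        mode require_and_verify
                        trusted_ca_cert_file /etc/nginx/certs/pull.pem
                }
        }
}

# Behind Cloudflare: explicit tls config, so this site keeps the origin
# certificate and the origin-pull client auth.
ports.t0.lv {
        import cf
        reverse_proxy http://127.0.0.1:9443
}

# Not behind Cloudflare: no explicit tls config, so this host lands in the
# automate list and, with ignore_loaded_certs, gets its own publicly
# trusted certificate instead of the wildcard origin certificate.
git.t0.lv {
        reverse_proxy http://127.0.0.1:3000
}
```

To confirm the effect before reloading, run `caddy adapt --config /etc/caddy/Caddyfile --pretty` and check that git.t0.lv is listed under `apps.tls.certificates.automate` while the Cloudflare hosts are not.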

Thank you for the guidance!

For now I have changed SSL/TLS > Overview > HTTPS Mode from Full (Strict) to Full in CF, and added tls internal instead of my origin certificates, thus not loading them and allowing Caddy to default to requesting them. This seems to have fixed it for me, although not ideal. (Or maybe I am just a perfectionist lol)

I will take a look at auto_https ignore_loaded_certs, as that seems perfect!

