1. Output of `caddy version`:

```
v2.5.2 h1:eCJdLyEyAGzuQTa5Mh3gETnYWDClo1LjtQm2q9RNZrs=
```
2. How I run Caddy:

a. System environment:

Debian 11 with caddy PPAs, docker running but not used by caddy.

b. Command:

```
systemctl reload caddy
```

c. Service/unit/compose file:
d. My complete Caddy config:

```
(cf) {
	tls /etc/nginx/certs/t0-tld-cert.pem /etc/nginx/certs/t0-tld-key.pem {
		client_auth {
			mode require_and_verify
			trusted_ca_cert_file /etc/nginx/certs/pull.pem
		}
	}
}

(log) {
	log {
		output file /var/log/caddy/access.log
		format json
		level info
	}
}

cdn1.t0.lv {
	import cf
	import log
	root * /var/www/cdn1
	file_server
	header Cache-Control max-age=3600
	header Access-Control-Allow-Origin "*"
	redir /gitea/assets/css/theme-tp-nord.css https://theme-park.dev/css/base/gitea/nord.css
}

git.t0.lv {
	import log
	reverse_proxy http://127.0.0.1:3000
}

ports.t0.lv {
	import cf
	import log
	reverse_proxy http://127.0.0.1:9443
}

reports.t0.lv {
	import cf
	import log
	root * /var/www/reports
	file_server
}
```
3. The problem I’m having:

I have some domains behind Cloudflare (cdn1.t0.lv, ports.t0.lv, reports.t0.lv), and one local without CF’s proxy, git.t0.lv. For the Cloudflare domains I use their origin certificate and pull validation (defined in `(cf)`); the origin certificate is issued for t0.lv and *.t0.lv.

Currently when I visit https://git.t0.lv (not behind Cloudflare) I still get served the Cloudflare origin certificate, even though I haven’t told Caddy to use it.

(The DNS for git.t0.lv is still not propagated fully, but the command below should achieve the same result.)

```
openssl s_client -showcerts -servername git.t0.lv -connect srv1.t0.lv:443 | grep "CloudFlare Origin Certificate"
```

Am I missing something? Is there some SSL setting that I can write to kindly ask ZeroSSL to generate a certificate even if a wildcard is loaded?
4. Error messages and/or full log output:

```
e@f ~> openssl s_client -showcerts -servername git.t0.lv -connect srv1.t0.lv:443 | grep "CloudFlare Origin Certificate" 00:47
depth=0 O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
verify return:1
 0 s:O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
subject=O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
```

The relevant log line:

```
Aug 15 21:05:06 localhost caddy[32348]: {"level":"info","ts":1660597506.879615,"logger":"http","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"git.t0.lv","server_name":"srv0"}
```
Full log:

```
Aug 15 21:05:06 localhost systemd[1]: Starting Caddy...
Aug 15 21:05:06 localhost caddy[32348]: caddy.HomeDir=/var/lib/caddy
Aug 15 21:05:06 localhost caddy[32348]: caddy.AppDataDir=/var/lib/caddy/.local/share/caddy
Aug 15 21:05:06 localhost caddy[32348]: caddy.AppConfigDir=/var/lib/caddy/.config/caddy
Aug 15 21:05:06 localhost caddy[32348]: caddy.ConfigAutosavePath=/var/lib/caddy/.config/caddy/autosave.json
Aug 15 21:05:06 localhost caddy[32348]: caddy.Version=v2.5.2 h1:eCJdLyEyAGzuQTa5Mh3gETnYWDClo1LjtQm2q9RNZrs=
Aug 15 21:05:06 localhost caddy[32348]: runtime.GOOS=linux
Aug 15 21:05:06 localhost caddy[32348]: runtime.GOARCH=amd64
Aug 15 21:05:06 localhost caddy[32348]: runtime.Compiler=gc
Aug 15 21:05:06 localhost caddy[32348]: runtime.NumCPU=1
Aug 15 21:05:06 localhost caddy[32348]: runtime.GOMAXPROCS=1
Aug 15 21:05:06 localhost caddy[32348]: runtime.Version=go1.18.3
Aug 15 21:05:06 localhost caddy[32348]: os.Getwd=/
Aug 15 21:05:06 localhost caddy[32348]: LANG=en_US.UTF-8
Aug 15 21:05:06 localhost caddy[32348]: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Aug 15 21:05:06 localhost caddy[32348]: NOTIFY_SOCKET=/run/systemd/notify
Aug 15 21:05:06 localhost caddy[32348]: HOME=/var/lib/caddy
Aug 15 21:05:06 localhost caddy[32348]: LOGNAME=caddy
Aug 15 21:05:06 localhost caddy[32348]: USER=caddy
Aug 15 21:05:06 localhost caddy[32348]: INVOCATION_ID=3a70e200a0954e719ff3dd292f892477
Aug 15 21:05:06 localhost caddy[32348]: JOURNAL_STREAM=8:178404
Aug 15 21:05:06 localhost caddy[32348]: {"level":"info","ts":1660597506.8699348,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Aug 15 21:05:06 localhost caddy[32348]: {"level":"warn","ts":1660597506.8750892,"msg":"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":28}
Aug 15 21:05:06 localhost caddy[32348]: {"level":"info","ts":1660597506.878165,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["//[::1]:2019","//127.0.0.1:2019","//localhost:2019"]}
Aug 15 21:05:06 localhost caddy[32348]: {"level":"warn","ts":1660597506.8789456,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [cloudflare origin certificate *.t0.lv t0.lv]: no URL to issuing certificate"}
Aug 15 21:05:06 localhost caddy[32348]: {"level":"info","ts":1660597506.8791475,"logger":"http","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"ports.t0.lv","server_name":"srv0"}
Aug 15 21:05:06 localhost caddy[32348]: {"level":"info","ts":1660597506.879484,"logger":"http","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"cdn1.t0.lv","server_name":"srv0"}
Aug 15 21:05:06 localhost caddy[32348]: {"level":"info","ts":1660597506.879615,"logger":"http","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"git.t0.lv","server_name":"srv0"}
Aug 15 21:05:06 localhost caddy[32348]: {"level":"info","ts":1660597506.8797455,"logger":"http","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"reports.t0.lv","server_name":"srv0"}
Aug 15 21:05:06 localhost caddy[32348]: {"level":"info","ts":1660597506.87988,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
Aug 15 21:05:06 localhost caddy[32348]: {"level":"warn","ts":1660597506.8800476,"logger":"http","msg":"enabling strict SNI-Host enforcement because TLS client auth is configured","server_id":"srv0"}
Aug 15 21:05:06 localhost caddy[32348]: {"level":"info","ts":1660597506.8810475,"msg":"autosaved config (load with --resume flag)","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Aug 15 21:05:06 localhost systemd[1]: Started Caddy.
Aug 15 21:05:06 localhost caddy[32348]: {"level":"info","ts":1660597506.8838625,"msg":"serving initial configuration"}
Aug 15 21:05:06 localhost caddy[32348]: {"level":"info","ts":1660597506.8843176,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0005cd1f0"}
Aug 15 21:05:06 localhost caddy[32348]: {"level":"info","ts":1660597506.8844814,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/var/lib/caddy/.local/share/caddy"}
Aug 15 21:05:06 localhost caddy[32348]: {"level":"info","ts":1660597506.8852344,"logger":"tls","msg":"finished cleaning storage units"}
```
5. What I already tried:

- (Worst case) Found a way to restrict the origin certificate to include only the sites that are/will be behind Cloudflare
- (Medium case) Change Cloudflare to allow self-signed certificates and use `ssl internal` in `(cf)`
- Tried to find a way to force certificate generation (something like `ssl ZeroSSL`), no luck even with the wiki search tool
6. Links to relevant resources:
(Guide) Set up caddy with origin certificates and origin pulls
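The reason git.t0.lv ends up on the origin certificate is visible in the log line "skipping automatic certificate management because one or more matching certificates are already loaded": a manually loaded certificate whose SAN list contains `*.t0.lv` matches any single-label subdomain of t0.lv, so Caddy treats git.t0.lv as already covered and never asks ZeroSSL or Let's Encrypt for it. The Go program below is an added example, not part of the original post and not Caddy's own code. It builds a throwaway self-signed certificate with the same name set as the origin cert (t0.lv and *.t0.lv; no Cloudflare key material is involved), uses Go's standard `x509` one-label wildcard rule as a stand-in for Caddy's certificate selection to show which hostnames that name set covers, and then scans journal-style Caddy log lines (constructed here to mirror the ones quoted above) to list every domain for which automation was skipped. The hostnames, log lines and function names are this example's own assumptions.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// newOriginLikeCert builds a self-signed certificate carrying the given SANs.
// It is a constructed stand-in for the origin certificate in the post; the
// only property this example needs is the name set, not who issued it.
func newOriginLikeCert(names []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example origin certificate"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     names,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CoveredBy reports, for each hostname, whether the certificate's SANs match it.
// VerifyHostname applies the standard rule: a wildcard matches exactly one
// DNS label, so *.t0.lv covers git.t0.lv but neither t0.lv nor deep.git.t0.lv.
func CoveredBy(cert *x509.Certificate, hosts []string) map[string]bool {
	out := make(map[string]bool, len(hosts))
	for _, h := range hosts {
		out[h] = cert.VerifyHostname(h) == nil
	}
	return out
}

// caddyLogLine is the subset of Caddy's JSON log fields this check reads.
type caddyLogLine struct {
	Level  string `json:"level"`
	Logger string `json:"logger"`
	Msg    string `json:"msg"`
	Domain string `json:"domain"`
}

// SkippedAutomation scans Caddy log output (a journald prefix before the JSON
// is tolerated) and returns, in order, every domain for which Caddy reported
// skipping automatic certificate management.
func SkippedAutomation(logText string) []string {
	var domains []string
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		line := sc.Text()
		i := strings.Index(line, "{")
		if i < 0 {
			continue
		}
		var entry caddyLogLine
		if err := json.Unmarshal([]byte(line[i:]), &entry); err != nil {
			continue
		}
		if entry.Logger == "http" && strings.HasPrefix(entry.Msg, "skipping automatic certificate management") {
			domains = append(domains, entry.Domain)
		}
	}
	return domains
}

// sampleLog is constructed for this example to mirror the journal lines in the post.
const sampleLog = `Aug 15 21:05:06 localhost caddy[32348]: {"level":"info","ts":1660597506.8791475,"logger":"http","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"ports.t0.lv","server_name":"srv0"}
Aug 15 21:05:06 localhost caddy[32348]: {"level":"info","ts":1660597506.879615,"logger":"http","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"git.t0.lv","server_name":"srv0"}
Aug 15 21:05:06 localhost caddy[32348]: {"level":"info","ts":1660597506.87988,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}`

func main() {
	cert, err := newOriginLikeCert([]string{"t0.lv", "*.t0.lv"})
	if err != nil {
		panic(err)
	}
	for _, h := range []string{"git.t0.lv", "t0.lv", "deep.git.t0.lv"} {
		fmt.Printf("%-16s covered by loaded cert: %v\n", h, CoveredBy(cert, []string{h})[h])
	}
	fmt.Println("automation skipped for:", SkippedAutomation(sampleLog))
}
```

Running `SkippedAutomation` over the real journal output is a quick way to audit which site names a manually loaded wildcard certificate has quietly taken over; any name in that list that is not actually behind Cloudflare (git.t0.lv here) will be served a certificate browsers cannot verify, which is exactly what the `openssl s_client` output above shows.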