Caddyfile TLS does not disable auto_https when provided a cert and key

1. Caddy version (caddy version):

2.1.1

2. How I run Caddy:

a. System environment:

Linux - Manjaro KDE
Docker 19.03

b. Command:

docker run --rm -it \
--name caddytest \
-p 80:80 -p 443:443 \
-v $PWD/public:/usr/share/caddy/ \
-v $PWD/caddy/data:/data  \
-v $PWD/caddy/Caddyfile:/etc/caddy/Caddyfile \
-v $PWD/caddy/tls:/tls caddy

c. Service/unit/compose file:

N/A

d. My complete Caddyfile or JSON config:

pugs.localhost {
  tls /tls/pugs.localhost.pem /tls/pugs.localhost-key.pem
  root * /usr/share/caddy
  file_server
}

3. The problem I’m having:

According to the docs, auto_https behavior should implicitly be off for the given site block when providing a local certificate.

Unlike tls internal (which fails to generate a certificate from auto_https off), a certificate can be found when visiting the site address, so there is no TLS error. However, redirects from HTTP to HTTPS should not happen implicitly according to the docs?

I am OK with the redirect, but is this the intended behavior, contrary to what the docs suggest should happen? auto_https off or auto_https disable_redirects will explicitly disable the implicit redirects globally for all site blocks, as expected. This was presumably meant to happen on the given site block implicitly (but seems to have no effect if so)?

4. Error messages and/or full log output:

2020/09/09 07:49:30.437 INFO    using provided configuration    {"config_file": "/etc/caddy/Caddyfile", "config_adapter": "caddyfile"}
2020/09/09 07:49:30.439 INFO    admin   admin endpoint started  {"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["localhost:2019", "[::1]:2019", "127.0.0.1:2019"]}
2020/09/09 07:49:30 [INFO][cache:0xc00003b8c0] Started certificate maintenance routine
2020/09/09 07:49:30 [WARNING] Stapling OCSP: no OCSP stapling for [pugs.localhost]: no OCSP server specified in certificate
2020/09/09 07:49:30.439 INFO    http    skipping automatic certificate management because one or more matching certificates are already loaded  {"domain": "pugs.localhost", "server_name": "srv0"}
2020/09/09 07:49:30.439 INFO    http    enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2020/09/09 07:49:30.439 INFO    tls     cleaned up storage units
2020/09/09 07:49:30.440 INFO    autosaved config        {"file": "/config/caddy/autosave.json"}
2020/09/09 07:49:30.440 INFO    serving initial configuration

5. What I already tried:

  • Using the JSON API for ignore_loaded_certificates: false does not disable it either (assuming this is manually loading)
  • Differs from tls internal with auto_https off, as the certificate is still provided.

6. Links to relevant resources:

<cert_file> and <key_file> are the paths to the certificate and private key PEM files. Specifying just one is invalid; specifying both will disable automatic HTTPS.

Related issue raised on GitHub for docs (no response for 3 weeks):
https://github.com/caddyserver/website/issues/79
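
Added example, not part of the original post and not Caddy project code: a Python check that reads Caddy startup log lines like those in section 4 and reports, per server, whether automatic HTTP->HTTPS redirects were enabled even though certificate management was skipped for an already loaded certificate. The function names are hypothetical, and the sample log is constructed from lines quoted in the post.

```python
import json

# Constructed sample: the two "http" startup lines quoted in the post above,
# plus one line without a JSON payload to show that such lines are skipped.
SAMPLE_LOG = """\
2020/09/09 07:49:30 [INFO][cache:0xc00003b8c0] Started certificate maintenance routine
2020/09/09 07:49:30.439 INFO    http    skipping automatic certificate management because one or more matching certificates are already loaded  {"domain": "pugs.localhost", "server_name": "srv0"}
2020/09/09 07:49:30.439 INFO    http    enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
"""

SKIP_MSG = "skipping automatic certificate management"
REDIRECT_MSG = "enabling automatic HTTP->HTTPS redirects"


def auto_https_summary(log_text):
    """Map each server name to its redirect state and provided-cert domains."""
    summary = {}
    for line in log_text.splitlines():
        brace = line.find("{")
        if brace == -1:
            continue  # no structured fields on this line
        head, payload = line[:brace], line[brace:]
        try:
            fields = json.loads(payload)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON tail
        server = fields.get("server_name")
        if server is None:
            continue  # message is not tied to an HTTP server
        entry = summary.setdefault(
            server, {"redirects": False, "provided_cert_domains": []})
        if REDIRECT_MSG in head:
            entry["redirects"] = True
        elif SKIP_MSG in head:
            entry["provided_cert_domains"].append(fields.get("domain"))
    return summary


def redirects_despite_provided_cert(summary):
    """Servers that use a loaded certificate yet still got automatic redirects."""
    return sorted(name for name, e in summary.items()
                  if e["redirects"] and e["provided_cert_domains"])


if __name__ == "__main__":
    result = auto_https_summary(SAMPLE_LOG)
    print(result)
    print(redirects_despite_provided_cert(result))
```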
