Can't issue certificate using internal issuer anymore

1. Output of caddy version:

v2.6.2 h1:wKoFIxpmOJLGl3QXoo6PNbYvGW4xLEgo32GPBEjWL8o=

2. How I run Caddy:

I run Caddy via docker-compose using the caddy:2.6.2-alpine image

a. System environment:

DietPi v8.9.2, running caddy via docker

b. Command:

docker-compose up caddy

c. Service/unit/compose file:

version: '3.7'

services:
  vaultwarden:
    image: vaultwarden/server:1.26.0-arm32v6
    container_name: vaultwarden
    restart: always
    environment:
      - WEBSOCKET_ENABLED=true
    volumes:
      - ./vw-data:/data

  caddy:
    image: caddy:2.6.2-alpine
    container_name: caddy
    restart: always
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - ./caddy-config:/config
      - ./caddy-data:/data
      - ./caddy-certs:/certs
      - ./caddy-download:/downloadables
    environment:
      - "DOMAIN_LIST=https://vaultwarden.home.lan:443, https://vaultwarden:443"
      - LOG_FILE=/data/access.log
      - CA_CERT=/certs/root.crt
      - CA_KEY=/certs/root.key

d. My complete Caddy config:

{
  pki {
    ca vw-ca {
      root {
        cert {$CA_CERT}
        key {$CA_KEY}
      }
    }
  }
}

{$DOMAIN_LIST} {
  log {
    level INFO
    output file {$LOG_FILE} {
      roll_size 10MB
      roll_keep 10
    }
  }

  # Enable TLS
  tls {
    issuer internal {
      ca vw-ca
      sign_with_root
    }
  }

  # Enable compression
  encode gzip

  # Downloadables folder (CA cert)
  handle /downloadables/* {
    root * /downloadables
    file_server
  }

  # Notifications redirected to the WebSocket server
  handle /notifications/hub {
    reverse_proxy vaultwarden:3012
  }

  # Proxy everything else to Rocket
  handle {
    reverse_proxy vaultwarden:80 {
      header_up X-Real-IP {remote_host}
    }
  }
}

3. The problem I’m having:

I’m trying to use a self-signed trusted root certificate to make Caddy automatically issue certificates for my vaultwarden.home.lan and vaultwarden domains. For some reason, Caddy gives me this weird error that I couldn’t find any valuable info about: x509: requested SignatureAlgorithm does not match private key type. My private key type is 4096-bit RSA.

Currently using those two commands to generate my private key/certificate files:

$ openssl genrsa -out root.key 4096
$ openssl req -x509 -sha256 -new -nodes -key root.key -days 7300 -out root.crt

The problem is that the SignatureAlgorithm does not match private key type message doesn’t leave me any clues… What type does my private key need to be? The interesting thing is, it worked flawlessly for almost a year before I decided to do a clean install of DietPi, copying all of my previous Caddy/Vaultwarden/Docker data to it without making any changes to the config files.

4. Error messages and/or full log output:

{"level":"info","ts":1666137956.5622864,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"warn","ts":1666137956.6879723,"msg":"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
{"level":"info","ts":1666137956.735624,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1666137956.8141751,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x38f5270"}
{"level":"info","ts":1666137956.9496994,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1666137956.9571142,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1666137956.9801853,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"info","ts":1666137956.9876792,"msg":"failed to sufficiently increase receive buffer size (was: 176 kiB, wanted: 2048 kiB, got: 352 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details."}
{"level":"debug","ts":1666137956.9999893,"logger":"http","msg":"starting server loop","address":"[::]:443","tls":true,"http3":true}
{"level":"info","ts":1666137957.0074394,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"debug","ts":1666137957.0196562,"logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}
{"level":"info","ts":1666137957.0279973,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1666137957.0363963,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["vaultwarden","vaultwarden.home.lan"]}
{"level":"info","ts":1666137957.0647142,"logger":"tls.obtain","msg":"acquiring lock","identifier":"vaultwarden.home.lan"}
{"level":"info","ts":1666137957.0792642,"logger":"tls.obtain","msg":"acquiring lock","identifier":"vaultwarden"}
{"level":"info","ts":1666137957.1380982,"logger":"tls.obtain","msg":"lock acquired","identifier":"vaultwarden.home.lan"}
{"level":"info","ts":1666137957.1482213,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"vaultwarden.home.lan"}
{"level":"debug","ts":1666137957.1558852,"logger":"events","msg":"event","name":"cert_obtaining","id":"e8b7588e-08ec-4a56-9813-ca4f0470169d","origin":"tls","data":{"identifier":"vaultwarden.home.lan"}}
{"level":"info","ts":1666137957.1646152,"logger":"tls.obtain","msg":"lock acquired","identifier":"vaultwarden"}
{"level":"info","ts":1666137957.20883,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"vaultwarden"}
{"level":"debug","ts":1666137957.2344093,"logger":"events","msg":"event","name":"cert_obtaining","id":"6a8e512d-0f2c-4785-b73a-fa6dd6becda7","origin":"tls","data":{"identifier":"vaultwarden"}}
{"level":"debug","ts":1666137957.233992,"logger":"tls.obtain","msg":"trying issuer 1/1","issuer":"vw-ca"}
{"level":"debug","ts":1666137957.3109512,"logger":"tls.obtain","msg":"trying issuer 1/1","issuer":"vw-ca"}
{"level":"error","ts":1666137957.63976,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"vaultwarden.home.lan","issuer":"vw-ca","error":"authority.Sign; error creating certificate: error creating certificate: x509: requested SignatureAlgorithm does not match private key type","errorVerbose":"x509: requested SignatureAlgorithm does not match private key type\nerror creating certificate\ngo.step.sm/crypto/x509util.CreateCertificate\n\tgo.step.sm/crypto@v0.18.0/x509util/certificate.go:184\ngithub.com/smallstep/certificates/cas/softcas.createCertificate\n\tgithub.com/smallstep/certificates@v0.22.1/cas/softcas/softcas.go:258\ngithub.com/smallstep/certificates/cas/softcas.(*SoftCAS).CreateCertificate\n\tgithub.com/smallstep/certificates@v0.22.1/cas/softcas/softcas.go:80\ngithub.com/smallstep/certificates/authority.(*Authority).Sign\n\tgithub.com/smallstep/certificates@v0.22.1/authority/tls.go:228\ngithub.com/caddyserver/caddy/v2/modules/caddytls.InternalIssuer.Issue\n\tgithub.com/caddyserver/caddy/v2@v2.6.2/modules/caddytls/internalissuer.go:131\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.17.2/config.go:554\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.17.2/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.17.2/config.go:611\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.17.2/config.go:462\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.17.2/config.go:359\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.17.2/async.go:73\nruntime.goexit\n\truntime/asm_arm.s:831\nauthority.Sign; error creating certificate\ngithub.com/smallstep/certificates/errs.Wrap\n\tgithub.com/smallstep/certificates@v0.22.1/errs/error.go:99\ngithub.com/smallstep/certificates/authority.(*Authority).Sign\n\tgithub.com/smallstep/certificates@v0.22.1/authority/tls.go:236\ngithub.com/caddyserver/caddy/v2/modules/caddytls.InternalIssuer.Issue\n\tgithub.com/caddyserver/caddy/v2@v2.6.2/modules/caddytls/internalissuer.go:131\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.17.2/config.go:554\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.17.2/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.17.2/config.go:611\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.17.2/config.go:462\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.17.2/config.go:359\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.17.2/async.go:73\nruntime.goexit\n\truntime/asm_arm.s:831"}
{"level":"debug","ts":1666137957.7061722,"logger":"events","msg":"event","name":"cert_failed","id":"e52e06d3-f34d-435c-bab6-0d2a0baf3829","origin":"tls","data":{"error":{"status":500,"message":"The certificate authority encountered an Internal Server Error. Please see the certificate authority logs for more info."},"identifier":"vaultwarden.home.lan","issuers":["vw-ca"],"renewal":false}}
{"level":"error","ts":1666137957.7141402,"logger":"tls.obtain","msg":"will retry","error":"[vaultwarden.home.lan] Obtain: authority.Sign; error creating certificate: error creating certificate: x509: requested SignatureAlgorithm does not match private key type","attempt":1,"retrying_in":60,"elapsed":0.567696,"max_duration":2592000}
{"level":"error","ts":1666137957.7444441,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"vaultwarden","issuer":"vw-ca","error":"authority.Sign; error creating certificate: error creating certificate: x509: requested SignatureAlgorithm does not match private key type","errorVerbose":"x509: requested SignatureAlgorithm does not match private key type\nerror creating certificate\ngo.step.sm/crypto/x509util.CreateCertificate\n\tgo.step.sm/crypto@v0.18.0/x509util/certificate.go:184\ngithub.com/smallstep/certificates/cas/softcas.createCertificate\n\tgithub.com/smallstep/certificates@v0.22.1/cas/softcas/softcas.go:258\ngithub.com/smallstep/certificates/cas/softcas.(*SoftCAS).CreateCertificate\n\tgithub.com/smallstep/certificates@v0.22.1/cas/softcas/softcas.go:80\ngithub.com/smallstep/certificates/authority.(*Authority).Sign\n\tgithub.com/smallstep/certificates@v0.22.1/authority/tls.go:228\ngithub.com/caddyserver/caddy/v2/modules/caddytls.InternalIssuer.Issue\n\tgithub.com/caddyserver/caddy/v2@v2.6.2/modules/caddytls/internalissuer.go:131\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.17.2/config.go:554\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.17.2/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.17.2/config.go:611\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.17.2/config.go:462\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.17.2/config.go:359\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.17.2/async.go:73\nruntime.goexit\n\truntime/asm_arm.s:831\nauthority.Sign; error creating certificate\ngithub.com/smallstep/certificates/errs.Wrap\n\tgithub.com/smallstep/certificates@v0.22.1/errs/error.go:99\ngithub.com/smallstep/certificates/authority.(*Authority).Sign\n\tgithub.com/smallstep/certificates@v0.22.1/authority/tls.go:236\ngithub.com/caddyserver/caddy/v2/modules/caddytls.InternalIssuer.Issue\n\tgithub.com/caddyserver/caddy/v2@v2.6.2/modules/caddytls/internalissuer.go:131\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.17.2/config.go:554\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.17.2/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.17.2/config.go:611\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.17.2/config.go:462\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.17.2/config.go:359\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.17.2/async.go:73\nruntime.goexit\n\truntime/asm_arm.s:831"}
{"level":"debug","ts":1666137957.7551541,"logger":"events","msg":"event","name":"cert_failed","id":"df7173e8-74a0-4fd7-9408-39160d6cace3","origin":"tls","data":{"error":{"status":500,"message":"The certificate authority encountered an Internal Server Error. Please see the certificate authority logs for more info."},"identifier":"vaultwarden","issuers":["vw-ca"],"renewal":false}}
{"level":"error","ts":1666137957.7610912,"logger":"tls.obtain","msg":"will retry","error":"[vaultwarden] Obtain: authority.Sign; error creating certificate: error creating certificate: x509: requested SignatureAlgorithm does not match private key type","attempt":1,"retrying_in":60,"elapsed":0.554023,"max_duration":2592000}
{"level":"info","ts":1666137958.8766544,"logger":"pki.ca.vw-ca","msg":"root certificate is already trusted by system","path":"/certs/root.crt"}
{"level":"info","ts":1666137958.9081242,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1666137958.9159842,"msg":"serving initial configuration"}
{"level":"info","ts":1666137958.9231052,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"info","ts":1666137958.925789,"logger":"tls","msg":"finished cleaning storage units"}

5. What I already tried:

I tried to re-generate the private key/certificate with RSA-4096 and ECDSA as my private key types; that’s the only thing I could think of given this strange error message…

6. Links to relevant resources:

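Editor's note on the error itself. The errorVerbose trace above shows the message originating in Go's crypto/x509 (reached through go.step.sm/crypto x509util.CreateCertificate, smallstep's softcas and Caddy's InternalIssuer). crypto/x509 returns exactly "x509: requested SignatureAlgorithm does not match private key type" when the certificate template passed to x509.CreateCertificate asks for a signature algorithm from one key family (for example ECDSA-with-SHA256) while the key doing the signing belongs to another (the poster's RSA root). The Go program below is an added example written for this page, not code from the post, from Caddy or from smallstep. It builds an RSA root in memory like the poster's openssl commands do, submits a CSR signed with an ECDSA P-256 key (Caddy's default leaf key type), and signs it twice: once with the template's SignatureAlgorithm copied from the CSR, which reproduces the error, and once with the field left at zero so crypto/x509 derives SHA256WithRSA from the signing key. That a template inherits the CSR's signature algorithm is an assumption about how this failure can arise, not something the log proves. The names vw-ca and vaultwarden.home.lan come from the post; the function names, the 2048-bit root (chosen only for speed, the key family is what matters) and the validity periods are the editor's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newRSARoot is the in-memory equivalent of the post's
// `openssl genrsa` + `openssl req -x509`: a self-signed RSA CA.
func newRSARoot() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // 2048 for speed; type is what matters
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "vw-ca"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newECDSACSR plays the client side: a CSR for the site name signed with a
// fresh ECDSA P-256 key, so its SignatureAlgorithm is ECDSAWithSHA256.
func newECDSACSR(host string) (*x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
	}, key)
	if err != nil {
		return nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	// A CA must not sign a CSR whose proof-of-possession fails.
	return csr, csr.CheckSignature()
}

// signLeaf issues a server cert for csr under the RSA root. With
// copyCSRSigAlg the template inherits ECDSAWithSHA256 from the CSR and
// crypto/x509 refuses to sign with the RSA key (the error in the post);
// without it the field stays 0 and crypto/x509 picks SHA256WithRSA.
func signLeaf(root *x509.Certificate, rootKey *rsa.PrivateKey, csr *x509.CertificateRequest, copyCSRSigAlg bool) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames,
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if copyCSRSigAlg {
		tmpl.SignatureAlgorithm = csr.SignatureAlgorithm
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, csr.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return leaf, leaf.CheckSignatureFrom(root) // chain check against the root
}

// IssueUnderRSARoot runs both signings and returns the CSR's algorithm,
// the mismatch error, and the leaf issued when crypto/x509 chooses.
func IssueUnderRSARoot(host string) (x509.SignatureAlgorithm, error, *x509.Certificate, error) {
	root, rootKey, err := newRSARoot()
	if err != nil {
		return 0, nil, nil, err
	}
	csr, err := newECDSACSR(host)
	if err != nil {
		return 0, nil, nil, err
	}
	_, mismatchErr := signLeaf(root, rootKey, csr, true)
	leaf, err := signLeaf(root, rootKey, csr, false)
	return csr.SignatureAlgorithm, mismatchErr, leaf, err
}

func main() {
	csrAlg, mismatchErr, leaf, err := IssueUnderRSARoot("vaultwarden.home.lan")
	if err != nil {
		panic(err)
	}
	fmt.Println("CSR signature algorithm:     ", csrAlg)
	fmt.Println("template copied from CSR:    ", mismatchErr)
	fmt.Println("template left to crypto/x509:", leaf.SignatureAlgorithm, leaf.DNSNames)
}
```

Running it with `go run` prints the CSR's ECDSAWithSHA256, the verbatim error from the post, and a SHA256WithRSA leaf for vaultwarden.home.lan that chains to the root. Against the poster's real files, `openssl x509 -in root.crt -noout -text` shows which key family the root uses, which is the half of the mismatch that the log alone does not reveal.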