1. Caddy version:
v2.6.2 h1:wKoFIxpmOJLGl3QXoo6PNbYvGW4xLEgo32GPBEjWL8o=
2. How I installed, and run Caddy:
I installed it via the official install instructions for Ubuntu package
a. System environment:
Ubuntu 22.04.1 LTS
macOS 13.2 client
d. My complete Caddy config:
# use this import if you want to always require mTLS certs to get in
(mTLS_required) {
tls {
client_auth {
mode require_and_verify
trusted_ca_cert_file /etc/caddy/root_ca.crt
}
}
}
https://carl.lab.step.toys {
encode gzip
respond "Hi {tls_client_subject}! I'm {system.hostname}"
import mTLS_required
}
3. The problem I’m having:
I’m trying to get the client certificate dialog to appear in Safari during the mTLS handshake with Caddy, when I have a certificate stored in a Yubikey PIV slot.
The config above uses a Web PKI cert for the server, and requires a client cert from my private PKI.
I have a cert and private in Yubikey PIV slot 9a, as suggested by Apple.
The error I get from Safari is that “The certificate for this server is invalid.” My understanding is that it tried looking for client certs and didn’t find one.
Other notes:
- Firefox handles this scenario just fine and prompts me for the Yubikey’s PIN when I visit the URL.
- Yubikey PIV certificates can work in Safari with mTLS. Okta’s “Sign in with PIV / CAC Card” button presents the certificate dialog and shows the Yubikey certificate. But I have no idea what’s different about this vs. Caddy’s handshake.
- The certificate and key are listed when I run
sudo security export-smartcard
. - I’ve tried this with a new macOS account, and that doesn’t change anything.
- I’ve also tried setting up nginx to do this, and I have the same issue there.