Change the local certificate validity period

1. Caddy version (v2.4.6):

2. How I run Caddy:

a. System environment:

Debian 11 Bullseye,
aarch64,
docker version: 20.10.5+dfsg1,
docker image: caddy/latest,
docker image id: 2e48a5247e10

b. Command:

docker-compose up -d

c. Service/unit/compose file:

version: '2'
services:
  caddy:
    container_name: caddy
    image: 'caddy:latest'
    volumes:
      - '/mnt/data/docker/caddy/Caddyfile:/etc/caddy/Caddyfile'
      - '/mnt/data/docker/caddy/srv:/srv'
      - '/mnt/data/docker/caddy/data:/data'
      - '/mnt/data/docker/caddy/config:/config'
    hostname: caddy.xe
    restart: always
    dns:
      - pihole
      - 192.168.178.1
    networks:
      system_mac_vlan:
        ipv4_address: 192.168.178.194
      internal:

networks:
  internal:
    driver: bridge
  system_mac_vlan:
    external: true

d. My complete Caddyfile or JSON config:

fritz.xe {
        reverse_proxy 192.168.178.1:80
        tls internal
}
heimdall.xe {
        reverse_proxy heimdall:80
        tls internal
}
kuma.xe {
        reverse_proxy kuma:3001
        tls internal
}
portainer.xe {
        reverse_proxy 192.168.178.192:9000
        tls internal
}
mkdocs.xe {
        reverse_proxy mkdocs:8000
        tls internal
}
pihole.xe {
        redir / /admin/
        reverse_proxy pihole:80
        tls internal
        ## basicauth {
        ##         bob JDJhJDE0JFZENFhLbFRNTnNDVGxmR242WjVHbU9MRFoubkZHekROZy93eEdwOUVTUXFWT1Q4TGd6VXpx
        ## }
}
pyload.xe {
        reverse_proxy pyload:8000
        tls internal
}
test.xe {
        reverse_proxy 192.168.178.159:80
        tls internal
}

3. The problem I’m having:

The internal TLS certificate that Caddy issues is only valid for 12 hours, and gets renewed after that.
This prompts the browser to issue a SEC_ERROR_UNKNOWN_ISSUER error whenever entering a site served by Caddy (after 12 hours), forcing you to accept the new "insecure" certificate.

4. Error messages and/or full log output:

5. What I already tried:

In order to extend the validity duration of the certificate from 12 hours to a longer timespan,
I found this in the documentation, of which the lifetime parameter seems to be what I am searching for.
However, I can't understand how to implement this in my Caddyfile, especially since there is mention of a JSON file.
If someone could please show me a real-world example of how to use the TLS module in my Caddyfile, or where to find/how to use the JSON configuration, I would be very thankful.

6. Links to relevant resources:

What you’re meant to do is install the root CA cert to your system’s trust store, so that your browser always trusts the certificates generated.

The root CA cert is in Caddy’s data storage.

Caddy does attempt to automate installing the root CA cert, but since you have Caddy running in a container, it obviously can’t install it on your host machine, where your browser is. So you’ll need to do it manually.

Yes, I have read about this, and it is the solution,
as long as we are talking about my devices.

But this is primarily when I have friend at my place, who every time I tell them to look at whatever.site they have to accept the new key.
Having to tell them every time again to trust this is annoying, especially because of the big warning the Browser displays.

Installing my certificate on all their devices is not really practical compared to having them click around the warning once, and then having their Browser trust this certificate for a year (or however long).

The root key is valid for like 10 years. That’s much easier to trust than having to click through warnings every day.

I’d recommend filing a feature request with browsers if you want to make it easier to trust root certs as easily as end entity certs with a click through (but I doubt it’ll be accepted for various reasons).

But you can use Caddy JSON to configure a longer lifetime for its end entity certificates. I’m mobile now but could get you a link later.

I just opened a PR to add the missing options to the Caddyfile.

Still though, I strongly recommend going with trusting the root CA cert. It’s a much better, more permanent option. Better security.

Also, the intermediate certs have a default lifetime of 7 days, and it’s currently not configurable via JSON either. So if you make the leaf certs have a longer lifetime than the intermediate, you’ll probably have some problems anyways. You’d have to turn on sign_with_root to get around that issue. And that’s a bad idea for other reasons.
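An added example, not from this thread or from the Caddy project: a small Python check that reads a Caddy JSON config and reports the two pitfalls described in the post above, a leaf `lifetime` longer than the 7-day intermediate and `sign_with_root` being turned on. The embedded JSON is constructed for the example, modelled on the `kuma.xe` site from the Caddyfile above; the issuer keys `module`, `ca`, `lifetime` and `sign_with_root` are the JSON field names of Caddy's internal issuer, and the 12-hour and 7-day values are the ones stated in the thread.

```python
import json
import re

# Lifetimes as stated in the thread: Caddy's internal issuer signs leaf
# certificates for 12 hours by default, and its intermediate CA certificate
# lives 7 days and is not configurable via JSON.
DEFAULT_LEAF_LIFETIME = "12h"
INTERMEDIATE_LIFETIME_HOURS = 7 * 24

# Constructed sample config (not from the thread): roughly what `caddy adapt`
# emits for one `tls internal` site, with the issuer's lifetime raised to 30 days.
SAMPLE_CONFIG = """
{
  "apps": {
    "http": {
      "servers": {
        "srv0": {
          "listen": [":443"],
          "routes": [
            {
              "match": [{"host": ["kuma.xe"]}],
              "handle": [{"handler": "reverse_proxy",
                          "upstreams": [{"dial": "kuma:3001"}]}]
            }
          ]
        }
      }
    },
    "tls": {
      "automation": {
        "policies": [
          {
            "subjects": ["kuma.xe"],
            "issuers": [
              {"module": "internal", "ca": "local",
               "lifetime": "720h", "sign_with_root": false}
            ]
          }
        ]
      }
    }
  }
}
"""

_UNIT_HOURS = {"s": 1 / 3600, "m": 1 / 60, "h": 1.0, "d": 24.0}
_DURATION_RE = re.compile(r"(\d+(?:\.\d+)?)([smhd])")


def parse_duration_hours(text: str) -> float:
    """Convert a Caddy duration string ('12h', '720h', '7d', '1h30m') to hours.
    Only the s/m/h/d units are handled, which covers certificate lifetimes."""
    parts = _DURATION_RE.findall(text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unsupported duration: {text!r}")
    return sum(float(n) * _UNIT_HOURS[u] for n, u in parts)


def load_sample() -> dict:
    """Return the constructed sample config as a dict."""
    return json.loads(SAMPLE_CONFIG)


def check_internal_issuers(config: dict) -> list[str]:
    """Report internal-issuer settings the thread identifies as problematic:
    a leaf lifetime longer than the 7-day intermediate, or sign_with_root on."""
    findings = []
    policies = (config.get("apps", {}).get("tls", {})
                .get("automation", {}).get("policies", []))
    for policy in policies:
        subjects = ", ".join(policy.get("subjects", [])) or "(all subjects)"
        for issuer in policy.get("issuers", []):
            if issuer.get("module") != "internal":
                continue
            # A missing "lifetime" means Caddy's default of 12 hours applies.
            hours = parse_duration_hours(issuer.get("lifetime", DEFAULT_LEAF_LIFETIME))
            if issuer.get("sign_with_root", False):
                findings.append(
                    f"{subjects}: sign_with_root is enabled; leaf certificates are "
                    f"signed directly by the long-lived root key")
            elif hours > INTERMEDIATE_LIFETIME_HOURS:
                findings.append(
                    f"{subjects}: leaf lifetime {hours:g}h exceeds the "
                    f"{INTERMEDIATE_LIFETIME_HOURS}h intermediate lifetime; "
                    f"the leaf would outlive the intermediate that signed it")
    return findings


if __name__ == "__main__":
    for line in check_internal_issuers(load_sample()):
        print(line)
```

To run the check against a real deployment, replace `SAMPLE_CONFIG` with the output of `caddy adapt --config /etc/caddy/Caddyfile --pretty`, which is also the JSON you would edit to set `lifetime` on the internal issuer.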


Thanks, this means that I can define those values in the Caddyfile with version 2.5.0?
And yes, adding the root CA is probably the better way, but still, thanks for your help!

