The Internal TLS Certificate that Caddy issues is only valid for 12 hours, and gets renewed after that.
This prompts the Browser to issue a SEC_ERROR_UNKNOWN_ISSUER error whenever entering a site (after 12 hours) served by Caddy, forcing you to accept the new “insecure” certificate.
In order to extend the validity duration of the Certificate from 12 hours to a longer timespan, I found this in the documentation, of which the lifetime parameter seems to be what I am searching for.
However, I can’t understand how to implement this into my Caddyfile, especially since there is mention of a JSON file?
If someone could please show me a real-world example of how to use the TLS module in my Caddyfile, or where to find/how to use the JSON configuration, I would be very thankful.
What you’re meant to do is install the root CA cert to your system’s trust store, so that your browser always trusts the certificates generated.
The root CA cert is in Caddy’s data storage.
Caddy does attempt to automate installing the root CA cert, but since you have Caddy running in a container, it obviously can’t install it on your host machine, where your browser is. So you’ll need to do it manually.
Yes, I have read about this, and it is the solution, as long as we are talking about my devices.
But this is primarily when I have friends at my place, who, every time I tell them to look at whatever.site, have to accept the new key.
Having to tell them every time again to trust this is annoying, especially because of the big warning the Browser displays.
Installing my certificate on all their devices is not really practical compared to having them click around the warning once, and then having their Browser trust this certificate for a year (or however long).
The root key is valid for like 10 years. That’s much easier to trust than having to click through warnings every day.
I’d recommend filing a feature request with browsers if you want to make it easier to trust root certs as easily as end entity certs with a click through (but I doubt it’ll be accepted for various reasons).
But you can use Caddy JSON to configure a longer lifetime for its end entity certificates. I’m mobile now but could get you a link later.
I just opened a PR to add the missing options to the Caddyfile.
Still though, I strongly recommend going with trusting the root CA cert. It’s a much better, more permanent option. Better security.
Also, the intermediate certs have a default lifetime of 7 days, and it’s currently not configurable via JSON either. So if you make the leaf certs have a longer lifetime than the intermediate, you’ll probably have some problems anyways. You’d have to turn on sign_with_root to get around that issue. And that’s a bad idea for other reasons.
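As an added example (not taken from this thread or from the Caddy project), this is the Caddy JSON shape Matt refers to: an `internal` issuer with its `lifetime` set, attached to an automation policy for the host. The host name `whatever.site` comes from the thread, the `static_response` handler is a placeholder site, and `144h` (6 days) is chosen to stay below the 7-day default intermediate lifetime mentioned above; `sign_with_root` is left at its default (false).

```json
{
  "apps": {
    "http": {
      "servers": {
        "srv0": {
          "listen": [":443"],
          "routes": [
            {
              "match": [{ "host": ["whatever.site"] }],
              "handle": [
                {
                  "handler": "static_response",
                  "body": "hello from caddy"
                }
              ]
            }
          ]
        }
      }
    },
    "tls": {
      "automation": {
        "policies": [
          {
            "subjects": ["whatever.site"],
            "issuers": [
              {
                "module": "internal",
                "ca": "local",
                "lifetime": "144h"
              }
            ]
          }
        ]
      }
    }
  }
}
```

Run it with `caddy run --config caddy.json`; an existing Caddyfile can be converted to this JSON form with `caddy adapt --config Caddyfile --pretty` so the `tls` section can be edited in place. Visitors still need the root CA trusted once, as the replies above explain; the longer leaf lifetime only reduces how often the warning reappears.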