I can’t get the tls certs signed by caddy to have the configured CN and SAN.
Is there any way to get caddy to sign the self-signed certs with the internal CA using keycloak.localhost and photoz.localhost as configured in the Caddyfile?
When running Caddy in Docker, it’s important to use a volume for the /data directory so as not to lose any certificate data!
Also, it’s unnecessary to set the X-Forwarded-For header; Caddy already does that for you in v2. And on the current master branch (i.e. the next release) it will also handle X-Forwarded-Proto for you.
It’s unclear to me what exactly the issue is you’re asking about though, what are you seeing instead of what you expect? Could you clarify?
Here’s the output when I use openssl to try and connect to caddy
I’m expecting something more like, say if we use the same command on yahoo.com,
I get something like
0 s:C = US, ST = California, L = Sunnyvale, O = Oath Inc, CN = *.www.yahoo.com
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
The error from openssl is just saying that it doesn’t trust the issuer, so Caddy’s root isn’t installed in your trust store, it seems. (That’s probably because it’s running in a docker container and not on your host system.) So, I think that is expected.
But I think that’s ok, because if the SAN is set, the CN is not checked, according to
Thanks so much!
PS: thanks for the advice on setting the X-Forwarded-For header! It was surprising to me that the docs said X-Forwarded-Proto will be set when it isn’t (yet) set, so I decided to explicitly set both to be sure.
You can always install Caddy’s root cert on your host machine if you want to. (Make sure you’re persisting Caddy’s storage like Francis warned!)
The CommonName field has been deprecated for years, so Caddy doesn’t set that field on its certificates.
The docs might be slightly ahead of the tagged release at the moment, should only be that way for another week or so! That header will be set automatically with the next release.
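As an added illustration of the point made in this thread (my own code, not anything from the thread, from Caddy, or from openssl), here is a stdlib-only Python check that applies the SAN-first rule to the dict shape ssl's getpeercert() returns, so an empty CN is accepted whenever the SAN carries the names, plus a helper for running the same check against a live Caddy with its exported root as the only trust anchor. The sample certificate dicts are constructed, and the remark about where Caddy keeps root.crt is an assumption about a default data directory.

```python
from __future__ import annotations
import socket
import ssl
# Constructed samples in the dict shape ssl.SSLSocket.getpeercert() returns.
# Caddy's internal CA leaves the subject CN unset and lists names in the SAN.
CADDY_STYLE_CERT = {"subject": (),
                    "subjectAltName": (("DNS", "keycloak.localhost"), ("DNS", "photoz.localhost"))}
# Both fields present: the CN must be ignored once a SAN exists.
MIXED_CERT = {"subject": ((("commonName", "ignored.example"),),),
              "subjectAltName": (("DNS", "photoz.localhost"),)}
# Legacy CN-only certificate, the only case where a CN fallback applies.
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.localhost"),),), "subjectAltName": ()}

def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 style: exact match, or a wildcard covering only the leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p, h = pattern.split("."), hostname.split(".")
    return len(p) == len(h) and p[1:] == h[1:]

def dns_names(cert: dict) -> list[str]:
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def common_name(cert: dict) -> str | None:
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def hostname_matches(cert: dict, hostname: str) -> tuple[bool, str]:
    """Return (matched, field used). SAN wins whenever present; an empty CN is fine."""
    names = dns_names(cert)
    if names:
        return any(_dns_match(n, hostname) for n in names), "SAN"
    cn = common_name(cert)
    if cn is None:
        return False, "none"
    return _dns_match(cn, hostname), "CN fallback"

def fetch_peer_cert(host: str, port: int, cafile: str) -> dict:
    """Live check against a running Caddy; cafile is its exported root.crt (path is yours)."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Against a Docker-hosted Caddy, copy root.crt out of the persisted data volume and pass it as cafile; a successful fetch_peer_cert() already implies the SAN matched, and hostname_matches() on the returned dict shows which field did it.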