Configuring internal tls

1. Caddy version (caddy version):

Docker :latest

2. How I run Caddy:

Simple file_server for now

a. System environment:

Ubuntu 21

b. Command:

Paste command here.

c. Service/unit/compose file:

version: '3'
services:
  caddy:
    image: caddy/caddy
    container_name: caddy
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    volumes:
      - /home/me/Caddy/usr/share/caddy:/usr/share/caddy
      - /home/me/Caddy/data:/data
      - /home/me/Caddy/config:/config
      - /home/me/Caddy/caddy:/caddy
      - /home/me/Caddy/logs:/logs
      - /home/me/Caddy/Caddyfile:/etc/caddy/Caddyfile
      - /var/www:/var/www

networks:
    default:
        external:
            name: mypublicnetwork

d. My complete Caddyfile or JSON config:

lenovo {
        tls internal
        root * /var/www
        file_server
}

3. The problem I’m having:

Chrome says “windows does not have enough information to verify this certificate”

Caddy Local Authority - ECC Intermediate

Ignoring the error, the file_server works fine just without cert.

Is there some other step I need to take? The directions aren’t clear whether I need to do something else to make the certificate usable.

4. Error messages and/or full log output:

5. What I already tried:

6. Links to relevant resources:

Howdy @bobbysteel, welcome back!

Just to check, have you installed your Caddy server’s CA certificate on your Windows client?

Automatic HTTPS — Caddy Documentation


I have not. So I just copy the file out of that directory and install it into Chrome then? That’s what was confusing about the directions.
Thanks!

You’ll find this wiki article very useful Use Caddy for local HTTPS (TLS) between front-end reverse proxy and LAN hosts


Still failing. I copied the root.crt and imported into Chrome but no change in behavior. I found the link confusing - acme_server is an invalid directive when I put it into my Caddyfile for lenovo {} as the server name. Also, for the root.crt, for my office, am I meant to share that with everyone? Is there a way to more easily scale this out to other users?

The acme_server directive turns Caddy into an ACME server for other ACME clients (such as other instances of Caddy) to use for getting certificates issued. If you’re just running a single instance of Caddy, you won’t need this.

There’s no unified way to automate installing root certificates on machines. If you’re using Active Directory and everyone’s on Windows machines, then you might be able to do it with some Group Policy stuff, but you’ll need to do your research on that topic.

Chrome tends to be a bit temperamental about caching TLS, so sometimes importing doesn’t fix it right away. Make sure you clear out any cache in Chrome.

Please use the caddy Docker image instead, caddy/caddy is not the official Docker library image, but is instead our CI target, so there’s a chance you get a broken build from there. Also, I strongly recommend pinning to a specific version by specifying a tag. See Docker

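The client-side step the replies above are asking about (trusting the Caddy-generated root on the Windows machine that runs Chrome), written out as an added example; this is not code from the original thread or from the Caddy project. It assumes root.crt was copied off the host from Caddy's data directory (Caddy keeps the local CA under `<data dir>/caddy/pki/authorities/local/`, and the compose file above maps `/data` to `/home/me/Caddy/data`, so the host path would be `/home/me/Caddy/data/caddy/pki/authorities/local/root.crt`), and that it is run from an elevated PowerShell so it can write to the machine-wide store.

```powershell
# Added example, not from the original thread: install the root CA that
# Caddy's "tls internal" generated into the Windows trust store. Chrome on
# Windows uses that store, so once the root is trusted the chain
# (leaf -> "Caddy Local Authority - ECC Intermediate" -> root) validates.
param(
    # Assumed location of the copied file; adjust to wherever you saved it.
    [string]$RootCertPath = "$HOME\Downloads\root.crt"
)

# Inspect the file before trusting anything.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $RootCertPath
"Subject    : $($cert.Subject)"
"Issuer     : $($cert.Issuer)"
"Thumbprint : $($cert.Thumbprint)"
"Not after  : $($cert.NotAfter)"

# A root is self-signed (subject equals issuer). Importing the intermediate
# by mistake leaves Chrome with exactly the "not enough information" error
# seen in the thread, because the chain still ends at an untrusted issuer.
if ($cert.Subject -ne $cert.Issuer) {
    throw "This is not a self-signed root; import root.crt, not the intermediate."
}

# Machine-wide Trusted Root store (every account on this PC). Use
# Cert:\CurrentUser\Root instead to trust it for the current user only.
Import-Certificate -FilePath $RootCertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Confirm by thumbprint rather than by name: every Caddy instance generates
# its own "Caddy Local Authority", so two roots can share a display name.
$inStore = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $inStore) {
    throw "Import did not land in Cert:\LocalMachine\Root."
}
"Trusted root installed: $($inStore.Subject)"

# Chrome caches TLS state; fully restart it (chrome://restart) before retesting.
```

The thumbprint printed here is also what to hand to colleagues so they can confirm they installed the same root, and a domain-joined office can push the identical .crt through Group Policy (Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities) instead of importing it by hand on each machine. Keep the private key (the matching `root.key` in the same Caddy directory) on the Caddy host; only the certificate is distributed.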

Same problem with the official image or building my own. I’ve got a DNS record working for a FQDN but cannot get https://lenovo to work whatsoever. I copied the root certificate out and loaded it into Chrome, but that made no difference.

Any other ideas?
