curl doesn't work with Caddy's LetsEncrypt certificates

1. The problem I’m having:

I’m trying to use the Linux tool curl to access the site hosted by Caddy using LetsEncrypt certificates. The site works in a browser but not via curl.

2. Error messages and/or full log output:

% curl -v https://app.sportch.localhost
*   Trying 127.0.0.1:443...
* Connected to app.sportch.localhost (127.0.0.1) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

3. Caddy version:

latest

4. How I installed and ran Caddy:

docker-compose up

a. System environment:

Docker

b. Command:

docker-compose up

c. Service/unit/compose file:

version: "0.0.2"
networks:
  web-network:
services:
  caddy:
    image: caddy:latest
    restart: always
    volumes:
      - ./caddy/data:/data
      - ./caddy/config:/config
      - ./caddy/Caddyfile:/etc/caddy/Caddyfile
      - ./caddy/logs:/logs
      - ./app:/var/www/html
    ports:
      - "80:80"
      - "443:443"
    networks:
      - web-network
    # this bit allows caddy on docker to see the listener on the external (to docker) port 8080 (which listens locally on my laptop)
    extra_hosts:
      host.docker.internal: host-gateway
  php:
    build: ./php
    tty: true
    restart: always
    volumes:
      - ./app:/var/www/html
    networks:
      - web-network
    extra_hosts:
      host.docker.internal: host-gateway

  mysql:
    image: mysql/mysql-server:latest-aarch64
    ports:
      - "23306:3306"
    environment:
      MYSQL_ROOT_HOST: "%"
      MYSQL_ROOT_USER: root
      MYSQL_ROOT_PASSWORD: root
      MYSQL_DATABASE: aasportch10700
      MYSQL_USER: my_user
      MYSQL_PASSWORD: my_password
    command: mysqld --sql_mode="NO_ENGINE_SUBSTITUTION"
    volumes:
      - $PWD/db/data:/var/lib/mysql
      - $PWD/db/config:/etc/mysql/conf.d
    networks:
      - web-network
    extra_hosts:
      host.docker.internal: host-gateway

  phpmyadmin:
    image: phpmyadmin
    tty: true
    working_dir: $PWD/phpmyadmin
    ports:
      - "8888:80"
    networks:
      - web-network
    environment:
      PMA_HOST: "mysql"
      PMA_PORT: "3306"
      PMA_USER: "root"
      PMA_PASSWORD: "root"

d. My complete Caddy config:

{
    debug
}
app.sportch.localhost {
    root * /var/www/html/SportchLegacyApp
    encode gzip
    php_fastcgi php:9000 
    header / {
        Content-Type text/html
    }
    file_server
}

5. Links to relevant resources:

The domain name is not a public domain, so the certificate on it is not issued by Let’s Encrypt but rather by Caddy’s internal CA.

Public certificate authorities, e.g. Let’s Encrypt, do not issue certificates for non-public domain names which they cannot verify. If you want curl to recognize the certificate, you’ll need to extract the root certificate from Caddy’s data directory and install it into your system’s trust.
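The steps in that reply, written out as an added shell example (not code from the Caddy project or from anyone in this thread). It assumes the compose file above, where the host directory ./caddy/data is mounted at /data in the container, so Caddy's internal CA root ends up at ./caddy/data/caddy/pki/authorities/local/root.crt on the host; the hostname app.sportch.localhost comes from the Caddyfile above. It shows the two ways to make curl accept that CA: passing it to a single curl call with --cacert, or installing it into the operating system's trust store.

```shell
#!/bin/sh
# Added example, not part of the original post or of Caddy itself.
# Assumption: ./caddy/data on the host is the container's /data (see the
# compose file above), so Caddy's local CA root is at
#   ./caddy/data/caddy/pki/authorities/local/root.crt

# Print the path of Caddy's internal CA root under a data directory.
# Returns 1 if it is not there yet (Caddy writes it the first time it
# serves a site with an internal certificate).
caddy_local_root() {
    data_dir="${1:-./caddy/data}"
    root="$data_dir/caddy/pki/authorities/local/root.crt"
    [ -f "$root" ] || {
        echo "no root.crt under $data_dir (has the caddy container started?)" >&2
        return 1
    }
    printf '%s\n' "$root"
}

# Check the file really is a PEM certificate before trusting it anywhere.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
        grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Option 1: trust the CA for one curl call only; nothing on the system changes.
# $1 = URL, $2 = Caddy data directory (optional)
curl_with_caddy_ca() {
    root="$(caddy_local_root "$2")" || return 1
    is_pem_cert "$root" || { echo "$root is not a PEM certificate" >&2; return 1; }
    curl --cacert "$root" -sS "$1"
}

# Option 2: install the CA into the system trust store (needs sudo).
# Everything that uses the system store will then trust certificates this
# CA signs, so only do this on the development machine that runs Caddy.
# $1 = Caddy data directory (optional)
install_caddy_ca_system_wide() {
    root="$(caddy_local_root "$1")" || return 1
    is_pem_cert "$root" || return 1
    case "$(uname -s)" in
        Linux)
            if [ -d /usr/local/share/ca-certificates ]; then      # Debian/Ubuntu
                sudo cp "$root" /usr/local/share/ca-certificates/caddy-local-root.crt
                sudo update-ca-certificates
            elif [ -d /etc/pki/ca-trust/source/anchors ]; then   # Fedora/RHEL
                sudo cp "$root" /etc/pki/ca-trust/source/anchors/caddy-local-root.crt
                sudo update-ca-trust
            else
                echo "unknown trust store layout; use curl --cacert instead" >&2
                return 1
            fi ;;
        Darwin)
            sudo security add-trusted-cert -d -r trustRoot \
                -k /Library/Keychains/System.keychain "$root" ;;
        *)
            echo "unsupported OS; use curl --cacert instead" >&2
            return 1 ;;
    esac
}

# Usage, from the directory that holds docker-compose.yml:
#   curl_with_caddy_ca https://app.sportch.localhost
#   install_caddy_ca_system_wide && curl https://app.sportch.localhost
```

The --cacert route is the one to prefer on a shared or CI machine, since it leaves the system store untouched; the system-wide install is convenient on a laptop but means any certificate Caddy's local CA issues is trusted by every client on that machine, so keep the ./caddy/data directory (which also holds the CA's private key) out of version control and out of reach of other users.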


Did you try to install the local Caddy root CA into this server or desktop?
