Curl is unable to get local issuer certificate

1. The problem I’m having:

I am trying to run Caddy HTTPS web server in the employer’s internal network.
HTTPS works perfectly in the web browser, but it does not work when I try to download some files using curl.

My IT department sent me 5 files. The first two of them I have already used: they are the certificate and the private key, and both are listed in my Caddyfile.

  • certificate.crt
  • private.key

The other 3 files I received from the IT guys are:

  • local_domain_seller.pem
  • local_cert_authority.pem
  • local_cert_authority2.pem

I discovered that I can download those PEM files using the Firefox “View Certificate” window and then clicking “Download PEM (cert)” in the “Miscellaneous” section. At least the downloaded local_domain_seller.pem file content is the same as the file provided by our IT guys.

I guess that web browsers are smarter at checking certificate chains, but how can I fix my curl issue? I think my problem is very simple, but I don’t have extensive knowledge about certificates and I don’t know much about Caddy, so I’m asking for help.

2. Error messages and/or full log output:

curl -v https://subdomain.internal.employer.com
* Trying 10.10.0.124:443...
* Connected to subdomain.internal.employer.com (10.10.0.124) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

3. Caddy version:

apt show caddy
Package: caddy
Version: 2.6.2-6ubuntu0.24.04.1

4. How I installed and ran Caddy:

I installed Caddy using apt-get on my Linux Mint Wilma (Ubuntu 24.04) host.

This is my Caddyfile

https://subdomain.internal.employer.com {
  root * /usr/share/caddy

  tls /cert/certificate.crt /cert/private.key {
    # I guess I have to put something here
  }

  # Reverse proxy to Cockpit
  rewrite /cockpit /cockpit/
  reverse_proxy /cockpit/* localhost:9090 {
    transport http {
      tls_insecure_skip_verify
    }
  }
}

The certificate file you pass to Caddy needs to be a concatenation of certificates, i.e. the “full chain”, including the leaf, intermediate and root certs, in that order.

That’s a pretty old version. Please upgrade to the latest, v2.8.4. Use our installation instructions, don’t use the caddy package included in ubuntu.

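The chain-building step described in the reply above, as an added example that is not part of the original thread or of Caddy itself. It generates a throwaway root → intermediate → leaf PKI with openssl (constructed for the demo), concatenates the leaf, intermediate and root into one PEM file the way the reply asks, and then runs the same kind of verification curl performs, once against the bare leaf and once against the full chain. The file names are placeholders; which of the IT-supplied files is the root and which is the intermediate is an assumption (the roles of local_cert_authority.pem and local_domain_seller.pem are not confirmed in the thread).

```shell
#!/bin/sh
# Added example, not code from the original post or from Caddy.
# Placeholders: root.pem ~ the internal root CA, intermediate.pem ~ the
# issuing CA ("local_domain_seller.pem" in the question, assumed),
# certificate.crt / private.key ~ the leaf cert and key given to Caddy.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed demo PKI: self-signed root CA -> intermediate CA -> server leaf.
make_demo_pki() {
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                'keyUsage=critical,keyCertSign,cRLSign' > ca.ext
  printf '%s\n' 'basicConstraints=CA:FALSE' \
                'keyUsage=critical,digitalSignature,keyEncipherment' \
                'extendedKeyUsage=serverAuth' \
                'subjectAltName=DNS:subdomain.internal.employer.com' > leaf.ext

  # Root: CSR signed with its own key; extensions come from ca.ext only.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=Demo Root CA' \
    -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 2 -sha256 \
    -extfile ca.ext -out root.pem 2>/dev/null

  # Intermediate: signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=Demo Intermediate CA' \
    -keyout intermediate.key -out intermediate.csr 2>/dev/null
  openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 2 -sha256 -extfile ca.ext -out intermediate.pem 2>/dev/null

  # Leaf: signed by the intermediate; this is the cert clients see first.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=subdomain.internal.employer.com' \
    -keyout private.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA intermediate.pem -CAkey intermediate.key -CAcreateserial \
    -days 2 -sha256 -extfile leaf.ext -out certificate.crt 2>/dev/null
}

# The file to hand to Caddy's `tls` directive: leaf first, then the
# intermediate(s), then the root, one PEM block after another.
build_fullchain() {
  cat certificate.crt intermediate.pem root.pem > fullchain.pem
}

# Number of PEM certificate blocks in a file (a bare leaf has 1).
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Does the certificate bundle in $1 verify with $2 as the only trust anchor?
# This mirrors what curl does: the certs the server sends (-untrusted) may
# bridge the gap between the leaf and a root the client already trusts, but
# they cannot themselves be trusted. With only the leaf, the issuer is
# missing and OpenSSL reports "unable to get local issuer certificate".
verify_chain() {
  openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

make_demo_pki
build_fullchain
echo "certificate.crt holds $(count_certs certificate.crt) cert(s), fullchain.pem holds $(count_certs fullchain.pem)"
if verify_chain certificate.crt root.pem; then
  echo "leaf alone: OK"
else
  echo "leaf alone: FAILS (the same failure curl reports as error 60)"
fi
if verify_chain fullchain.pem root.pem; then
  echo "full chain: OK"
else
  echo "full chain: FAILS"
fi
```

Two things to keep in mind when applying this to the real files. First, serving the full chain only helps a client build the path to the root; curl still has to trust that root, and the `CAfile: /etc/ssl/certs/ca-certificates.crt` line in the log shows curl is using the system bundle, which will not contain an internal CA unless it was installed there. So, after changing the Caddyfile to `tls /cert/fullchain.pem /cert/private.key`, test with `curl --cacert local_cert_authority.pem https://subdomain.internal.employer.com` (assuming that file is the root), or install the root system-wide so the default bundle picks it up. The browser works because it already trusts the corporate root (typically pushed by IT), not because it is smarter about chains. Second, sending the root in the chain is harmless but not required by most clients, since a root the client does not already trust gains nothing by being sent; the leaf and the intermediate(s) are the parts that matter.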
