1. The problem I’m having:
I’m trying to disable the automatic generation of Caddy PKI’s local ca root/intermediate keys, as created by default in the storage directory:
pki/authorities/local/root.crt
pki/authorities/local/intermediate.key
pki/authorities/local/root.key
pki/authorities/local/intermediate.crt
Rationale: reading up on Caddy 2.9.0’s newly added storage_clean_interval off and storage_check off global switches, I started to wonder if I now would be able to run Caddy without letting it have a place to store data. The answer turns out to be a definite no for the immediate future, since I do happen to use OCSP stapling. But with OCSP on the road to extinction, I still would like to know how to disable the seemingly only other remaining use for the XDG_DATA_HOME/XDG_CONFIG_HOME directories in my setup.
Given that I have more complex automated PKI management needs, I don’t use any of Caddy’s wonderful magical auto-HTTPS features (a shame, I know), and treat it like any other dumb TLS-capable software: I supply it the keys and certificates. Hence I have no need for any features of the PKI module, either the local CA or ACME. Yet I cannot seem to find a way to stop it from wanting to generate its local CA keys/certs. No matter how much I disable, even outright only serving plain HTTP as an experiment, the local CA files keep getting created as soon as I start Caddy.
I’m aware of the PKI options to set your own paths for the local CA files:
{
	pki {
		ca local {
			root {
				cert /path/to/root.pem
				key /path/to/root.key
			}
			intermediate {
				cert /path/to/intermediate.pem
				key /path/to/intermediate.key
			}
		}
	}
}
But this still seems to force me to have those dummy files around somewhere, and be actual valid keys/CA certs. Setting them to /dev/null resulted in Caddy failing. And I’m also aware of possible other storage backend alternatives like redirecting to database storage. I’m not that desperate to get rid of these files.
I really would rather simply just turn the PKI module or its local CA entirely off. Why is it even enabled when auto_https off is set?
2. Error messages and/or full log output:
2025/01/02 16:37:33.583 INFO using adjacent Caddyfile
2025/01/02 16:37:33.584 INFO adapted config to JSON {"adapter": "caddyfile"}
2025/01/02 16:37:33.584 WARN admin admin endpoint disabled
2025/01/02 16:37:33.584 INFO http.auto_https automatic HTTPS is completely disabled for server {"server_name": "srv0"}
2025/01/02 16:37:33.584 DEBUG http.auto_https adjusted config {"tls": {"automation":{"policies":[{}]},"disable_storage_check":true,"disable_storage_clean":true}, "http": {"servers":{"srv0":{"listen":[":8888"],"automatic_https":{"disable":true}}}}}
2025/01/02 16:37:33.584 INFO tls.cache.maintenance started background certificate maintenance {"cache": "0xc0005ef480"}
2025/01/02 16:37:33.668 WARN http HTTP/3 skipped because it requires TLS {"network": "tcp", "addr": ":8888"}
2025/01/02 16:37:33.669 DEBUG http starting server loop {"address": "[::]:8888", "tls": false, "http3": false}
2025/01/02 16:37:33.669 WARN http HTTP/2 skipped because it requires TLS {"network": "tcp", "addr": ":8888"}
2025/01/02 16:37:33.669 INFO http.log server running {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2025/01/02 16:37:33.669 INFO pki.ca.local root certificate trust store installation disabled; unconfigured clients may show warnings {"path": "storage:pki/authorities/local/root.crt"}
2025/01/02 16:37:33.669 INFO serving initial configuration
3. Caddy version:
v2.9.0 h1:rteY8N18LsQn+2KVk6R10Vg/AlNsID1N/Ek9JLjm2yE=
4. How I installed and ran Caddy:
Downloaded from GitHub releases, extracted, removed from quarantine, and put in /usr/local/bin which is in my PATH.
a. System environment:
Experimenting currently on macOS 15.2, to eventually set it on Fedora Linux 41 as well.
b. Command:
caddy run
(in the directory I put the Caddyfile listed in d.)
c. Service/unit/compose file:
d. My complete Caddy config:
{
	debug
	# all the rest I actually want to be off, and matches my full setup
	admin off
	auto_https off
	persist_config off
	skip_install_trust
	storage_check off
	storage_clean_interval off
}
http://:8888 {
}
5. Links to relevant resources:
caddytls: Allow disabling storage cleaning, avoids writing two files
Let’s Encrypt Ending OCSP Support in 2025 (my sole remaining real need for Caddy to store data)
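An added check, not part of the original post and not code from the Caddy project: a small POSIX shell script that runs a Caddyfile under a throwaway XDG_DATA_HOME/XDG_CONFIG_HOME and then reports whether any of the four local CA files listed in the post were written. It assumes that Caddy honours XDG_DATA_HOME and places its data under the caddy subdirectory of it, that the files land at the pki/authorities/local/ paths given above, and that the function and variable names below (local_ca_artifacts, run_and_check, sandbox) are illustrative. The artifact check works on any directory, so it can be pointed at an existing data directory without running Caddy at all.

```shell
#!/bin/sh
# Added example (not from the original post or the Caddy project): check a
# Caddy data directory for the local CA material the post is trying to avoid.
# Assumption: Caddy stores its data under "$XDG_DATA_HOME/caddy" when that
# variable is set, and the local CA lives at pki/authorities/local/ inside it.

# Print each local CA artifact found under the data dir $1.
# Returns 1 if any of the four files exist, 0 if none do.
local_ca_artifacts() {
  data_dir="$1"
  found=0
  for f in root.crt root.key intermediate.crt intermediate.key; do
    p="$data_dir/pki/authorities/local/$f"
    if [ -e "$p" ]; then
      echo "present: $p"
      found=1
    fi
  done
  return "$found"
}

# Run the Caddyfile $1 in a sandboxed data/config home, stop Caddy after a
# short grace period, then report what it wrote. If caddy is not on PATH the
# run is skipped and only the (empty) sandbox is inspected.
run_and_check() {
  caddyfile="$1"
  sandbox="$(mktemp -d)"
  if command -v caddy >/dev/null 2>&1; then
    XDG_DATA_HOME="$sandbox/data" XDG_CONFIG_HOME="$sandbox/config" \
      caddy run --config "$caddyfile" --adapter caddyfile &
    pid=$!
    sleep 3
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
  else
    echo "caddy not found on PATH; skipping run, inspecting $sandbox only"
  fi
  if local_ca_artifacts "$sandbox/data/caddy"; then
    echo "no local CA files under $sandbox/data/caddy"
  fi
}

# Usage: run_and_check ./Caddyfile
```

Point run_and_check at the Caddyfile from section d.; the "present:" lines it prints are the files that still get created despite auto_https off and skip_install_trust, and the same local_ca_artifacts call can be run against the real data directory after any config change to confirm whether the change had an effect.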