ERROR_REPLACEMENT when using env in Caddyfile

1. Caddy version (caddy version):

v2.5.1 h1:bAWwslD1jNeCzDa+jDCNwb8M3UJ2tPa8UZFFzPVmGKs=

2. How I run Caddy:

a. System environment:

Ubuntu 20.04 LTS on Windows WSL2
caddy is built by xcaddy with the current security module from GitHub - greenpau/caddy-security: Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA/2FA with App Authenticators and Yubico. Authorization with JWT/PASETO tokens.

b. Command:

export OKTA_DOMAIN=dev-9014393.okta.com
sudo caddy run -config Caddyfile_okta

c. Service/unit/compose file:

not used.

d. My complete Caddyfile:

{
	debug
	order authenticate before respond
	order authorize before basicauth

	security {
		oauth identity provider okta {
			realm okta
			driver okta
			domain_name {env.OKTA_DOMAIN}
			client_id <myclientid>
			client_secret <myclientsecret>
			server_id default
			scopes openid email profile groups
		}

		authentication portal myportal {
			crypto default token lifetime 3600
			crypto key sign-verify 383aca9a-1c39-4d7a-b4d8-67ba4718dd3f
			enable identity provider okta
			cookie domain myapp.local
			ui {
				links {
					"My Identity" "whoami" icon "las la-user"
				}
			}
			transform user {
				match realm okta
				action add role authp/user
				ui link "My Website" https://myapp.local icon "las la-star"
			}
		}

		authorization policy mypolicy {
			set auth url https://myapp.local/auth
			crypto key sign-verify 383aca9a-1c39-4d7a-b4d8-67ba4718dd3f
			allow roles authp/user
			validate bearer header
			inject headers with claims
		}
	}
}

myapp.local {
	tls internal

	route /auth* {
		authenticate with myportal
	}

	route {
		authorize with mypolicy
		respond "myapp is running" 200
	}
}

3. The problem I’m having:

After successfully setting up single sign-on with Okta, I am trying to replace the domain name, client ID and client secret in the Caddyfile from plain text with environment variables. On my first attempt with {env.OKTA_DOMAIN} I got ERROR_REPLACEMENT.

4. Error messages and/or full log output:

2022/05/31 13:06:12.893 INFO    using provided configuration    {"config_file": "Caddyfile_okta", "config_adapter": ""}
2022/05/31 13:06:12.895 WARN    Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies   {"adapter": "caddyfile", "file": "Caddyfile_okta", "line": 2}
2022/05/31 13:06:12.897 INFO    admin   admin endpoint started  {"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2022/05/31 13:06:12.897 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc00035d180"}
2022/05/31 13:06:12.897 INFO    http    server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS                                                                   {"server_name": "srv0", "https_port": 443}
2022/05/31 13:06:12.897 INFO    http    enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2022/05/31 13:06:12.898 INFO    security        provisioning app instance       {"app": "security"}
2022/05/31 13:06:12.938 DEBUG   security        fetchMetadataURL failed {"identity_provider_name": "okta", "error": "failed to fetch metadata for OAuth 2.0 authorization server: Get \"https://ERROR_REPLACEMENT/oauth2/default/.well-known/openid-configuration?client_id=<myclientid>\": dial tcp: lookup ERROR_REPLACEMENT on 8.8.8.8:53: no such host"}
2022/05/31 13:06:12.939 ERROR   security        failed provisioning app server instance {"app": "security", "error": "server initialization failed: failed configuring identity provider: failed to fetch metadata for OAuth 2.0 authorization server: Get \"https://ERROR_REPLACEMENT/oauth2/default/.well-known/openid-configuration?client_id=<myclientid>\": dial tcp: lookup ERROR_REPLACEMENT on 8.8.8.8:53: no such host"}
2022/05/31 13:06:12.939 INFO    tls.cache.maintenance   stopped background certificate maintenance      {"cache": "0xc00035d180"}
run: loading initial config: loading new config: loading http app module: provision http: server srv0: setting up route handlers: route 0: loading handler modules: position 0: loading module 'subroute': provision http.handlers.subroute: setting up subroutes: route 0: loading handler modules: position 0: loading module 'subroute': provision http.handlers.subroute: setting up subroutes: route 0: loading handler modules: position 0: loading module 'subroute': provision http.handlers.subroute: setting up subroutes: route 0: loading handler modules: position 0: loading module 'authenticator': provision http.handlers.authenticator: loading security app module: provision security: server initialization failed: failed configuring identity provider: failed to fetch metadata for OAuth 2.0 authorization server: Get "https://ERROR_REPLACEMENT/oauth2/default/.well-known/openid-configuration?client_id=<myclientid>": dial tcp: lookup ERROR_REPLACEMENT on 8.8.8.8:53: no such host

5. What I already tried:

I’ve read the wiki page Variables in Caddyfile but still haven't found a solution.

6. Links to relevant resources:

The example Caddyfile that I followed:

Try using {$OKTA_DOMAIN} as documented here: Caddyfile Concepts - Caddy Documentation


Correct – {env.*} style requires the given module to run the replacer on the config values at runtime, so if it wasn’t written to do that, it won’t be able to replace it.

So instead, use the Caddyfile style, which replaces env vars before parsing the config.

Thanks for your suggestions!
I’ve tried with {$OKTA_DOMAIN} but got another error:

2022/05/31 18:40:06.883 INFO    using provided configuration    {"config_file": "Caddyfile_okta", "config_adapter": ""}
run: adapting config using caddyfile: parsing caddyfile tokens for 'security': malformed "security.oauth.identity.provider[okta].domain_name" directive with []: must contain single value

I think the problem may be in the security module.


FYI @greenpau

export OKTA_DOMAIN=dev-9014393.okta.com
sudo caddy run -config Caddyfile_okta

The issue is that the OKTA_DOMAIN env variable is not being set.

Run the following and see if you see OKTA_DOMAIN in the output of the env command.

export OKTA_DOMAIN=dev-9014393.okta.com
sudo env

@greenpau you’re right. The OKTA_DOMAIN env variable is not being set. I found the solution here: How to keep environment variables when using sudo, and tried both:

1. sudo -E:

export OKTA_DOMAIN=dev-9014393.okta.com
sudo -E caddy run -config Caddyfile_okta

2. visudo:

export OKTA_DOMAIN=dev-9014393.okta.com
sudo visudo

add Defaults env_keep += "OKTA_DOMAIN"

sudo caddy run -config Caddyfile_okta

Both ways work perfectly!

Thank you all!

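Both failure modes in this thread (a {env.NAME} placeholder that the module never expands, and a {$NAME} placeholder whose variable sudo dropped) can be caught before caddy starts. The preflight check below is added here as an example and is not code from Caddy, caddy-security or anyone in the thread; it assumes grep -o, sed, printenv and mktemp are available, and the Caddyfile it scans is a constructed sample.

```shell
#!/bin/sh
# Added preflight check; not code from Caddy, caddy-security or any poster in
# the thread. The sample Caddyfile and the variable names in it are constructed.

# Constructed sample: {$VAR} placeholders for the values the thread moves out
# of the Caddyfile, plus one leftover {env.VAR} of the kind that produced
# ERROR_REPLACEMENT above.
SAMPLE_CADDYFILE="$(mktemp)"
cat > "$SAMPLE_CADDYFILE" <<'EOF'
{
    security {
        oauth identity provider okta {
            domain_name {$OKTA_DOMAIN}
            client_id {$OKTA_CLIENT_ID}
            client_secret {env.OKTA_CLIENT_SECRET}
        }
    }
}
EOF

# Names referenced as {$NAME} or {$NAME:default}: the Caddyfile adapter
# substitutes these from the process environment before parsing.
caddyfile_env_refs() {
    grep -o '{\$[A-Za-z_][A-Za-z0-9_]*[^}]*}' "$1" | sed 's/^{\$//; s/[:}].*$//' | sort -u
}

# Names referenced as {env.NAME}: these pass through parsing untouched and are
# only replaced at runtime by handlers that run the replacer themselves.
caddyfile_runtime_refs() {
    grep -o '{env\.[A-Za-z_][A-Za-z0-9_]*}' "$1" | sed 's/^{env\.//; s/}$//' | sort -u
}

# Returns 0 when every {$NAME} in the file is set and non-empty in the current
# environment (the one caddy will inherit); otherwise lists the gaps and
# returns 1. An unset name expands to an empty string and then fails parsing.
check_caddyfile_env() {
    status=0
    for name in $(caddyfile_runtime_refs "$1"); do
        echo "note: {env.$name} is not expanded by the adapter; consider {\$$name}"
    done
    for name in $(caddyfile_env_refs "$1"); do
        if [ -z "$(printenv "$name" 2>/dev/null)" ]; then
            echo "missing: $name (export it; with sudo, keep it via -E or env_keep)"
            status=1
        fi
    done
    return "$status"
}
```

Run it in the same shell that will launch caddy, e.g. `check_caddyfile_env Caddyfile_okta && sudo -E caddy run -config Caddyfile_okta`, so a missing variable stops you before the adapter sees an empty value.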