Error with trust_pool Directive for Client Certificate Validation

1. The problem I’m having:

Hello, I attempted to use the trust_pool directive to validate client certificates with my CA pem file. However, I’m encountering an error indicating that there is no directive named trust_pool.

2. Error messages and/or full log output:

Error: adapting config using caddyfile: parsing caddyfile tokens for 'tls': unknown subdirective for client_auth: trust_pool, at /etc/caddy/Caddyfile:9

3. Caddy version:

v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=

4. How I installed and ran Caddy:

a. System environment:

Distributor ID: Ubuntu
Description: Ubuntu 24.04 LTS
Release: 24.04
Codename: noble

b. Command:

caddy start
caddy reload --config /etc/caddy/Caddyfile

c. Service/unit/compose file:

d. My complete Caddy config:

} {
	tls internal {
		client_auth {
			mode require_and_verify
			trust_pool file {
				pem_file /var/www/certificates/
		insecure_secrets_log /var/log/caddy/

	handle /api/* {
		reverse_proxy http://localhost:8000 {
			header_up Connection ""
			header_up X-SSL-Client-Cert {http.request.tls.client.certificate_pem}
			header_up X-SSL-Client-Serial {http.request.tls.client.certificate.serial_number}
			header_up X-SSL-Client-Verify {http.request.tls.client.verified}
			header_up X-SSL-Client-S-DN {http.request.tls.client.subject}
			header_up X-Real-IP {http.request.remote}
			header_up X-Forwarded-Proto {http.request.scheme}
			header_up X-Forwarded-For {http.request.remote}
			header_up User-Agent {http.request.header.User-Agent}
			header_up Accept-Encoding {http.request.header.Accept-Encoding}
			flush_interval -1

			transport http {
				versions h1
				read_buffer 0
				write_buffer 0
				dial_timeout 600s
				read_timeout 600s
				write_timeout 600s

	log {
		output file /var/log/caddy/example.log
		level DEBUG

5. Links to relevant resources:

You’re using v2.7.6. The directive was added in v2.8.0. Upgrade your installation.