Hi @matt , I’m running Caddy 2.0.0-beta.17 in an ubuntu18.04- docker image (Buildkite CI agent). I ran into the same issue even after installing the libnss library:
(show that libnss and certutil are installed)
root@buildkite-agent-75bbc68d9c-8nzhv:/# apt-get install libnss3-tools
Reading package lists... Done
Building dependency tree
Reading state information... Done
libnss3-tools is already the newest version (2:3.35-2ubuntu2.7).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
...
...
root@buildkite-agent-75bbc68d9c-8nzhv:/# certutil
certutil - Utility to manipulate NSS certificate databases
Usage: certutil <command> -d <database-directory> <options>
Valid commands:
-A Add a certificate to the database (create if needed)
-B Run a series of certutil commands from a batch file
-E Add an Email certificate to the database (create if needed)
-C Create a new binary certificate from a BINARY cert request
-G Generate a new key pair
-D Delete a certificate from the database
--rename Change the database nickname of a certificate
-F Delete a key from the database
-U List all modules
-K List all private keys
-L List all certs, or print out a single named cert (or a subset)
--build-flags Print enabled build flags relevant for NSS test execution
-M Modify trust attributes of certificate
-N Create a new certificate database
-T Reset the Key database or token
-O Print the chain of a certificate
-R Generate a certificate request (stdout)
-V Validate a certificate
-W Change the key database password
--upgrade-merge Upgrade an old database and merge it into a new one
--merge Merge source database into the target database
-S Make a certificate and add to database
(error still happens when running caddy)
root@buildkite-agent-75bbc68d9c-d5twx:/# caddy version
v2.0.0-beta.17 h1:x+Ur3uX83j+STerOWsrLDlknXe7z71VnO5xD+H2OwAw=
...
root@buildkite-agent-75bbc68d9c-8nzhv:/# caddy reverse-proxy --to localhost:7080
2020/03/16 21:18:31.345 WARN admin admin endpoint disabled
2020/03/16 21:18:31.345 INFO http server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "proxy", "https_port": 443}
2020/03/16 21:18:31.345 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "proxy"}
2020/03/16 21:18:31 [INFO][cache:0xc0007d66e0] Started certificate maintenance routine
2020/03/16 21:18:31.356 INFO http enabling automatic TLS certificate management {"domains": ["localhost"]}
2020/03/16 21:18:31.357 INFO tls cleaned up storage units
2020/03/16 21:18:31 [INFO][localhost] Obtain certificate; acquiring lock...
2020/03/16 21:18:31 [INFO][localhost] Obtain: Lock acquired; proceeding...
2020/03/16 21:18:31 [INFO][localhost] Certificate obtained successfully
2020/03/16 21:18:31 [INFO][localhost] Obtain: Releasing lock
2020/03/16 21:18:31 [WARNING] Stapling OCSP: no OCSP stapling for [localhost]: no OCSP server specified in certificate
2020/03/16 21:18:31.393 WARN pki.ca.local trusting root certificate (you might be prompted for password) {"path": "storage:pki/authorities/local/root.crt"}
reverse-proxy: loading new config: pki app module: start: adding root certificate to trust store: not NSS security databases found
Is there another library that I need to install? Or do I need to wait for the team to cut a new release?