Failed to install root certificate

1. Caddy version (caddy version): v2.4.5

2. How I run Caddy:

a. System environment:

Windows 10: OS Build 19042.1237

b. Command:

caddy2 run --watch

c. My complete Caddyfile or JSON config:

CaddyFile
localhost:8080 { 
    handle /api/v1/ { 
        reverse_proxy localhost:3000
    }
    handle /api/v2/ { 
        reverse_proxy localhost:3001
    }
}
autosave.json
{
   "apps":{
      "http":{
         "servers":{
            "srv0":{
               "listen":[
                  ":8080"
               ],
               "routes":[
                  {
                     "handle":[
                        {
                           "handler":"subroute",
                           "routes":[
                              {
                                 "group":"group2",
                                 "handle":[
                                    {
                                       "handler":"subroute",
                                       "routes":[
                                          {
                                             "handle":[
                                                {
                                                   "handler":"reverse_proxy",
                                                   "upstreams":[
                                                      {
                                                         "dial":"localhost:3000"
                                                      }
                                                   ]
                                                }
                                             ]
                                          }
                                       ]
                                    }
                                 ],
                                 "match":[
                                    {
                                       "path":[
                                          "/api/v1/"
                                       ]
                                    }
                                 ]
                              },
                              {
                                 "group":"group2",
                                 "handle":[
                                    {
                                       "handler":"subroute",
                                       "routes":[
                                          {
                                             "handle":[
                                                {
                                                   "handler":"reverse_proxy",
                                                   "upstreams":[
                                                      {
                                                         "dial":"localhost:3001"
                                                      }
                                                   ]
                                                }
                                             ]
                                          }
                                       ]
                                    }
                                 ],
                                 "match":[
                                    {
                                       "path":[
                                          "/api/v2/"
                                       ]
                                    }
                                 ]
                              }
                           ]
                        }
                     ],
                     "match":[
                        {
                           "host":[
                              "localhost"
                           ]
                        }
                     ],
                     "terminal":true
                  }
               ]
            }
         }
      }
   }
}

3. The problem I’m having:

I'm trying to set up a web server using Caddy that acts as a proxy for two endpoints that I'm running using Express. However, I'm having difficulties installing the root certificate.

4. Error messages and/or full log output:

2021/10/05 12:18:48.149 INFO    using adjacent Caddyfile
2021/10/05 12:18:48.150 WARN    input is not formatted with 'caddy fmt' {"adapter": "caddyfile", "file": "Caddyfile", "line": 1}
2021/10/05 12:18:48.155 INFO    admin   admin endpoint started  {"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["localhost:2019", "[::1]:2019", "127.0.0.1:2019"]}
2021/10/05 12:18:48.155 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc000392930"}
2021/10/05 12:18:48.155 INFO    http    enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2021/10/05 12:18:48.157 INFO    tls     cleaning storage unit   {"description": "FileStorage:C:\\Users\\User\\AppData\\Roaming\\Caddy"}
2021/10/05 12:18:48.158 INFO    tls     finished cleaning storage units
2021/10/05 12:18:48.171 WARN    pki.ca.local    installing root certificate (you might be prompted for password)       {"path": "storage:pki/authorities/local/root.crt"}
2021/10/05 20:18:48 Note: NSS support is not available on your platform
2021/10/05 12:18:48.621 ERROR   pki.ca.local    failed to install root certificate      {"error": "add cert failed: Failed adding cert: Access is denied.", "certificate_file": "storage:pki/authorities/local/root.crt"}
2021/10/05 12:18:48.622 INFO    http    enabling automatic TLS certificate management   {"domains": ["localhost"]}
2021/10/05 12:18:48.623 WARN    tls     stapling OCSP   {"error": "no OCSP stapling for [localhost]: no OCSP server specified in certificate"}
2021/10/05 12:18:48.623 INFO    autosaved config (load with --resume flag)      {"file": "C:\\Users\\User\\AppData\\Roaming\\Caddy\\autosave.json"}
2021/10/05 12:18:48.624 INFO    serving initial configuration
2021/10/05 12:18:48.624 INFO    watcher watching config file for changes        {"config_file": "Caddyfile"}

5. What I already tried:

caddy2 trust

Logs when running the above command:
2021/10/05 12:20:09.091 WARN    ca.local        installing root certificate (you might be prompted for password)        {"path": "storage:pki/authorities/local/root.crt"}
2021/10/05 20:20:09 Note: NSS support is not available on your platform
trust: add cert failed: Failed adding cert: Access is denied.

6. Links to relevant resources:

Caddy needs administrator access to install certificates. You’ll need to run it with elevated privileges to install the certs.

But it’s complicated, because you need to make sure that the right storage location is used when installing the CA certs – when running as a privileged user, the caddy trust command might try to use the wrong storage location.

We have some improvements planned to make this smoother:

For now, you’ll probably be better off installing the root cert manually (find guides on Google for instructions on adding certificates to your system and/or browser trust stores). You can find the root cert in Caddy’s storage, under pki/authorities/local/root.crt.


Ahh, I see. Alright, I'll try installing the cert manually for now.

I installed the certificate by doing it manually. Navigate to your Caddy folder, whose path looks like this: C:\Users\User\AppData\Roaming\Caddy\pki\authorities\local, then double-click the root certificate and install it on your local machine, targeting the Trusted Root Certificate store. Re-run Caddy with your Caddyfile and the error shouldn't persist anymore.

Logs after the root certificate is trusted by your machine:

2021/10/05 18:11:18.801 INFO    pki.ca.local    root certificate is already trusted by system   {"path": "storage:pki/authorities/local/root.crt"}
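The manual install described in the two posts above (the maintainer's "install the root cert manually" advice and the double-click walkthrough), as an added PowerShell example that is not part of this thread or of Caddy itself. It assumes an elevated PowerShell session and that Caddy's storage lives under the logged-in user's AppData path shown in the log; it inspects root.crt before trusting it and verifies the import afterwards.

```powershell
# Added example (not from the thread): trust Caddy's local root CA machine-wide
# on Windows, checking what is being trusted and confirming the result.
# Assumption: run from an elevated PowerShell; Caddy ran as the current user,
# so its storage is under this user's AppData (the path from the thread's log).
$CaddyStorage = Join-Path $env:APPDATA "Caddy"
$RootCrt = Join-Path $CaddyStorage "pki\authorities\local\root.crt"

if (-not (Test-Path $RootCrt)) {
    throw "root.crt not found at $RootCrt; start Caddy once so it creates its local CA"
}

# Look before you trust: print the identity of the certificate and refuse
# anything that is not self-signed, since only a self-signed cert belongs in Root.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCrt
Write-Host "Subject   : $($cert.Subject)"
Write-Host "Issuer    : $($cert.Issuer)"
Write-Host "Thumbprint: $($cert.Thumbprint)"
Write-Host "Expires   : $($cert.NotAfter)"
if ($cert.Subject -ne $cert.Issuer) {
    throw "Certificate is not self-signed; refusing to add it as a trusted root"
}

# Idempotent: skip the import if this exact certificate is already in the store.
$existing = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if ($existing) {
    Write-Host "Already trusted in LocalMachine\Root"
} else {
    # This is the step that needs administrator rights; without them it fails
    # with the same 'Access is denied' that 'caddy trust' reported in the log.
    Import-Certificate -FilePath $RootCrt -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Write-Host "Imported into LocalMachine\Root"
}

# Verify: a chain built for the root itself should now validate against the store.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$ok = $chain.Build($cert)
Write-Host "Chain builds against system trust store: $ok"
if (-not $ok) {
    $chain.ChainStatus | ForEach-Object { Write-Host "  $($_.Status): $($_.StatusInformation)" }
}
```

The "NSS support is not available" note in the log means Firefox's own NSS trust store is untouched by this; Firefox only honours the Windows store when its enterprise-roots setting is enabled, so browsers other than Firefox pick up the trust immediately while Firefox may need that setting or a separate import.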
