Force usage of existing certificate for different SAN

1. Caddy version (caddy version):


2. How I run Caddy:

a. System environment:

All docker-based, base system is Debian.

b. Command:

docker run --name caddy_test -ti -v $(pwd)/Caddyfile:/etc/caddy/Caddyfile -v $(pwd)/data:/data -v $(pwd)/www:/usr/share/caddy -d caddy:2.3.0

d. My complete Caddyfile or JSON config:

} {
	root * /usr/share/caddy/ex
	tls /tmp/cert.pem /tmp/key.pem

3. The problem I’m having:

The certificate/key pair I’m supplying to the tls directive is for a different domain than (intentionally). When starting caddy like that, it will ignore the supplied cert and instead start ACME challenges for Is it possible to disable that beaviour and force the usage of my own certificate, even though the names don’t match? What I’m actually trying to do is serve my own existing TLS cert on just the local IP address (e.g. in case someone requests so that the CN or SAN of the cert can be used as indicators for clients what the valid hostname would be.

If I’m trying to use my own cert/key pair on an IP address block instead of the hostname (as in my config above), Caddy won’t do ACME stuff (since it’s an IP address), but it also won’t use my certificate (since it doesn’t contain the IP address as CN or SAN).

4. Error messages and/or full log output:

2021/03/19 14:20:43.733	INFO	admin	stopped previous server
2021/03/19 14:20:44.208	DEBUG	tls.issuance.acme.acme_client	http request	{"method": "HEAD", "url": "", "headers": {"User-Agent":["Caddy/2.3.0 CertMagic acmez (linux; amd64)"]}, "status_code": 200, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Type":["application/octet-stream"],"Date":["Fri, 19 Mar 2021 14:20:43 GMT"],"Link":["<>;rel=\"index\""],"Replay-Nonce":["V85qZNBceZqyKMkgcRekTskWY_Q6EPX9re0ctwj1ZDE"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]}}
2021/03/19 14:20:44.823	DEBUG	tls.issuance.acme.acme_client	http request	{"method": "POST", "url": "", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.3.0 CertMagic acmez (linux; amd64)"]}, "status_code": 201, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store","max-age=-1"],"Content-Length":["273"],"Content-Type":["application/json"],"Date":["Fri, 19 Mar 2021 14:20:44 GMT"],"Location":[""],"Replay-Nonce":["J1H4_BUcT-bp2t6U7hMW8m2ihrqmQS1uXG8FBzTjKkM"],"Server":["nginx"],"Status":[""],"Strict-Transport-Security":["max-age=15552000"]}}
2021/03/19 14:20:45.437	DEBUG	tls.issuance.acme.acme_client	http request	{"method": "POST", "url": "", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.3.0 CertMagic acmez (linux; amd64)"]}, "status_code": 200, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["441"],"Content-Type":["application/json"],"Date":["Fri, 19 Mar 2021 14:20:45 GMT"],"Link":["<>;rel=\"index\""],"Replay-Nonce":["kGXFRnuGCGgC5s-0ljaz_uCAdsUr5ekFIJ6Iyb0SJY8"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]}}
2021/03/19 14:20:45.437	DEBUG	tls.issuance.acme.acme_client	no solver configured	{"challenge_type": "dns-01"}
2021/03/19 14:20:45.437	INFO	tls.issuance.acme.acme_client	trying to solve challenge	{"identifier": "", "challenge_type": "http-01", "ca": ""}

5. What I already tried:

Played around with various configs, resulting in my observations as written under 3.

Hi Pascal, welcome.

No; this certificate will not be valid with the clients.

To do this, just add the IP address to the SANs.

1 Like

This topic was automatically closed after 30 days. New replies are no longer allowed.