1. Caddy version (caddy version): 2.3.0
2. How I run Caddy:
a. System environment:
All docker-based, base system is Debian.
b. Command:
docker run --name caddy_test -ti -v $(pwd)/Caddyfile:/etc/caddy/Caddyfile -v $(pwd)/data:/data -v $(pwd)/www:/usr/share/caddy -d caddy:2.3.0
d. My complete Caddyfile or JSON config:
{
debug
}
example.com {
file_server
root * /usr/share/caddy/ex
tls /tmp/cert.pem /tmp/key.pem
}
3. The problem I’m having:
The certificate/key pair I’m supplying to the tls directive is for a different domain than example.com (intentionally). When starting caddy like that, it will ignore the supplied cert and instead start ACME challenges for example.com. Is it possible to disable that behaviour and force the usage of my own certificate, even though the names don’t match? What I’m actually trying to do is serve my own existing TLS cert on just the local IP address (e.g. in case someone requests https://1.2.3.4) so that the CN or SAN of the cert can be used as indicators for clients of what the valid hostname would be.
If I’m trying to use my own cert/key pair on an IP address block instead of the hostname (as in my config above), Caddy won’t do ACME stuff (since it’s an IP address), but it also won’t use my certificate (since it doesn’t contain the IP address as CN or SAN).
4. Error messages and/or full log output:
2021/03/19 14:20:43.733 INFO admin stopped previous server
2021/03/19 14:20:44.208 DEBUG tls.issuance.acme.acme_client http request {"method": "HEAD", "url": "https://acme.zerossl.com/v2/DV90/newNonce", "headers": {"User-Agent":["Caddy/2.3.0 CertMagic acmez (linux; amd64)"]}, "status_code": 200, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Type":["application/octet-stream"],"Date":["Fri, 19 Mar 2021 14:20:43 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["V85qZNBceZqyKMkgcRekTskWY_Q6EPX9re0ctwj1ZDE"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]}}
2021/03/19 14:20:44.823 DEBUG tls.issuance.acme.acme_client http request {"method": "POST", "url": "https://acme.zerossl.com/v2/DV90/newOrder", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.3.0 CertMagic acmez (linux; amd64)"]}, "status_code": 201, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store","max-age=-1"],"Content-Length":["273"],"Content-Type":["application/json"],"Date":["Fri, 19 Mar 2021 14:20:44 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/d1XEj1oKn518ovy_PGo9jA"],"Replay-Nonce":["J1H4_BUcT-bp2t6U7hMW8m2ihrqmQS1uXG8FBzTjKkM"],"Server":["nginx"],"Status":[""],"Strict-Transport-Security":["max-age=15552000"]}}
2021/03/19 14:20:45.437 DEBUG tls.issuance.acme.acme_client http request {"method": "POST", "url": "https://acme.zerossl.com/v2/DV90/authz/jlLAk6qepueBAGZsz_AYlA", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.3.0 CertMagic acmez (linux; amd64)"]}, "status_code": 200, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=-1"],"Content-Length":["441"],"Content-Type":["application/json"],"Date":["Fri, 19 Mar 2021 14:20:45 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["kGXFRnuGCGgC5s-0ljaz_uCAdsUr5ekFIJ6Iyb0SJY8"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15552000"]}}
2021/03/19 14:20:45.437 DEBUG tls.issuance.acme.acme_client no solver configured {"challenge_type": "dns-01"}
2021/03/19 14:20:45.437 INFO tls.issuance.acme.acme_client trying to solve challenge {"identifier": "example.com", "challenge_type": "http-01", "ca": "https://acme.zerossl.com/v2/DV90"}
...
5. What I already tried:
Played around with various configs, resulting in my observations as written under 3.
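One way to get the behaviour asked for above, as an added example that is not part of the original post and not the Caddy project's own code: in Caddy's native JSON config (rather than the Caddyfile) a certificate loaded with load_files can carry a tag, and a tls_connection_policies entry can pick it with a certificate_selection policy (any_tag) instead of by matching the requested SNI against the certificate's SANs. The paths /tmp/cert.pem, /tmp/key.pem and /usr/share/caddy/ex are taken from the Caddyfile in the post; the server name srv0 and the tag own are arbitrary. Because no host matcher is configured, the route answers any request that reaches :443, including requests made by IP address, and automatic_https.disable stops the ACME attempts for example.com seen in the log. That Caddy 2.3 falls back to the tag-based selection policy when no loaded certificate matches the requested name is my understanding of its CertMagic behaviour and is an assumption to verify (JSON has no comments, so it is stated here only).

```json
{
  "apps": {
    "http": {
      "servers": {
        "srv0": {
          "listen": [":443"],
          "automatic_https": {
            "disable": true
          },
          "routes": [
            {
              "handle": [
                {
                  "handler": "file_server",
                  "root": "/usr/share/caddy/ex"
                }
              ]
            }
          ],
          "tls_connection_policies": [
            {
              "certificate_selection": {
                "any_tag": ["own"]
              }
            }
          ]
        }
      }
    },
    "tls": {
      "certificates": {
        "load_files": [
          {
            "certificate": "/tmp/cert.pem",
            "key": "/tmp/key.pem",
            "tags": ["own"]
          }
        ]
      }
    }
  }
}
```

Mount the file into the container instead of the Caddyfile and override the image's default command, e.g. caddy run --config /etc/caddy/caddy.json, then check what is actually served with openssl s_client -connect 1.2.3.4:443 -showcerts. Browsers will still report a name mismatch for the IP address, which is the intended effect here: the mismatch warning exposes the certificate's CN/SAN to the client.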