I set the get_certificate section in the Caddyfile; Caddy verified all parameters and went directly to the HTTP-01 challenge.
Here's my procedure to reproduce the issue:
1. Pull the latest version of the Caddy image, create a file server, and serve /etc/caddy as its root:
```
docker pull caddy
docker run --rm --hostname cert.mysite -p 80:80 -p 443:443 -it --name certmgr caddy caddy file-server --root /etc/caddy --debug
```
```
root@demo:/test# docker run --rm --hostname cert.mysite -p 80:80 -p 443:443 -it --name certmgr caddy caddy file-server --root /etc/caddy --debug
2023/03/03 09:50:13.498 WARN admin admin endpoint disabled
2023/03/03 09:50:13.499 INFO tls.cache.maintenance started background certificate maintenance {"cache": "0xc0003fae00"}
2023/03/03 09:50:13.499 WARN http server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server {"server_name": "static", "http_port": 80}
2023/03/03 09:50:13.499 INFO tls cleaning storage unit {"description": "FileStorage:/data/caddy"}
2023/03/03 09:50:13.499 INFO tls finished cleaning storage units
2023/03/03 09:50:13.499 DEBUG http starting server loop {"address": "[::]:80", "tls": false, "http3": false}
2023/03/03 09:50:13.499 INFO http.log server running {"name": "static", "protocols": ["h1", "h2", "h3"]}
2023/03/03 09:50:13.499 INFO Caddy serving static files on :80
```
2. Open another terminal and copy the hosts file from cert.mysite:
```
mkdir -p /test && cd /test
docker cp certmgr:/etc/hosts /test/hosts
```
3. Check whether http://cert.mysite/Caddyfile is available from another container:
```
root@demo:/test# docker run --rm -it -v /test/hosts:/etc/hosts -v /test/Caddyfile:/etc/caddy/Caddyfile caddy wget -o /dev/null -O - cert.mysite/Caddyfile
# The Caddyfile is an easy way to configure your Caddy web server.
#
# Unless the file starts with a global options block, the first
# uncommented line is always the address of your site.
#
# To use your own domain name (with automatic HTTPS), first make
# sure your domain's A/AAAA DNS records are properly pointed to
# this machine's public IP, then replace ":80" below with your
# domain name.
:80 {
# Set this path to your site's directory.
root * /usr/share/caddy
# Enable the static file server.
file_server
# Another common task is to set up a reverse proxy:
# reverse_proxy localhost:8080
# Or serve a PHP site through php-fpm:
# php_fastcgi localhost:9000
}
# Refer to the Caddy docs for more information:
# https://caddyserver.com/docs/caddyfile
```
One log record is printed by cert.mysite:
```
2023/03/03 09:50:19.583 DEBUG http.handlers.file_server sanitized path join {"site_root": "/etc/caddy", "request_path": "/Caddyfile", "result": "/etc/caddy/Caddyfile"}
2023/03/03 09:50:19.583 DEBUG http.handlers.file_server opening file {"filename": "/etc/caddy/Caddyfile"}
```
4. Create /test/Caddyfile with:
```
{
	debug
}

https://web.mysite {
	tls {
		get_certificate http http://cert.mysite/cert
	}
	file_server
	root * /usr/share/caddy
}
```
5. Start another container for the HTTP cert getter:
```
root@demo:/test# docker run --rm -it -v /test/hosts:/etc/hosts -v /test/Caddyfile:/etc/caddy/Caddyfile caddy
2023/03/03 09:54:56.848 INFO using provided configuration {"config_file": "/etc/caddy/Caddyfile", "config_adapter": "caddyfile"}
2023/03/03 09:54:56.849 INFO admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["//[::1]:2019", "//127.0.0.1:2019", "//localhost:2019"]}
2023/03/03 09:54:56.850 INFO http server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2023/03/03 09:54:56.850 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
2023/03/03 09:54:56.850 INFO tls.cache.maintenance started background certificate maintenance {"cache": "0xc000119260"}
2023/03/03 09:54:56.850 INFO tls cleaning storage unit {"description": "FileStorage:/data/caddy"}
2023/03/03 09:54:56.851 INFO tls finished cleaning storage units
2023/03/03 09:54:56.851 INFO http enabling HTTP/3 listener {"addr": ":443"}
2023/03/03 09:54:56.851 INFO failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Receive-Buffer-Size for details.
2023/03/03 09:54:56.851 DEBUG http starting server loop {"address": "[::]:443", "tls": true, "http3": true}
2023/03/03 09:54:56.851 INFO http.log server running {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2023/03/03 09:54:56.851 DEBUG http starting server loop {"address": "[::]:80", "tls": false, "http3": false}
2023/03/03 09:54:56.851 INFO http.log server running {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2023/03/03 09:54:56.851 INFO http enabling automatic TLS certificate management {"domains": ["web.mysite"]}
2023/03/03 09:54:56.851 INFO autosaved config (load with --resume flag) {"file": "/config/caddy/autosave.json"}
2023/03/03 09:54:56.851 INFO serving initial configuration
2023/03/03 09:54:56.852 INFO tls.obtain acquiring lock {"identifier": "web.mysite"}
2023/03/03 09:54:56.852 INFO tls.obtain lock acquired {"identifier": "web.mysite"}
2023/03/03 09:54:56.852 INFO tls.obtain obtaining certificate {"identifier": "web.mysite"}
2023/03/03 09:54:56.853 DEBUG events event {"name": "cert_obtaining", "id": "5ee698ea-a7b0-42d4-8fd2-2d148a1bcf91", "origin": "tls", "data": {"identifier":"web.mysite"}}
2023/03/03 09:54:56.853 DEBUG tls.obtain trying issuer 1/2 {"issuer": "acme-v02.api.letsencrypt.org-directory"}
2023/03/03 09:54:57.428 DEBUG tls.acme_client http request {"method": "GET", "url": "https://acme-v02.api.letsencrypt.org/directory", "headers": {"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["756"],"Content-Type":["application/json"],"Date":["Fri, 03 Mar 2023 09:54:57 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2023/03/03 09:54:57.607 DEBUG tls.acme_client http request {"method": "HEAD", "url": "https://acme-v02.api.letsencrypt.org/acme/new-nonce", "headers": {"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Date":["Fri, 03 Mar 2023 09:54:57 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["F977mkR7mwCLcOasyyIoTtnnqzTE5wOhhDe4xtpAylAi_Pc"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2023/03/03 09:54:57.797 DEBUG tls.acme_client http request {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/new-acct", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["991443716"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["267"],"Content-Type":["application/json"],"Date":["Fri, 03 Mar 2023 09:54:57 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf>;rel=\"terms-of-service\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/acct/991443716"],"Replay-Nonce":["F70EyZ_pC24oN4PtiMWxr1NXVxWGzy0lP6GgbhBSUStj1tw"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 201}
2023/03/03 09:54:57.798 INFO tls waiting on internal rate limiter {"identifiers": ["web.mysite"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2023/03/03 09:54:57.798 INFO tls done waiting on internal rate limiter {"identifiers": ["web.mysite"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2023/03/03 09:54:57.978 DEBUG tls.acme_client http request {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/new-order", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["991443716"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["212"],"Content-Type":["application/problem+json"],"Date":["Fri, 03 Mar 2023 09:54:57 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["F70EZ0AyzmBi1gJHVQOnVwxHCzrDIRBTmLFAHCqPZh1mMWo"],"Server":["nginx"]}, "status_code": 400}
2023/03/03 09:54:57.978 ERROR tls.obtain could not get certificate from issuer {"identifier": "web.mysite", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Error creating new order :: Cannot issue for \"web.mysite\": Domain name does not end with a valid public suffix (TLD)"}
2023/03/03 09:54:57.978 DEBUG tls.obtain trying issuer 2/2 {"issuer": "acme.zerossl.com-v2-DV90"}
2023/03/03 09:54:57.978 WARN tls missing email address for ZeroSSL; it is strongly recommended to set one for next time
2023/03/03 09:54:59.349 INFO tls generated EAB credentials {"key_id": "LLRR_JiXvnP1Gyxq8z_DJg"}
2023/03/03 09:55:00.338 DEBUG tls.acme_client http request {"method": "GET", "url": "https://acme.zerossl.com/v2/DV90", "headers": {"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Access-Control-Allow-Origin":["*"],"Content-Length":["645"],"Content-Type":["application/json"],"Date":["Fri, 03 Mar 2023 09:55:00 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]}, "status_code": 200}
2023/03/03 09:55:01.042 DEBUG tls.acme_client http request {"method": "HEAD", "url": "https://acme.zerossl.com/v2/DV90/newNonce", "headers": {"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Type":["application/octet-stream"],"Date":["Fri, 03 Mar 2023 09:55:00 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["choyu-v75RZ-bY957c7mtuaNcSeoRrEvG7HmRHJ7_Us"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]}, "status_code": 200}
2023/03/03 09:55:01.864 DEBUG tls.acme_client http request {"method": "POST", "url": "https://acme.zerossl.com/v2/DV90/newAccount", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["579"],"Content-Type":["application/json"],"Date":["Fri, 03 Mar 2023 09:55:01 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Location":["https://acme.zerossl.com/v2/DV90/account/LLRR_JiXvnP1Gyxq8z_DJg"],"Replay-Nonce":["V4YzFYtZr4O5Kj-c-VBhxNZo5toNBIsaofRmEMM11AM"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]}, "status_code": 201}
2023/03/03 09:55:01.865 INFO tls waiting on internal rate limiter {"identifiers": ["web.mysite"], "ca": "https://acme.zerossl.com/v2/DV90", "account": ""}
2023/03/03 09:55:01.865 INFO tls done waiting on internal rate limiter {"identifiers": ["web.mysite"], "ca": "https://acme.zerossl.com/v2/DV90", "account": ""}
2023/03/03 09:55:02.512 DEBUG tls.acme_client http request {"method": "POST", "url": "https://acme.zerossl.com/v2/DV90/newOrder", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["116"],"Content-Type":["application/problem+json"],"Date":["Fri, 03 Mar 2023 09:55:02 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["jQSBi7xGSLNSh3oaSYD3XZqo6XJkKRC4EEuYSOPB2wI"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]}, "status_code": 400}
2023/03/03 09:55:02.512 ERROR tls.obtain could not get certificate from issuer {"identifier": "web.mysite", "issuer": "acme.zerossl.com-v2-DV90", "error": "HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [web.mysite]"}
2023/03/03 09:55:02.512 DEBUG events event {"name": "cert_failed", "id": "1298f96f-180f-4a9e-97c7-ccdc8854f8c0", "origin": "tls", "data": {"error":{},"identifier":"web.mysite","issuers":["acme-v02.api.letsencrypt.org-directory","acme.zerossl.com-v2-DV90"],"renewal":false}}
2023/03/03 09:55:02.512 ERROR tls.obtain will retry {"error": "[web.mysite] Obtain: [web.mysite] creating new order: attempt 1: https://acme.zerossl.com/v2/DV90/newOrder: HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [web.mysite] (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 1, "retrying_in": 60, "elapsed": 5.659666017, "max_duration": 2592000}
```
6. No new log from cert.mysite; let's get the version of Caddy in the container:
```
root@demo:/test# docker run --rm -it -v /test/hosts:/etc/hosts -v /test/Caddyfile:/etc/caddy/Caddyfile caddy caddy version
v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=
```