Get complete certificate chain from browser

1. Output of caddy version:

v2.5.2

2. How I run Caddy:

a. System environment:

Linux

b. Command:

start-stop-daemon --start --background --name caddy --exec /usr/bin/caddy -- run --pidfile /run/caddy.pid --resume --environ --envfile /etc/caddy/caddy.env

d. My complete Caddy config:

{
  "apps": {
    "http": {
      "servers": {
        "srv0": {
          "listen": [
            "0.0.0.0:443"
          ],
          "routes": [
            {
              "@id": "test1-path-demo",
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "handler": "static_response",
                          "headers": {
                            "Location": [
                              "/test1/"
                            ]
                          },
                          "status_code": "302"
                        }
                      ],
                      "match": [
                        {
                          "path": [
                            "/test1"
                          ]
                        }
                      ]
                    },
                    {
                      "handle": [
                        {
                          "handler": "subroute",
                          "routes": [
                            {
                              "handle": [
                                {
                                  "handler": "rewrite",
                                  "strip_path_prefix": "/test1"
                                }
                              ]
                            },
                            {
                              "handle": [
                                {
                                  "handler": "static_response",
                                  "body": "Hallo von Test1"
                                }
                              ]
                            }
                          ]
                        }
                      ],
                      "match": [
                        {
                          "path": [
                            "/test1/*"
                          ]
                        }
                      ]
                    }
                  ]
                }
              ]
            }
          ],
          "tls_connection_policies": [
            {}
          ]
        }
      }
    },
    "tls": {
      "automation": {
        "policies": [
          {
            "on_demand": true,
            "issuers": [
              {
                "module": "internal",
                "ca": "my_ca"
              }
            ]
          }
        ]
      }
    },
    "pki": {
      "certificate_authorities": {
        "my_ca": {
          "root_common_name": "Standard Root CA",
          "intermediate_common_name": "Standard Intermediate CA"
        }
      }
    }
  },
  "logging": {
    "sink": {
      "writer": {
        "output": "file",
        "roll_size_mb": 5,
        "filename": "/home/user/var/caddy/caddy-standard.sink"
      }
    },
    "logs": {
      "logging": {
        "writer": {
          "output": "file",
          "roll_size_mb": 5,
          "filename": "/home/user/var/caddy/caddy-standard.log"
        },
        "level": "INFO"
      }
    }
  },
  "admin": {
    "listen": "unix//run/caddy-standard.sock"
  }
}

3. The problem I’m having:

I use Caddy on our local network to serve a web service. I do not use a DNS hostname; the web page is visited via the IP of the server.
I want my users to be able to retrieve the root certificate of the Caddy internal CA via the browser so that they can import it and the browser does not show the HTTPS warnings.
When I check the HTTPS certificate via the browser, it is shown as invalid and an error is displayed that says the issuer of the intermediate certificate could not be found. The certificate chain is not complete: the certificate of the CA is not included, only the server certificate and the intermediate certificate. Therefore my users cannot import it to trust the internal CA of Caddy.

Is it possible to configure Caddy such that I can export the Root certificate via the browser?

4. Error messages and/or full log output:

Intermediate Certificate: Certificate’s issuer could not be found.

5. What I already tried:

Tested with different browsers (Chrome, Firefox).
Via the caddy API I can retrieve the complete certificate chain.

Caddy does automatically try to install its root certificate into the local system trust store(s). But this depends heavily on which system you’re running on and which trust stores are supported, and on getting admin privileges to do so (it requires a password if not running as root).

You can install trust manually though; the location of Caddy’s root cert should be printed to the logs.

Thank you Matt for your answer.
I know about the feature that automatically installs the certificate into the trust store. However, I want to be able to download the root certificate from the browser. Is there a possibility to enable that?

I’m confused, because this:

Is it possible to configure Caddy such that I can export the Root certificate via the browser?

doesn’t follow this:

When I check the HTTPS Certificate via the browser it is shown as invalid and an error is displayed that says the issuer of the intermediate certificate could not be found. The certificate chain is not complete, the certificate of the CA is not included, only the server certificate and the intermediate certificate. Therefore my users can not import it to trust the internal CA of caddy.

If the browser doesn’t have the certificate, how/why would you download or export it from the browser?

That’s exactly my problem. The browser only shows the intermediate and leaf certificates; the root certificate is not available. My aim is to download the root certificate via the browser and store it as a trusted root certificate so that the HTTPS connection is established without any browser warnings. I’m wondering if there is a possibility to configure Caddy such that the root certificate is downloadable via the browser.

I guess you could do something like this:

file_server /root.crt {
    root /path/to/data/folder/caddy/pki/authorities/local
}

Just make sure you only allow access to the cert, not the private key :wink: (the /root.crt matcher is crucial)
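Added example, written for this page in Go; it is not Caddy's code and not from anyone in this thread. It rebuilds what the first post describes and the check behind the file_server suggestion above: a root -> intermediate -> leaf hierarchy with the common names from the config, verified the way a browser verifies the chain a TLS server actually sends (the leaf and the intermediate; the root is never part of that chain, which is why the browser has nothing to export). With an empty trust store Go reports x509.UnknownAuthorityError, the counterpart of the browser's "issuer could not be found"; once the root PEM is imported the same chain verifies. publishable() is the guard a route over the CA directory has to enforce, because root.key sits next to root.crt. The IP 192.0.2.10 and all function names are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

type keyPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue signs tmpl with parent, or self-signs it when parent is nil (a root).
func issue(tmpl *x509.Certificate, parent *keyPair) (*keyPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	kp := &keyPair{cert: tmpl, key: key}
	if parent == nil {
		parent = kp
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.cert, &key.PublicKey, parent.key)
	if err != nil {
		return nil, err
	}
	kp.cert, err = x509.ParseCertificate(der)
	return kp, err
}

// buildHierarchy creates root -> intermediate -> leaf, the layout Caddy's internal issuer uses;
// the common names are the ones from the config in this thread, the leaf carries an IP SAN.
func buildHierarchy(ip string) (root, inter, leaf *keyPair, err error) {
	now := time.Now()
	ca := func(cn string, serial int64) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	}
	if root, err = issue(ca("Standard Root CA", 1), nil); err != nil {
		return
	}
	if inter, err = issue(ca("Standard Intermediate CA", 2), root); err != nil {
		return
	}
	leaf, err = issue(&x509.Certificate{SerialNumber: big.NewInt(3),
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(12 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses: []net.IP{net.ParseIP(ip)}}, inter)
	return
}

// verifyAsBrowser checks leaf the way a TLS client does: sent is what the server put on the wire
// after the leaf (the intermediate; the root is never needed there), trusted is the client's root store.
func verifyAsBrowser(leaf *x509.Certificate, sent, trusted []*x509.Certificate, ip string) error {
	inters, roots := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range sent {
		inters.AddCert(c)
	}
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: ip})
	return err
}

// publishable is the guard behind "only allow access to the cert, not the private key":
// a file from the CA directory may be served only if it is non-empty PEM made solely of CERTIFICATE blocks.
func publishable(b []byte) bool {
	n := 0
	for blk, rest := pem.Decode(b); blk != nil; blk, rest = pem.Decode(rest) {
		if blk.Type != "CERTIFICATE" {
			return false
		}
		n++
	}
	return n > 0
}

func main() {
	const ip = "192.0.2.10" // constructed documentation address, not from the thread
	root, inter, leaf, err := buildHierarchy(ip)
	if err != nil {
		panic(err)
	}
	sent := []*x509.Certificate{inter.cert} // the chain on the wire: leaf + intermediate only
	fmt.Println("no root imported:", verifyAsBrowser(leaf.cert, sent, nil, ip))
	fmt.Println("root imported:", verifyAsBrowser(leaf.cert, sent, []*x509.Certificate{root.cert}, ip))
	crt := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: root.cert.Raw}) // what root.crt holds
	der, _ := x509.MarshalECPrivateKey(root.key)
	keyFile := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der}) // what root.key holds
	fmt.Println("serve root.crt:", publishable(crt), "serve root.key:", publishable(keyFile))
}
```

Run it with go run: the first Verify call fails with the unknown-authority error, the second succeeds, and the guard accepts the certificate file but refuses the key file. The point the check makes is that trust is established by what the client has imported, not by what the server sends, so the root has to reach users out of band; a route restricted to the single certificate file, as suggested above, is that out-of-band path, and the guard is what keeps the neighbouring key out of it.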
