Getting HTTPS working on localhost in Windows

1. Caddy version (caddy version):

v2.5.1 h1:bAWwslD1jNeCzDa+jDCNwb8M3UJ2tPa8UZFFzPVmGKs=

2. How I run Caddy:

I’m running Caddy as a Windows service using WinSW.

a. System environment:

OS: Windows Server 2019 Datacenter

b. Command:

Not using a command to run Caddy, using a service.

c. Service/unit/compose file:

n/a

d. My complete Caddyfile or JSON config:

localhost {
	handle_path /api* {
		reverse_proxy localhost:3001
	}

	handle {
		root * C:\Web\Webs\ExternalWeb
		file_server
	}
}

external-url {
	handle_path /api* {
		reverse_proxy localhost:3001
	}

	handle {
		root * C:\Web\Webs\ExternalWeb
		encode gzip
		file_server
	}
}

internal-url {
	handle_path /api* {
		reverse_proxy localhost:3001
	}

	handle {
		root * C:\Web\Webs\ExternalWeb
		encode gzip
		file_server
	}
}

3. The problem I’m having:

I’m trying to figure out how to get Caddy working with HTTPS on localhost. Out of the box, I’m getting security risk warnings in both Firefox and Chrome. I looked through this doc here: Automatic HTTPS — Caddy Documentation, and to be honest, much of it is over my head.
I thought maybe I could install an SSL cert manually myself and have Caddy use that. I started following the tutorial here: Create Locally Trusted SSL Certificates with mkcert on Windows - TechnixLeo, but I’m not sure how to have Caddy use that cert or if that is even possible.

4. Error messages and/or full log output:

5. What I already tried:

I have installed Caddy on our Windows web server and got it serving up sites in localhost, but not securely.

6. Links to relevant resources:

Are these real domains? What are these exactly?

Caddy will only set up its internal issuer if it matches the hostname requirements in Automatic HTTPS — Caddy Documentation, i.e. localhost, *.localhost, *.local.

You’ll need to use the tls internal directive in those sites if you want to use the internal issuer.

To have your system trust Caddy’s certs, you’ll need to run caddy.exe trust, which will pull the root cert from Caddy’s running instance on the same machine, and attempt to install it in the various trust stores it can on Windows. Some browsers/clients may require manual installation, in which case you’ll need to grab the root cert from Caddy’s storage location (see your logs, Caddy will report its data storage location if you run with --environ) and manually install it to those trust stores.

If you’re trying to connect from a different machine, then you’ll need to do the cert installation on those machines as well. You can either do it manually, or you can run caddy trust on those machines, using the --address flag to point to the admin endpoint of your Caddy instance – note that the admin endpoint only listens on localhost:2019 by default, so you’d need to change that to :2019 to allow other machines on your network to access it – keep in mind this is risky though because then anyone on the network can change Caddy’s config or shut it down etc.

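The reply above gives the two Caddy-side pieces (tls internal in each site, caddy trust on the machine) and warns about widening the admin endpoint. The Caddyfile below is an added example, not the poster's file or anything from the Caddy project: it takes the poster's config with the placeholder site names external-url and internal-url, adds tls internal to every site, and pins the admin API to its loopback default so the caddy trust step works without opening port 2019 to the network. The two non-localhost placeholders are merged into one site block because their handlers are identical.

```caddyfile
# Added example based on the thread's config (placeholders external-url and
# internal-url are the poster's; the three sites share one backend on :3001).
{
	# Keep the admin API on loopback (this is Caddy's default). Changing it to
	# :2019 would let any host on the network reconfigure or stop Caddy.
	admin localhost:2019
}

localhost {
	# localhost already qualifies for the internal issuer; the directive is
	# spelled out here so all three sites are configured the same way.
	tls internal

	handle_path /api* {
		reverse_proxy localhost:3001
	}

	handle {
		root * C:\Web\Webs\ExternalWeb
		file_server
	}
}

external-url, internal-url {
	# Names that are not localhost, *.localhost or *.local would otherwise be
	# sent to a public ACME CA; tls internal forces Caddy's local CA instead.
	tls internal

	handle_path /api* {
		reverse_proxy localhost:3001
	}

	handle {
		root * C:\Web\Webs\ExternalWeb
		encode gzip
		file_server
	}
}
```

After saving the file, `caddy validate --config Caddyfile` checks the syntax, and `caddy reload --config Caddyfile` (or restarting the WinSW service) applies it. Then run `caddy trust` from an elevated prompt on the same machine; it talks to the running instance's admin endpoint at localhost:2019, so the service must already be up. If a client still needs the root certificate by hand, `caddy environ` prints the data directory, and the local CA's root is stored under its pki\authorities\local subdirectory.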

Are these real domains? What are these exactly?

Sorry, I just replaced the real ones for privacy reasons. Guess I could have said “example.com” and “example.local”.

I am running Caddy and the certs on the same machine. I will try those steps and come back here if I have more questions.
Thanks!

That did the trick!
Chrome worked fine after those first two items, tls internal and caddy trust.

Some browsers/clients may require manual installation, in which case you’ll need to grab the root cert from Caddy’s storage location (see your logs, Caddy will report its data storage location if you run with --environ) and manually install it to those trust stores.

But I had to do an extra step for Firefox like your sentence above states. This is what I did that worked for me:

Starting with version 49, Firefox can be configured to automatically search for and import CAs that have been added to the Windows certificate store by a user or administrator.

  1. Enter “about:config” in the address bar and continue to the list of preferences.
  2. Set the preference “security.enterprise_roots.enabled” to true.
  3. Restart Firefox.

From this site: Setting Up Certificate Authorities (CAs) in Firefox | Firefox for Enterprise Help

