Getting PKI CA IDs for non-local certs

1. The problem I’m having:

I am experimenting with the Admin API to get PKI CA information for a public Web PKI service and its certificates (both Let’s Encrypt and ZeroSSL in this case), but I struggled with the PKI CA ID part when calling its API endpoints.

For anyone asking regarding admin API port access, I use a combination of GCP Compute Engine firewalls and Tailscale ACLs to limit access (and I am accessing it over Tailscale, in case the IP address confuses anyone).

2. Error messages and/or full log output:

$ curl -vL http://100.109.34.86:20241/pki/ca/acme-v02.api.letsencrypt.org
*   Trying 100.109.34.86:20241...
* Connected to 100.109.34.86 (100.109.34.86) port 20241
> GET /pki/ca/acme-v02.api.letsencrypt.org HTTP/1.1
> Host: 100.109.34.86:20241
> User-Agent: curl/8.6.0
> Accept: */*
> 
< HTTP/1.1 404 Not Found
< Content-Type: application/json
< Date: Mon, 19 Aug 2024 13:05:04 GMT
< Content-Length: 86
< 
{"error":"no certificate authority configured with id: acme-v02.api.letsencrypt.org"}
* Connection #0 to host 100.109.34.86 left intact

3. Caddy version:

v2.8.4 h1:q3pe0wpBj1OcHFZ3n/1nl4V4bxBrYoSoab7rL9BMYNk=

4. How I installed and ran Caddy:

I use xcaddy to install Caddy with DNS plugins for DNS TXT-based challenges and an S3 storage backend for storing TLS certificates over Storj DCS via its hosted S3 endpoint.

xcaddy build \
    --with github.com/caddy-dns/cloudflare \
    --with github.com/caddy-dns/vercel \
    --with github.com/caddy-dns/netlify \
    --with github.com/ss098/certmagic-s3

a. System environment:

Debian 12 on a GCP e2-micro instance, running via a systemd unit file.

b. Command:

See systemd unit file below for how I run it as a service.

c. Service/unit/compose file:

# Copied from https://github.com/recaptime-dev/proxyparty-caddy/blob/main/config/systemd/caddy.service

# caddy-api.service
#
# For using Caddy with its API, alongside support for reloading
# the server using the config via `systemctl reload`
#
# This unit is "durable" in that it will automatically resume
# the last active configuration if the service is restarted.
#
# See https://caddyserver.com/docs/install for instructions.

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy-admin
WorkingDirectory=/var/caddy/src
RuntimeDirectory=caddyserver
ExecStart=caddy run --envfile ./decrypted.env --environ --resume
ExecReload=caddy reload --config ./config/caddy/gcp/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
EnvironmentFile=/var/caddy/src/decrypted.env

[Install]
WantedBy=multi-user.target

d. My complete Caddy config:

While I am talking about admin API use, my configuration for this particular server is at https://github.com/recaptime-dev/proxyparty-caddy/tree/main/config/caddy/gcp and uses import to keep things organized.

5. Links to relevant resources:

Not applicable here.

What is your goal here? I’m not asking about your attempt at the solution. I’m asking about the real problem you’re trying to solve.

The PKI endpoints on the admin API are for Caddy’s own PKI app, not for the public CAs like LE and ZeroSSL.

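To make the reply concrete: the `<id>` in `/pki/ca/<id>` is a key under `apps.pki.certificate_authorities` in Caddy's JSON config (with `local` as the built-in default), not the hostname of an ACME directory. The following is an added example, not code from the thread or from Caddy itself. It assumes the documented admin routes `GET /pki/ca/<id>` (JSON info) and `GET /pki/ca/<id>/certificates` (PEM chain), assumes the default CA id `local` is present whenever the PKI app is loaded, and uses a constructed sample config and admin address.

```python
"""List and query Caddy's own PKI app CAs via the admin API.

Added example (not from the original thread). Assumptions, labelled:
  - admin routes GET /pki/ca/<id> and GET /pki/ca/<id>/certificates exist
  - the default managed CA id is "local" and is present when the PKI app runs
  - SAMPLE_CONFIG and the 127.0.0.1:2019 admin address are constructed
"""
from __future__ import annotations

import json
import sys
import urllib.error
import urllib.request

DEFAULT_CA_ID = "local"  # Caddy's built-in internal CA id (assumption, see above)

# Constructed sample of the relevant slice of a Caddy JSON config.
SAMPLE_CONFIG = {
    "apps": {
        "pki": {
            "certificate_authorities": {
                "internal-ca": {"name": "Example Internal CA"},
            }
        }
    }
}


class NoSuchCA(LookupError):
    """Raised when the admin API reports that no PKI CA has the requested id."""


def pki_ca_url(admin_base: str, ca_id: str, certificates: bool = False) -> str:
    """Build the admin-API URL for a PKI CA id (a config key, never a public CA host)."""
    url = f"{admin_base.rstrip('/')}/pki/ca/{ca_id}"
    return url + "/certificates" if certificates else url


def list_pki_ca_ids(config: dict) -> list[str]:
    """Return the CA ids that /pki/ca/<id> can serve for this config.

    Configured ids come from apps.pki.certificate_authorities; "local" is
    added first because Caddy provisions it when absent (assumption).
    """
    cas = config.get("apps", {}).get("pki", {}).get("certificate_authorities", {})
    ids = list(cas.keys())
    if DEFAULT_CA_ID not in ids:
        ids.insert(0, DEFAULT_CA_ID)
    return ids


def parse_admin_error(body: bytes) -> str:
    """Extract the "error" field from an admin-API JSON error body, else return raw text."""
    try:
        data = json.loads(body)
    except ValueError:
        return body.decode(errors="replace")
    if isinstance(data, dict) and "error" in data:
        return str(data["error"])
    return body.decode(errors="replace")


def fetch_pki_ca(admin_base: str, ca_id: str, certificates: bool = False,
                 timeout: float = 5.0):
    """GET the CA info (parsed JSON) or its PEM chain (str) from the admin API.

    A 404 carrying "no certificate authority configured" (the message from the
    original post) is turned into NoSuchCA; other HTTP errors propagate.
    """
    req = urllib.request.Request(pki_ca_url(admin_base, ca_id, certificates),
                                 headers={"Accept": "application/json, */*"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read()
            if resp.headers.get_content_type() == "application/json":
                return json.loads(body)
            return body.decode()  # PEM chain for /certificates
    except urllib.error.HTTPError as exc:
        msg = parse_admin_error(exc.read())
        if exc.code == 404 and "no certificate authority configured" in msg:
            raise NoSuchCA(f"{ca_id!r}: {msg}") from None
        raise


if __name__ == "__main__":
    # Usage: python pki_ca.py http://127.0.0.1:2019  (admin address is an assumption)
    base = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:2019"
    # Valid ids from the config, plus the public-CA hostname from the post to show the failure mode.
    for cid in list_pki_ca_ids(SAMPLE_CONFIG) + ["acme-v02.api.letsencrypt.org"]:
        try:
            info = fetch_pki_ca(base, cid)
            print(cid, "->", info.get("name") if isinstance(info, dict) else info)
        except NoSuchCA as err:
            print("not a PKI app CA:", err)
```

For the Let's Encrypt or ZeroSSL certificates themselves, the issuer is recorded in the leaf certificate Caddy obtained (it is in the stored chain, or visible with `openssl x509 -noout -issuer` on the PEM), so there is no PKI CA id to look up for them.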

Okay, thanks for that note (and I marked your reply as an answer if anyone in the future looks into this).
