Global ACME server

1. Caddy version (caddy version):

v2.3.x
v2.4.0-beta.1

2. How I run Caddy:

a. System environment:

Debian 10, native

b. Command:

caddy run

d. My complete Caddyfile or JSON config:

# Global Option Block
{
        # General Option
                  debug

        # TLS Options
                  local_certs
                  acme_ca https://acme.roadrunner/acme/local/directory
                  acme_ca_root ./root.crt
}

3. The problem I’m having:

The above code doesn’t seem to be working. Do I have it correct?

Specifying it per domain does work

nextcloud.roadrunner {
        tls {
                ca https://acme.roadrunner/acme/local/directory
                ca_root ./root.crt
        }
}

You can compare the output of caddy adapt --pretty to see the difference.

Do you mean this? Looks like the JSON config doesn’t have the ACME server setup.

Caddyfile

# Global Option Block
{
        # General Option
        debug

        # TLS Options
        local_certs
        acme_ca https://acme.roadrunner/acme/local/directory
        acme_ca_root ./nextcloud/root.crt
}

nextcloud.roadrunner {
        #tls {
        #        ca https://acme.roadrunner/acme/local/directory
        #        ca_root ./root.crt
        #}


        php_fastcgi 127.0.0.1:9000 {
                env front_controller_active true # Remove index.php from the URL
        }
        }

        header {
                Strict-Transport-Security max-age=31536000; # enable HSTS
        }

        # Moved to frontend proxy (see Nextcloud documentation)
        #redir /.well-known/carddav /remote.php/dav 301
        #redir /.well-known/caldav /remote.php/dav 301

        # .htaccess / data / config / ... shouldn't be accessible from outside
        @forbidden {
                path /.htaccess
                path /data/*
                path /config/*
                path /db_structure
                path /.xml
                path /README
                path /3rdparty/*
                path /lib/*
                path /templates/*
                path /occ
                path /console.php
        }

        respond @forbidden 404
}

JSON

{
        "logging": {
                "logs": {
                        "default": {
                                "level": "DEBUG"
                        }
                }
        },
        "apps": {
                "http": {
                        "servers": {
                                "srv0": {
                                        "listen": [
                                                ":443"
                                        ],
                                        "routes": [
                                                {
                                                        "match": [
                                                                {
                                                                        "host": [
                                                                                "nextcloud.roadrunner"
                                                                        ]
                                                                }
                                                        ],
                                                        "handle": [
                                                                {
                                                                        "handler": "subroute",
                                                                        "routes": [
                                                                                {
                                                                                        "handle": [
                                                                                                {
                                                                                                        "handler": "headers",
                                                                                                        "response": {
                                                                                                                "set": {
                                                                                                                        "Strict-Transport-Security": [
                                                                                                                                "max-age=31536000;"
                                                                                                                        ]
                                                                                                                }
                                                                                                        }
                                                                                                }
                                                                                        ]
                                                                                },
                                                                                {
                                                                                        "handle": [
                                                                                                {
                                                                                                        "handler": "static_response",
                                                                                                        "status_code": 404
                                                                                                }
                                                                                        ],
                                                                                        "match": [
                                                                                                {
                                                                                                        "path": [
                                                                                                                "/.htaccess",
                                                                                                                "/data/*",
                                                                                                                "/config/*",
                                                                                                                "/db_structure",
                                                                                                                "/.xml",
                                                                                                                "/README",
                                                                                                                "/3rdparty/*",
                                                                                                                "/lib/*",
                                                                                                                "/templates/*",
                                                                                                                "/occ",
                                                                                                                "/console.php"
                                                                                                        ]
                                                                                                }
                                                                                        ]
                                                                                },
                                                                                {
                                                                                        "handle": [
                                                                                                {
                                                                                                        "handler": "static_response",
                                                                                                        "headers": {
                                                                                                                "Location": [
                                                                                                                        "{http.request.uri.path}/"
                                                                                                                ]
                                                                                                        },
                                                                                                        "status_code": 308
                                                                                                }
                                                                                        ],
                                                                                        "match": [
                                                                                                {
                                                                                                        "file": {
                                                                                                                "try_files": [
                                                                                                                        "{http.request.uri.path}/index.php"
                                                                                                                ]
                                                                                                        },
                                                                                                        "not": [
                                                                                                                {
                                                                                                                        "path": [
                                                                                                                                "*/"
                                                                                                                        ]
                                                                                                                }
                                                                                                        ]
                                                                                                }
                                                                                        ]
                                                                                },
                                                                                {
                                                                                        "handle": [
                                                                                                {
                                                                                                        "handler": "rewrite",
                                                                                                        "uri": "{http.matchers.file.relative}"
                                                                                                }
                                                                                        ],
                                                                                        "match": [
                                                                                                {
                                                                                                        "file": {
                                                                                                                "split_path": [
                                                                                                                        ".php"
                                                                                                                ],
                                                                                                                "try_files": [
                                                                                                                        "{http.request.uri.path}",
                                                                                                                        "{http.request.uri.path}/index.php",
                                                                                                                        "index.php"
                                                                                                                ]
                                                                                                        }
                                                                                                }
                                                                                        ]
                                                                                },
                                                                                {
                                                                                        "handle": [
                                                                                                {
                                                                                                        "handler": "reverse_proxy",
                                                                                                        "transport": {
                                                                                                                "env": {
                                                                                                                        "front_controller_active": "true"
                                                                                                                },
                                                                                                                "protocol": "fastcgi",
                                                                                                                "split_path": [
                                                                                                                        ".php"
                                                                                                                ]
                                                                                                        },
                                                                                                        "upstreams": [
                                                                                                                {
                                                                                                                        "dial": "127.0.0.1:9000"
                                                                                                                }
                                                                                                        ]
                                                                                                }
                                                                                        ],
                                                                                        "match": [
                                                                                                {
                                                                                                        "path": [
                                                                                                                "*.php"
                                                                                                        ]
                                                                                                }
                                                                                        ]
                                                                                }
                                                                        ]
                                                                }
                                                        ],
                                                        "terminal": true
                                                }
                                        ]
                                }
                        }
                },
                "tls": {
                        "automation": {
                                "policies": [
                                        {
                                                "issuers": [
                                                        {
                                                                "module": "internal"
                                                        }
                                                ]
                                        }
                                ]
                        }
                }
        }
}

Right, that’s because you have local_certs which overrides any ACME server config with the internal issuer instead.
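As an added example (not a config from this thread or from the Caddy project), here is the global options block in its conflicting form beside the form that actually sends issuance requests to the private ACME server. The hostnames and the `./root.crt` path are carried over from the thread only as illustrative assumptions; the `respond "ok"` site body is a placeholder so the snippet stands alone.

```caddyfile
# Added example, not the thread's own config. Hostnames and the root.crt
# path are illustrative assumptions.

# CONFLICTING: local_certs selects Caddy's internal issuer for every site,
# so the acme_ca / acme_ca_root lines are ignored and Caddy mints its own
# self-signed certificates instead of contacting the ACME server.
#{
#        debug
#        local_certs
#        acme_ca https://acme.roadrunner/acme/local/directory
#        acme_ca_root ./root.crt
#}

# WORKING: drop local_certs. acme_ca points every site at the private ACME
# directory and acme_ca_root lets Caddy trust the private CA's root when it
# connects to that directory over HTTPS.
{
        debug
        acme_ca https://acme.roadrunner/acme/local/directory
        acme_ca_root ./root.crt   # resolved relative to Caddy's working directory
}

nextcloud.roadrunner {
        # No per-site tls block is needed; the global options apply here.
        respond "ok"
}
```

To confirm which issuer is in effect, run `caddy adapt --pretty` on the file: under `apps.tls.automation.policies[].issuers` the entry should read `"module": "acme"` with your directory URL, not `"module": "internal"` as in the JSON posted above. If `caddy run` reports that it cannot verify the ACME server's certificate, the `acme_ca_root` path is not being found from the directory Caddy was started in.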

:man_facepalming: :man_facepalming: :man_facepalming: :man_facepalming:

I thought that was required for the internal ACME server usage. Don’t know why I didn’t even try to comment it out…
