Having issues enabling HTTPS for local applications

1. Output of caddy version:

“caddy:latest” via Docker

2. How I run Caddy:

I’ve installed Caddy via Docker on Ubuntu Server to serve as an internal reverse proxy/HTTPS for other Docker containers on my machine.

I use OPNsense as a firewall and within it use Unbound to redirect local DNS queries for an internal domain (*.ubuntu.arpa) to the machine running Caddy.

a. System environment:

Ubuntu Server, 22.04
Caddy via Docker

b. Command:


c. Service/unit/compose file:

  caddy:
    image: caddy
    container_name: caddy
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    volumes:
      - ${APPDATA}/caddy/Caddyfile:/etc/caddy/Caddyfile
      - ${APPDATA}/caddy/site:/srv
      - ${APPDATA}/caddy/data:/data
      - ${APPDATA}/caddy/config:/config
    networks:
      - caddy

d. My complete Caddy config:

linkding.ubuntu.arpa:443 {
  reverse_proxy linkding:9090
  tls internal
}

3. The problem I’m having:

Caddy currently operates as expected when I direct the domain to port 80 via HTTP. However, when redirecting to 443, adding ‘tls internal’, and installing the root .crt from Caddy’s data directory on the Windows machine I’m trying to access the domain from, the site continues to serve HTTP and is reported as not secure.

4. Error messages and/or full log output:


5. What I already tried:

I’ve tried adding https / http in the relevant places within my Caddyfile to no avail. I’m not sure what else I might be missing to get HTTPS working.

6. Links to relevant resources:

I don’t understand. Are you not making your requests with https://?

Please make an example request with curl -v to show what behaviour you’re seeing.

This is fine, but FYI :443 is redundant, because Caddy is HTTPS by default. It will listen on both 80 and 443 when told to serve a domain, port 80 for the ACME HTTP challenge and HTTP->HTTPS redirects, and 443 for HTTPS.

Here’s what I see when I curl the previous URL:

C:\Windows\system32>curl -v https://linkding.ubuntu.arpa
*   Trying 192.168.10.13:443...
* Connected to linkding.ubuntu.arpa (192.168.10.13) port 443 (#0)
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
* schannel: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.
* Closing connection 0
curl: (60) schannel: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

I’ve trusted Caddy’s certificate on the device I’m calling ‘curl’ from, so I’m not sure how else to trust the root certificate.

It seems the installation into your system trust store didn’t go quite like you thought, since the cert is still untrusted. Make sure to install your Caddy instance’s local root CA into the trust store.
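The steps the reply above points at, as an added example that is not part of the thread: export Caddy’s local root CA from the container, install it into the Windows Trusted Root store (not the Personal store, which is what leaves schannel reporting SEC_E_UNTRUSTED_ROOT), and re-run the curl check. It assumes the container name `caddy` from the compose file and Caddy’s default PKI path under its data directory; the hostname comes from the Caddyfile.

```powershell
# Added example, not from the thread: trust Caddy's internal CA on a Windows client.
# Assumptions: container is named "caddy" (see the compose file) and Caddy keeps its
# local CA at the default path below inside the mounted /data directory.
$ErrorActionPreference = 'Stop'

$container = 'caddy'
$hostName  = 'linkding.ubuntu.arpa'
$rootCrt   = Join-Path $env:TEMP 'caddy-root.crt'

# 1. Copy the root certificate out of the running container.
docker cp "${container}:/data/caddy/pki/authorities/local/root.crt" $rootCrt
if ($LASTEXITCODE -ne 0) { throw "docker cp failed; is the container named '$container'?" }

# 2. Inspect before trusting: confirm it is Caddy's root and note its thumbprint.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $rootCrt
"Subject:    $($cert.Subject)"
"Thumbprint: $($cert.Thumbprint)"
"Expires:    $($cert.NotAfter)"

# 3. Import into the *Trusted Root Certification Authorities* store for this user.
#    Importing into Cert:\CurrentUser\My (Personal) does not establish trust and
#    produces exactly the SEC_E_UNTRUSTED_ROOT error seen in the curl output above.
#    Use Cert:\LocalMachine\Root from an elevated prompt for machine-wide trust.
Import-Certificate -FilePath $rootCrt -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null

# 4. Verify the root is actually present in the store by thumbprint.
$installed = Get-ChildItem 'Cert:\CurrentUser\Root' |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $installed) { throw 'Root CA not found in the Trusted Root store after import' }

# 5. Re-test. curl.exe on Windows uses schannel, so it consults the same store;
#    a 200 over https here means the chain now validates.
curl.exe -sS -o NUL -w 'HTTP %{http_code} via %{scheme}\n' "https://$hostName/"
```

Browsers that keep their own trust store (Firefox by default) will still need the same root.crt imported separately.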
