Help with local https

Hi here,

1. Caddy version (caddy version):

v2.4.6 h1:HGkGICFGvyrodcqOOclHKfvJC0qTU7vny/7FhYp9hNw=

2. How I run Caddy:

Simple install on Pi

a. System environment:

bullseye/sid

b. Command:

caddy start and then a lot of caddy reload (as root user)

d. My complete Caddyfile or JSON config:

{
	debug
}

http://mikangye.lan {
	root * /var/www/test/index.html
	file_server
}

mikangye.lan {
	respond hello-https
}

api.pellets.localhost {
	log
	tls internal
	root * /var/www/test
	#php_fastcgi 127.0.0.1:9000
	encode gzip zstd
	file_server
}

3. The problem I’m having:

First, I'm new to web hosting.
I'm trying to host my web app API (PHP API Platform) and my own front end (React) on my Pi with TLS, since I want to access it from a phone/tablet etc. on the local network.

I always get an “HTTP/1.1 308 Permanent Redirect”.

All server names point to “192.168.1.43” (all declared in an SFR “box”). None are in /etc/hosts.

4. Error messages and/or full log output:

on api.pellets.localhost: status 308

curl -v -k api.pellets.localhost
*   Trying ::1:80...
* TCP_NODELAY set
* Connected to api.pellets.localhost (::1) port 80 (#0)
> GET / HTTP/1.1
> Host: api.pellets.localhost
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://api.pellets.localhost/
< Server: Caddy
< Date: Wed, 09 Feb 2022 13:39:42 GMT
< Content-Length: 0
<
* Closing connection 0

on mikangye.lan: status 200 ok

root@ubuntu:/etc/caddy# curl -v mikangye.lan
*   Trying 192.168.1.43:80...
* TCP_NODELAY set
* Connected to mikangye.lan (192.168.1.43) port 80 (#0)
> GET / HTTP/1.1
> Host: mikangye.lan
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: Caddy
< Date: Wed, 09 Feb 2022 13:49:17 GMT
< Content-Length: 0
<
* Connection #0 to host mikangye.lan left intact

From caddy start:

2022/02/09 13:43:20.844	INFO	using adjacent Caddyfile
2022/02/09 13:43:20.848	WARN	input is not formatted with 'caddy fmt'	{"adapter": "caddyfile", "file": "Caddyfile", "line": 12}
2022/02/09 13:43:20.852	INFO	admin	admin endpoint started	{"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["localhost:2019", "[::1]:2019", "127.0.0.1:2019"]}
2022/02/09 13:43:20.853	INFO	tls.cache.maintenance	started background certificate maintenance	{"cache": "0x40002cc770"}
2022/02/09 13:43:20.853	WARN	tls	stapling OCSP	{"error": "no OCSP stapling for [install]: no OCSP server specified in certificate"}
2022/02/09 13:43:20.853	DEBUG	tls.cache	added certificate to cache	{"subjects": ["install"], "expiration": "2024/05/09 13:14:51.000", "managed": false, "issuer_key": "", "hash": "c919c676f99fc0220577b5cef51e9d87321b92251277fc3413f20cf054ab9eae", "cache_size": 1, "cache_capacity": 10000}
2022/02/09 13:43:20.853	INFO	http	server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server	{"server_name": "srv1", "http_port": 80}
2022/02/09 13:43:20.854	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
2022/02/09 13:43:20.856	INFO	tls	cleaning storage unit	{"description": "FileStorage:/root/.local/share/caddy"}
2022/02/09 13:43:20.864	INFO	tls	finished cleaning storage units
2022/02/09 13:43:20.906	WARN	pki.ca.local	installing root certificate (you might be prompted for password)	{"path": "storage:pki/authorities/local/root.crt"}
2022/02/09 13:43:20 define JAVA_HOME environment variable to use the Java trust
2022/02/09 13:43:20 not NSS security databases found
2022/02/09 13:43:22 certificate installed properly in linux trusts
2022/02/09 13:43:22.849	DEBUG	http	starting server loop	{"address": "[::]:443", "http3": false, "tls": true}
2022/02/09 13:43:22.849	DEBUG	http	starting server loop	{"address": "[::]:80", "http3": false, "tls": false}
2022/02/09 13:43:22.851	INFO	http	enabling automatic TLS certificate management	{"domains": ["api.pellets.localhost"]}
2022/02/09 13:43:22.853	WARN	tls	stapling OCSP	{"error": "no OCSP stapling for [api.pellets.localhost]: no OCSP server specified in certificate"}
2022/02/09 13:43:22.853	DEBUG	tls.cache	added certificate to cache	{"subjects": ["api.pellets.localhost"], "expiration": "2022/02/10 00:41:01.000", "managed": true, "issuer_key": "local", "hash": "4037a3abc9e036a2900df7d76f9752c312347259b22921c51b9f0e8cb7b458f0", "cache_size": 2, "cache_capacity": 10000}
2022/02/09 13:43:22.854	INFO	autosaved config (load with --resume flag)	{"file": "/root/.config/caddy/autosave.json"}
2022/02/09 13:43:22.854	INFO	serving initial configuration
Successfully started Caddy (pid=226276) - Caddy is running in the background

5. What I already tried:

I’ve tried several things -_-

6. Links to relevant resources:

If I could have some help :slight_smile:

Sorry,

With:

api.pellets.localhost {
	log
	tls internal
	root * /var/www/test
	encode gzip zstd
	file_server
}

The 308 error was: root * /var/www/test/index.html instead of /var/www/test (so many tries…)

On the local Pi, I can run curl https://api.pellets.localhost successfully.

On my Mac, I need to run curl -v -k https://api.pellets.localhost for it to work (and it's not working with Chrome).

It's pretty clear without -k: curl: (60) SSL certificate problem: unable to get local issuer certificate

Now I've figured out why it's called “local https” :sweat_smile:

What could I do in order to get a server on my local network with TLS correctly enabled?

You just have to install Caddy’s root CA into the trust store for the computer you want to access and trust it. (Just be aware of the implications of doing this; and guard Caddy’s private key.) Exactly how to do this depends on your system, so I would look up tutorials online.
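One way to follow Matt's advice without falling back to curl -k, added here as an example (not code from the thread or from Caddy): check the copy of Caddy's local root certificate before trusting it, pin it for curl, and only then install it in the trust store. The Pi's address and the root.crt storage path come from the post and the startup log above; the local file name caddy-root.crt is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread or from Caddy: vet a copy of Caddy's
# local root CA before trusting it on another machine, then use it with curl
# instead of disabling verification with -k.
# Assumed: the root was copied off the Pi from the path shown in the startup
# log (FileStorage:/root/.local/share/caddy + pki/authorities/local/root.crt):
#   scp root@192.168.1.43:/root/.local/share/caddy/pki/authorities/local/root.crt caddy-root.crt

# SHA-256 fingerprint of a PEM certificate, e.g. "AB:CD:...". Run the same
# command on the Pi and compare, so a swapped file is never trusted by accident.
ca_fingerprint() {
	openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Succeeds only if the file is a CA certificate (basicConstraints CA:TRUE)
# that has not expired; a leaf or expired cert must not go into a trust store.
ca_is_usable() {
	openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || return 1
	openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Succeeds if the local copy's fingerprint equals the one read off the Pi.
ca_matches() {
	[ "$(ca_fingerprint "$1")" = "$2" ]
}

# Once the copy checks out, trust only this root for the request (no -k):
#   curl --cacert caddy-root.crt https://api.pellets.localhost
# To trust it system-wide so Chrome accepts it too:
#   macOS:  sudo security add-trusted-cert -d -r trustRoot \
#               -k /Library/Keychains/System.keychain caddy-root.crt
#   Debian: sudo cp caddy-root.crt /usr/local/share/ca-certificates/ \
#               && sudo update-ca-certificates
```

Keep the root's private key on the Pi only; the other machines need just root.crt.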

Hi, thank you Matt. That's why I can make a successful curl request from the Pi itself.
