How can I get fullchain certificate from Caddy?

I am running Caddy2 in Docker to obtain automatic certificates. I would also like to use these certificates in my other dockerized services.

I am sharing the folder in which certificates are stored between the containers.
What I do is take domain.crt, convert it to PEM, append the key and dhparams, and that is what I use as the cert in the other Docker container.

# re-write the certificate Caddy stored as PEM
openssl x509 -in /etc/certs/$DOMAIN_PREFIX.crt -out /$DOMAIN_PREFIX.pem -outform PEM
# append the private key, then freshly generated DH parameters, to the same file
cat /etc/certs/$DOMAIN_PREFIX.key >> /$DOMAIN_PREFIX.pem
openssl dhparam -out /dhparam.pem 2048
cat /dhparam.pem >> /$DOMAIN_PREFIX.pem

So far I have implemented it in only one container, specifically the one running the Domoticz home automation software.
This works fine: I can now access Domoticz using HTTPS and my certificates are working as expected in all browsers I have tried.
However, I also wrote some Python scripts that access my Domoticz, and those complain about the certificate. While debugging this, I also found out that curl and wget complain about a certificate problem.

Checking with openssl I get this:

$ openssl s_client -connect localhost:8081 --showcerts
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN =
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN =
verify error:num=21:unable to verify the first certificate
verify return:1

Using Google, it seems that I need to use a fullchain certificate instead of just the single (?) certificate for the site. Is there a way to get the fullchain certificate from Caddy? It seems to be working fine on the Caddy-served web site I have, but not in my Domoticz, when I compare those with openssl, and it also works fine with wget and curl. So Caddy must keep the fullchain somewhere.

I would appreciate any help or pointing in the correct direction.
Thanks.

Welcome @raqua,

That error just means that the signer is not a trusted authority (has nothing to do with “full chain” exactly). Caddy will automatically (attempt to) install its own local CA into the system trust store, but of course when run in a container or VM, that trust store doesn’t exist or is different from your main OS trust store. Since this is a trust decision, it’s on you to install Caddy’s CA certificate into your trust store if you’re running it in a complex setup.

@matt, thank you for your reply.

I think that I still do not understand this correctly. My understanding is that the signer of the certificate should be Let’s Encrypt, not my local Caddy server.
I have since created a Certbot container and added its fullchain.pem to my Domoticz, and this works as expected.

This is because your test with openssl calls localhost:8081. Let’s Encrypt will not issue a certificate for localhost. (emphasis mine)

If you check the Overview section on the Automatic HTTPS page, you’ll see this statement:

  • Caddy serves IP addresses and local/internal hostnames over HTTPS with locally-trusted certificates. Examples: localhost , 127.0.0.1 .

  • Caddy serves public DNS names over HTTPS with certificates from Let’s Encrypt. Examples: example.com , sub.example.com , *.example.com .

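An added worked example (not posted by anyone in this thread, and not Caddy's own code) that reproduces the two situations the replies above separate: a leaf signed by a CA the client does not trust, which is what Caddy's local CA produces for localhost, versus a leaf whose intermediate is missing, which is the genuine "fullchain" problem. It builds a throwaway root and intermediate with openssl in a temp directory, so nothing depends on Caddy or on a running server; the CA names and file names are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Caddy: build a throwaway
# CA hierarchy with openssl, reproduce the "unable to get local issuer
# certificate" error (X509 verify error 20) in its two forms, and show what
# clears each one. Everything lives in a temp dir and runs offline.
set -eu

WORK=$(mktemp -d)

gen() {  # thin wrapper that silences openssl's key-generation chatter
  "$@" >/dev/null 2>&1
}

# Extension files: one for CA certs, one for the server leaf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:localhost\n' > "$WORK/leaf.ext"

# 1. A self-signed root CA, standing in for Caddy's "local" authority.
#    (In a real Caddy install that root is pki/authorities/local/root.crt
#    under Caddy's data directory; assumed from Caddy's defaults.)
gen openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Local Test Root" \
  -keyout "$WORK/root.key" -out "$WORK/root.csr"
gen openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
  -extfile "$WORK/ca.ext" -out "$WORK/root.crt"

# 2. An intermediate CA signed by the root, like a public issuer's chain.
gen openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Local Test Intermediate" \
  -keyout "$WORK/inter.key" -out "$WORK/inter.csr"
gen openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/inter.crt"

# 3. One leaf CSR for "localhost", signed two ways: directly by the root
#    (what Caddy does for local names) and by the intermediate.
gen openssl req -new -newkey rsa:2048 -nodes -subj "/CN=localhost" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr"
gen openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/leaf_by_root.crt"
gen openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
  -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/leaf_by_inter.crt"

# verify_status: prints 0 if `openssl verify` accepts the chain, 1 otherwise.
verify_status() {
  if openssl verify "$@" >/dev/null 2>&1; then echo 0; else echo 1; fi
}

# verify_errnum: prints the X509 verify error number (e.g. 20), or "ok".
verify_errnum() {
  num=$(openssl verify "$@" 2>&1 \
        | sed -n 's/.*error \([0-9][0-9]*\) at [0-9]* depth.*/\1/p' | head -n 1)
  echo "${num:-ok}"
}

# issuer_of: the issuer DN of a certificate, the first thing to read when
# a client rejects it.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//'
}

# Case A: leaf signed by a CA the verifier has never heard of -> error 20,
# the same line the question shows for localhost:8081. Trusting the root
# fixes it; no "full chain" is involved because there is no intermediate.
echo "A1 untrusted root : $(verify_errnum "$WORK/leaf_by_root.crt")"
echo "A2 root trusted   : $(verify_errnum -CAfile "$WORK/root.crt" "$WORK/leaf_by_root.crt")"

# Case B: leaf signed by an intermediate. Even with the root trusted, the
# same error 20 appears until the intermediate is presented with the leaf.
# Concatenating leaf + intermediate is what a "fullchain" file is.
echo "B1 missing inter  : $(verify_errnum -CAfile "$WORK/root.crt" "$WORK/leaf_by_inter.crt")"
cat "$WORK/leaf_by_inter.crt" "$WORK/inter.crt" > "$WORK/fullchain.pem"
echo "B2 with fullchain : $(verify_errnum -CAfile "$WORK/root.crt" -untrusted "$WORK/fullchain.pem" "$WORK/leaf_by_inter.crt")"

echo "issuer of leaf_by_root: $(issuer_of "$WORK/leaf_by_root.crt")"
```

Run it with sh. A1 and B1 both report error 20, so the number alone does not tell you whether the client needs the chain or the CA; look at the issuer. For the localhost case the fix is to trust Caddy's root, for example with `caddy trust` on the host, or by pointing the client at the root file with curl --cacert, wget --ca-certificate, or requests' verify= argument. For a public DNS name the certificate comes from Let's Encrypt and the intermediate has to travel with the leaf, as in B2.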
