1. Caddy version (caddy version): v2.1.1 h1:X9k1+ehZPYYrSqBvf/ocUgdLSRIuiNiMo7CvyGUQKeA=
2. How I run Caddy:
a. System environment:
Void Linux running in KVM, Caddy gets started via Runit and is run inside a minijail sandbox.
b. Command:
minijail0 -l -n -v -b /etc/resolv.conf -b /etc/ssl/ -u caddy -g fantasycookie17 -C /srv/caddy /caddy run
c. Service/unit/compose file:
#include <stdio.h>
#include <unistd.h>

int main(void) {
    /* argv[0] must be the program name: minijail0 (like any getopt-style tool)
       starts parsing options at argv[1], so the first "-l" would be skipped otherwise. */
    char *argv[] = { "minijail0", "-l", "-n", "-v", "-b", "/etc/resolv.conf", "-b", "/etc/ssl/",
                     "-u", "caddy", "-g", "fantasycookie17", "-C", "/srv/caddy", "/caddy", "run", NULL };
    char *envp[] = { "HOME=/home", NULL };
    execve("/usr/bin/minijail0", argv, envp);
    /* execve only returns on failure */
    perror("execve");
    return 1;
}
d. My complete Caddyfile or JSON config:
Caddyfile:
{
	http_port 8008
	https_port 8443
	admin off
}

fantasycookie17.cf {
	root * /htdocs/fantasycookie17.cf/
	import /headers
	tls {
		protocols tls1.3
		curves x25519
	}
	encode zstd gzip
	templates {
		between "{[" "]}"
	}
	file_server {
		browse /htdocs/browsetemplate.html
	}
}

nextcloudsrv.tk {
	root * /htdocs/nextcloudsrv.tk/
	import /headers
	tls {
		protocols tls1.3
		curves x25519
	}
	encode zstd gzip
	file_server
}

fantasycookie17.onederfultech.com {
	root * /htdocs/fantasycookie17.cf/
	handle /.well-known/matrix/* {
		file_server
	}
	handle {
		redir https://fantasycookie17.cf{uri} permanent
	}
	import /headers
	tls {
		protocols tls1.3
		curves x25519
	}
}
headers:
header {
	# Security
	Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
	X-Content-Type-Options nosniff
	X-Permitted-Cross-Domain-Policies none
	Referrer-Policy no-referrer
	Feature-Policy "accelerometer 'none'; autoplay 'none'; camera 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; usb 'none'"
	Expect-CT "max-age=31536000, enforce"
	# Privacy
	Tk N
}
# Lines inside a header block are "<field> <value>" pairs and cannot carry a
# request matcher, so the matcher-scoped headers are separate header directives.
# Caching
header /static/* Cache-Control max-age=345600
# Allow Matrix clients to work
header /.well-known/matrix/client access-control-allow-origin "*"
# CSP
route {
	header Content-Security-Policy "default-src 'none'; style-src 'self'; img-src 'self'; base-uri 'self'; block-all-mixed-content; frame-ancestors 'none'; form-action 'self'; require-trusted-types-for 'script';"
	header /services/stickerpicker/* Content-Security-Policy "default-src 'self' https://fantasycookie17.onederfultech.com:8448; base-uri 'self'; script-src 'self'; block-all-mixed-content; form-action 'self'; require-trusted-types-for 'script';"
}
# MIME
route {
	header *.html Content-Type text/html
	header */ Content-Type text/html
	header *.css Content-Type text/css
	header *.js Content-Type text/javascript
	header *.png Content-Type image/png
	header /favicon.ico Content-Type image/png
	header *.json Content-Type application/json
	header /.well-known/matrix/* Content-Type application/json
	header /downloads/zsh* Content-Type text/plain
	header *.zip Content-Type application/zip
	header *.xml Content-Type application/xml
}
3. The problem I’m having:
I want to use the certificates that Caddy obtains from Let’s Encrypt for other services as well. However, to make them trusted, a full chain certificate is needed, which isn’t what Caddy fetches.
4. Error messages and/or full log output:
void-caddy# openssl verify fullchain.pem
fullchain.pem: CN = fantasycookie17.cf
error 20 at 0 depth lookup:unable to get local issuer certificate
5. What I already tried:
The script I use, which I think should work for generating the full chain; however, it does not:
#!/bin/sh
set -e
# Caddy's certificate storage for the Let's Encrypt production directory
cd /srv/caddy/home/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/
# re-encode the leaf as PEM (openssl x509 reads only the first certificate in the .crt)
openssl x509 -in fantasycookie17.cf/fantasycookie17.cf.crt -out fantasycookie17.cf/fantasycookie17.cf.pem -outform PEM
# chain order: leaf, Let's Encrypt intermediate (R3), ISRG Root X1
cat fantasycookie17.cf/fantasycookie17.cf.pem /etc/ssl/lets-encrypt-r3.pem /etc/ssl/certs/ISRG_Root_X1.pem > fantasycookie17.cf/fullchain.pem
rm fantasycookie17.cf/fantasycookie17.cf.pem
# copy the results to the hosts that use them
scp -r fantasycookie17.onederfultech.com/ caddy@192.168.100.13:/srv/caddy/tls/
scp -r fantasycookie17.cf/ tls-manager@192.168.100.60:/etc/ssl/
Note: /etc/ssl/lets-encrypt-r3.pem was downloaded from https://letsencrypt.org/certs/lets-encrypt-r3.pem.
6. Links to relevant resources:
"How can I get fullchain certificate from Caddy?" is basically the same question; however, it did not really get answered, with the OP resorting to Certbot instead (I used to use Certbot, but for various reasons I do not use it anymore).
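An added check for a bundle assembled as in the script above (example code, not from the post or from Caddy), assuming openssl and awk are installed: openssl verify FILE reads only the first certificate in FILE and checks it against the system trust store, so it cannot tell whether the rest of a self-built bundle is correct; the intermediates have to be passed with -untrusted and the root with -CAfile. The sample PKI and all names in it are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): checking a leaf+intermediate+root
# bundle like the fullchain.pem built above. `openssl verify FILE` reads only
# the first certificate in FILE and checks it against the system trust store,
# ignoring the rest of the bundle; intermediates must be supplied with
# -untrusted and the root with -CAfile. Names below are constructed.
set -eu

# Split PEM bundle $1 into $2/cert-1.pem (leaf), $2/cert-2.pem, ...
split_bundle() {
    awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n > 0 { print > (dir "/cert-" n ".pem") }' "$1"
}

# Verify bundle $1 against trusted root $2; prints valid/invalid, returns 0/1.
verify_chain() {
    dir=$(mktemp -d); rc=1
    split_bundle "$1" "$dir"
    : > "$dir/untrusted.pem"
    for f in "$dir"/cert-*.pem; do            # everything after the leaf
        [ "$f" = "$dir/cert-1.pem" ] || cat "$f" >> "$dir/untrusted.pem"
    done
    extra=""
    if [ -s "$dir/untrusted.pem" ]; then extra="-untrusted $dir/untrusted.pem"; fi
    if openssl verify -CAfile "$2" $extra "$dir/cert-1.pem" >/dev/null 2>&1; then
        rc=0; echo valid
    else
        echo invalid
    fi
    rm -rf "$dir"; return $rc
}

# The check used in the post: only the first cert, only the system store.
naive_verify() {
    if openssl verify "$1" >/dev/null 2>&1; then echo valid; else echo invalid; fi
}

# Constructed sample PKI (root -> intermediate -> leaf) written into $1.
make_sample_pki() {
    d="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" -subj "/CN=Example Root" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" -subj "/CN=Example R3" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" -subj "/CN=example.test" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial -days 30 -out "$d/leaf.pem" 2>/dev/null
    cat "$d/leaf.pem" "$d/int.pem" "$d/root.pem" > "$d/fullchain.pem"   # same order as the post's script
}
```

Running make_sample_pki into a temporary directory and then verify_chain on its fullchain.pem against root.pem reports valid, while naive_verify on the same file reports invalid, which is the situation shown in section 4.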