How to configure custom SSL certificates?

Hello there,

I set up one domain using custom SSL certificates by defining the tls paths, but Caddy is still loading the Let's Encrypt certs. Not sure if anything else needs to be configured. Below is the config added to load the custom certificates; please reply with the correct usage or the code I missed.

xyz.com {
    tls /etc/ssl/cert.pem /etc/ssl/key.pem
}

Thanks in advance,

Your certificates must have SANs which match the hostnames you have in your Caddy config. If the loaded certificates don’t have matching SANs, then Caddy will attempt to issue a valid certificate from a public issuer instead.

Thanks for the reply.
But we had SANs on our crt, and it's still not loading in Caddy.

Which ones? Post the output of:

openssl x509 -in cert.pem -text -noout

(I can’t remember if it needs to be in PEM or DER format for this.)
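As an added example (not from this thread and not part of Caddy), a small Python check that pulls the DNS names out of the `openssl x509 -text` output requested above and compares them against the hostnames on a Caddyfile site address line, reporting any hostname that no SAN covers (the case where Caddy falls back to a public issuer). The certificate text and Caddyfile are constructed samples; the wildcard SAN entry is an assumption added for illustration.

```python
import re

# Constructed sample: the SAN lines as printed by `openssl x509 -in cert.pem -text -noout`
# (one extra wildcard entry assumed for illustration) and a Caddyfile site block.
OPENSSL_TEXT = """\
            X509v3 Subject Alternative Name:
                DNS:jb.xyz.com, DNS:*.api.xyz.com
            X509v3 Certificate Policies:
"""
CADDYFILE = """\
xyz.com, jb.xyz.com, www.api.xyz.com {
    tls /etc/ssl/cert.pem /etc/ssl/key.pem
}
"""

def san_dns_names(openssl_text):
    """DNS entries of the SAN extension in `openssl x509 -text` output."""
    m = re.search(r"Subject Alternative Name:\s+(.+)", openssl_text)
    entries = m.group(1).split(",") if m else []
    return [e.strip()[4:].lower() for e in entries if e.strip().startswith("DNS:")]

def caddy_site_hosts(caddyfile):
    """Hostnames on the address line of the first Caddyfile site block."""
    line = caddyfile.strip().splitlines()[0].rstrip("{").strip()
    hosts = []
    for addr in line.split(","):
        addr = re.sub(r"^https?://", "", addr.strip().lower())
        hosts.append(addr.split(":")[0])  # drop an optional :port
    return hosts

def san_matches(san, host):
    """RFC 6125 style match: a wildcard covers exactly one leftmost label."""
    if san.startswith("*."):
        labels = host.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == san[2:]
    return san == host

def uncovered_hosts(openssl_text, caddyfile):
    """Hostnames in the site block that no SAN in the certificate covers."""
    sans = san_dns_names(openssl_text)
    return [h for h in caddy_site_hosts(caddyfile)
            if not any(san_matches(s, h) for s in sans)]

if __name__ == "__main__":
    for host in uncovered_hosts(OPENSSL_TEXT, CADDYFILE):
        print(f"{host}: no matching SAN, Caddy would fall back to a public issuer")
```

With the sample input it flags `xyz.com`, which is exactly the mismatch between the site block and the `jb.xyz.com` certificate discussed in this thread.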

@matt

Here is the output

$ openssl x509 -in cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:fa:02:b4:33:e6:8b:50:16:af:32:93:23:0c:5c:3b:0d:d0
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Jul  6 20:03:19 2023 GMT
            Not After : Oct  4 20:03:18 2023 GMT
        Subject: CN = jb.xyz.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:36:1a:ec:d1:4f:7a:eb:40:8d:85:74:8b:3c:64:
                    ce:53:be:be:88:f1:a9:42:29:1a:7b:28:59:5a:69:
                    ae:d4:8a:8b:dd:e2:23:49:0a:40:d6:8e:4c:5a:6e:
                    ab:f2:df:cb:f6:61:20:e8:57:d0:f6:f1:28:ba:47:
                    84:49:d9:71:3f
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                FF:7B:5A:11:EA:AD:BE:90:48:6A:60:47:D8:47:E5:A5:85:B8:D3:50
            X509v3 Authority Key Identifier:
                keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6

            Authority Information Access:
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/

            X509v3 Subject Alternative Name:
                DNS:jb.xyz.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1

            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : B7:3E:FB:24:DF:9C:4D:BA:75:F2:39:C5:BA:58:F4:6C:
                                5D:FC:42:CF:7A:9F:35:C4:9E:1D:09:81:25:ED:B4:99
                    Timestamp : Jul  6 21:03:19.547 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:FA:67:47:D8:AF:8D:E7:24:68:B5:81:
                                C2:FB:32:AD:51:DA:B4:69:24:12:25:1B:0B:5F:F6:26:
                                6C:46:68:9E:AC:02:20:2B:BC:7C:5A:9C:3C:43:44:BF:
                                63:02:40:A9:85:3D:78:E9:B8:7A:97:5D:BC:90:40:CD:
                                11:01:CF:76:36:53:8E
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : AD:F7:BE:FA:7C:FF:10:C8:8B:9D:3D:9C:1E:3E:18:6A:
                                B4:67:29:5D:CF:B1:0C:24:CA:85:86:34:EB:DC:82:8A
                    Timestamp : Jul  6 21:03:19.597 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:88:47:21:7D:82:73:29:86:B3:62:40:
                                8A:97:6C:E4:3D:70:63:D7:42:B6:3B:D1:49:A9:6C:0B:
                                50:4F:18:DE:40:02:21:00:99:1C:52:9C:F7:DD:F6:89:
                                6D:D9:96:57:89:6F:8A:1A:66:E5:44:D9:AC:57:49:75:
                                9C:6D:11:C1:93:49:76:B3
    Signature Algorithm: sha256WithRSAEncryption
         20:a3:32:d8:d0:e8:b3:90:29:e8:f8:c2:90:b1:7f:e6:70:85:
         1e:90:09:43:35:62:99:30:df:d1:30:13:49:e4:fb:f1:93:68:
         ae:5b:6a:2a:a1:bf:4f:f5:b6:a4:3e:50:64:43:3a:11:19:d7:
         75:8b:e8:cf:e0:83:83:7f:3e:76:a9:88:49:7e:14:92:a2:36:
         92:c2:52:01:df:05:39:ad:f3:6b:9c:0c:10:ff:31:6c:c3:b9:
         bc:84:41:d0:79:a1:ec:cd:54:10:2d:ca:fe:67:4c:33:5b:b1:
         09:b8:9e:87:d7:e9:78:86:65:0f:88:5d:02:7a:71:68:63:70:
         c8:ab:11:a5:ad:9f:a1:ea:4c:ef:c2:f9:1f:9b:4b:51:c9:46:
         ab:a2:a2:d7:3c:e5:45:34:5c:65:37:50:3a:01:fa:0f:b2:b5:
         67:ae:b7:9b:5b:56:f7:25:e6:e0:26:e2:8e:f6:5a:ec:92:25:
         d0:54:5e:29:f3:d4:e3:79:f6:bb:c7:7f:71:7f:cd:1a:8b:73:
         73:b7:4a:b3:6c:90:07:32:c5:84:35:a8:91:08:5c:de:78:1d:
         38:2c:02:1d:89:ac:cc:0a:c1:03:e8:2d:c8:aa:d8:d8:8d:bc:
         9f:8b:74:44:74:7d:54:c1:bd:51:2a:69:35:16:03:05:54:bd:
         d2:ba:57:7a

Thanks. That’s actually the wrong cert; that is for jb.abc.com, but you are serving xyz.com. The domains need to match.

Since I believe you have redacted the domain names, which is against our rules (and is mentioned in the help template that you saw), that’s about all the help we can give you without guessing. Please fill out the help template properly for further help.

@matt I am just hiding the original domain name and replacing it with a pseudonym.

I know, but that creates problems when trying to help, since the actual values matter.

Ok, so the SAN matches. Now we know that’s not a problem, whereas before when you were redacting, it was actually a problem because they didn’t match.

Thanks.

This is a Let’s Encrypt certificate. What is the problem? Please fill out the help template.

Thank you @matt for all your time in understanding the issue. It helped a lot and the issue is resolved.

What was the problem though?

