How to disable sudo prompt on startup / installation of root certificate?

1. Caddy version (caddy version):

v2.4.6 h1:HGkGICFGvyrodcqOOclHKfvJC0qTU7vny/7FhYp9hNw=

2. How I run Caddy:

~/applications/caddy_linux_amd64 run
with a Caddyfile in the same directory

http://syn7:8447, http://127.0.57.1:8447 {
  route {
    reverse_proxy 127.0.0.1:8080
  }
}

a. System environment:

Ubuntu 21.10
amd64

b. Command:

~/applications/caddy_linux_amd64 run

c. Service/unit/compose file:

Nothing

d. My complete Caddyfile or JSON config:

http://syn7:8447, http://127.0.57.1:8447 {
  route {
    reverse_proxy 127.0.0.1:8080
  }
}

3. The problem I’m having:

It prompts me for my sudo password, but I don’t want to need to give it one.
If I Ctrl+C to not give it one, Caddy refuses to start.

4. Error messages and/or full log output:

2022/03/16 15:51:59.544 INFO    using adjacent Caddyfile
2022/03/16 15:51:59.546 WARN    input is not formatted with 'caddy fmt' {"adapter": "caddyfile", "file": "Caddyfile", "line": 2}
2022/03/16 15:51:59.546 INFO    admin   admin endpoint started  {"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["localhost:2019", "[::1]:2019", "127.0.0.1:2019"]}
2022/03/16 15:51:59.546 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc000230a10"}
2022/03/16 15:51:59.554 WARN    pki.ca.local    installing root certificate (you might be prompted for password)        {"path": "storage:pki/authorities/local/root.crt"}
2022/03/16 15:51:59 Warning: "certutil" is not available, install "certutil" with "apt install libnss3-tools" or "yum install nss-tools" and try again
2022/03/16 15:51:59 define JAVA_HOME environment variable to use the Java trust
[sudo] password for oktola: 
2022/03/16 15:52:01.046 INFO    shutting down   {"signal": "SIGINT"}
2022/03/16 15:52:01.046 WARN    exiting; byeee!! 👋     {"signal": "SIGINT"}
2022/03/16 15:52:01.047 ERROR   pki.ca.local    failed to install root certificate      {"error": "failed to execute sudo: exit status 1", "certificate_file": "storage:pki/authorities/local/root.crt"}
2022/03/16 15:52:01.047 INFO    tls     cleaning storage unit   {"description": "FileStorage:/home/oktola/.local/share/caddy"}
2022/03/16 15:52:01.047 INFO    autosaved config (load with --resume flag)      {"file": "/home/oktola/.config/caddy/autosave.json"}
2022/03/16 15:52:01.047 INFO    tls     finished cleaning storage units
2022/03/16 15:52:01.047 INFO    serving initial configuration
2022/03/16 15:52:01.048 INFO    tls.cache.maintenance   stopped background certificate maintenance      {"cache": "0xc000230a10"}
2022/03/16 15:52:01.050 INFO    admin   stopped previous server {"address": "tcp/localhost:2019"}
2022/03/16 15:52:01.050 INFO    shutdown complete       {"signal": "SIGINT", "exit_code": 0}

5. What I already tried:

I’ve looked around but failed to find a way to turn this off.

I tried various configuration directives, such as auto_https off but it didn’t appear to be a valid directive in this version.

I wonder if it might be a bug considering I’m not using any TLS in my configuration, but I can’t tell whether there’s an implicit listener on port 443 or something — I haven’t been able to find out how to disable it, if that’s the case though.

I’m not even sure why it should refuse to start up if it can’t install the cert — I would’ve said that’s very much a client concern and it’s none of Caddy’s business! … Am I wrong?

6. Links to relevant resources:

You can add

{
  skip_install_trust
}

to your Caddyfile (as global option )

3 Likes

Thank you so much!

Is that your entire Caddyfile? That’s strange, you specified http:// so it shouldn’t attempt to set up local HTTPS.

When you say “in the same directory”, do you mean in your current directory, or do you mean beside the Caddy binary? Because Caddy will be looking in your current directory by default.

I think Caddy is likely running with a different config file than you expected.

Technically at that point, Caddy is started up and is running fine, it’s just that the sudo prompt doesn’t catch the Ctrl+C and it bubbles up to the main Caddy process as well which kills it. The trust installation happens asynchronously from the actual server running.

2 Likes

Is that your entire Caddyfile?

Yes

When you say “in the same directory”, do you mean in your current directory, or do you mean beside the Caddy binary?

The current working directory (i.e. what pwd says)

Technically at that point, Caddy is started up and is running fine, it’s just that the sudo prompt doesn’t catch the Ctrl+C and it bubbles up to the main Caddy process as well which kills it. The trust installation happens asynchronously from the actual server running.

Argh, I see!

For anyone that might find this in the future, my new Caddyfile is thus:

{
  skip_install_trust
}


http://syn7:8447, http://127.0.57.1:8447 {
  route {
    reverse_proxy 127.0.0.1:8080
  }
}

and it seems to work so far.

It’s possible we may have fixed the issue with trust installation, if you’d like to try v2.5.0-beta.1.

I just tried the beta now, and it has the same symptoms (prompts unless I add skip_install_trust)

Okay, I see the problem and I can reproduce it… it’s strange. There’s an edgecase with the Caddyfile adapter and the automatic HTTPS enabling logic that ends up making making TLS automation policies in the config even though you have http://.

As a workaround, you can write your config like this, which doesn’t have the issue.

http://syn7:8447 {
    reverse_proxy 127.0.0.1:8080
}

http://127.0.57.1:8447 {
    reverse_proxy 127.0.0.1:8080
}

I opened an issue about it:

2 Likes

Thanks for looking into it :)!

I’m fairly happy with skip_install_trust since at least it’s clear what I mean/wanted. (Maybe it could be more prominent; e.g. mentioned on the page about TLS: tls (Caddyfile directive) — Caddy Documentation but I’m pretty new to Caddy and it might just be my lack of intuition for where to look for the option.)

A problem with duplicating the two blocks is that I actually have a lot of logic in there (I created a smaller example to show the problem without any distraction for this thread) and duplicating that would get messy fast.

1 Like

Well, that option should ideally never be needed, especially in your case because you specified http://. I don’t think the tls directive docs is the right place to put it because it’s not an option for that directive.

You can use snippets to avoid duplication:

1 Like

This topic was automatically closed after 30 days. New replies are no longer allowed.