How to disable sudo prompt on startup / installation of root certificate?

oktola · March 16, 2022, 4:00pm

1. Caddy version (`caddy version`):

v2.4.6 h1:HGkGICFGvyrodcqOOclHKfvJC0qTU7vny/7FhYp9hNw=

2. How I run Caddy:

~/applications/caddy_linux_amd64 run
with a Caddyfile in the same directory

http://syn7:8447, http://127.0.57.1:8447 {
  route {
    reverse_proxy 127.0.0.1:8080
  }
}

a. System environment:

Ubuntu 21.10
amd64

b. Command:

~/applications/caddy_linux_amd64 run

c. Service/unit/compose file:

Nothing

d. My complete Caddyfile or JSON config:

http://syn7:8447, http://127.0.57.1:8447 {
  route {
    reverse_proxy 127.0.0.1:8080
  }
}

3. The problem I’m having:

It prompts me for my sudo password, but I don’t want to need to give it one.
If I Ctrl+C to not give it one, Caddy refuses to start.

4. Error messages and/or full log output:

2022/03/16 15:51:59.544 INFO    using adjacent Caddyfile
2022/03/16 15:51:59.546 WARN    input is not formatted with 'caddy fmt' {"adapter": "caddyfile", "file": "Caddyfile", "line": 2}
2022/03/16 15:51:59.546 INFO    admin   admin endpoint started  {"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["localhost:2019", "[::1]:2019", "127.0.0.1:2019"]}
2022/03/16 15:51:59.546 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc000230a10"}
2022/03/16 15:51:59.554 WARN    pki.ca.local    installing root certificate (you might be prompted for password)        {"path": "storage:pki/authorities/local/root.crt"}
2022/03/16 15:51:59 Warning: "certutil" is not available, install "certutil" with "apt install libnss3-tools" or "yum install nss-tools" and try again
2022/03/16 15:51:59 define JAVA_HOME environment variable to use the Java trust
[sudo] password for oktola: 
2022/03/16 15:52:01.046 INFO    shutting down   {"signal": "SIGINT"}
2022/03/16 15:52:01.046 WARN    exiting; byeee!! 👋     {"signal": "SIGINT"}
2022/03/16 15:52:01.047 ERROR   pki.ca.local    failed to install root certificate      {"error": "failed to execute sudo: exit status 1", "certificate_file": "storage:pki/authorities/local/root.crt"}
2022/03/16 15:52:01.047 INFO    tls     cleaning storage unit   {"description": "FileStorage:/home/oktola/.local/share/caddy"}
2022/03/16 15:52:01.047 INFO    autosaved config (load with --resume flag)      {"file": "/home/oktola/.config/caddy/autosave.json"}
2022/03/16 15:52:01.047 INFO    tls     finished cleaning storage units
2022/03/16 15:52:01.047 INFO    serving initial configuration
2022/03/16 15:52:01.048 INFO    tls.cache.maintenance   stopped background certificate maintenance      {"cache": "0xc000230a10"}
2022/03/16 15:52:01.050 INFO    admin   stopped previous server {"address": "tcp/localhost:2019"}
2022/03/16 15:52:01.050 INFO    shutdown complete       {"signal": "SIGINT", "exit_code": 0}

5. What I already tried:

I’ve looked around but failed to find a way to turn this off.

I tried various configuration directives, such as auto_https off but it didn’t appear to be a valid directive in this version.

I wonder if it might be a bug considering I’m not using any TLS in my configuration, but I can’t tell whether there’s an implicit listener on port 443 or something — I haven’t been able to find out how to disable it, if that’s the case though.

I’m not even sure why it should refuse to start up if it can’t install the cert — I would’ve said that’s very much a client concern and it’s none of Caddy’s business! … Am I wrong?

6. Links to relevant resources:

github.com/caddyserver/caddy

pki.ca.local - failed to install root certificate

opened 06:05AM - 11 Jul 20 UTC

closed 05:16PM - 11 Jul 20 UTC

christoph-kluge

duplicate upstream needs info

I'm experimenting with Caddy on OSX but it seems I'm having issues with installi…ng the root/intermediate certificates into the keychain. It seems to work for Firefox because there it's recognized correctly but all other browser's do not. I did took a look already at #3205 and #3534 but I'm still stuck. I have tried: * brew uninstall caddy + remove the `/Application Support/Caddy` directory * Adding the root crt into the keychain (system) and trust it manally * Adding the intermediate crt into the keychain (system) and trust it manually ------------------- I am running: * Catalina 10.15.5 * caddy version: `v2.1.1 h1:X9k1+ehZPYYrSqBvf/ocUgdLSRIuiNiMo7CvyGUQKeA=` * Browsers: Safari, Opera, Chrome, Firefox ----------------- Caddyfile ``` customer3.company.local { tls internal reverse_proxy * customers.live-domain.com:443 { header_up Host customers.live-domain.com header_up X-Forwarded-Host {host} header_up X-Forwarded-Port {port} header_up X-Forwarded-Proto {proto} header_up X-Forwarded-Proto-Custom {proto} header_up CloudFront-Forwarded-Proto {proto} transport http { tls_server_name customers.live-domain.com } } } ``` Logs when adding a new local domain (before manually trusting certificates) ``` 2020/07/11 05:37:43.815 INFO watcher config file changed; reloading {"config_file": "Caddyfile"} 2020/07/11 05:37:43.815 INFO using provided configuration {"config_file": "Caddyfile", "config_adapter": ""} 2020/07/11 05:37:43.816 INFO admin admin endpoint started {"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["localhost:2019", "[::1]:2019", "127.0.0.1:2019"]} 2020/07/11 05:37:43.816 INFO admin stopped previous server 2020/07/11 07:37:43 [INFO][cache:0xc000723080] Started certificate maintenance routine 2020/07/11 05:37:43.817 INFO http server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443} 2020/07/11 05:37:43.817 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"} 2020/07/11 05:37:43.817 WARN pki.ca.local installing root certificate (you might be prompted for password) {"path": "storage:pki/authorities/local/root.crt"} 2020/07/11 05:37:43.889 ERROR pki.ca.local failed to install root certificate {"error": "certificate cannot be installed in NSS security databases", "certificate_file": "storage:pki/authorities/local/root.crt"} 2020/07/11 05:37:43.889 INFO http enabling automatic TLS certificate management {"domains": ["customer2.company.local"]} 2020/07/11 07:37:43 [INFO][cache:0xc000797f20] Stopped certificate maintenance routine 2020/07/11 05:37:43.889 INFO autosaved config {"file": "/Users/christophkluge/Library/Application Support/Caddy/autosave.json"} 2020/07/11 07:37:43 [INFO][customer2.company.local] Obtain certificate; acquiring lock... 2020/07/11 07:37:43 [INFO][customer2.company.local] Obtain: Lock acquired; proceeding... 2020/07/11 07:37:43 [INFO][customer2.company.local] Certificate obtained successfully 2020/07/11 07:37:43 [INFO][customer2.company.local] Obtain: Releasing lock 2020/07/11 07:37:43 [WARNING] Stapling OCSP: no OCSP stapling for [customer2.company.local]: no OCSP server specified in certificate ``` Logs when adding a new local domain (after manually trusting certificates) ``` 2020/07/11 05:56:09.544 INFO watcher config file changed; reloading {"config_file": "Caddyfile"} 2020/07/11 05:56:09.544 INFO using provided configuration {"config_file": "Caddyfile", "config_adapter": ""} 2020/07/11 05:56:09.545 INFO admin admin endpoint started {"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["127.0.0.1:2019", "localhost:2019", "[::1]:2019"]} 2020/07/11 07:56:09 [INFO][cache:0xc000c5d920] Started certificate maintenance routine 2020/07/11 05:56:09.545 INFO admin stopped previous server 2020/07/11 05:56:09.546 INFO http server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443} 2020/07/11 05:56:09.546 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"} 2020/07/11 05:56:09.546 INFO pki.ca.local root certificate is already trusted by system {"path": "storage:pki/authorities/local/root.crt"} 2020/07/11 05:56:09.546 INFO http enabling automatic TLS certificate management {"domains": ["customer3.company.local"]} 2020/07/11 07:56:09 [INFO][cache:0xc00011c360] Stopped certificate maintenance routine 2020/07/11 05:56:09.546 INFO autosaved config {"file": "/Users/christophkluge/Library/Application Support/Caddy/autosave.json"} 2020/07/11 07:56:09 [INFO][customer3.company.local] Obtain certificate; acquiring lock... 2020/07/11 07:56:09 [INFO][customer3.company.local] Obtain: Lock acquired; proceeding... 2020/07/11 07:56:09 [INFO][customer3.company.local] Certificate obtained successfully 2020/07/11 07:56:09 [INFO][customer3.company.local] Obtain: Releasing lock 2020/07/11 07:56:09 [WARNING] Stapling OCSP: no OCSP stapling for [customer3.company.local]: no OCSP server specified in certificate ``` Logs when opening the website in the browser (2x refreshed) ``` 2020/07/11 07:54:17 http: TLS handshake error from 127.0.0.1:62849: EOF 2020/07/11 07:54:17 http: TLS handshake error from 127.0.0.1:62850: EOF 2020/07/11 07:55:27 http: TLS handshake error from 127.0.0.1:63176: EOF 2020/07/11 07:55:27 http: TLS handshake error from 127.0.0.1:63177: EOF ``` Screenshots: Before adding certitficates <img width="808" alt="Screenshot 2020-07-11 at 07 20 52" src="https://user-images.githubusercontent.com/1446269/87217696-808ee280-c34c-11ea-8af3-d8d71fd222b8.png"> After adding root certificate <img width="755" alt="Screenshot 2020-07-11 at 07 50 39" src="https://user-images.githubusercontent.com/1446269/87217698-87b5f080-c34c-11ea-983a-b892ec13fd8f.png"> After adding intermediate certificate <img width="726" alt="Screenshot 2020-07-11 at 08 03 46" src="https://user-images.githubusercontent.com/1446269/87217766-25112480-c34d-11ea-9e7e-a10f83b128e4.png">

github.com/caddyserver/caddy

Disabling http-to-https redirect from Caddyfile

opened 05:18AM - 03 Apr 20 UTC

closed 10:59PM - 19 May 20 UTC

sqs

feature

Is it possible to [disable the HTTP-to-HTTPS redirects](https://caddyserver.com/…docs/json/apps/http/servers/automatic_https/disable_redirects/) in Caddyfile? My Caddyfile is: ``` sourcegraph.test:3443 tls internal reverse_proxy localhost:3080 ``` When I run `caddy` (as a non-root user), I get an error because it can't bind to port 80: ``` $ caddy run --config=dev/Caddyfile 2020/04/03 05:14:29.418 INFO using provided configuration {"config_file": "dev/Caddyfile", "config_adapter": ""} 2020/04/03 05:14:29.419 INFO admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]} 2020/04/02 22:14:29 [INFO][cache:0xc0009afc20] Started certificate maintenance routine 2020/04/03 05:14:29.427 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"} 2020/04/03 05:14:29.468 INFO pki.ca.local root certificate is already trusted by system {"path": "storage:pki/authorities/local/root.crt"} 2020/04/03 05:14:29.468 INFO tls cleaned up storage units run: loading initial config: loading new config: http app module: start: tcp: listening on :80: listen tcp :80: bind: permission denied ``` I don't want it to try to bind to port 80. I believe it's doing so to enable HTTP-to-HTTPS redirects, so disabling those would suffice to solve my problem. I can see how to disable them in JSON, but I like using Caddyfile because it's simple. I would like to not have to switch everything to JSON just for this one directive. (Ref: https://github.com/sourcegraph/sourcegraph/issues/9536)

jok · March 16, 2022, 4:23pm

You can add

{
  skip_install_trust
}

to your Caddyfile (as global option )

oktola · March 16, 2022, 4:34pm

Thank you so much!

francislavoie · March 16, 2022, 4:35pm

Is that your entire Caddyfile? That’s strange, you specified http:// so it shouldn’t attempt to set up local HTTPS.

When you say “in the same directory”, do you mean in your current directory, or do you mean beside the Caddy binary? Because Caddy will be looking in your current directory by default.

I think Caddy is likely running with a different config file than you expected.

Technically at that point, Caddy is started up and is running fine, it’s just that the sudo prompt doesn’t catch the Ctrl+C and it bubbles up to the main Caddy process as well which kills it. The trust installation happens asynchronously from the actual server running.

oktola · March 16, 2022, 4:36pm

Is that your entire Caddyfile?

Yes

When you say “in the same directory”, do you mean in your current directory, or do you mean beside the Caddy binary?

The current working directory (i.e. what pwd says)

Technically at that point, Caddy is started up and is running fine, it’s just that the sudo prompt doesn’t catch the Ctrl+C and it bubbles up to the main Caddy process as well which kills it. The trust installation happens asynchronously from the actual server running.

Argh, I see!

oktola · March 16, 2022, 4:37pm

For anyone that might find this in the future, my new Caddyfile is thus:

{
  skip_install_trust
}


http://syn7:8447, http://127.0.57.1:8447 {
  route {
    reverse_proxy 127.0.0.1:8080
  }
}

and it seems to work so far.

francislavoie · March 16, 2022, 4:38pm

It’s possible we may have fixed the issue with trust installation, if you’d like to try v2.5.0-beta.1.

oktola · March 16, 2022, 4:39pm

I just tried the beta now, and it has the same symptoms (prompts unless I add skip_install_trust)

francislavoie · March 16, 2022, 5:09pm

Okay, I see the problem and I can reproduce it… it’s strange. There’s an edgecase with the Caddyfile adapter and the automatic HTTPS enabling logic that ends up making making TLS automation policies in the config even though you have http://.

As a workaround, you can write your config like this, which doesn’t have the issue.

http://syn7:8447 {
    reverse_proxy 127.0.0.1:8080
}

http://127.0.57.1:8447 {
    reverse_proxy 127.0.0.1:8080
}

I opened an issue about it:

oktola · March 16, 2022, 5:22pm

Thanks for looking into it :)!

I’m fairly happy with skip_install_trust since at least it’s clear what I mean/wanted. (Maybe it could be more prominent; e.g. mentioned on the page about TLS: tls (Caddyfile directive) — Caddy Documentation but I’m pretty new to Caddy and it might just be my lack of intuition for where to look for the option.)

A problem with duplicating the two blocks is that I actually have a lot of logic in there (I created a smaller example to show the problem without any distraction for this thread) and duplicating that would get messy fast.

francislavoie · March 16, 2022, 5:50pm

Well, that option should ideally never be needed, especially in your case because you specified http://. I don’t think the tls directive docs is the right place to put it because it’s not an option for that directive.

You can use snippets to avoid duplication:

system · April 15, 2022, 4:00pm

This topic was automatically closed after 30 days. New replies are no longer allowed.