How to enable local https using a Raspberry Pi 3?

1. My Caddy version (caddy version):

v2.0.0-rc.1 h1:DxUlg4kMisXwXVnWND7KEPl1f+vjFpIOzYpKpfmwyj8=

2. How I run Caddy:

a. System environment:

Raspberry Pi 3+, Raspbian GNU/Linux 10 (buster), manual install of Caddy2 from the GitHub releases and a systemd service.

c. Service/unit/compose file:

[Unit]
Description=Caddy Web Server
Documentation=https://caddyserver.com/docs/
After=network.target

[Service]
User=caddy
Group=caddy
ExecStart=/usr/local/bin/caddy run --config /etc/caddy/Caddyfile --resume --environ
ExecReload=/usr/local/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddyfile or JSON config:

{
	email nicolinux@gmail.com
}

(logs) {
	log {
		output file /var/log/caddy/access.log
	}
}

raspberry.local:80 {
	root * /var/www/recettes/_site
	file_server
	import logs
}

3. The problem I’m having:

I’m using a Raspberry Pi to host a local website, with no access from outside the local network. The config above works perfectly, but only on port 80, and so over HTTP.

Since I think it should be possible, I’m trying to activate the local HTTPS mode of Caddy2. I’m not sure how it should work though, or if I have to do something about it.

5. What I already tried:

I tried the obvious one:

{
	email nicolinux@gmail.com
}

(logs) {
	log {
		output file /var/log/caddy/access.log
	}
}

raspberry.local {
	root * /var/www/recettes/_site
	file_server
	import logs
}

At restart, here are the relevant logs:

Apr  7 13:57:27 raspberry caddy[3999]: {"level":"info","ts":1586260647.534609,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["raspberry.local"]}
Apr  7 13:57:27 raspberry caddy[3999]: {"level":"info","ts":1586260647.5353696,"msg":"autosaved config","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Apr  7 13:57:27 raspberry caddy[3999]: {"level":"info","ts":1586260647.5354424,"msg":"serving initial configuration"}
Apr  7 13:57:27 raspberry caddy[3999]: 2020/04/07 13:57:27 [INFO][raspberry.local] Obtain certificate; acquiring lock...
Apr  7 13:57:27 raspberry caddy[3999]: 2020/04/07 13:57:27 [INFO][raspberry.local] Obtain: Lock acquired; proceeding...
Apr  7 13:57:27 raspberry caddy[3999]: 2020/04/07 13:57:27 [INFO][raspberry.local] Certificate obtained successfully
Apr  7 13:57:27 raspberry caddy[3999]: 2020/04/07 13:57:27 [INFO][raspberry.local] Obtain: Releasing lock
Apr  7 13:57:27 raspberry caddy[3999]: 2020/04/07 13:57:27 [WARNING] Stapling OCSP: no OCSP stapling for [raspberry.local]: no OCSP server specified in certificate

Using localhost as in the documentation generates certificates, but I can’t access the website using localhost, since I’m using a different device, for instance my phone. I (think I) have to use the raspberry.local domain, and then, as one could predict:

Apr  7 13:58:57 raspberry caddy[4159]: 2020/04/07 13:58:57 http: TLS handshake error from [fe80::c:4403:769e:ba96%eth0]:59507: no certificate available for 'raspberry.local'
Apr  7 13:58:57 raspberry caddy[4159]: 2020/04/07 13:58:57 http: TLS handshake error from [fe80::c:4403:769e:ba96%eth0]:59508: no certificate available for 'raspberry.local'
Apr  7 13:58:57 raspberry caddy[4159]: 2020/04/07 13:58:57 http: TLS handshake error from [fe80::c:4403:769e:ba96%eth0]:59509: tls: client offered only unsupported versions: [301]

Is there a solution for this setup? Or should I just keep using HTTP, which is fine in this context, obviously, but…


Bonus question

Is there an easy way to create a second fake local domain? I also have homebridge running on this Raspberry Pi and I’m using a web interface on port 8080. I could do a proxy with Caddy, but could I have, for example, a homebridge.local domain name?

Thanks for your help on this really niche subject! :slight_smile:

Odd, I took your Caddyfile, added raspberry.local to my hosts file, and was not able to reproduce this:

no certificate available for ‘raspberry.local’

Everything worked as expected… :thinking:

Yep, simply add one to your hosts file to point to your loopback interface of choice.

I think you just need to specify tls internal?

This error appeared only when I tried the Caddyfile with localhost instead of raspberry.local. Maybe my explanations were not precise enough, sorry about that.

Ah, so, yes, that was confusing :slight_smile:

If you tell your Caddyfile to serve localhost, it will manage a cert for localhost, not raspberry.local. You can do both though:

raspberry.local, localhost {
}

if you want to.

@francislavoie Domains that are localhost or end with .localhost or end with .local will be managed with the internal issuer by default. :wink:

So, anyway, what is the question here exactly? You can use any domain names you want. But if it’s a public-looking name that you don’t actually own, you have to use a non-public CA like Caddy’s internal issuer. Does that answer the question?
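The replies above cover both answers: any name works as long as it is issued by the internal CA, and a second name only needs a hosts entry on each client (mDNS advertises the Pi's own hostname, not extra ones). The script below is an added example for this thread, not the poster's config and not Caddy's own tooling: it renders one Caddyfile that serves the static site on raspberry.local and proxies homebridge.local to the Homebridge UI, both with `tls internal` spelled out, and prints the matching hosts-file line. The Pi's LAN address (`PI_ADDR`) and Homebridge listening on localhost:8080 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): one Caddyfile for two local names on the
# same Raspberry Pi, both signed by Caddy's internal issuer.
# "tls internal" is explicit here even though Caddy already picks the internal
# issuer for names ending in .local, so the intent survives a later rename.
# Assumptions (placeholders, not from the thread): PI_ADDR is the Pi's LAN
# address and the Homebridge web UI listens on localhost:8080.

PI_ADDR="${PI_ADDR:-192.168.1.50}"

# Print the complete Caddyfile to stdout.
render_caddyfile() {
	cat <<'EOF'
(logs) {
	log {
		output file /var/log/caddy/access.log
	}
}

# Static recipe site; Caddy also redirects plain HTTP to HTTPS automatically.
raspberry.local {
	root * /var/www/recettes/_site
	file_server
	tls internal
	import logs
}

# Second local name on the same Pi, proxied to Homebridge's web interface.
homebridge.local {
	reverse_proxy localhost:8080
	tls internal
	import logs
}
EOF
}

# mDNS only resolves the Pi's own hostname, so the extra name has to be added
# to the hosts file of every client (phone, laptop): this is the line to add.
hosts_entry() {
	printf '%s raspberry.local homebridge.local\n' "$PI_ADDR"
}

# Where Caddy keeps the internal CA's root certificate for the "caddy" user,
# assuming the default data directory layout ($HOME/.local/share/caddy).
# Clients must import this root, or they will reject the .local certificates.
root_ca_path() {
	printf '/var/lib/caddy/.local/share/caddy/pki/authorities/local/root.crt\n'
}

# Syntax-check the rendered Caddyfile when a caddy binary is available.
validate_caddyfile() {
	if ! command -v caddy >/dev/null 2>&1; then
		echo "caddy not found, skipping validation" >&2
		return 0
	fi
	tmp=$(mktemp) || return 1
	render_caddyfile >"$tmp" && caddy validate --config "$tmp" --adapter caddyfile
	rc=$?
	rm -f "$tmp"
	return "$rc"
}

case "${1:-}" in
	render)   render_caddyfile ;;
	hosts)    hosts_entry ;;
	root)     root_ca_path ;;
	validate) validate_caddyfile ;;
esac
```

Run `sh local-https.sh render > /etc/caddy/Caddyfile` on the Pi (file name is an assumption), then `sh local-https.sh hosts` for the line to paste into each client's hosts file, and `caddy trust` or an import of the file from `root` so the clients trust the internal CA.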

Well, this config:

{
	email nicolinux@gmail.com
}

(logs) {
	log {
		output file /var/log/caddy/access.log
	}
}

raspberry.local {
	root * /var/www/recettes/_site
	file_server
	import logs
}

does not work for me.

But as I tried one more time, I noticed some new error messages I had not seen before:

Apr  7 16:42:35 raspberry caddy[4159]: 2020/04/07 16:42:35 [WARNING] Stapling OCSP: no OCSP stapling for [homebridge.local]: no OCSP server specified in certificate
Apr  7 16:42:35 raspberry caddy[4159]: {"level":"warn","ts":1586270555.224387,"logger":"pki.ca.local","msg":"installing root certificate (you might be prompted for password)","path":"storage:pki/authorities/local/root.crt"}
Apr  7 16:42:35 raspberry caddy[4159]: 2020/04/07 16:42:35 Warning: "certutil" is not available, install "certutil" with "apt install libnss3-tools" or "yum install nss-tools" and try again
Apr  7 16:42:35 raspberry caddy[4159]: 2020/04/07 16:42:35 define JAVA_HOME environment variable to use the Java trust
Apr  7 16:42:35 raspberry caddy[4159]: {"level":"error","ts":1586270555.2764072,"logger":"pki.ca.local","msg":"failed to install root certificate","error":"failed to execute sudo: exit status 1","certificate_file":"storage:pki/authorities/local/root.crt"}
Apr  7 16:42:35 raspberry caddy[4159]: 2020/04/07 16:42:35 [INFO][cache:0x31ae4c0] Stopped certificate maintenance routine
Apr  7 16:42:35 raspberry caddy[4159]: {"level":"info","ts":1586270555.278496,"msg":"autosaved config","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Apr  7 16:42:35 raspberry caddy[4159]: {"level":"info","ts":1586270555.2786036,"logger":"admin.api","msg":"load complete"}
Apr  7 16:42:35 raspberry systemd[1]: Reloaded Caddy Web Server.
Apr  7 16:42:35 raspberry caddy[4159]: {"level":"info","ts":1586270555.6975627,"logger":"admin","msg":"stopped previous server"}

It seems I’m missing one of the requirements. I will try to install that and get back. :slight_smile:

I think we’ve fixed that already, try pulling the latest on master (or download a recent build artifact).

So what about the above config doesn’t work, exactly?

I had to install this package to make it work: apt-get install libnss3-tools. Maybe it’s not installed by default on the Raspberry Pi?

And now, everything works fine. I don’t know why I had not seen the error earlier, maybe I missed it in the logs… :thinking:

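The root cause here was easy to miss in the journal: the certificate was issued fine, but the internal CA's root was never installed into the trust store because certutil was absent. The script below is an added example for this thread, not Caddy's own tooling: it scans journal lines for exactly those two messages and says what to do, with an embedded, constructed sample copied from the log format above. The file name `check-local-ca.sh` and the nickname match on "Caddy" in the NSS database are assumptions.

```shell
#!/bin/sh
# Added example (not Caddy's own tooling): detect, from Caddy's journal output,
# that the internal CA's root certificate was NOT installed into the trust
# store, which leaves every client rejecting the .local certificate.
# Usage on the Pi:  journalctl -u caddy --no-pager | sh check-local-ca.sh --stdin
# Usage offline:    sh check-local-ca.sh demo    (runs on the constructed sample)

# Constructed sample, shaped like the lines in this thread.
SAMPLE_LOG='Apr  7 16:42:35 raspberry caddy[4159]: 2020/04/07 16:42:35 Warning: "certutil" is not available, install "certutil" with "apt install libnss3-tools" or "yum install nss-tools" and try again
Apr  7 16:42:35 raspberry caddy[4159]: {"level":"error","ts":1586270555.2764072,"logger":"pki.ca.local","msg":"failed to install root certificate","error":"failed to execute sudo: exit status 1"}
Apr  7 16:42:35 raspberry caddy[4159]: {"level":"info","ts":1586270555.2786036,"logger":"admin.api","msg":"load complete"}'

# Reads log lines from stdin, prints one hint per finding, returns 1 if any.
check_root_install() {
	found=0
	while IFS= read -r line; do
		case "$line" in
			*'"certutil" is not available'*)
				echo "missing dependency: apt-get install libnss3-tools, then restart caddy so it can add its root CA to the NSS store"
				found=1 ;;
			*'failed to install root certificate'*)
				echo "root CA not trusted on this host: clients reject the .local certificate until the root is installed (caddy trust, or import root.crt on each client)"
				found=1 ;;
		esac
	done
	return "$found"
}

# True when certutil (from libnss3-tools) is on PATH, the tool Caddy asked for.
has_certutil() {
	command -v certutil >/dev/null 2>&1
}

# Look for a Caddy root in an NSS database (default: the current user's).
# Returns 0 if found, 1 if absent, 2 if the check could not be made.
# Matching the nickname on "caddy" is an assumption of this example.
root_ca_in_nss_db() {
	db="${1:-$HOME/.pki/nssdb}"
	has_certutil || return 2
	[ -d "$db" ] || return 2
	certutil -L -d "sql:$db" 2>/dev/null | grep -qi 'caddy'
}

case "${1:-}" in
	--stdin) check_root_install ;;
	demo)    printf '%s\n' "$SAMPLE_LOG" | check_root_install ;;
	nss)     root_ca_in_nss_db "${2:-}" ;;
esac
```

A non-zero exit from `--stdin` is a good signal to wire into whatever monitors the Pi, since Caddy itself keeps serving (with a certificate nobody trusts) after this error.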

Upgrading to the latest commit on master would also have solved the problem :slight_smile: But that works!

