How to get the Caddy cert working in Windows

1. The problem I’m having:

I managed to enable HTTPS for my local, not exposed apps by pointing openwebui.lan to Caddy and then proxying to openwebui.fromproxy:8080 with the help of local DNS.

But how do I get Windows to trust the Caddy cert?

Currently it doesn't seem to work. Thank you!

2. Error messages and/or full log output:

I get this error when accessing the app:

net::ERR_CERT_COMMON_NAME_INVALID
Subject:

Issuer: Caddy Local Authority - ECC Intermediate

Expires on: Nov 12, 2025

Current date: Nov 12, 2025

PEM encoded chain:
-----BEGIN CERTIFICATE-----
cipher
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
cipher
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
cipher
-----END CERTIFICATE-----

3. Caddy version:

v2.9.1

4. How I installed and ran Caddy:

LXC container in Proxmox.

a. System environment:

LXC, Debian 12

b. Command:

Caddy runs fine


c. Service/unit/compose file:

d. My complete Caddy config:

*.lan {
	tls internal

	@owui host openwebui.lan
	handle @owui {
		reverse_proxy openwebui.fromproxy:8080
		header {
			# Prevent the site from being embedded in an iframe, mitigating clickjacking.
			X-Frame-Options DENY
		}
	}
}

5. Links to relevant resources:

I did copy the local cert to windows like this:

scp root@caddy:/var/lib/caddy/.local/share/caddy/pki/authorities/local/root.crt $env:USERPROFILE/caddy.crt

Import-Certificate -FilePath "$env:USERPROFILE\caddy.crt" -CertStoreLocation Cert:\LocalMachine\Root

Upon further inspection, I noticed the root.crt I copied to my OS trusted store does not have a Subject Alternative Name (SAN) field. Hence the error, probably.

I tried to copy the local cert that gets generated for my entry in the Caddyfile, which has a SAN defined. But this cert has other validation issues (CA not valid) and the OS does not trust it.

Is it even possible to just copy a cert from Caddy and make this work? Or should I drop it?

Any hints on how I should fix this would be much appreciated.

I fixed it!

I had to change my config to separate entries (not using a wildcard). This way the cert gets the valid domain, not just *.lan.

openwebui.lan {
	tls internal

	reverse_proxy openwebui.fromproxy:8080
}

code.lan {
	tls internal

	reverse_proxy code.fromproxy:8080
}

Love Caddy!

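As an added example (not code from the thread or from Caddy), a small Python model of the hostname check a browser performs against the dNSName entries in a certificate's SAN extension, showing why a request for openwebui.lan fails against the name the `*.lan` block produces and passes against the per-host block. The SAN lists are constructed stand-ins for the issued certificates, and the wildcard rule it models (wildcard only as the whole leftmost label, with at least two labels after it) is an assumption about browser behaviour, not something the thread states.

```python
"""Model of browser hostname-vs-SAN matching (added example, not from the post)."""

# Constructed SAN lists standing in for the certificates Caddy's internal CA
# would issue for the two Caddyfile variants on this page. Caddy puts the name
# in the SAN extension and leaves the Subject empty, which is why the browser
# error shows "Subject:" blank. Assumptions, not output from a real instance.
SAN_WILDCARD_BLOCK = ["*.lan"]            # from the `*.lan { ... }` block
SAN_PER_HOST_BLOCK = ["openwebui.lan"]    # from the `openwebui.lan { ... }` block


def dns_name_matches(hostname: str, presented: str) -> bool:
    """Match one SAN dNSName against the hostname the client asked for.

    Modelled rules (the conservative ones mainstream browsers apply):
      * comparison is case-insensitive and label-by-label;
      * a wildcard counts only when it is the entire leftmost label;
      * a wildcard matches exactly one label and needs at least two labels to
        its right, so `*.lan` (a wildcard directly under a top-level label) is
        rejected even though the string pattern would fit.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    cert_labels = presented.lower().rstrip(".").split(".")
    if "" in host_labels or "" in cert_labels:
        return False  # empty label, e.g. "a..lan" or an empty name
    if cert_labels[0] == "*":
        if len(cert_labels) < 3:            # fewer than two labels after "*"
            return False
        if len(host_labels) != len(cert_labels):
            return False                    # wildcard never spans labels
        return host_labels[1:] == cert_labels[1:]
    if "*" in presented:
        return False                        # partial wildcards like "open*.lan"
    return host_labels == cert_labels


def hostname_accepted(hostname: str, san_dns_names: list) -> bool:
    """True if any SAN dNSName in the certificate matches the requested host."""
    return any(dns_name_matches(hostname, name) for name in san_dns_names)


if __name__ == "__main__":
    host = "openwebui.lan"
    print(host, "against wildcard block cert:", hostname_accepted(host, SAN_WILDCARD_BLOCK))
    print(host, "against per-host block cert:", hostname_accepted(host, SAN_PER_HOST_BLOCK))
```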