Timbo
(Timbo)
August 15, 2020, 7:27am
1
For a specific domain I would like to disable caddy’s automatic certificate retrieval and use my custom certificates.
Therefore I would like register the certificates using the caddy api (JSON Config Structure - Caddy Documentation ).
Unfortunately caddy does not recognize the certificates:
$ curl caddyhost:2019/config/apps/tls/certificates -X POST -H "Content-Type: application/json" -d '{"load_pem": [{"certificate": "-----BEGIN CERTIFICATE----MIIGfzCCBWegAwIBAgISA8A1M8hcnrtS0B9BnyoZpvlHMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQDExpMZXQncyBFbmNyeXB0IEF1dG[...]-----END CERTIFICATE-----", "key":"-----BEGIN RSA PRIVATE KEY-----
MIIJNBFTBAAKCAgEA/y7t3GTcrWHJ+lsWGEvhUtAo7/S9l7DHw/A6DW7F88+wO[...]-----END RSA PRIVATE KEY-----"}]}'
$ {"error":"loading new config: loading http app module: provision http: getting tls app: loading tls app module: provision tls: loading certificates: PEM pair 0: tls: failed to find any PEM data in certificate input"}
I already tried to base64 encode both the certificate and the key, but this does not work either (same error message).
I’m pretty sure you need to omit the ASCII armor (i.e. the bits with the `---`) for it to work.
If you didn’t realize, PEM is a base64 encoded certificate already, it just has the ASCII armor around it and newlines every 64 characters. DER is the raw binary format, and base64 encoding a DER certificate, then splitting it with newlines every 64 chars, and adding the ASCII armor, gives you a PEM.
Timbo
(Timbo)
August 15, 2020, 11:55am
3
Removing the ASCII armor didn’t work either.
What worked though was to use “load_files”, instead of “load_pem”. The content of the files is the same as the strings I have used with the “load_pem” method.
curl caddyhost:2019/config/apps/tls/certificates -X POST -H "Content-Type: application/json" -d '{"load_files": [{"certificate": "/certs/mydomain.com.cer", "key":"/certs/mydomain.com.key"}]}'
I’m confused, since I have validated the “load_pem” data with openssl. The strings were valid…
Since I extensively use the API to automate things as much as possible, I still would like to manage the certificates via the API instead of deploying those files on the host and then reloading caddy. Do you have any other suggestions or even a working example?
I’m basing this on the below test case that’s part of the codebase. It doesn’t map to exactly the same config field, but it should work the same:
localhost
respond "hello from localhost"
tls {
	client_auth {
		mode request
		trusted_ca_cert [...]
	}
}
----------
{
	"apps": {
		"http": {
			"servers": {
				"srv0": {
					"listen": [
						":443"
					],
					"routes": [
						{
[...]
If not, I’ll need to do some digging in the codebase to figure out if there’s a meaningful difference.
This is the code that runs to load the certificates - so if you can find details about what tls.X509KeyPair takes, you should be able to figure it out.
// Copyright 2015 Matthew Holt and The Caddy Authors
package caddytls
import (
	"crypto/tls"
	"fmt"
[...]
I’m just on my phone for the time being and my time is limited - I’ll come back to this when I can if you don’t figure it out.
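As an added example (not from this thread and not Caddy's own code), the Go program below runs the same parser Caddy uses for `load_pem`, `tls.X509KeyPair`, against a self-signed certificate it generates itself. The armor lines are required, but Go's `pem.Decode` also needs a line break after the `-----BEGIN ...-----` line, so a PEM flattened onto one line, as in the curl body in the first post, fails with exactly the `failed to find any PEM data in certificate input` message quoted there, while the same PEM with its newlines loads fine. The program then marshals the pair with `encoding/json`, which escapes every line break as `\n`; a hand-written curl body needs the same `\n` sequences inside the JSON strings. The field names `load_pem`, `certificate` and `key` are taken from the curl command in the first post; the name `mydomain.com` and the generated key pair are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// pemPair and loadPEMPayload mirror the shape of the "load_pem" entry posted
// to /config/apps/tls/certificates (assumption: same field names as the curl
// command in the thread).
type pemPair struct {
	Certificate string `json:"certificate"`
	Key         string `json:"key"`
}

type loadPEMPayload struct {
	LoadPEM []pemPair `json:"load_pem"`
}

// newSelfSignedPair generates a throwaway ECDSA key and a self-signed
// certificate for cn (constructed test data, not a real domain's cert) and
// returns both as PEM text with its normal line breaks.
func newSelfSignedPair(cn string) (certPEM, keyPEM string, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return "", "", err
	}
	keyDER, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return "", "", err
	}
	certPEM = string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
	keyPEM = string(pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}))
	return certPEM, keyPEM, nil
}

// flattenPEM reproduces the curl body from the first post: the armor is kept
// but every newline is dropped, so the whole PEM is a single line.
func flattenPEM(p string) string {
	return strings.ReplaceAll(p, "\n", "")
}

// keyPairError runs the parser Caddy uses for load_pem (tls.X509KeyPair) and
// returns its error message, or "" when the pair loads.
func keyPairError(certPEM, keyPEM string) string {
	if _, err := tls.X509KeyPair([]byte(certPEM), []byte(keyPEM)); err != nil {
		return err.Error()
	}
	return ""
}

// buildLoadPEMPayload marshals the pair for a POST to
// /config/apps/tls/certificates. encoding/json escapes each newline as \n,
// which is what keeps the PEM line structure intact inside the JSON string.
func buildLoadPEMPayload(certPEM, keyPEM string) ([]byte, error) {
	return json.Marshal(loadPEMPayload{LoadPEM: []pemPair{{Certificate: certPEM, Key: keyPEM}}})
}

func main() {
	certPEM, keyPEM, err := newSelfSignedPair("mydomain.com")
	if err != nil {
		panic(err)
	}
	fmt.Printf("one-line PEM:   %q\n", keyPairError(flattenPEM(certPEM), flattenPEM(keyPEM)))
	fmt.Printf("multi-line PEM: %q\n", keyPairError(certPEM, keyPEM))
	body, err := buildLoadPEMPayload(certPEM, keyPEM)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(body)[:80] + "...")
}
```

Writing the marshaled body to a file and sending it with `curl ... -d @body.json` hands Caddy the PEM with its line breaks intact, which is also what `load_files` gets when it reads the same PEM from disk.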
system
(system)
Closed
September 14, 2020, 7:27am
6
This topic was automatically closed after 30 days. New replies are no longer allowed.