How to run caddy locally without adding anything to the trusted CA certs store

1. Caddy version (caddy version):

v2.3.0 h1:fnrqJLa3G5vfxcxmOH/+kJOcunPLhSBnjgIvjXV/QTA=

2. How I run Caddy:

download from github releases page and run binary from terminal

a. System environment:

Linux thingpad 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

b. Command:

~/Desktop/programs/caddy/caddy reverse-proxy --from https://localhost:4443 --to http://localhost:8080

3. The problem I’m having:

The docs say “The first time a root key is used, Caddy will try to install it into the system’s local trust store(s). If it does not have permission to do so, it will prompt for a password. This behavior can be disabled in the configuration if it is not desired.” but the docs lack any link or example to back up this claim that it can be disabled.

I would like to point out this is a widespread, pervasive issue with the Caddy documentation and it's the reason y'all have to have people spending all day answering “stupid” questions on this forum. Almost all of the documentation pages don’t contain practical examples that show how to use the documented feature. More often than not the only way to learn how to use any given caddy feature is:

  1. look at the test code (this is the best and easiest but not every caddy feature has “integration” style test code that contains config files)
  2. find forum posts or other discussions where someone posted their config while working with the feature you are studying
  3. look at the source code which implements the feature

4. Error messages and/or full log output:

forest@thingpad:~/Desktop/programs/caddy$ ~/Desktop/programs/caddy/caddy reverse-proxy --from https://localhost:4443 --to http://localhost:8080
2021/02/19 01:36:31.289 WARN    admin   admin endpoint disabled
2021/02/19 01:36:31.290 INFO    http    enabling automatic HTTP->HTTPS redirects        {"server_name": "proxy"}
2021/02/19 01:36:31.290 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc0003325b0"}
2021/02/19 01:36:31.300 INFO    tls     cleaned up storage units
2021/02/19 01:36:31.330 WARN    installing root certificate (you might be prompted for password)        {"path": "storage:pki/authorities/local/root.crt"}
2021/02/18 19:36:31 Warning: "certutil" is not available, install "certutil" with "apt install libnss3-tools" or "yum install nss-tools" and try again
2021/02/18 19:36:31 define JAVA_HOME environment variable to use the Java trust
[sudo] password for forest:

5. What I already tried:

I spent about 10 minutes google searching and looking around on this forum for anyone who had figured out how to configure it so it will start without trying to mess with the trust store.

I ended up just running it inside a docker container because that was the only thing I found while searching, and I simply wanted to run it to test performance of an app under HTTP/2 but didn’t want it to mess with my trust store.

forest@thingpad:~/Desktop/programs/caddy$ sudo docker run -v `pwd`:/caddy --net host --entrypoint /caddy/caddy ubuntu reverse-proxy --from https://localhost:4443 --to http://localhost:8080

You’ll need to use JSON config to disable it, via the install_trust option in the pki app:

You may be surprised to hear this, but you’re the first person I’ve seen ask about turning this off. If you’re running HTTPS locally, you almost always want to establish trust to avoid warnings from your various tooling and browsers. And installing a root certificate is pretty non-invasive, it just adds the root CA cert (one file) to the trust store, which on debian systems is in /etc/ssl/certs. You can run caddy untrust at any time to remove it.
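As an added example (not from the thread above and not the Caddy project's own documentation), here is a complete JSON config that reproduces the `reverse-proxy --from https://localhost:4443 --to http://localhost:8080` command while setting `install_trust` to `false` on the `local` certificate authority in the `pki` app, so Caddy still issues a locally signed certificate but never touches the system trust store and never prompts for sudo. The field names are the Caddy v2 JSON structure as I know it; the file name `caddy.json`, the explicit `internal` issuer policy for `localhost` (Caddy would pick that issuer for `localhost` on its own, it is spelled out here for clarity), and `disable_redirects` (so an unprivileged run does not also try to bind port 80 for the HTTP->HTTPS redirect) are my choices, not something the thread states.

```json
{
  "apps": {
    "pki": {
      "certificate_authorities": {
        "local": {
          "install_trust": false
        }
      }
    },
    "tls": {
      "automation": {
        "policies": [
          {
            "subjects": ["localhost"],
            "issuers": [{ "module": "internal" }]
          }
        ]
      }
    },
    "http": {
      "servers": {
        "proxy": {
          "listen": [":4443"],
          "automatic_https": {
            "disable_redirects": true
          },
          "routes": [
            {
              "match": [{ "host": ["localhost"] }],
              "handle": [
                {
                  "handler": "reverse_proxy",
                  "upstreams": [{ "dial": "localhost:8080" }]
                }
              ]
            }
          ]
        }
      }
    }
  }
}
```

Run it with `caddy run --config caddy.json`. Because nothing is installed system-wide, your own tooling has to be told about the root explicitly for the duration of the test, which is the least-privilege way to do local HTTPS: the log line above shows the root lives at `storage:pki/authorities/local/root.crt`, which with Caddy's default Linux storage location should be `~/.local/share/caddy/pki/authorities/local/root.crt` (assumed default, adjust if you have set a custom storage path), so something like `curl --cacert ~/.local/share/caddy/pki/authorities/local/root.crt https://localhost:4443/` verifies the connection without granting that CA trust anywhere else on the machine.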
