How to use self signed cert with reverse proxy

1. The problem I’m having:

I am trying to setup a reverse proxy with a selfsigned cert where caddy is responsible for encrypted traffic with a client and forwards traffic to an internal http server. I have no hostnames and only using IPs. I have also tried to have the server serve https but caddy denied the cert.

generating my certs:

openssl req -newkey rsa:4096 -nodes -keyout /etc/ssl/private/key.pem -x509 -days 365 -out /etc/ssl/private/cert.pem

my caddy file:

:443 {
    tls /etc/ssl/private/cert.pem /etc/ssl/private/key.pem
    reverse_proxy http://127.0.0.1:8080
}

2. Error messages and/or full log output:

Error: loading initial config: loading new config: loading http app module: provision http: getting tls app: loading tls app module: provision tls: caching unmanaged certificate: certificate has no names

3. Caddy version:

$ caddy --version
v2.8.4

4. How I installed and ran Caddy:

I installed the binary from Download Caddy

a. System environment:

lsb_release -a
Distributor ID:	Ubuntu
Description:	Ubuntu 24.04 LTS
Release:	24.04
Codename:	noble

b. Command:

caddy run --config caddyfile

Howdy @yerb, welcome to the Caddy community.

Caddy can’t requisition a certificate without any names at all - not even an internal one.

You’ll need to give your site address a qualifying name (an IP address does qualify, for example 192.168.0.100:443), or you’ll need to use On-Demand TLS to generate certs on-the-fly for whichever IP address is used to access your host.

Hi thanks for the reply. I ended up going with the following config and it seems to work.

https://127.0.0.1:443 {
    tls internal
    reverse_proxy http://127.0.0.1:8080
}

Now another question I have is that a part of my security is configuring a certificate fingerprint before hand, I can get this once I start caddy. But If I need to move servers is it possible to copy the existing certificate created by tls internal? Another part of my original question was have the actual service handle the certificate and caddy forward the encrypted traffic, if this is possible how would the config look like. Thanks

As for the actual generated certificates themselves:

Caddy will store public certificates, private keys, and other assets in its configured storage facility (or the default one, if not configured – see link for details).

—https://caddyserver.com/docs/automatic-https#storage

It mentions public certificates, but that doesn’t mean it’s limited to publicly-trusted certs; it stores local CA-generated certificates here as well. Following that trail takes you to Conventions — Caddy Documentation, which tells you where on disk you can find the default data directory (it changes based on your OS, but for Ubuntu it should be $HOME/.local/share/caddy).

That said, extracting just the cert itself is much less useful because they last for like 12 hours or something.

What you probably want to save is the root CA and keys, so that you can transfer them to a new system and have another Caddy start signing new certificates with the previously-generated CA. As for that:

To serve non-public sites over HTTPS, Caddy generates its own certificate authority (CA) and uses it to sign certificates. The trust chain consists of a root and intermediate certificate. Leaf certificates are signed by the intermediate. They are stored in Caddy’s data directory at pki/authorities/local.

—https://caddyserver.com/docs/automatic-https#local-https

So, essentially, they’re both in the data directory, normally; certs under certificates and the CA/intermediate under pki.

GitHub - mholt/caddy-l4: Layer 4 (TCP/UDP) app for Caddy can take raw traffic and proxy it on, including encrypted TLS traffic, with or without unwrapping it first. I’d recommend looking at the config examples for more there. You can get a copy of Caddy with the caddy-l4 plugin from the same download page you got your binary from originally.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.