How would I use tls_insecure_skip_verify in my caddyfile?

1. The problem I’m having:

I’m trying to get my browsers to ignore the certificate warning in my browser for the self-signed certificate Caddy uses. I’ve performed a few searches here but can’t make out what I’m supposed to do in my Caddyfile to get it working. I only need this for internal addresses, not external use. There is no external access to my local services.

2. Error messages and/or full log output:

3. Caddy version:

v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=

4. How I installed and ran Caddy:

https://caddyserver.com/docs/install#debian-ubuntu-raspbian

a. System environment:

Ubuntu 23.10.1

b. Command:

c. Service/unit/compose file:

d. My complete Caddy config:

# The Caddyfile is an easy way to configure your Caddy web server.
#
# Unless the file starts with a global options block, the first
# uncommented line is always the address of your site.
#
# To use your own domain name (with automatic HTTPS), first make
# sure your domain's A/AAAA DNS records are properly pointed to
# this machine's public IP, then replace ":80" below with your
# domain name.
{
	admin 0.0.0.0:2020
}

nc.sceptic.au {
	tls internal
	reverse_proxy localhost:11000
}

sceptic.au {
	tls {
		# The original post had the GoDaddy API token inline here;
		# read it from the environment instead of committing it to the Caddyfile.
		dns godaddy {env.GODADDY_API_TOKEN}
	}
	# Additional configuration for your local domain
	reverse_proxy localhost:443
}

sonarr.sceptic.au {
	tls internal
	reverse_proxy 192.168.50.242:8989
}

homepage.sceptic.au {
	tls internal
	reverse_proxy localhost:3000
}

overseerr.sceptic.au {
	tls internal
	reverse_proxy localhost:5055
}

maintainerr.sceptic.au {
	tls internal
	reverse_proxy localhost:8154
}

radarr.sceptic.au {
	tls internal
	reverse_proxy localhost:7878
}

readarr.sceptic.au {
	tls internal
	reverse_proxy localhost:8787
}

lidarr.sceptic.au {
	tls internal
	reverse_proxy localhost:8686
}

sabnzbd.sceptic.au {
	tls internal
	reverse_proxy localhost:8089
}

prowlarr.sceptic.au {
	tls internal
	reverse_proxy localhost:9696
}

https://audio.sceptic.au:443 {
	tls internal
	reverse_proxy localhost:13378
}

tautulli.sceptic.au {
	tls internal
	reverse_proxy localhost:8181
}

paperless.sceptic.au {
	tls internal
	reverse_proxy localhost:8003
}

actual.sceptic.au {
	tls internal
	reverse_proxy localhost:5006
}

freshrss.sceptic.au {
	tls internal
	reverse_proxy localhost:8282
}

immich.sceptic.au {
	tls internal
	reverse_proxy localhost:2283
}

dozzle.sceptic.au {
	tls internal
	reverse_proxy localhost:8888
}

ukuma.sceptic.au {
	tls internal
	reverse_proxy localhost:3001
}

filebrowser.sceptic.au {
	tls internal
	reverse_proxy localhost:8383
}

dockge.sceptic.au {
	tls internal
	reverse_proxy localhost:5001
}

linkding.sceptic.au {
	tls internal
	reverse_proxy localhost:9090
}

change.sceptic.au {
	tls internal
	reverse_proxy localhost:5000
}

duplicati.sceptic.au {
	tls internal
	reverse_proxy localhost:8200
}

stirlingpdf.sceptic.au {
	tls internal
	reverse_proxy localhost:8088
}

# Refer to the Caddy docs for more information:
# https://caddyserver.com/docs/caddyfile

5. Links to relevant resources:

The solution is to install Caddy’s root CA cert in your system & browser’s trust store. Automatic HTTPS — Caddy Documentation

tls_insecure_skip_verify is specifically for reverse_proxy connecting to an HTTPS upstream, not for incoming connections. It’s almost never the right thing to use (hence the insecure in the name, to deter you from using it).

2 Likes

How would I make caddy trust use port 2020?

skepticalme@PlexServer:~$ caddy trust
Error: requesting CA info: performing request: Get "http://localhost:2019/pki/ca/local": dial tcp 127.0.0.1:2019: connect: connection refused

Run caddy trust --help, use the --address option or specify your config so it loads the admin address from it. You’ll need to run it with sudo so it has permissions to update trust stores.

1 Like

Thank you, done.

With the browser, is there a way to obtain the certificate to load into Brave browser? I know how to load it, I just don’t know where to get the certificate. But now I think of it, is it found in the Ubuntu “trust store” on my machine?

Many browsers use their own trust stores. You’ll need to find out on your own how to install root certs in Brave. You can get the cert file from Caddy’s storage to install it manually if necessary.

1 Like

I added the root.crt from here:

/home/skepticalme/.local/share/caddy/pki/authorities/local

To Brave and Firefox, but it didn’t work, they’re still giving the certificate warning.

I followed different guides on how to load the certificates into Firefox and Brave but no luck.

When running as a systemd service, the caddy user’s home is /var/lib/caddy, not /home.

2 Likes

Done! Thank you for your patience with me.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.