HTTP -> HTTPS redirect testing on localhost

1. Caddy version (caddy version):

v2.4.6

2. How I run Caddy:

sudo ./caddy reverse-proxy --to 127.0.0.1:8080

a. System environment:

Solus OS (latest release)

d. My complete Caddyfile or JSON config:

3. The problem I’m having:

I am new to web development and server stuff, so trying to set up HTTP → HTTPS is a bit of a mess.
When I start Caddy using sudo ./caddy reverse-proxy --to 127.0.0.1:8080 I can correctly do:
curl -k https://localhost:443 and curl --cacert mycert.pem https://localhost:443, which then shows me the content handled by my webserver, listening on port 8080.

For a website to be mostly accessible it would have to support HTTP (right?). When launching Caddy this is inside the start message:
2022/02/03 21:40:59.733 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "proxy"}

However, I’m still not able to do: curl https://localhost:80 or access it from my browser. I get no errors except for: 2022/02/03 21:40:59.744 ERROR pki.ca.local failed to install root certificate {"error": "install is not supported on this system", "certificate_file": "storage:pki/authorities/local/root.crt"} which I’m assuming is because I’m on localhost.

I have looked at several sources:

How would I allow this and should it be allowed for something like a public website?

No, this error is because you’re running on Solus OS (which I’ve never even heard of), which doesn’t have an implementation of trust installation in the library we use (GitHub - smallstep/truststore: Package to locally install development certificates).

This doesn’t really make sense. What happens, if not an error? What do you see? Explain the behaviour.

I just saw that in the log when starting Caddy, there’s the following:
2022/02/03 21:40:59.733 INFO http server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "proxy", "https_port": 443} which is probably why. How do I make it listen on port 80 (if that should even be done).

It should, automatically. Check netstat to see what ports the Caddy process has bound to.

I don’t see anything.
So for example:

> curl -k https://localhost:443
<html>
   a lot of content in here
</html>

> curl http://localhost:80
>

It shows nothing, not an error from Caddy or curl.

Use curl -v. It’s probably serving a redirect, i.e. a response with a Location header. curl doesn’t follow redirects unless you specify the -L option (L for “Location”).

*   Trying 127.0.0.1:80...
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: localhost
> User-Agent: curl/7.79.1
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://localhost/
< Server: Caddy
< Date: Thu, 03 Feb 2022 22:06:56 GMT
< Content-Length: 0
< 
* Closing connection 0

If I use curl -v -L http://localhost:80
I get:

*   Trying 127.0.0.1:80...
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: localhost
> User-Agent: curl/7.79.1
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://localhost/
< Server: Caddy
< Date: Thu, 03 Feb 2022 22:07:44 GMT
< Content-Length: 0
< 
* Closing connection 0
* Issue another request to this URL: 'https://localhost/'
*   Trying 127.0.0.1:443...
* Connected to localhost (127.0.0.1) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: none
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 1
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Solus OS is Linux. Sorry for the confusion. Or well… it’s built on the kernel, not sure if they’ve done something, so that it does not count as Linux.

Sorry it feels like I’m spamming.
If I do:
curl -v -L -k http://localhost:80
or
curl -v -L --cacert mycert.pem http://localhost:80 it returns the index.html content.
Is that to be expected, or should it be possible for me to use localhost:80 without a certificate?

Back to the original comment, the root CA certificate that Caddy generated was not installed in your system’s trust store, so your HTTP clients are not trusting connections to Caddy.

Since Solus isn’t currently supported for the trust installation, you’ll need to do that yourself, manually.

See here in the docs, it explains where you can find the root CA cert. You’ll need to find the appropriate instructions for your system to update your trust store (Google it).
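
Tying together the two replies above (the 308 redirect on port 80 that curl only follows with -L, and trusting Caddy's locally generated root CA rather than bypassing verification with -k), the following shell script is an added example; it is not from this thread or from the Caddy project. It assumes Caddy was started with sudo, so the root CA sits in root's data directory at /root/.local/share/caddy/pki/authorities/local/root.crt (override CADDY_ROOT_CRT if yours is elsewhere), and that curl is on the PATH. check_redirect is pure shell and is exercised offline against the 308 response captured with curl -v earlier in the thread; probe is the live check against the running Caddy.

```shell
#!/bin/sh
# Added example (not from this thread or the Caddy project): verify Caddy's
# automatic HTTP->HTTPS redirect and fetch the site over TLS while trusting
# Caddy's locally generated root CA explicitly, instead of passing -k to curl.
#
# Assumption: Caddy was started with sudo, so its data directory is root's
# ~/.local/share/caddy. Override CADDY_ROOT_CRT if your copy lives elsewhere.
set -eu

CADDY_ROOT_CRT="${CADDY_ROOT_CRT:-/root/.local/share/caddy/pki/authorities/local/root.crt}"
CR=$(printf '\r')

# check_redirect reads raw HTTP response headers from stdin and succeeds only
# if they are a permanent redirect (301 or 308) whose Location is https:// on
# the expected host. A 302, an http:// target, or another host all fail: the
# redirect must upgrade the scheme and stay on the same origin, otherwise it
# is either downgradeable or behaves like an open redirect.
check_redirect() {
    expected_host="$1"
    status=""
    location=""
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%"$CR"}"                 # tolerate CRLF line endings
        case "$line" in
            HTTP/*)        rest="${line#* }"; status="${rest%% *}" ;;
            [Ll]ocation:*) location="${line#*: }" ;;
        esac
    done
    case "$status" in
        301|308) ;;
        *) echo "check_redirect: status '${status:-none}' is not a permanent redirect" >&2; return 1 ;;
    esac
    case "$location" in
        "https://${expected_host}/"*|"https://${expected_host}") return 0 ;;
        *) echo "check_redirect: unexpected Location '${location:-none}'" >&2; return 1 ;;
    esac
}

# demo_redirect feeds the 308 response captured with curl -v earlier in the
# thread through check_redirect, so the check can be exercised offline.
demo_redirect() {
    printf 'HTTP/1.1 308 Permanent Redirect\r\nConnection: close\r\nLocation: https://localhost/\r\nServer: Caddy\r\nContent-Length: 0\r\n\r\n' \
        | check_redirect localhost
}

# probe talks to the running Caddy. Step 1 inspects the redirect itself (no
# -L, so curl does not follow it); step 2 follows it to HTTPS with --cacert,
# which keeps certificate verification on and only adds Caddy's root CA as
# the trust anchor for this call.
probe() {
    host="${1:-localhost}"
    curl -sS -I "http://${host}/" | check_redirect "$host"
    echo "port 80 answered with a permanent redirect to https://${host}/"
    curl -sS -L --cacert "$CADDY_ROOT_CRT" "http://${host}/" >/dev/null
    echo "HTTPS fetch verified against ${CADDY_ROOT_CRT}"
}

# Only hit the network when asked, so the functions can be sourced or tested.
if [ "${1:-}" = "--probe" ]; then
    probe "${2:-localhost}"
fi
```

Saved as, say, check-caddy-redirect.sh, run it with `sh check-caddy-redirect.sh --probe localhost` against the running Caddy. The point of --cacert over -k is that the handshake is still verified, just against the CA Caddy generated; -k, as used in the thread, turns verification off entirely and proves nothing about the certificate. Until the root CA is in the system store, exporting the same root.crt as CURL_CA_BUNDLE (for curl) or SSL_CERT_FILE (for OpenSSL-based clients) has the same effect per process as passing --cacert on every call, with the caveat that SSL_CERT_FILE replaces the default bundle for that process.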

I’m not sure why this is. Solus OS is based on the Linux kernel.
When I ran caddy trust, I found out that I had not set the JAVA_HOME variable.
But after I did, I tried caddy trust which returned the following:

2022/02/03 22:30:28.823	WARN	ca.local	installing root certificate (you might be prompted for password)	{"path": "storage:pki/authorities/local/root.crt"}
Password: 
2022/02/03 23:30:32 certificate installed properly in Java keystore
trust: install is not supported on this system

So there’s a certificate now, now I’m not sure what to do. What does trust: install do?

Like I said:

Alright, I’m having a hard time making it work. But I can see that all of the certificates for Solus OS are in /etc/ssl/certs/, so I have made an issue in the truststore repo.

