1. The problem I’m having:
I’m attempting to use Caddy as a fileserver and reverse proxy to serve files over HTTPS using a PositiveSSL wildcard cert (*.nsk.io).
The fileserver and reverse proxy both work when I load a file with Firefox, but I get an error from curl and other clients stating that the certificate is not trusted and doesn’t have a known issuer.
I’m not an expert when it comes to certs; my understanding is that many platforms have a library of trusted CAs, which I would expect my issuer to be part of since the cert was purchased, and against which the CA of my cert is verified. So a couple of questions:
- In addition to my .crt and .key files, I was provided a STAR_nsk_io.ca-bundle file. Does this last file need to be configured with Caddy in some way to ensure all clients trust my cert and use the ca-bundle to verify the authority automatically?
- Why would my browser work fine, but curl does not? Is there a set of trusted CAs that works with Firefox but not curl/wget because Firefox trusts the CA but my system does not?
2. Error messages and/or full log output:
# wget -O /tmp/ipxe.efi https://boot.nsk.io/ipxe.efi
--2023-07-21 14:32:55-- https://boot.nsk.io/ipxe.efi
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving boot.nsk.io (boot.nsk.io)... 192.168.2.3
Connecting to boot.nsk.io (boot.nsk.io)|192.168.2.3|:443... connected.
ERROR: The certificate of ‘boot.nsk.io’ is not trusted.
ERROR: The certificate of ‘boot.nsk.io’ doesn't have a known issuer.
3. Caddy version:
Docker caddy 2.6-alpine.
4. How I installed and ran Caddy:
Docker compose via systemd service.
c. Service/unit/compose file:
Systemd unit:
[Unit]
Description=Caddy docker-compose service
Requires=docker.service
After=docker.service
StartLimitIntervalSec=60
[Service]
WorkingDirectory=/srv/caddy
ExecStart=/usr/bin/docker compose up
ExecStop=/usr/bin/docker compose down
TimeoutStartSec=0
Restart=on-failure
StartLimitBurst=3
[Install]
WantedBy=multi-user.target
docker-compose.yml
---
version: "3.4"
services:
  caddy:
    container_name: caddy
    image: caddy:2.6-alpine
    ports:
      - 80:80
      - 443:443
    volumes:
      - /mnt/smb/vol/caddy/data:/data
      - /mnt/smb/private_static:/private_static
      - /srv/caddy/pki:/pki
      - /srv/caddy/Caddyfile:/etc/caddy/Caddyfile
d. My complete Caddy config:
Caddyfile
{
	admin :2019
	auto_https off
}

mux.nsk.io {
	# certificate and key files as issued; the .ca-bundle file is not referenced anywhere
	tls /pki/nsk.io.crt /pki/nsk.io.key
	root * /private_static
	file_server browse
}

boot.nsk.io {
	tls /pki/nsk.io.crt /pki/nsk.io.key
	reverse_proxy "http://{$DOCKER_GATEWAY}:1337"
}
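The check a practitioner would run on this setup, as an added example that is not part of the original post or of Caddy's own tooling. Caddy's `tls <cert> <key>` directive loads every CERTIFICATE block found in the cert file and presents them as the chain, so a file containing only the leaf makes Caddy send only the leaf; a browser that ships or caches the issuing intermediates can still build the path, while curl and wget only have the system root store plus whatever the server actually sent. The script below concatenates the leaf and the CA bundle into one PEM (leaf first), counts the blocks, and optionally verifies the chain against the system roots and inspects what the live server presents. The output filename `fullchain.pem`, the `demo` function, and the placeholder PEM blocks it writes are assumptions for illustration, not real certificates; the Caddyfile line it implies would be `tls /pki/fullchain.pem /pki/nsk.io.key`.

```shell
#!/bin/sh
# Added example: build and check a full-chain PEM for Caddy's `tls <cert> <key>`.
# Not part of the original post. File names are assumptions.
set -eu

# Number of PEM certificate blocks in a file (0 for an empty file).
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Write leaf + CA bundle to $3, leaf first (the order Go's tls.X509KeyPair,
# and therefore Caddy, expects). The `echo` guarantees a newline between the
# two files even when the leaf lacks a trailing newline; blank lines are
# dropped. Prints the number of blocks in the result.
build_fullchain() {
    leaf=$1; bundle=$2; out=$3
    { cat "$leaf"; echo; cat "$bundle"; } | sed '/^$/d' > "$out"
    count_certs "$out"
}

# Verify the leaf using the bundle only as untrusted intermediates and the
# system root store as the trust anchor, which mirrors what wget/curl do.
verify_chain() {
    if command -v openssl >/dev/null 2>&1; then
        openssl verify -untrusted "$2" "$1"
    else
        echo "openssl not installed; skipping chain verification" >&2
    fi
}

# Count the certificates a live server sends in its TLS handshake. A value of
# 1 means only the leaf is served and clients must source intermediates
# themselves. Needs network access; not exercised by the demo below.
served_cert_count() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts \
        </dev/null 2>/dev/null | grep -c -e '-----BEGIN CERTIFICATE-----' || true
}

# Demo on constructed placeholder blocks (not real certificates): one leaf
# without a trailing newline plus a two-certificate bundle, mirroring the
# file names from the post. Prints 3 on success.
demo() {
    dir=$(mktemp -d)
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER LEAF' \
        '-----END CERTIFICATE-----' > "$dir/nsk.io.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER INTERMEDIATE' \
        '-----END CERTIFICATE-----' '-----BEGIN CERTIFICATE-----' \
        'PLACEHOLDER ROOT' '-----END CERTIFICATE-----' > "$dir/STAR_nsk_io.ca-bundle"
    build_fullchain "$dir/nsk.io.crt" "$dir/STAR_nsk_io.ca-bundle" "$dir/fullchain.pem"
}

demo
```

On the real host the equivalent is `build_fullchain /srv/caddy/pki/nsk.io.crt /srv/caddy/pki/STAR_nsk_io.ca-bundle /srv/caddy/pki/fullchain.pem`, followed by `verify_chain` on the leaf and bundle before pointing `tls` at `fullchain.pem`; after reloading Caddy, `served_cert_count boot.nsk.io` should report more than 1. Keep the bundle's intermediates in the file even if a root is present; clients ignore a served root they already trust, but they cannot invent a missing intermediate.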