1. Caddy version (`caddy version`):
2.4.1
2. How I run Caddy:
I run Caddy in Docker, this is the docker-compose file:
```yaml
version: "3.8"
services:
  caddy:
    image: caddy:2.4.1-alpine
    ports:
      - 80:80
      - 443:443
      - 2019:2019
    volumes:
      - ./caddy/Caddyfile:/etc/caddy/Caddyfile:ro
      - /usr/local/share/ca-certificates:/data/caddy/pki/authorities/local
      - ./:/var/www
    restart: unless-stopped
```
a. System environment:
Local development, docker 20.10.6 on Ubuntu 18.04
b. Command:
```
docker-compose up
```
or as inline:
```
$ docker run -d -p 80:80 -p 443:443 -p 2019:2019 \
  -v /home/code/caddy/Caddyfile:/etc/caddy/Caddyfile:ro \
  -v /usr/local/share/ca-certificates:/data/caddy/pki/authorities/local \
  -v /home/code:/var/www \
  caddy:2.4.1-alpine
```
d. My complete Caddyfile or JSON config:
```
{
	debug
	local_certs
	admin 0.0.0.0:2019
}

:443 {
	tls internal {
		on_demand
	}
}

example.localhost {
	root * /var/www
	file_server
}
```
3. The problem I’m having:
I want to have HTTPS for local domains. I’ve been using mkcert and it’s been working great. I was hoping to make it a little easier with Caddy and on demand TLS.
Since I’m on Ubuntu, I’ve mounted the ca-certificates into the container so Caddy’s certificates are available on the host machine:
```
-v /usr/local/share/ca-certificates:/data/caddy/pki/authorities/local
```
I have confirmed that Caddy generates a `root.crt` and an `intermediate.crt` in this directory. After that I ran `sudo update-ca-certificates`.
When I `curl` the URL, everything looks fine and it says `SSL certificate verify ok`:
```
curl --insecure -vvI https://example.localhost 2>&1
* Rebuilt URL to: https://example.localhost/
*   Trying ::1...
* TCP_NODELAY set
* Connected to example.localhost (::1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Client hello (1):
* TLSv1.3 (OUT), TLS Unknown, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: [NONE]
*  start date: May 26 08:56:28 2021 GMT
*  expire date: May 26 20:56:28 2021 GMT
*  issuer: CN=Caddy Local Authority - ECC Intermediate
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* Using Stream ID: 1 (easy handle 0x5639450e07f0)
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
> HEAD / HTTP/2
> Host: example.localhost
> User-Agent: curl/7.58.0
> Accept: */*
...
```
4. Error messages and/or full log output:
But when I run it in the browser (Chromium, Brave, Firefox), it complains about an invalid CA:
I have confirmed that the second part of the chain is the content of the `intermediate.crt` generated by Caddy.
5. What I already tried:
This is pretty much all I’ve tried, I’m not sure how to proceed. My understanding is that the CA should be installed and trusted on the host machine, since curl is not having any issues accessing the URL over HTTPS.
Also, this is exactly how I did it with mkcert for another local domain (served with nginx) and it worked fine. The certificate generated by mkcert is also located in `/usr/local/share/ca-certificates`, like the ones generated by Caddy.
So any ideas would be appreciated. Thanks!
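Added example, not code from the post above or from Caddy: it builds a constructed root -> intermediate -> leaf chain laid out like Caddy's `root.crt` / `intermediate.crt` and uses `openssl verify` against local files (not the live server) to show which trust-store contents let the leaf verify. The "Demo Local Authority" names, keys and the `example.localhost` SAN are constructed, and the `openssl` CLI (1.1.0 or newer) is assumed to be installed.

```shell
# Added example, not code from the original post or from Caddy: build a
# constructed root -> intermediate -> leaf chain laid out like Caddy's local
# CA (root.crt, intermediate.crt) and check which trust-store contents let
# the leaf verify. Assumes the openssl CLI (1.1.0 or newer) is installed.
set -eu

# make_demo_chain DIR: writes root.crt, intermediate.crt and leaf.crt to DIR.
# File names mirror Caddy's; keys, subjects and the SAN are constructed here.
make_demo_chain() {
  d="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.localhost\n' > "$d/leaf.ext"
  for n in root int leaf; do  # one key and CSR per tier
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Local Authority $n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" >/dev/null 2>&1
  done
  # Self-signed root CA.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.crt" >/dev/null 2>&1
  # Intermediate CA issued by the root.
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -days 1 -extfile "$d/ca.ext" -out "$d/intermediate.crt" >/dev/null 2>&1
  # Site leaf issued by the intermediate, as Caddy's internal CA does.
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/intermediate.crt" -CAkey "$d/int.key" -CAcreateserial \
    -days 1 -extfile "$d/leaf.ext" -out "$d/leaf.crt" >/dev/null 2>&1
}

# leaf_verifies TRUSTED_CAS LEAF [INTERMEDIATE]: prints ok or fail.
# Only TRUSTED_CAS is a trust anchor; INTERMEDIATE plays the chain cert a
# server sends. The default CApath is disabled so the given files decide.
leaf_verifies() {
  if [ -n "${3:-}" ]; then
    openssl verify -no-CApath -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1 && echo ok || echo fail
  fi
}

# Demo: root alone vs root plus intermediate in the store (the post installs both).
main() {
  d=$(mktemp -d)
  make_demo_chain "$d"
  echo "root trusted, server sends intermediate: $(leaf_verifies "$d/root.crt" "$d/leaf.crt" "$d/intermediate.crt")"
  echo "root trusted, no intermediate at all:    $(leaf_verifies "$d/root.crt" "$d/leaf.crt")"
  cat "$d/root.crt" "$d/intermediate.crt" > "$d/both.crt"
  echo "root and intermediate both trusted:      $(leaf_verifies "$d/both.crt" "$d/leaf.crt")"
  rm -rf "$d"
}
main
```

To run the same check against a real Caddy setup, point `-CAfile` at the host bundle (`/etc/ssl/certs/ca-certificates.crt`) and pass the leaf and chain certificates the server actually sends; `curl --insecure` continues whatever the verification result, so a check without it is what tells you whether the host store trusts the chain.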