Https on localhost using docker compose

Silvio_Ney · August 6, 2023, 1:34pm

1. The problem I’m having:

I am using Caddy 2.7 with docker compose documentation suggestion, copying the generated cert from container to host but o chrome it stills shows “not secure - certificate is not valid”

2. Error messages and/or full log output:

 caddy curl -vL https://localhost
*   Trying 127.0.0.1:443...
* Connected to localhost (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: [NONE]
*  start date: Aug  6 13:25:13 2023 GMT
*  expire date: Aug  7 01:25:13 2023 GMT
*  subjectAltName: host "localhost" matched cert's "localhost"
*  issuer: CN=Caddy Local Authority - ECC Intermediate
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x558b3f747e90)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/2
> Host: localhost
> user-agent: curl/7.81.0
> accept: */*
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 200 
< alt-svc: h3=":443"; ma=2592000
< content-type: text/plain; charset=utf-8
< server: Caddy
< content-length: 13
< date: Sun, 06 Aug 2023 13:26:46 GMT
< 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection #0 to host localhost left intact
Hello, world!%

3. Caddy version:

v2.7.2 h1:QqThyoyUFAv1B7A2NMeaWlz7xmgKqU49PXBX08A+6xg=

4. How I installed and ran Caddy:

docker compose

a. System environment:

Ubuntu 22.04.3 LTS
Docker version 24.0.5, build ced0996
Docker Compose version v2.18.1

b. Command:

docker compose up -d --build --force-recreate

c. Service/unit/compose file:

version: '3.9'

services:

  caddy:
    image: caddy:2.7.2
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data
      - caddy_config:/config
volumes:
  caddy_data:
  caddy_config:

d. My complete Caddy config:

{
    debug
}

localhost {
	respond "Hello, world!"
}

5. Links to relevant resources:

Silvio_Ney · August 6, 2023, 1:35pm

docker compose logs -f caddy output

➜ caddy docker compose logs -f caddy
caddy-caddy-1 | {“level”:“info”,“ts”:1691328928.8986907,“msg”:“using provided configuration”,“config_file”:“/etc/caddy/Caddyfile”,“config_adapter”:“caddyfile”}
caddy-caddy-1 | {“level”:“warn”,“ts”:1691328928.8997047,“msg”:“Caddyfile input is not formatted; run ‘caddy fmt --overwrite’ to fix inconsistencies”,“adapter”:“caddyfile”,“file”:“/etc/caddy/Caddyfile”,“line”:2}
caddy-caddy-1 | {“level”:“info”,“ts”:1691328928.9005573,“logger”:“admin”,“msg”:“admin endpoint started”,“address”:“localhost:2019”,“enforce_origin”:false,“origins”:[“//localhost:2019”,“//[::1]:2019”,“//127.0.0.1:2019”]}
caddy-caddy-1 | {“level”:“info”,“ts”:1691328928.9007483,“logger”:“http.auto_https”,“msg”:“server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS”,“server_name”:“srv0”,“https_port”:443}
caddy-caddy-1 | {“level”:“info”,“ts”:1691328928.9007628,“logger”:“http.auto_https”,“msg”:“enabling automatic HTTP->HTTPS redirects”,“server_name”:“srv0”}
caddy-caddy-1 | {“level”:“info”,“ts”:1691328928.9008005,“logger”:“tls.cache.maintenance”,“msg”:“started background certificate maintenance”,“cache”:“0xc00071a080”}
caddy-caddy-1 | {“level”:“debug”,“ts”:1691328928.9052072,“logger”:“http.auto_https”,“msg”:“adjusted config”,“tls”:{“automation”:{“policies”:[{“subjects”:[“localhost”]},{}]}},“http”:{“servers”:{“remaining_auto_https_redirects”:{“listen”:[“:80”],“routes”:[{},{}]},“srv0”:{“listen”:[“:443”],“routes”:[{“handle”:[{“handler”:“subroute”,“routes”:[{“handle”:[{“body”:“Hello, world!”,“handler”:“static_response”}]}]}],“terminal”:true}],“tls_connection_policies”:[{}],“automatic_https”:{}}}}}
caddy-caddy-1 | {“level”:“info”,“ts”:1691328928.9057379,“logger”:“http”,“msg”:“enabling HTTP/3 listener”,“addr”:“:443”}
caddy-caddy-1 | {“level”:“info”,“ts”:1691328928.9058292,“msg”:“failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See UDP Buffer Sizes · quic-go/quic-go Wiki · GitHub for details.”}
caddy-caddy-1 | {“level”:“debug”,“ts”:1691328928.905953,“logger”:“http”,“msg”:“starting server loop”,“address”:“[::]:443”,“tls”:true,“http3”:true}
caddy-caddy-1 | {“level”:“info”,“ts”:1691328928.9059644,“logger”:“http.log”,“msg”:“server running”,“name”:“srv0”,“protocols”:[“h1”,“h2”,“h3”]}
caddy-caddy-1 | {“level”:“debug”,“ts”:1691328928.9060173,“logger”:“http”,“msg”:“starting server loop”,“address”:“[::]:80”,“tls”:false,“http3”:false}
caddy-caddy-1 | {“level”:“info”,“ts”:1691328928.906028,“logger”:“http.log”,“msg”:“server running”,“name”:“remaining_auto_https_redirects”,“protocols”:[“h1”,“h2”,“h3”]}
caddy-caddy-1 | {“level”:“info”,“ts”:1691328928.9060347,“logger”:“http”,“msg”:“enabling automatic TLS certificate management”,“domains”:[“localhost”]}
caddy-caddy-1 | {“level”:“info”,“ts”:1691328928.9061542,“logger”:“tls”,“msg”:“cleaning storage unit”,“description”:“FileStorage:/data/caddy”}
caddy-caddy-1 | {“level”:“info”,“ts”:1691328928.906202,“logger”:“tls”,“msg”:“finished cleaning storage units”}
caddy-caddy-1 | {“level”:“info”,“ts”:1691328928.9064713,“logger”:“tls.obtain”,“msg”:“acquiring lock”,“identifier”:“localhost”}
caddy-caddy-1 | {“level”:“info”,“ts”:1691328928.9088635,“logger”:“tls.obtain”,“msg”:“lock acquired”,“identifier”:“localhost”}
caddy-caddy-1 | {“level”:“info”,“ts”:1691328928.9089684,“logger”:“tls.obtain”,“msg”:“obtaining certificate”,“identifier”:“localhost”}
caddy-caddy-1 | {“level”:“debug”,“ts”:1691328928.909,“logger”:“events”,“msg”:“event”,“name”:“cert_obtaining”,“id”:“34b0487a-30d3-4d33-b558-5a67ca05ef3b”,“origin”:“tls”,“data”:{“identifier”:“localhost”}}
caddy-caddy-1 | {“level”:“debug”,“ts”:1691328928.909375,“logger”:“tls.obtain”,“msg”:“trying issuer 1/1”,“issuer”:“local”}
caddy-caddy-1 | {“level”:“debug”,“ts”:1691328928.909971,“logger”:“pki.ca.local”,“msg”:“using intermediate signer”,“serial”:“43392011051282107580898623067351752696”,“not_before”:“2023-08-06 13:35:28 +0000 UTC”,“not_after”:“2023-08-13 13:35:28 +0000 UTC”}
caddy-caddy-1 | {“level”:“info”,“ts”:1691328928.9107869,“logger”:“tls.obtain”,“msg”:“certificate obtained successfully”,“identifier”:“localhost”}
caddy-caddy-1 | {“level”:“debug”,“ts”:1691328928.9108846,“logger”:“events”,“msg”:“event”,“name”:“cert_obtained”,“id”:“4de04bd7-81c2-4c9f-b4f7-bcdb0147158a”,“origin”:“tls”,“data”:{“certificate_path”:“certificates/local/localhost/localhost.crt”,“identifier”:“localhost”,“issuer”:“local”,“metadata_path”:“certificates/local/localhost/localhost.json”,“private_key_path”:“certificates/local/localhost/localhost.key”,“renewal”:false,“storage_path”:“certificates/local/localhost”}}
caddy-caddy-1 | {“level”:“info”,“ts”:1691328928.9109106,“logger”:“tls.obtain”,“msg”:“releasing lock”,“identifier”:“localhost”}
caddy-caddy-1 | {“level”:“warn”,“ts”:1691328928.9113524,“logger”:“tls”,“msg”:“stapling OCSP”,“error”:“no OCSP stapling for [localhost]: no OCSP server specified in certificate”,“identifiers”:[“localhost”]}
caddy-caddy-1 | {“level”:“debug”,“ts”:1691328928.9113693,“logger”:“tls.cache”,“msg”:“added certificate to cache”,“subjects”:[“localhost”],“expiration”:1691372129,“managed”:true,“issuer_key”:“local”,“hash”:“96043dfae69479651e385ec49bb01ba68fb875317e15b5d20e3a37af67e757e8”,“cache_size”:1,“cache_capacity”:10000}
caddy-caddy-1 | {“level”:“debug”,“ts”:1691328928.9113889,“logger”:“events”,“msg”:“event”,“name”:“cached_managed_cert”,“id”:“d4f61f9f-4c8f-4440-a1d3-b807105ff910”,“origin”:“tls”,“data”:{“sans”:[“localhost”]}}
caddy-caddy-1 | {“level”:“warn”,“ts”:1691328928.931096,“logger”:“pki.ca.local”,“msg”:“installing root certificate (you might be prompted for password)”,“path”:“storage:pki/authorities/local/root.crt”}
caddy-caddy-1 | {“level”:“info”,“ts”:1691328928.9314368,“msg”:“define JAVA_HOME environment variable to use the Java trust”}
caddy-caddy-1 | {“level”:“info”,“ts”:1691328928.9314532,“msg”:“warning: "certutil" is not available, install "certutil" with "apt install libnss3-tools" or "yum install nss-tools" and try again”}
caddy-caddy-1 | {“level”:“info”,“ts”:1691328928.9790227,“msg”:“certificate installed properly in linux trusts”}
caddy-caddy-1 | {“level”:“info”,“ts”:1691328928.9792337,“msg”:“autosaved config (load with --resume flag)”,“file”:“/config/caddy/autosave.json”}
caddy-caddy-1 | {“level”:“info”,“ts”:1691328928.9792478,“msg”:“serving initial configuration”}
caddy-caddy-1 | {“level”:“debug”,“ts”:1691328932.681355,“logger”:“events”,“msg”:“event”,“name”:“tls_get_certificate”,“id”:“8e99e2fc-a3be-4982-a72d-84b39a8dd4fc”,“origin”:“tls”,“data”:{“client_hello”:{“CipherSuites”:[39578,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],“ServerName”:“localhost”,“SupportedCurves”:[35466,29,23,24],“SupportedPoints”:“AA==”,“SignatureSchemes”:[1027,2052,1025,1283,2053,1281,2054,1537],“SupportedProtos”:[“h2”,“http/1.1”],“SupportedVersions”:[43690,772,771],“Conn”:{}}}}
caddy-caddy-1 | {“level”:“debug”,“ts”:1691328932.6816857,“logger”:“tls.handshake”,“msg”:“choosing certificate”,“identifier”:“localhost”,“num_choices”:1}
caddy-caddy-1 | {“level”:“debug”,“ts”:1691328932.6817124,“logger”:“tls.handshake”,“msg”:“default certificate selection results”,“identifier”:“localhost”,“subjects”:[“localhost”],“managed”:true,“issuer_key”:“local”,“hash”:“96043dfae69479651e385ec49bb01ba68fb875317e15b5d20e3a37af67e757e8”}
caddy-caddy-1 | {“level”:“debug”,“ts”:1691328932.6817288,“logger”:“tls.handshake”,“msg”:“matched certificate in cache”,“remote_ip”:“172.31.0.1”,“remote_port”:“51322”,“subjects”:[“localhost”],“managed”:true,“expiration”:1691372129,“hash”:“96043dfae69479651e385ec49bb01ba68fb875317e15b5d20e3a37af67e757e8”}
caddy-caddy-1 | {“level”:“debug”,“ts”:1691328932.6837966,“logger”:“http.stdlib”,“msg”:“http: TLS handshake error from 172.31.0.1:51322: remote error: tls: unknown certificate”}

Silvio_Ney · August 6, 2023, 1:37pm

Just noticed this error on logs:

caddy-caddy-1 | {“level”:“info”,“ts”:1691328928.9314532,“msg”:“warning: “certutil” is not available, install “certutil” with “apt install libnss3-tools” or “yum install nss-tools” and try again”}

it is normal?

francislavoie · August 6, 2023, 1:37pm

You need to install Caddy’s root CA cert on your host machine. There’s instructions for doing that here: Keep Caddy Running — Caddy Documentation

Silvio_Ney · August 6, 2023, 1:43pm

Thanks for your reply @francislavoie

i already did this step before and did not worked, logs from the command:

sudo docker compose cp \
    caddy:/data/caddy/pki/authorities/local/root.crt \
    /usr/local/share/ca-certificates/root.crt \
  && sudo update-ca-certificates
[+] Copying 1/0
 ✔ caddy-caddy-1 copy caddy-caddy-1:/data/caddy/pki/authorities/local/root.crt to /usr/local/share/ca-certificates/root.crt Copied                                                                            0.0s 
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

done.
done.

francislavoie · August 6, 2023, 1:56pm

Ah right – it works with curl because it uses the system trust store, but Chrome has its own separate trust store. You’ll need to manually install the root cert in Chrome’s trust store as well (Google for instructions).

Silvio_Ney · August 6, 2023, 2:12pm

Thank you! it solved on Chrome but in postman i am trying to add the certificate and got an error.
Googling i found a debug command and it gave this output:

openssl s_client -state -connect localhost:443 | openssl x509 -text

SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL3 alert read:fatal:internal error
SSL_connect:error in error
806B8127017F0000:error:0A000438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:../ssl/record/rec_layer_s3.c:1584:SSL alert number 80
Could not read certificate from <stdin>
807B01D9247F0000:error:1608010C:STORE routines:ossl_store_handle_load_result:unsupported:../crypto/store/store_result.c:151:
Unable to load certificate

francislavoie · August 6, 2023, 5:11pm

I can’t help with trust setup with other apps. This isn’t a problem with Caddy in particular at this point.

system · September 5, 2023, 5:11pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.