1. Caddy version (caddy version
):
v2.1.1 h1:X9k1+ehZPYYrSqBvf/ocUgdLSRIuiNiMo7CvyGUQKeA=
2. How I run Caddy:
docker run -d -p 80:80 -p 443:443 caddy caddy file-server --domain mac.local
a. System environment:
server: Docker version 19.03.8, build afacb8b
clients: macOS10.15.5, Safari 13.1.1, Chrome 83.0.4103.116
alternate clients: macOS 10.14.5 Safari 13.1.1, Chrome 83
works on (clients): macOS10.15.5, Firefox 78.0.1
b. Command:
#prep a "domain"
sudo bash -c "echo 127.0.0.1 mac.local >> /etc/hosts"
#run caddy (fresh docker image)
docker pull caddy
docker run -d -p 80:80 -p 443:443 caddy caddy file-server --domain mac.local
#get caddy's root.crt
docker exec $(docker ps |grep caddy|awk '{ print $1; }') cat /data/caddy/pki/authorities/local/root.crt >./caddy-docker.crt
#install root crt
open ./caddy-docker.crt
#install to system keychain, set trust (ssl, x.509)
3. The problem I’m having:
Trying to use Caddy 2.1 to serve https on internal domains to (mostly) mac clients. All is working except for Safari and Chrome (both using Keychain) on macOS. No matter what I do so far they are giving errors and not connecting. AFAICT the certs are complying with [1], but they both give the “certificate invalid” message with an additional info “certificate is not standards compliant” (please see below). Firefox on the same machines works (it also uses the separate cert store and handling).
4. Error messages and/or full log output:
Chrome’s certificate details:
Chrome’s message:
Your connection is not private
Attackers might be trying to steal your information from mac.local (for example, passwords, messages or credit cards). Learn more
NET::ERR_CERT_INVALID
Subject:
Issuer: Caddy Local Authority - ECC Intermediate
Expires on: 3 Jul 2020
Current date: 2 Jul 2020
PEM encoded chain:-----BEGIN CERTIFICATE-----
MIIBuzCCAWGgAwIBAgIRAMGDzv0suRkkU3eIWoDbePIwCgYIKoZIzj0EAwIwMzEx
MC8GA1UEAxMoQ2FkZHkgTG9jYWwgQXV0aG9yaXR5IC0gRUNDIEludGVybWVkaWF0
ZTAeFw0yMDA3MDIxNTM1MzZaFw0yMDA3MDMwMzM2MzZaMAAwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAATjupQHoH3xEwQC6PXxX1e0C4oYLfIATo5p3z5osc+9oB3d
p7SWcb0sKtgbqRyzC2mCzVBlKin5Ld9ur5ndhebdo4GIMIGFMA4GA1UdDwEB/wQE
AwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFBW8
wMrBVJDulZUFtgbxS9xOUVohMB8GA1UdIwQYMBaAFBqZ8rK4lWcHiTn2Z4pu2riK
tto5MBQGA1UdEQQNMAuCCW1hYy5sb2NhbDAKBggqhkjOPQQDAgNIADBFAiEA4M0k
AYt3GuLjWSccvOkBZTex6TTbCAzRootmbVRDhxkCIDNUb0N8iWdbFSIutBu1Fl/M
RL2GKINJEjAPX1cYwJIl
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIByDCCAW6gAwIBAgIRAOyDkcQZDIVb1lv/kE0A1AUwCgYIKoZIzj0EAwIwMDEu
MCwGA1UEAxMlQ2FkZHkgTG9jYWwgQXV0aG9yaXR5IC0gMjAyMCBFQ0MgUm9vdDAe
Fw0yMDA3MDIxNTM2MzZaFw0yMDA3MDkxNTM2MzZaMDMxMTAvBgNVBAMTKENhZGR5
IExvY2FsIEF1dGhvcml0eSAtIEVDQyBJbnRlcm1lZGlhdGUwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAARdJos1Uq4KlWcZViTDNiAOpmLgWQcTbacYOQEaIYZPKxwh
+KeWj/m8n3Zn9BRvT3DNtICKpFoUpj/xwb76825Qo2YwZDAOBgNVHQ8BAf8EBAMC
AQYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUGpnysriVZweJOfZnim7a
uIq22jkwHwYDVR0jBBgwFoAUXF+yBOlGlhXratOfulsmlkGWsIIwCgYIKoZIzj0E
AwIDSAAwRQIgDZNui3GCY6cch8WmnCLaKYV5o7tlo0RO6mKCpo/NyYcCIQC/2CsF
dpRGddv7/Te4xVTCMDCMAFvqwd20dRkM60Z7NA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBozCCAUmgAwIBAgIQXAXuCY0O/Fc1gMxKinF94TAKBggqhkjOPQQDAjAwMS4w
LAYDVQQDEyVDYWRkeSBMb2NhbCBBdXRob3JpdHkgLSAyMDIwIEVDQyBSb290MB4X
DTIwMDcwMjE1MzYzNloXDTMwMDUxMTE1MzYzNlowMDEuMCwGA1UEAxMlQ2FkZHkg
TG9jYWwgQXV0aG9yaXR5IC0gMjAyMCBFQ0MgUm9vdDBZMBMGByqGSM49AgEGCCqG
SM49AwEHA0IABCL0no9kPHxEwfnkumytp5G/3FZDH8YEqbpg5SYvMIaZKHZilCH2
AEGBWDhx2xc0ZtZMjd1xka4qyv+qt5twEoujRTBDMA4GA1UdDwEB/wQEAwIBBjAS
BgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBRcX7IE6UaWFetq05+6WyaWQZaw
gjAKBggqhkjOPQQDAgNIADBFAiEA4DSYd5dWf1POgHJ6WDAmgASgz0TK9cvT8+7y
ZvH0zZcCIH39816+jy9BbKeyfkFwMjsh+An1OW0yg5Ph9XcHQbTR
-----END CERTIFICATE-----Help improve Chrome security by sending URLs of some pages that you visit, limited system information and some page content to Google. Privacy Policy
ReloadHide advanced
mac.local normally uses encryption to protect your information. When Google Chrome tried to connect to mac.local this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be mac.local, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.
You cannot visit mac.local at the moment because the website sent scrambled credentials that Google Chrome cannot process. Network errors and attacks are usually temporary, so this page will probably work later.
caddy’s output (when reloading that page)
For Safari it gives:
2020/07/02 15:52:05 http: TLS handshake error from 172.17.0.1:55420: EOF
For Chrome it gives:
2020/07/02 16:11:30 http: TLS handshake error from 172.17.0.1:55610: remote error: tls: unknown certificate
5. What I already tried:
Tried caddy 2.0, tried macOS14 and 15. Multiple machines. Multiple domains with more or less specific Caddy configurations. Multiple ways of “delegating” those domains. Tried Caddy in Docker, bare Debian, and macOS. Longer cert expiry. And yes, rebooted…
I seem to be running out of the obvious options to try (less of reimplementing/using external certs) and if anyone was able to give me a hint of what I might’ve been doing wrong I’d be deeply obliged! Thanks!
6. Links to relevant resources:
[1] Requirements for trusted certificates in iOS 13 and macOS 10.15 - Apple Support