Issues switching from .local to .localhost TLD

1. The problem I’m having:

I am trying to host some of my docker containers locally using caddy. I have successfully gotten it to work using the .local TLD, but nothing is resolving when I switch them over to the .localhost TLD.

2. Error messages and/or full log output:

INF ts=1680041538.9001062 msg=using provided configuration config_file=/etc/caddy/Caddyfile config_adapter=caddyfile
WRN ts=1680041538.9020388 msg=Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies adapter=caddyfile file=/etc/caddy/Caddyfile line=1
INF ts=1680041538.9030972 logger=admin msg=admin endpoint started address=localhost:2019 enforce_origin=false origins=["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]
INF ts=1680041538.903509 logger=http msg=server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS server_name=srv0 https_port=443
INF ts=1680041538.903525 logger=http msg=enabling automatic HTTP->HTTPS redirects server_name=srv0
INF ts=1680041538.9036286 logger=tls.cache.maintenance msg=started background certificate maintenance cache=0xc0001f12d0
INF ts=1680041538.920608 logger=pki.ca.local msg=root certificate is already trusted by system path=storage:pki/authorities/local/root.crt
INF ts=1680041538.9208004 logger=http msg=enabling HTTP/3 listener addr=:443
INF ts=1680041538.9208927 msg=failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Receive-Buffer-Size for details.
INF ts=1680041538.9209976 logger=http.log msg=server running name=srv0 protocols=["h1","h2","h3"]
INF ts=1680041538.9210474 logger=http.log msg=server running name=remaining_auto_https_redirects protocols=["h1","h2","h3"]
INF ts=1680041538.9210558 logger=http msg=enabling automatic TLS certificate management domains=["adguard.local","portainer.local","portainer.localhost"]
WRN ts=1680041538.9217272 logger=tls msg=stapling OCSP error=no OCSP stapling for [adguard.local]: no OCSP server specified in certificate identifiers=["adguard.local"]
WRN ts=1680041538.9220595 logger=tls msg=stapling OCSP error=no OCSP stapling for [portainer.local]: no OCSP server specified in certificate identifiers=["portainer.local"]
WRN ts=1680041538.9225974 logger=tls msg=stapling OCSP error=no OCSP stapling for [portainer.localhost]: no OCSP server specified in certificate identifiers=["portainer.localhost"]
INF ts=1680041538.922717 logger=tls msg=cleaning storage unit description=FileStorage:/data/caddy
INF ts=1680041538.9227748 msg=autosaved config (load with --resume flag) file=/config/caddy/autosave.json
INF ts=1680041538.9227893 msg=serving initial configuration
INF ts=1680041538.9248555 msg=[ERROR] Deleting expired certificates: certificate file certificates/acme-v02.api.letsencrypt.org-directory/caddy/root.crt does not contain PEM-encoded certificate
INF ts=1680041538.9248672 logger=tls msg=finished cleaning storage units

3. Caddy version:

v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=

4. How I installed and ran Caddy:

a. System environment:

Distributor ID: Ubuntu
Description: Ubuntu 22.04.1 LTS
Release: 22.04
Codename: jammy

Docker Compose

b. Command:

c. Service/unit/compose file:

  caddy:
    image: caddy:latest
    container_name: caddy
    restart: always
    volumes:
      - ${USERDIR}/Caddy/config:/etc/caddy
      - ${USERDIR}/Caddy/.caddy:/root/.caddy
      - ${USERDIR}/Caddy:/data
    ports:
      - "80:80"
      - "443:443"

d. My complete Caddy config:

adguard.local {
	reverse_proxy 192.168.0.107:3080
}

portainer.local, portainer.localhost {
	reverse_proxy portainer:9000
}

5. Links to relevant resources:

I am switching to .localhost from .local because .local does not work on my Mac for, I think, this reason: .local domain not working

I have made sure .local and .localhost both have DNS rewrites on my AdGuard server. They are both being redirected to the correct internal IP when I curl:

$ curl -v https://karaoke.localhost
*   Trying 192.168.0.107:443...
* Connected to karaoke.localhost (192.168.0.107) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

When I navigate to portainer.local, it successfully resolves. When I navigate to portainer.localhost, I get ERR_CONNECTION_REFUSED.

I don’t recommend using .localhost for anything you want to reach from another machine. That TLD is reserved for “this same machine”.

You could use .home.arpa which is the “more correct” TLD for home use. .test would be fine as well.

Did you install Caddy’s root CA cert on your host machine? Since you’re running in Docker, Caddy can’t automate installation of the root cert because it’s obviously isolated from the host.


I have installed the root certificate on all of my personal machines and am having no connection issues with .local except on my Mac. The only reason I tried .localhost instead of .home.arpa is that I noticed only .local and .localhost were tagged as internal and used the root.crt file instead of trying to get an ACME cert. This is where I saw that. When trying to use .home.arpa, I receive these errors when starting up Caddy:

ERR ts=1680099215.007353 logger=tls.obtain msg=could not get certificate from issuer identifier=portainer.home.arpa issuer=acme-v02.api.letsencrypt.org-directory error=HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Error creating new order :: Cannot issue for "portainer.home.arpa": The ACME server refuses to issue a certificate for this domain name, because it is forbidden by policy
INF ts=1680099215.0100114 logger=http msg=waiting on internal rate limiter identifiers=["portainer.home.arpa"] ca=https://acme.zerossl.com/v2/DV90 account=
INF ts=1680099215.0100858 logger=http msg=done waiting on internal rate limiter identifiers=["portainer.home.arpa"] ca=https://acme.zerossl.com/v2/DV90 account=
ERR ts=1680099216.2487102 logger=tls.obtain msg=could not get certificate from issuer identifier=portainer.home.arpa issuer=acme.zerossl.com-v2-DV90 error=HTTP 401 urn:ietf:params:acme:error:unauthorized - A requested identifier is not permitted [portainer.home.arpa]
ERR ts=1680099216.2489011 logger=tls.obtain msg=will retry error=[portainer.home.arpa] Obtain: [portainer.home.arpa] creating new order: attempt 1: https://acme.zerossl.com/v2/DV90/newOrder: HTTP 401 urn:ietf:params:acme:error:unauthorized - A requested identifier is not permitted [portainer.home.arpa] (ca=https://acme.zerossl.com/v2/DV90) attempt=1 retrying_in=60 elapsed=1.552628917 max_duration=2592000

You just need to add tls internal to each site in your Caddyfile to tell Caddy to use the internal issuer.
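For reference, here is what that change looks like applied to the Caddyfile from the original post, moved to .home.arpa as suggested above. This is an added example, not the poster's final config; the upstream addresses are the ones shown earlier in the thread.

```caddyfile
# Added example (not the poster's config): the same two sites on .home.arpa,
# each with "tls internal" so Caddy signs the certificate with its own local CA
# (the root.crt in storage) instead of asking Let's Encrypt or ZeroSSL, which
# refuse to issue for a reserved name like *.home.arpa.
adguard.home.arpa {
	tls internal
	reverse_proxy 192.168.0.107:3080
}

portainer.home.arpa {
	tls internal
	reverse_proxy portainer:9000
}
```

If every site on this instance should use the local CA, the global option `local_certs` in a top-level `{ ... }` block does the same thing for all of them without repeating `tls internal` per site; clients still need Caddy's root.crt in their trust store (curl on Windows, as in the log above, uses its own CA bundle rather than the system store, hence the "unable to get local issuer certificate" error).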

Okay, that seems to have worked! For some reason I thought that tls internal was deprecated.

Thank you so much for your quick help!

