Localhost certificate invalid on macOS

1. Caddy version (caddy version):

v2.1.1 h1:X9k1+ehZPYYrSqBvf/ocUgdLSRIuiNiMo7CvyGUQKeA=

2. How I run Caddy:

caddy run

a. System environment:

macOS 10.15.5

b. Command:

caddy run

c. Service/unit/compose file:

no file

d. My complete Caddyfile or JSON config:

{
    email faradaytrs@gmail.com
    experimental_http3
}

(php) {
    encode zstd gzip
    #php_fastcgi /run/php/php7.4-fpm.sock
    php_fastcgi 127.0.0.1:9000
}

(headers) {
    header / {
        X-Frame-Options SAMEORIGIN
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options nosniff
    }
}

localhost {
    root * "/Users/imax/PhpstormProjects/globus/web"
    encode gzip zstd

    try_files {path} /index.php?p={path}&{query} /index.php?{query}

    php_fastcgi 127.0.0.1:9000
    file_server
}



3. The problem I’m having:

Certificate invalid in any browser NET::ERR_CERT_INVALID

4. Error messages and/or full log output:

2020/07/13 03:16:28.393 INFO automigrate beginning one-time data directory migration {"old_dir": "/Users/imax/.local/share/caddy", "new_dir": "/Users/imax/Library/Application Support/Caddy", "details": "v2: Honor OS-specific file system storage conventions and migrate all assets to new locations · Issue #2955 · caddyserver/caddy · GitHub"}
2020/07/13 03:16:28.393 ERROR automigrate new data directory already exists; skipping auto-migration as conservative safety measure {"old_dir": "/Users/imax/.local/share/caddy", "new_dir": "/Users/imax/Library/Application Support/Caddy", "instructions": "v2: Honor OS-specific file system storage conventions and migrate all assets to new locations · Issue #2955 · caddyserver/caddy · GitHub"}
2020/07/13 03:16:28.393 INFO using adjacent Caddyfile
2020/07/13 03:16:28.399 INFO admin admin endpoint started {"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["localhost:2019", "[::1]:2019", "127.0.0.1:2019"]}
2020/07/13 03:16:28.399 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv1"}
2020/07/13 03:16:28.399 INFO http server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2020/07/13 03:16:28.399 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
2020/07/13 11:16:28 [INFO][cache:0xc00007c240] Started certificate maintenance routine
2020/07/13 03:16:28.407 INFO tls setting internal issuer for automation policy that has only internal subjects but no issuer configured {"subjects": ["localhost"]}
2020/07/13 03:16:28.409 INFO tls cleaned up storage units
2020/07/13 03:16:28.487 INFO pki.ca.local root certificate is already trusted by system {"path": "storage:pki/authorities/local/root.crt"}
2020/07/13 03:16:28.487 INFO pki intermediate expires soon; renewing {"ca": "local", "time_remaining": 9648.512764}
2020/07/13 03:16:28.489 INFO pki renewed intermediate {"ca": "local", "new_expiration": "2020/07/20 03:16:28.000"}
2020/07/13 03:16:28.489 INFO http enabling experimental HTTP/3 listener {"addr": ":443"}
2020/07/13 03:16:28.489 INFO http enabling experimental HTTP/3 listener {"addr": ":3010"}
2020/07/13 03:16:28.489 INFO http enabling automatic TLS certificate management {"domains": ["localhost"]}
2020/07/13 11:16:28 [WARNING] Stapling OCSP: no OCSP stapling for [localhost]: no OCSP server specified in certificate
2020/07/13 03:16:28.498 INFO autosaved config {"file": "/Users/imax/Library/Application Support/Caddy/autosave.json"}
2020/07/13 03:16:28.498 INFO serving initial configuration
2020/07/13 11:16:28 [INFO][localhost] Renew certificate; acquiring lock...
2020/07/13 11:16:28 [INFO][localhost] Renew: Lock acquired; proceeding...
2020/07/13 11:16:28 [INFO][localhost] Renew: -55h15m15.501363s remaining
2020/07/13 11:16:28 [INFO][localhost] Certificate renewed successfully
2020/07/13 11:16:28 [INFO][localhost] Renew: Releasing lock
2020/07/13 11:16:28 [INFO] Reloading managed certificate for [localhost]
2020/07/13 11:16:28 [WARNING] Stapling OCSP: no OCSP stapling for [localhost]: no OCSP server specified in certificate
2020/07/13 11:16:28 [INFO] Replaced certificate in cache for [localhost] (new expiration date: 2020-07-13 15:16:28)
2020/07/13 11:16:38 http: TLS handshake error from [::1]:64273: remote error: tls: unknown certificate
2020/07/13 11:16:39 http: TLS handshake error from [::1]:64291: remote error: tls: unknown certificate
2020/07/13 11:16:44 http: TLS handshake error from [::1]:64303: remote error: tls: unknown certificate
2020/07/13 11:16:48 http: TLS handshake error from [::1]:64308: remote error: tls: unknown certificate

5. What I already tried:

6. Links to relevant resources:

Different browsers use different trust stores. Apparently the root cert is already installed into the system trust store:

2020/07/13 03:16:28.487 INFO pki.ca.local root certificate is already trusted by system {"path": "storage:pki/authorities/local/root.crt"}

but not all browsers use it. You may also have to restart your browser. In any case, just add that root cert to your browser’s trust store (whichever one it uses) and it will work.

The root seems to be trusted and is marked as trusted; have a look.

And I have this problem in all browsers…

I dunno why “all browsers” are having the problem but Chrome recently had a change that we have fixed on master; try building the latest from source and see how that goes.

Build from master works well… thanks

I used “brew install --HEAD caddy” to get the master build with commit “eda54c2” and I am still running into “NET::ERR_CERT_INVALID” on Chrome v83, macOS 10.15.5 and similar problems on Firefox, when trying to access my localhost dev server over https.

I did attempt to caddy untrust and caddy trust after upgrading but it did not help. Maybe the fact that I originally created the local CA with caddy v2.0.0 is contributing to the problem.

Let me know if you need any more info to reproduce, or if I should file an issue.

Caddy will reuse an existing unexpired root and intermediate certificate, so to replace them make sure to untrust them, then delete them from Caddy's data directory, then try again.
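To make the two pieces of advice in this thread checkable (the root in the OS trust store vs. the one Caddy actually issues from, and the untrust/delete/re-run reset), here is an added helper script; it is not the thread's or Caddy's own code. It assumes Caddy's default file storage (the `pki/authorities/local` path shown in the log), a server listening on localhost:443, and, on macOS, that `security find-certificate -Z` prints the SHA-256 hash; `check` only reads, `reset` deletes the local CA.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: compare the root Caddy issues from with what
# the OS trusts and the chain actually served, then reset the local CA as described.
set -eu

# Data directory as Caddy's log reports it: macOS "new_dir", else the XDG default.
caddy_data_dir() {
  case "$(uname -s)" in
    Darwin) printf '%s\n' "$HOME/Library/Application Support/Caddy" ;;
    *)      printf '%s\n' "${XDG_DATA_HOME:-$HOME/.local/share}/caddy" ;;
  esac
}

# Colon-separated SHA-256 fingerprint of a PEM certificate file.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Is a cert with this fingerprint in the macOS System keychain? Assumes that
# `security find-certificate -Z` prints the SHA-256 hash without colons.
root_in_system_keychain() {
  fp=$(cert_fingerprint "$1" | tr -d ':')
  out=$(security find-certificate -a -Z /Library/Keychains/System.keychain 2>/dev/null || true)
  printf '%s\n' "$out" | grep -qi "$fp"
}

# Fetch the chain the running server presents and verify its leaf (first cert)
# against the storage root, with the rest of the chain as untrusted intermediates.
served_chain_verifies() {
  root=$1; rc=0; chain=$(mktemp)
  openssl s_client -connect localhost:443 -servername localhost -showcerts \
    </dev/null 2>/dev/null | sed -n '/-BEGIN CERT/,/-END CERT/p' >"$chain"
  openssl verify -CAfile "$root" -untrusted "$chain" "$chain" >/dev/null 2>&1 || rc=$?
  rm -f "$chain"; return "$rc"
}

# The thread's fix: Caddy reuses an unexpired root/intermediate, so drop OS trust and
# delete the local CA; the next `caddy run` mints a fresh one (then `caddy trust`).
reset_local_ca() { caddy untrust; rm -rf "$(caddy_data_dir)/pki/authorities/local"; }

check() {
  root="$(caddy_data_dir)/pki/authorities/local/root.crt"
  [ -f "$root" ] || { echo "no local CA at $root"; return 1; }
  echo "storage root: $(cert_fingerprint "$root")"
  [ "$(uname -s)" != Darwin ] || { root_in_system_keychain "$root" && echo "root is in System keychain" || echo "root NOT in System keychain"; }
  served_chain_verifies "$root" && echo "served chain verifies against storage root" || echo "served chain does NOT verify (stale CA in storage?)"
}
case "${1:-}" in check) check ;; reset) reset_local_ca ;; esac
```

Run `./caddy-ca-check.sh check` while `caddy run` is up; a root that is in the keychain but a chain that does not verify against it is exactly the stale-CA situation the reset is for.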

Great, that worked for me thanks!
