1. Caddy version (caddy version
):
v2.3.0
2. How I run Caddy:
via systemd service in archlinux
# /etc/hosts/
127.0.0.1 localhost
127.0.0.1 code.localhost
127.0.0.1 cockpit.localhost
# /etc/caddy/Caddyfile
import /etc/caddy/conf.d/*
## code-server (vscode on server, listens on port 8080)
# /etc/caddy/conf.d/code-server
code.localhost {
reverse_proxy localhost:8080
}
## cockpit
/etc/caddy/conf.d/cockpit
cockpit.localhost {
reverse_proxy localhost:9090
}
a. System environment:
Archlinux, systemd-248.2
b. Command:
I run this as root
# Paste command here.
systemctl start caddy
c. Service/unit/compose file:
Paste full file contents here.
Make sure backticks stay on their own lines,
and the post looks nice in the preview pane.
systemctl enable --now caddy
d. My complete Caddyfile or JSON config:
# caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.
[Unit]
Description=Caddy web server
Documentation=https://caddyserver.com/docs/
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service
StartLimitIntervalSec=14400
StartLimitBurst=10
[Service]
User=caddy
Group=caddy
Environment=XDG_DATA_HOME=/var/lib
Environment=XDG_CONFIG_HOME=/etc
ExecStartPre=/usr/bin/caddy validate --config /etc/caddy/Caddyfile
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
ExecStopPost=/usr/bin/rm -f /run/caddy/admin.socket
# Do not allow the process to be restarted in a tight loop. If the
# process fails to start, something critical needs to be fixed.
Restart=on-abnormal
# Use graceful shutdown with a reasonable timeout
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
# Hardening options
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
DevicePolicy=closed
LockPersonality=true
MemoryAccounting=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectSystem=strict
RemoveIPC=true
ReadWritePaths=/var/lib/caddy /var/log/caddy /run/caddy
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
[Install]
WantedBy=multi-user.target
3. The problem I’m having:
I can’t connect to the given localhost sites using https.
4. Error messages and/or full log output:
Brave (chrome) gives the error NET::ERR_CERT_AUTHORITY_INVALID
.
$ curl -v cockpit.localhost
* Trying 127.0.0.1:80...
* Connected to cockpit.localhost (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: cockpit.localhost
> User-Agent: curl/7.76.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://cockpit.localhost/
< Server: Caddy
< Date: Sun, 23 May 2021 08:37:03 GMT
< Content-Length: 0
<
* Closing connection 0
$ curl -v https://cockpit.localhost
* Trying 127.0.0.1:443...
* Connected to cockpit.localhost (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
$ curl -v code.localhost
* Trying 127.0.0.1:80...
* Connected to code.localhost (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: code.localhost
> User-Agent: curl/7.76.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://code.localhost/
< Server: Caddy
< Date: Sun, 23 May 2021 08:42:41 GMT
< Content-Length: 0
<
* Closing connection 0
$ curl -v https://code.localhost
* Trying 127.0.0.1:443...
* Connected to code.localhost (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
5. What I already tried:
I was wondering if the certificate was considered self signed, but then I’m not sure if curl would give any error in that case.
Went through suggested answers in similar posts (everything seems to be already done / similar to what the docs said).
6. Links to relevant resources:
I just consulted caddy docs and past posts. Will post the specific ones in a bit.