Manual issuance from internal PKI?

9peppe · May 9, 2022, 8:55am

1. Caddy version (`caddy version`):

2.5.1 from apt

2. How I run Caddy:

Stock systemd unit on Ubuntu 22.04.

d. My complete Caddyfile or JSON config:

{
        servers :443 {
                protocol {
                        experimental_http3
                        #strict_sni_host
                }
        }
        email ...
        pki {
                ca {
                        name "Quake CA"
                }
        }
}

localhost:2020, Quake:2020 {
        tls internal
        acme_server
        file_server /var/www/acme
}
# ...

3. The problem I’m having:

No problem, actually. I was just trying to use the internal CA, either via acme or not, to issue certificates for containers I want to reverse proxy.

4. Error messages and/or full log output:

5. What I already tried:

I tried looking pretty much anywhere to see if I can disable validation in the acme server, like it were pebble, or if there’s a command somewhere to issue a certificate manually from the intermediates Caddy produces, but I am not sure I want to go that route with openssl and its CLI.

6. Links to relevant resources:

francislavoie · May 9, 2022, 2:11pm

We don’t currently have a way to do it directly, but we’ll likely add it eventually, as an admin API endpoint that takes basically a CSR (certificate signing request) and gives you back a cert.

If you want to use ACME then yeah, use the acme_server directive and point your ACME client to Caddy.

9peppe · May 9, 2022, 3:15pm

It’s not that I want to use it. I just explored using it to get a certificate. But I would have to also point the acme server to a fake resolver that always answers “yeah, that’s 127.0.0.1” for every possible query

francislavoie · May 9, 2022, 3:40pm

You can run CoreDNS:

https://coredns.io/

9peppe · May 9, 2022, 5:15pm

Sounds fun

system · June 8, 2022, 8:55am

This topic was automatically closed after 30 days. New replies are no longer allowed.