Need help modifying .yaml config to use preferred_chains with ISRG Root X1

1. Caddy version: 2.5.1

2. How I installed, and run Caddy:

I am using the Docker Image from LiveKit https://hub.docker.com/r/livekit/caddyl4/tags

a. System environment:

NixOS 22.05

b. Command:

command: run --config /etc/caddy.yaml --adapter yaml

c. Service/unit/compose file:

# LiveKit requires host networking, which is only available on Linux
# This compose will not function correctly on Mac or Windows
version: "3.9"
services:
  caddy:
    image: livekit/caddyl4
    command: run --config /etc/caddy.yaml --adapter yaml
    restart: unless-stopped
    network_mode: "host"
    volumes:
      - ./caddy.yaml:/etc/caddy.yaml
      - ./caddy_data:/data
  livekit:
    image: livekit/livekit-server:latest
    command: --config /etc/livekit.yaml
    restart: unless-stopped
    network_mode: "host"
    volumes:
      - ./livekit.yaml:/etc/livekit.yaml
  redis:
    image: redis:6-alpine
    command: redis-server /etc/redis.conf
    network_mode: "host"
    volumes:
      - ./redis.conf:/etc/redis.conf

d. My complete Caddy config:

logging:
  logs:
    default:
      level: INFO
storage:
  "module": "file_system"
  "root": "/data"
apps:
  tls:
    certificates:
      automate:
        - live.therapy-lift.net
        - live-turn.therapy-lift.net
  layer4:
    servers:
      main:
        listen: [":443"]
        routes:
          - match:
            - tls:
                sni:
                  - "live-turn.therapy-lift.net"
            handle:
              - handler: tls
              - handler: proxy
                upstreams:
                  - dial: ["23.88.43.252:5349"]
          - match:
              - tls:
                  sni:
                    - "live.therapy-lift.net"
            handle:
              - handler: tls
                connection_policies:
                  - alpn: ["http/1.1"]
              - handler: proxy
                upstreams:
                  - dial: ["localhost:7880"]

3. The problem I’m having:

I am having problems on iOS with my Flutter Frontend.
https://community.letsencrypt.org/t/r3-cert-not-trusted-by-iphone-ios-15-1/170755/3
I want to make caddy only serve the ISRG Root X1 chain.

But I don’t know anything about caddy so I am having trouble applying
the preferred_chains option correctly
to the config without breaking it.
I want this option to be set for all domains.

Thanks in advance.

That’s quite an old version at this point.

Please upgrade to v2.6.2.

I think it would look like this:

"preferred_chains": {
	"root_common_name": [
		"ISRG Root X1"
	]
}

This will match only a chain whose root matches that name.

If you used any_common_name then it would look at any link in the chain, not just the root. And it seems from your LE community forum thread that the problem is your client not checking intermediate certs for trust, but only checking the root, i.e. DST Root CA X3 which is still used for compatibility reasons. See Certificate Compatibility - Let's Encrypt

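To make the root_common_name versus any_common_name distinction above concrete, here is an added Go example; it is not code from this thread, from Caddy or from CertMagic. It generates two throwaway chains shaped like the two chains Let's Encrypt offered at the time (the short one ending in the self-signed ISRG Root X1, the long one continuing through the cross-signed ISRG Root X1 to DST Root CA X3) and applies both selectors to them. The CNs are reused only for recognisability: the keys and certificates are generated locally and are not the real ones, the leaf name live.example.test is made up, and ChainPreference/SelectChain are illustrative stand-ins for the selection logic, not CertMagic's API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ChainPreference stands in for the two selectors named in the thread
// (root_common_name / any_common_name); it is not CertMagic's own type.
type ChainPreference struct {
	RootCommonName []string // match only the chain's last (root) certificate
	AnyCommonName  []string // match any certificate in the chain
}

// MatchAnyCN: does any certificate in the chain carry one of the names?
func MatchAnyCN(chain []*x509.Certificate, names []string) bool {
	for _, c := range chain {
		for _, n := range names {
			if c.Subject.CommonName == n {
				return true
			}
		}
	}
	return false
}

// MatchRootCN: does the chain's root (last certificate) carry one of the names?
func MatchRootCN(chain []*x509.Certificate, names []string) bool {
	return len(chain) > 0 && MatchAnyCN(chain[len(chain)-1:], names)
}

// SelectChain returns the index of the first offered chain satisfying pref; with no
// preference the CA's default (first) chain wins. If nothing matches it returns -1
// so the mismatch is visible (CertMagic logs a warning and keeps the default chain).
func SelectChain(chains [][]*x509.Certificate, pref ChainPreference) int {
	for i, chain := range chains {
		if MatchRootCN(chain, pref.RootCommonName) || MatchAnyCN(chain, pref.AnyCommonName) {
			return i
		}
	}
	if len(pref.RootCommonName)+len(pref.AnyCommonName) == 0 && len(chains) > 0 {
		return 0
	}
	return -1
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a throwaway certificate for cn signed with signer's key; a nil
// parent yields a self-signed root. Demo material only, never real CA keys.
func issue(serial int64, cn string, isCA bool, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	ku := x509.KeyUsageDigitalSignature
	if isCA {
		ku |= x509.KeyUsageCertSign
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: ku,
	}
	if parent == nil {
		parent = tmpl // self-signed
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// BuildDemoChains generates two chains for one leaf (CNs reused, material constructed here):
//   short: leaf -> R3 -> ISRG Root X1 (self-signed)
//   long:  leaf -> R3 -> ISRG Root X1 (cross-signed by DST Root CA X3) -> DST Root CA X3
func BuildDemoChains() (short, long []*x509.Certificate) {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	isrgKey, dstKey, r3Key, leafKey := newKey(), newKey(), newKey(), newKey()
	isrgSelf := issue(1, "ISRG Root X1", true, &isrgKey.PublicKey, nil, isrgKey)
	dstRoot := issue(2, "DST Root CA X3", true, &dstKey.PublicKey, nil, dstKey)
	isrgCross := issue(3, "ISRG Root X1", true, &isrgKey.PublicKey, dstRoot, dstKey)
	r3 := issue(4, "R3", true, &r3Key.PublicKey, isrgSelf, isrgKey)
	leaf := issue(5, "live.example.test", false, &leafKey.PublicKey, r3, r3Key)
	return []*x509.Certificate{leaf, r3, isrgSelf}, []*x509.Certificate{leaf, r3, isrgCross, dstRoot}
}

func main() {
	short, long := BuildDemoChains()
	chains := [][]*x509.Certificate{long, short} // the long chain was the CA's default
	pref := ChainPreference{RootCommonName: []string{"ISRG Root X1"}}
	i := SelectChain(chains, pref)
	fmt.Printf("root_common_name selects chain %d with root %q\n", i, chains[i][len(chains[i])-1].Subject.CommonName)
}
```

With no preference the CA's default (long) chain is kept; root_common_name picks the short chain; any_common_name with "ISRG Root X1" also matches the long chain, because that CN appears in it as the cross-signed intermediate, so the first offered chain wins and a client that only looks at the end of the served chain still sees DST Root CA X3. That is why root_common_name is the selector to use here.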

Thank you so much for your fast help. 🙂

I opened an issue on the LiveKit GitHub;
if there is no movement, I will look into building the Docker image with the needed modules myself.

I am not familiar with the Caddy config structure.
Does this look good to you?
Again thank you a lot for your help.

logging:
  logs:
    default:
      level: INFO
storage:
  "module": "file_system"
  "root": "/data"
apps:
  tls:
    certificates:
      automate:
        - live.therapy-lift.net
        - live-turn.therapy-lift.net
        policies:
          issuers:
            acme:
              preferred_chains:
                root_common_name: ["ISRG Root X1"]
  layer4:
    servers:
      main:
        listen: [":443"]
        routes:
          - match:
            - tls:
                sni:
                  - "live-turn.therapy-lift.net"
            handle:
              - handler: tls
              - handler: proxy
                upstreams:
                  - dial: ["23.88.43.252:5349"]
          - match:
              - tls:
                  sni:
                    - "live.therapy-lift.net"
            handle:
              - handler: tls
                connection_policies:
                  - alpn: ["http/1.1"]
              - handler: proxy
                upstreams:
                  - dial: ["localhost:7880"]

Seems fine. But you can run caddy validate to check that your config is valid and loads properly.


A fellow NixOS user! 😃
Just be aware that NixOS 22.05 is EOL.
The latest stable channel is NixOS 22.11, following the usual 6-month release cycle.

Regarding your TLS issues:
Element (Matrix.org client) and Jitsi have similar TLS problems, both on Android and iOS, with LE.
A common workaround is to use a ZeroSSL certificate instead.
Might be worth a try in your case as well, especially since Caddy supports ZeroSSL out of the box.
Though it should be noted that I am not familiar with LiveStack or how Flutter might handle the trust chain.

A few references to issues around encrypted TURN and LE:


Oh hi @IndeedNotJames, we are becoming more and more, haha 😉
23.05 … it was a typo, but thanks for the reminder.

For the sake of completeness, this was the config that did what I wanted (I confirmed with SSL Labs that only one chain was served).
But the TLS issue did not go away.

logging:
  logs:
    default:
      level: INFO
storage:
  "module": "file_system"
  "root": "/data"
apps:
  tls:
    certificates:
      automate:
        - live.therapy-lift.net
        - live-turn.therapy-lift.net
    automation:
      policies:
        - issuers:
            - module: acme
              preferred_chains:
                root_common_name:
                  - "ISRG Root X1"

  layer4:
    servers:
      main:
        listen: [":443"]
        routes:
          - match:
              - tls:
                  sni:
                    - "live-turn.therapy-lift.net"
            handle:
              - handler: tls
              - handler: proxy
                upstreams:
                  - dial: ["23.88.43.252:5349"]
          - match:
              - tls:
                  sni:
                    - "live.therapy-lift.net"
            handle:
              - handler: tls
                connection_policies:
                  - alpn: ["http/1.1"]
              - handler: proxy
                upstreams:
                  - dial: ["localhost:7880"]

Yes, good idea and thanks for the resources.

I tried searching the caddy docs and tried modding the config like this.
But it throws a “tls: json: unknown field "issuer"”.

logging:
  logs:
    default:
      level: INFO
storage:
  "module": "file_system"
  "root": "/data"
apps:
  tls:
    issuer: zerossl SUPERSECRETAPIKEY
    certificates:
      automate:
        - live.therapy-lift.net
        - live-turn.therapy-lift.net
  layer4:
    servers:
      main:
        listen: [":443"]
        routes:
          - match:
              - tls:
                  sni:
                    - "live-turn.therapy-lift.net"
            handle:
              - handler: tls
              - handler: proxy
                upstreams:
                  - dial: ["23.88.43.252:5349"]
          - match:
              - tls:
                  sni:
                    - "live.therapy-lift.net"
            handle:
              - handler: tls
                connection_policies:
                  - alpn: ["http/1.1"]
              - handler: proxy
                upstreams:
                  - dial: ["localhost:7880"]

How would I force Caddy to only use ZeroSSL?
Would you modify my config please? 🙈

Thank you very much for your help.

See JSON Config Structure - Caddy Documentation; issuers go in apps > tls > automation > policies > issuers.


Thank you all so much for your help.
I solved the issue with the workaround @IndeedNotJames suggested.

For folks coming along from search engines, this is the config with which I had success.

logging:
  logs:
    default:
      level: INFO
storage:
  "module": "file_system"
  "root": "/data"
apps:
  tls:
    certificates:
      automate:
        - live.therapy-lift.net
        - live-turn.therapy-lift.net
    automation:
      policies:
        - issuers:
            - module: zerossl
              api_key: SUPERSECRETZEROSSLAPIKEY

  layer4:
    servers:
      main:
        listen: [":443"]
        routes:
          - match:
              - tls:
                  sni:
                    - "live-turn.therapy-lift.net"
            handle:
              - handler: tls
              - handler: proxy
                upstreams:
                  - dial: ["23.88.43.252:5349"]
          - match:
              - tls:
                  sni:
                    - "live.therapy-lift.net"
            handle:
              - handler: tls
                connection_policies:
                  - alpn: ["http/1.1"]
              - handler: proxy
                upstreams:
                  - dial: ["localhost:7880"]

Again, thank you a lot.
Caddy is an amazing project and I have now also switched other deployments from NGINX to Caddy 🙂
