NET::ERR_CERT_DATE_INVALID occurs every day

1. The problem I’m having:

Every day the browser complains with this error the first time I visit a local domain. If I refresh the page, the error is gone and everything is fine.

I think it’s related to the certificate cache, but I can’t find any solution.

2. Error messages and/or full log output:

NET::ERR_CERT_DATE_INVALID

3. Caddy version:

v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=

4. How I installed and ran Caddy:

Docker inspection:

{
    "AppArmorProfile": "",
    "Args": [
        "run",
        "--config",
        "/etc/caddy/Caddyfile",
        "--adapter",
        "caddyfile"
    ],
    "Config": {
        "AttachStderr": false,
        "AttachStdin": false,
        "AttachStdout": false,
        "Cmd": [
            "caddy",
            "run",
            "--config",
            "/etc/caddy/Caddyfile",
            "--adapter",
            "caddyfile"
        ],
        "Domainname": "",
        "Entrypoint": null,
        "Env": [
            "TCP_PORT_443=2443",
            "CLOUDFLARE_API_TOKEN=DELETED",
            "CLOUDFLARE_EMAIL=DELETED",
            "ACME_AGREE=true",
            "TZ=Asia/Shanghai",
            "TCP_PORT_80=2080",
            "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
            "CADDY_VERSION=v2.7.6",
            "XDG_CONFIG_HOME=/config",
            "XDG_DATA_HOME=/data",
            "HOST_HOSTNAME=$HOSTNAME"
        ],
        "ExposedPorts": {
            "2019/tcp": {},
            "443/tcp": {},
            "443/udp": {},
            "80/tcp": {}
        },
        "Hostname": "7b0f42ebb7bd",
        "Image": "slothcroissant/caddy-cloudflaredns:latest",
        "Labels": {
            "net.unraid.docker.icon": "https://d1q6f0aelx0por.cloudfront.net/product-logos/library-caddy-logo.png",
            "net.unraid.docker.managed": "dockerman",
            "org.opencontainers.image.description": "a powerful, enterprise-ready, open source web server with automatic HTTPS written in Go",
            "org.opencontainers.image.documentation": "https://caddyserver.com/docs",
            "org.opencontainers.image.licenses": "Apache-2.0",
            "org.opencontainers.image.source": "https://github.com/caddyserver/caddy-docker",
            "org.opencontainers.image.title": "Caddy",
            "org.opencontainers.image.url": "https://caddyserver.com",
            "org.opencontainers.image.vendor": "Light Code Labs",
            "org.opencontainers.image.version": "v2.7.6"
        },
        "OnBuild": null,
        "OpenStdin": false,
        "StdinOnce": false,
        "Tty": false,
        "User": "",
        "Volumes": {
            "/config": {},
            "/data": {},
            "/etc/caddy/Caddyfile": {}
        },
        "WorkingDir": "/srv"
    },
    "Created": "2024-01-10T03:15:11.23190038Z",
    "Driver": "overlay2",
    "ExecIDs": [
        "363fbcde9e4901d5a8192b05e664bbce238f801c0b0bee22f965773ca1dd6531"
    ],
    "GraphDriver": {
        "Data": {
            "LowerDir": "/var/lib/docker/overlay2/eb4b7a62f7b029818921bbf4521a80a71300f90a30f122f3841afe4a1ec37784-init/diff:/var/lib/docker/overlay2/ca0c3743702e67c6f80baa46159d160c596c2b07c58df598d81bf8abbb46c6b4/diff:/var/lib/docker/overlay2/5848f8254c69f50ef7603da8fb7683e98e2b9cf9c52c6faaf80efdfe19f1f42f/diff:/var/lib/docker/overlay2/ff9b7037e1bf8c981c9f2c5cbb232fcaa0c45b940ac631a6ac464ecb37bb8461/diff:/var/lib/docker/overlay2/854bfa5aacf0635cb0530d7192dd269241ac74371e15cdfdcb30d08043ea1bea/diff:/var/lib/docker/overlay2/f5a1ec28c0c569d0568d0cb8492161549621599fef643c3c0542fab0dc0c8e05/diff",
            "MergedDir": "/var/lib/docker/overlay2/eb4b7a62f7b029818921bbf4521a80a71300f90a30f122f3841afe4a1ec37784/merged",
            "UpperDir": "/var/lib/docker/overlay2/eb4b7a62f7b029818921bbf4521a80a71300f90a30f122f3841afe4a1ec37784/diff",
            "WorkDir": "/var/lib/docker/overlay2/eb4b7a62f7b029818921bbf4521a80a71300f90a30f122f3841afe4a1ec37784/work"
        },
        "Name": "overlay2"
    },
    "HostConfig": {
        "AutoRemove": false,
        "Binds": [
            "/root/appdata/caddyv2/config:/config",
            "/root/appdata/caddyv2/data:/data",
            "/root/appdata/caddyv2/Caddyfile:/etc/caddy/Caddyfile"
        ],
        "BlkioDeviceReadBps": [],
        "BlkioDeviceReadIOps": [],
        "BlkioDeviceWriteBps": [],
        "BlkioDeviceWriteIOps": [],
        "BlkioWeight": 0,
        "BlkioWeightDevice": [],
        "CapAdd": [
            "AUDIT_WRITE",
            "CHOWN",
            "DAC_OVERRIDE",
            "FOWNER",
            "FSETID",
            "KILL",
            "MKNOD",
            "NET_BIND_SERVICE",
            "NET_RAW",
            "SETFCAP",
            "SETGID",
            "SETPCAP",
            "SETUID",
            "SYS_CHROOT"
        ],
        "CapDrop": [
            "AUDIT_CONTROL",
            "BLOCK_SUSPEND",
            "DAC_READ_SEARCH",
            "IPC_LOCK",
            "IPC_OWNER",
            "LEASE",
            "LINUX_IMMUTABLE",
            "MAC_ADMIN",
            "MAC_OVERRIDE",
            "NET_ADMIN",
            "NET_BROADCAST",
            "SYSLOG",
            "SYS_ADMIN",
            "SYS_BOOT",
            "SYS_MODULE",
            "SYS_NICE",
            "SYS_PACCT",
            "SYS_PTRACE",
            "SYS_RAWIO",
            "SYS_RESOURCE",
            "SYS_TIME",
            "SYS_TTY_CONFIG",
            "WAKE_ALARM"
        ],
        "Cgroup": "",
        "CgroupParent": "",
        "CgroupnsMode": "private",
        "ConsoleSize": [
            68,
            201
        ],
        "ContainerIDFile": "",
        "CpuCount": 0,
        "CpuPercent": 0,
        "CpuPeriod": 0,
        "CpuQuota": 0,
        "CpuRealtimePeriod": 0,
        "CpuRealtimeRuntime": 0,
        "CpuShares": 0,
        "CpusetCpus": "",
        "CpusetMems": "",
        "DeviceCgroupRules": null,
        "DeviceRequests": null,
        "Devices": [],
        "Dns": [],
        "DnsOptions": [],
        "DnsSearch": [],
        "ExtraHosts": [],
        "GroupAdd": null,
        "IOMaximumBandwidth": 0,
        "IOMaximumIOps": 0,
        "IpcMode": "private",
        "Isolation": "",
        "KernelMemory": 0,
        "KernelMemoryTCP": 0,
        "Links": null,
        "LogConfig": {
            "Config": {
                "max-file": "5",
                "max-size": "10m",
                "tag": "{{.Name}}"
            },
            "Type": "json-file"
        },
        "MaskedPaths": [
            "/proc/asound",
            "/proc/acpi",
            "/proc/kcore",
            "/proc/keys",
            "/proc/latency_stats",
            "/proc/timer_list",
            "/proc/timer_stats",
            "/proc/sched_debug",
            "/proc/scsi",
            "/sys/firmware",
            "/sys/devices/virtual/powercap"
        ],
        "Memory": 0,
        "MemoryReservation": 0,
        "MemorySwap": 0,
        "MemorySwappiness": null,
        "NanoCpus": 0,
        "NetworkMode": "bridge",
        "OomKillDisable": null,
        "OomScoreAdj": 0,
        "PidMode": "",
        "PidsLimit": null,
        "PortBindings": {
            "443/tcp": [
                {
                    "HostIp": "",
                    "HostPort": "443"
                }
            ],
            "80/tcp": [
                {
                    "HostIp": "",
                    "HostPort": "80"
                }
            ]
        },
        "Privileged": false,
        "PublishAllPorts": false,
        "ReadonlyPaths": [
            "/proc/bus",
            "/proc/fs",
            "/proc/irq",
            "/proc/sys",
            "/proc/sysrq-trigger"
        ],
        "ReadonlyRootfs": false,
        "RestartPolicy": {
            "MaximumRetryCount": 0,
            "Name": "unless-stopped"
        },
        "Runtime": "runc",
        "SecurityOpt": null,
        "ShmSize": 67108864,
        "UTSMode": "",
        "Ulimits": null,
        "UsernsMode": "",
        "VolumeDriver": "",
        "VolumesFrom": null
    },
    "HostnamePath": "/var/lib/docker/containers/14504590c13aff77f9bb158d93fb69f752324c7baa1352ec586efe03656aedaf/hostname",
    "HostsPath": "/var/lib/docker/containers/14504590c13aff77f9bb158d93fb69f752324c7baa1352ec586efe03656aedaf/hosts",
    "Id": "14504590c13aff77f9bb158d93fb69f752324c7baa1352ec586efe03656aedaf",
    "Image": "sha256:531880627e446d878ef2c1eb054d01aaef929701ca0fc83de5ff9de1cecff8ab",
    "LogPath": "/var/lib/docker/containers/14504590c13aff77f9bb158d93fb69f752324c7baa1352ec586efe03656aedaf/14504590c13aff77f9bb158d93fb69f752324c7baa1352ec586efe03656aedaf-json.log",
    "MountLabel": "",
    "Mounts": [
        {
            "Destination": "/config",
            "Mode": "",
            "Propagation": "rprivate",
            "RW": true,
            "Source": "/root/appdata/caddyv2/config",
            "Type": "bind"
        },
        {
            "Destination": "/data",
            "Mode": "",
            "Propagation": "rprivate",
            "RW": true,
            "Source": "/root/appdata/caddyv2/data",
            "Type": "bind"
        },
        {
            "Destination": "/etc/caddy/Caddyfile",
            "Mode": "",
            "Propagation": "rprivate",
            "RW": true,
            "Source": "/root/appdata/caddyv2/Caddyfile",
            "Type": "bind"
        }
    ],
    "Name": "/caddy",
    "NetworkSettings": {
        "Bridge": "",
        "EndpointID": "ea0a49b8774d82c0dc5f886be39e705ae9f9e40d745fc96f414dc8720a4a2a2c",
        "Gateway": "172.17.0.1",
        "GlobalIPv6Address": "",
        "GlobalIPv6PrefixLen": 0,
        "HairpinMode": false,
        "IPAddress": "172.17.0.3",
        "IPPrefixLen": 16,
        "IPv6Gateway": "",
        "LinkLocalIPv6Address": "",
        "LinkLocalIPv6PrefixLen": 0,
        "MacAddress": "02:42:ac:11:00:03",
        "Networks": {
            "bridge": {
                "Aliases": null,
                "DriverOpts": null,
                "EndpointID": "ea0a49b8774d82c0dc5f886be39e705ae9f9e40d745fc96f414dc8720a4a2a2c",
                "Gateway": "172.17.0.1",
                "GlobalIPv6Address": "",
                "GlobalIPv6PrefixLen": 0,
                "IPAMConfig": {},
                "IPAddress": "172.17.0.3",
                "IPPrefixLen": 16,
                "IPv6Gateway": "",
                "Links": null,
                "MacAddress": "02:42:ac:11:00:03",
                "NetworkID": "cf87c2e764e2747885fcb4e1302a8c4ecf12abb2819135aee80d315caf3fec77"
            }
        },
        "Ports": {
            "2019/tcp": null,
            "443/tcp": [
                {
                    "HostIp": "0.0.0.0",
                    "HostPort": "443"
                },
                {
                    "HostIp": "::",
                    "HostPort": "443"
                }
            ],
            "443/udp": null,
            "80/tcp": [
                {
                    "HostIp": "0.0.0.0",
                    "HostPort": "80"
                },
                {
                    "HostIp": "::",
                    "HostPort": "80"
                }
            ]
        },
        "SandboxID": "f8f9e8213fc0d3675b3f89da2143713a74ef236ec6fd652f257ad7ae478e4b06",
        "SandboxKey": "/var/run/docker/netns/f8f9e8213fc0",
        "SecondaryIPAddresses": null,
        "SecondaryIPv6Addresses": null
    },
    "Path": "caddy",
    "Platform": "linux",
    "Portainer": {
        "ResourceControl": {
            "Id": 102,
            "ResourceId": "14504590c13aff77f9bb158d93fb69f752324c7baa1352ec586efe03656aedaf",
            "SubResourceIds": [],
            "Type": 1,
            "UserAccesses": [],
            "TeamAccesses": [],
            "Public": false,
            "AdministratorsOnly": true,
            "System": false
        }
    },
    "ProcessLabel": "",
    "ResolvConfPath": "/var/lib/docker/containers/14504590c13aff77f9bb158d93fb69f752324c7baa1352ec586efe03656aedaf/resolv.conf",
    "RestartCount": 0,
    "State": {
        "Dead": false,
        "Error": "",
        "ExitCode": 0,
        "FinishedAt": "2024-01-25T02:36:02.857669604Z",
        "OOMKilled": false,
        "Paused": false,
        "Pid": 613,
        "Restarting": false,
        "Running": true,
        "StartedAt": "2024-01-25T02:36:58.48602787Z",
        "Status": "running"
    }
}

a. System environment:

Docker

b. Command:


c. Service/unit/compose file:

d. My complete Caddy config:

nas.home {
    tls internal
    reverse_proxy nas
}

jellyfin.home {
    tls internal
    reverse_proxy nas:8096
}

photoprism.home {
    tls internal
    reverse_proxy nas:2342
}

prowlarr.home {
    tls internal
    reverse_proxy nas:9696
}

portainer.home {
    tls internal
    reverse_proxy /api/websocket pool:9000
    reverse_proxy pool:9000
}

pve.home {
    tls internal
    reverse_proxy https://pve:8006 {
        transport http {
            tls_insecure_skip_verify
        }
    }
}

pve2.home {
    tls internal
    reverse_proxy https://pve2:8006 {
        transport http {
            tls_insecure_skip_verify
        }
    }
}

pbs.home {
    tls internal
    reverse_proxy https://pbs:8007 {
        transport http {
            tls_insecure_skip_verify
        }
    }
}

5. Links to relevant resources:
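Editor’s note, not part of the original post: the three Proxmox entries above use tls_insecure_skip_verify, which makes Caddy accept whatever certificate the upstream presents, so any host that answers on pve:8006 (including one that has taken over the name via DNS or ARP on the LAN) is proxied without complaint. A Proxmox VE node publishes the CA that signed its web certificate at /etc/pve/pve-root-ca.pem; copying that file into the directory bind-mounted at /config and pinning it with tls_trusted_ca_certs keeps the upstream connection verified. The path /config/pve-root-ca.pem is an assumption for this example; the example is the editor’s, not the original poster’s configuration.

```caddyfile
# Verified upstream TLS for one Proxmox node (same pattern for pve2 and pbs,
# each with the CA or certificate that node actually serves).
# /config/pve-root-ca.pem is an assumed path: copy /etc/pve/pve-root-ca.pem
# from the node into the host directory that is bind-mounted at /config.
pve.home {
    tls internal
    reverse_proxy https://pve:8006 {
        transport http {
            tls_trusted_ca_certs /config/pve-root-ca.pem
        }
    }
}
```

Caddy’s Go TLS client checks that the upstream certificate’s names cover the dial name, here pve; if the node’s certificate was issued only for its fully qualified name, add tls_server_name with that name inside the transport block so the check can pass.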

Did you install Caddy’s root CA cert in your system/browser’s trust store?

If you didn’t and are clicking through the cert trust warning, then it’s because Caddy’s leaf certs have a short lifetime (12 hours by default, I think), so your browser cached an expired copy of the certificate.

See Keep Caddy Running — Caddy Documentation for instructions

Yes, I’ve installed the root CA.

What browser are you using? Are you sure that browser is using your system’s trust store? Many browsers now have their own trust stores so you might need to install the certificate for that browser.

Either way, this sounds like a browser cert caching bug, not a problem with Caddy.

I use Microsoft Edge for macOS. It seems like Edge is using the system’s trust store, because it opens the system Keychain when I click ‘Manage certificates’ in its settings.

I’ll try to troubleshoot this again by elimination and report the progress later. Thank you for your help.

I don’t think this is a trust store issue, since the browser’s error is about the certificate date specifically.

I’ve seen this before in Chrome (which Edge uses), which has a bug: it will not show the current certificate. This mainly happens for short-lived certificates like Caddy’s self-signed certs for localhost, which have 12-hour lifetimes. It’s caching it or something weird like that. If you make the same request using curl -v, you’ll see the right certificate served by Caddy.
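The check suggested in the reply above, automated as an added example (not code from the thread or from Caddy): open a TLS connection with the right SNI, read the leaf certificate the server is serving at this moment, and compare its validity window with the local clock. If this reports a valid certificate with hours of lifetime left while the browser still shows NET::ERR_CERT_DATE_INVALID, the browser is holding a stale copy. Host names, the CA file path and the sample dates are assumptions for illustration; the root certificate of Caddy’s internal CA lives under /data/caddy/pki/authorities/local/root.crt in the container.

```python
"""Report the certificate a TLS server is serving right now and how long it
remains valid. Added example; not from the original thread or from Caddy."""
import socket
import ssl
import time

# Caddy's `tls internal` issuer signs leaf certificates with a 12-hour lifetime
# by default, so anything at or below this threshold is the expected case.
SHORT_LIVED_HOURS = 24.0


def to_epoch(cert_time):
    """Parse the 'Jan 25 02:36:58 2024 GMT' format used by getpeercert()."""
    return ssl.cert_time_to_seconds(cert_time)


def classify_validity(not_before, not_after, now):
    """Return (status, seconds_until_expiry) for a validity window.

    status is 'not_yet_valid', 'valid' or 'expired'. A negative second count
    means the certificate expired that long ago, which is what a browser sees
    when it re-uses a cached copy of a 12-hour leaf certificate.
    """
    nb, na = to_epoch(not_before), to_epoch(not_after)
    remaining = na - now
    if now < nb:
        return "not_yet_valid", remaining
    if now >= na:
        return "expired", remaining
    return "valid", remaining


def lifetime_hours(not_before, not_after):
    """Total lifetime of the certificate in hours."""
    return (to_epoch(not_after) - to_epoch(not_before)) / 3600


def fetch_leaf_cert(host, port=443, cafile=None, timeout=5.0):
    """Connect with SNI=host and return the parsed leaf certificate.

    Verification uses the system trust store, or `cafile` (for example Caddy's
    root.crt). Python only exposes the parsed certificate after successful
    verification, so on failure the OpenSSL verify code and message are
    returned instead of raising; code 10 is 'certificate has expired' and
    code 9 is 'certificate is not yet valid'.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"verified": True, "cert": tls.getpeercert()}
    except ssl.SSLCertVerificationError as err:
        return {"verified": False, "verify_code": err.verify_code,
                "verify_message": err.verify_message}


def report(host, port=443, cafile=None):
    """One-line summary suitable for a quick shell check or a cron job."""
    result = fetch_leaf_cert(host, port, cafile)
    if not result["verified"]:
        return (f"{host}: verification failed (code {result['verify_code']}: "
                f"{result['verify_message']})")
    cert = result["cert"]
    status, remaining = classify_validity(cert["notBefore"], cert["notAfter"],
                                          time.time())
    hours = lifetime_hours(cert["notBefore"], cert["notAfter"])
    note = (" (short-lived, as expected for `tls internal`)"
            if hours <= SHORT_LIVED_HOURS else "")
    issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
    return (f"{host}: {status}, {remaining / 3600:.1f}h left of a "
            f"{hours:.0f}h lifetime{note}; issuer={issuer.get('commonName')}")


if __name__ == "__main__":
    import sys
    # Usage: python check_cert.py nas.home [/path/to/caddy/root.crt]
    print(report(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None))
```

Run it against the same name the browser is complaining about, passing Caddy’s root.crt if it is not in the system store; a result of "valid" with a fresh 12-hour window means Caddy rotated the certificate and the browser did not pick the new one up.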

After observing for a few days, I think it’s the browser’s issue. Thank you all.


Yeah, that’s what I’ve concluded as well. They do not handle short-lived certs very well.