On-the-fly Certificate Generation based on SNI?

Hello,
Is it possible to generate SSL certificates on the fly using our OWN root CA based on SNI, instead of calling Let's Encrypt or ZeroSSL?

We have a new requirement to generate SSL certificates for all domain names; we want to use Caddy as a reverse proxy to serve some static pages.

Yes it’s possible, but it’s currently only possible to specify your own root CA cert/key via JSON config. If you’re okay with letting Caddy generate its own CA, then it’s trivial with a Caddyfile. Just use the tls internal option in each site, or the local_certs global option to force all cert issuance to use the local CA.

Next time, please fill out the help topic template. The contextual questions it asks you to answer are very relevant to getting precisely the right answers to your questions.

Thank you very much for your reply @francislavoie. Sure, from now on I will use the template when creating a topic.

I tried tls internal locally like below:

localhost:443 {
	# serve files from this directory
	root * /usr/share/caddy
	# issue the site certificate from Caddy's own local CA
	tls internal
}

It worked, and the server automatically created a certificate with the DNS name localhost.

But in our case we have multiple domains assigned to a single IP, and we need to create certificates based on the host name (SNI). We don't want to hard-code any domain names in the Caddyfile; the server should resolve it automatically and create a certificate based on the hostname. Is there any way we can achieve this?

You’re looking for on-demand TLS: Automatic HTTPS — Caddy Documentation

To use locally-issued certs, just make sure TLS automation policies use Caddy’s internal CA instead of a public one by default. Using the local_certs global option should do the trick if I recall correctly.

Thank you @matt, it worked for me; I am able to generate certificates on the fly using Caddy's internal CA.

After that I tried to use our own root CA by storing it in the folder. When I tried to update the PKI using the load API, I am getting a memory address error like below:

2022/01/07 10:33:45 http: panic serving runtime error: invalid memory address or nil pointer dereference
caddy-service | goroutine 7 [running]:
caddy-service | net/http.(*conn).serve.func1()
caddy-service | net/http/server.go:1801 +0xb9
caddy-service | panic({0x1487700, 0x242ea70})
caddy-service | runtime/panic.go:1047 +0x266
caddy-service | github.com/caddyserver/caddy/v2/modules/caddypki.pemDecodePrivateKey({0xc000171900, 0xd, 0xc0009b5580}) …

I tried the /load API like below:

curl http://localhost:2019/config/apps/pki -X POST -H "Content-Type: application/json" -d @pki.json

JSON I tried to update:

{
  "certificate_authorities": {
    "caname": {
      "name": "rootCa",
      "root": {
        "certificate": "/usr/share/caddy/certs/rootCACert.crt",
        "private_key": "/usr/share/caddy/certs/rootCAKey.key",
        "format": "pem_file"
      }
    }
  }
}

My docker compose file:

version: '3.7'

services:
  # Run the caddy server
  caddy:
    image: caddy
    container_name: caddy-service
    restart: unless-stopped
    ports:
      - "8080:80"
      - "443:443"
      - "2019:2019"
    volumes:
      # Caddyfile, static block page and our CA cert/key files
      - /C/Users/Desktop/nginx-auto-ssl/Caddy/Caddyfile:/etc/caddy/Caddyfile
      - /C/Users/Desktop/nginx-auto-ssl/Caddy/block_page/:/usr/share/caddy/block_page
      - /C/Users/Desktop/nginx-auto-ssl/Caddy/certs/:/usr/share/caddy/certs
      # persistent storage for issued certificates and config
      - caddy_data:/data
      - caddy_config:/config

volumes:
  caddy_data:
  caddy_config:


What is the full config and stack trace? Unfortunately I can’t do much to fix it with this.

I looked at the function at the end of the stack trace snippet though and took a best guess that it's failing to find any PEM data in your .key file. Caddy should now return an error instead of panicking:

If you can test Caddy with that build, it would be appreciated. Then make sure your .key file has PEM private key in it.

Thank you very much @matt, by updating my root CA and private key to PEM format, I am no longer getting the error as before.

Will test the same (runtime error) scenario with the latest build and update the topic.

Can you please provide us some instructions or docs related to the custom PKI feature, like what conditions Caddy is validating while using a custom root CA (constraints), and how we can configure the expiration date for SSL certificates that are generated on-demand?


Glad you got it fixed! Thanks for the trial.

I don’t recall any particular constraints on custom root CAs right now (I’d have to look at the code more but I’m in the middle of something).

You can configure the cert lifetime in the internal issuer module that you configure: Modules - Caddy Documentation

Now I am able to customize the expiration date of certificates while generating them on-demand. Thank you very much @matt for the doc. We tried to update our own custom root CA and intermediate CA in the server, and we are able to generate SSL certificates signed by our intermediate CA.

While implementing custom PKI using our root CA, I observed a pattern: we need to provide both the root CA and the intermediate CA (along with private keys), and only then are SSL certificates generated. If we provide only the root CA and the root CA private key, I think Caddy is generating a new intermediate certificate, and we are getting errors like below:

{"level":"error","ts":1641627747.4992325,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"domain_name","issuer":"caname","error":"authority.Sign; error creating certificate: error creating certificate: x509: provided PrivateKey doesn't match parent's PublicKey","errorVerbose":"x509: provided PrivateKey doesn't match parent's PublicKey\nerror creating certificate\ngo.step.sm/crypto/x509util.CreateCertificate…

Is it mandatory to upload the intermediate certificate too?
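As an added example that is not from this thread or from the Caddy project, here is one complete JSON config that ties together the pieces the replies above point at: the custom CA loaded from PEM files in the pki app (the root file paths are the ones posted above; the intermediate file names are assumptions, included because the thread reports that both key pairs had to be supplied), a TLS automation policy that issues on demand from that CA with an explicit certificate lifetime via the internal issuer, and a server on :443 serving the static block page. The "ask" endpoint and its URL are a placeholder: it is Caddy's standard on-demand safeguard, so that a certificate is only minted for hostnames an endpoint you control approves rather than for any SNI a client presents.

```json
{
  "apps": {
    "pki": {
      "certificate_authorities": {
        "caname": {
          "name": "rootCa",
          "root": {
            "certificate": "/usr/share/caddy/certs/rootCACert.crt",
            "private_key": "/usr/share/caddy/certs/rootCAKey.key",
            "format": "pem_file"
          },
          "intermediate": {
            "certificate": "/usr/share/caddy/certs/intermediateCert.crt",
            "private_key": "/usr/share/caddy/certs/intermediateKey.key",
            "format": "pem_file"
          }
        }
      }
    },
    "tls": {
      "automation": {
        "policies": [
          {
            "on_demand": true,
            "issuers": [
              {
                "module": "internal",
                "ca": "caname",
                "lifetime": "720h"
              }
            ]
          }
        ],
        "on_demand": {
          "ask": "http://localhost:8081/allowed"
        }
      }
    },
    "http": {
      "servers": {
        "srv0": {
          "listen": [":443"],
          "tls_connection_policies": [{}],
          "routes": [
            {
              "handle": [
                {
                  "handler": "file_server",
                  "root": "/usr/share/caddy/block_page"
                }
              ]
            }
          ]
        }
      }
    }
  }
}
```

Load the whole file with `curl localhost:2019/load -H "Content-Type: application/json" -d @caddy.json` (a full replace, unlike the earlier POST to /config/apps/pki, which only swaps the pki subtree). The policy has no "subjects" list, so it applies to every hostname, which is what makes SNI-driven issuance possible without naming domains; the empty entry in "tls_connection_policies" is what turns TLS on for the :443 listener when no hostnames appear in the routes. Without the "ask" check, the first handshake for any name, including ones you do not own, triggers signing by your CA, so keep that endpoint in place and rate-limit it if this faces untrusted clients.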
