PKI with default CAs not working

1. Caddy version (caddy version): 2.3.0

2. How I run Caddy:

docker-compose

a. System environment:

Docker (2.3.0-alpine)

b. Command:

docker-compose up

c. Service/unit/compose file:

version: "3.7"

services:
  caddy:
    image: caddy:2.3.0-alpine
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
      - "2019:2019"
    volumes:
      - caddy_data:/data
      - caddy_config:/config
      - ./Caddyfile:/etc/caddy/Caddyfile

  other_container:
    build:
      dockerfile: ./Dockerfile
      context: ./
    restart: unless-stopped
volumes:
  caddy_data:
  caddy_config:

d. My complete Caddyfile or JSON config:

Caddyfile used to initialise server

{
	admin 0.0.0.0:2019
}

mycaddy.local {

	reverse_proxy other_container:8080 {
		header_up X-mTLScertHash {http.request.tls.client.fingerprint}
	}

	tls {
		issuer internal {
			ca "local"
		}
	}
}

After init I try to /load the following JSON config (the same happens if just POSTing the new segment to /config/apps/pki etc.):

{
    "admin": {
        "listen": "0.0.0.0:2019"
    },
    "apps": {
        "http": {
            "servers": {
                "srv0": {
                    "listen": [
                        ":443"
                    ],
                    "routes": [
                        {
                            "handle": [
                                {
                                    "handler": "subroute",
                                    "routes": [
                                        {
                                            "handle": [
                                                {
                                                    "handler": "reverse_proxy",
                                                    "headers": {
                                                        "request": {
                                                            "set": {
                                                                "X-Mtlscerthash": [
                                                                    "{http.request.tls.client.fingerprint}"
                                                                ]
                                                            }
                                                        }
                                                    },
                                                    "upstreams": [
                                                        {
                                                            "dial": "other_container:8080"
                                                        }
                                                    ]
                                                }
                                            ]
                                        }
                                    ]
                                }
                            ],
                            "match": [
                                {
                                    "host": [
                                        "mycaddy.local"
                                    ]
                                }
                            ],
                            "terminal": true
                        }
                    ]
                }
            }
        },
        "tls": {
            "automation": {
                "policies": [
                    {
                        "issuers": [
                            {
                                "ca": "local",
                                "module": "internal"
                            }
                        ],
                        "subjects": [
                            "mycaddy.local"
                        ]
                    }
                ]
            }
        },
        "pki": {
            "certificate_authorities": {
                "local": {
                    "name": "Default Client CA",
                    "root": {},
                    "intermediate": {}
                }
            }
        }
    }
}

3. The problem I’m having:

I'm trying to get PKI working with a default CA for both. The server starts fine with the Caddyfile above. When I update the config by POSTing the above JSON config to /load, it does not result in a working PKI configuration but in the error message below.

4. Error messages and/or full log output:

{"error":"loading config: loading new config: loading http app module: provision http: getting tls app: loading tls app module: provision tls: provisioning automation policy 0: loading TLS automation management module: position 0: loading module 'internal': provision tls.issuance.internal: loading pki app module: provision pki: provisioning CA 'local': open : no such file or directory"}

5. What I already tried:

I have had a look in the container, and a key pair has been generated in /data/caddy/pki/authorities/local.

    "root": {},
    "intermediate": {}

Hmm. My guess is that these lines are messing it up. I think setting these to empty objects means that Caddy is looking for a file at "", i.e. an empty string.

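As an added example (not code from the original post and not part of Caddy itself), here is a small Python check that finds the exact pitfall diagnosed in the reply above in a Caddy v2 JSON config and rewrites it. The sample config is constructed to mirror the posted pki section with the bug intact; the function names and the repair rule (drop the empty objects, which is equivalent to setting them to null) are this example's own convention, not a Caddy API.

```python
"""Detect and repair `"root": {}` / `"intermediate": {}` in a Caddy v2 JSON config.

Added example for this thread; not code from the original post or from Caddy.
It assumes the layout shown in the thread (apps.pki.certificate_authorities).
Background: in Caddy's pki app an *absent* (or null) root/intermediate means
"generate one for me", while an empty object is a key-pair definition whose
certificate/key paths are "", which is what produces
'provisioning CA "local": open : no such file or directory'.
"""
import copy
import json

# Constructed sample: the pki app exactly as posted, bug intact.
BROKEN_PKI_CONFIG = {
    "apps": {
        "pki": {
            "certificate_authorities": {
                "local": {
                    "name": "Default Client CA",
                    "root": {},
                    "intermediate": {},
                }
            }
        }
    }
}

# The two optional key-pair fields of a CA entry.
KEYPAIR_FIELDS = ("root", "intermediate")


def find_empty_keypairs(config):
    """Return a list of (ca_id, field) for every CA whose root/intermediate
    is an empty object. Missing keys and null are fine (auto-generate)."""
    cas = (config.get("apps", {})
                 .get("pki", {})
                 .get("certificate_authorities", {}))
    hits = []
    for ca_id, ca in cas.items():
        for field in KEYPAIR_FIELDS:
            if field in ca and ca[field] == {}:
                hits.append((ca_id, field))
    return hits


def fix_empty_keypairs(config):
    """Return a deep copy with every empty root/intermediate object removed,
    so Caddy generates the CA and persists it under
    /data/caddy/pki/authorities/<ca_id>. The input is left untouched."""
    fixed = copy.deepcopy(config)
    for ca_id, field in find_empty_keypairs(fixed):
        del fixed["apps"]["pki"]["certificate_authorities"][ca_id][field]
    return fixed


def to_json(config):
    """Serialize in the same indented style as the config posted above."""
    return json.dumps(config, indent=4)


if __name__ == "__main__":
    print("empty key pairs found:", find_empty_keypairs(BROKEN_PKI_CONFIG))
    print(to_json(fix_empty_keypairs(BROKEN_PKI_CONFIG)))
```

Run it against the full config (the function only looks at the pki app, so the http and tls sections pass through unchanged) and POST the printed JSON to /load as before. Two caveats a practitioner should keep in mind with the files posted: the admin endpoint on 0.0.0.0:2019 is unauthenticated and the compose file publishes it on the host, so anything that can reach port 2019 can replace the running config; and {http.request.tls.client.fingerprint} is only populated when the tls block actually requests a client certificate (client_auth), so with the Caddyfile as posted the X-mTLScertHash header reaches the upstream empty.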

Ah yes. Sorry, I thought that when it said 'empty' in the documentation it meant an empty object. Thanks for your help.


I'll change that to "null".
