Populating $_SERVER['SERVER_CERT'] and $_SERVER['CLIENT_CERT']

1. The problem I’m having:

I am migrating my PHP app from Apache to FrankenPHP, which uses Caddy as the HTTP server. I am using the Docker image.

My code relies on values of $_SERVER['SERVER_CERT'] and $_SERVER['CLIENT_CERT'] to analyze and process server and client certificates used in the communication, respectively. In Apache, there is a special configuration flag +ExportCertData that instructs mod_ssl to populate these values.

I am unable to find how to do the same in Caddy, though. Could anyone tell me if it is even possible?

Yeah that’s a shortcoming right now, we don’t automatically pass that info down.

You can do it with the php_fastcgi directive’s env option, which sets $_SERVER vars, plus placeholders to pull the value.

I think this is what you want:

php_fastcgi <upstream> {
	env CLIENT_CERT {tls_client_certificate_pem}
}

I’m not sure why you would need SERVER_CERT, that doesn’t make sense to need in the app. The server’s TLS cert has no application-layer auth behaviour.


Thank you for your guidance, Francis!

As for the server certificate, it actually makes sense. Within the Admin UI of our app, we have a telemetry panel that indicates overall health of the system, and one of the indicated params is the state of the server certificate, especially for the expiration purposes. (I am attaching a screenshot, in Czech, but you will get an idea.)

We have been doing similar deployments since 2004 and, among our clients, the no. 1 reason for unplanned downtimes in the last 20 years was actually an expired certificate. (It can happen even in very high circles: https://cybernews.com/news/starlink-outage-certificate-elon-musk/, so it happens in mid-size corps too.) And these are mostly organizations that don't use Let's Encrypt. Many of them have their own CA for that purpose, especially for Intranet services.

So in order to prevent this, our telemetry starts nagging the admins about 30 days in advance that the certificate should be changed soon, then very soon, then ASAP. It can even send encrypted e-mails and text messages to them in the ASAP period.

This works well and no one who has this sort of telemetry deployed ever experienced a sudden expiration of the certificate. But it means that we need to be aware of our own server cert server-side.

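As an added illustration (not code from the thread or from Caddy), this is what the PHP side could do with the CLIENT_CERT value that the `env CLIENT_CERT {tls_client_certificate_pem}` line above places in $_SERVER, including the expiry telemetry the later posts describe. The nagging thresholds (30/14/7 days) and the JSON output shape are assumptions; the empty-string case covers a request where no client certificate was presented.

```php
<?php
// Added example: consume $_SERVER['CLIENT_CERT'] as populated by the
// php_fastcgi env directive, and derive certificate health telemetry.
declare(strict_types=1);

/**
 * Parse a PEM certificate and return the fields the app cares about,
 * or null when there is no usable certificate (no client cert presented
 * means Caddy passes an empty string, not an absent variable).
 */
function certificate_info(?string $pem): ?array
{
    if ($pem === null || trim($pem) === '') {
        return null; // handshake had no client certificate
    }
    $x509 = openssl_x509_read($pem);
    if ($x509 === false) {
        return null; // not a valid PEM certificate
    }
    $parsed = openssl_x509_parse($x509);
    if ($parsed === false) {
        return null;
    }
    $notAfter = (int) $parsed['validTo_time_t'];
    return [
        'subject'     => $parsed['name'],
        'issuer_cn'   => $parsed['issuer']['CN'] ?? '',
        'serial_hex'  => $parsed['serialNumberHex'] ?? '',
        'not_after'   => gmdate('Y-m-d\TH:i:s\Z', $notAfter),
        'days_left'   => intdiv($notAfter - time(), 86400),
        'fingerprint' => openssl_x509_fingerprint($x509, 'sha256'),
    ];
}

/** Map remaining lifetime onto nagging levels; thresholds are assumed. */
function expiry_level(int $daysLeft): string
{
    if ($daysLeft < 0)   return 'EXPIRED';
    if ($daysLeft <= 7)  return 'ASAP';
    if ($daysLeft <= 14) return 'VERY SOON';
    if ($daysLeft <= 30) return 'SOON';
    return 'OK';
}

$info = certificate_info($_SERVER['CLIENT_CERT'] ?? null);
if ($info === null) {
    http_response_code(401);
    exit('No valid client certificate presented');
}
$info['level'] = expiry_level($info['days_left']);
header('Content-Type: application/json');
echo json_encode($info, JSON_PRETTY_PRINT);
```

The same certificate_info() function works for any PEM string, so the server-side certificate telemetry can reuse it once a value for the server certificate is available to the app.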

Yeah, here is the telemetry. SRV-CRT is the one. This is a fresh Docker install, so a lot of the icons are blaring red.

Fair enough. We don’t have placeholders for server cert stuff right now I believe. You could open an issue on Github and/or write a PR to add that functionality if you want.

Done! Thank you.