Problem with caddy root certificate

1. The problem I’m having:

I’m using Caddy for HTTPS requests from the client VM to the server VM.
Caddy was set up on the server VM using Docker.

After that I copied the root.crt file from /data/caddy/pki/authorities/local in the container on the server VM and installed it on the client VM (by putting it in /usr/local/share/ca-certificates/mydomain and running sudo update-ca-certificates).

I also added <IP> mydomain.localhost to /etc/hosts on the client VM.

After that I tried to request the server VM with curl, and the secure connection failed despite the installed certificate.

# Both commands executed on the client VM

curl https://mydomain.localhost # FAILS with SSL certificate problem: authority and subject key identifier mismatch

curl -k https://mydomain.localhost # OK

2. Error messages and/or full log output:

Simple request (without the --cacert option)

curl -v https://mydomain.localhost

*   Trying <IP>:443...
* Connected to mydomain.localhost (<IP>) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /usr/lib/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.3 (OUT), TLS alert, certificate unknown (558):
* SSL certificate problem: authority and subject key identifier mismatch
* Closing connection 0
curl: (60) SSL certificate problem: authority and subject key identifier mismatch
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

I also tried providing the root.crt file to the command manually

curl --cacert /root/root.crt -v https://mydomain.localhost

*   Trying <IP>:443...
* Connected to mydomain.localhost (<IP>) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /root/root.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.3 (OUT), TLS alert, certificate unknown (558):
* SSL certificate problem: authority and subject key identifier mismatch
* Closing connection 0
curl: (60) SSL certificate problem: authority and subject key identifier mismatch
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

3. Caddy version:

v2.8.4 h1:q3pe0wpBj1OcHFZ3n/1nl4V4bxBrYoSoab7rL9BMYNk=

4. How I installed and ran Caddy:

a. System environment:

Ubuntu

b. Command:

docker-compose up -d

c. Service/unit/compose file:

Contents of docker-compose.yaml

version: '3'

name: control_node

services:
  caddy:
    image: caddy:latest
    volumes:
      - /root/Caddyfile:/etc/caddy/Caddyfile
      - /root/caddy.log:/var/log/caddy.log
      - /root/caddy_certificates:/data/caddy/certificates/local/mydomain.localhost
      - /root/caddy_certificates_pki:/data/caddy/pki/authorities/local
    restart: always
    network_mode: host

  nginx:
    image: nginx:stable-alpine3.17
    restart: always
    volumes:
      - /root/nginx.conf:/etc/nginx/nginx.conf:ro
    ports:
      - 8080:8080
    network_mode: host

d. My complete Caddy config:

mydomain.localhost {
    log {
        output file /var/log/caddy.log
    }

    reverse_proxy localhost:8080
}

5. Links to relevant resources:

I used that topic to find out about root.crt

You don’t have a volume for /data. This means that you’re not necessarily persisting all of Caddy’s storage (as you should). So if you at some point restarted/recreated your Caddy container, then the storage would be lost.

Set up a /data volume as per our docs: Keep Caddy Running — Caddy Documentation, then delete the old root cert from your machine, then try again to install the cert and make a request with curl -v.

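As an added illustration (not code from this thread or from Caddy), here is the check curl is performing, modelled in Go with a constructed throwaway PKI: a server certificate issued by one root CA fails both the authority/subject key identifier comparison and full chain verification against a root generated later, which is the situation when the root.crt installed on the client and the CA inside a recreated container no longer belong together. The CA names and the host mydomain.localhost are taken from the thread; the helper names are my own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl with parent/parentKey (self-signed when parent is nil). Constructed demo PKI, not Caddy's code.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// NewCA builds a root whose random SubjectKeyId differs on every call, like the
// brand-new root a recreated Caddy container generates when /data is not persisted.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	skid := make([]byte, 20)
	rand.Read(skid)
	return issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		SubjectKeyId: skid, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
}

// NewLeaf issues the server cert; CreateCertificate copies the CA's SubjectKeyId into the leaf's AuthorityKeyId.
func NewLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	leaf, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{host},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caKey)
	return leaf
}
// KeyIDsMatch is the check behind curl's message: the leaf's AKI must equal the installed root's SKI.
func KeyIDsMatch(leaf, root *x509.Certificate) bool { return bytes.Equal(leaf.AuthorityKeyId, root.SubjectKeyId) }
// VerifyWithRoot does what curl --cacert does: chain the leaf to exactly one trusted root.
func VerifyWithRoot(leaf, root *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}
```

On a real client the same comparison can be made by hand: print the root's subjectKeyIdentifier with openssl x509 -noout -ext subjectKeyIdentifier -in root.crt and compare it with the authorityKeyIdentifier of the certificate the server currently serves.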
