Problem with tls directive

1. Caddy version (caddy version):

2.5.0

2. How I run Caddy:

a. System environment:

Docker

b. Command:

caddy run -watch -config /etc/caddy/Caddyfile

c. Service/unit/compose file:

edge:
  image: caddy:2.5.0
  command: caddy run -resume -config /etc/caddy/Caddyfile
  networks:
    - backend
  ports:
    - 80:80
    - 443:443
  volumes:
    - caddy_data:/etc/caddy/caddy
    - ~/certs:/etc/caddy/certs
  environment:
    XDG_CONFIG_HOME: /etc/caddy

d. My complete Caddyfile or JSON config:

{
  auto_https off
  servers {
    timeouts {
      read_body   60s
      read_header 60s
    }
  }
}

(common) {
  log

  header -Server
}

http://api.guoard.ir {
  import common

  redir https://{host}{uri} permanent

}
https://api.guoard.ir {
  import common

  tls /etc/caddy/certs/guoard.ir.crt /etc/caddy/certs/guoard.key
  
  api:3000
}

certificates are for *.guoard.ir

3. The problem I’m having:

When I use mkcert locally everything is fine, but when I use Let's Encrypt to issue certificates I get a couple of issues:

1. My cert file is like this:
-----BEGIN CERTIFICATE-----
BASE64 STRING
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
BASE64 STRING
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
BASE64 STRING
-----END CERTIFICATE-----

but Caddy gives me this error:

{"level":"error","ts":1651740472.2255423,"logger":"admin.api","msg":"request error","error":"loading config: loading new config: loading http app module: provision http: getting tls app: loading tls app module: provision tls: loading certificates: tls: failed to find PEM block with type ending in \"PRIVATE KEY\" in key input after skipping PEM blocks of the following types: [CERTIFICATE CERTIFICATE CERTIFICATE]","status_code":400}
2. When I reduce the certificate to one section (just for the test), I get another error for the key.
   Content of the key file:
-----BEGIN EC PRIVATE KEY-----
BASE64 STRING
-----END EC PRIVATE KEY-----

Caddy gives me this error:

{"level":"error","ts":1651901534.5980713,"logger":"admin.api","msg":"request error","error":"loading config: loading new config: loading http app module: provision http: getting tls app: loading tls app module: provision tls: loading certificates: tls: found a certificate rather than a key in the PEM for the private key","status_code":400}

5. What I already tried:

I tried to change tls to this:

tls /etc/caddy/certs/guoard.ir.crt /etc/caddy/certs/guoard.key {
    key_type ed25519
}

It seems Caddy cannot handle a full chain of certificates and does not support this type of key encryption, or my configs are wrong.

Are you sure you have the right contents in the right files? The errors seem to indicate you have certs in the key file.
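Both error strings quoted in the question are Go's crypto/tls X509KeyPair messages, which Caddy surfaces when it loads a manual cert/key pair, and the thread's later resolution was a typo in a site name. The following pre-flight check is an added example (not Caddy's code and not from this thread): it walks the PEM blocks the same way (every block in the cert file must be a CERTIFICATE, the key file must contain a block whose type ends in "PRIVATE KEY"), then confirms the key belongs to the leaf and that the leaf's SANs actually cover the host from the Caddyfile. The self-signed wildcard certificate for `*.guoard.ir`, the `api.gouard.ir` typo and the function names are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CheckPEMPair applies the two rules behind the errors quoted in the thread (Go's
// crypto/tls X509KeyPair messages): every block in the cert input must be a CERTIFICATE,
// and the key input must hold a block whose type ends in "PRIVATE KEY". It then checks
// that the key belongs to the leaf and that the leaf covers host (a site-name typo fails here).
func CheckPEMPair(certPEM, keyPEM []byte, host string) (certBlocks int, keyType string, err error) {
	var leaf *x509.Certificate
	for rest := certPEM; ; {
		var block *pem.Block
		if block, rest = pem.Decode(rest); block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			return certBlocks, "", fmt.Errorf("cert input: unexpected PEM block %q", block.Type)
		}
		if c, err := x509.ParseCertificate(block.Bytes); err != nil {
			return certBlocks, "", fmt.Errorf("cert input: block %d: %w", certBlocks+1, err)
		} else if leaf == nil {
			leaf = c // first block is the leaf; any following blocks are the chain
		}
		certBlocks++
	}
	if leaf == nil {
		return 0, "", fmt.Errorf("cert input: no CERTIFICATE block found")
	}
	var skipped []string
	for rest := keyPEM; keyType == ""; {
		var block *pem.Block
		if block, rest = pem.Decode(rest); block == nil {
			return certBlocks, "", fmt.Errorf("key input: no PEM block ending in \"PRIVATE KEY\" after skipping %v", skipped)
		} else if strings.HasSuffix(block.Type, "PRIVATE KEY") {
			keyType = block.Type
		} else {
			skipped = append(skipped, block.Type) // e.g. a certificate pasted into the key file
		}
	}
	if _, err := tls.X509KeyPair(certPEM, keyPEM); err != nil {
		return certBlocks, keyType, fmt.Errorf("key does not belong to the leaf certificate: %w", err)
	}
	if err := leaf.VerifyHostname(host); err != nil {
		return certBlocks, keyType, fmt.Errorf("leaf (SANs %v) does not cover %q: %w", leaf.DNSNames, host, err)
	}
	return certBlocks, keyType, nil
}

// NewSelfSignedPair builds a constructed self-signed ECDSA certificate and its SEC1
// ("EC PRIVATE KEY") key for dnsNames: sample input only, nothing from the thread.
func NewSelfSignedPair(dnsNames []string) ([]byte, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), nil
}

func main() {
	certPEM, keyPEM, err := NewSelfSignedPair([]string{"*.guoard.ir"})
	if err != nil {
		panic(err)
	}
	for _, tc := range []struct{ name string; cert, key []byte; host string }{
		{"correct files", certPEM, keyPEM, "api.guoard.ir"},
		{"certificate pasted into key file", certPEM, certPEM, "api.guoard.ir"},
		{"site name typo in the Caddyfile", certPEM, keyPEM, "api.gouard.ir"},
	} {
		blocks, keyType, err := CheckPEMPair(tc.cert, tc.key, tc.host)
		fmt.Printf("%-32s blocks=%d key=%q err=%v\n", tc.name, blocks, keyType, err)
	}
}
```

Running it with the real files (read them with os.ReadFile and pass the site name from the Caddyfile) tells you in one place which of the three things is wrong: the wrong content in the cert file, the wrong content in the key file, or a host that the certificate's SANs never covered. A full chain in the cert file is accepted, since only the first block has to match the key.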


The problem was a typo in one of the domains.
It would be great if we got the line number of the Caddyfile that gives us the error.

Another question:
When the key and cert files in the tls directive do not exist, Caddy gives a 400 error and stops working.
Is there any way to bypass this domain and keep working for the other domains?

Glad you figured it out!

A little tricky in this case. Caddy can’t know which one is the typo and which one is correct. Maybe we could do some clever spelling-correct against the site names in the Caddyfile and all the loaded certs and just highlight discrepancies, but then again, that sounds rather complex for a mistake that I’ve only heard of, maybe three times now.

No; Caddy will either run your config successfully or it won’t. While it does retry cert automation errors in the background, if you explicitly provide your own cert and key, they must be correct, otherwise it’s a security/availability risk.