Ignore the message above, @francislavoie — I changed my config to this:
Config
{
"admin": {
"disabled": false,
"listen": "127.0.0.1:7443",
"enforce_origin": false,
"origins": [
"https://caddy.example.com:443"
],
"config": {
"persist": false
}
},
"logging": {
"logs": {
"default": {
"encoder": {
"format": "console"
},
"level": "debug",
"writer": {
"output": "stdout"
}
}
},
"sink": {
"writer": {
"output": "stderr"
}
}
},
"storage": {
"address": "https://vault.localdev.klmh.co:8443",
"approle_role_id": "dead-beef",
"approle_secret_id": "ea7-beef",
"log_level": "debug",
"module": "vault",
"insecure_skip_verify": true,
"path_prefix": "production/api/certificates",
"secrets_path": "klm/secrets"
},
"apps": {
"tls": {
"certificates": {
"load_folders": [
"/tmp/certificates"
]
}
},
"http": {
"grace_period": "30s",
"servers": {
"default": {
"automatic_https": {
"disable_redirects": true
},
"listen": [
"0.0.0.0:10443"
],
"metrics": {},
"routes": [
{
"group": "static",
"handle": [
{
"handler": "static_response",
"status_code": 200,
"body": "SUCCESS",
"close": true
}
]
}
],
"tls_connection_policies": [{}]
}
}
}
}
}
And when I make a request, I now see this in the logs (I am still unable to use my TLS certificate from storage):
Log
2023/05/16 17:22:13.252 INFO using provided configuration {"config_file": "config.json", "config_adapter": ""}
2023/05/16 17:22:13.253 INFO [INFO] Redirecting sink to: stderr
[INFO] Redirected sink to here (stderr)
2023/05/16 17:22:13.253 INFO redirected default logger {"from": "stderr", "to": "stdout"}
2023/05/16 17:22:13.254 INFO admin admin endpoint started {"address": "127.0.0.1:7443", "enforce_origin": false, "origins": ["https://caddy.example.com:443"]}
2023/05/16 17:22:13.255 INFO tls.cache.maintenance started background certificate maintenance {"cache": "0xc00024c230"}
2023/05/16 17:22:13.255 DEBUG caddy.storage.vault Load() from url {"url": "https://vault.localdev.klmh.co:8443/v1/klm/secrets/data/production/api/certificates/ocsp/localhost-843a3daf"}
2023/05/16 17:22:13.255 INFO caddy.storage.vault Logging in to vault using approle credentials
2023/05/16 17:22:13.271 DEBUG caddy.storage.vault Using newly created approle token for auth
2023/05/16 17:22:13.274 WARN tls stapling OCSP {"error": "no OCSP stapling for [localhost *.localdev.klmh.co *.localdev.us-west.mywordpress.io 127.0.0.1 ::1]: no OCSP server specified in certificate"}
2023/05/16 17:22:13.274 DEBUG events event {"name": "cached_unmanaged_cert", "id": "a9561d40-cbd5-4af4-b166-18fd4a7f9947", "origin": "tls", "data": {"sans":["localhost","*.localdev.klmh.co","*.localdev.us-west.mywordpress.io","127.0.0.1","::1"]}}
2023/05/16 17:22:13.274 DEBUG tls.cache added certificate to cache {"subjects": ["localhost", "*.localdev.klmh.co", "*.localdev.us-west.mywordpress.io", "127.0.0.1", "::1"], "expiration": "2025/08/15 20:43:05.000", "managed": false, "issuer_key": "", "hash": "74424cf96176266af94f548c9d80c0d3541f2ae1c10d54da5f545ff3cfcac114", "cache_size": 1, "cache_capacity": 10000}
2023/05/16 17:22:13.274 WARN http automatic HTTP->HTTPS redirects are disabled {"server_name": "default"}
2023/05/16 17:22:13.274 INFO http enabling HTTP/3 listener {"addr": "0.0.0.0:10443"}
2023/05/16 17:22:13.274 INFO tls cleaning storage unit {"description": "&{0xc0005d86c0}"}
failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Receive-Buffer-Size for details.
2023/05/16 17:22:13.274 DEBUG caddy.storage.vault List() at url {"url": "https://vault.localdev.klmh.co:8443/v1/klm/secrets/metadata/production/api/certificates/ocsp", "recursive": false}
2023/05/16 17:22:13.274 DEBUG caddy.storage.vault Using approle client token for auth
2023/05/16 17:22:13.274 DEBUG http starting server loop {"address": "[::]:10443", "tls": true, "http3": true}
2023/05/16 17:22:13.274 INFO http.log server running {"name": "default", "protocols": ["h1", "h2", "h3"]}
2023/05/16 17:22:13.274 INFO serving initial configuration
2023/05/16 17:22:13.277 DEBUG caddy.storage.vault List() at url {"url": "https://vault.localdev.klmh.co:8443/v1/klm/secrets/metadata/production/api/certificates/certificates", "recursive": false}
2023/05/16 17:22:13.277 DEBUG caddy.storage.vault Using approle client token for auth
2023/05/16 17:22:13.281 DEBUG caddy.storage.vault List() at url {"url": "https://vault.localdev.klmh.co:8443/v1/klm/secrets/metadata/production/api/certificates/certificates/acme-staging-v02.api.letsencrypt.org-directory/", "recursive": false}
2023/05/16 17:22:13.281 DEBUG caddy.storage.vault Using approle client token for auth
2023/05/16 17:22:13.284 DEBUG caddy.storage.vault List() at url {"url": "https://vault.localdev.klmh.co:8443/v1/klm/secrets/metadata/production/api/certificates/certificates/acme-staging-v02.api.letsencrypt.org-directory/abc123.localdev.mywordpress.io/", "recursive": false}
2023/05/16 17:22:13.284 DEBUG caddy.storage.vault Using approle client token for auth
2023/05/16 17:22:13.288 DEBUG caddy.storage.vault Load() from url {"url": "https://vault.localdev.klmh.co:8443/v1/klm/secrets/data/production/api/certificates/certificates/acme-staging-v02.api.letsencrypt.org-directory/abc123.localdev.mywordpress.io/abc123.localdev.mywordpress.io.crt"}
2023/05/16 17:22:13.288 DEBUG caddy.storage.vault Using approle client token for auth
2023/05/16 17:22:13.291 DEBUG caddy.storage.vault List() at url {"url": "https://vault.localdev.klmh.co:8443/v1/klm/secrets/metadata/production/api/certificates/certificates/acme-staging-v02.api.letsencrypt.org-directory/abc123.localdev.mywordpress.io/", "recursive": false}
2023/05/16 17:22:13.291 DEBUG caddy.storage.vault Using approle client token for auth
2023/05/16 17:22:13.296 INFO tls finished cleaning storage units
2023/05/16 17:22:20.991 DEBUG events event {"name": "tls_get_certificate", "id": "1b1effab-9d6f-44b3-9451-d44cb505b62b", "origin": "tls", "data": {"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"ServerName":"abc123.localdev.mywordpress.io","SupportedCurves":[29,23,30,25,24],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,769,770,1026,1282,1538],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"Conn":{}}}}
2023/05/16 17:22:20.992 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "abc123.localdev.mywordpress.io"}
2023/05/16 17:22:20.992 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "*.localdev.mywordpress.io"}
2023/05/16 17:22:20.992 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "*.*.mywordpress.io"}
2023/05/16 17:22:20.992 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "*.*.*.io"}
2023/05/16 17:22:20.992 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "*.*.*.*"}
2023/05/16 17:22:20.992 DEBUG tls.handshake all external certificate managers yielded no certificates and no errors {"remote_ip": "127.0.0.1", "remote_port": "48750", "sni": "abc123.localdev.mywordpress.io"}
2023/05/16 17:22:20.992 DEBUG tls.handshake no certificate matching TLS ClientHello {"remote_ip": "127.0.0.1", "remote_port": "48750", "server_name": "abc123.localdev.mywordpress.io", "remote": "127.0.0.1:48750", "identifier": "abc123.localdev.mywordpress.io", "cipher_suites": [4866, 4867, 4865, 49196, 49200, 159, 52393, 52392, 52394, 49195, 49199, 158, 49188, 49192, 107, 49187, 49191, 103, 49162, 49172, 57, 49161, 49171, 51, 157, 156, 61, 60, 53, 47, 255], "cert_cache_fill": 0.0001, "load_if_necessary": true, "obtain_if_necessary": true, "on_demand": false}
2023/05/16 17:22:20.992 DEBUG http.stdlib http: TLS handshake error from 127.0.0.1:48750: no certificate available for 'abc123.localdev.mywordpress.io'