Running caddy as non root user when using local TLS

agrajag · March 24, 2021, 1:44am

1. Caddy version (`caddy version`):

caddy version

v2.4.0-beta.1 h1:Ed/tIaN3p6z8M3pEiXWJL/T8JmCqV62FrSJCHKquW/I=

2. How I run Caddy:

a. System environment:

# cat /etc/*release*
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
NAME="Raspbian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"

b. Command:

systemctl start caddy

c. Service/unit/compose file:

# caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# caddy run command or use the caddy-api.service file instead.

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddyfile or JSON config:

Our caddyfile configuration does not modify TLS configuration, its using defaults for local CA at this point, for this discussion its not necessary.  If the discussion determines its needed I'll add it.

3. The problem I’m having:

I am attempting to use configure caddy to run as a service as a non root user (caddy) with a no login shell. I am slowly coming to the realization that there is no way to establish “trust” for the local CA from within caddy setup processes, if caddy is not running as root.

I’ve seen the other discussions on “why worry” regarding running caddy as root. This looks like the actual reason “why you must run caddy as root if you expect local auto-tls to work”.

Before completely redoing our system build I’m firing off a flare to the community on “has anyone gotten this working as non root user for caddy” before surrendering and switching our approach.

4. Error messages and/or full log output:

5. What I already tried:

github.com/caddyserver/caddy

Feature Request: Local CA issuer/subject DN uniqueness and system trust cleanup on new CA addition.

opened 12:43AM - 18 Mar 21 UTC

closed 12:53AM - 20 Apr 21 UTC

tgelite

feature

discussion

1) introduce "trust cleanup" for the caddy trust command and caddy server startu…p after a TLS configuration change to cleanup invalid previous CA instances **(and / or)** 2) use unique issuer/subject distinguished names (DN) when generating the caddy local CA's **<<< most important** The issue is a divergence between the system trust installed local caddy CA, and what caddy is using in its current runtime as root CA. The "new" caddy CA is not being installed because the caddy trust (and first start trust setup) does not recognize that the two certificates are actually different. This is due to issuer/subject DN being the same in the new and old CA certificates. When you examine the CA certificates, they are completly different CA certificates at the TLS cryptographic level. Our configuration files are present in the caddy forums, most recient being https://caddy.community/t/new-feature-caddy-trust-with-support-for-config-switch/11606. This issue appears to be related to caddyserver github issue#4058. I'm not 100% sure what scenario triggered the generation of a new rootCA. Regardless its important to understand that issuer/subject DN's being the same between 2 different CA certificates can break trust path evaluation for TLS. I believe we were seeing issues similar to this on windows in forum post https://caddy.community/t/local-caddy-selfsigned-ca-is-creating-certs-that-google-chrome-will-not-accept/10785 where there were duplicate instances of the CA's installed in the microsoft trust stores. Currently we are testing on linux, and this is the message seen when running "caddy trust" as root on a host where we have installed a new version of the caddy binary (adding plugins), and switched back to the default local TLS configuration with no storage location. The same kind of message is seen on caddy startup as well. ``` root@elite-pi:/var/lib/caddy# caddy trust 2021/03/17 23:02:55.352 INFO ca.local root certificate is already trusted by system {"path": "storage:pki/authorities/local/root.crt"} ``` This is incorrect, however. You can see this by directly inspecting the new caddy CA certificate and comparing with the CA certificate caddy currently has installed for system wide trust. I show the detail below, but first some context. The issue for TLS is that when a TLS client is attempting to build a path to trusting a server certificate, having duplicates of the same subject DN being present for the CA trust in the client's local trusted CA's, can cause failure to setup the TLS connection. Simply stated, when tls connection setup has to parse previous instances of its local CA configured in /etc/ssl/pki/certificates depending on the implementation, you can end up the first one found will be used to attempt to build the path of trust for the connection. When examining what caddy updated the system with for certificate trust, its a little messy (I think due to CA being generated for the new year at some point along the way on a new caddy binary install). There are both 2020 and 2021 instances of the CA, these have different issuer/subject DN's so they are NOT conflicting with each other. ``` root@elite-pi:/etc/ssl/certs# ls -l | grep -i caddy lrwxrwxrwx 1 root root 80 Feb 7 10:43 1e027192.0 -> Caddy_Local_Authority_-_2021_ECC_Root_69038497948112521170214703261324660100.pem lrwxrwxrwx 1 root root 80 Oct 23 20:23 a6f460bc.0 -> Caddy_Local_Authority_-_2020_ECC_Root_81229713952639004777245312604640354755.pem lrwxrwxrwx 1 root root 113 Oct 23 20:23 Caddy_Local_Authority_-_2020_ECC_Root_81229713952639004777245312604640354755.pem -> /usr/local/share/ca-certificates/Caddy_Local_Authority_-_2020_ECC_Root_81229713952639004777245312604640354755.crt lrwxrwxrwx 1 root root 113 Feb 7 10:43 Caddy_Local_Authority_-_2021_ECC_Root_69038497948112521170214703261324660100.pem -> /usr/local/share/ca-certificates/Caddy_Local_Authority_-_2021_ECC_Root_69038497948112521170214703261324660100.crt ``` When I compare at the local CA file vs what was installed in the system in the /var/lib/caddy/.caddy path I see: ``` root@elite-pi:/var/lib/caddy# ls -l /usr/local/share/ca-certificates/Caddy_Local_Authority_-_2020_ECC_Root_81229713952639004777245312604640354755.crt -rw-r--r-- 1 root root 627 Oct 23 20:23 /usr/local/share/ca-certificates/Caddy_Local_Authority_-_2020_ECC_Root_81229713952639004777245312604640354755.crt root@elite-pi:/var/lib/caddy# ls -l /var/lib/caddy/.local/share/caddy/pki/authorities/local/root.crt -rw------- 1 caddy caddy 627 Oct 23 13:00 /var/lib/caddy/.local/share/caddy/pki/authorities/local/root.crt ``` Given the close timeframes I'm assuming we ended up triggering this due to issue#4058 **WHY IS TLS BREAKING?** The following shows that indeed, the current certificate that caddy is using is different than what is in the system CA certificate trusts. I've trunicated the full certificate detail (...) to focus on the key elements in the trust evaluation and what qualifies as "uniqueness". First we examine what the caddy runtime has as a local root CA. Note that Issuer and Subject DN are always the same in a root CA certificate. The serial number and subject key identifyer are unique "fingerprint" like qualities of the certificate, while the Issuer and Subject DN are just names, and can be re-used over unique serial number and fingerprint without users realizing the certificate has changed... ``` root@elite-pi:/var/lib/caddy# openssl x509 -in /var/lib/caddy/.local/share/caddy/pki/authorities/local/root.crt -noout -text Certificate: ... Serial Number: e0:ce:9d:36:2e:25:55:07:1d:dc:9b:68:ec:fc:3c:5b ... Issuer: CN = Caddy Local Authority - 2020 ECC Root Validity Not Before: Oct 23 19:00:27 2020 GMT Not After : Sep 1 19:00:27 2030 GMT Subject: CN = Caddy Local Authority - 2020 ECC Root ... Subject Public Key Info: X509v3 Subject Key Identifier: 8A:92:A0:82:67:B0:C3:B6:D2:C2:CF:2A:ED:F8:D7:8B:6C:85:62:3D ``` And finally the "proof" of the problem, in that even tho "caddy trust" and caddy startup after config change indicate the CA is already installed, as you see below it is not the same certificate (focus on serial number and subject key identifier). Unfortunately, its the Distinguished Name that is used as the point of selection at the RFC level (https://tools.ietf.org/html/rfc8446#section-4.2.4) so having duplicates or mismatched instances of different certificates with the same distinguished names (issuer/subject DN) is poison for trust evaluation. ``` root@elite-pi:/var/lib/caddy# openssl x509 -noout -text -in /usr/local/share/ca-certificates/Caddy_Local_Authority_-_2020_ECC_Root_81229713952639004777245312604640354755.crt Certificate: ... Serial Number: 3d:1c:46:1a:df:53:26:9c:6d:b5:91:f4:0a:87:a1:c3 ... Issuer: CN = Caddy Local Authority - 2020 ECC Root Validity Not Before: Oct 24 02:23:05 2020 GMT Not After : Sep 2 02:23:05 2030 GMT Subject: CN = Caddy Local Authority - 2020 ECC Root ... X509v3 Subject Key Identifier: EB:1E:1E:8F:AD:E1:6D:5F:58:94:3F:0F:58:E0:4F:8C:5F:2D:00:3A ``` **So I would suggest as a fix:** Use unique subject DN strings for caddy generated local CA's, so something like the following where the CA is absolutely uniqe to that node at the moment of time of generation (hash or uuid seeded by mac address and current system time? user configured unique value?) regardless whatever it is the issuer/subject DN should include a unique-string for that system. ``` Issuer: CN = Caddy Local Authority - 2020 ECC Root [unique-string] ``` This same issue could arise over collisions in clients importing the caddy CA for whatever reason where multiple discrete caddy deployments are being run in an internal scenario, using their local CA's. For example an intranet scenario where a number of services integrated together, need to connect to each over TLS through discrete local caddy CA instances.

github.com/caddyserver/caddy

Rework `caddy trust` to use the admin API for fetching the root cert

opened 05:37AM - 11 Mar 21 UTC

closed 06:08PM - 02 Mar 22 UTC

tgelite

feature

I’m trying to script setup and configuration of caddy server based on a custom d…ownload that includes additional plugins (caddy-auth-portal, caddy-auth-jwt, caddy-trace, and various caddy-dns modules ). During setup, the caddy unit file is configured to run caddy as a non priveledged user (by design). To get certificates configured properly we are attempting to use the caddy trust command as root during install/config. I think this is performing the trust install based on the default caddy CA location created upon install, rather than the custom storage file_system root declaration I’m passing in my /etc/caddy/Caddyfile (provided below) The result is on first startup from systemctl is throwing errors indicating it can not import the root ca because the service is not running as a priveledged user. What would be nice is to be able to run caddy trust as root, indicating the custom location for all local CA certificate files. Here is an example of the preamble to the Caddyfile configuration I use to expose the certificate deployment for shared use by our combined components on the processing node. In this scenario letsEncrypt/ZeroTLS is not being used... { storage file_system { root /opt/caddy/storage } local_certs http_port 80 https_port 443 } The rest of our deployment detail is in forum issue https://caddy.community/t/new-feature-caddy-trust-with-support-for-config-switch/11606

6. Links to relevant resources:

Why we are chasing non root services configuration:

francislavoie · March 24, 2021, 3:15am

You can run the internal issuer/local CA as non-root, but then Caddy won’t be able to install the root CA cert automatically in your system’s trust store. But you can do that yourself manually.

You can find the root CA cert in Caddy’s storage location (depends how you run Caddy), at pki/authorities/local/root.crt

You can find plenty of guides online for how to install certificates in linux or your browsers.

That should be all you need.

agrajag · March 24, 2021, 4:28am

Francis, thanks. Indeed I do know how to do that manually. We will look at first setup being the point of manual insertion & configuration.

When I first posted I was lamenting CA rollover, however, when examining the Caddy root CA, its a 10 year lifetime (I was assuming its 1 year), so worrying about automation to capture the CA rollover is moot at that scale.

root@elite-pi:/home/caddy/.local/share/caddy/pki/authorities/local# openssl x509 -in /home/caddy/.local/share/caddy/pki/authorities/local/root.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            fc:31:3e:dc:28:55:8f:51:86:8d:97:47:56:11:1a:fb
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN = Caddy Local Authority - 2021 ECC Root
        Validity
            Not Before: Mar 24 04:06:13 2021 GMT
            Not After : Jan 31 04:06:13 2031 GMT
        Subject: CN = Caddy Local Authority - 2021 ECC Root

One other thing I noticed was the announce over sudo being available for the caddy user, which means its at least trying to get it installed as non root user.

We could provide a restrictive sudoers file definition for caddy to execute this step… is there a full breakdown of the commands caddy is attempting to run (beyond the “tee” indicated as I assume there is a chain of errors behind it waiting) I’ve been looking at caddy/autohttps.go at master · caddyserver/caddy · GitHub but I’m not seeing when/where the system level commands to actually inject the caddy CA are being run to create a set of more specific sudoers file rules for what caddy can do as root…

Mar 23 22:06:14 elite-pi caddy[8649]: {"level":"warn","ts":1616558774.066763,"logger":"pki.ca.local","msg":"installing root certificate (you might be prompted for password)","path":"storage:pki/authorities/local/root.crt"}
Mar 23 22:06:14 elite-pi caddy[8649]: 2021/03/23 22:06:14 not NSS security databases found
Mar 23 22:06:14 elite-pi caddy[8649]: 2021/03/23 22:06:14 define JAVA_HOME environment variable to use the Java trust
Mar 23 22:06:14 elite-pi sudo[8659]: pam_unix(sudo:auth): conversation failed
Mar 23 22:06:14 elite-pi sudo[8659]: pam_unix(sudo:auth): auth could not identify password for [caddy]
Mar 23 22:06:14 elite-pi sudo[8659]:    caddy : user NOT in sudoers ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/tee /usr/local/share/ca-certificates/Caddy_Local_Authority_-_2021_ECC_Root_335221152435941021957087867284048911099.crt
Mar 23 22:06:14 elite-pi caddy[8649]: {"level":"error","ts":1616558774.0844543,"logger":"pki.ca.local","msg":"failed to install root certificate","error":"failed to execute sudo: exit status 1","certificate_file":"storage:pki/authorities/local/root.crt"}

That “tee” command being referenced is probably part of a larger string of commands piping the output of that certificate into another larger set of commands?

agrajag · March 24, 2021, 4:50am

So blasting sudoers to allow caddy to do anything works (as expected) but it would be nice to define a “template” to share with community on what the actual commands are to exception for caddy in the /etc/sudoers file.

A cookie crumb trail into github on where to be reading through to understand the system commands would be Awesome </jazz hands>

francislavoie · March 24, 2021, 5:19am

The trust stuff is in the smallstep libs, I think specifically here:

agrajag · March 26, 2021, 1:17am

So its looking like the “tee” that is visible in the logging, is the OS level command being run that needs priveledged access.

github.com

smallstep/truststore/blob/23dd8829443eb0fd7dbb4e43bc22d2ab7a1affa3/truststore_linux.go#L68-L73

    
      
          	cmd := CommandWithSudo("tee", systemTrustFilename(cert))
          	cmd.Stdin = bytes.NewReader(data)
          	out, err := cmd.CombinedOutput()
          	if err != nil {
          		return NewCmdError(err, cmd, out)
          	}

The next command with sudo is here, and its responsible for establishing the system trust once tee has placed the caddy local CA root certificate in place to be configured over. This is what invokes the proper command, but the the logic that selects the command based on the implementation is in the if/then logic’s init function…

github.com

smallstep/truststore/blob/23dd8829443eb0fd7dbb4e43bc22d2ab7a1affa3/truststore_linux.go#L75-L79

    
      
          	cmd = CommandWithSudo(SystemTrustCommand...)
          	out, err = cmd.CombinedOutput()
          	if err != nil {
          		return NewCmdError(err, cmd, out)
          	}

The init function code is checking if paths exist based on the linux distro its on, and then picking out its proper command to use in the systemTrustCommand. That logic is laid out here:

github.com

smallstep/truststore/blob/23dd8829443eb0fd7dbb4e43bc22d2ab7a1affa3/truststore_linux.go#L30-L47

    
      
          func init() {
          	if pathExists("/etc/pki/ca-trust/source/anchors/") {
          		SystemTrustFilename = "/etc/pki/ca-trust/source/anchors/%s.pem"
          		SystemTrustCommand = []string{"update-ca-trust", "extract"}
          	} else if pathExists("/usr/local/share/ca-certificates/") {
          		SystemTrustFilename = "/usr/local/share/ca-certificates/%s.crt"
          		SystemTrustCommand = []string{"update-ca-certificates"}
          	} else if pathExists("/etc/ca-certificates/trust-source/anchors/") {
          		SystemTrustFilename = "/etc/ca-certificates/trust-source/anchors/%s.crt"
          		SystemTrustCommand = []string{"trust", "extract-compat"}
          	}
          	if SystemTrustCommand != nil {
          		_, err := exec.LookPath(SystemTrustCommand[0])
          		if err != nil {
          			SystemTrustCommand = nil
          		}
          	}
          }

So based on our build environment (raspbian lite / debian on ARM7) the command line would be

update-ca-certificates

SO our /etc/sudoers will have the following (if you are playing along from home folks, use sudo visudo !!!)

This still needs fine tuning to strip away caddy being able to run commands as ALL users, I’m reading for more context there and will update…

caddy  ALL=(ALL) NOPASSWD: /usr/bin/tee, /usr/sbin/update-ca-certificates

agrajag · March 30, 2021, 3:07pm

Ok so we are still missing a step in that the final trust configuration is still failing with just those two commands enabled for cady.

Mar 30 09:02:32 elite-pi caddy[1275]: {"level":"error","ts":1617116552.1770575,"logger":"pki.ca.local","msg":"failed to install root certificate","error":"failed to execute sudo: exit status 1","certificate_file":"storage:pki/authorities/local/root.crt"}

I’ll continue to review, might be subcommands within the update-ca-certificates

agrajag · March 31, 2021, 12:52am

Trying to track down where this is, I cant get a clean strace as the caddy user of the process

agrajag · March 31, 2021, 1:49am

Oh this is absolutely brutal, I give up. So the difference between what is working and what doesn’t work is the fact that a user with sudo that has a login shell for their account, performs the certificate update with no issue, while the hardened user we intend to use that has /usr/sbin/nologin fails

As the caddy user who has /usr/sbin/nologin but identical sudoers file config for all/all nopasswd, it fails.

caddy:x:998:1002:Caddy web server:/var/lib/caddy:/usr/sbin/nologin

Mar 30 19:33:41 elite-pi caddy[988]: {"level":"warn","ts":1617154421.0475287,"logger":"pki.ca.local","msg":"installing root certificate (you might be prompted for password)","path":"storage:pki/authorities/local/root.crt"}
Mar 30 19:33:41 elite-pi caddy[988]: 2021/03/30 19:33:41 not NSS security databases found
Mar 30 19:33:41 elite-pi caddy[988]: 2021/03/30 19:33:41 define JAVA_HOME environment variable to use the Java trust
Mar 30 19:33:41 elite-pi sudo[998]:    caddy : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/tee /usr/local/share/ca-certificates/Caddy_Local_Authority_-_2021_ECC_Root_295918027004045786159331586156969744716.crt
Mar 30 19:33:41 elite-pi sudo[998]: pam_unix(sudo:session): session opened for user root by (uid=0)
Mar 30 19:33:41 elite-pi sudo[998]: pam_unix(sudo:session): session closed for user root
Mar 30 19:33:41 elite-pi caddy[988]: {"level":"error","ts":1617154421.0718782,"logger":"pki.ca.local","msg":"failed to install root certificate","error":"failed to execute sudo: exit status 1","certificate_file":"storage:pki/authorities/local/root.crt"}

where as the user that has login shell works

eeuser:x:1001:1001::/home/eeuser:/bin/bash

2021/03/31 01:47:42.142 INFO    admin   admin endpoint started  {"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["127.0.0.1:2019", "localhost:2019", "[::1]:2019"]}
2021/03/31 01:47:42.144 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0x3538230"}
2021/03/31 01:47:42.159 INFO    http    server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2021/03/31 01:47:42.160 INFO    http    enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2021/03/31 01:47:42.164 INFO    http.handlers.auth_portal       JWT token name found    {"instance_name": "portal-1", "token_name": "access_token"}
2021/03/31 01:47:42.165 WARN    http.handlers.auth_portal       JWT token origin not found, using default       {"instance_name": "portal-1"}
2021/03/31 01:47:42.166 INFO    http.handlers.auth_portal       local backend configuration     {"db_path": "/opt/caddy/auth/user_db.json", "require_mfa": false}
2021/03/31 01:47:42.172 INFO    http.handlers.auth_portal       validating local backend        {"db_path": "/opt/caddy/auth/user_db.json"}
2021/03/31 01:47:42.188 INFO    http.handlers.auth_portal       JWT token validator provisioned {"instance_name": "portal-1", "access_list": [{"action":"allow","values":["anonymous","guest","*"],"claim":"roles"}]}
2021/03/31 01:47:42.190 INFO    http.handlers.auth_portal       provisioned plugin instance     {"instance_name": "portal-1", "started_at": "2021/03/31 01:47:42.164"}
2021/03/31 01:47:42.192 INFO    http.authentication.providers.jwt       provisioned plugin instance     {"instance_name": "jwt-4", "started_at": "2021/03/31 01:47:42.191"}
2021/03/31 01:47:42.283 WARN    pki.ca.local    installing root certificate (you might be prompted for password)        {"path": "storage:pki/authorities/local/root.crt"}
2021/03/30 19:47:42 not NSS security databases found
2021/03/30 19:47:42 define JAVA_HOME environment variable to use the Java trust
2021/03/30 19:47:46 certificate installed properly in linux trusts
2021/03/31 01:47:46.192 INFO    tls     cleaned up storage units
2021/03/31 01:47:46.193 INFO    http    enabling automatic TLS certificate management   {"domains": ["192.168.37.127", "mg.int.elite-env.com"]}

agrajag · March 31, 2021, 10:02pm

So we are falling back to our original plan of running caddy trust in a controlled way during setup, now that the caddy user has shell we can do it from our setup script.

/bin/su -c "(/usr/bin/caddy trust)" - caddy

I dont have time to rebuild based on caddy being root to test, but I’m really wondering if caddy sets up trust from a caddyfile that is already configured with https and local_certs as setting, when starting up from a systemd unit file… If anyone could share journalctl -xe output of a root based caddy starting up from systemctl, properly setting up local CA in the current 2.4.0beta that would be very helpful.

system · April 23, 2021, 1:44am

This topic was automatically closed after 30 days. New replies are no longer allowed.

1. Caddy version (caddy version):

caddy version

2. How I run Caddy:

a. System environment:

b. Command:

c. Service/unit/compose file:

d. My complete Caddyfile or JSON config:

3. The problem I’m having:

4. Error messages and/or full log output:

5. What I already tried:

6. Links to relevant resources:

1. Caddy version (`caddy version`):