Self-signed certificate is not accepted

I installed Caddy locally on my Mac to try it out. Using this minimal Caddyfile:

foo {
  tls self_signed
  browse
}

And putting 127.0.0.1 foo in my hosts file, Chrome does not accept the certificate:

Your connection is not private

Attackers might be trying to steal your information from foo (for example, passwords, messages, or credit cards). NET::ERR_CERT_AUTHORITY_INVALID
Subject: Caddy Self-Signed
Issuer: Caddy Self-Signed
Expires on: Jun 29, 2017
Current date: Jun 22, 2017
PEM encoded chain:

Curl also doesn’t like it:

❯ curl -v https://foo:2015
* Rebuilt URL to: https://foo:2015/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to foo (127.0.0.1) port 2015 (#0)
* SSL certificate problem: Invalid certificate chain
* Curl_http_done: called premature == 1
* Closing connection 0

The setup is too minimal for anything to be configured wrong, I think. Is the self-signed certificate process broken maybe?

This is intended behaviour. Your client (cURL or Chrome) will never accept a self-signed certificate as valid because it is not signed by a Certificate Authority known to and trusted by your operating system.

Caddy won’t install its self-signing CA certificate into the trusted CA store of your OS, so you’d need to generate your own CA, add it to your trusted CA store, self-sign your own certificate, and use it in Caddy with the tls cert key form.

Alternately, you can bypass the Chrome warning (I think the shortcut is to type “badidea” on the keyboard, or just expand the info and click through), or tell cURL not to validate the certificate with the -k (--insecure) flag.

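The procedure the reply describes (own CA, trusted locally, signing a leaf for "foo", handed to Caddy via the tls cert key form), as an added example that is not code from this thread or from the Caddy project. It assumes openssl is installed; every file name and subject in it is chosen here.

```bash
#!/usr/bin/env bash
# Added example: build a private CA, sign a leaf certificate for the host
# "foo" with it, check the chain the way a trusting client would, and write
# a Caddyfile that uses the pair. All paths and subjects are assumptions.
set -eu

make_ca() {    # $1 = directory to write ca.key / ca.pem into
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/ca.key"
  openssl req -new -key "$1/ca.key" -subj "/O=Local Dev CA" -out "$1/ca.csr"
  # Mark the root as a CA; clients reject an issuer that lacks this flag.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' \
    > "$1/ca.ext"
  openssl x509 -req -in "$1/ca.csr" -signkey "$1/ca.key" -days 365 -sha256 \
    -extfile "$1/ca.ext" -out "$1/ca.pem"
}

make_leaf() {  # $1 = directory, $2 = hostname (the "foo" from the hosts file)
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/$2.key"
  openssl req -new -key "$1/$2.key" -subj "/CN=$2" -out "$1/$2.csr"
  # Chrome ignores the CN and requires a subjectAltName matching the host.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$2" > "$1/$2.ext"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$1/$2.ext" -out "$1/$2.pem"
}

# The check a client makes once ca.pem is in its trust store: the leaf must
# chain to the CA and carry a name matching the host. Exit status 0 = valid.
verify_chain() {  # $1 = directory, $2 = hostname
  openssl verify -CAfile "$1/ca.pem" -verify_hostname "$2" "$1/$2.pem" >/dev/null
}

write_caddyfile() {  # $1 = directory, $2 = hostname
  cat > "$1/Caddyfile" <<EOF
$2 {
  tls $1/$2.pem $1/$2.key
  browse
}
EOF
}

# ca.pem (never ca.key) is what goes into the OS trust store, e.g. on macOS:
# security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca.pem
```

The leaf certificate and key stay with Caddy; only the CA certificate is imported, so removing that one entry later revokes trust in everything it signed.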

I see. Before this, I always generated my own self-signed certs, and added them to the macOS keychain. Since Caddy keeps it in memory this isn’t an option.

I am curious to see if this still works with HSTS, as this caused some problems in the past. If it doesn’t, I’ll report back here.

Thanks for clarifying.
