Self-signed certificate is not accepted

I installed Caddy locally on my Mac to try it out. Using this minimal Caddyfile:

foo {
  tls self_signed
}
And putting foo in my hosts file, Chrome does not accept the certificate:

Your connection is not private

Attackers might be trying to steal your information from foo (for example, passwords, messages, or credit cards). NET::ERR_CERT_AUTHORITY_INVALID
Subject: Caddy Self-Signed
Issuer: Caddy Self-Signed
Expires on: Jun 29, 2017
Current date: Jun 22, 2017
PEM encoded chain:

Curl also doesn’t like it:

❯ curl -v https://foo:2015
* Rebuilt URL to: https://foo:2015/
*   Trying
* Connected to foo ( port 2015 (#0)
* SSL certificate problem: Invalid certificate chain
* Curl_http_done: called premature == 1
* Closing connection 0

The setup is too minimal for anything to be configured wrong, I think. Is the self-signed certificate process broken maybe?

This is intended behaviour. Your client (cURL or Chrome) will never accept a self-signed certificate as valid because it is not signed by a Certificate Authority known to and trusted by your operating system.

Caddy won’t install its self-signing CA certificate into the trusted CA store of your OS, so you’d need to generate your own CA, add it to your trusted CA store, self-sign your own certificate, and use it in Caddy with the tls cert key form.

Alternatively, you can bypass the Chrome warning (I think the shortcut is to type “badidea” on the keyboard, or just expand the info and click through), or tell cURL not to validate the certificate with the -k (--insecure) flag.

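The procedure the answer above describes (make your own CA, trust it, sign a leaf certificate for foo, point Caddy at the pair with the tls cert key form), worked through as an added example; this is not code from the thread or from the Caddy project. It assumes openssl on PATH, a CA named "Local Dev CA", and a scratch directory passed to each function; the trust_ca_macos function is the only step that touches the system keychain and is not run by the demo. It also reproduces the failure the post hit: the same leaf checked without the CA file is rejected, which is what NET::ERR_CERT_AUTHORITY_INVALID and curl's "Invalid certificate chain" mean. The leaf carries a subjectAltName because Chrome 58 and later ignore the CN and match the URL host against the SAN only.

```shell
#!/bin/sh
# Added example, not code from the Caddy forum thread or the Caddy project.
# Assumptions: openssl on PATH, CA name "Local Dev CA", scratch dir passed in.
set -eu

# Create a private CA in DIR: ca.key (private) and ca.crt (self-signed root).
# A local config file avoids depending on the system openssl.cnf.
make_ca() {
    dir=$1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Local Dev CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# Issue NAME.key / NAME.crt for hostname NAME, signed by the CA in DIR.
# The subjectAltName is what Chrome matches the URL host against (CN alone
# is ignored since Chrome 58); the EKU marks it as a server certificate.
make_leaf() {
    dir=$1; name=$2
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$name" \
        > "$dir/$name.cnf"
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/$name.cnf" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    cat > "$dir/$name.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$name
EOF
    openssl x509 -req -days 825 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# Check NAME.crt the way a client does. Prints "ok" when the chain reaches
# the CA file passed as the third argument; with no CA file it consults the
# default trust store only, prints "untrusted" and fails, which is the
# NET::ERR_CERT_AUTHORITY_INVALID / "Invalid certificate chain" situation.
verify_leaf() {
    dir=$1; name=$2; cafile=${3:-}
    if [ -n "$cafile" ]; then
        openssl verify -CAfile "$cafile" "$dir/$name.crt" >/dev/null 2>&1 \
            && { echo ok; return 0; }
    else
        openssl verify "$dir/$name.crt" >/dev/null 2>&1 && { echo ok; return 0; }
    fi
    echo untrusted
    return 1
}

# True when NAME.crt carries DNS:NAME in its subjectAltName.
leaf_has_san() {
    openssl x509 -in "$1/$2.crt" -noout -text | grep -q "DNS:$2"
}

# Caddyfile using the "tls cert key" form instead of "tls self_signed".
write_caddyfile() {
    dir=$1; name=$2
    cat > "$dir/Caddyfile" <<EOF
$name {
  tls $dir/$name.crt $dir/$name.key
}
EOF
}

# macOS only: trust the CA (never the leaf) as a root in the System keychain.
# Asks for sudo; this is the one step the demo below does not run for you.
trust_ca_macos() {
    sudo security add-trusted-cert -d -r trustRoot \
        -k /Library/Keychains/System.keychain "$1/ca.crt"
}

if [ "${1:-}" = demo ]; then
    work=$(mktemp -d)
    make_ca "$work"
    make_leaf "$work" foo
    write_caddyfile "$work" foo
    verify_leaf "$work" foo "$work/ca.crt"     # ok
    verify_leaf "$work" foo || true            # untrusted: the post's error
    echo "Caddyfile: $work/Caddyfile"
    echo "After trust_ca_macos $work: curl --cacert $work/ca.crt https://foo:2015/"
fi
```

Run it as `sh example.sh demo`, then start Caddy with the generated Caddyfile and point curl at the CA with --cacert (or trust the CA in the keychain and let Chrome and curl pick it up). Trust only ca.crt, never the leaf, and keep ca.key off any shared machine: whoever holds it can mint a certificate for any name your browser will accept.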

I see. Before this, I always generated my own self-signed certs and added them to the macOS keychain. Since Caddy keeps it in memory, this isn’t an option.

I am curious to see if this still works with HSTS, as this caused some problems in the past. If it doesn’t, I’ll report back here.

Thanks for clarifying.
