[Solved] Wrong certificate for available domains

1. Caddy version (caddy version):

2.4.0

2. How I run Caddy:

a. System environment:

Docker

b. Command:

docker run --detach --publish 80:80 --publish 443:443 --name "caddy" --volume "$PWD/Caddyfile:/etc/caddy/Caddyfile" --volume "caddy_data:/data" --volume "$PWD/certs:/certs" caddy

c. Service/unit/compose file:

N/A

d. My complete Caddyfile or JSON config:

{
    debug
    local_certs
}
(InternalAccess) {
    @InternalNetwork {
        remote_ip 192.168.0.0/24
    }
}
(Headers) {
    header {
        -Server
    }
}
(Compression) {
    encode zstd gzip
}
(Handle404) {
    @404 {
        status 404
    }
    handle_response @404 {
        respond 404
    }
}
(AccessLog) {
    log
}
(DefaultResponse) {
    respond 404
}
:443 {
    import AccessLog
    import Headers
    import Compression
    tls /certs/default.crt /certs/default.key
    import DefaultResponse
}
guacamole.local {
    import AccessLog
    import Headers
    import Compression
    rewrite * /guacamole{path}
    reverse_proxy 192.168.0.104:8080 {
        import Handle404
    }
}
vaultwarden.local {
    import AccessLog
    import Headers
    import Compression
    import InternalAccess
    handle @InternalNetwork {
        reverse_proxy /notifications/hub 192.168.0.105:3012 {
            import Handle404
        }
        reverse_proxy 192.168.0.105:80 {
            header_up X-Real-IP {remote_host}
            import Handle404
        }
    }
    import DefaultResponse
}

3. The problem I’m having:

When I access these domains in the web browser, the certificate of the catch-all block is always displayed.

guacamole.local -> self-signed default cert [not ok]
vaultwarden.local -> self-signed default cert [not ok]
test.local -> self-signed default cert [ok]
bahamas.local -> self-signed default cert [ok]

The intended behavior would be

guacamole.local -> Caddy generated cert [ok]
vaultwarden.local -> Caddy generated cert [ok]
test.local -> self-signed default cert [ok]
bahamas.local -> self-signed default cert [ok]

Please, what am I doing wrong?

4. Error messages and/or full log output:

{"level":"info","ts":1621615739.3131924,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"warn","ts":1621615739.3155637,"msg":"input is not formatted with 'caddy fmt'","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
{"level":"info","ts":1621615739.316909,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
{"level":"info","ts":1621615739.3184674,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000276850"}
{"level":"warn","ts":1621615739.3390055,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [local]: no OCSP server specified in certificate"}
{"level":"info","ts":1621615739.3393815,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"warn","ts":1621615739.6958838,"logger":"pki.ca.local","msg":"installing root certificate (you might be prompted for password)","path":"storage:pki/authorities/local/root.crt"}
2021/05/21 16:48:59 Warning: "certutil" is not available, install "certutil" with "apt install libnss3-tools" or "yum install nss-tools" and try again
2021/05/21 16:48:59 define JAVA_HOME environment variable to use the Java trust
2021/05/21 16:48:59 certificate installed properly in linux trusts
{"level":"debug","ts":1621615739.8077984,"logger":"http","msg":"starting server loop","address":"[::]:443","http3":false,"tls":true}
{"level":"debug","ts":1621615739.807836,"logger":"http","msg":"starting server loop","address":"[::]:80","http3":false,"tls":false}
{"level":"info","ts":1621615739.8078413,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["guacamole.local","vaultwarden.local"]}
{"level":"info","ts":1621615739.808032,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1621615739.808045,"msg":"serving initial configuration"}
{"level":"info","ts":1621615739.808302,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"info","ts":1621615739.8083317,"logger":"tls.obtain","msg":"acquiring lock","identifier":"guacamole.local"}
{"level":"info","ts":1621615739.8085334,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1621615739.8090577,"logger":"tls.obtain","msg":"acquiring lock","identifier":"vaultwarden.local"}
{"level":"info","ts":1621615739.8148382,"logger":"tls.obtain","msg":"lock acquired","identifier":"guacamole.local"}
{"level":"info","ts":1621615739.8201706,"logger":"tls.obtain","msg":"lock acquired","identifier":"vaultwarden.local"}
{"level":"info","ts":1621615739.8201902,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"guacamole.local"}
{"level":"info","ts":1621615739.8205101,"logger":"tls.obtain","msg":"releasing lock","identifier":"guacamole.local"}
{"level":"warn","ts":1621615739.821255,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [guacamole.local]: no OCSP server specified in certificate"}
{"level":"info","ts":1621615739.8220675,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"vaultwarden.local"}
{"level":"info","ts":1621615739.8221374,"logger":"tls.obtain","msg":"releasing lock","identifier":"vaultwarden.local"}
{"level":"warn","ts":1621615739.8226361,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [vaultwarden.local]: no OCSP server specified in certificate"}

5. What I already tried:

Remove tls directive or force tls internal in catch-all block

guacamole.local -> Caddy generated cert [ok]
vaultwarden.local -> Caddy generated cert [ok]
test.local -> ERR_SSL_PROTOCOL_ERROR [not ok]
bahamas.local -> ERR_SSL_PROTOCOL_ERROR [not ok]
{"level":"debug","ts":1621617702.6297212,"logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.0.7:53967: no certificate available for 'test.local'"}
{"level":"debug","ts":1621617702.6317542,"logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.0.7:53968: no certificate available for 'test.local'"}
{"level":"debug","ts":1621617703.1940742,"logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.0.7:53970: no certificate available for 'test.local'"}

6. Links to relevant resources:

N/A

When you use the local_certs global option, it overrides all sites to use the local CA. It’s just meant as a quick way to override everything for development purposes.

If you want other sites to use other certs, then remove local_certs and put tls internal on the ones that you want to have certs from the local CA.
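The configuration the reply describes, written out as an added example (not code from the original thread or from the Caddy project): the global local_certs option is dropped, the :443 catch-all keeps the pre-made default certificate from /certs, and only the two named sites opt in to the local CA with tls internal. The snippets from the question's Caddyfile are inlined to keep the example short; the upstream addresses, the remote_ip range and the /certs paths are the ones from the question, not values the reply specifies.

```caddyfile
{
    debug
    # local_certs is intentionally absent: with it set, every site is forced
    # onto the local CA and the per-site tls directives below are overridden.
}

# Catch-all for any SNI that no named site claims (test.local, bahamas.local, ...).
# Serves the pre-made certificate instead of failing the handshake with
# "no certificate available".
:443 {
    log
    header -Server
    encode zstd gzip
    tls /certs/default.crt /certs/default.key
    respond 404
}

# Named sites opt in to the local CA individually.
guacamole.local {
    log
    header -Server
    encode zstd gzip
    tls internal
    rewrite * /guacamole{path}
    reverse_proxy 192.168.0.104:8080
}

vaultwarden.local {
    log
    header -Server
    encode zstd gzip
    tls internal
    @InternalNetwork remote_ip 192.168.0.0/24
    handle @InternalNetwork {
        reverse_proxy /notifications/hub 192.168.0.105:3012
        reverse_proxy 192.168.0.105:80 {
            header_up X-Real-IP {remote_host}
        }
    }
    # Anything not from the internal network falls through to a 404.
    respond 404
}
```

After reloading, each name can be checked independently of the browser by varying the SNI, for example openssl s_client -connect 192.168.0.x:443 -servername guacamole.local versus -servername test.local: the issuer shown for the first should be the Caddy local CA, while the second should return the subject of /certs/default.crt. Because default.crt does not name test.local or bahamas.local, browsers will still warn on those hosts; that is the expected behaviour for the catch-all here, the fix only concerns which certificate is selected.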

Hi… Got it! Thank you so much for the quick reply.

