1. The problem I’m having:
I have a service reverse proxied with Caddy on macOS and two clients trying to connect to it.
I get 3 certificates: root.crt, intermediate.crt, service.crt (which is leaf + intermediate).
On the macOS client (another device, not the server), I trusted root.crt in Keychain Access, and it works fine.
On the Ubuntu client, I cannot connect to the service. I tried curl --cacert to pass several different certificates and always get the same error. curl -k works with no problem.
Combinations I’ve tried:
- root
- leaf + intermediate
- leaf + intermediate + root
- intermediate + root
2. Error messages and/or full log output:
curl --cacert ~/ollma.local.crt https://ollama.local:8443 -v
* Host ollama.local:8443 was resolved.
* IPv6: (none)
* IPv4: 192.168.178.48
* Trying 192.168.178.48:8443...
* Connected to ollama.local (192.168.178.48) port 8443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /home/anqi/ollma.local.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection
curl: (60) SSL certificate problem: unable to get local issuer certificate
3. Caddy version:
v2.10.0
4. How I installed and ran Caddy:
a. System environment:
macOS
b. Command:
brew install caddy
c. Service/unit/compose file:
d. My complete Caddy config:
{
    skip_install_trust
}
https://ollama.local:8443 {
    reverse_proxy 127.0.0.1:11434
    tls internal
}
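The verification behaviour behind the error above, as an added example that is not part of the original post or of Caddy's own code: a POSIX shell script that generates its own root -> intermediate -> leaf chain with openssl (the CA names and the ollama.local SAN are illustrative assumptions), then runs openssl verify with the same kinds of trust-file combinations the post lists. curl's OpenSSL backend reports the same X509 result codes (wrapped in its error 60), and recent curl enables partial-chain verification by default, which the -partial_chain case models. The thing to take from it: code 20, "unable to get local issuer certificate", means the verifier found nothing in the trust file that issues any certificate in the presented chain, so it appears both when the server sends only the leaf and when the file holds a root that is not the one that signed the intermediate, even though the full chain was presented.

```shell
#!/bin/sh
# Added example, not part of the original post or of Caddy: reproduce the
# OpenSSL verifier's behaviour for the trust-file combinations listed above,
# using a freshly generated root -> intermediate -> leaf chain. The CA names
# and the ollama.local SAN are illustrative assumptions, not Caddy's real ones.
set -eu

CHAIN=""   # directory holding the generated PEM files, set by make_chain

# Generate a three-level chain plus an unrelated second root (once).
make_chain() {
    if [ -n "$CHAIN" ] && [ -d "$CHAIN" ]; then return 0; fi
    CHAIN=$(mktemp -d)
    trap 'rm -rf "$CHAIN"' EXIT
    (
        cd "$CHAIN"
        # CA certs need CA:TRUE, otherwise OpenSSL refuses them as issuers
        # ("invalid CA certificate"); the leaf carries the host name as a SAN.
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
        printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:ollama.local\n' > leaf.ext
        for n in root other intermediate leaf; do
            openssl ecparam -name prime256v1 -genkey -noout -out "$n.key"
        done
        # Two self-signed roots: "root" anchors the chain, "other" stands in for
        # a root file that does not belong to this chain (wrong or stale CA).
        openssl req -new -key root.key  -subj "/CN=Example Root" -out root.csr
        openssl x509 -req -in root.csr  -signkey root.key  -days 30 -extfile ca.ext -out root.crt  2>/dev/null
        openssl req -new -key other.key -subj "/CN=Other Root"   -out other.csr
        openssl x509 -req -in other.csr -signkey other.key -days 30 -extfile ca.ext -out other.crt 2>/dev/null
        # Intermediate signed by root, leaf signed by intermediate.
        openssl req -new -key intermediate.key -subj "/CN=Example Intermediate" -out intermediate.csr
        openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key -CAcreateserial \
            -days 30 -extfile ca.ext -out intermediate.crt 2>/dev/null
        openssl req -new -key leaf.key -subj "/CN=ollama.local" -out leaf.csr
        openssl x509 -req -in leaf.csr -CA intermediate.crt -CAkey intermediate.key -CAcreateserial \
            -days 30 -extfile leaf.ext -out leaf.crt 2>/dev/null
        # Bundles in the shapes the post mentions: the "service" file
        # (leaf + intermediate) and a trust file holding intermediate + root.
        cat leaf.crt intermediate.crt > service.crt
        cat intermediate.crt root.crt > int_and_root.crt
    )
}

# Print subject/issuer of every certificate in a PEM bundle: the first thing
# to check when a --cacert file "should" work is what it actually contains.
list_bundle() {
    (cd "$CHAIN" && openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout)
}

# Run "openssl verify" (paths relative to $CHAIN) and echo the X509 result:
# 0 on success, otherwise the numeric code from the "error N at D depth lookup"
# line. 20 is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, the error in the post.
verify_code() {
    if out=$(cd "$CHAIN" && openssl verify "$@" 2>&1); then
        echo 0
    else
        echo "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
    fi
}

main() {
    make_chain
    echo "== contents of service.crt (leaf + intermediate) =="
    list_bundle service.crt
    echo "== openssl verify result codes (0 = OK) =="
    # -untrusted models the intermediate the server sends alongside the leaf.
    echo "root.crt as trust file, leaf+intermediate presented:   $(verify_code -CAfile root.crt -untrusted intermediate.crt leaf.crt)"
    echo "intermediate+root bundle as trust file, leaf only:     $(verify_code -CAfile int_and_root.crt leaf.crt)"
    echo "intermediate as trust anchor with partial chains:      $(verify_code -CAfile intermediate.crt -partial_chain leaf.crt)"
    echo "root.crt as trust file, server sends only the leaf:    $(verify_code -CAfile root.crt leaf.crt)"
    echo "unrelated root as trust file, full chain presented:    $(verify_code -CAfile other.crt -untrusted intermediate.crt leaf.crt)"
}
main
```

Run it with sh on any machine that has openssl. To apply the same checks to the real setup, capture what Caddy actually presents with openssl s_client -connect ollama.local:8443 -servername ollama.local -showcerts, save those certificates in place of the generated leaf and intermediate, and use list_bundle (or the crl2pkcs7 pipeline it wraps) on ~/ollma.local.crt to confirm which subjects are really in the file handed to --cacert.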