SSL for IP? ZeroSSL provides that

1. Output of caddy version:

v2.6.2 h1:wKoFIxpmOJLGl3QXoo6PNbYvGW4xLEgo32GPBEjWL8o=

2. How I run Caddy:

a. System environment: Docker

b. Command:

I run with docker-compose.

c. Service/unit/compose file:

version: '3'

services:
  caddy:
    image: caddy:alpine
    hostname: caddy
    container_name: caddy
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile

d. My complete Caddy config:

104.237.252.57 {
        root * /usr/share/caddy
        file_server
}

3. The problem I’m having:

It generates a certificate for my IP address, but it's only valid for one day:

Subject Alternative Names: IP Address:104.237.252.57
Valid From: November 28, 2022
Valid To: November 28, 2022

I checked the issued certificate in /data with Certificate Decoder.

4. Error messages and/or full log output:

{"level":"info","ts":1669661966.5556698,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["104.237.252.57"]}
{"level":"info","ts":1669661966.5573916,"logger":"tls.obtain","msg":"acquiring lock","identifier":"104.237.252.57"}
{"level":"info","ts":1669661966.5604575,"logger":"tls.obtain","msg":"lock acquired","identifier":"104.237.252.57"}
{"level":"info","ts":1669661966.5610628,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"104.237.252.57"}
{"level":"info","ts":1669661966.5824776,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1669661966.5829363,"msg":"serving initial configuration"}
{"level":"info","ts":1669661966.5917335,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"104.237.252.57"}
{"level":"info","ts":1669661966.5918114,"logger":"tls.obtain","msg":"releasing lock","identifier":"104.237.252.57"}
{"level":"warn","ts":1669661966.592534,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [104.237.252.57]: no OCSP server specified in certificate","identifiers":["104.237.252.57"]}

5. What I already tried:

I tried using zerossl-bot but no luck.

6. Links to relevant resources:

See this issue:

Essentially, it seems like they support IP certs via their REST API, but not via the ACME protocol.

Currently Caddy is set up to always generate certs using its internal issuer for IP certs, i.e. using its own CA (self-signed, ish) because none of the ACME issuers actually seem to support IP certs.


Thanks,
I am trying both via the REST API and the Caddyfile.
This is my new Caddyfile:

{
	http_port 80
	https_port 443
	# acme_ca https://acme.zerossl.com/v2/DV90 # it throws error: acme_ca is unknown directive
	acme_eab {
		key_id  KEY_ID
		mac_key MAC_KEY
	}
}

104.237.252.58 {
	root * /usr/share/caddy
	file_server
}

This is docker logs caddy:

{"level":"info","ts":1669720185.4050546,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"info","ts":1669720185.4062505,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1669720185.406399,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["104.237.252.58"]}
{"level":"warn","ts":1669720185.4103563,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [104.237.252.58]: no OCSP server specified in certificate","identifiers":["104.237.252.58"]}
{"level":"info","ts":1669720185.4110456,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1669720185.411852,"msg":"serving initial configuration"}

Regarding the REST API, I am trying to use curl but I cannot find any examples.
I tried something myself, but it does not work.
Do you have any example for the REST API?

I don’t. It’s not a pattern supported by Caddy itself. You’ll need to reach out to ZeroSSL for help.

Like I said, Caddy always uses its internal issuer for sites using an IP address. It completely ignores your ACME config.
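The certificate Caddy's internal issuer produces for an IP site has exactly the properties the thread shows: an IP SAN rather than a DNS name, a short lifetime (the decoder output above spans a single day; the internal issuer's default leaf lifetime is 12 hours), no OCSP responder URL (which is why the "stapling OCSP" warning appears), and a chain to a locally generated root that no ordinary client trusts. The Go program below is an added example, not part of this thread and not Caddy's own PKI code. It builds a throwaway root CA and a leaf of that shape, then runs the checks a practitioner would run on a certificate pulled from Caddy's /data directory: which IPs the SAN names, how long it is valid, whether an OCSP URL is present, and whether a client with or without the local root installed would accept it for https://104.237.252.57/. The CA name "Example Local Authority" and the 12-hour lifetime are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// CertReport: the fields worth checking on a certificate served for a bare IP.
type CertReport struct {
	IssuerCN string        // who signed it (a public CA or a local one)
	IPSANs   []net.IP      // IP SAN entries; clients match https://<ip>/ against these
	Lifetime time.Duration // NotAfter - NotBefore
	HasOCSP  bool          // an OCSP responder URL is present (Caddy's log says none)
}

// Inspect summarises cert into a CertReport.
func Inspect(cert *x509.Certificate) CertReport {
	return CertReport{
		IssuerCN: cert.Issuer.CommonName,
		IPSANs:   cert.IPAddresses,
		Lifetime: cert.NotAfter.Sub(cert.NotBefore),
		HasOCSP:  len(cert.OCSPServer) > 0,
	}
}

// VerifyForHost chains leaf to root (nil models a client without the local root
// installed, i.e. any ordinary browser) and checks validity for host, an IP literal here.
func VerifyForHost(leaf, root *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	if root != nil {
		roots.AddCert(root)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// IssueLocalIPCert creates a throwaway root CA named caName (assumed name) and has it
// sign a leaf whose only SAN is ipStr, valid for lifetime, with no OCSP URL. Example code, not Caddy's.
func IssueLocalIPCert(caName, ipStr string, lifetime time.Duration) (leaf, root *x509.Certificate, err error) {
	ip := net.ParseIP(ipStr)
	if ip == nil {
		return nil, nil, fmt.Errorf("%q is not an IP address", ipStr)
	}
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now().UTC().Truncate(time.Second) // X.509 stores whole seconds
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: caName},
		NotBefore:             now,
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if root, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		NotBefore:    now,
		NotAfter:     now.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{ip}, // no DNSNames, no OCSPServer
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return leaf, root, err
}

func main() {
	leaf, root, err := IssueLocalIPCert("Example Local Authority", "104.237.252.57", 12*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\nwith local root: %v\nordinary client: %v\n", Inspect(leaf),
		VerifyForHost(leaf, root, "104.237.252.57"), VerifyForHost(leaf, nil, "104.237.252.57"))
}
```

To run the same checks on a certificate Caddy actually issued, decode the PEM from /data with pem.Decode and x509.ParseCertificate and pass the result to Inspect; the same goes for what `openssl s_client -connect <ip>:443` returns. The VerifyForHost call with a nil root failing is the practical consequence of the maintainer's point: a browser will not accept an internal-issuer certificate for the IP unless Caddy's local root CA has been installed on that client.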
