Starting with caddy2 - basic Caddyfile trying to use port 80

1. My Caddy version (caddy version):

./caddy version
v2.0.0-rc.1 h1:DxUlg4kMisXwXVnWND7KEPl1f+vjFpIOzYpKpfmwyj8=

2. How I run Caddy:

caddy run

a. System environment:

Ubuntu 18.04

b. Command:

caddy run

c. Service/unit/compose file:

NA

d. My complete Caddyfile or JSON config:

localhost:2016 {
  respond "Goodbye, world!"
}

3. The problem I’m having:

Following instructions at Caddyfile Quick-start — Caddy Documentation with a basic Caddyfile. Based on the Caddyfile, it seems it should be listening on port 2016, yet it tries to listen on port 80.

4. Error messages and/or full log output:

2020/04/07 14:59:09.042 ERROR pki.ca.local failed to install root certificate {"error": "trust not supported", "certificate_file": "storage:pki/authorities/local/root.crt"}
run: loading initial config: loading new config: http app module: start: tcp: listening on :80: listen tcp :80: bind: permission denied

5. What I already tried:

Works if I run as root, which is expected for port 80, but trying to understand why it is trying to listen on port 80 to begin with.

The very first line seems to indicate it is using the Caddyfile:
2020/04/07 14:59:09.000 INFO using adjacent Caddyfile

6. Links to relevant resources:

URL to the instructions I am trying to follow: Caddyfile Quick-start — Caddy Documentation

Caddy automatically redirects HTTP to HTTPS, and port 80 is the HTTP port.

You can customize the HTTP port though for internal purposes; see the http_port option: Global options (Caddyfile) — Caddy Documentation
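As an added example (not from the original thread), a Caddyfile that keeps the site on localhost:2016 but moves the automatic HTTP->HTTPS redirect listener off port 80 using the http_port global option mentioned above; the port number 8080 is an arbitrary choice:

```caddyfile
{
  # Global options block. With automatic HTTPS enabled for "localhost:2016",
  # Caddy also starts an HTTP->HTTPS redirect server on the HTTP port, which
  # defaults to 80 and needs root (or a capability) to bind. Moving it to an
  # unprivileged port lets an ordinary user run "caddy run".
  http_port 8080
}

# The site itself is still served over HTTPS on 2016 with the internal
# (locally trusted) issuer, exactly as in the original Caddyfile.
localhost:2016 {
  respond "Goodbye, world!"
}

# Alternative if no TLS is wanted at all: an explicit http:// scheme in the
# site address opts that site out of automatic HTTPS, so no redirect listener
# is started for it.
# http://localhost:2016 {
#   respond "Goodbye, world!"
# }
```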

Thanks. Will look into options.

This other part is also not working:

curl https://localhost:2016
Goodbye, world!

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Will go over the documentation to figure out how to serve an actual domain with DNS, but wanted to point out the issues with the instructions.

Hm, were you prompted for a password or anything? It should have installed the cert into your trust store. Did that fail?

This is the output when I try: caddy run

2020/04/07 20:42:13.204 INFO using adjacent Caddyfile
2020/04/07 20:42:13.205 INFO admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
2020/04/07 20:42:13.205 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
2020/04/07 13:42:13 [INFO][cache:0xc00072bb30] Started certificate maintenance routine
2020/04/07 20:42:13.214 INFO tls setting internal issuer for automation policy that has only internal subjects but no issuer configured {"subjects": ["localhost"]}
2020/04/07 20:42:13.215 INFO tls cleaned up storage units
2020/04/07 20:42:13.238 WARN pki.ca.local installing root certificate (you might be prompted for password) {"path": "storage:pki/authorities/local/root.crt"}
2020/04/07 13:42:13 Note: NSS support is not available on your platform
2020/04/07 13:42:13 define JAVA_HOME environment variable to use the Java trust
2020/04/07 20:42:13.238 ERROR pki.ca.local failed to install root certificate {"error": "trust not supported", "certificate_file": "storage:pki/authorities/local/root.crt"}
2020/04/07 20:42:13.238 INFO http enabling automatic TLS certificate management {"domains": ["localhost"]}
2020/04/07 13:42:13 [WARNING] Stapling OCSP: no OCSP stapling for [localhost]: no OCSP server specified in certificate
2020/04/07 20:42:13.239 INFO autosaved config {"file": "/root/.config/caddy/autosave.json"}
2020/04/07 20:42:13.239 INFO serving initial configuration

It mentions that I may be prompted for a password, but there was no prompt.

Ah, what happens if you use the latest on master? (You can find CI artifacts to download rather than building from source if you prefer.) We fixed something there recently related to those errors.

root@web.natserv.net:/home/francisco#./caddy version
(devel)

Built from the latest code on GitHub.

#./caddy run
2020/04/08 17:48:13.857 INFO using adjacent Caddyfile
2020/04/08 17:48:13.858 INFO admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
2020/04/08 17:48:13.858 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
2020/04/08 10:48:13 [INFO][cache:0xc000279b30] Started certificate maintenance routine
2020/04/08 17:48:13.872 INFO tls setting internal issuer for automation policy that has only internal subjects but no issuer configured {"subjects": ["localhost"]}
2020/04/08 17:48:13.872 INFO tls cleaned up storage units
2020/04/08 17:48:13.890 WARN pki.ca.local installing root certificate (you might be prompted for password) {"path": "storage:pki/authorities/local/root.crt"}
2020/04/08 10:48:13 Note: NSS support is not available on your platform
2020/04/08 10:48:13 define JAVA_HOME environment variable to use the Java trust
2020/04/08 17:48:13.890 ERROR pki.ca.local failed to install root certificate {"error": "trust not supported", "certificate_file": "storage:pki/authorities/local/root.crt"}
2020/04/08 17:48:13.890 INFO http enabling automatic TLS certificate management {"domains": ["localhost"]}
2020/04/08 10:48:13 [WARNING] Stapling OCSP: no OCSP stapling for [localhost]: no OCSP server specified in certificate
2020/04/08 17:48:13.891 INFO autosaved config {"file": "/root/.config/caddy/autosave.json"}
2020/04/08 17:48:13.891 INFO serving initial configuration
2020/04/08 10:48:46 http: TLS handshake error from 174.136.110.235:15936: local error: tls: bad record MAC

Still, I was not prompted for a password.

Judging by your paste, it looks like you’re running as root already, so you won’t get a password prompt.

And from this log line:

2020/04/08 17:48:13.890 ERROR pki.ca.local failed to install root certificate {"error": "trust not supported", "certificate_file": "storage:pki/authorities/local/root.crt"}

It seems like your system isn’t supported for the automatic trust store installation for some reason. You can always install the cert manually as a workaround.

Also, a correction… I am trying this on FreeBSD. Will try on Ubuntu 18.04 (which is my desktop, but was actually deploying to FreeBSD).


Oh. That’s why. GitHub - FiloSottile/mkcert: A simple zero-config tool to make locally trusted development certificates with any names you'd like.

You’re the first I’ve heard of using FreeBSD. Maybe file an issue upstream?
