TLS Handshake error when reverse proxy requesting certificate

Whitestrake · May 14, 2023, 11:35pm

These errors from the backend:

Agrees with these errors from the frontend:

In that, during the attempt to requisition an ACME certificate from https://oin.dwarf/home/oin/.local, the backend could not verify the frontend certificate for oin.dwarf, and thus aborted the ACME attempt.

Have you followed this part of the guide you linked, specifically?

Use Caddy for local HTTPS (TLS) between front-end reverse proxy and LAN hosts

To request a certificate, a root certificate from the server is required. (Read this blog from Mike Malone to understand why). Once you have started the Caddy service on the frontend for the first time and there are no errors, a file named root.crt is generated in .local/share/caddy/pki/authorities/local

NOTE: The absolute path for the certificate depends on how you run Caddy. Typically when you use systemd the absolute path will be /var/lib/caddy/.local/share/caddy/pki/authorities/local but if you run caddy with caddy start the path .local/share/caddy/pki/authorities/local

You will have to copy this file to the backend and point to it in the Caddyfile. In the above example the file root.crt has been copied to /etc/ssl/certs/root.crt will be created in the in the directory you initiated the command (and where the Caddyfile is located).

If you have, I suspect there may be some issue with the backend recognising the root certificate you copied. If done correctly, the backend Caddy will explicitly trust the Caddy Local Authority - 2023 ECC Root issued certificate.