TLS internal, invalid certificate, lifetime

1. Output of caddy version:

v2.5.2 h1:eCJdLyEyAGzuQTa5Mh3gETnYWDClo1LjtQm2q9RNZrs=

2. How I run Caddy:

Under Docker, listening on :80 and :443

a. System environment:

Docker on Debian

b. Command:

docker restart caddy

c. Service/unit/compose file:

version: '3.9'

services:
    caddy:
        image: 'caddy:latest'
        container_name: 'caddy'
        restart: always
        ports:
            - '80:80'
            - '443:443'
        volumes:
            - './Caddyfile:/etc/caddy/Caddyfile'
            - './caddy_config:/config'
            - './caddy_data:/data'
        networks:
            - webgateway

networks:
    webgateway:
        external: true

d. My complete Caddy config:

{
	# Global options: verbose (debug-level) logging
	debug
}

# Plain-HTTP site: /plugins/fusioninventory/ is rewritten and proxied over
# HTTP; everything else is redirected to the HTTPS site.
http://glpi-test.exemple.fr {
	handle /plugins/fusioninventory/ {
		rewrite * /front/inventory.php
		reverse_proxy http://glpi
	}

	handle {
		redir https://glpi-test.exemple.fr{uri} 308
	}
}

# HTTPS site: the certificate is issued by Caddy's internal CA (tls internal),
# so clients must trust that CA's root certificate, not the leaf.
https://glpi-test.exemple.fr {
	reverse_proxy glpi
	rewrite /plugins/fusioninventory/ /front/inventory.php
	encode gzip
	tls internal
}

3. The problem I’m having:

I’m getting this message, and also the lifetime is only 12h.
(screenshot)

4. Error messages and/or full log output:

Example of some logs when I restart caddy container.

{"level":"info","ts":1662022544.543957,"logger":"admin","msg":"stopped previous server","address":"tcp/localhost:2019"}
{"level":"info","ts":1662022544.5439808,"msg":"shutdown complete","signal":"SIGTERM","exit_code":0}
{"level":"info","ts":1662022545.5124028,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"warn","ts":1662022545.5134559,"msg":"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":14}
{"level":"info","ts":1662022545.5142753,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1662022545.5145247,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0005540e0"}
{"level":"info","ts":1662022545.5149813,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1662022545.5149958,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"warn","ts":1662022545.5150056,"logger":"http","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv1","http_port":80}
{"level":"info","ts":1662022545.528168,"logger":"pki.ca.local","msg":"root certificate is already trusted by system","path":"storage:pki/authorities/local/root.crt"}
{"level":"debug","ts":1662022545.5283196,"logger":"http","msg":"starting server loop","address":"[::]:443","http3":false,"tls":true}
{"level":"debug","ts":1662022545.5283628,"logger":"http","msg":"starting server loop","address":"[::]:80","http3":false,"tls":false}
{"level":"info","ts":1662022545.5283701,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["glpi-test.exemple.fr"]}
{"level":"info","ts":1662022545.528363,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"info","ts":1662022545.5289001,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"warn","ts":1662022545.5289724,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [glpi-test.exemple.fr]: no OCSP server specified in certificate","identifiers":["glpi-test.exemple.fr"]}
{"level":"debug","ts":1662022545.5289843,"logger":"tls.cache","msg":"added certificate to cache","subjects":["glpi-test.exemple.fr"],"expiration":1662042220,"managed":true,"issuer_key":"local","hash":"cb24c530f3c0dbec5455ee3e72c001675a1f9df749f21eca8ce4527861412a93","cache_size":1,"cache_capacity":10000}
{"level":"info","ts":1662022545.5290875,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1662022545.5290964,"msg":"serving initial configuration"}
{"level":"info","ts":1662022880.5496376,"msg":"shutting down apps, then terminating","signal":"SIGTERM"}
{"level":"warn","ts":1662022880.5497053,"msg":"exiting; byeee!! 👋","signal":"SIGTERM"}
{"level":"info","ts":1662022880.5525012,"logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0xc0005540e0"}
{"level":"info","ts":1662022880.5538657,"logger":"admin","msg":"stopped previous server","address":"tcp/localhost:2019"}
{"level":"info","ts":1662022880.5539005,"msg":"shutdown complete","signal":"SIGTERM","exit_code":0}
{"level":"info","ts":1662022881.5112975,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"warn","ts":1662022881.512584,"msg":"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":14}
{"level":"info","ts":1662022881.513337,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1662022881.5135903,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00037e540"}
{"level":"info","ts":1662022881.5138211,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1662022881.513833,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"warn","ts":1662022881.513843,"logger":"http","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv1","http_port":80}
{"level":"info","ts":1662022881.5280483,"logger":"pki.ca.local","msg":"root certificate is already trusted by system","path":"storage:pki/authorities/local/root.crt"}
{"level":"info","ts":1662022881.528191,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"debug","ts":1662022881.528245,"logger":"http","msg":"starting server loop","address":"[::]:80","http3":false,"tls":false}
{"level":"debug","ts":1662022881.528304,"logger":"http","msg":"starting server loop","address":"[::]:443","http3":false,"tls":true}
{"level":"info","ts":1662022881.5283103,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["glpi-test.exemple.fr"]}
{"level":"warn","ts":1662022881.5286298,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [glpi-test.exemple.fr]: no OCSP server specified in certificate","identifiers":["glpi-test.exemple.fr"]}
{"level":"debug","ts":1662022881.5286417,"logger":"tls.cache","msg":"added certificate to cache","subjects":["glpi-test.exemple.fr"],"expiration":1662042220,"managed":true,"issuer_key":"local","hash":"cb24c530f3c0dbec5455ee3e72c001675a1f9df749f21eca8ce4527861412a93","cache_size":1,"cache_capacity":10000}
{"level":"info","ts":1662022881.5287273,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1662022881.528807,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1662022881.5288162,"msg":"serving initial configuration"}

5. What I already tried:

I tried to change the lifetime of the certificate, put an email address, and the path of the certificate with the “/data/caddy/pki/authorities/local/*” key and crt… But it doesn’t work. So, I tried a lot of things lol.

6. Links to relevant resources:

You’re using tls internal which means Caddy self-manages a CA and issues certs from that. Caddy’s internal CA won’t be trusted by browsers.

If you’re using a public domain, your server is publicly accessible, and you want to use a cert from Let’s Encrypt, just remove tls internal and restart Caddy.

I read this documentation, tls (Caddyfile directive) — Caddy Documentation, but I can’t understand everything.
The site is only accessible from the internal network.

So, I thought it was OK to use tls internal.

edit: Without internal tls it obviously doesn’t work…

{"level":"error","ts":1662033035.4155374,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"glpi-test.exemple.fr","issuer":"acme.zerossl.com-v2-DV90","error":"[glpi-test.exemple.fr] solving challenges: [glpi-test.exemple.fr] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/JZz4QMoqIFDL5KLtwOOvSQ) (ca=https://acme.zerossl.com/v2/DV90)"}
{"level":"error","ts":1662033035.4155738,"logger":"tls.obtain","msg":"will retry","error":"[glpi-test.exemple.fr] Obtain: [glpi-test.exemple.fr] solving challenges: [glpi-test.exemple.fr] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/JZz4QMoqIFDL5KLtwOOvSQ) (ca=https://acme.zerossl.com/v2/DV90)","attempt":8,"retrying_in":1800,"elapsed":6442.25581745,"max_duration":2592000}
{"level":"debug","ts":1662033355.4677472,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"glpi-test.exemple.fr"}
{"level":"debug","ts":1662033355.4678087,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.exemple.fr"}
{"level":"debug","ts":1662033355.4678226,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.fr"}
{"level":"debug","ts":1662033355.4678323,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*"}
{"level":"debug","ts":1662033355.467843,"logger":"tls.handshake","msg":"all external certificate managers yielded no certificates and no errors","sni":"glpi-test.exemple.fr"}
{"level":"debug","ts":1662033355.46786,"logger":"tls.handshake","msg":"no certificate matching TLS 

Everything is working fine with tls internal, but sometimes you need to install Caddy’s root cert into your various trust stores in order for it to be trusted. Caddy can try to do this automatically, but it requires root privileges (or a password prompt) and it doesn’t always work for all clients on every platform. For example, Firefox ships with its own trust store.

The 12 hour lifetime is an intentional security feature. Caddy automatically renews it, so don’t worry about that.

I see. I think Caddy isn’t adapted to our usage?
Our glpi application is available on the local network, so each user of the enterprise can access it. We deploy the certificate with GPO, so should we modify it each day? Can’t the lifetime be changed for internal tls?
And is the root cert the one in “/data/caddy/pki/authorities/local”?

Noooo. No, add the root certificate to the trust store (make sure to protect the private key), then the lifetime of the leaf certificate doesn’t matter. The root is good for 10 years.

It can, but there is almost never a good reason to.

Yep! Make sure it’s the public key (certificate file) not the private key.


Ok I think I’m understanding better, thanks.

Root.key in this path is the private key. Where can I find the public one?

edit: Anyway, thank you for all your help!! It seems like it’s working; we also tried to deploy it for one user. So, within its 12 hours it will be automatically regenerated and there will be no “invalid cert error” alert?

The public key is in the certificate. The reason for a certificate is to show a proof that a CA signed the public key, saying “yes, this public key is okay to use for securing connections for this domain, as long as you trust us, the CA”. You keep the private part private, and it’s separate from the certificate.
