tcurdt (Torsten Curdt) December 2, 2023, 5:32pm
1. The problem I’m having:
I am trying to run caddy with `tls internal` on nixOS. Instead of just getting an “untrusted cert” problem I get an internal error.
```
curl -k https://localhost -i -H "Host: example.org"
curl: (35) OpenSSL/3.0.12: error:0A000438:SSL routines::tlsv1 alert internal error
```
Given it’s a systemd service on nixOS - I am not quite sure how to run `caddy trust` exactly.
Also I don’t understand why it would be required if I am OK for testing with self-signed certs.
2. Error messages and/or full log output:
```
Dec 02 16:23:17 nixos systemd[1]: Starting Caddy...
Dec 02 16:23:17 nixos caddy[898]: {"level":"info","ts":1701534197.8684616,"msg":"using provided configuration","confi>
Dec 02 16:23:17 nixos caddy[898]: {"level":"info","ts":1701534197.886671,"msg":"warning: \"certutil\" is not availabl>
Dec 02 16:23:17 nixos caddy[898]: {"level":"info","ts":1701534197.8866982,"msg":"define JAVA_HOME environment variabl>
Dec 02 16:23:17 nixos caddy[898]: {"level":"error","ts":1701534197.8867226,"logger":"pki.ca.local","msg":"failed to i>
```
3. Caddy version:
```
caddy version
2.6.4
```
4. How I installed and ran Caddy:
GitHub issue (opened 11:22PM - 26 Nov 23 UTC, label: 0.kind: bug):
### Describe the bug
### Steps To Reproduce
Steps to reproduce the behavior:
1.
```
{ config, pkgs, ... }:
{
services.caddy = {
enable = true;
virtualHosts."example.org" = {
extraConfig = ''
respond "Hello, world!"
tls internal
'';
};
};
}
```
2.
```
curl -k -i -H "Host: example.org" https://localhost
curl: (35) OpenSSL/3.0.12: error:0A000438:SSL routines::tlsv1 alert internal error
```
### Expected behavior
The command `curl -k -i -H "Host: example.org" https://localhost` should return "Hello, world!".
### Screenshots
```
journalctl -u caddy
Nov 26 23:49:42 debian12arm systemd[1]: /nix/store/g5pvwdqa0ccyck8w8gvx60kzgr51zxc1-system-units/caddy.service.d/overrides.conf:22: Unknown key name 'RestartSecs' in section 'Service', ignoring.
Nov 26 23:49:43 debian12arm systemd[1]: Starting Caddy...
Nov 26 23:49:43 debian12arm caddy[18756]: {"level":"info","ts":1701038983.2202404,"msg":"using provided configuration","config_file":"/etc/caddy/caddy_config","config_adapter":"caddyfile"}
Nov 26 23:49:43 debian12arm caddy[18756]: {"level":"info","ts":1701038983.2356768,"msg":"warning: \"certutil\" is not available, install \"certutil\" with \"apt install libnss3-tools\" or \"yum install nss-tools\">
Nov 26 23:49:43 debian12arm caddy[18756]: {"level":"info","ts":1701038983.2357092,"msg":"define JAVA_HOME environment variable to use the Java trust"}
Nov 26 23:49:43 debian12arm caddy[18756]: {"level":"error","ts":1701038983.2357378,"logger":"pki.ca.local","msg":"failed to install root certificate","error":"install is not supported on this system","certificate_>
Nov 26 23:49:43 debian12arm systemd[1]: Started Caddy.
```
### Notify maintainers
cc @fpletz @flokli @andir @Mic92 ?
### Metadata
```console
nix-shell -p nix-info --run "nix-info -m"
- system: `"aarch64-linux"`
- host os: `Linux 6.1.63, NixOS, 24.05 (Uakari), 24.05.20231124.5a09cb4`
- multi-user?: `yes`
- sandbox: `yes`
- version: `nix-env (Nix) 2.19.1`
- channels(root): `"nixos-23.05"`
- nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`
```
a. System environment: see the `nix-info -m` output in the issue above.
b. Command:
This is what systemd seems to be running (from `ps`):
```
/nix/store/abhnrp893q8nwgzb8lhrv5gladdinn0m-caddy-2.7.5/bin/caddy run --config /etc/caddy/caddy_config --adapter caddyfile
```
c. Service/unit/compose file:
```
$ systemctl show -p FragmentPath caddy
FragmentPath=/etc/systemd/system/caddy.service
$ cat /etc/systemd/system/caddy.service
[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target
[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/nix/store/abhnrp893q8nwgzb8lhrv5gladdinn0m-caddy-2.7.5/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/nix/store/abhnrp893q8nwgzb8lhrv5gladdinn0m-caddy-2.7.5/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
```
d. My complete Caddy config:
```
{
	log {
		level ERROR
	}
}
example.org {
	log {
		output file /var/log/caddy/access-example.org.log
	}
	respond "OK"
	tls internal
}
```
5. Links to relevant resources:
The problem is you’re making a request which has `localhost` in TLS SNI, so Caddy is trying to find a certificate for `localhost` and doesn’t find one.
You should use the `--resolve` option to fix this:
```
curl -k --resolve example.org:443:127.0.0.1 https://example.org
```
tcurdt (Torsten Curdt) December 2, 2023, 8:26pm
Aaaargh! Sneaky - and now it makes sense.
@francislavoie to the rescue once again. Thanks!
One thing I still cannot figure out from the docs:
Why would the internal root CA need to be registered to be trusted - or, as it seems, not at all after all? Isn’t this all about who the client trusts?
I found that part a little confusing when reading through the docs.
Yes, and adding the CA’s root cert to your system’s trust store is how you get clients on your local machine to trust the server. Clients read from the system’s trust store.
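Both replies above describe behaviour that can be reproduced locally: a TLS server selects its certificate by the SNI carried in the ClientHello (so `localhost` in SNI gets the internal-error alert no matter what the `Host` header says), and a client only accepts the internal CA's certificate once that CA's root is in the trust store it reads. The Go program below is an added example written for this page; it is not Caddy's code and not from anyone in the thread. It builds a constructed root CA and an `example.org` certificate in memory (standing in for Caddy's internal "local" authority), serves them from a loopback listener whose certificate lookup fails for unknown names, and runs four client handshakes mirroring the curl invocations discussed. The function names `newCert`, `setup` and `handshake`, the CA name and the 5-second deadline are the example's own choices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCert generates a P-256 key and a certificate from tmpl signed by parent
// (self-signed when parent is nil). Constructed test material only.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// setup builds a root CA and a CA-issued certificate for site. It returns a
// server config that picks the certificate by the ClientHello's SNI and, like
// Caddy, fails the handshake for any other name, plus a trust store holding
// only the CA root (the client-side effect of installing that root).
func setup(site string) (*tls.Config, *x509.CertPool, error) {
	now, validity := time.Now(), 24*time.Hour
	caCert, caKey, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Local Authority"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(validity),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leaf, leafKey, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: site}, DNSNames: []string{site},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(validity),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, caCert, caKey)
	if err != nil {
		return nil, nil, err
	}
	certs := map[string]*tls.Certificate{site: &tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}}
	srv := &tls.Config{GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
		if c, ok := certs[h.ServerName]; ok {
			return c, nil
		}
		// No certificate for this SNI: Go answers with an internal_error alert.
		return nil, fmt.Errorf("no certificate for SNI %q", h.ServerName)
	}}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return srv, roots, nil
}

// handshake dials a loopback listener running srv with sni in the ClientHello
// and returns the client-side error (nil on success). A nil roots skips chain
// verification, as curl -k does; the SNI is still sent and must still match.
func handshake(srv *tls.Config, sni string, roots *x509.CertPool) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if conn, err := ln.Accept(); err == nil {
			defer conn.Close()
			_ = tls.Server(conn, srv).Handshake() // a failure here reaches the client as a TLS alert
		}
	}()
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	return tls.Client(conn, &tls.Config{ServerName: sni, InsecureSkipVerify: roots == nil, RootCAs: roots}).Handshake()
}

func main() {
	srv, roots, err := setup("example.org")
	if err != nil {
		panic(err)
	}
	fmt.Println("SNI localhost,   verification skipped:", handshake(srv, "localhost", nil))
	fmt.Println("SNI example.org, verification skipped:", handshake(srv, "example.org", nil))
	fmt.Println("SNI example.org, empty trust store:   ", handshake(srv, "example.org", x509.NewCertPool()))
	fmt.Println("SNI example.org, CA root trusted:     ", handshake(srv, "example.org", roots))
}
```

Run it with `go run`. The `localhost` handshake fails with `remote error: tls: internal error`, the same alert curl printed in the original post, and it fails even though verification is skipped, which is why `-k` did not help and `--resolve` (which puts `example.org` into SNI) does. With `example.org` in SNI the handshake succeeds when verification is skipped; with verification on and an empty trust store it fails with an unknown-authority error, and it succeeds again once the CA root is in the pool, which is the client-side effect of adding the internal CA's root to the system trust store.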
system (system) Closed January 1, 2024, 9:46pm
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.