Use certificate on one server when accessing local site from second server

1. Caddy version (caddy version):

v2.5.1 h1:bAWwslD1jNeCzDa+jDCNwb8M3UJ2tPa8UZFFzPVmGKs=

2. How I run Caddy:

I run Caddy through a Windows service with WinSW.

a. System environment:

OS: Windows Server 2019 Datacenter

b. Command:

I'm not using commands to run Caddy, just the service.

c. Service/unit/compose file:

n/a

d. My complete Caddyfile or JSON config:

example.com {
	handle_path /api* {
		reverse_proxy localhost:3001
	}

	handle {
		root * C:\Web\Webs\ExternalWeb
		encode gzip
		file_server
	}
}

example.domain.local {
	tls internal
	handle_path /api* {
		reverse_proxy localhost:3001
	}

	handle {
		root * C:\Web\Webs\ExternalWeb
		encode gzip
		file_server
	}
}

localhost {
	tls internal
	handle_path /api* {
		reverse_proxy localhost:3001
	}

	handle {
		root * C:\Web\Webs\ExternalWeb
		file_server
	}
}

3. The problem I’m having:

I asked a related question here yesterday: Getting HTTPS working on localhost in Windows

Now I am trying to connect to example.domain.local from a different machine and am once again getting the Warning: Potential Security Risk Ahead warning.

Now I’m pretty sure this paragraph from francislavoie’s answer is what I need to do:

If you’re trying to connect from a different machine, then you’ll need to do the cert installation on those machines as well. You can either do it manually, or you can run caddy trust on those machines, using the --address flag to point to the admin endpoint of your Caddy instance – note that the admin endpoint only listens on localhost:2019 by default, so you’d need to change that to :2019 to allow other machines on your network to access it – keep in mind this is risky though because then anyone on the network can change Caddy’s config or shut it down etc.

But I have questions and figured it was a different enough problem that it required starting a new topic. So first, I need to install the cert manually or run caddy trust on that second machine. I figured out how to install an SSL certificate manually from that other link: https://technixleo.com/create-locally-trusted-ssl-certificates-with-mkcert-on-windows/ But I’m not sure if that is what I need to do. Secondly, Caddy is not installed on the second machine, so how do I run caddy trust? I wouldn’t think I would need to install Caddy on the second machine just to access a website, would I? I’ll probably have more questions about the other sentences too, but this should get me started.

4. Error messages and/or full log output:

5. What I already tried:

I did try enabling “security.enterprise_roots.enabled” in Firefox on the second machine. But I know why that didn’t work: there is no certificate on that machine for Firefox to find. Somehow I have to tell it to use the cert on the original machine.

6. Links to relevant resources:

You wouldn’t use the mkcert part of that, no. But the steps to install the cert are probably valid.

You need to copy the root cert from Caddy’s storage (from the machine running Caddy as a server) to the second machine, and install that root cert in that machine’s trust store.

Caddy is just a static binary, just an .exe. You can download it to that machine to run caddy.exe trust. You wouldn’t actually run Caddy as a server there, just using Caddy as a CLI tool to perform the cert installation.

But like I said in the other post, you’d need to make sure your actual Caddy server has its admin endpoint configured such that it’s accessible from the other machine. Make sure the admin endpoint is not publicly accessible and that no untrusted users have access to it. Then you can run caddy.exe trust --address 192.168.x.x:2019 (whatever the IP of your Caddy server’s machine is) to have it fetch the root cert from your Caddy server, then install it on the current machine.

It sounds like manually installing it with those steps is more appropriate for you though, than using caddy trust in this case.
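As an added example (not code from this thread or from the Caddy project), the manual route described in the answer above, carried out in PowerShell: export the root certificate from Caddy's storage on the server, inspect it, import it into the second machine's machine-wide Trusted Root store, and verify that a TLS connection to the local site now succeeds. The IP addresses (192.168.1.10 for the Caddy server, 192.168.1.20 for the second machine), the C:\Temp staging path, the certificate subject prefix, and the data-directory location under %AppData%\Caddy for the account that runs the service are assumptions; adjust them to your setup.

```powershell
# Added example, not from the original thread. Assumptions:
#   - Caddy runs as a Windows service on 192.168.1.10 with its default data
#     directory, so the internal CA root certificate lives at
#     %AppData%\Caddy\pki\authorities\local\root.crt for the service account.
#   - The second machine is 192.168.1.20, has an elevated PowerShell 5.1+ shell,
#     and will never run Caddy as a server.
# Step 1 runs on the Caddy server; steps 2 and 3 run on the second machine.

# --- Step 1 (Caddy server): locate and copy the internal CA root certificate ---
# Run this as the same account the service uses, or substitute that account's
# AppData path, because %AppData% is per-user.
$caddyData = Join-Path $env:AppData 'Caddy'
$rootCrt   = Join-Path $caddyData 'pki\authorities\local\root.crt'
if (-not (Test-Path $rootCrt)) {
    throw "Caddy root certificate not found at $rootCrt; check the service account's data directory"
}
# Copy only the public certificate (root.crt). The private key (root.key) in the
# same folder must stay on the server; the trust store needs only the certificate.
Copy-Item -Path $rootCrt -Destination '\\192.168.1.20\C$\Temp\caddy-local-root.crt'

# --- Step 2 (second machine): inspect, then install into Trusted Root CAs ---
$certPath = 'C:\Temp\caddy-local-root.crt'
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
$cert | Format-List Subject, Issuer, NotAfter, Thumbprint
# Sanity checks before trusting anything machine-wide: a root CA is self-signed,
# and Caddy's internal CA names itself "Caddy Local Authority ..." (assumed prefix).
if ($cert.Subject -ne $cert.Issuer) {
    throw 'Certificate is not self-signed; this is not a root CA, refusing to install'
}
if ($cert.Subject -notlike '*Caddy Local Authority*') {
    Write-Warning "Subject '$($cert.Subject)' does not look like Caddy's internal CA; verify the source"
}
Import-Certificate -FilePath $certPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
# Confirm it landed in the machine-wide store (this is what Firefox consults when
# security.enterprise_roots.enabled is true; otherwise import it in Firefox too).
$installed = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $cert.Thumbprint
if (-not $installed) { throw 'Root certificate was not found in LocalMachine\Root after import' }
Write-Host "Installed root CA: $($installed.Subject)"

# --- Step 3 (second machine): verify the site is now trusted ---
# example.domain.local must resolve to 192.168.1.10 from this machine (DNS or
# the hosts file). A remaining trust error here surfaces as a TLS exception.
$response = Invoke-WebRequest -Uri 'https://example.domain.local/' -UseBasicParsing
Write-Host "HTTPS check returned status $($response.StatusCode)"

# --- Optional (Caddy server): only if you use caddy.exe trust --address instead ---
# If the admin endpoint is opened beyond localhost, scope TCP/2019 at the host
# firewall to the single client that needs it rather than the whole network.
# New-NetFirewallRule -DisplayName 'Caddy admin (trusted client only)' -Direction Inbound `
#     -Protocol TCP -LocalPort 2019 -RemoteAddress 192.168.1.20 -Action Allow
```

Importing into Cert:\LocalMachine\Root is a machine-wide trust decision, so the self-signed and subject checks in step 2 are there to make sure the file you are about to trust really is the root you copied and not something that replaced it in transit. If you prefer the caddy.exe trust route, combine the firewall rule above with the admin global option in the Caddyfile so the endpoint listens only on the server's LAN address, and close it again once the cert is installed.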

