Using externally generated certificates for one site through dockerized Caddy

1. I’m trying to figure out where/how to provide externally generated certificates to the Caddy container for a specific site

I see how to specify the .crt and .key file names in Caddyfile:

    <site_address> {
      tls <crt_file_name> <key_file_name>
      reverse_proxy <my_container_name>:443
    }

I also see that in the docker container, certificates are stored at /data/caddy/certificates/. I’ve attempted to copy my .crt and .key files there, but the container deletes them on start up. I’ve also attempted to use /data/caddy/certificates/local and the certs are deleted as well. Looking at the log it says they are being deleted because the key is empty. This folder is mounted in docker to the local filesystem on the host so I can readily copy files in and out as opposed to using a persistent volume. I should note that I’m unable to use Caddy generated certificates for this specific site.

SOOO I have a few questions I guess:

  1. What is the appropriate way of making some externally generated certificates available to the docker container? Am I using the right mechanism in Caddyfile for doing so?
  2. Is this not a good use case for Caddy?
  3. Is there additional setup I need to do rather than just copying the cert/key files? Am I just copying them into the wrong place, i.e., one that has special meaning and shouldn’t be used for this purpose?

3. Caddy version:

v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=

4. How I installed and ran Caddy:

    services:
      caddy:
        image: caddy:latest
        container_name: caddy
        restart: unless-stopped
        ports:
          - "80:80"
          - "443:443"
        volumes:
          - $PWD/caddy/Caddyfile:/etc/caddy/Caddyfile
          - $PWD/caddy/data:/data
          - $PWD/caddy/config:/config
          - $PWD/caddy:/srv


    http://identity.lab.fakeorg.test {
      respond "Why are you looking here?!"
    }

    http://keycloak.lab.fakeorg.test {
      reverse_proxy keycloak:80
    }

    https://keycloak.lab.fakeorg.test {
      tls /data/caddy/certificates/keycloak.lab.fakeorg.test/keycloak.lab.fakeorg.test.crt /data/caddy/certificates/keycloak.lab.fakeorg.te
      reverse_proxy keycloak:443
    }

    http://php-ldap-admin.lab.fakeorg.test {
      reverse_proxy phpldapadmin:80
    }

The domain in question is: identity.lab.fakeorg.test, certificate issued by a separate CA (which is self-signed, outside my area of authority/responsibility) but required by the in-house developed client that connects to this service.

a. System environment:

Ubuntu 20.02, Docker:

    Client: Docker Engine - Community
     Version:           23.0.3
     API version:       1.42
     Go version:        go1.19.7
     Git commit:        3e7cbfd
     Built:             Tue Apr  4 22:05:41 2023
     OS/Arch:           linux/amd64
     Context:           default

    Server: Docker Engine - Community
     Engine:
      Version:          23.0.3
      API version:      1.42 (minimum version 1.12)
      Go version:       go1.19.7
      Git commit:       59118bf
      Built:            Tue Apr  4 22:05:41 2023
      OS/Arch:          linux/amd64
      Experimental:     false
     containerd:
      Version:          1.6.20
      GitCommit:        2806fc1057397dbaeefbea0e4e17bddfbd388f38
     runc:
      Version:          1.1.5
      GitCommit:        v1.1.5-0-gf19387a
     docker-init:
      Version:          0.19.0
      GitCommit:        de40ad0

b. Command:

    docker compose up&

Yeah, /data is a managed storage location. Not the right place to put user-managed files. You can make a /certs bind-mount if you like.

Careful here, the site address is not a URL. It should just be a hostname and optionally a scheme; no path. Make sure to remove that trailing /.
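The two replies above make two separate points: user-managed certificates must not live under Caddy's managed `/data` tree (a dedicated bind-mount such as `/certs` is the right place), and a site address is a hostname, not a URL. The script below is an added example, not code from the thread or from the Caddy project; it reads the compose `volumes:` entries and a Caddyfile and flags `tls <cert> <key>` paths that sit under managed storage or outside any bind-mount, and site addresses that carry a path. The sample inputs are constructed: the `identity.crt`/`identity.key` file names, the `identity` upstream container and the `$PWD/caddy/certs:/certs:ro` mount are assumptions, not values from the original post.

```python
import re

# Caddy manages these trees inside the container and prunes files it does not
# recognise there, which is why certificates copied into /data disappear.
MANAGED_PREFIXES = ("/data/", "/config/")


def mount_targets(volumes):
    """Container-side paths from compose short-syntax entries 'host:container[:opts]'."""
    return [v.split(":")[1] for v in volumes if ":" in v]


def site_addresses(header):
    """Split a site-block header such as 'a.example, b.example {' into its addresses."""
    return [a.strip() for a in header.rstrip("{").split(",") if a.strip()]


def check(volumes, caddyfile):
    """Return a list of findings; an empty list means the config passed."""
    findings = []
    targets = mount_targets(volumes)
    for raw in caddyfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # A line ending in '{' opens a site block; a bare '{' is the global options block.
        if line.endswith("{") and line != "{":
            for addr in site_addresses(line):
                host = re.sub(r"^https?://", "", addr)
                if "/" in host:
                    findings.append(
                        f"site address {addr!r} contains a path; Caddy wants host[:port] only")
            continue
        tokens = line.split()
        # Only 'tls <cert_file> <key_file>' is of interest, not 'tls internal' or 'tls <email>'.
        if tokens[0] == "tls" and len(tokens) == 3 and all(t.startswith("/") for t in tokens[1:]):
            for path in tokens[1:]:
                if path.startswith(MANAGED_PREFIXES):
                    findings.append(f"{path}: under Caddy-managed storage, Caddy will delete it")
                elif not any(path.startswith(t.rstrip("/") + "/") for t in targets):
                    findings.append(f"{path}: not inside any bind mount ({', '.join(targets)})")
    return findings


# Constructed "before" sample mirroring the thread's setup: certificates dropped
# into /data and a site address written as a URL with a trailing slash.
BEFORE_VOLUMES = [
    "$PWD/caddy/Caddyfile:/etc/caddy/Caddyfile",
    "$PWD/caddy/data:/data",
    "$PWD/caddy/config:/config",
]
BEFORE_CADDYFILE = """
https://identity.lab.fakeorg.test/ {
  tls /data/caddy/certificates/identity.crt /data/caddy/certificates/identity.key
  reverse_proxy identity:443
}
"""

# Constructed "after" sample: a dedicated read-only /certs bind-mount for the
# externally issued pair, and a bare hostname as the site address.
AFTER_VOLUMES = BEFORE_VOLUMES + ["$PWD/caddy/certs:/certs:ro"]
AFTER_CADDYFILE = """
identity.lab.fakeorg.test {
  tls /certs/identity.crt /certs/identity.key
  reverse_proxy identity:443
}
"""

if __name__ == "__main__":
    for label, vols, cf in (("before", BEFORE_VOLUMES, BEFORE_CADDYFILE),
                            ("after", AFTER_VOLUMES, AFTER_CADDYFILE)):
        print(label + ":", check(vols, cf) or "ok")
```

Mounting the certificate directory read-only (`:ro`) keeps the container from modifying or pruning the externally issued pair, and keeping the private key on the host with owner-only permissions is the usual complement to that.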
