1. I’m trying to figure out where/how to provide externally generated certificates to the Caddy container for a specific site
I see how to specify the .crt and .key file names in Caddyfile:
https://abc.xyz/ {
    tls <crt_file_name> <key_file_name>
    reverse_proxy <my_container_name>:443
}
I also see that in the docker container, certificates are stored at /data/caddy/certificates/. I've attempted to copy my .crt and .key files there, but the container deletes them on start up. I've also attempted to use /data/caddy/certificates/local and the certs are deleted as well. Looking at the log it says they are being deleted because the key is empty. This folder is mounted in docker to the local filesystem on the host so I can readily copy files in and out as opposed to using a persistent volume. I should note that I'm unable to use Caddy generated certificates for this specific site.
SOOO I have a few questions I guess:
- What is the appropriate way of making some externally generated certificates available to the docker container? Am I using the right mechanism in Caddyfile for doing so?
- Is this not a good use case for Caddy?
- Is there additional setup I need to do rather than just copying the cert/key files? Am I just copying them into the wrong place, i.e., one that has special meaning and shouldn’t be used for this purpose?
3. Caddy version:
v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=
4. How I installed and ran Caddy:
services:
  caddy:
    image: caddy:latest
    container_name: caddy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - $PWD/caddy/Caddyfile:/etc/caddy/Caddyfile
      - $PWD/caddy/data:/data
      - $PWD/caddy/config:/config
      - $PWD/caddy:/srv
Caddyfile:
http://identity.lab.fakeorg.test {
    respond "Why are you looking here?!"
}
http://keycloak.lab.fakeorg.test {
    reverse_proxy keycloak:80
}
https://keycloak.lab.fakeorg.test {
    tls /data/caddy/certificates/keycloak.lab.fakeorg.test/keycloak.lab.fakeorg.test.crt /data/caddy/certificates/keycloak.lab.fakeorg.test/keycloak.lab.fakeorg.test.key
    reverse_proxy keycloak:443
}
http://php-ldap-admin.lab.fakeorg.test {
    reverse_proxy phpldapadmin:80
}
The domain in question is: identity.lab.fakeorg.test, certificate issued by a separate CA (which is self-signed, outside my area of authority/responsibility) but required by the in-house developed client that connects to this service.
a. System environment:
Ubuntu 20.02, Docker:
Client: Docker Engine - Community
 Version:           23.0.3
 API version:       1.42
 Go version:        go1.19.7
 Git commit:        3e7cbfd
 Built:             Tue Apr 4 22:05:41 2023
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          23.0.3
  API version:      1.42 (minimum version 1.12)
  Go version:       go1.19.7
  Git commit:       59118bf
  Built:            Tue Apr 4 22:05:41 2023
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.20
  GitCommit:        2806fc1057397dbaeefbea0e4e17bddfbd388f38
 runc:
  Version:          1.1.5
  GitCommit:        v1.1.5-0-gf19387a
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
b. Command:
docker compose up &
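The layout a practitioner would use for the question above, as an added example that is not part of the original post and not Caddy project code. It keeps the externally issued certificate and key out of /data (Caddy's own managed storage, which is where the files were being pruned), bind-mounts them read-only into the container, and points the `tls` directive at the mounted path. Everything named here is an assumption for the example: the ./caddy/certs host directory, the /etc/caddy/certs mount point, the site identity.lab.fakeorg.test, an upstream container called `identity`, and a throwaway self-signed CA that stands in for the real external CA. `check_layout` encodes the rules the example is meant to demonstrate.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): hand externally issued
# certificates to the Caddy container without putting them under /data.
# Assumptions: ./caddy/certs on the host, /etc/caddy/certs in the container,
# site identity.lab.fakeorg.test, upstream container "identity".
set -euo pipefail

WORKDIR="${WORKDIR:-$(mktemp -d)/caddy}"
SITE="identity.lab.fakeorg.test"
HOST_CERT_DIR="$WORKDIR/certs"      # host: the externally issued files go here
CTR_CERT_DIR="/etc/caddy/certs"     # container: read-only mount point, outside /data

# Stand-in for the external CA, constructed for this example only: a throwaway
# self-signed CA and a leaf it issues for $SITE. In the real setup skip this
# and copy the CA-issued .crt/.key into $HOST_CERT_DIR instead.
make_test_certs() {
  local d="$HOST_CERT_DIR"
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=External Test CA" \
    -days 30 -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$SITE" \
    -keyout "$d/$SITE.key" -out "$d/$SITE.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$SITE" >"$d/leaf.ext"
  openssl x509 -req -in "$d/$SITE.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -extfile "$d/leaf.ext" -out "$d/$SITE.crt" 2>/dev/null
  rm -f "$d/$SITE.csr" "$d/leaf.ext" "$d/ca.key"   # the CA key never lives next to the proxy
  chmod 600 "$d/$SITE.key"   # official image runs as root, so 600 is still readable inside
}

# The tls directive names the mounted files; Caddy will neither obtain nor
# renew this pair. The upstream presents a cert from the same private CA,
# so that CA is pinned for the backend hop instead of disabling verification.
write_caddyfile() {
  cat >"$WORKDIR/Caddyfile" <<EOF
https://$SITE {
    tls $CTR_CERT_DIR/$SITE.crt $CTR_CERT_DIR/$SITE.key
    reverse_proxy https://identity:443 {
        transport http {
            tls
            tls_trusted_ca_certs $CTR_CERT_DIR/ca.crt
        }
    }
}
EOF
}

# The cert directory is a separate, read-only mount; /data stays writable
# because Caddy still uses it for its own storage.
write_compose() {
  cat >"$WORKDIR/docker-compose.yml" <<EOF
services:
  caddy:
    image: caddy:2
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - ./certs:$CTR_CERT_DIR:ro      # external material, read-only, not under /data
      - ./data:/data                  # Caddy's managed storage, writable
      - ./config:/config
EOF
}

# Rules this layout must satisfy; returns 0 when they hold.
check_layout() {
  local cf="$WORKDIR/Caddyfile" dc="$WORKDIR/docker-compose.yml"
  [ -f "$cf" ] && [ -f "$dc" ] || return 1
  grep -Eq "^[[:space:]]*tls $CTR_CERT_DIR/$SITE\.crt $CTR_CERT_DIR/$SITE\.key" "$cf" || return 1
  ! grep -Eq "^[[:space:]]*tls /data/" "$cf" || return 1        # never point tls at managed storage
  grep -Eq ":$CTR_CERT_DIR:ro" "$dc" || return 1                 # cert mount is read-only
  grep -Eq ":/data([[:space:]]|$)" "$dc" || return 1             # managed storage still mounted
}

# Private key on the host must not be group/world readable.
check_key_perms() {
  local key="$HOST_CERT_DIR/$SITE.key"
  [ -f "$key" ] || return 2
  [ "$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")" = "600" ]
}

main() {
  mkdir -p "$HOST_CERT_DIR"
  if command -v openssl >/dev/null 2>&1; then make_test_certs
  else echo "openssl not found; copy the CA-issued files into $HOST_CERT_DIR" >&2; fi
  write_caddyfile
  write_compose
  check_layout && echo "layout ok in $WORKDIR; next: (cd $WORKDIR && docker compose up -d)"
}
main
```

Applied to the compose file in the post, this amounts to one extra volume line such as `$PWD/caddy/certs:/etc/caddy/certs:ro` and a `tls` directive that names /etc/caddy/certs/... rather than anything under /data/caddy/certificates. The `tls_trusted_ca_certs` line only matters when the backend itself terminates TLS with a certificate from that private CA; drop the transport block if the backend is reached over plain HTTP.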