V2: Comprehensive Guide to using Self-Signed Certs?

1. My Caddy version (caddy -version):

v2.0.0-beta12

2. How I run Caddy:

Installed as service according to tutorial with config file served as v2 json from /etc/caddy. Generated custom certificate using

sudo -u caddy openssl req -newkey rsa:2048 -nodes -keyout /var/lib/caddy/.local/share/caddy/key.pem -x509 -days 365 -out /var/lib/caddy/.local/share/caddy/certificate.pem

I tried providing public ip and “” as FQDN.

a. System environment:

Ubuntu 19.10 eoan (Budgie)

b. Command:

N/A (Service)

c. Service/unit/compose file:

[Unit]
Description=Caddy Web Server
Documentation=https://caddyserver.com/docs/
After=network.target

[Service]
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --config /etc/caddy/caddy.json --resume --environ
ExecReload=/usr/bin/caddy reload --config /etc/caddy/caddy.json
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddyfile:

{
  "apps": {
    "http": {
      "servers": {
        "mediabox": {
          "listen": [":443"],
          "routes": [
            {
              "handle": [{
                "handler": "file_server",
                "root": "/var/www"
              }]
            }
          ],
          "tls_connection_policies": [
            {
              "match": {
                "sni": [""]
              },
              "certificate_selection": {
                "policy": "custom",
                "tag": "selfsigned"
              }
            }
          ]
        }
      }
    },
    "tls": {
      "certificates": {
        "load_files": [
          {
            "certificate": "/var/lib/caddy/.local/share/caddy/certificate.pem",
            "key": "/var/lib/caddy/.local/share/caddy/key.pem",
            "format": "pem",
            "tags": ["selfsigned"]
          }
        ]
      }
    }
  }
}

3. The problem I’m having:

I’d like to run a caddy server so that the connection to it is encrypted. It’s temporary for testing and I’d like to use a self-signed cert instead of ACME. It should be accessible via its local IP as well as the public IP with forwarded port 443. I don’t know how to configure caddy such that it will use the loaded cert for the SNI ‘’, according to the error

http: TLS handshake error from xxx:57774: no certificate available for ''

4. Error messages and/or full log output:

http: TLS handshake error from xxxx:57774: no certificate available for ''

5. What I already tried:

Various permutations of the config file. The pasted one is the most “complete”.
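An added example, not from the original post or the Caddy project: clients that connect by IP address send no SNI (hence the '' in the error) and, in current browsers, validate the certificate against its subjectAltName rather than the CN, so the self-signed pair should carry both addresses as IP SANs. The script below generates such a pair with openssl (1.1.1 or newer for -addext) and checks the result; the two IPs, the CN and the output directory are placeholders.

```shell
#!/bin/sh
# Added example: self-signed key/cert for a Caddy server reached by IP.
# The addresses are constructed placeholders (RFC 5737 ranges); override them
# with LOCAL_IP / PUBLIC_IP. Requires openssl >= 1.1.1 for "req -addext".
set -eu

LOCAL_IP="${LOCAL_IP:-192.0.2.10}"        # placeholder: LAN address of the box
PUBLIC_IP="${PUBLIC_IP:-198.51.100.20}"   # placeholder: public address behind the port-forward
OUT_DIR="${OUT_DIR:-$(mktemp -d)}"        # where key.pem / certificate.pem are written

# gen_cert DIR: write key.pem and certificate.pem with an IP SAN for each address.
# Unlike a bare "req -x509" with only a CN, the SAN is what browsers actually match.
gen_cert() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/key.pem" -out "$dir/certificate.pem" \
        -subj "/CN=caddy-selfsigned" \
        -addext "subjectAltName=IP:${LOCAL_IP},IP:${PUBLIC_IP}" 2>/dev/null
}

# has_ip_san CERT IP: succeed only if CERT's SAN extension lists exactly IP
# (a trailing comma is appended so 192.0.2.1 does not match 192.0.2.10).
has_ip_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | sed 's/$/,/' | grep -q "IP Address:$2,"
}

# key_matches CERT KEY: succeed if the private key belongs to CERT, which catches a
# stale key.pem left behind by an earlier openssl run in the same directory.
key_matches() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# Run with "generate" to write the pair and confirm it before pointing
# Caddy's tls.certificates.load_files at the two files.
if [ "${1:-}" = "generate" ]; then
    gen_cert "$OUT_DIR"
    has_ip_san "$OUT_DIR/certificate.pem" "$LOCAL_IP" \
        && has_ip_san "$OUT_DIR/certificate.pem" "$PUBLIC_IP" \
        && key_matches "$OUT_DIR/certificate.pem" "$OUT_DIR/key.pem" \
        && echo "wrote $OUT_DIR/key.pem and $OUT_DIR/certificate.pem"
fi
```

The cert is still self-signed, so the browser warning remains until the certificate.pem is imported as trusted on the client; the SAN only makes the IP match possible.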

Welcome @Xaser, thanks for using Caddy 2 while it’s still in beta!

That config looks good to me, let me see if I can get a chance to debug this more this weekend.

FWIW, we have a better solution in the works. @sarge has started a PR for this, I believe, where Caddy will be able to manage local/internal certs just as easily and automatically as it does public ones already. But it’ll be a while before that is ready.
