Maybe this should be a new thread or a bug report, but I’m having trouble getting the local CA working. Maybe this just needs more documentation so I know what dependencies the local CA has?
Here’s my current Caddyfile for the test server running Arch Linux:
# global options block
{
	storage file_system {
		root /etc/caddy/storage
	}
	experimental_http3
	local_certs
}

# reusable snippets
(boilerplate) {
	encode gzip zstd
	file_server
}

# start site blocks

# public test page
brockovich.sunrisemovement.dev {
	root * /srv/sunrisemovement.dev/www/public/
	import boilerplate
	tls {{ admin_email }}
}

# local test page
www.sunrisemovement.dev {
	root * /srv/sunrisemovement.dev/www/public/
	import boilerplate
}

# redirect no-www to www
sunrisemovement.dev {
	redir https://www.sunrisemovement.dev
}
The public site using Let’s Encrypt is still functional. However, the local CA is not doing well. First, it complained I didn’t have certutil / nss installed:
Apr 10 16:40:45 brockovich systemd[1]: Reloading Caddy v2 web server.
Apr 10 16:40:45 brockovich caddy[142957]: {"level":"info","ts":1586551245.1005006,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Apr 10 16:40:45 brockovich caddy[139462]: {"level":"info","ts":1586551245.1050384,"logger":"admin.api","msg":"received request","method":"POST","uri":"/load","remote_addr":"127.0.0.1:44560","headers":{"Accept-Encoding":["gzip"],"Content-Length":["1167"],"Content-Type":["application/json"],"Origin":["localhost:2019"],"User-Agent":["Go-http-client/1.1"]}}
Apr 10 16:40:45 brockovich caddy[139462]: {"level":"info","ts":1586551245.1059146,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["localhost:2019"]}
Apr 10 16:40:45 brockovich caddy[139462]: {"level":"info","ts":1586551245.1086466,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
Apr 10 16:40:45 brockovich caddy[139462]: {"level":"info","ts":1586551245.1089435,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
Apr 10 16:40:45 brockovich caddy[139462]: 2020/04/10 16:40:45 [INFO][cache:0xc000788a50] Started certificate maintenance routine
Apr 10 16:40:45 brockovich caddy[139462]: {"level":"warn","ts":1586551245.3589947,"logger":"pki.ca.local","msg":"installing root certificate (you might be prompted for password)","path":"storage:pki/authorities/local/root.crt"}
Apr 10 16:40:45 brockovich caddy[139462]: 2020/04/10 16:40:45 define JAVA_HOME environment variable to use the Java trust
Apr 10 16:40:45 brockovich caddy[139462]: 2020/04/10 16:40:45 Warning: "certutil" is not available, install "certutil" with "apt install libnss3-tools" or "yum install nss-tools" and try again
Apr 10 16:40:45 brockovich caddy[139462]: {"level":"error","ts":1586551245.3625145,"logger":"pki.ca.local","msg":"failed to install root certificate","error":"failed to execute sudo: exit status 1","certificate_file":"storage:pki/authorities/local/root.crt"}
Apr 10 16:40:45 brockovich caddy[139462]: {"level":"info","ts":1586551245.3633766,"logger":"tls","msg":"cleaned up storage units"}
Apr 10 16:40:45 brockovich caddy[139462]: {"level":"info","ts":1586551245.3635137,"logger":"http","msg":"enabling experimental HTTP/3 listener","addr":":443"}
Apr 10 16:40:45 brockovich caddy[139462]: 2020/04/10 16:40:45 [DEBUG] udp/:443: Usage counter should not go above 2 or maybe 3, is now: 2
Apr 10 16:40:45 brockovich caddy[139462]: {"level":"info","ts":1586551245.363721,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["brockovich.sunrisemovement.dev","www.sunrisemovement.dev","sunrisemovement.dev"]}
Apr 10 16:40:45 brockovich caddy[139462]: 2020/04/10 16:40:45 [DEBUG] Fake-closing underlying packet conn
Apr 10 16:40:45 brockovich caddy[139462]: 2020/04/10 16:40:45 [INFO][cache:0xc000788410] Stopped certificate maintenance routine
Apr 10 16:40:45 brockovich caddy[139462]: {"level":"info","ts":1586551245.3648434,"msg":"autosaved config","file":"/srv/http/.config/caddy/autosave.json"}
Apr 10 16:40:45 brockovich caddy[139462]: {"level":"info","ts":1586551245.3649354,"logger":"admin.api","msg":"load complete"}
Apr 10 16:40:45 brockovich systemd[1]: Reloaded Caddy v2 web server.
So I “fixed” that by installing the nss Arch package. Unfortunately, Caddy is still unhappy, and I don’t fully understand the error messages:
Apr 10 18:42:55 brockovich systemd[1]: Stopped Caddy v2 web server.
Apr 10 18:42:55 brockovich systemd[1]: Started Caddy v2 web server.
Apr 10 18:42:55 brockovich caddy[144238]: {"level":"info","ts":1586558575.306561,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Apr 10 18:42:55 brockovich caddy[144238]: {"level":"info","ts":1586558575.3166182,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["localhost:2019"]}
Apr 10 18:42:55 brockovich caddy[144238]: 2020/04/10 18:42:55 [INFO][cache:0xc00069e9b0] Started certificate maintenance routine
Apr 10 18:42:55 brockovich caddy[144238]: {"level":"info","ts":1586558575.3389246,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
Apr 10 18:42:55 brockovich caddy[144238]: {"level":"info","ts":1586558575.3391316,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
Apr 10 18:42:55 brockovich caddy[144238]: {"level":"warn","ts":1586558575.5540116,"logger":"pki.ca.local","msg":"installing root certificate (you might be prompted for password)","path":"storage:pki/authorities/local/root.crt"}
Apr 10 18:42:55 brockovich caddy[144238]: 2020/04/10 18:42:55 define JAVA_HOME environment variable to use the Java trust
Apr 10 18:42:55 brockovich caddy[144238]: 2020/04/10 18:42:55 not NSS security databases found
Apr 10 18:42:55 brockovich caddy[144238]: {"level":"error","ts":1586558575.561442,"logger":"pki.ca.local","msg":"failed to install root certificate","error":"failed to execute sudo: exit status 1","certificate_file":"storage:pki/authorities/local/root.crt"}
Apr 10 18:42:55 brockovich caddy[144238]: {"level":"info","ts":1586558575.5627358,"logger":"tls","msg":"cleaned up storage units"}
Apr 10 18:42:55 brockovich caddy[144238]: {"level":"info","ts":1586558575.5630877,"logger":"http","msg":"enabling experimental HTTP/3 listener","addr":":443"}
Apr 10 18:42:55 brockovich caddy[144238]: {"level":"info","ts":1586558575.5633273,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["brockovich.sunrisemovement.dev","www.sunrisemovement.dev","sunrisemovement.dev"]}
Apr 10 18:42:55 brockovich caddy[144238]: 2020/04/10 18:42:55 [WARNING] Stapling OCSP: no OCSP stapling for [www.sunrisemovement.dev]: no OCSP server specified in certificate
Apr 10 18:42:55 brockovich caddy[144238]: 2020/04/10 18:42:55 [WARNING] Stapling OCSP: no OCSP stapling for [sunrisemovement.dev]: no OCSP server specified in certificate
Apr 10 18:42:55 brockovich caddy[144238]: {"level":"info","ts":1586558575.5698445,"msg":"autosaved config","file":"/srv/http/.config/caddy/autosave.json"}
Apr 10 18:42:55 brockovich caddy[144238]: {"level":"info","ts":1586558575.5700452,"msg":"serving initial configuration"}
Apr 10 18:43:36 brockovich caddy[144238]: 2020/04/10 18:43:36 http2: panic serving [2601:42:0:6200:d111:db58:1bc9:319]:58335: runtime error: invalid memory address or nil pointer dereference
Apr 10 18:43:36 brockovich caddy[144238]: goroutine 35 [running]:
Apr 10 18:43:36 brockovich caddy[144238]: net/http.(*http2serverConn).runHandler.func1(0xc00027a3c0, 0xc000395f8e, 0xc0002b1380)
Apr 10 18:43:36 brockovich caddy[144238]: net/http/h2_bundle.go:5713 +0x16b
Apr 10 18:43:36 brockovich caddy[144238]: panic(0x144d380, 0x2470800)
Apr 10 18:43:36 brockovich caddy[144238]: runtime/panic.go:969 +0x166
Apr 10 18:43:36 brockovich caddy[144238]: github.com/caddyserver/caddy/v2/modules/caddyhttp.(*Server).ServeHTTP(0xc00069aea0, 0x192e1e0, 0xc00027a3c0, 0xc0004d3c00)
Apr 10 18:43:36 brockovich caddy[144238]: github.com/caddyserver/caddy/v2@v2.0.0-rc.2/modules/caddyhttp/server.go:203 +0x932
Apr 10 18:43:36 brockovich caddy[144238]: net/http.serverHandler.ServeHTTP(0xc0009deb60, 0x192e1e0, 0xc00027a3c0, 0xc0004d2d00)
Apr 10 18:43:36 brockovich caddy[144238]: net/http/server.go:2807 +0xa3
Apr 10 18:43:36 brockovich caddy[144238]: net/http.initALPNRequest.ServeHTTP(0x19335a0, 0xc000903b30, 0xc000674e00, 0xc0009deb60, 0x192e1e0, 0xc00027a3c0, 0xc0004d2d00)
Apr 10 18:43:36 brockovich caddy[144238]: net/http/server.go:3381 +0x8d
Apr 10 18:43:36 brockovich caddy[144238]: net/http.(*http2serverConn).runHandler(0xc0002b1380, 0xc00027a3c0, 0xc0004d2d00, 0xc0007e27e0)
Apr 10 18:43:36 brockovich caddy[144238]: net/http/h2_bundle.go:5720 +0x8b
Apr 10 18:43:36 brockovich caddy[144238]: created by net/http.(*http2serverConn).processHeaders
Apr 10 18:43:36 brockovich caddy[144238]: net/http/h2_bundle.go:5454 +0x4e1
Apr 10 18:43:37 brockovich caddy[144238]: 2020/04/10 18:43:37 http2: panic serving [2601:42:0:6200:d111:db58:1bc9:319]:58336: runtime error: invalid memory address or nil pointer dereference
Apr 10 18:43:37 brockovich caddy[144238]: goroutine 49 [running]:
Apr 10 18:43:37 brockovich caddy[144238]: net/http.(*http2serverConn).runHandler.func1(0xc00027a570, 0xc000395f8e, 0xc000001800)
Apr 10 18:43:37 brockovich caddy[144238]: net/http/h2_bundle.go:5713 +0x16b
Apr 10 18:43:37 brockovich caddy[144238]: panic(0x144d380, 0x2470800)
Apr 10 18:43:37 brockovich caddy[144238]: runtime/panic.go:969 +0x166
Apr 10 18:43:37 brockovich caddy[144238]: github.com/caddyserver/caddy/v2/modules/caddyhttp.(*Server).ServeHTTP(0xc00069aea0, 0x192e1e0, 0xc00027a570, 0xc0000cd700)
Apr 10 18:43:37 brockovich caddy[144238]: github.com/caddyserver/caddy/v2@v2.0.0-rc.2/modules/caddyhttp/server.go:203 +0x932
Apr 10 18:43:37 brockovich caddy[144238]: net/http.serverHandler.ServeHTTP(0xc0009deb60, 0x192e1e0, 0xc00027a570, 0xc0000ccd00)
Apr 10 18:43:37 brockovich caddy[144238]: net/http/server.go:2807 +0xa3
Apr 10 18:43:37 brockovich caddy[144238]: net/http.initALPNRequest.ServeHTTP(0x19335a0, 0xc0002c1740, 0xc000675180, 0xc0009deb60, 0x192e1e0, 0xc00027a570, 0xc0000ccd00)
Apr 10 18:43:37 brockovich caddy[144238]: net/http/server.go:3381 +0x8d
Apr 10 18:43:37 brockovich caddy[144238]: net/http.(*http2serverConn).runHandler(0xc000001800, 0xc00027a570, 0xc0000ccd00, 0xc0007e3480)
Apr 10 18:43:37 brockovich caddy[144238]: net/http/h2_bundle.go:5720 +0x8b
Apr 10 18:43:37 brockovich caddy[144238]: created by net/http.(*http2serverConn).processHeaders
Apr 10 18:43:37 brockovich caddy[144238]: net/http/h2_bundle.go:5454 +0x4e1
The money quotes appear to be “define JAVA_HOME environment variable to use the Java trust” and “not NSS security databases found”, but I don’t know where to start with those. Any ideas?
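An added diagnostic script (not from the post above or from the Caddy project) that checks, for the user Caddy runs as, the three dependencies the log lines complain about: the local CA root file under the configured storage root, the `certutil` binary, and an NSS database to install the root into. It assumes the trust-store installer looks for NSS databases in `$HOME/.pki/nssdb` and Firefox profiles under `$HOME/.mozilla/firefox`; the autosave path `/srv/http/.config/caddy/autosave.json` in the log suggests the service user's home is `/srv/http`, which is where the check should be pointed.

```shell
#!/bin/sh
# Added example, not the original poster's or Caddy's code. Assumption: the root
# certificate lives at <storage root>/pki/authorities/local/root.crt and the NSS
# trust installer looks in $HOME/.pki/nssdb and $HOME/.mozilla/firefox/*.

# Print every NSS database directory (one holding cert8.db or cert9.db)
# reachable from the given home directory.
nss_db_dirs() {
    home="$1"
    for d in "$home/.pki/nssdb" "$home"/.mozilla/firefox/*; do
        if [ -f "$d/cert9.db" ] || [ -f "$d/cert8.db" ]; then
            echo "$d"
        fi
    done
}

# Path of the local CA root for the Caddyfile's "storage file_system root".
caddy_local_root() {
    echo "$1/pki/authorities/local/root.crt"
}

# Report each dependency; the exit status is the number of hard problems
# (missing root file, no NSS database). certutil and JAVA_HOME are reported only.
check_local_ca_deps() {
    storage_root="$1"
    home="$2"
    problems=0
    root="$(caddy_local_root "$storage_root")"
    if [ -f "$root" ]; then
        echo "ok: local CA root present at $root"
    else
        echo "missing: $root (local CA not generated yet, or storage root differs)"
        problems=$((problems + 1))
    fi
    if command -v certutil >/dev/null 2>&1; then
        echo "ok: certutil found at $(command -v certutil)"
    else
        echo "note: certutil not found (Arch: nss, Debian: libnss3-tools)"
    fi
    dbs="$(nss_db_dirs "$home")"
    if [ -n "$dbs" ]; then
        echo "ok: NSS databases under $home:"; echo "$dbs"
    else
        echo "missing: no NSS database under $home (service user has no browser profile)"
        problems=$((problems + 1))
    fi
    [ -n "${JAVA_HOME:-}" ] && echo "ok: JAVA_HOME=$JAVA_HOME" || echo "note: JAVA_HOME unset, Java trust skipped"
    return "$problems"
}
# Usage: check_local_ca_deps /etc/caddy/storage "$(getent passwd http | cut -d: -f6)"
```

A zero exit status means the root exists and there is somewhere for the NSS install step to put it; otherwise the output names which of the two is absent for that user.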