V2: Local root cert is not automatically trusted by macOS

1. My Caddy version (caddy version):

v2.0.0-beta.20 h1:oUNG1uh0UV8LWLlAVDZolFzk112++V/pxY+fF0HLmlY=

2. How I run Caddy:

a. System environment:

macOS Catalina 10.15.4

b. Command:

caddy run --config /usr/local/etc/Caddyfile

d. My complete Caddyfile config:

localhost

respond "Hello, world"

3. The problem I’m having:

I’d expect Caddy to ask me for the password to add the root cert to macOS’ keychain. However Caddy doesn’t do that.

Caddy throws an error “not NSS security databases found” (see below), but I only care about the macOS keychain. Is this supposed to work yet?

4. Error messages and/or full log output:

2020/03/31 10:04:45.126	INFO	using provided configuration	{"config_file": "/usr/local/etc/Caddyfile", "config_adapter": ""}
2020/03/31 10:04:45.127	INFO	admin	admin endpoint started	{"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
2020/03/31 10:04:45.128	INFO	http	server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS	{"server_name": "srv0", "https_port": 443}
2020/03/31 10:04:45.128	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
2020/03/31 12:04:45 [INFO][cache:0xc0005a5900] Started certificate maintenance routine
2020/03/31 10:04:45.139	INFO	tls	setting internal issuer for automation policy that has only internal subjects but no issuer configured	{"subjects": ["localhost"]}
2020/03/31 10:04:45.141	INFO	tls	cleaned up storage units
2020/03/31 10:04:45.342	WARN	pki.ca.local	trusting root certificate (you might be prompted for password)	{"path": "storage:pki/authorities/local/root.crt"}
2020/03/31 12:04:45 define JAVA_HOME environment variable to use the Java trust
2020/03/31 10:04:45.343	ERROR	pki	failed to install root certificate	{"error": "not NSS security databases found", "certificate_file": "storage:pki/authorities/local/root.crt"}
2020/03/31 10:04:45.343	INFO	http	enabling automatic TLS certificate management	{"domains": ["localhost"]}
2020/03/31 12:04:45 [WARNING] Stapling OCSP: no OCSP stapling for [localhost]: no OCSP server specified in certificate
2020/03/31 10:04:45.344	INFO	autosaved config	{"file": "/Users/lux/Library/Application Support/Caddy/autosave.json"}
2020/03/31 10:04:45.344	INFO	serving initial configuration
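What "trusting the root certificate" in the log above actually buys a client is easy to see in code. The following Go program is an added example, not Caddy's or smallstep/truststore's code and not from this thread: it constructs an in-memory stand-in for Caddy's local root and a "localhost" certificate issued from it, then verifies that leaf once against an empty trust pool (the state macOS is left in when the root never gets installed) and once against a pool that holds the root. The certificate names and validity periods are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// LocalPKI is a constructed stand-in for the root.crt Caddy's internal issuer
// writes to storage and the "localhost" certificate it issues from that root.
type LocalPKI struct {
	RootPEM []byte
	LeafPEM []byte
}

// NewLocalPKI builds a self-signed root CA and a leaf for "localhost" in memory.
func NewLocalPKI() (*LocalPKI, error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Local Authority (constructed example)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	rootCert, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, rootCert, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	toPEM := func(der []byte) []byte {
		return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	}
	return &LocalPKI{RootPEM: toPEM(rootDER), LeafPEM: toPEM(leafDER)}, nil
}

// TrustRoot returns a trust pool containing rootPEM: the state a client is in
// once the root has actually been installed in its trust store.
func TrustRoot(rootPEM []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(rootPEM) {
		return nil, errors.New("no parseable certificate in root PEM")
	}
	return pool, nil
}

// VerifyLeaf validates leafPEM for the name "localhost" against roots, which
// is what a browser or curl does before it accepts the TLS connection.
func VerifyLeaf(leafPEM []byte, roots *x509.CertPool) error {
	block, _ := pem.Decode(leafPEM)
	if block == nil {
		return errors.New("no PEM certificate found")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "localhost"})
	return err
}

// IsUnknownAuthority reports whether err is the failure a client raises when
// the issuing root is missing from its trust store, i.e. the symptom in this thread.
func IsUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

func main() {
	pki, err := NewLocalPKI()
	if err != nil {
		panic(err)
	}
	// Empty pool: the root was never installed, so the leaf is rejected.
	fmt.Println("root not installed:", VerifyLeaf(pki.LeafPEM, x509.NewCertPool()))
	pool, err := TrustRoot(pki.RootPEM)
	if err != nil {
		panic(err)
	}
	// Pool with the root: the same leaf now verifies (error is nil).
	fmt.Println("root installed:", VerifyLeaf(pki.LeafPEM, pool))
}
```

The empty pool is used deliberately instead of `nil` (which would mean "use the system roots") so the result is the same on every machine; on a Mac where Caddy's prompt never appeared, passing `nil` would produce the same unknown-authority error for the real root.crt under Caddy's storage directory.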

Ah, this is actually a bug in Caddy that is caused by Firefox not being installed. I have created an issue on GitHub.


Should be fixed now: Continue even if a trust store is not found · Issue #3 · smallstep/truststore · GitHub – will update Caddy’s go.mod file in a little bit to use that.
