V2: tls internal - NSS support on Windows

When starting Caddy v2 beta 18 with tls internal, I get a note in the logs that NSS support is missing. And I see that Firefox gives me a warning when visiting my site. So how can I make it work for Windows?


}, [2001:470:1f0b:1de:9dab:7d:6c69:cc86]:80 {
	redir https://dev.hnrk.io{uri} 301
}
dev.hnrk.io {
	root * C:\caddy\www
	tls internal
	encode brotli zstd gzip
	header * {
		X-XSS-Protection "1; mode=block"
		X-Content-Type-Options "nosniff"
		X-Frame-Options "SAMEORIGIN"
	}
}


{"level":"info","ts":1584894928.7211328,"msg":"using provided configuration","config_file":"C:\\caddy\\Caddyfile","config_adapter":"caddyfile"}
{"level":"info","ts":1584894928.725039,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["localhost:2019"]}
2020/03/22 17:35:28 [INFO][cache:0xc0004e70e0] Started certificate maintenance routine
{"level":"info","ts":1584894928.7582421,"logger":"http","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv0","http_port":80}
{"level":"info","ts":1584894928.7592187,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv1"}
{"level":"warn","ts":1584894928.7601953,"logger":"http","msg":"user server is listening on same interface as automatic HTTP->HTTPS redirects; user-configured routes might override these redirects","server_name":"srv0","interface":"tcp/:80"}
{"level":"warn","ts":1584894928.771914,"logger":"pki.ca.local","msg":"trusting root certificate (you might be prompted for password)","path":"storage:pki/authorities/local/root.crt"}
2020/03/22 17:35:28 Note: NSS support is not available on your platform
2020/03/22 17:35:28 define JAVA_HOME environment variable to use the Java trust
2020/03/22 17:35:33 certificate installed properly in windows trusts
{"level":"info","ts":1584894933.1166406,"logger":"tls","msg":"cleaned up storage units"}
{"level":"info","ts":1584894933.1176171,"logger":"http","msg":"enabling experimental HTTP/3 listener","addr":":443"}
{"level":"info","ts":1584894933.1176171,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["dev.hnrk.io"]}
{"level":"info","ts":1584894933.1234765,"msg":"autosaved config","file":"C:\\Users\\hnrk\\AppData\\Roaming\\Caddy\\autosave.json"}
{"level":"info","ts":1584894933.124453,"msg":"serving initial configuration"}
2020/03/22 17:35:33 [INFO][dev.hnrk.io] Obtain certificate; acquiring lock...
2020/03/22 17:35:33 [INFO][dev.hnrk.io] Obtain: Lock acquired; proceeding...
2020/03/22 17:35:33 [INFO][dev.hnrk.io] Certificate obtained successfully
2020/03/22 17:35:33 [INFO][dev.hnrk.io] Obtain: Releasing lock
2020/03/22 17:35:33 [WARNING] Stapling OCSP: no OCSP stapling for [dev.hnrk.io]: no OCSP server specified in certificate
2020/03/22 17:35:55 http: TLS handshake error from [2001:470:1f0b:1de:9dab:7d:6c69:cc86]:49246: remote error: tls: unknown certificate authority

Did you restart Firefox after installing the root certs?

Edit: Nvm, just remembered that the lib we’re using doesn’t support NSS on Windows. You’ll have to install it manually for that OS. Hence the log:

Note: NSS support is not available on your platform

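A check to run before trusting the root in Firefox, as an added example that is not part of the original thread or of Caddy itself: it prints the fingerprint of Caddy's local root, confirms it is the certificate the log reported as installed in the Windows trust store, and can optionally set Firefox's `ImportEnterpriseRoots` policy so Firefox reads roots from that store. Assumptions: the `root.crt` path (Caddy's `%AppData%\Caddy` directory plus the storage path in the log) and the choice of the policy route instead of a by-hand import.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell.
param(
    # Assumed path: %AppData%\Caddy plus the storage path shown in the log.
    [string]$RootCrt = (Join-Path $env:APPDATA 'Caddy\pki\authorities\local\root.crt'),
    # Opt in to writing the Firefox policy value (an assumption of this example).
    [switch]$EnableFirefoxEnterpriseRoots
)

if (-not (Test-Path -LiteralPath $RootCrt)) {
    throw "Root certificate not found at $RootCrt"
}

# Load the certificate and print what is about to be trusted.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($RootCrt)
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$fingerprint = ($sha256.ComputeHash($cert.RawData) | ForEach-Object { $_.ToString('X2') }) -join ':'
"Subject : $($cert.Subject)"
"Expires : $($cert.NotAfter)"
"SHA-256 : $fingerprint"

# A root should be self-issued and marked as a CA; stop if it is not.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if ($cert.Subject -ne $cert.Issuer -or -not ($bc -and $bc.CertificateAuthority)) {
    throw 'This file is not a self-issued CA certificate; refusing to continue.'
}

# Confirm this is the certificate the log reported as installed in the Windows trust store.
$stores = 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root'
$found = @($stores | Where-Object {
    Get-ChildItem -Path $_ | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
})
if ($found.Count -eq 0) {
    throw 'Caddy root is not in a Windows Root store; nothing for Firefox to inherit.'
}
"Found in: $($found -join ', ')"

if ($EnableFirefoxEnterpriseRoots) {
    # Firefox policy: trust roots from the Windows store instead of importing by hand.
    $key = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\Certificates'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'ImportEnterpriseRoots' -Value 1 -PropertyType DWord -Force | Out-Null
    'Policy written; restart Firefox and check about:policies.'
}
```

If Firefox still warns after a restart, import the same `root.crt` in Firefox's certificate manager and compare the SHA-256 fingerprint it displays with the one printed here.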

Thank you @matt! Maybe changing the note to “nss not supported on {OS.platform}. Please install manually” would help, because I thought that support is there but not available ATM on my machine.