Validation problem with TLS config

1. Caddy version (caddy version):

v2.4.6 h1:HGkGICFGvyrodcqOOclHKfvJC0qTU7vny/7FhYp9hNw=

2. How I run Caddy:

Over Command Line

a. System environment:

Using golang:latest docker image, built using xcaddy, command: xcaddy build --with github.com/caddy-dns/cloudflare --with github.com/hairyhenderson/caddyprom --with github.com/caddyserver/ntlm-transport --with github.com/greenpau/caddy-auth-saml

b. Command:

caddy validate -config caddy.json

c. My complete Caddyfile or JSON config:

{
    "apps": {
     "http": {
      "servers": {
       "srv0": {
        "listen": [
         ":80"
        ],
        "routes": [
         {
          "match": [
           {
            "host": [
             "rproxy-ka.prod.server1.us"
            ]
           }
          ],
          "handle": [
           {
            "handler": "subroute",
            "routes": [
             {
              "handle": [
               {
                "body": "gbus rvpx v0.54",
                "handler": "static_response"
               }
              ]
             }
            ]
           }
          ],
          "terminal": true
         }
        ]
       },
       "srv1": {
        "listen": [
         ":443"
        ],
        "routes": [
         {
          "match": [
           {
            "host": [
             "one3.prod.globi.us"
            ]
           }
          ],
          "handle": [
           {
            "handler": "subroute",
            "routes": [
             {
              "group": "group5",
              "handle": [
               {
                "handler": "rewrite",
                "uri": "/one3{http.request.uri}"
               }
              ],
              "match": [
               {
                "path": [
                 "/"
                ]
               }
              ]
             },
             {
              "handle": [
               {
                "handler": "reverse_proxy",
                "headers": {
                 "request": {
                  "set": {
                   "Host": [
                    "{http.request.host}"
                   ],
                   "X-Forwarded-For": [
                    "{http.request.remote}"
                   ],
                   "X-Forwarded-Port": [
                    "{http.request.port}"
                   ],
                   "X-Forwarded-Proto": [
                    "{http.request.scheme}"
                   ],
                   "X-Real-Ip": [
                    "{http.request.remote}"
                   ]
                  }
                 }
                },
                "upstreams": [
                 {
                  "dial": "ruprod:80"
                 }
                ]
               }
              ]
             }
            ]
           }
          ],
          "terminal": true
         },
         {
          "match": [
           {
            "host": [
             "dvgw.prod.server1.us"
            ]
           }
          ],
          "handle": [
           {
            "handler": "subroute",
            "routes": [
             {
              "handle": [
               {
                "handler": "reverse_proxy",
                "headers": {
                 "request": {
                  "set": {
                   "Host": [
                    "{http.request.host}"
                   ],
                   "X-Forwarded-For": [
                    "{http.request.remote}"
                   ],
                   "X-Forwarded-Port": [
                    "{http.request.port}"
                   ],
                   "X-Forwarded-Proto": [
                    "{http.request.scheme}"
                   ],
                   "X-Real-Ip": [
                    "{http.request.remote}"
                   ]
                  }
                 }
                },
                "upstreams": [
                 {
                  "dial": "ruprod:8181"
                 }
                ]
               }
              ]
             }
            ]
           }
          ],
          "terminal": true
         },
         {
          "match": [
           {
            "host": [
             "one1.prod.server1.us"
            ]
           }
          ],
          "handle": [
           {
            "handler": "subroute",
            "routes": [
             {
              "handle": [
               {
                "handler": "reverse_proxy",
                "headers": {
                 "request": {
                  "set": {
                   "Host": [
                    "{http.request.host}"
                   ],
                   "X-Forwarded-For": [
                    "{http.request.remote}"
                   ],
                   "X-Forwarded-Port": [
                    "{http.request.port}"
                   ],
                   "X-Forwarded-Proto": [
                    "{http.request.scheme}"
                   ],
                   "X-Real-Ip": [
                    "{http.request.remote}"
                   ]
                  }
                 }
                },
                "upstreams": [
                 {
                  "dial": "10.200.0.168:3000"
                 }
                ]
               }
              ]
             }
            ]
           }
          ],
          "terminal": true
         },
         {
          "match": [
           {
            "host": [
             "dckr.int.server1.org"
            ]
           }
          ],
          "handle": [
           {
            "handler": "subroute",
            "routes": [
             {
              "handle": [
               {
                "handler": "reverse_proxy",
                "headers": {
                 "request": {
                  "set": {
                   "Host": [
                    "{http.request.host}"
                   ],
                   "X-Forwarded-For": [
                    "{http.request.remote}"
                   ],
                   "X-Forwarded-Port": [
                    "{http.request.port}"
                   ],
                   "X-Forwarded-Proto": [
                    "{http.request.scheme}"
                   ],
                   "X-Real-Ip": [
                    "{http.request.remote}"
                   ]
                  }
                 }
                },
                "upstreams": [
                 {
                  "dial": "10.200.0.176:9000"
                 }
                ]
               }
              ]
             }
            ]
           }
          ],
          "terminal": true
         },
         {
          "match": [
           {
            "host": [
             "docs.server1.us"
            ]
           }
          ],
          "handle": [
           {
            "handler": "subroute",
            "routes": [
             {
              "handle": [
               {
                "handler": "reverse_proxy",
                "headers": {
                 "request": {
                  "set": {
                   "Host": [
                    "{http.request.host}"
                   ],
                   "X-Forwarded-For": [
                    "{http.request.remote}"
                   ],
                   "X-Forwarded-Port": [
                    "{http.request.port}"
                   ],
                   "X-Forwarded-Proto": [
                    "{http.request.scheme}"
                   ],
                   "X-Real-Ip": [
                    "{http.request.remote}"
                   ]
                  }
                 }
                },
                "upstreams": [
                 {
                  "dial": "10.44.0.5:8081"
                 }
                ]
               }
              ]
             }
            ]
           }
          ],
          "terminal": true
         },
         {
          "match": [
           {
            "host": [
             "support.server1.us"
            ]
           }
          ],
          "handle": [
           {
            "handler": "subroute",
            "routes": [
             {
              "handle": [
               {
                "handler": "reverse_proxy",
                "headers": {
                 "request": {
                  "set": {
                   "Host": [
                    "{http.request.host}"
                   ],
                   "X-Forwarded-For": [
                    "{http.request.remote}"
                   ],
                   "X-Forwarded-Port": [
                    "{http.request.port}"
                   ],
                   "X-Forwarded-Proto": [
                    "{http.request.scheme}"
                   ],
                   "X-Real-Ip": [
                    "{http.request.remote}"
                   ]
                  }
                 }
                },
                "upstreams": [
                 {
                  "dial": "10.44.0.5:8091"
                 }
                ]
               }
              ]
             }
            ]
           }
          ],
          "terminal": true
         },
         {
          "match": [
           {
            "host": [
             "seismic-idp.lsa.prod.server1.us"
            ]
           }
          ],
          "handle": [
           {
            "handler": "subroute",
            "routes": [
             {
              "handle": [
               {
                "handler": "reverse_proxy",
                "headers": {
                 "request": {
                  "set": {
                   "Host": [
                    "{http.request.host}"
                   ],
                   "X-Forwarded-For": [
                    "{http.request.remote}"
                   ],
                   "X-Forwarded-Port": [
                    "{http.request.port}"
                   ],
                   "X-Forwarded-Proto": [
                    "{http.request.scheme}"
                   ],
                   "X-Real-Ip": [
                    "{http.request.remote}"
                   ]
                  }
                 }
                },
                "upstreams": [
                 {
                  "dial": "10.44.0.5:8095"
                 }
                ]
               }
              ]
             }
            ]
           }
          ],
          "terminal": true
         },
         {
          "match": [
           {
            "host": [
             "one2.prod.globi.us"
            ]
           }
          ],
          "handle": [
           {
            "handler": "subroute",
            "routes": [
             {
              "handle": [
               {
                "handler": "reverse_proxy",
                "headers": {
                 "request": {
                  "set": {
                   "Host": [
                    "{http.request.host}"
                   ],
                   "X-Forwarded-For": [
                    "{http.request.remote}"
                   ],
                   "X-Forwarded-Port": [
                    "{http.request.port}"
                   ],
                   "X-Forwarded-Proto": [
                    "{http.request.scheme}"
                   ],
                   "X-Real-Ip": [
                    "{http.request.remote}"
                   ]
                  }
                 }
                },
                "upstreams": [
                 {
                  "dial": "10.43.10.18:80"
                 }
                ]
               }
              ]
             }
            ]
           }
          ],
          "terminal": true
         },
         {
          "match": [
           {
            "host": [
             "one4.prod.globi.us"
            ]
           }
          ],
          "handle": [
           {
            "handler": "subroute",
            "routes": [
             {
              "handle": [
               {
                "handler": "reverse_proxy",
                "headers": {
                 "request": {
                  "set": {
                   "Host": [
                    "{http.request.host}"
                   ],
                   "X-Forwarded-For": [
                    "{http.request.remote}"
                   ],
                   "X-Forwarded-Port": [
                    "{http.request.port}"
                   ],
                   "X-Forwarded-Proto": [
                    "{http.request.scheme}"
                   ],
                   "X-Real-Ip": [
                    "{http.request.remote}"
                   ]
                  }
                 }
                },
                "transport": {
                 "protocol": "http",
                 "tls": {
                  "insecure_skip_verify": true
                 }
                },
                "upstreams": [
                 {
                  "dial": "10.200.0.175:443"
                 }
                ]
               }
              ]
             }
            ]
           }
          ],
          "terminal": true
         }
        ],
        "tls_connection_policies": [
         {
          "match": {
           "sni": [
            "one1.prod.globi.us"
           ]
          }
         },
         {
          "match": {
           "sni": [
            "one2.prod.globi.us"
           ]
          }
         },
         {
          "match": {
           "sni": [
            "one3.prod.globi.us"
           ]
          }
         },
         {}
        ]
       }
      }
     },
     "tls": {
      "automation": {
       "policies": [
        {
         "subjects": [
          "one1.prod.server1.us",
          "one2.prod.server1.us",
          "one3.prod.server1.us",
          "support.server1.us",
          "docs.server1.us",
          "seismic-idp.lsa.prod.server1.us"
         ],
         "issuer": {
          "challenges": {
           "dns": {
            "provider": {
             "api_token": "removed",
             "name": "cloudflare"
            }
           }
          },
          "email": "removed",
          "module": "acme"
         }
        },
        {
         "issuer": {
          "email": "removed",
          "module": "acme"
         }
        }
       ]
      }
     }
    }
   }
   

3. The problem I’m having:

When trying to verify this config on this specific version, it fails. On v2.0.0 h1:pQSaIJGFluFvu8KDGDODV8u4/QRED/OPyIR+MWYYse8= built exactly the same way, it’s considered valid. What’s wrong with it?

4. Error messages and/or full log output:

{"level":"info","ts":1640754676.0914085,"msg":"using provided configuration","config_file":"/builds/globius/caddy-autoci/caddy.json","config_adapter":""} validate: loading http app module: provision http: getting tls app: loading tls app module: decoding module config: tls: json: unknown field "issuer"

5. What I already tried:

  • Not sure what to try here, I checked the TLS formatting, and it matched up properly with the documentation.

6. Links to relevant resources:

JSON Config Structure - Caddy Documentation was used.

Don’t use this anymore, that plugin is no longer necessary because metrics are built-in now.

Automation policies now take an array of issuers, not just a single issuer. Since Caddy v2.2.0, Caddy supports multiple issuers at the same time, and by default has Let’s Encrypt and ZeroSSL enabled.

You can probably save yourself a lot of headaches by moving to a Caddyfile instead, you’ll have a much shorter config.

Also, remove all the headers stuff from your reverse_proxy, it’s not useful. Caddy already sets the appropriate headers automatically (docs are for Caddyfile, but also apply to JSON in this case):


I am defining the right module though, using the JSON documentation found here

and it shows here in the config I am definitely using the right issuer module (as this came from a Caddyfile converted to a JSON due to a friend recommending it as some settings cannot be set in the Caddyfile, but can be set in the JSON)

No, it’s now issuers, with an s, and it takes an array of issuer objects.

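The rename described in the replies above, as an added example (not part of the original thread and not Caddy's own code): a small Python helper that moves each automation policy's single `issuer` object into an `issuers` array. `migrate_issuers` and `SAMPLE` are hypothetical names, and the sample is constructed from the two policies in the posted config.

```python
import copy
import json

# Constructed sample: the two automation policies from the posted config
# (subjects shortened, redacted values kept as "removed").
SAMPLE = json.loads("""
{"apps": {"tls": {"automation": {"policies": [
  {"subjects": ["one1.prod.server1.us", "docs.server1.us"],
   "issuer": {"module": "acme", "email": "removed",
              "challenges": {"dns": {"provider":
                  {"name": "cloudflare", "api_token": "removed"}}}}},
  {"issuer": {"module": "acme", "email": "removed"}}
]}}}}
""")


def migrate_issuers(config):
    """Return (new_config, changed). Every automation policy that still uses
    the single-object "issuer" field gets it moved into the "issuers" array.
    The input config is not modified."""
    out = copy.deepcopy(config)
    policies = (out.get("apps", {}).get("tls", {})
                   .get("automation", {}).get("policies") or [])
    changed = 0
    for policy in policies:
        if "issuer" not in policy:
            continue
        legacy = policy.pop("issuer")
        existing = list(policy.get("issuers", []))
        # Keep the original issuer at the front of the list and preserve
        # any issuers the policy already declared; drop a null issuer.
        policy["issuers"] = ([legacy] if legacy is not None else []) + existing
        changed += 1
    return out, changed


if __name__ == "__main__":
    fixed, n = migrate_issuers(SAMPLE)
    print(f"rewrote {n} automation policies")
    print(json.dumps(fixed["apps"]["tls"]["automation"], indent=1))
```

After rewriting the file, run `caddy validate` on it again to confirm the config decodes.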

D’oh! Ok. Let me just re-write the Caddyfile again then, and see if everything works then.

Happy New Year!
