Why does it want to install a pki.ca.local?

1. The problem I’m having:

I am trying to use Caddy purely with self generated certs.
I don’t understand why it tries to install a root ca in this case

2. Error messages and/or full log output:

$ caddy run --config caddy/Caddyfile
2023/03/11 15:46:14.783	INFO	using provided configuration	{"config_file": "caddy/Caddyfile", "config_adapter": ""}
2023/03/11 15:46:14.783	WARN	Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies	{"adapter": "caddyfile", "file": "caddy/Caddyfile", "line": 2}
2023/03/11 15:46:14.784	INFO	admin	admin endpoint started	{"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2023/03/11 15:46:14.784	INFO	tls.cache.maintenance	started background certificate maintenance	{"cache": "0x140001becb0"}
2023/03/11 15:46:14.784	WARN	tls	stapling OCSP	{"error": "no OCSP stapling for [media.home]: no OCSP server specified in certificate"}
2023/03/11 15:46:14.784	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
2023/03/11 15:46:14.785	INFO	tls	cleaning storage unit	{"description": "FileStorage:/Users/tcurdt/Library/Application Support/Caddy"}
2023/03/11 15:46:14.785	INFO	tls	finished cleaning storage units
2023/03/11 15:46:14.798	WARN	pki.ca.local	installing root certificate (you might be prompted for password)	{"path": "storage:pki/authorities/local/root.crt"}
2023/03/11 15:46:14.893	INFO	failed to execute "keytool -list": exit status 1

keytool error: java.lang.Exception: Keystore file does not exist:
Password:

3. Caddy version:

v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=

4. How I installed and ran Caddy:

a. System environment:

macOS 12.6.3 via homebrew

b. Command:

caddy run --config caddy/Caddyfile

c. Service/unit/compose file:

NA

d. My complete Caddy config:

localhost {

  tls ./ca/servers/media.home/server.crt ./ca/servers/media.home/server.key

  respond "foo"
}

FWIW after entering the password:

2023/03/11 15:52:22.173	ERROR	pki.ca.local	failed to install root certificate	{"error": "failed to execute keytool: exit status 1", "certificate_file": "storage:pki/authorities/local/root.crt"}
2023/03/11 15:52:22.173	INFO	http	enabling HTTP/3 listener	{"addr": ":443"}
2023/03/11 15:52:22.173	INFO	http.log	server running	{"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2023/03/11 15:52:22.173	INFO	http.log	server running	{"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2023/03/11 15:52:22.173	INFO	http	enabling automatic TLS certificate management	{"domains": ["localhost"]}
2023/03/11 15:52:22.174	WARN	tls	stapling OCSP	{"error": "no OCSP stapling for [localhost]: no OCSP server specified in certificate", "identifiers": ["localhost"]}
2023/03/11 15:52:22.174	INFO	autosaved config (load with --resume flag)	{"file": "/Users/tcurdt/Library/Application Support/Caddy/autosave.json"}
2023/03/11 15:52:22.175	INFO	serving initial configuration

Caddy is trying to get your system to trust its own CA for https://localhost. This is normal. :slight_smile:

I know what it is trying - but I am not sure why :slight_smile:

There is no tls internal.
And there is nothing automatic about the certs anymore when I provide them.

Does Caddy try to install the CA cert no matter what?

What’s in your ./ca/servers/media.home/server.crt file?

I will re-generate so it should be fine to just show it :slight_smile:

-----BEGIN CERTIFICATE-----
MIIEojCCAoqgAwIBAgIBAjANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDDAl2YWZl
ci5vcmcwHhcNMjMwMzExMTUyMzIyWhcNMzMwMzA4MTUyMzIyWjAVMRMwEQYDVQQD
DAptZWRpYS5ob21lMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0kwM
L1gEufnqkRv84t/yeHRqdKEmd2MPCguCmmU4seeEfHoJGrhMpMUaGmqfo1VzSQDS
CdpuC/3LLeS/HxenxJZ702CcHee24+jgGrtGNQYIUEoM+v+OR6VZB/rmr1LtGQih
qDCvDPaJATTYj8WPX8UcEcQTOFZOFEoqou5QiKYpsOxSGwsCzxfRq9cTdvRc/vT6
//724ZqPrhEKq7DON5ALi7EvftDxkjQ0Fdgq3nIxZyLlE/DIpA9NjkQEvHW3g6YC
gh1lhTFiFmlfmXlEdBRfSpXZbpfCBUKWLWjT30TnM4TS5cLYIIKKdXzs41CTJvT/
uffcHHXZTwjIw8/v3AxkWrw01bQnweSkLx1CCc/3QrruuF+K3aEbw54jM86A4Oep
LHgRYJmJ5nHenCS80agC0b3qiNXYE9zXLDhYWreO13vUh9gGgVNrlSsI7HfugiqD
sC9g3e8wWeFDtQgBXjmeZ9zxTSbns1rJGs2Q0j2LeCuLSn9FGSo1UR8rf0v7aNB7
mWM35Sv7mJTJxNr2VMZP2u/m2RIGyQWW2gPHbApclmmIv2K4zi+sGNapsqm8/1+C
ZhPYtfH7HTeUIBNAuvf6nmvp2Hb5JsL90mlm078W7ZX1NIbc4YfyHw+13z2D3trQ
XLygeW7T9Gs+OUEoOdigkzhYvuckCuAxtv9JCo0CAwEAATANBgkqhkiG9w0BAQUF
AAOCAgEAPzai4KHchWV/Ms3meW2vQONKKbzlNBuAwhweuaRhQ1iC7x6GINKDtbGy
lGpRgMEfGKF+nZ0mnTxflUl/7Vb2KzqtuFIO80WIu89jvSqKfIVa/+LMDiXbGI1a
yNb57GlJXEQEFXckElmxtNjkcNPuyuqHH/J/l15gz4JhCefZ52+qw8Gv4e95Am6g
DD+88JKfOAY7GyTWU3iBUswk1g2xYfQYLDnERnPuFOWngGfofJRDGpuDwQ6HIGkt
OOoYkXOvmwDodx7g+AlMZnjvDbKIfl3BUORheBKJuo8FwfjQ+EEChiMwxPSCuIND
RKwHKZLD+zyck6nq6kpgmlTyEB2S+VGFZu/+pYA1BgFMHtAqOXMA1cJVgf66PQg6
OE/YKO1NKrlRoDkZT0tHiKDEVjf3SUUN6JWETFA/04DtuI0zLb4ipyTXguLKC+Js
6hNPUYij9gHd/cfPOPvEMw7y4xDQeuVVKKu5dTY/WpRJsfXe1MimI/4P0FSHCrXA
r/2foAfZIeD9eb4iBiQMd3MMSmx2ZGDTTjcEIcdqo0k7ZGs5mcHoznDVc4rFfvdg
ufUVCmdi2nWZ5RwG6xIGpMszDjjVoUEkuIBpHYtjC4knS3lwa5Bfgv1SytpHGilL
VOuybGdUC0L5Wv41/TAck8GU95CEFSBMRRlZLsyBOCdNz805AAI=
-----END CERTIFICATE-----

Thanks. So that’s why: the certificate only contains a CommonName (deprecated, btw) for media.home, not localhost, so Caddy still needs to generate a cert for localhost.

No need; certificates are public keys.

Aaaah! I didn’t realize it would have to match - but in retrospect that makes sense.
Should the mismatch be in the logs, maybe? I might have the log level set not verbose enough.

And how should it look like non-deprecated?
While I’ve set CN, subjectAltName should also be set. But I don’t see anything in the SAN.

  printf "subjectAltName=DNS:$SERVER" > extfile.cnf
  # printf "[SAN]\nsubjectAltName=DNS:$SERVER" > extfile.cnf

  echo > passphrase.txt
  openssl genrsa -passout file:passphrase.txt -out server.key $BITS

  openssl req -new -sha256 -subj "/CN=$SERVER" -key server.key -out server.csr
  openssl x509 -req -days $DAYS \
    -in server.csr \
    -CA $CAD/ca.crt -CAkey $CAD/ca.key -CAserial $CAD/ca.srl \
    -extfile extfile.cnf \
    -out server.crt

Thanks for the help!

1 Like

There are debug logs that should emit more info. We could probably also emit debug logs when we load external certs too.

Yeah, set a SAN. I’d suggest even doing it instead of CN – just be aware that some cert viewers handle empty-CN names kinda weird (like Firefox’s cert viewer!).

Why “instead”? This is what I came up with:

  [req]
  req_extensions = v3_req
  distinguished_name = req_distinguished_name

  [req_distinguished_name]

  [v3_req]
  basicConstraints = CA:FALSE
  keyUsage = digitalSignature, keyEncipherment
  subjectAltName = @alt_names

  [alt_names]
  DNS.1 = ${SERVER}
-----BEGIN CERTIFICATE-----
MIIEuDCCAqCgAwIBAgIBAjANBgkqhkiG9w0BAQUFADAPMQ0wCwYDVQQDDARob21l
MB4XDTIzMDMxMjA1MTc0MVoXDTMzMDMwOTA1MTc0MVowFTETMBEGA1UEAwwKbWVk
aWEuaG9tZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMbZJQDYGOhK
Qn6t1JfxW7nqOG2APUc3gNrGWZ3FyuXHXSJdIb72aotgai4JWE7MPKXvjWYuzJll
ayikq9bYwkOwUhPya7C8eu9C6G4gm8ZNniuvsYrG/aN57Z2oBQ128eQY+kjK/BUy
idRthpZvpUVp+WFHmnw803Mb/dPXOwdFRTx/Um+8xHvsOvUcgh5eHXk5o7xVEqsZ
p63ozHkeNNMFAH+Zn1Hu2H0fP7vfRcctxU0rJJSiZvnjqZD8wU/5OTBZIGcOnigx
7+GHDcFRWlXHEERnthASwVovhBRUBfwszI1fAAFgQJFrosSPI3EWCHFBzGdI2uWt
/w6yLLdmjpi+6ohCmmtnZoDG+Y2jo/MYndV+J3KBd51K2quewmgxs0IDeweygzRQ
RfRC02MMsctoCk06v7sYdygry/n33l1wzyw65qKNYt5NYGxkMJ0jV/UZoapT1uYL
42xE6ti5DPb93OhqXs1aObCRzXhBoIMP4s1bZDlLEy/BFCfY81wYoeoxiUO7q62z
nNoVLsJBhwcUlD5kCeq76ibHfYSsaPJFW8ITDzHZdgSsUUaXkJXTEgsS4EmxsAB6
KH/1R5J3OPfIZ+7TQwVc+k3yhrZuTlNJ4MIUA/FLGw3BB8X7XADQC1ZA32XIBhZ9
VIHfb2cdeTKxvpQlnFRU+TTjDeYS/IZRAgMBAAGjGTAXMBUGA1UdEQQOMAyCCm1l
ZGlhLmhvbWUwDQYJKoZIhvcNAQEFBQADggIBAEhWuqMAXDDki9sCAfoIsh6umYNC
BpMzoNl3MrERmHnQVrSRzhSsG2Oa2FRPjYjtMdlci8R1sWwy2FQt7INyn7RaK3e4
zbLAXvLZPghLXgOXQa1zXDIOr8M9sQOsdhTX/QPzKtfkgQQ03+3qBzLoHeQy2Nm0
AgSeQ0FJEsHtXptXpXetbEwZbU15k1xOIAKV+m2ZjyBDXKCwP2QluEVRa77v4vqp
/5j9kR826ZJUd2dZiqflkz6UxS8zS9H+xe+KnzC6L+k31OnTp8XnQNCn+Lua3X6z
67u6Wm+HioSjLWcqnpzu+z/E9SSgLv+sV6QWS4uVxmwEgdYL6sGRh0zxSE7C1Yfm
x5iq6ylY4uNKVFyTLAxRs5eV0OSCJHqahmBioXp4T1y/Xf79VlZtimntr9ycw2JH
nKzxam43SbAsNclA2g8pc2P1SoLKuXJDrPpMuHkwpDmgxxs3nvgRaiemu9EYldHu
/whSxoJyuJJpKxPhIbEPM8KtCdSaWjMUWuLHuuG5bzTbc/wRR/QfWWLe27X6gVgH
+bB7WmZx+Yy/EX+m7CEOEcsMBoqhgvlqta+7vDKnQHTZeceqxbOyL3T/pxfh+PsG
rOWmzMjixV2k+kzY3/yaUh4b+4aJVkYWFIVbqdBBdbTpnt4MK8cUOWJRce2VBhiH
3pMM22HbBBmzP5Y6
-----END CERTIFICATE-----

I hope it does the trick :slight_smile:

1 Like

Just cause I’m a purist :slight_smile: There’s no reason to keep CN – unless you have a very antiquated relying party software that doesn’t read SANs or for some reason expects CN, even though they’re deprecated.

Anyway, it doesn’t matter if it has a CN. But the SAN definitely has to match your site! :+1:

1 Like

Just for the records:

It seems like now that all domains match up, Caddy does no longer ask to install the internal CA.

Thanks for the help!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.