Why does it want to install a pki.ca.local?

1. The problem I’m having:

I am trying to use Caddy purely with self generated certs.
I don’t understand why it tries to install a root ca in this case

2. Error messages and/or full log output:

$ caddy run --config caddy/Caddyfile
2023/03/11 15:46:14.783	INFO	using provided configuration	{"config_file": "caddy/Caddyfile", "config_adapter": ""}
2023/03/11 15:46:14.783	WARN	Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies	{"adapter": "caddyfile", "file": "caddy/Caddyfile", "line": 2}
2023/03/11 15:46:14.784	INFO	admin	admin endpoint started	{"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2023/03/11 15:46:14.784	INFO	tls.cache.maintenance	started background certificate maintenance	{"cache": "0x140001becb0"}
2023/03/11 15:46:14.784	WARN	tls	stapling OCSP	{"error": "no OCSP stapling for [media.home]: no OCSP server specified in certificate"}
2023/03/11 15:46:14.784	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
2023/03/11 15:46:14.785	INFO	tls	cleaning storage unit	{"description": "FileStorage:/Users/tcurdt/Library/Application Support/Caddy"}
2023/03/11 15:46:14.785	INFO	tls	finished cleaning storage units
2023/03/11 15:46:14.798	WARN	pki.ca.local	installing root certificate (you might be prompted for password)	{"path": "storage:pki/authorities/local/root.crt"}
2023/03/11 15:46:14.893	INFO	failed to execute "keytool -list": exit status 1

keytool error: java.lang.Exception: Keystore file does not exist:
Password:

3. Caddy version:

v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=

4. How I installed and ran Caddy:

a. System environment:

macOS 12.6.3 via homebrew

b. Command:

caddy run --config caddy/Caddyfile

c. Service/unit/compose file:

NA

d. My complete Caddy config:

localhost {

  tls ./ca/servers/media.home/server.crt ./ca/servers/media.home/server.key

  respond "foo"
}

FWIW after entering the password:

2023/03/11 15:52:22.173	ERROR	pki.ca.local	failed to install root certificate	{"error": "failed to execute keytool: exit status 1", "certificate_file": "storage:pki/authorities/local/root.crt"}
2023/03/11 15:52:22.173	INFO	http	enabling HTTP/3 listener	{"addr": ":443"}
2023/03/11 15:52:22.173	INFO	http.log	server running	{"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2023/03/11 15:52:22.173	INFO	http.log	server running	{"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2023/03/11 15:52:22.173	INFO	http	enabling automatic TLS certificate management	{"domains": ["localhost"]}
2023/03/11 15:52:22.174	WARN	tls	stapling OCSP	{"error": "no OCSP stapling for [localhost]: no OCSP server specified in certificate", "identifiers": ["localhost"]}
2023/03/11 15:52:22.174	INFO	autosaved config (load with --resume flag)	{"file": "/Users/tcurdt/Library/Application Support/Caddy/autosave.json"}
2023/03/11 15:52:22.175	INFO	serving initial configuration

Caddy is trying to get your system to trust its own CA for https://localhost. This is normal. :slight_smile:

I know what it is trying - but I am not sure why :slight_smile:

There is no tls internal.
And there is nothing automatic about the certs anymore when I provide them.

Does Caddy try to install the CA cert no matter what?

What’s in your ./ca/servers/media.home/server.crt file?

I will re-generate so it should be fine to just show it :slight_smile:

Thanks. So that’s why: the certificate only contains a CommonName (deprecated, btw) for media.home, not localhost, so Caddy still needs to generate a cert for localhost.

No need; certificates are public keys.

Aaaah! I didn’t realize it would have to match - but in retrospect that makes sense.
Should the mismatch be in the logs, maybe? I might have the log level set not verbose enough.

And how should it look, non-deprecated?
While I’ve set CN, subjectAltName should also be set. But I don’t see anything in the SAN.

  # extension file for 'openssl x509 -extfile': a bare subjectAltName line is
  # read from the default (unnamed) section; the SAN must name the site Caddy
  # serves (here $SERVER)
  printf "subjectAltName=DNS:$SERVER" > extfile.cnf
  # printf "[SAN]\nsubjectAltName=DNS:$SERVER" > extfile.cnf

  echo > passphrase.txt
  # note: genrsa only uses -passout when an encryption cipher (e.g. -aes256)
  # is also given; without one the key is written unencrypted
  openssl genrsa -passout file:passphrase.txt -out server.key $BITS

  # the CSR carries only the CN; the SAN is added from extfile.cnf at signing time
  openssl req -new -sha256 -subj "/CN=$SERVER" -key server.key -out server.csr
  openssl x509 -req -days $DAYS \
    -in server.csr \
    -CA $CAD/ca.crt -CAkey $CAD/ca.key -CAserial $CAD/ca.srl \
    -extfile extfile.cnf \
    -out server.crt

Thanks for the help!

There are debug logs that should emit more info. We could probably also emit debug logs when we load external certs too.

Yeah, set a SAN. I’d suggest even doing it instead of CN – just be aware that some cert viewers handle empty-CN names kinda weird (like Firefox’s cert viewer!).

Why “instead”? This is what I came up with:

  [req]
  req_extensions = v3_req
  distinguished_name = req_distinguished_name

  [req_distinguished_name]

  [v3_req]
  basicConstraints = CA:FALSE
  keyUsage = digitalSignature, keyEncipherment
  subjectAltName = @alt_names

  [alt_names]
  DNS.1 = ${SERVER}

I hope it does the trick :slight_smile:

Just cause I’m a purist :slight_smile: There’s no reason to keep CN – unless you have a very antiquated relying party software that doesn’t read SANs or for some reason expects CN, even though they’re deprecated.

Anyway, it doesn’t matter if it has a CN. But the SAN definitely has to match your site! :+1:


Just for the records:

It seems like now that all domains match up, Caddy no longer asks to install the internal CA.

Thanks for the help!