Enabling get_certificate should disable cert automation

[BioEvo]

I set the get_certificate section in caddyfile, caddy verified all parameters and directly goes to HTTP-01 challenge.

here's my procedure to reproduce the issue:

1. pull the latest version of caddy image and create a fileserver, and serve /etc/caddy as root

docker pull caddy
docker run --rm --hostname cert.mysite -p 80:80  -p 443:443 -it --name certmgr caddy caddy file-server --root /etc/caddy --debug

root@demo:/test# docker run --rm --hostname cert.mysite -p 80:80  -p 443:443 -it --name certmgr caddy caddy file-server --root /etc/caddy --debug
2023/03/03 09:50:13.498	WARN	admin	admin endpoint disabled
2023/03/03 09:50:13.499	INFO	tls.cache.maintenance	started background certificate maintenance	{"cache": "0xc0003fae00"}
2023/03/03 09:50:13.499	WARN	http	server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server	{"server_name": "static", "http_port": 80}
2023/03/03 09:50:13.499	INFO	tls	cleaning storage unit	{"description": "FileStorage:/data/caddy"}
2023/03/03 09:50:13.499	INFO	tls	finished cleaning storage units
2023/03/03 09:50:13.499	DEBUG	http	starting server loop	{"address": "[::]:80", "tls": false, "http3": false}
2023/03/03 09:50:13.499	INFO	http.log	server running	{"name": "static", "protocols": ["h1", "h2", "h3"]}
2023/03/03 09:50:13.499	INFO	Caddy serving static files on :80

2. open another terminal and copy the hosts file from cert.mysite

mkdir -p /test && cd /test
docker cp certmgr:/etc/hosts /test/hosts

3. try to validate if http://cert.mysite/Caddyfile is avaliable in another container:

root@demo:/test# docker run --rm -it -v /test/hosts:/etc/hosts -v /test/Caddyfile:/etc/caddy/Caddyfile caddy wget -o /dev/null  -O - cert.mysite/Caddyfile
# The Caddyfile is an easy way to configure your Caddy web server.
#
# Unless the file starts with a global options block, the first
# uncommented line is always the address of your site.
#
# To use your own domain name (with automatic HTTPS), first make
# sure your domain's A/AAAA DNS records are properly pointed to
# this machine's public IP, then replace ":80" below with your
# domain name.

:80 {
	# Set this path to your site's directory.
	root * /usr/share/caddy

	# Enable the static file server.
	file_server

	# Another common task is to set up a reverse proxy:
	# reverse_proxy localhost:8080

	# Or serve a PHP site through php-fpm:
	# php_fastcgi localhost:9000
}

# Refer to the Caddy docs for more information:
# https://caddyserver.com/docs/caddyfile

one record of log is printed by cert.mysite

root@demo:/test# docker run --rm --hostname cert.mysite -p 80:80  -p 443:443 -it --name certmgr caddy caddy file-server --root /etc/caddy --debug
2023/03/03 09:50:13.498	WARN	admin	admin endpoint disabled
2023/03/03 09:50:13.499	INFO	tls.cache.maintenance	started background certificate maintenance	{"cache": "0xc0003fae00"}
2023/03/03 09:50:13.499	WARN	http	server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server	{"server_name": "static", "http_port": 80}
2023/03/03 09:50:13.499	INFO	tls	cleaning storage unit	{"description": "FileStorage:/data/caddy"}
2023/03/03 09:50:13.499	INFO	tls	finished cleaning storage units
2023/03/03 09:50:13.499	DEBUG	http	starting server loop	{"address": "[::]:80", "tls": false, "http3": false}
2023/03/03 09:50:13.499	INFO	http.log	server running	{"name": "static", "protocols": ["h1", "h2", "h3"]}
2023/03/03 09:50:13.499	INFO	Caddy serving static files on :80
2023/03/03 09:50:19.583	DEBUG	http.handlers.file_server	sanitized path join	{"site_root": "/etc/caddy", "request_path": "/Caddyfile", "result": "/etc/caddy/Caddyfile"}
2023/03/03 09:50:19.583	DEBUG	http.handlers.file_server	opening file	{"filename": "/etc/caddy/Caddyfile"}

4. create /test/Caddyfile with:

{
	debug
}
https://web.mysite {
	tls {
		get_certificate http http://cert.mysite/cert
	}
	file_server
	root * /usr/share/caddy
}

5. star anoter container for HTTP cert gatter:

root@demo:/test# docker run --rm -it -v /test/hosts:/etc/hosts -v /test/Caddyfile:/etc/caddy/Caddyfile caddy
2023/03/03 09:54:56.848	INFO	using provided configuration	{"config_file": "/etc/caddy/Caddyfile", "config_adapter": "caddyfile"}
2023/03/03 09:54:56.849	INFO	admin	admin endpoint started	{"address": "localhost:2019", "enforce_origin": false, "origins": ["//[::1]:2019", "//127.0.0.1:2019", "//localhost:2019"]}
2023/03/03 09:54:56.850	INFO	http	server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS	{"server_name": "srv0", "https_port": 443}
2023/03/03 09:54:56.850	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
2023/03/03 09:54:56.850	INFO	tls.cache.maintenance	started background certificate maintenance	{"cache": "0xc000119260"}
2023/03/03 09:54:56.850	INFO	tls	cleaning storage unit	{"description": "FileStorage:/data/caddy"}
2023/03/03 09:54:56.851	INFO	tls	finished cleaning storage units
2023/03/03 09:54:56.851	INFO	http	enabling HTTP/3 listener	{"addr": ":443"}
2023/03/03 09:54:56.851	INFO	failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Receive-Buffer-Size for details.
2023/03/03 09:54:56.851	DEBUG	http	starting server loop	{"address": "[::]:443", "tls": true, "http3": true}
2023/03/03 09:54:56.851	INFO	http.log	server running	{"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2023/03/03 09:54:56.851	DEBUG	http	starting server loop	{"address": "[::]:80", "tls": false, "http3": false}
2023/03/03 09:54:56.851	INFO	http.log	server running	{"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2023/03/03 09:54:56.851	INFO	http	enabling automatic TLS certificate management	{"domains": ["web.mysite"]}
2023/03/03 09:54:56.851	INFO	autosaved config (load with --resume flag)	{"file": "/config/caddy/autosave.json"}
2023/03/03 09:54:56.851	INFO	serving initial configuration
2023/03/03 09:54:56.852	INFO	tls.obtain	acquiring lock	{"identifier": "web.mysite"}
2023/03/03 09:54:56.852	INFO	tls.obtain	lock acquired	{"identifier": "web.mysite"}
2023/03/03 09:54:56.852	INFO	tls.obtain	obtaining certificate	{"identifier": "web.mysite"}
2023/03/03 09:54:56.853	DEBUG	events	event	{"name": "cert_obtaining", "id": "5ee698ea-a7b0-42d4-8fd2-2d148a1bcf91", "origin": "tls", "data": {"identifier":"web.mysite"}}
2023/03/03 09:54:56.853	DEBUG	tls.obtain	trying issuer 1/2	{"issuer": "acme-v02.api.letsencrypt.org-directory"}
2023/03/03 09:54:57.428	DEBUG	tls.acme_client	http request	{"method": "GET", "url": "https://acme-v02.api.letsencrypt.org/directory", "headers": {"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["756"],"Content-Type":["application/json"],"Date":["Fri, 03 Mar 2023 09:54:57 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2023/03/03 09:54:57.607	DEBUG	tls.acme_client	http request	{"method": "HEAD", "url": "https://acme-v02.api.letsencrypt.org/acme/new-nonce", "headers": {"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Date":["Fri, 03 Mar 2023 09:54:57 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["F977mkR7mwCLcOasyyIoTtnnqzTE5wOhhDe4xtpAylAi_Pc"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2023/03/03 09:54:57.797	DEBUG	tls.acme_client	http request	{"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/new-acct", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["991443716"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["267"],"Content-Type":["application/json"],"Date":["Fri, 03 Mar 2023 09:54:57 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf>;rel=\"terms-of-service\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/acct/991443716"],"Replay-Nonce":["F70EyZ_pC24oN4PtiMWxr1NXVxWGzy0lP6GgbhBSUStj1tw"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 201}
2023/03/03 09:54:57.798	INFO	tls	waiting on internal rate limiter	{"identifiers": ["web.mysite"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2023/03/03 09:54:57.798	INFO	tls	done waiting on internal rate limiter	{"identifiers": ["web.mysite"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2023/03/03 09:54:57.978	DEBUG	tls.acme_client	http request	{"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/new-order", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["991443716"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["212"],"Content-Type":["application/problem+json"],"Date":["Fri, 03 Mar 2023 09:54:57 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["F70EZ0AyzmBi1gJHVQOnVwxHCzrDIRBTmLFAHCqPZh1mMWo"],"Server":["nginx"]}, "status_code": 400}
2023/03/03 09:54:57.978	ERROR	tls.obtain	could not get certificate from issuer	{"identifier": "web.mysite", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Error creating new order :: Cannot issue for \"web.mysite\": Domain name does not end with a valid public suffix (TLD)"}
2023/03/03 09:54:57.978	DEBUG	tls.obtain	trying issuer 2/2	{"issuer": "acme.zerossl.com-v2-DV90"}
2023/03/03 09:54:57.978	WARN	tls	missing email address for ZeroSSL; it is strongly recommended to set one for next time
2023/03/03 09:54:59.349	INFO	tls	generated EAB credentials	{"key_id": "LLRR_JiXvnP1Gyxq8z_DJg"}
2023/03/03 09:55:00.338	DEBUG	tls.acme_client	http request	{"method": "GET", "url": "https://acme.zerossl.com/v2/DV90", "headers": {"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Access-Control-Allow-Origin":["*"],"Content-Length":["645"],"Content-Type":["application/json"],"Date":["Fri, 03 Mar 2023 09:55:00 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]}, "status_code": 200}
2023/03/03 09:55:01.042	DEBUG	tls.acme_client	http request	{"method": "HEAD", "url": "https://acme.zerossl.com/v2/DV90/newNonce", "headers": {"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Type":["application/octet-stream"],"Date":["Fri, 03 Mar 2023 09:55:00 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["choyu-v75RZ-bY957c7mtuaNcSeoRrEvG7HmRHJ7_Us"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]}, "status_code": 200}
2023/03/03 09:55:01.864	DEBUG	tls.acme_client	http request	{"method": "POST", "url": "https://acme.zerossl.com/v2/DV90/newAccount", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["579"],"Content-Type":["application/json"],"Date":["Fri, 03 Mar 2023 09:55:01 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Location":["https://acme.zerossl.com/v2/DV90/account/LLRR_JiXvnP1Gyxq8z_DJg"],"Replay-Nonce":["V4YzFYtZr4O5Kj-c-VBhxNZo5toNBIsaofRmEMM11AM"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]}, "status_code": 201}
2023/03/03 09:55:01.865	INFO	tls	waiting on internal rate limiter	{"identifiers": ["web.mysite"], "ca": "https://acme.zerossl.com/v2/DV90", "account": ""}
2023/03/03 09:55:01.865	INFO	tls	done waiting on internal rate limiter	{"identifiers": ["web.mysite"], "ca": "https://acme.zerossl.com/v2/DV90", "account": ""}
2023/03/03 09:55:02.512	DEBUG	tls.acme_client	http request	{"method": "POST", "url": "https://acme.zerossl.com/v2/DV90/newOrder", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.4 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["116"],"Content-Type":["application/problem+json"],"Date":["Fri, 03 Mar 2023 09:55:02 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["jQSBi7xGSLNSh3oaSYD3XZqo6XJkKRC4EEuYSOPB2wI"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]}, "status_code": 400}
2023/03/03 09:55:02.512	ERROR	tls.obtain	could not get certificate from issuer	{"identifier": "web.mysite", "issuer": "acme.zerossl.com-v2-DV90", "error": "HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [web.mysite]"}
2023/03/03 09:55:02.512	DEBUG	events	event	{"name": "cert_failed", "id": "1298f96f-180f-4a9e-97c7-ccdc8854f8c0", "origin": "tls", "data": {"error":{},"identifier":"web.mysite","issuers":["acme-v02.api.letsencrypt.org-directory","acme.zerossl.com-v2-DV90"],"renewal":false}}
2023/03/03 09:55:02.512	ERROR	tls.obtain	will retry	{"error": "[web.mysite] Obtain: [web.mysite] creating new order: attempt 1: https://acme.zerossl.com/v2/DV90/newOrder: HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [web.mysite] (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 1, "retrying_in": 60, "elapsed": 5.659666017, "max_duration": 2592000}

6. no new log from cert.mysite, let's get the version of caddy in container:

root@demo:/test# docker run --rm -it -v /test/hosts:/etc/hosts -v /test/Caddyfile:/etc/caddy/Caddyfile caddy caddy version
v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=

[BioEvo]

If we change the /test/Caddyfile in setp 4 with some existing file just like:

{
	debug
}
https://web.mysite {
	tls {
		get_certificate http http://cert.mysite/Caddyfile
	}
	file_server
	root * /usr/share/caddy
}

It makes no difference. I know manual says the response must have a 200 status code and the body must contain a PEM chain including the full certificate (with intermediates) as well as the private key. But there is no access_log in cert.mysite, which means cert.mysite didn't get the HTTP request from caddy.

[mholt]

Thanks for the detailed issue!

I suppose the expectation here is to not get certificates from the issuers because a certificate manager (get_ceritificate subdirective) is specified.

But just to clarify, you did actually make an HTTPS request to https://web.mysite right? I would expect to see something in the logs about that if you did. Regardless of the issuers trying to get a certificate at startup, you still need to make a TLS handshake with web.mysite in order for the certificate manager to be invoked.

[BioEvo]

My fault, I didn't understand the description about get_certificate . I tried to make a request to https://web.mysite from cert.mysite, and I got these logs from cert.mysite:

{"level":"debug","ts":1678158186.21117,"logger":"http.handlers.file_server","msg":"sanitized path join","site_root":"/etc/caddy","request_path":"/cert","result":"/etc/caddy/cert"}
{"level":"debug","ts":1678158186.2112262,"logger":"http.handlers.file_server","msg":"opening file","filename":"/etc/caddy/cert"}

It works! Every time I make a request from cert.mysite to https://web.mysite, these logs are printed. The one last problem is: although HTTP is functional on web.mysite, caddy still keeps requesting for letsencrypt and zerossl.

Thanks to your reply, I find the way to build a external cert manager for caddy now.

[mholt]

Glad you were able to make progress.

I'm currently addressing the "still requesting certs from CAs" issue -- I guess most users would expect, in the presence of a get_certificate, that CAs are not even attempted.

[BioEvo]

Glad you were able to make progress.

I'm currently addressing the "still requesting certs from CAs" issue -- I guess most users would expect, in the presence of a get_certificate, that CAs are not even attempted.

Thank you!

Actually, I was trying to build something like issuer proxy for caddy. It has two benefit: 1. being able to setup SSL for caddy without internet. 2. No more dns token for every single server without public IP, dns token leaking is far more serious than certificate leaking.

I thought I cloud create a certmgr to manage certificate, and let caddy pull SSL certificate from certmgr by get_certificate without internet access. Now I realized that by using get_certificate, caddy will request certificate for every single session, and caddy will not manage/cache certificate any more, because the build-in renew service is totally disabled. That makes sense because manual says "certificate manager modules implies that an external tool or service is keeping the certificate renewed". The goal is partly achieved, HTTPS server without internet could be setting up, but if certmgr is down, every downstream caddy server would be unable to initialized new sessions.

[francislavoie]

You could solve that by running a caching proxy on the same machine as Caddy, or using something like like the cache-handler plugin and making another server in Caddy which would cache it.

https://example.com {
	tls {
		get_certificate http http://localhost:8881
	}
}

:8881 {
	cache
	reverse_proxy your-cert-server:8080
}

Or you could just implement your own module instead of http which does caching. It's pluggable, see https://caddyserver.com/docs/json/apps/tls/automation/policies/get_certificate/ which are all the existing ones currently.

[BioEvo]

You could solve that by running a caching proxy on the same machine as Caddy, or using something like like the cache-handler plugin and making another server in Caddy which would cache it.

https://example.com {
	tls {
		get_certificate http http://localhost:8881
	}
}

:8881 {
	cache
	reverse_proxy your-cert-server:8080
}

Or you could just implement your own module instead of http which does caching. It's pluggable, see https://caddyserver.com/docs/json/apps/tls/automation/policies/get_certificate/ which are all the existing ones currently.

Thank you! I think cache-handler will be good enough for most cases.

[mholt]

I've been working on this the last few days... it's quite tricky / involved; I've started by making certificate manager config part of OnDemand config in CertMagic: caddyserver/certmagic@master...certmanager-refactor

[mholt]

@BioEvo Could you please try #5533? I think I have a patch that works. Basically, specifying a cert manager enables on_demand TLS, which makes sense since managers do their work at handshake-time. As long as the manager returns a cert it won't fall back to any issuers.

[johnmmcgee]

You could solve that by running a caching proxy on the same machine as Caddy, or using something like like the cache-handler plugin and making another server in Caddy which would cache it.

https://example.com {
	tls {
		get_certificate http http://localhost:8881
	}
}

:8881 {
	cache
	reverse_proxy your-cert-server:8080
}

Or you could just implement your own module instead of http which does caching. It's pluggable, see https://caddyserver.com/docs/json/apps/tls/automation/policies/get_certificate/ which are all the existing ones currently.

Thank you! I think cache-handler will be good enough for most cases.

Awesome workaround. However, the ability to set a cache without this would be pretty cool though.

Here is a quick php script that i put together that will work as a server_name query handler:

<?php
$serverName = $_GET['server_name'];

$crt = '';
$key = '';

if ($serverName === 'domain1') {
    $crt = 'domain1_ecc/domain1.cer';
    $key = 'domain1_ecc/domain1.key';
} elseif ($serverName === 'domain2') {
    $crt = 'domain2_ecc/domain2.cer';
    $key = 'domain2_ecc/domain2.key';
}

if (!empty($crt) && !empty($key)) {
    echo file_get_contents($crt);
    echo file_get_contents($key);
} else {
    echo "Server name not found.";
}
?>

[johnmmcgee]

Actually, the loopback to the cache doesnt seem to work for me. I am not sure if its a configuration issue or something with my container. I may have to mess with that portion some more.

[mholt]

@johnmmcgee I'm not super familiar with the cache module, but it could be that you need to set a header to make the response cacheable? (Not sure though.)

[johnmmcgee]

i have a handler setup. i have:

order cache before rewrite

If i shell into the container and do a connection to localhost:4581, $LOCALIP:4581 or 127.0.0.1:4581 (my cache port) it works. however, caddy connecting to itself on port 4581 does not seem to work.

EDIT: i read that as handler, not header.. either way, the cache DOES work when connecting to it outside of caddy connecting to itself.

[johnmmcgee]

setting the label to:

http://localhost:4581 fixed my issue.